~bloodearnest/content-cache-charm:no-cache-or-measure-check

Last commit made on 2019-10-22
Get this branch:
git clone -b no-cache-or-measure-check https://git.launchpad.net/~bloodearnest/content-cache-charm

Branch information

Name:
no-cache-or-measure-check
Repository:
lp:~bloodearnest/content-cache-charm

Recent commits

7da8bbb... by Simon Davy

Do not cache or measure check urls in nginx

Seems like Cache-control: no-cache is not enough to prevent nginx from
caching the health check urls. So have added explicit config to not
cache these in nginx template.

Additionally, noticed that the exemption for measuring for check urls
was hardcoded, so updated that to use the explicit healthcheck.

73ae757... by Ryan Finnie

Make inter time configurable with backend-inter-time

Reviewed-on: https://code.launchpad.net/~fo0bar/content-cache-charm/+git/content-cache-charm/+merge/374489
Reviewed-by: Joel Sing <email address hidden>

6b91b09... by Ryan Finnie

make lint

98223eb... by Haw Loeung

Reformatted by black

Reviewed-on: https://code.launchpad.net/~hloeung/content-cache-charm/+git/content-cache-charm/+merge/374495
Reviewed-by: Barry Price <email address hidden>

13f9f2a... by Haw Loeung

Reformatted by black

47804c6... by Ryan Finnie

Make inter time configurable with backend-inter-time

9b43da7... by Haw Loeung

Updated default cipher suites, also include TLSv1.3 suites - LP:1825321

Reviewed-on: https://code.launchpad.net/~hloeung/content-cache-charm/+git/content-cache-charm/+merge/374123
Reviewed-by: Joel Sing <email address hidden>

713dd50... by Haw Loeung

Updated default cipher suites, also include TLSv1.3 suites

Per review, updated default cipher suites to only those that provide
PFS. Also, this includes the TLSv1.3 cipher suites as per below (minus ECDSA):

* Disco/19.04 (OpenSSL 1.1.1b 26 Feb 2019)

    | 0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
    | 0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
    | 0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
    | 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
    | 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
    | 0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
    | 0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256

* Bionic/18.04 (OpenSSL 1.1.1 11 Sep 2018)

    | 0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
    | 0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
    | 0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
    | 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
    | 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
    | 0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
    | 0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256

* Xenial/16.04 (OpenSSL 1.0.2g 1 Mar 2016)

    | 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
    | 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
    | 0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
    | 0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256

* Trusty/14.04 (OpenSSL 1.0.1f 6 Jan 2014)

    | 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
    | 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
    | 0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
    | 0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256

2faab37... by Ryan Finnie

Change haproxy nbproc to nbthread

Reviewed-on: https://code.launchpad.net/~fo0bar/content-cache-charm/+git/content-cache-charm/+merge/374330
Reviewed-by: Haw Loeung <email address hidden>
Reviewed-by: Stuart Bishop <email address hidden>

6c9d63e... by Ryan Finnie

Change haproxy nbproc to nbthread

Eventually we want to have nbproc/nbthread/cpu-map configurable, but for
now having 1 implied proc + $CPUCOUNT threads is a safe default on
haproxy 1.8 (bionic).

(With multi-procs, each separate proc does its own health checks, which
can be overwhelming on sites with many backends.)