mirror of
https://github.com/haproxy/haproxy.git
synced 2026-02-03 20:39:41 -05:00
6e94b69665
Move all these files and others for OCSP tests found into reg-tests/ssl
to reg-test/ssl/certs and adapt all the VTC files which use them.
This patch is needed by other tests which have to include the SSL tests.
Indeed, some VTC commands contain paths to these files which cannot
be customized with environment variables, depending on the location the VTC file
is runi from, because VTC does not resolve the environment variables. Only macros
as ${testdir} can be resolved.
For instance this command run from a VTC file from reg-tests/ssl directory cannot
be reused from another directory, except if we add a symbolic link for each certs,
key etc.
haproxy h1 -cli {
send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1"
}
This is not what we want. We add a symbolic link to reg-test/ssl/certs to the
directory and modify the command above as follows:
haproxy h1 -cli {
send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
}
91 lines
2.1 KiB
Text
91 lines
2.1 KiB
Text
varnishtest "Reverse server with a name parameter test"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
|
|
feature ignore_unknown_macro
|
|
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.9-dev0)'"
|
|
|
|
barrier b1 cond 2
|
|
|
|
haproxy h_edge -conf {
|
|
global
|
|
.if feature(THREAD)
|
|
thread-groups 1
|
|
.endif
|
|
|
|
expose-experimental-directives
|
|
|
|
defaults
|
|
log global
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
mode http
|
|
|
|
frontend pub
|
|
bind "fd@${pub}"
|
|
use_backend be-reverse
|
|
|
|
backend be-reverse
|
|
server dev rhttp@ ssl sni hdr(x-name) verify none
|
|
|
|
frontend priv
|
|
bind "fd@${priv}" ssl crt ${testdir}/certs/common.pem verify required ca-verify-file ${testdir}/certs/ca-auth.crt alpn h2
|
|
tcp-request session attach-srv be-reverse/dev name ssl_c_s_dn(CN)
|
|
} -start
|
|
|
|
# Simple clear <-> SSL bridge between clients and h_edge haproxy
|
|
# Used certificate has the name "client1"
|
|
haproxy h_ssl_bridge -conf {
|
|
defaults
|
|
log global
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
mode tcp
|
|
|
|
listen li
|
|
bind "fd@${li}"
|
|
server h_edge "${h_edge_priv_addr}:${h_edge_priv_port}" ssl crt ${testdir}/certs/client1.pem verify none alpn h2
|
|
} -start
|
|
|
|
# Run a client through private endpoint
|
|
# Connection will be attached to the reverse server
|
|
client c_dev -connect ${h_ssl_bridge_li_sock} {
|
|
txpri
|
|
|
|
stream 0 {
|
|
txsettings
|
|
rxsettings
|
|
txsettings -ack
|
|
rxsettings
|
|
expect settings.ack == true
|
|
} -run
|
|
|
|
barrier b1 sync
|
|
stream 1 {
|
|
rxhdrs
|
|
} -run
|
|
|
|
sendhex "000004 01 05 00000001 88 5c 01 30"
|
|
} -start
|
|
|
|
# Wait for dev client to be ready to process connection
|
|
barrier b1 sync
|
|
|
|
# Run a client through public endpoint
|
|
# Use a different name than the client certificate thus resulting in a 503
|
|
client c1 -connect ${h_edge_pub_sock} {
|
|
txreq -url "/" \
|
|
-hdr "x-name: client99"
|
|
rxresp
|
|
expect resp.status == 503
|
|
} -run
|
|
|
|
# Run a client through public endpoint
|
|
# Use the correct name
|
|
client c2 -connect ${h_edge_pub_sock} {
|
|
txreq -url "/" \
|
|
-hdr "x-name: client1"
|
|
rxresp
|
|
expect resp.status == 200
|
|
} -run
|