Mercurial > hg > nginx-tests
comparison stream_ssl_realip.t @ 1029:21602616d8ee
Tests: stream realip tests, listen proxy_protocol ssl tests.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Thu, 08 Sep 2016 14:55:49 +0300 |
| parents | |
| children | 8ef51dbb5d69 |
comparison
equal
deleted
inserted
replaced
| 1028:403709429c3b | 1029:21602616d8ee |
|---|---|
| 1 #!/usr/bin/perl | |
| 2 | |
| 3 # (C) Sergey Kandaurov | |
| 4 # (C) Nginx, Inc. | |
| 5 | |
| 6 # Tests for stream realip module, server side proxy protocol with ssl. | |
| 7 | |
| 8 ############################################################################### | |
| 9 | |
| 10 use warnings; | |
| 11 use strict; | |
| 12 | |
| 13 use Test::More; | |
| 14 | |
| 15 use Socket qw/ $CRLF /; | |
| 16 | |
| 17 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
| 18 | |
| 19 use lib 'lib'; | |
| 20 use Test::Nginx; | |
| 21 use Test::Nginx::Stream qw/ stream /; | |
| 22 | |
| 23 ############################################################################### | |
| 24 | |
| 25 select STDERR; $| = 1; | |
| 26 select STDOUT; $| = 1; | |
| 27 | |
| 28 eval { require IO::Socket::SSL; }; | |
| 29 plan(skip_all => 'IO::Socket::SSL not installed') if $@; | |
| 30 eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; | |
| 31 plan(skip_all => 'IO::Socket::SSL too old') if $@; | |
| 32 | |
| 33 my $t = Test::Nginx->new()->has(qw/stream stream_return stream_realip ipv6/) | |
| 34 ->has(qw/stream_ssl/)->has_daemon('openssl') | |
| 35 ->write_file_expand('nginx.conf', <<'EOF'); | |
| 36 | |
| 37 %%TEST_GLOBALS%% | |
| 38 | |
| 39 daemon off; | |
| 40 | |
| 41 events { | |
| 42 } | |
| 43 | |
| 44 stream { | |
| 45 ssl_certificate_key localhost.key; | |
| 46 ssl_certificate localhost.crt; | |
| 47 | |
| 48 server { | |
| 49 listen 127.0.0.1:8083 proxy_protocol ssl; | |
| 50 return $proxy_protocol_addr:$proxy_protocol_port; | |
| 51 } | |
| 52 | |
| 53 server { | |
| 54 listen 127.0.0.1:8086 proxy_protocol ssl; | |
| 55 listen [::1]:%%PORT_8086%% proxy_protocol ssl; | |
| 56 return "$remote_addr:$remote_port: | |
| 57 $realip_remote_addr:$realip_remote_port"; | |
| 58 | |
| 59 set_real_ip_from ::1; | |
| 60 set_real_ip_from 127.0.0.2; | |
| 61 } | |
| 62 | |
| 63 server { | |
| 64 listen 127.0.0.1:8087; | |
| 65 proxy_pass [::1]:%%PORT_8086%%; | |
| 66 } | |
| 67 | |
| 68 server { | |
| 69 listen 127.0.0.1:8088 proxy_protocol ssl; | |
| 70 listen [::1]:%%PORT_8088%% proxy_protocol ssl; | |
| 71 return "$remote_addr:$remote_port: | |
| 72 $realip_remote_addr:$realip_remote_port"; | |
| 73 | |
| 74 set_real_ip_from 127.0.0.1; | |
| 75 set_real_ip_from ::2; | |
| 76 } | |
| 77 | |
| 78 server { | |
| 79 listen 127.0.0.1:8089; | |
| 80 proxy_pass [::1]:%%PORT_8088%%; | |
| 81 } | |
| 82 } | |
| 83 | |
| 84 EOF | |
| 85 | |
| 86 $t->write_file('openssl.conf', <<EOF); | |
| 87 [ req ] | |
| 88 default_bits = 2048 | |
| 89 encrypt_key = no | |
| 90 distinguished_name = req_distinguished_name | |
| 91 [ req_distinguished_name ] | |
| 92 EOF | |
| 93 | |
| 94 my $d = $t->testdir(); | |
| 95 | |
| 96 foreach my $name ('localhost') { | |
| 97 system('openssl req -x509 -new ' | |
| 98 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
| 99 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | |
| 100 . ">>$d/openssl.out 2>&1") == 0 | |
| 101 or die "Can't create certificate for $name: $!\n"; | |
| 102 } | |
| 103 | |
| 104 $t->try_run('no stream proxy_protocol and/or inet6 support')->plan(6); | |
| 105 | |
| 106 ############################################################################### | |
| 107 | |
| 108 is(pp_get(8083, "PROXY TCP4 192.0.2.1 192.0.2.2 1234 5678${CRLF}"), | |
| 109 '192.0.2.1:1234', 'server'); | |
| 110 | |
| 111 like(pp_get(8086, "PROXY TCP4 192.0.2.1 192.0.2.2 1234 5678${CRLF}"), | |
| 112 qr/^(\Q127.0.0.1:\E\d+):\s+\1$/, 'server ipv6 realip - no match'); | |
| 113 | |
| 114 like(pp_get(8087, "PROXY TCP4 192.0.2.1 192.0.2.2 1234 5678${CRLF}"), | |
| 115 qr/\Q192.0.2.1:1234:\E\s+\Q::1:\E\d+/, 'server ipv6 realip'); | |
| 116 | |
| 117 like(pp_get(8088, "PROXY TCP4 192.0.2.1 192.0.2.2 1234 5678${CRLF}"), | |
| 118 qr/\Q192.0.2.1:1234:\E\s+\Q127.0.0.1:\E\d+/, 'server ipv4 realip'); | |
| 119 | |
| 120 like(pp_get(8089, "PROXY TCP4 192.0.2.1 192.0.2.2 1234 5678${CRLF}"), | |
| 121 qr/^(::1:\d+):\s+\1$/, 'server ipv4 realip - no match'); | |
| 122 | |
| 123 like(pp_get(8088, "PROXY UNKNOWN TCP4 192.0.2.1 192.0.2.2 1234 5678${CRLF}"), | |
| 124 qr/^(\Q127.0.0.1:\E\d+):\s+\1$/, 'server unknown'); | |
| 125 | |
| 126 ############################################################################### | |
| 127 | |
| 128 sub pp_get { | |
| 129 my ($port, $proxy) = @_; | |
| 130 | |
| 131 my $s = stream(PeerPort => port($port)); | |
| 132 $s->write($proxy); | |
| 133 | |
| 134 IO::Socket::SSL->start_SSL($s->{_socket}, | |
| 135 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | |
| 136 SSL_error_trap => sub { die $_[1] } | |
| 137 ); | |
| 138 | |
| 139 return $s->read(); | |
| 140 } | |
| 141 | |
| 142 ############################################################################### |