Mercurial > hg > nginx-tests
comparison stream_proxy_ssl_certificate_vars.t @ 1674:55816c5fc861
Tests: variables support in certificates to upstream.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Thu, 06 May 2021 13:52:37 +0300 |
| parents | |
| children | 2a0a6035a1af |
comparison
equal
deleted
inserted
replaced
| 1673:7d40f2557a45 | 1674:55816c5fc861 |
|---|---|
| 1 #!/usr/bin/perl | |
| 2 | |
| 3 # (C) Sergey Kandaurov | |
| 4 # (C) Nginx, Inc. | |
| 5 | |
| 6 # Tests for stream proxy module with variables in ssl certificates. | |
| 7 | |
| 8 ############################################################################### | |
| 9 | |
| 10 use warnings; | |
| 11 use strict; | |
| 12 | |
| 13 use Test::More; | |
| 14 | |
| 15 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
| 16 | |
| 17 use lib 'lib'; | |
| 18 use Test::Nginx; | |
| 19 | |
| 20 ############################################################################### | |
| 21 | |
| 22 select STDERR; $| = 1; | |
| 23 select STDOUT; $| = 1; | |
| 24 | |
| 25 my $t = Test::Nginx->new()->has(qw/stream stream_ssl stream_map http http_ssl/) | |
| 26 ->has_daemon('openssl'); | |
| 27 | |
| 28 $t->write_file_expand('nginx.conf', <<'EOF'); | |
| 29 | |
| 30 %%TEST_GLOBALS%% | |
| 31 | |
| 32 daemon off; | |
| 33 | |
| 34 events { | |
| 35 } | |
| 36 | |
| 37 stream { | |
| 38 %%TEST_GLOBALS_STREAM%% | |
| 39 | |
| 40 map $server_port $cert { | |
| 41 %%PORT_8082%% 1; | |
| 42 %%PORT_8083%% 2; | |
| 43 %%PORT_8084%% 3; | |
| 44 %%PORT_8085%% ""; | |
| 45 } | |
| 46 | |
| 47 proxy_ssl on; | |
| 48 proxy_ssl_session_reuse off; | |
| 49 | |
| 50 server { | |
| 51 listen 127.0.0.1:8082; | |
| 52 listen 127.0.0.1:8083; | |
| 53 proxy_pass 127.0.0.1:8080; | |
| 54 | |
| 55 proxy_ssl_certificate $cert.example.com.crt; | |
| 56 proxy_ssl_certificate_key $cert.example.com.key; | |
| 57 } | |
| 58 | |
| 59 server { | |
| 60 listen 127.0.0.1:8084; | |
| 61 proxy_pass 127.0.0.1:8081; | |
| 62 | |
| 63 proxy_ssl_certificate $cert.example.com.crt; | |
| 64 proxy_ssl_certificate_key $cert.example.com.key; | |
| 65 proxy_ssl_password_file password; | |
| 66 } | |
| 67 | |
| 68 server { | |
| 69 listen 127.0.0.1:8085; | |
| 70 proxy_pass 127.0.0.1:8081; | |
| 71 | |
| 72 proxy_ssl_certificate $cert; | |
| 73 proxy_ssl_certificate_key $cert; | |
| 74 } | |
| 75 } | |
| 76 | |
| 77 http { | |
| 78 %%TEST_GLOBALS_HTTP%% | |
| 79 | |
| 80 server { | |
| 81 listen 127.0.0.1:8080 ssl; | |
| 82 server_name localhost; | |
| 83 | |
| 84 ssl_certificate 2.example.com.crt; | |
| 85 ssl_certificate_key 2.example.com.key; | |
| 86 | |
| 87 ssl_verify_client optional_no_ca; | |
| 88 ssl_trusted_certificate 1.example.com.crt; | |
| 89 | |
| 90 location / { | |
| 91 add_header X-Verify $ssl_client_verify; | |
| 92 add_header X-Name $ssl_client_s_dn; | |
| 93 } | |
| 94 } | |
| 95 | |
| 96 server { | |
| 97 listen 127.0.0.1:8081 ssl; | |
| 98 server_name localhost; | |
| 99 | |
| 100 ssl_certificate 1.example.com.crt; | |
| 101 ssl_certificate_key 1.example.com.key; | |
| 102 | |
| 103 ssl_verify_client optional_no_ca; | |
| 104 ssl_trusted_certificate 3.example.com.crt; | |
| 105 | |
| 106 location / { | |
| 107 add_header X-Verify $ssl_client_verify; | |
| 108 } | |
| 109 } | |
| 110 } | |
| 111 | |
| 112 EOF | |
| 113 | |
| 114 $t->write_file('openssl.conf', <<EOF); | |
| 115 [ req ] | |
| 116 default_bits = 2048 | |
| 117 encrypt_key = no | |
| 118 distinguished_name = req_distinguished_name | |
| 119 [ req_distinguished_name ] | |
| 120 EOF | |
| 121 | |
| 122 my $d = $t->testdir(); | |
| 123 | |
| 124 foreach my $name ('1.example.com', '2.example.com') { | |
| 125 system('openssl req -x509 -new ' | |
| 126 . "-config $d/openssl.conf -subj /CN=$name/ " | |
| 127 . "-out $d/$name.crt -keyout $d/$name.key " | |
| 128 . ">>$d/openssl.out 2>&1") == 0 | |
| 129 or die "Can't create certificate for $name: $!\n"; | |
| 130 } | |
| 131 | |
| 132 foreach my $name ('3.example.com') { | |
| 133 system("openssl genrsa -out $d/$name.key -passout pass:$name " | |
| 134 . "-aes128 2048 >>$d/openssl.out 2>&1") == 0 | |
| 135 or die "Can't create private key: $!\n"; | |
| 136 system('openssl req -x509 -new ' | |
| 137 . "-config $d/openssl.conf -subj /CN=$name/ " | |
| 138 . "-out $d/$name.crt " | |
| 139 . "-key $d/$name.key -passin pass:$name" | |
| 140 . ">>$d/openssl.out 2>&1") == 0 | |
| 141 or die "Can't create certificate for $name: $!\n"; | |
| 142 } | |
| 143 | |
| 144 sleep 1 if $^O eq 'MSWin32'; | |
| 145 | |
| 146 $t->write_file('password', '3.example.com'); | |
| 147 $t->write_file('index.html', ''); | |
| 148 | |
| 149 $t->try_run('no upstream ssl_certificate variables')->plan(4); | |
| 150 | |
| 151 ############################################################################### | |
| 152 | |
| 153 like(http_get('/', socket => IO::Socket::INET->new('127.0.0.1:' . port(8082))), | |
| 154 qr/X-Verify: SUCCESS/ms, 'variable - verify certificate'); | |
| 155 like(http_get('/', socket => IO::Socket::INET->new('127.0.0.1:' . port(8083))), | |
| 156 qr/X-Verify: FAILED/ms, 'variable - fail certificate'); | |
| 157 like(http_get('/', socket => IO::Socket::INET->new('127.0.0.1:' . port(8084))), | |
| 158 qr/X-Verify: SUCCESS/ms, 'variable - with encrypted key'); | |
| 159 like(http_get('/', socket => IO::Socket::INET->new('127.0.0.1:' . port(8085))), | |
| 160 qr/X-Verify: NONE/ms, 'variable - no certificate'); | |
| 161 | |
| 162 ############################################################################### |