Mercurial > hg > nginx-tests
comparison stream_proxy_ssl_verify.t @ 559:9208d8243926
Tests: stream ssl and proxy ssl tests.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Thu, 23 Apr 2015 14:01:21 +0300 |
| parents | |
| children | 153969b53780 |
comparison
equal
deleted
inserted
replaced
| 558:27740a2dd781 | 559:9208d8243926 |
|---|---|
| 1 #!/usr/bin/perl | |
| 2 | |
| 3 # (C) Sergey Kandaurov | |
| 4 # (C) Nginx, Inc. | |
| 5 | |
| 6 # Stream tests for proxy to ssl backend, backend certificate verification. | |
| 7 | |
| 8 ############################################################################### | |
| 9 | |
| 10 use warnings; | |
| 11 use strict; | |
| 12 | |
| 13 use Test::More; | |
| 14 | |
| 15 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
| 16 | |
| 17 use lib 'lib'; | |
| 18 use Test::Nginx; | |
| 19 | |
| 20 ############################################################################### | |
| 21 | |
| 22 select STDERR; $| = 1; | |
| 23 select STDOUT; $| = 1; | |
| 24 | |
| 25 my $t = Test::Nginx->new()->has(qw/stream stream_ssl/)->has_daemon('openssl'); | |
| 26 | |
| 27 $t->write_file_expand('nginx.conf', <<'EOF')->plan(6); | |
| 28 | |
| 29 %%TEST_GLOBALS%% | |
| 30 | |
| 31 daemon off; | |
| 32 | |
| 33 events { | |
| 34 } | |
| 35 | |
| 36 stream { | |
| 37 proxy_ssl on; | |
| 38 proxy_ssl_verify on; | |
| 39 | |
| 40 server { | |
| 41 listen 127.0.0.1:8080; | |
| 42 proxy_pass 127.0.0.1:8087; | |
| 43 | |
| 44 proxy_ssl_name example.com; | |
| 45 proxy_ssl_trusted_certificate 1.example.com.crt; | |
| 46 } | |
| 47 | |
| 48 server { | |
| 49 listen 127.0.0.1:8081; | |
| 50 proxy_pass 127.0.0.1:8087; | |
| 51 | |
| 52 proxy_ssl_name foo.example.com; | |
| 53 proxy_ssl_trusted_certificate 1.example.com.crt; | |
| 54 } | |
| 55 | |
| 56 server { | |
| 57 listen 127.0.0.1:8082; | |
| 58 proxy_pass 127.0.0.1:8087; | |
| 59 | |
| 60 proxy_ssl_name no.match.example.com; | |
| 61 proxy_ssl_trusted_certificate 1.example.com.crt; | |
| 62 } | |
| 63 | |
| 64 server { | |
| 65 listen 127.0.0.1:8083; | |
| 66 proxy_pass 127.0.0.1:8088; | |
| 67 | |
| 68 proxy_ssl_name 2.example.com; | |
| 69 proxy_ssl_trusted_certificate 2.example.com.crt; | |
| 70 } | |
| 71 | |
| 72 server { | |
| 73 listen 127.0.0.1:8084; | |
| 74 proxy_pass 127.0.0.1:8088; | |
| 75 | |
| 76 proxy_ssl_name bad.example.com; | |
| 77 proxy_ssl_trusted_certificate 2.example.com.crt; | |
| 78 } | |
| 79 | |
| 80 server { | |
| 81 listen 127.0.0.1:8085; | |
| 82 proxy_pass 127.0.0.1:8088; | |
| 83 | |
| 84 proxy_ssl_trusted_certificate 1.example.com.crt; | |
| 85 proxy_ssl_session_reuse off; | |
| 86 } | |
| 87 } | |
| 88 | |
| 89 stream { | |
| 90 server { | |
| 91 listen 127.0.0.1:8087 ssl; | |
| 92 proxy_pass 127.0.0.1:8089; | |
| 93 | |
| 94 ssl_certificate 1.example.com.crt; | |
| 95 ssl_certificate_key 1.example.com.key; | |
| 96 } | |
| 97 | |
| 98 server { | |
| 99 listen 127.0.0.1:8088 ssl; | |
| 100 proxy_pass 127.0.0.1:8089; | |
| 101 | |
| 102 ssl_certificate 2.example.com.crt; | |
| 103 ssl_certificate_key 2.example.com.key; | |
| 104 } | |
| 105 } | |
| 106 | |
| 107 EOF | |
| 108 | |
| 109 $t->write_file('openssl.1.example.com.conf', <<EOF); | |
| 110 [ req ] | |
| 111 prompt = no | |
| 112 default_bits = 1024 | |
| 113 encrypt_key = no | |
| 114 distinguished_name = req_distinguished_name | |
| 115 x509_extensions = v3_req | |
| 116 | |
| 117 [ req_distinguished_name ] | |
| 118 commonName=no.match.example.com | |
| 119 | |
| 120 [ v3_req ] | |
| 121 subjectAltName = DNS:example.com,DNS:*.example.com | |
| 122 EOF | |
| 123 | |
| 124 $t->write_file('openssl.2.example.com.conf', <<EOF); | |
| 125 [ req ] | |
| 126 prompt = no | |
| 127 default_bits = 1024 | |
| 128 encrypt_key = no | |
| 129 distinguished_name = req_distinguished_name | |
| 130 | |
| 131 [ req_distinguished_name ] | |
| 132 commonName=2.example.com | |
| 133 EOF | |
| 134 | |
| 135 my $d = $t->testdir(); | |
| 136 | |
| 137 foreach my $name ('1.example.com', '2.example.com') { | |
| 138 system('openssl req -x509 -new ' | |
| 139 . "-config '$d/openssl.$name.conf' " | |
| 140 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | |
| 141 . ">>$d/openssl.out 2>&1") == 0 | |
| 142 or die "Can't create certificate for $name: $!\n"; | |
| 143 } | |
| 144 | |
| 145 $t->write_file('index.html', ''); | |
| 146 | |
| 147 $t->run_daemon(\&http_daemon); | |
| 148 $t->run(); | |
| 149 | |
| 150 $t->waitforsocket('127.0.0.1:8089'); | |
| 151 | |
| 152 ############################################################################### | |
| 153 | |
| 154 # subjectAltName | |
| 155 | |
| 156 like(http_get('/', socket => getconn('127.0.0.1:8080')), | |
| 157 qr/200 OK/, 'verify'); | |
| 158 like(http_get('/', socket => getconn('127.0.0.1:8081')), | |
| 159 qr/200 OK/, 'verify wildcard'); | |
| 160 unlike(http_get('/', socket => getconn('127.0.0.1:8082')), | |
| 161 qr/200 OK/, 'verify fail'); | |
| 162 | |
| 163 # commonName | |
| 164 | |
| 165 like(http_get('/', socket => getconn('127.0.0.1:8083')), | |
| 166 qr/200 OK/, 'verify cn'); | |
| 167 unlike(http_get('/', socket => getconn('127.0.0.1:8084')), | |
| 168 qr/200 OK/, 'verify cn fail'); | |
| 169 | |
| 170 # untrusted | |
| 171 | |
| 172 unlike(http_get('/', socket => getconn('127.0.0.1:8085')), | |
| 173 qr/200 OK/, 'untrusted'); | |
| 174 | |
| 175 ############################################################################### | |
| 176 | |
| 177 sub getconn { | |
| 178 my $peer = shift; | |
| 179 my $s = IO::Socket::INET->new( | |
| 180 Proto => 'tcp', | |
| 181 PeerAddr => $peer || '127.0.0.1:8080' | |
| 182 ) | |
| 183 or die "Can't connect to nginx: $!\n"; | |
| 184 | |
| 185 return $s; | |
| 186 } | |
| 187 | |
| 188 ############################################################################### | |
| 189 | |
| 190 sub http_daemon { | |
| 191 my $server = IO::Socket::INET->new( | |
| 192 Proto => 'tcp', | |
| 193 LocalHost => '127.0.0.1:8089', | |
| 194 Listen => 5, | |
| 195 Reuse => 1 | |
| 196 ) | |
| 197 or die "Can't create listening socket: $!\n"; | |
| 198 | |
| 199 local $SIG{PIPE} = 'IGNORE'; | |
| 200 | |
| 201 while (my $client = $server->accept()) { | |
| 202 $client->autoflush(1); | |
| 203 | |
| 204 while (<$client>) { | |
| 205 last if (/^\x0d?\x0a?$/); | |
| 206 } | |
| 207 | |
| 208 print $client <<EOF; | |
| 209 HTTP/1.1 200 OK | |
| 210 Connection: close | |
| 211 | |
| 212 EOF | |
| 213 | |
| 214 close $client; | |
| 215 } | |
| 216 } | |
| 217 | |
| 218 ############################################################################### |