Mercurial > hg > nginx-tests
comparison ssl_proxy_protocol.t @ 603:cc722d0c557d
Tests: proxy_protocol ssl tests.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 09 Jun 2015 17:38:47 -0400 |
parents | |
children | adf5671391ac |
comparison
equal
deleted
inserted
replaced
602:1177e4dd249a | 603:cc722d0c557d |
---|---|
1 #!/usr/bin/perl | |
2 | |
3 # (C) Sergey Kandaurov | |
4 # (C) Nginx, Inc. | |
5 | |
6 # Tests for http ssl module with haproxy protocol. | |
7 | |
8 ############################################################################### | |
9 | |
10 use warnings; | |
11 use strict; | |
12 | |
13 use Test::More; | |
14 | |
15 use Socket qw/ CRLF /; | |
16 | |
17 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
18 | |
19 use lib 'lib'; | |
20 use Test::Nginx; | |
21 | |
22 ############################################################################### | |
23 | |
24 select STDERR; $| = 1; | |
25 select STDOUT; $| = 1; | |
26 | |
27 eval { require IO::Socket::SSL; }; | |
28 plan(skip_all => 'IO::Socket::SSL not installed') if $@; | |
29 eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; | |
30 plan(skip_all => 'IO::Socket::SSL too old') if $@; | |
31 | |
32 my $t = Test::Nginx->new()->has(qw/http http_ssl access ipv6 realip/) | |
33 ->has_daemon('openssl'); | |
34 | |
35 $t->write_file_expand('nginx.conf', <<'EOF')->plan(18); | |
36 | |
37 %%TEST_GLOBALS%% | |
38 | |
39 daemon off; | |
40 | |
41 events { | |
42 } | |
43 | |
44 http { | |
45 %%TEST_GLOBALS_HTTP%% | |
46 | |
47 log_format pp '$remote_addr $request'; | |
48 | |
49 server { | |
50 listen 127.0.0.1:8080 proxy_protocol ssl; | |
51 server_name localhost; | |
52 | |
53 ssl_certificate_key localhost.key; | |
54 ssl_certificate localhost.crt; | |
55 | |
56 set_real_ip_from 127.0.0.1/32; | |
57 add_header X-IP $remote_addr; | |
58 add_header X-PP $proxy_protocol_addr; | |
59 | |
60 location /pp { | |
61 real_ip_header proxy_protocol; | |
62 error_page 404 =200 /t1; | |
63 access_log %%TESTDIR%%/pp.log pp; | |
64 | |
65 location /pp_4 { | |
66 deny 192.0.2.1/32; | |
67 } | |
68 location /pp_6 { | |
69 deny 2001:DB8::1/128; | |
70 } | |
71 } | |
72 } | |
73 } | |
74 | |
75 EOF | |
76 | |
77 $t->write_file('openssl.conf', <<EOF); | |
78 [ req ] | |
79 default_bits = 2048 | |
80 encrypt_key = no | |
81 distinguished_name = req_distinguished_name | |
82 [ req_distinguished_name ] | |
83 EOF | |
84 | |
85 my $d = $t->testdir(); | |
86 | |
87 foreach my $name ('localhost') { | |
88 system('openssl req -x509 -new ' | |
89 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
90 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | |
91 . ">>$d/openssl.out 2>&1") == 0 | |
92 or die "Can't create certificate for $name: $!\n"; | |
93 } | |
94 | |
95 $t->write_file('t1', 'SEE-THIS'); | |
96 $t->run(); | |
97 | |
98 ############################################################################### | |
99 | |
100 my $tcp4 = 'PROXY TCP4 192.0.2.1 192.0.2.2 1234 5678' . CRLF; | |
101 my $tcp6 = 'PROXY TCP6 2001:Db8::1 2001:Db8::2 1234 5678' . CRLF; | |
102 my $unk1 = 'PROXY UNKNOWN' . CRLF; | |
103 my $unk2 = 'PROXY UNKNOWN 1 2 3 4 5 6' . CRLF; | |
104 my $r; | |
105 | |
106 # no realip, just PROXY header parsing | |
107 | |
108 $r = pp_get('/t1', $tcp4); | |
109 like($r, qr/SEE-THIS/, 'tcp4 request'); | |
110 like($r, qr/X-PP: 192.0.2.1/, 'tcp4 proxy'); | |
111 unlike($r, qr/X-IP: 192.0.2.1/, 'tcp4 client'); | |
112 | |
113 $r = pp_get('/t1', $tcp6); | |
114 like($r, qr/SEE-THIS/, 'tcp6 request'); | |
115 like($r, qr/X-PP: 2001:DB8::1/i, 'tcp6 proxy'); | |
116 unlike($r, qr/X-IP: 2001:DB8::1/i, 'tcp6 client'); | |
117 | |
118 like(pp_get('/t1', $unk1), qr/SEE-THIS/, 'unknown request 1'); | |
119 like(pp_get('/t1', $unk2), qr/SEE-THIS/, 'unknown request 2'); | |
120 | |
121 # realip | |
122 | |
123 $r = pp_get('/pp', $tcp4); | |
124 like($r, qr/SEE-THIS/, 'tcp4 request realip'); | |
125 like($r, qr/X-PP: 192.0.2.1/, 'tcp4 proxy realip'); | |
126 like($r, qr/X-IP: 192.0.2.1/, 'tcp4 client realip'); | |
127 | |
128 $r = pp_get('/pp', $tcp6); | |
129 like($r, qr/SEE-THIS/, 'tcp6 request realip'); | |
130 like($r, qr/X-PP: 2001:DB8::1/i, 'tcp6 proxy realip'); | |
131 like($r, qr/X-IP: 2001:DB8::1/i, 'tcp6 client realip'); | |
132 | |
133 # access | |
134 | |
135 $r = pp_get('/pp_4', $tcp4); | |
136 like($r, qr/403 Forbidden/, 'tcp4 access'); | |
137 | |
138 $r = pp_get('/pp_6', $tcp6); | |
139 like($r, qr/403 Forbidden/, 'tcp6 access'); | |
140 | |
141 # client address in access.log | |
142 | |
143 $t->stop(); | |
144 | |
145 my $log; | |
146 | |
147 { | |
148 open LOG, $t->testdir() . '/pp.log' | |
149 or die("Can't open nginx access log file.\n"); | |
150 local $/; | |
151 $log = <LOG>; | |
152 close LOG; | |
153 } | |
154 | |
155 like($log, qr!^192\.0\.2\.1 GET /pp_4!m, 'tcp4 access log'); | |
156 like($log, qr!^2001:DB8::1 GET /pp_6!mi, 'tcp6 access log'); | |
157 | |
158 ############################################################################### | |
159 | |
160 sub pp_get { | |
161 my ($url, $proxy) = @_; | |
162 | |
163 my $s = http($proxy, start => 1); | |
164 | |
165 IO::Socket::SSL->start_SSL($s, | |
166 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | |
167 SSL_error_trap => sub { die $_[1] } | |
168 ); | |
169 | |
170 return http(<<EOF, socket => $s); | |
171 GET $url HTTP/1.0 | |
172 Host: localhost | |
173 | |
174 EOF | |
175 } | |
176 | |
177 ############################################################################### |