Mercurial > hg > nginx-tests

comparison proxy_ssl_certificate.t @ 497:d4330871bfb0

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Tests: proxy_ssl_certificate, proxy_ssl_password_file tests.
author Sergey Kandaurov <pluknet@nginx.com>
date Fri, 14 Nov 2014 12:30:26 +0300
parents
children 907e89fba9c3
comparison
equal deleted inserted replaced
496:d13ea470657d 497:d4330871bfb0
1 #!/usr/bin/perl
2
3 # (C) Sergey Kandaurov
4 # (C) Nginx, Inc.
5
6 # Tests for proxy with proxy certificate to ssl backend.
7 # The proxy_ssl_certificate and proxy_ssl_password_file directives.
8
9 ###############################################################################
10
11 use warnings;
12 use strict;
13
14 use Test::More;
15
16 BEGIN { use FindBin; chdir($FindBin::Bin); }
17
18 use lib 'lib';
19 use Test::Nginx;
20
21 ###############################################################################
22
23 select STDERR; $| = 1;
24 select STDOUT; $| = 1;
25
26 my $t = Test::Nginx->new()->has(qw/http http_ssl proxy/)
27 ->has_daemon('openssl');
28
29 plan(skip_all => 'no proxy_ssl_password_file') unless $t->has_version('1.7.8');
30
31 $t->plan(5)->write_file_expand('nginx.conf', <<'EOF');
32
33 %%TEST_GLOBALS%%
34
35 daemon off;
36
37 events {
38 }
39
40 http {
41 %%TEST_GLOBALS_HTTP%%
42
43 server {
44 listen 127.0.0.1:8080;
45 server_name localhost;
46
47 proxy_ssl_session_reuse off;
48
49 location /verify {
50 proxy_pass https://127.0.0.1:8081/;
51 proxy_ssl_certificate 1.example.com.crt;
52 proxy_ssl_certificate_key 1.example.com.key;
53 }
54
55 location /fail {
56 proxy_pass https://127.0.0.1:8081/;
57 proxy_ssl_certificate 2.example.com.crt;
58 proxy_ssl_certificate_key 2.example.com.key;
59 }
60
61 location /encrypted {
62 proxy_pass https://127.0.0.1:8082/;
63 proxy_ssl_certificate 3.example.com.crt;
64 proxy_ssl_certificate_key 3.example.com.key;
65 proxy_ssl_password_file password;
66 }
67 }
68
69 server {
70 listen 127.0.0.1:8081 ssl;
71 server_name localhost;
72
73 ssl_certificate 2.example.com.crt;
74 ssl_certificate_key 2.example.com.key;
75
76 ssl_verify_client optional_no_ca;
77 ssl_trusted_certificate 1.example.com.crt;
78
79 location / {
80 add_header X-Verify $ssl_client_verify;
81 add_header X-Name $ssl_client_s_dn;
82 }
83 }
84
85 server {
86 listen 127.0.0.1:8082 ssl;
87 server_name localhost;
88
89 ssl_certificate 1.example.com.crt;
90 ssl_certificate_key 1.example.com.key;
91
92 ssl_verify_client optional_no_ca;
93 ssl_trusted_certificate 3.example.com.crt;
94
95 location / {
96 add_header X-Verify $ssl_client_verify;
97 }
98 }
99 }
100
101 EOF
102
103 $t->write_file('openssl.conf', <<EOF);
104 [ req ]
105 default_bits = 1024
106 encrypt_key = no
107 distinguished_name = req_distinguished_name
108 [ req_distinguished_name ]
109 EOF
110
111 my $d = $t->testdir();
112
113 foreach my $name ('1.example.com', '2.example.com') {
114 system('openssl req -x509 -new '
115 . "-config '$d/openssl.conf' -subj '/CN=$name/' "
116 . "-out '$d/$name.crt' -keyout '$d/$name.key' "
117 . ">>$d/openssl.out 2>&1") == 0
118 or die "Can't create certificate for $name: $!\n";
119 }
120
121 foreach my $name ('3.example.com') {
122 system("openssl genrsa -out $d/$name.key -passout pass:$name "
123 . "-aes128 2048 >>$d/openssl.out 2>&1") == 0
124 or die "Can't create private key: $!\n";
125 system('openssl req -x509 -new '
126 . "-config '$d/openssl.conf' -subj '/CN=$name/' "
127 . "-out '$d/$name.crt' "
128 . "-key '$d/$name.key' -passin pass:$name"
129 . ">>$d/openssl.out 2>&1") == 0
130 or die "Can't create certificate for $name: $!\n";
131 }
132
133 $t->write_file('password', '3.example.com');
134 $t->write_file('index.html', '');
135
136 $t->run();
137
138 ###############################################################################
139
140 my $cert;
141
142 like(http_get('/verify'), qr/X-Verify: SUCCESS/ms, 'verify certificate');
143 like(http_get('/fail'), qr/X-Verify: FAILED/ms, 'fail certificate');
144 like(http_get('/encrypted'), qr/X-Verify: SUCCESS/ms, 'with encrypted key');
145
146 like(http_get('/verify'), qr!X-Name: /CN=1.example!, 'valid certificate');
147 unlike(http_get('/fail'), qr!X-Name: /CN=1.example!, 'invalid certificate');
148
149 ###############################################################################