Mercurial > hg > nginx-tests
comparison proxy_ssl_certificate.t @ 497:d4330871bfb0
Tests: proxy_ssl_certificate, proxy_ssl_password_file tests.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 14 Nov 2014 12:30:26 +0300 |
parents | |
children | 907e89fba9c3 |
comparison
equal
deleted
inserted
replaced
496:d13ea470657d | 497:d4330871bfb0 |
---|---|
1 #!/usr/bin/perl | |
2 | |
3 # (C) Sergey Kandaurov | |
4 # (C) Nginx, Inc. | |
5 | |
6 # Tests for proxy with proxy certificate to ssl backend. | |
7 # The proxy_ssl_certificate and proxy_ssl_password_file directives. | |
8 | |
9 ############################################################################### | |
10 | |
11 use warnings; | |
12 use strict; | |
13 | |
14 use Test::More; | |
15 | |
16 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
17 | |
18 use lib 'lib'; | |
19 use Test::Nginx; | |
20 | |
21 ############################################################################### | |
22 | |
23 select STDERR; $| = 1; | |
24 select STDOUT; $| = 1; | |
25 | |
26 my $t = Test::Nginx->new()->has(qw/http http_ssl proxy/) | |
27 ->has_daemon('openssl'); | |
28 | |
29 plan(skip_all => 'no proxy_ssl_password_file') unless $t->has_version('1.7.8'); | |
30 | |
31 $t->plan(5)->write_file_expand('nginx.conf', <<'EOF'); | |
32 | |
33 %%TEST_GLOBALS%% | |
34 | |
35 daemon off; | |
36 | |
37 events { | |
38 } | |
39 | |
40 http { | |
41 %%TEST_GLOBALS_HTTP%% | |
42 | |
43 server { | |
44 listen 127.0.0.1:8080; | |
45 server_name localhost; | |
46 | |
47 proxy_ssl_session_reuse off; | |
48 | |
49 location /verify { | |
50 proxy_pass https://127.0.0.1:8081/; | |
51 proxy_ssl_certificate 1.example.com.crt; | |
52 proxy_ssl_certificate_key 1.example.com.key; | |
53 } | |
54 | |
55 location /fail { | |
56 proxy_pass https://127.0.0.1:8081/; | |
57 proxy_ssl_certificate 2.example.com.crt; | |
58 proxy_ssl_certificate_key 2.example.com.key; | |
59 } | |
60 | |
61 location /encrypted { | |
62 proxy_pass https://127.0.0.1:8082/; | |
63 proxy_ssl_certificate 3.example.com.crt; | |
64 proxy_ssl_certificate_key 3.example.com.key; | |
65 proxy_ssl_password_file password; | |
66 } | |
67 } | |
68 | |
69 server { | |
70 listen 127.0.0.1:8081 ssl; | |
71 server_name localhost; | |
72 | |
73 ssl_certificate 2.example.com.crt; | |
74 ssl_certificate_key 2.example.com.key; | |
75 | |
76 ssl_verify_client optional_no_ca; | |
77 ssl_trusted_certificate 1.example.com.crt; | |
78 | |
79 location / { | |
80 add_header X-Verify $ssl_client_verify; | |
81 add_header X-Name $ssl_client_s_dn; | |
82 } | |
83 } | |
84 | |
85 server { | |
86 listen 127.0.0.1:8082 ssl; | |
87 server_name localhost; | |
88 | |
89 ssl_certificate 1.example.com.crt; | |
90 ssl_certificate_key 1.example.com.key; | |
91 | |
92 ssl_verify_client optional_no_ca; | |
93 ssl_trusted_certificate 3.example.com.crt; | |
94 | |
95 location / { | |
96 add_header X-Verify $ssl_client_verify; | |
97 } | |
98 } | |
99 } | |
100 | |
101 EOF | |
102 | |
103 $t->write_file('openssl.conf', <<EOF); | |
104 [ req ] | |
105 default_bits = 1024 | |
106 encrypt_key = no | |
107 distinguished_name = req_distinguished_name | |
108 [ req_distinguished_name ] | |
109 EOF | |
110 | |
111 my $d = $t->testdir(); | |
112 | |
113 foreach my $name ('1.example.com', '2.example.com') { | |
114 system('openssl req -x509 -new ' | |
115 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
116 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | |
117 . ">>$d/openssl.out 2>&1") == 0 | |
118 or die "Can't create certificate for $name: $!\n"; | |
119 } | |
120 | |
121 foreach my $name ('3.example.com') { | |
122 system("openssl genrsa -out $d/$name.key -passout pass:$name " | |
123 . "-aes128 2048 >>$d/openssl.out 2>&1") == 0 | |
124 or die "Can't create private key: $!\n"; | |
125 system('openssl req -x509 -new ' | |
126 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
127 . "-out '$d/$name.crt' " | |
128 . "-key '$d/$name.key' -passin pass:$name" | |
129 . ">>$d/openssl.out 2>&1") == 0 | |
130 or die "Can't create certificate for $name: $!\n"; | |
131 } | |
132 | |
133 $t->write_file('password', '3.example.com'); | |
134 $t->write_file('index.html', ''); | |
135 | |
136 $t->run(); | |
137 | |
138 ############################################################################### | |
139 | |
140 my $cert; | |
141 | |
142 like(http_get('/verify'), qr/X-Verify: SUCCESS/ms, 'verify certificate'); | |
143 like(http_get('/fail'), qr/X-Verify: FAILED/ms, 'fail certificate'); | |
144 like(http_get('/encrypted'), qr/X-Verify: SUCCESS/ms, 'with encrypted key'); | |
145 | |
146 like(http_get('/verify'), qr!X-Name: /CN=1.example!, 'valid certificate'); | |
147 unlike(http_get('/fail'), qr!X-Name: /CN=1.example!, 'invalid certificate'); | |
148 | |
149 ############################################################################### |