Mercurial > hg > nginx-tests
comparison stream_proxy_ssl_certificate.t @ 644:df8a498e0d50
Tests: stream proxy_ssl_certificate, proxy_ssl_password_file tests.
The tests were mostly borrowed from proxy_ssl_certificate.t.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Thu, 13 Aug 2015 12:42:47 +0300 |
| parents | |
| children | e9064d691790 |
comparison
equal
deleted
inserted
replaced
| 643:02bb93aebaa5 | 644:df8a498e0d50 |
|---|---|
| 1 #!/usr/bin/perl | |
| 2 | |
| 3 # (C) Sergey Kandaurov | |
| 4 # (C) Nginx, Inc. | |
| 5 | |
| 6 # Tests for stream proxy module with proxy certificate to ssl backend. | |
| 7 # The proxy_ssl_certificate and proxy_ssl_password_file directives. | |
| 8 | |
| 9 ############################################################################### | |
| 10 | |
| 11 use warnings; | |
| 12 use strict; | |
| 13 | |
| 14 use Test::More; | |
| 15 | |
| 16 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
| 17 | |
| 18 use lib 'lib'; | |
| 19 use Test::Nginx; | |
| 20 | |
| 21 ############################################################################### | |
| 22 | |
| 23 select STDERR; $| = 1; | |
| 24 select STDOUT; $| = 1; | |
| 25 | |
| 26 my $t = Test::Nginx->new()->has(qw/stream stream_ssl http http_ssl/) | |
| 27 ->has_daemon('openssl')->plan(5); | |
| 28 | |
| 29 $t->write_file_expand('nginx.conf', <<'EOF'); | |
| 30 | |
| 31 %%TEST_GLOBALS%% | |
| 32 | |
| 33 daemon off; | |
| 34 | |
| 35 events { | |
| 36 } | |
| 37 | |
| 38 stream { | |
| 39 proxy_ssl on; | |
| 40 proxy_ssl_session_reuse off; | |
| 41 | |
| 42 server { | |
| 43 listen 127.0.0.1:8083; | |
| 44 proxy_pass 127.0.0.1:8081; | |
| 45 | |
| 46 proxy_ssl_certificate 1.example.com.crt; | |
| 47 proxy_ssl_certificate_key 1.example.com.key; | |
| 48 } | |
| 49 | |
| 50 server { | |
| 51 listen 127.0.0.1:8084; | |
| 52 proxy_pass 127.0.0.1:8081; | |
| 53 | |
| 54 proxy_ssl_certificate 2.example.com.crt; | |
| 55 proxy_ssl_certificate_key 2.example.com.key; | |
| 56 } | |
| 57 | |
| 58 server { | |
| 59 listen 127.0.0.1:8085; | |
| 60 proxy_pass 127.0.0.1:8082; | |
| 61 | |
| 62 proxy_ssl_certificate 3.example.com.crt; | |
| 63 proxy_ssl_certificate_key 3.example.com.key; | |
| 64 proxy_ssl_password_file password; | |
| 65 } | |
| 66 } | |
| 67 | |
| 68 http { | |
| 69 %%TEST_GLOBALS_HTTP%% | |
| 70 | |
| 71 server { | |
| 72 listen 127.0.0.1:8081 ssl; | |
| 73 server_name localhost; | |
| 74 | |
| 75 ssl_certificate 2.example.com.crt; | |
| 76 ssl_certificate_key 2.example.com.key; | |
| 77 | |
| 78 ssl_verify_client optional_no_ca; | |
| 79 ssl_trusted_certificate 1.example.com.crt; | |
| 80 | |
| 81 location / { | |
| 82 add_header X-Verify $ssl_client_verify; | |
| 83 add_header X-Name $ssl_client_s_dn; | |
| 84 } | |
| 85 } | |
| 86 | |
| 87 server { | |
| 88 listen 127.0.0.1:8082 ssl; | |
| 89 server_name localhost; | |
| 90 | |
| 91 ssl_certificate 1.example.com.crt; | |
| 92 ssl_certificate_key 1.example.com.key; | |
| 93 | |
| 94 ssl_verify_client optional_no_ca; | |
| 95 ssl_trusted_certificate 3.example.com.crt; | |
| 96 | |
| 97 location / { | |
| 98 add_header X-Verify $ssl_client_verify; | |
| 99 } | |
| 100 } | |
| 101 } | |
| 102 | |
| 103 EOF | |
| 104 | |
| 105 $t->write_file('openssl.conf', <<EOF); | |
| 106 [ req ] | |
| 107 default_bits = 1024 | |
| 108 encrypt_key = no | |
| 109 distinguished_name = req_distinguished_name | |
| 110 [ req_distinguished_name ] | |
| 111 EOF | |
| 112 | |
| 113 my $d = $t->testdir(); | |
| 114 | |
| 115 foreach my $name ('1.example.com', '2.example.com') { | |
| 116 system('openssl req -x509 -new ' | |
| 117 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
| 118 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | |
| 119 . ">>$d/openssl.out 2>&1") == 0 | |
| 120 or die "Can't create certificate for $name: $!\n"; | |
| 121 } | |
| 122 | |
| 123 foreach my $name ('3.example.com') { | |
| 124 system("openssl genrsa -out $d/$name.key -passout pass:$name " | |
| 125 . "-aes128 2048 >>$d/openssl.out 2>&1") == 0 | |
| 126 or die "Can't create private key: $!\n"; | |
| 127 system('openssl req -x509 -new ' | |
| 128 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
| 129 . "-out '$d/$name.crt' " | |
| 130 . "-key '$d/$name.key' -passin pass:$name" | |
| 131 . ">>$d/openssl.out 2>&1") == 0 | |
| 132 or die "Can't create certificate for $name: $!\n"; | |
| 133 } | |
| 134 | |
| 135 $t->write_file('password', '3.example.com'); | |
| 136 $t->write_file('index.html', ''); | |
| 137 | |
| 138 $t->run(); | |
| 139 | |
| 140 ############################################################################### | |
| 141 | |
| 142 like(http_get('/', socket => getconn('127.0.0.1:8083')), | |
| 143 qr/X-Verify: SUCCESS/ms, 'verify certificate'); | |
| 144 like(http_get('/', socket => getconn('127.0.0.1:8084')), | |
| 145 qr/X-Verify: FAILED/ms, 'fail certificate'); | |
| 146 like(http_get('/', socket => getconn('127.0.0.1:8085')), | |
| 147 qr/X-Verify: SUCCESS/ms, 'with encrypted key'); | |
| 148 | |
| 149 like(http_get('/', socket => getconn('127.0.0.1:8083')), | |
| 150 qr!X-Name: /CN=1.example!, 'valid certificate'); | |
| 151 unlike(http_get('/', socket => getconn('127.0.0.1:8084')), | |
| 152 qr!X-Name: /CN=1.example!, 'invalid certificate'); | |
| 153 | |
| 154 ############################################################################### | |
| 155 | |
| 156 sub getconn { | |
| 157 my $peer = shift; | |
| 158 my $s = IO::Socket::INET->new( | |
| 159 Proto => 'tcp', | |
| 160 PeerAddr => $peer || '127.0.0.1:8080' | |
| 161 ) | |
| 162 or die "Can't connect to nginx: $!\n"; | |
| 163 | |
| 164 return $s; | |
| 165 } | |
| 166 | |
| 167 ############################################################################### |