# HG changeset patch # User Sergey Kandaurov # Date 1429786881 -10800 # Node ID 9208d82439261772637457f9984676686efd6823 # Parent 27740a2dd7818928fd384cab51a37cd3224b7ca4 Tests: stream ssl and proxy ssl tests. diff --git a/stream_proxy_ssl.t b/stream_proxy_ssl.t new file mode 100644 --- /dev/null +++ b/stream_proxy_ssl.t @@ -0,0 +1,119 @@ +#!/usr/bin/perl + +# (C) Sergey Kandaurov +# (C) Nginx, Inc. + +# Stream tests for proxy to ssl backend. + +############################################################################### + +use warnings; +use strict; + +use Test::More; + +BEGIN { use FindBin; chdir($FindBin::Bin); } + +use lib 'lib'; +use Test::Nginx; + +############################################################################### + +select STDERR; $| = 1; +select STDOUT; $| = 1; + +my $t = Test::Nginx->new()->has(qw/stream stream_ssl http http_ssl/) + ->has_daemon('openssl')->plan(4); + +$t->write_file_expand('nginx.conf', <<'EOF'); + +%%TEST_GLOBALS%% + +daemon off; + +events { +} + +stream { + proxy_ssl on; + proxy_ssl_session_reuse on; + + server { + listen 127.0.0.1:8080; + proxy_pass 127.0.0.1:8087; + proxy_ssl_session_reuse off; + } + + server { + listen 127.0.0.1:8081; + proxy_pass 127.0.0.1:8087; + } +} + +http { + %%TEST_GLOBALS_HTTP%% + + server { + listen 127.0.0.1:8087 ssl; + server_name localhost; + + ssl_certificate_key localhost.key; + ssl_certificate localhost.crt; + ssl_session_cache builtin; + + location / { + add_header X-Session $ssl_session_reused; + } + } +} + +EOF + +$t->write_file('openssl.conf', <write_file('index.html', ''); + +my $d = $t->testdir(); + +foreach my $name ('localhost') { + system('openssl req -x509 -new ' + . "-config '$d/openssl.conf' -subj '/CN=$name/' " + . "-out '$d/$name.crt' -keyout '$d/$name.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for $name: $!\n"; +} + +$t->run(); + +############################################################################### + +like(http_get('/', socket => getconn('127.0.0.1:8080')), + qr/200 OK.*X-Session: \./s, 'ssl'); +like(http_get('/', socket => getconn('127.0.0.1:8081')), + qr/200 OK.*X-Session: \./s, 'ssl 2'); + +like(http_get('/', socket => getconn('127.0.0.1:8080')), + qr/200 OK.*X-Session: \./s, 'ssl reuse session'); +like(http_get('/', socket => getconn('127.0.0.1:8081')), + qr/200 OK.*X-Session: r/s, 'ssl reuse session 2'); + +############################################################################### + +sub getconn { + my $peer = shift; + my $s = IO::Socket::INET->new( + Proto => 'tcp', + PeerAddr => $peer || '127.0.0.1:8080' + ) + or die "Can't connect to nginx: $!\n"; + + return $s; +} + +############################################################################### diff --git a/stream_proxy_ssl_name.t b/stream_proxy_ssl_name.t new file mode 100644 --- /dev/null +++ b/stream_proxy_ssl_name.t @@ -0,0 +1,152 @@ +#!/usr/bin/perl + +# (C) Sergey Kandaurov +# (C) Nginx, Inc. + +# Stream tests for proxy to ssl backend, use of Server Name Indication +# (proxy_ssl_name, proxy_ssl_server_name directives). + +############################################################################### + +use warnings; +use strict; + +use Test::More; + +use IO::Select; + +BEGIN { use FindBin; chdir($FindBin::Bin); } + +use lib 'lib'; +use Test::Nginx; + +############################################################################### + +select STDERR; $| = 1; +select STDOUT; $| = 1; + +my $t = Test::Nginx->new()->has(qw/stream stream_ssl http http_ssl sni/) + ->has_daemon('openssl')->plan(5); + +$t->write_file_expand('nginx.conf', <<'EOF'); + +%%TEST_GLOBALS%% + +daemon off; + +events { +} + +stream { + proxy_ssl on; + proxy_ssl_session_reuse off; + + upstream u { + server 127.0.0.1:8086; + } + + server { + listen 127.0.0.1:8080; + proxy_pass u; + + proxy_ssl_server_name off; + } + + server { + listen 127.0.0.1:8081; + proxy_pass u; + + proxy_ssl_server_name on; + } + + server { + listen 127.0.0.1:8082; + proxy_pass 127.0.0.1:8086; + + proxy_ssl_server_name on; + proxy_ssl_name example.com; + } + + server { + listen 127.0.0.1:8083; + proxy_pass 127.0.0.1:8086; + + proxy_ssl_server_name on; + } + + server { + listen 127.0.0.1:8084; + proxy_pass 127.0.0.1:8086; + + proxy_ssl_server_name on; + proxy_ssl_name example.com:123; + } +} + +http { + %%TEST_GLOBALS_HTTP%% + + server { + listen 127.0.0.1:8086 ssl; + server_name localhost; + + ssl_certificate_key localhost.key; + ssl_certificate localhost.crt; + + location / { + add_header X-Name $ssl_server_name,; + } + } +} + +EOF + +$t->write_file('openssl.conf', <testdir(); + +foreach my $name ('localhost') { + system('openssl req -x509 -new ' + . "-config '$d/openssl.conf' -subj '/CN=$name/' " + . "-out '$d/$name.crt' -keyout '$d/$name.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for $name: $!\n"; +} + +$t->write_file('index.html', ''); + +$t->run(); + +############################################################################### + +like(http_get('/', socket => getconn('127.0.0.1:8080')), + qr/200 OK.*X-Name: ,/s, 'no name'); +like(http_get('/', socket => getconn('127.0.0.1:8081')), + qr/200 OK.*X-Name: u,/s, 'name default'); +like(http_get('/', socket => getconn('127.0.0.1:8082')), + qr/200 OK.*X-Name: example.com,/s, 'name override'); +like(http_get('/', socket => getconn('127.0.0.1:8083')), + qr/200 OK.*X-Name: ,/s, 'no ip'); +like(http_get('/', socket => getconn('127.0.0.1:8084')), + qr/200 OK.*X-Name: example.com,/s, 'no port in name'); + +############################################################################### + +sub getconn { + my $peer = shift; + my $s = IO::Socket::INET->new( + Proto => 'tcp', + PeerAddr => $peer || '127.0.0.1:8080' + ) + or die "Can't connect to nginx: $!\n"; + + return $s; +} + +############################################################################### diff --git a/stream_proxy_ssl_verify.t b/stream_proxy_ssl_verify.t new file mode 100644 --- /dev/null +++ b/stream_proxy_ssl_verify.t @@ -0,0 +1,218 @@ +#!/usr/bin/perl + +# (C) Sergey Kandaurov +# (C) Nginx, Inc. + +# Stream tests for proxy to ssl backend, backend certificate verification. + +############################################################################### + +use warnings; +use strict; + +use Test::More; + +BEGIN { use FindBin; chdir($FindBin::Bin); } + +use lib 'lib'; +use Test::Nginx; + +############################################################################### + +select STDERR; $| = 1; +select STDOUT; $| = 1; + +my $t = Test::Nginx->new()->has(qw/stream stream_ssl/)->has_daemon('openssl'); + +$t->write_file_expand('nginx.conf', <<'EOF')->plan(6); + +%%TEST_GLOBALS%% + +daemon off; + +events { +} + +stream { + proxy_ssl on; + proxy_ssl_verify on; + + server { + listen 127.0.0.1:8080; + proxy_pass 127.0.0.1:8087; + + proxy_ssl_name example.com; + proxy_ssl_trusted_certificate 1.example.com.crt; + } + + server { + listen 127.0.0.1:8081; + proxy_pass 127.0.0.1:8087; + + proxy_ssl_name foo.example.com; + proxy_ssl_trusted_certificate 1.example.com.crt; + } + + server { + listen 127.0.0.1:8082; + proxy_pass 127.0.0.1:8087; + + proxy_ssl_name no.match.example.com; + proxy_ssl_trusted_certificate 1.example.com.crt; + } + + server { + listen 127.0.0.1:8083; + proxy_pass 127.0.0.1:8088; + + proxy_ssl_name 2.example.com; + proxy_ssl_trusted_certificate 2.example.com.crt; + } + + server { + listen 127.0.0.1:8084; + proxy_pass 127.0.0.1:8088; + + proxy_ssl_name bad.example.com; + proxy_ssl_trusted_certificate 2.example.com.crt; + } + + server { + listen 127.0.0.1:8085; + proxy_pass 127.0.0.1:8088; + + proxy_ssl_trusted_certificate 1.example.com.crt; + proxy_ssl_session_reuse off; + } +} + +stream { + server { + listen 127.0.0.1:8087 ssl; + proxy_pass 127.0.0.1:8089; + + ssl_certificate 1.example.com.crt; + ssl_certificate_key 1.example.com.key; + } + + server { + listen 127.0.0.1:8088 ssl; + proxy_pass 127.0.0.1:8089; + + ssl_certificate 2.example.com.crt; + ssl_certificate_key 2.example.com.key; + } +} + +EOF + +$t->write_file('openssl.1.example.com.conf', <write_file('openssl.2.example.com.conf', <testdir(); + +foreach my $name ('1.example.com', '2.example.com') { + system('openssl req -x509 -new ' + . "-config '$d/openssl.$name.conf' " + . "-out '$d/$name.crt' -keyout '$d/$name.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for $name: $!\n"; +} + +$t->write_file('index.html', ''); + +$t->run_daemon(\&http_daemon); +$t->run(); + +$t->waitforsocket('127.0.0.1:8089'); + +############################################################################### + +# subjectAltName + +like(http_get('/', socket => getconn('127.0.0.1:8080')), + qr/200 OK/, 'verify'); +like(http_get('/', socket => getconn('127.0.0.1:8081')), + qr/200 OK/, 'verify wildcard'); +unlike(http_get('/', socket => getconn('127.0.0.1:8082')), + qr/200 OK/, 'verify fail'); + +# commonName + +like(http_get('/', socket => getconn('127.0.0.1:8083')), + qr/200 OK/, 'verify cn'); +unlike(http_get('/', socket => getconn('127.0.0.1:8084')), + qr/200 OK/, 'verify cn fail'); + +# untrusted + +unlike(http_get('/', socket => getconn('127.0.0.1:8085')), + qr/200 OK/, 'untrusted'); + +############################################################################### + +sub getconn { + my $peer = shift; + my $s = IO::Socket::INET->new( + Proto => 'tcp', + PeerAddr => $peer || '127.0.0.1:8080' + ) + or die "Can't connect to nginx: $!\n"; + + return $s; +} + +############################################################################### + +sub http_daemon { + my $server = IO::Socket::INET->new( + Proto => 'tcp', + LocalHost => '127.0.0.1:8089', + Listen => 5, + Reuse => 1 + ) + or die "Can't create listening socket: $!\n"; + + local $SIG{PIPE} = 'IGNORE'; + + while (my $client = $server->accept()) { + $client->autoflush(1); + + while (<$client>) { + last if (/^\x0d?\x0a?$/); + } + + print $client < 'Net::SSLeay not installed') if $@; + +my $t = Test::Nginx->new()->has(qw/stream stream_ssl/)->has_daemon('openssl'); + +$t->plan(5)->write_file_expand('nginx.conf', <<'EOF'); + +%%TEST_GLOBALS%% + +daemon off; + +events { +} + +stream { + ssl_certificate_key localhost.key; + ssl_certificate localhost.crt; + ssl_session_tickets off; + + # inherited by server "inherits" + ssl_password_file password_http; + + server { + listen 127.0.0.1:8080 ssl; + proxy_pass 127.0.0.1:8081; + + ssl_session_cache builtin; + ssl_password_file password; + } + + server { + listen 127.0.0.1:8082 ssl; + proxy_pass 127.0.0.1:8081; + + ssl_session_cache off; + ssl_password_file password_many; + } + + server { + listen 127.0.0.1:8083 ssl; + proxy_pass 127.0.0.1:8081; + + ssl_password_file password_fifo; + } + + server { + listen 127.0.0.1:8084 ssl; + proxy_pass 127.0.0.1:8081; + + ssl_certificate_key inherits.key; + ssl_certificate inherits.crt; + } +} + +EOF + +$t->write_file('openssl.conf', <testdir(); +mkfifo("$d/password_fifo", 0700); + +foreach my $name ('localhost', 'inherits') { + system("openssl genrsa -out $d/$name.key -passout pass:$name " + . "-aes128 2048 >>$d/openssl.out 2>&1") == 0 + or die "Can't create private key: $!\n"; + system('openssl req -x509 -new ' + . "-config '$d/openssl.conf' -subj '/CN=$name/' " + . "-out '$d/$name.crt' " + . "-key '$d/$name.key' -passin pass:$name" + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for $name: $!\n"; +} + + +my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); + +$t->write_file('password', 'localhost'); +$t->write_file('password_many', "wrong$CRLF" . "localhost$CRLF"); +$t->write_file('password_http', 'inherits'); + +fork() || exec("echo localhost > $d/password_fifo"); + +$t->run_daemon(\&http_daemon); +$t->run(); + +$t->waitforsocket('127.0.0.1:8081'); + +############################################################################### + +my ($s, $ssl, $ses); + +($s, $ssl) = get_ssl_socket(8080); +Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF"); +like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl'); + +# ssl_session_cache + +($s, $ssl) = get_ssl_socket(8080); +$ses = Net::SSLeay::get_session($ssl); + +($s, $ssl) = get_ssl_socket(8080, $ses); +is(Net::SSLeay::session_reused($ssl), 1, 'session reused'); + +($s, $ssl) = get_ssl_socket(8082); +$ses = Net::SSLeay::get_session($ssl); + +($s, $ssl) = get_ssl_socket(8082, $ses); +isnt(Net::SSLeay::session_reused($ssl), 1, 'session not reused'); + +# ssl_certificate inheritance + +($s, $ssl) = get_ssl_socket(8080); +like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=localhost/, 'CN'); + +($s, $ssl) = get_ssl_socket(8084); +like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=inherits/, 'CN inner'); + +############################################################################### + +sub get_ssl_socket { + my ($port, $ses) = @_; + my $s; + + my $dest_ip = inet_aton('127.0.0.1'); + my $dest_serv_params = sockaddr_in($port || 8080, $dest_ip); + + socket($s, &AF_INET, &SOCK_STREAM, 0) or die "socket: $!"; + connect($s, $dest_serv_params) or die "connect: $!"; + + my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); + Net::SSLeay::set_session($ssl, $ses) if defined $ses; + Net::SSLeay::set_fd( $ssl, fileno($s)); + Net::SSLeay::connect($ssl) or die("ssl connect"); + return ($s, $ssl); +} + +############################################################################### + +sub http_daemon { + my $server = IO::Socket::INET->new( + Proto => 'tcp', + LocalHost => '127.0.0.1:8081', + Listen => 5, + Reuse => 1 + ) + or die "Can't create listening socket: $!\n"; + + local $SIG{PIPE} = 'IGNORE'; + + while (my $client = $server->accept()) { + $client->autoflush(1); + + while (<$client>) { + last if (/^\x0d?\x0a?$/); + } + + print $client <