Mercurial > hg > nginx-tests
changeset 393:3c9aeeb09ac8
Tests: proxy_ssl_name and proxy_ssl_verify tests.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Fri, 18 Apr 2014 18:42:33 +0400 |
| parents | c28ecaef065f |
| children | 8d436291c09b |
| files | proxy_ssl_name.t proxy_ssl_verify.t |
| diffstat | 2 files changed, 319 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
new file mode 100644 --- /dev/null +++ b/proxy_ssl_name.t @@ -0,0 +1,153 @@ +#!/usr/bin/perl + +# (C) Maxim Dounin +# (C) Nginx, Inc. + +# Tests for proxy to ssl backend, use of Server Name Indication +# (proxy_ssl_name, proxy_ssl_server_name directives). + +############################################################################### + +use warnings; +use strict; + +use Test::More; + +BEGIN { use FindBin; chdir($FindBin::Bin); } + +use lib 'lib'; +use Test::Nginx; + +############################################################################### + +select STDERR; $| = 1; +select STDOUT; $| = 1; + +my $t = Test::Nginx->new()->has(qw/http http_ssl sni proxy/) + ->has_daemon('openssl') + ->write_file_expand('nginx.conf', <<'EOF'); + +%%TEST_GLOBALS%% + +daemon off; + +events { +} + +http { + %%TEST_GLOBALS_HTTP%% + + upstream backend { + server 127.0.0.1:8081; + } + + upstream backend2 { + server 127.0.0.1:8081; + } + + server { + listen 127.0.0.1:8080; + server_name localhost; + + # session reuse is off, as sessions are cached + # for a particular upstream, and resumed session + # will use server name previously negotiated + + proxy_ssl_session_reuse off; + + location /1 { + proxy_pass https://127.0.0.1:8081/; + proxy_ssl_name 1.example.com; + proxy_ssl_server_name on; + } + + location /2 { + proxy_pass https://127.0.0.1:8081/; + proxy_ssl_name 2.example.com; + proxy_ssl_server_name on; + + } + + location /off { + proxy_pass https://backend/; + proxy_ssl_server_name off; + } + + location /default { + proxy_pass https://backend/; + proxy_ssl_server_name on; + } + + location /default2 { + proxy_pass https://backend2/; + proxy_ssl_server_name on; + } + + location /port { + proxy_pass https://backend/; + proxy_ssl_server_name on; + proxy_ssl_name backend:123; + } + + location /ip { + proxy_pass https://127.0.0.1:8081/; + proxy_ssl_server_name on; + } + + #location /ip6 { + # proxy_pass https://[::1]:8081/; + # proxy_ssl_server_name on; + #} + } + + server { + listen 127.0.0.1:8081 ssl; + #listen [::1]:8081 ssl; + server_name 1.example.com; + + ssl_certificate localhost.crt; + ssl_certificate_key localhost.key; + + add_header X-Name $ssl_server_name,; + } +} + +EOF + +$t->write_file('openssl.conf', <<EOF); +[ req ] +default_bits = 1024 +encrypt_key = no +distinguished_name = req_distinguished_name +[ req_distinguished_name ] +EOF + +my $d = $t->testdir(); + +foreach my $name ('localhost') { + system('openssl req -x509 -new ' + . "-config '$d/openssl.conf' -subj '/commonName=$name/' " + . "-out '$d/$name.crt' -keyout '$d/$name.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for $name: $!\n"; +} + +$t->write_file('index.html', ''); + +$t->try_run('no proxy_ssl_name')->plan(8); + +############################################################################### + +like(http_get('/1'), qr/200 OK.*X-Name: 1.example.com,/ms, 'name 1'); +like(http_get('/2'), qr/200 OK.*X-Name: 2.example.com,/ms, 'name 2'); +like(http_get('/off'), qr/200 OK.*X-Name: ,/ms, 'no name'); + +like(http_get('/default'), qr/200 OK.*X-Name: backend,/ms, 'default'); +like(http_get('/default2'), qr/200 OK.*X-Name: backend2,/ms, 'default2'); +like(http_get('/default'), qr/200 OK.*X-Name: backend,/ms, 'default again'); + +like(http_get('/port'), qr/200 OK.*X-Name: backend,/ms, 'no port in name'); +like(http_get('/ip'), qr/200 OK.*X-Name: ,/ms, 'no ip'); +#like(http_get('/ip6'), qr/200 OK.*X-Name: ,/ms, 'no ipv6'); + +###############################################################################
new file mode 100644 --- /dev/null +++ b/proxy_ssl_verify.t @@ -0,0 +1,166 @@ +#!/usr/bin/perl + +# (C) Maxim Dounin +# (C) Nginx, Inc. + +# Tests for proxy to ssl backend, backend certificate verification. + +############################################################################### + +use warnings; +use strict; + +use Test::More; + +BEGIN { use FindBin; chdir($FindBin::Bin); } + +use lib 'lib'; +use Test::Nginx; + +############################################################################### + +select STDERR; $| = 1; +select STDOUT; $| = 1; + +my $t = Test::Nginx->new()->has(qw/http http_ssl proxy/) + ->has_daemon('openssl') + ->write_file_expand('nginx.conf', <<'EOF'); + +%%TEST_GLOBALS%% + +daemon off; + +events { +} + +http { + %%TEST_GLOBALS_HTTP%% + + server { + listen 127.0.0.1:8080; + server_name localhost; + + location /verify { + proxy_pass https://127.0.0.1:8081/; + proxy_ssl_name example.com; + proxy_ssl_verify on; + proxy_ssl_trusted_certificate 1.example.com.crt; + } + + location /wildcard { + proxy_pass https://127.0.0.1:8081/; + proxy_ssl_name foo.example.com; + proxy_ssl_verify on; + proxy_ssl_trusted_certificate 1.example.com.crt; + } + + location /fail { + proxy_pass https://127.0.0.1:8081/; + proxy_ssl_name no.match.example.com; + proxy_ssl_verify on; + proxy_ssl_trusted_certificate 1.example.com.crt; + } + + location /cn { + proxy_pass https://127.0.0.1:8082/; + proxy_ssl_name 2.example.com; + proxy_ssl_verify on; + proxy_ssl_trusted_certificate 2.example.com.crt; + } + + location /cn/fail { + proxy_pass https://127.0.0.1:8082/; + proxy_ssl_name bad.example.com; + proxy_ssl_verify on; + proxy_ssl_trusted_certificate 2.example.com.crt; + } + + location /untrusted { + proxy_pass https://127.0.0.1:8082/; + proxy_ssl_verify on; + proxy_ssl_trusted_certificate 1.example.com.crt; + proxy_ssl_session_reuse off; + } + } + + server { + listen 127.0.0.1:8081 ssl; + server_name 1.example.com; + + ssl_certificate 1.example.com.crt; + ssl_certificate_key 1.example.com.key; + + add_header X-Name $ssl_server_name; + } + + server { + listen 127.0.0.1:8082 ssl; + server_name 2.example.com; + + ssl_certificate 2.example.com.crt; + ssl_certificate_key 2.example.com.key; + + add_header X-Name $ssl_server_name; + } +} + +EOF + +$t->write_file('openssl.1.example.com.conf', <<EOF); +[ req ] +prompt = no +default_bits = 1024 +encrypt_key = no +distinguished_name = req_distinguished_name +x509_extensions = v3_req + +[ req_distinguished_name ] +commonName=no.match.example.com + +[ v3_req ] +subjectAltName = DNS:example.com,DNS:*.example.com +EOF + +$t->write_file('openssl.2.example.com.conf', <<EOF); +[ req ] +prompt = no +default_bits = 1024 +encrypt_key = no +distinguished_name = req_distinguished_name + +[ req_distinguished_name ] +commonName=2.example.com +EOF + +my $d = $t->testdir(); + +foreach my $name ('1.example.com', '2.example.com') { + system('openssl req -x509 -new ' + . "-config '$d/openssl.$name.conf' " + . "-out '$d/$name.crt' -keyout '$d/$name.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for $name: $!\n"; +} + +$t->write_file('index.html', ''); + +$t->try_run('no proxy_ssl_verify')->plan(6); + +############################################################################### + +# subjectAltName + +like(http_get('/verify'), qr/200 OK/ms, 'verify'); +like(http_get('/wildcard'), qr/200 OK/ms, 'verify wildcard'); +like(http_get('/fail'), qr/502 Bad/ms, 'verify fail'); + +# commonName + +like(http_get('/cn'), qr/200 OK/ms, 'verify cn'); +like(http_get('/cn/fail'), qr/502 Bad/ms, 'verify cn fail'); + +# untrusted + +like(http_get('/untrusted'), qr/502 Bad/ms, 'untrusted'); + +###############################################################################