Mercurial > hg > nginx-tests
comparison proxy_ssl_certificate_vars.t @ 1674:55816c5fc861
Tests: variables support in certificates to upstream.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Thu, 06 May 2021 13:52:37 +0300 |
parents | |
children | 2a0a6035a1af |
comparison
equal
deleted
inserted
replaced
1673:7d40f2557a45 | 1674:55816c5fc861 |
---|---|
1 #!/usr/bin/perl | |
2 | |
3 # (C) Sergey Kandaurov | |
4 # (C) Nginx, Inc. | |
5 | |
6 # Tests for http proxy module with variables in ssl certificates. | |
7 | |
8 ############################################################################### | |
9 | |
10 use warnings; | |
11 use strict; | |
12 | |
13 use Test::More; | |
14 | |
15 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
16 | |
17 use lib 'lib'; | |
18 use Test::Nginx; | |
19 | |
20 ############################################################################### | |
21 | |
22 select STDERR; $| = 1; | |
23 select STDOUT; $| = 1; | |
24 | |
25 my $t = Test::Nginx->new()->has(qw/http http_ssl proxy/) | |
26 ->has_daemon('openssl'); | |
27 | |
28 $t->write_file_expand('nginx.conf', <<'EOF'); | |
29 | |
30 %%TEST_GLOBALS%% | |
31 | |
32 daemon off; | |
33 | |
34 events { | |
35 } | |
36 | |
37 http { | |
38 %%TEST_GLOBALS_HTTP%% | |
39 | |
40 server { | |
41 listen 127.0.0.1:8080; | |
42 server_name localhost; | |
43 | |
44 proxy_ssl_session_reuse off; | |
45 | |
46 location / { | |
47 proxy_pass https://127.0.0.1:8081/; | |
48 proxy_ssl_certificate $arg_cert.example.com.crt; | |
49 proxy_ssl_certificate_key $arg_cert.example.com.key; | |
50 } | |
51 | |
52 location /encrypted { | |
53 proxy_pass https://127.0.0.1:8082/; | |
54 proxy_ssl_certificate $arg_cert.example.com.crt; | |
55 proxy_ssl_certificate_key $arg_cert.example.com.key; | |
56 proxy_ssl_password_file password; | |
57 } | |
58 | |
59 location /none { | |
60 proxy_pass https://127.0.0.1:8082/; | |
61 proxy_ssl_certificate $arg_cert; | |
62 proxy_ssl_certificate_key $arg_cert; | |
63 } | |
64 } | |
65 | |
66 server { | |
67 listen 127.0.0.1:8081 ssl; | |
68 server_name localhost; | |
69 | |
70 ssl_certificate 2.example.com.crt; | |
71 ssl_certificate_key 2.example.com.key; | |
72 | |
73 ssl_verify_client optional_no_ca; | |
74 ssl_trusted_certificate 1.example.com.crt; | |
75 | |
76 location / { | |
77 add_header X-Verify $ssl_client_verify; | |
78 add_header X-Name $ssl_client_s_dn; | |
79 } | |
80 } | |
81 | |
82 server { | |
83 listen 127.0.0.1:8082 ssl; | |
84 server_name localhost; | |
85 | |
86 ssl_certificate 1.example.com.crt; | |
87 ssl_certificate_key 1.example.com.key; | |
88 | |
89 ssl_verify_client optional_no_ca; | |
90 ssl_trusted_certificate 3.example.com.crt; | |
91 | |
92 location / { | |
93 add_header X-Verify $ssl_client_verify; | |
94 } | |
95 } | |
96 } | |
97 | |
98 EOF | |
99 | |
100 $t->write_file('openssl.conf', <<EOF); | |
101 [ req ] | |
102 default_bits = 2048 | |
103 encrypt_key = no | |
104 distinguished_name = req_distinguished_name | |
105 [ req_distinguished_name ] | |
106 EOF | |
107 | |
108 my $d = $t->testdir(); | |
109 | |
110 foreach my $name ('1.example.com', '2.example.com') { | |
111 system('openssl req -x509 -new ' | |
112 . "-config $d/openssl.conf -subj /CN=$name/ " | |
113 . "-out $d/$name.crt -keyout $d/$name.key " | |
114 . ">>$d/openssl.out 2>&1") == 0 | |
115 or die "Can't create certificate for $name: $!\n"; | |
116 } | |
117 | |
118 foreach my $name ('3.example.com') { | |
119 system("openssl genrsa -out $d/$name.key -passout pass:$name " | |
120 . "-aes128 2048 >>$d/openssl.out 2>&1") == 0 | |
121 or die "Can't create private key: $!\n"; | |
122 system('openssl req -x509 -new ' | |
123 . "-config $d/openssl.conf -subj /CN=$name/ " | |
124 . "-out $d/$name.crt " | |
125 . "-key $d/$name.key -passin pass:$name" | |
126 . ">>$d/openssl.out 2>&1") == 0 | |
127 or die "Can't create certificate for $name: $!\n"; | |
128 } | |
129 | |
130 sleep 1 if $^O eq 'MSWin32'; | |
131 | |
132 $t->write_file('password', '3.example.com'); | |
133 $t->write_file('index.html', ''); | |
134 | |
135 $t->try_run('no upstream ssl_certificate variables')->plan(4); | |
136 | |
137 ############################################################################### | |
138 | |
139 like(http_get('/?cert=1'), | |
140 qr/X-Verify: SUCCESS/ms, 'variable - verify certificate'); | |
141 like(http_get('/?cert=2'), | |
142 qr/X-Verify: FAILED/ms, 'variable - fail certificate'); | |
143 like(http_get('/encrypted?cert=3'), | |
144 qr/X-Verify: SUCCESS/ms, 'variable - with encrypted key'); | |
145 like(http_get('/none'), | |
146 qr/X-Verify: NONE/ms, 'variable - no certificate'); | |
147 | |
148 ############################################################################### |