comparison stream_proxy_ssl_verify.t @ 559:9208d8243926
Tests: stream ssl and proxy ssl tests.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Thu, 23 Apr 2015 14:01:21 +0300 |
parents | |
children | 153969b53780 |
558:27740a2dd781 | 559:9208d8243926 |
---|---|
1 #!/usr/bin/perl | |
2 | |
3 # (C) Sergey Kandaurov | |
4 # (C) Nginx, Inc. | |
5 | |
6 # Stream tests for proxy to ssl backend, backend certificate verification. | |
7 | |
8 ############################################################################### | |
9 | |
10 use warnings; | |
11 use strict; | |
12 | |
13 use Test::More; | |
14 | |
15 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
16 | |
17 use lib 'lib'; | |
18 use Test::Nginx; | |
19 | |
20 ############################################################################### | |
21 | |
22 select STDERR; $| = 1; | |
23 select STDOUT; $| = 1; | |
24 | |
25 my $t = Test::Nginx->new()->has(qw/stream stream_ssl/)->has_daemon('openssl'); | |
26 | |
27 $t->write_file_expand('nginx.conf', <<'EOF')->plan(6); | |
28 | |
29 %%TEST_GLOBALS%% | |
30 | |
31 daemon off; | |
32 | |
33 events { | |
34 } | |
35 | |
36 stream { | |
37 proxy_ssl on; | |
38 proxy_ssl_verify on; | |
39 | |
40 server { | |
41 listen 127.0.0.1:8080; | |
42 proxy_pass 127.0.0.1:8087; | |
43 | |
44 proxy_ssl_name example.com; | |
45 proxy_ssl_trusted_certificate 1.example.com.crt; | |
46 } | |
47 | |
48 server { | |
49 listen 127.0.0.1:8081; | |
50 proxy_pass 127.0.0.1:8087; | |
51 | |
52 proxy_ssl_name foo.example.com; | |
53 proxy_ssl_trusted_certificate 1.example.com.crt; | |
54 } | |
55 | |
56 server { | |
57 listen 127.0.0.1:8082; | |
58 proxy_pass 127.0.0.1:8087; | |
59 | |
60 proxy_ssl_name no.match.example.com; | |
61 proxy_ssl_trusted_certificate 1.example.com.crt; | |
62 } | |
63 | |
64 server { | |
65 listen 127.0.0.1:8083; | |
66 proxy_pass 127.0.0.1:8088; | |
67 | |
68 proxy_ssl_name 2.example.com; | |
69 proxy_ssl_trusted_certificate 2.example.com.crt; | |
70 } | |
71 | |
72 server { | |
73 listen 127.0.0.1:8084; | |
74 proxy_pass 127.0.0.1:8088; | |
75 | |
76 proxy_ssl_name bad.example.com; | |
77 proxy_ssl_trusted_certificate 2.example.com.crt; | |
78 } | |
79 | |
80 server { | |
81 listen 127.0.0.1:8085; | |
82 proxy_pass 127.0.0.1:8088; | |
83 | |
84 proxy_ssl_trusted_certificate 1.example.com.crt; | |
85 proxy_ssl_session_reuse off; | |
86 } | |
87 } | |
88 | |
89 stream { | |
90 server { | |
91 listen 127.0.0.1:8087 ssl; | |
92 proxy_pass 127.0.0.1:8089; | |
93 | |
94 ssl_certificate 1.example.com.crt; | |
95 ssl_certificate_key 1.example.com.key; | |
96 } | |
97 | |
98 server { | |
99 listen 127.0.0.1:8088 ssl; | |
100 proxy_pass 127.0.0.1:8089; | |
101 | |
102 ssl_certificate 2.example.com.crt; | |
103 ssl_certificate_key 2.example.com.key; | |
104 } | |
105 } | |
106 | |
107 EOF | |
108 | |
109 $t->write_file('openssl.1.example.com.conf', <<EOF); | |
110 [ req ] | |
111 prompt = no | |
112 default_bits = 1024 | |
113 encrypt_key = no | |
114 distinguished_name = req_distinguished_name | |
115 x509_extensions = v3_req | |
116 | |
117 [ req_distinguished_name ] | |
118 commonName=no.match.example.com | |
119 | |
120 [ v3_req ] | |
121 subjectAltName = DNS:example.com,DNS:*.example.com | |
122 EOF | |
123 | |
124 $t->write_file('openssl.2.example.com.conf', <<EOF); | |
125 [ req ] | |
126 prompt = no | |
127 default_bits = 1024 | |
128 encrypt_key = no | |
129 distinguished_name = req_distinguished_name | |
130 | |
131 [ req_distinguished_name ] | |
132 commonName=2.example.com | |
133 EOF | |
134 | |
135 my $d = $t->testdir(); | |
136 | |
137 foreach my $name ('1.example.com', '2.example.com') { | |
138 system('openssl req -x509 -new ' | |
139 . "-config '$d/openssl.$name.conf' " | |
140 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | |
141 . ">>$d/openssl.out 2>&1") == 0 | |
142 or die "Can't create certificate for $name: $!\n"; | |
143 } | |
144 | |
145 $t->write_file('index.html', ''); | |
146 | |
147 $t->run_daemon(\&http_daemon); | |
148 $t->run(); | |
149 | |
150 $t->waitforsocket('127.0.0.1:8089'); | |
151 | |
152 ############################################################################### | |
153 | |
154 # subjectAltName | |
155 | |
156 like(http_get('/', socket => getconn('127.0.0.1:8080')), | |
157 qr/200 OK/, 'verify'); | |
158 like(http_get('/', socket => getconn('127.0.0.1:8081')), | |
159 qr/200 OK/, 'verify wildcard'); | |
160 unlike(http_get('/', socket => getconn('127.0.0.1:8082')), | |
161 qr/200 OK/, 'verify fail'); | |
162 | |
163 # commonName | |
164 | |
165 like(http_get('/', socket => getconn('127.0.0.1:8083')), | |
166 qr/200 OK/, 'verify cn'); | |
167 unlike(http_get('/', socket => getconn('127.0.0.1:8084')), | |
168 qr/200 OK/, 'verify cn fail'); | |
169 | |
170 # untrusted | |
171 | |
172 unlike(http_get('/', socket => getconn('127.0.0.1:8085')), | |
173 qr/200 OK/, 'untrusted'); | |
174 | |
175 ############################################################################### | |
176 | |
177 sub getconn { | |
178 my $peer = shift; | |
179 my $s = IO::Socket::INET->new( | |
180 Proto => 'tcp', | |
181 PeerAddr => $peer || '127.0.0.1:8080' | |
182 ) | |
183 or die "Can't connect to nginx: $!\n"; | |
184 | |
185 return $s; | |
186 } | |
187 | |
188 ############################################################################### | |
189 | |
190 sub http_daemon { | |
191 my $server = IO::Socket::INET->new( | |
192 Proto => 'tcp', | |
193 LocalHost => '127.0.0.1:8089', | |
194 Listen => 5, | |
195 Reuse => 1 | |
196 ) | |
197 or die "Can't create listening socket: $!\n"; | |
198 | |
199 local $SIG{PIPE} = 'IGNORE'; | |
200 | |
201 while (my $client = $server->accept()) { | |
202 $client->autoflush(1); | |
203 | |
204 while (<$client>) { | |
205 last if (/^\x0d?\x0a?$/); | |
206 } | |
207 | |
208 print $client <<EOF; | |
209 HTTP/1.1 200 OK | |
210 Connection: close | |
211 | |
212 EOF | |
213 | |
214 close $client; | |
215 } | |
216 } | |
217 | |
218 ############################################################################### |
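Review bot: Both generated certificates use `default_bits = 1024` (lines 112 and 127 of the file), and OpenSSL builds that enforce security level 2 or higher reject 1024-bit RSA keys during the handshake, which would turn the positive 'verify', 'verify wildcard' and 'verify cn' checks into handshake failures unrelated to name matching; I believe some recent distributions ship that level as the default. Changing both configurations to `default_bits = 2048` keeps the certificates acceptable without altering what the test exercises. Separately, the negative checks on 8082, 8084 and 8085 only assert the absence of `200 OK`, so they would also pass if the TLS backend were unreachable for any other reason; a stronger assertion would match the expected verification error in the error log, e.g. via `$t->read_file('error.log')` if Test::Nginx exposes it in this revision, but that is an observation rather than a blocker. Note also that after a failed `system()` the message on line 142 prints `$!`, which is not set by a non-zero exit status; `$?` is the value that describes the openssl failure.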