Mercurial > hg > nginx-tests
comparison ssl_proxy_protocol.t @ 603:cc722d0c557d
Tests: proxy_protocol ssl tests.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Tue, 09 Jun 2015 17:38:47 -0400 |
| parents | |
| children | adf5671391ac |
comparison
equal
deleted
inserted
replaced
| 602:1177e4dd249a | 603:cc722d0c557d |
|---|---|
| 1 #!/usr/bin/perl | |
| 2 | |
| 3 # (C) Sergey Kandaurov | |
| 4 # (C) Nginx, Inc. | |
| 5 | |
| 6 # Tests for http ssl module with haproxy protocol. | |
| 7 | |
| 8 ############################################################################### | |
| 9 | |
| 10 use warnings; | |
| 11 use strict; | |
| 12 | |
| 13 use Test::More; | |
| 14 | |
| 15 use Socket qw/ CRLF /; | |
| 16 | |
| 17 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
| 18 | |
| 19 use lib 'lib'; | |
| 20 use Test::Nginx; | |
| 21 | |
| 22 ############################################################################### | |
| 23 | |
| 24 select STDERR; $| = 1; | |
| 25 select STDOUT; $| = 1; | |
| 26 | |
| 27 eval { require IO::Socket::SSL; }; | |
| 28 plan(skip_all => 'IO::Socket::SSL not installed') if $@; | |
| 29 eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; | |
| 30 plan(skip_all => 'IO::Socket::SSL too old') if $@; | |
| 31 | |
| 32 my $t = Test::Nginx->new()->has(qw/http http_ssl access ipv6 realip/) | |
| 33 ->has_daemon('openssl'); | |
| 34 | |
| 35 $t->write_file_expand('nginx.conf', <<'EOF')->plan(18); | |
| 36 | |
| 37 %%TEST_GLOBALS%% | |
| 38 | |
| 39 daemon off; | |
| 40 | |
| 41 events { | |
| 42 } | |
| 43 | |
| 44 http { | |
| 45 %%TEST_GLOBALS_HTTP%% | |
| 46 | |
| 47 log_format pp '$remote_addr $request'; | |
| 48 | |
| 49 server { | |
| 50 listen 127.0.0.1:8080 proxy_protocol ssl; | |
| 51 server_name localhost; | |
| 52 | |
| 53 ssl_certificate_key localhost.key; | |
| 54 ssl_certificate localhost.crt; | |
| 55 | |
| 56 set_real_ip_from 127.0.0.1/32; | |
| 57 add_header X-IP $remote_addr; | |
| 58 add_header X-PP $proxy_protocol_addr; | |
| 59 | |
| 60 location /pp { | |
| 61 real_ip_header proxy_protocol; | |
| 62 error_page 404 =200 /t1; | |
| 63 access_log %%TESTDIR%%/pp.log pp; | |
| 64 | |
| 65 location /pp_4 { | |
| 66 deny 192.0.2.1/32; | |
| 67 } | |
| 68 location /pp_6 { | |
| 69 deny 2001:DB8::1/128; | |
| 70 } | |
| 71 } | |
| 72 } | |
| 73 } | |
| 74 | |
| 75 EOF | |
| 76 | |
| 77 $t->write_file('openssl.conf', <<EOF); | |
| 78 [ req ] | |
| 79 default_bits = 2048 | |
| 80 encrypt_key = no | |
| 81 distinguished_name = req_distinguished_name | |
| 82 [ req_distinguished_name ] | |
| 83 EOF | |
| 84 | |
| 85 my $d = $t->testdir(); | |
| 86 | |
| 87 foreach my $name ('localhost') { | |
| 88 system('openssl req -x509 -new ' | |
| 89 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
| 90 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | |
| 91 . ">>$d/openssl.out 2>&1") == 0 | |
| 92 or die "Can't create certificate for $name: $!\n"; | |
| 93 } | |
| 94 | |
| 95 $t->write_file('t1', 'SEE-THIS'); | |
| 96 $t->run(); | |
| 97 | |
| 98 ############################################################################### | |
| 99 | |
| 100 my $tcp4 = 'PROXY TCP4 192.0.2.1 192.0.2.2 1234 5678' . CRLF; | |
| 101 my $tcp6 = 'PROXY TCP6 2001:Db8::1 2001:Db8::2 1234 5678' . CRLF; | |
| 102 my $unk1 = 'PROXY UNKNOWN' . CRLF; | |
| 103 my $unk2 = 'PROXY UNKNOWN 1 2 3 4 5 6' . CRLF; | |
| 104 my $r; | |
| 105 | |
| 106 # no realip, just PROXY header parsing | |
| 107 | |
| 108 $r = pp_get('/t1', $tcp4); | |
| 109 like($r, qr/SEE-THIS/, 'tcp4 request'); | |
| 110 like($r, qr/X-PP: 192.0.2.1/, 'tcp4 proxy'); | |
| 111 unlike($r, qr/X-IP: 192.0.2.1/, 'tcp4 client'); | |
| 112 | |
| 113 $r = pp_get('/t1', $tcp6); | |
| 114 like($r, qr/SEE-THIS/, 'tcp6 request'); | |
| 115 like($r, qr/X-PP: 2001:DB8::1/i, 'tcp6 proxy'); | |
| 116 unlike($r, qr/X-IP: 2001:DB8::1/i, 'tcp6 client'); | |
| 117 | |
| 118 like(pp_get('/t1', $unk1), qr/SEE-THIS/, 'unknown request 1'); | |
| 119 like(pp_get('/t1', $unk2), qr/SEE-THIS/, 'unknown request 2'); | |
| 120 | |
| 121 # realip | |
| 122 | |
| 123 $r = pp_get('/pp', $tcp4); | |
| 124 like($r, qr/SEE-THIS/, 'tcp4 request realip'); | |
| 125 like($r, qr/X-PP: 192.0.2.1/, 'tcp4 proxy realip'); | |
| 126 like($r, qr/X-IP: 192.0.2.1/, 'tcp4 client realip'); | |
| 127 | |
| 128 $r = pp_get('/pp', $tcp6); | |
| 129 like($r, qr/SEE-THIS/, 'tcp6 request realip'); | |
| 130 like($r, qr/X-PP: 2001:DB8::1/i, 'tcp6 proxy realip'); | |
| 131 like($r, qr/X-IP: 2001:DB8::1/i, 'tcp6 client realip'); | |
| 132 | |
| 133 # access | |
| 134 | |
| 135 $r = pp_get('/pp_4', $tcp4); | |
| 136 like($r, qr/403 Forbidden/, 'tcp4 access'); | |
| 137 | |
| 138 $r = pp_get('/pp_6', $tcp6); | |
| 139 like($r, qr/403 Forbidden/, 'tcp6 access'); | |
| 140 | |
| 141 # client address in access.log | |
| 142 | |
| 143 $t->stop(); | |
| 144 | |
| 145 my $log; | |
| 146 | |
| 147 { | |
| 148 open LOG, $t->testdir() . '/pp.log' | |
| 149 or die("Can't open nginx access log file.\n"); | |
| 150 local $/; | |
| 151 $log = <LOG>; | |
| 152 close LOG; | |
| 153 } | |
| 154 | |
| 155 like($log, qr!^192\.0\.2\.1 GET /pp_4!m, 'tcp4 access log'); | |
| 156 like($log, qr!^2001:DB8::1 GET /pp_6!mi, 'tcp6 access log'); | |
| 157 | |
| 158 ############################################################################### | |
| 159 | |
| 160 sub pp_get { | |
| 161 my ($url, $proxy) = @_; | |
| 162 | |
| 163 my $s = http($proxy, start => 1); | |
| 164 | |
| 165 IO::Socket::SSL->start_SSL($s, | |
| 166 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | |
| 167 SSL_error_trap => sub { die $_[1] } | |
| 168 ); | |
| 169 | |
| 170 return http(<<EOF, socket => $s); | |
| 171 GET $url HTTP/1.0 | |
| 172 Host: localhost | |
| 173 | |
| 174 EOF | |
| 175 } | |
| 176 | |
| 177 ############################################################################### |