view stream_proxy_ssl_conf_command.t @ 1701:408fe0dd3fed

Tests: fixed mail_imap_ssl.t too long shutdown. Prior to literals support in IMAP test backend (e7f0b4ca0a1a), early backend response was treated as invalid, with subsequent proxy connection close. Now that the connection continues successfully, this requires connection close before nginx shutdown. Otherwise, it would wait for proxy_timeout.
author Sergey Kandaurov <pluknet@nginx.com>
date Thu, 17 Jun 2021 19:52:36 +0300
parents 4baeba0e0da2
children 8f13779e2cde
line wrap: on
line source

#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for stream proxy to ssl backend, proxy_ssl_conf_command.

###############################################################################

use warnings;
use strict;

use Test::More;

BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;
use Test::Nginx::Stream qw/ stream /;

###############################################################################

select STDERR; $| = 1;
select STDOUT; $| = 1;

my $t = Test::Nginx->new()->has(qw/stream stream_ssl stream_return/)
	->has_daemon('openssl');

$t->{_configure_args} =~ /OpenSSL ([\d\.]+)/;
plan(skip_all => 'OpenSSL too old') unless defined $1 and $1 ge '1.0.2';
plan(skip_all => 'no ssl_conf_command') if $t->has_module('BoringSSL');

$t->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

stream {
    %%TEST_GLOBALS_STREAM%%

    server {
        listen       127.0.0.1:8080;
        proxy_pass   127.0.0.1:8081;
        proxy_ssl    on;

        proxy_ssl_certificate localhost.crt;
        proxy_ssl_certificate_key localhost.key;
        proxy_ssl_conf_command Certificate override.crt;
        proxy_ssl_conf_command PrivateKey override.key;
    }

    server {
        listen       127.0.0.1:8081 ssl;
        return       $ssl_client_s_dn;

        ssl_certificate localhost.crt;
        ssl_certificate_key localhost.key;
        ssl_verify_client optional_no_ca;
    }
}

EOF

$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

my $d = $t->testdir();

foreach my $name ('localhost', 'override') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

$t->write_file('index.html', '');
$t->run()->plan(1);

###############################################################################

like(stream('127.0.0.1:' . port(8080))->read(), qr/CN=override/,
	'Certificate');

###############################################################################