From 0ffad2d76c33ca31e897d64e16ab00e6b1825ce3 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Fri, 18 Jun 2021 16:30:36 +0200
Subject: [PATCH] REGTESTS: server: test ssl support for dynamic servers

Create a new regtest to test SSL support for dynamic servers. The first step of the test is to create the ca-file via the CLI. Then a dynamic server is created with the ssl option using the ca-file. A client request is made through it to achieve the test.
---
 reg-tests/server/cli_add_ssl_server.vtc | 63 +++++++++++++++++++++++++
 reg-tests/server/common.pem | 1 +
 2 files changed, 64 insertions(+)
 create mode 100644 reg-tests/server/cli_add_ssl_server.vtc
 create mode 120000 reg-tests/server/common.pem

diff --git a/reg-tests/server/cli_add_ssl_server.vtc b/reg-tests/server/cli_add_ssl_server.vtc
new file mode 100644
index 0000000000..d375152e6c
--- /dev/null
+++ b/reg-tests/server/cli_add_ssl_server.vtc
@@ -0,0 +1,63 @@
+varnishtest "Add server via cli with SSL activated"
+
+feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
+feature cmd "command -v socat"
+feature ignore_unknown_macro
+
+haproxy h1 -conf {
+ global
+ stats socket "${tmpdir}/h1/stats" level admin
+
+ defaults
+ mode http
+ timeout connect 1s
+ timeout client 1s
+ timeout server 1s
+
+ # proxy to attach a ssl server
+ listen li-ssl
+ bind "fd@${feSsl}"
+ balance random
+
+ # frontend used to respond to ssl connection
+ frontend fe-ssl-term
+ bind "fd@${feSslTerm}" ssl crt ${testdir}/common.pem
+ http-request return status 200
+} -start
+
+### SSL SUPPORT
+# 1. first create a ca-file using CLI
+# 2. create an SSL server and use it
+
+client c1 -connect ${h1_feSsl_sock} {
+ txreq
+ rxresp
+ expect resp.status == 503
+} -run
+
+shell {
+ echo "new ssl ca-file common.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file common.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl ca-file common.pem" | socat "${tmpdir}/h1/stats" -
+} -run
+
+haproxy h1 -cli {
+ send "show ssl ca-file common.pem"
+ expect ~ ".*SHA1 FingerPrint: 9A6418E498C43EDBCF5DD3C4C6FCD1EE0D7A946D"
+}
+
+haproxy h1 -cli {
+ # non existent backend
+ send "experimental-mode on; add server li-ssl/s1 ${h1_feSslTerm_addr}:${h1_feSslTerm_port} ssl ca-file common.pem verify none"
+ expect ~ "New server registered."
+
+ send "enable server li-ssl/s1"
+ expect ~ ".*"
+}
+
+client c2 -connect ${h1_feSsl_sock} {
+ txreq
+ rxresp
+ expect resp.status == 200
+} -run
diff --git a/reg-tests/server/common.pem b/reg-tests/server/common.pem
new file mode 120000
index 0000000000..a4433d562b
--- /dev/null
+++ b/reg-tests/server/common.pem
@@ -0,0 +1 @@
+../ssl/common.pem
\ No newline at end of file
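Review bot: The dynamic server is registered with `verify none`, so the ca-file that the preceding `shell` block creates, sets and commits over the CLI plays no part in the handshake with fe-ssl-term; a regression that left the CLI-loaded ca-file unbound from the dynamic server would still produce the 200 that c2 expects, and the "ssl ca-file" part of the test would not catch it. Since fe-ssl-term serves the same `${testdir}/common.pem` that is fed into the ca-file, `... ssl ca-file common.pem verify required` should let the server certificate validate against the uploaded CA, which presumably holds if common.pem is self-signed — confirm against reg-tests/ssl/common.pem before switching (add `verifyhost`/`sni` only if the certificate's subject matches). The comment `# non existent backend` above the `add server` line does not describe what follows, as `li-ssl` is declared in the -conf block; suggest `# attach a dynamic ssl server to the existing li-ssl proxy`. The `expect ~ ".*"` after `enable server li-ssl/s1` matches any output, including an error message, so it asserts nothing about the command's success.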