haproxy/reg-tests/ssl/ssl_alpn.vtc
Willy Tarreau 5003ac7fe9 MEDIUM: config: set useful ALPN defaults for HTTPS and QUIC
This commit makes sure that if three is no "alpn", "npn" nor "no-alpn"
setting on a "bind" line which corresponds to an HTTPS or QUIC frontend,
we automatically turn on "h2,http/1.1" as an ALPN default for an HTTP
listener, and "h3" for a QUIC listener. This simplifies the configuration
for end users since they won't have to explicitly configure the ALPN
string to enable H2, considering that at the time of writing, HTTP/1.1
represents less than 7% of the traffic on large infrastructures. The
doc and regtests were updated. For more info, refer to the following
thread:

  https://www.mail-archive.com/haproxy@formilux.org/msg43410.html
2023-04-19 09:52:20 +02:00

213 lines
6.7 KiB
Plaintext

#REGTEST_TYPE=devel
# This teg-test verifies that different ALPN values on the "server" line
# will negotiate the expected protocol depending on the ALPN "bind" line.
# It requires OpenSSL >= 1.0.2 for ALPN
varnishtest "Test the bind 'alpn' setting"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.8-dev7)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && openssl_version_atleast(1.0.2)'"
feature ignore_unknown_macro
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
defaults
mode http
option httplog
log stderr local0 debug err
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
listen px-clr
bind "fd@${clearfe}"
default-server ssl verify none
# first digit select the alpn sent by the client, second digit, the server one
use-server s00 if { path /00 }
server s00 "${tmpdir}/ssl0.sock"
use-server s01 if { path /01 }
server s01 "${tmpdir}/ssl1.sock"
use-server s02 if { path /02 }
server s02 "${tmpdir}/ssl2.sock"
use-server s03 if { path /03 }
server s03 "${tmpdir}/ssl3.sock"
use-server s04 if { path /04 }
server s04 "${tmpdir}/ssl4.sock"
use-server s10 if { path /10 }
server s10 "${tmpdir}/ssl0.sock" alpn http/1.1
use-server s11 if { path /11 }
server s11 "${tmpdir}/ssl1.sock" alpn http/1.1
use-server s12 if { path /12 }
server s12 "${tmpdir}/ssl2.sock" alpn http/1.1
use-server s13 if { path /13 }
server s13 "${tmpdir}/ssl3.sock" alpn http/1.1
use-server s14 if { path /14 }
server s14 "${tmpdir}/ssl4.sock" alpn http/1.1
use-server s20 if { path /20 }
server s20 "${tmpdir}/ssl0.sock" alpn h2
use-server s21 if { path /21 }
server s21 "${tmpdir}/ssl1.sock" alpn h2
use-server s22 if { path /22 }
server s22 "${tmpdir}/ssl2.sock" alpn h2
use-server s23 if { path /23 }
server s23 "${tmpdir}/ssl3.sock" alpn h2
use-server s24 if { path /24 }
server s24 "${tmpdir}/ssl4.sock" alpn h2
use-server s30 if { path /30 }
server s30 "${tmpdir}/ssl0.sock" alpn h2,http/1.1
use-server s31 if { path /31 }
server s31 "${tmpdir}/ssl1.sock" alpn h2,http/1.1
use-server s32 if { path /32 }
server s32 "${tmpdir}/ssl2.sock" alpn h2,http/1.1
use-server s33 if { path /33 }
server s33 "${tmpdir}/ssl3.sock" alpn h2,http/1.1
use-server s34 if { path /34 }
server s34 "${tmpdir}/ssl4.sock" alpn h2,http/1.1
frontend fe-ssl
bind "${tmpdir}/ssl0.sock" ssl crt ${testdir}/common.pem
bind "${tmpdir}/ssl1.sock" ssl crt ${testdir}/common.pem alpn http/1.1
bind "${tmpdir}/ssl2.sock" ssl crt ${testdir}/common.pem alpn h2
bind "${tmpdir}/ssl3.sock" ssl crt ${testdir}/common.pem alpn h2,http/1.1
bind "${tmpdir}/ssl4.sock" ssl crt ${testdir}/common.pem no-alpn
http-request return status 200 hdr x-alpn _%[ssl_fc_alpn] hdr x-path %[path] hdr x-ver _%[req.ver]
} -start
# client sends no alpn
client c1 -connect ${h1_clearfe_sock} {
txreq -url "/00"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_"
expect resp.http.x-ver == "_1.1"
txreq -url "/01"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_"
expect resp.http.x-ver == "_1.1"
txreq -url "/02"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_"
expect resp.http.x-ver == "_1.1"
txreq -url "/03"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_"
expect resp.http.x-ver == "_1.1"
txreq -url "/04"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_"
expect resp.http.x-ver == "_1.1"
} -run
# client sends alpn=http/1.1
client c1 -connect ${h1_clearfe_sock} {
txreq -url "/10"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_http/1.1"
expect resp.http.x-ver == "_1.1"
txreq -url "/11"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_http/1.1"
expect resp.http.x-ver == "_1.1"
txreq -url "/12"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_"
expect resp.http.x-ver == "_1.1"
txreq -url "/13"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_http/1.1"
expect resp.http.x-ver == "_1.1"
txreq -url "/14"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_"
expect resp.http.x-ver == "_1.1"
} -run
# client sends alpn=h2
client c1 -connect ${h1_clearfe_sock} {
txreq -url "/20"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_h2"
expect resp.http.x-ver == "_2.0"
txreq -url "/21"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_"
expect resp.http.x-ver == "_1.1"
txreq -url "/22"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_h2"
expect resp.http.x-ver == "_2.0"
txreq -url "/23"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_h2"
expect resp.http.x-ver == "_2.0"
txreq -url "/24"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_"
expect resp.http.x-ver == "_1.1"
} -run
# client sends alpn=h2,http/1.1
client c1 -connect ${h1_clearfe_sock} {
txreq -url "/30"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_h2"
expect resp.http.x-ver == "_2.0"
txreq -url "/31"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_http/1.1"
expect resp.http.x-ver == "_1.1"
txreq -url "/32"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_h2"
expect resp.http.x-ver == "_2.0"
txreq -url "/33"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_h2"
expect resp.http.x-ver == "_2.0"
txreq -url "/34"
rxresp
expect resp.status == 200
expect resp.http.x-alpn == "_"
expect resp.http.x-ver == "_1.1"
} -run