mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2025-02-12 00:16:58 +00:00
Mark the reverse HTTP feature as experimental. This will allow the configuration mechanism to be adjusted, if needed, by future developments without having to maintain backward compatibility. Concretely, each config directive linked to it now requires global expose-experimental-directives to be specified first. This is the case for the following directives: - rhttp@ prefix used in bind and server lines - nbconn bind keyword - attach-srv tcp rule. Each documentation section referring to these keywords is updated to highlight this new requirement. Note that this commit duplicates in several places the code from the global function check_kw_experimental(). This is because the latter only works with the cfg_keyword type and is not suited to the bind_kw or action_kw types. This should be improved in a future patch.
varnishtest "Reverse server with a name parameter test"

# Run only when the haproxy binary under test reports the OPENSSL feature:
# both haproxy instances below use "ssl" on their bind/server lines.
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"

# Leave unknown ${...} sequences alone instead of failing the test, so the
# haproxy environment-variable defaults used in the configs pass through.
feature ignore_unknown_macro

# Version marker line, kept verbatim (presumably read by the regtest runner
# to skip older haproxy versions; confirm against the runner script).
#REQUIRE_VERSION=2.9

# Two-party barrier: one side is client c_dev, the other the top-level script.
barrier b1 cond 2

# Edge proxy under test. "pub" accepts plain HTTP and routes it to be-reverse;
# "priv" accepts mutually-authenticated TLS connections and attaches each one
# to the be-reverse/dev reverse server.
haproxy h_edge -conf {
    global
        # Needed because rhttp@ and attach-srv are experimental directives.
        expose-experimental-directives

    defaults
        mode http
        log global
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"

    frontend pub
        bind "fd@${pub}"
        use_backend be-reverse

    backend be-reverse
        # rhttp@ server: it has no address of its own and relies on
        # connections attached through the attach-srv rule of frontend priv.
        # The sni expression is taken from the x-name request header; the
        # clients at the end of this test check that a request is served only
        # when that value equals the name recorded at attach time.
        # NOTE(review): "verify none" disables peer certificate checks and
        # x-name is chosen by the public client. Both are fine for this
        # regression test but should not be copied as-is into a deployment.
        server dev rhttp@ ssl sni hdr(x-name) verify none

    frontend priv
        # A client certificate signed by ca-auth.crt is mandatory here
        # (verify required), and only h2 is offered through ALPN.
        bind "fd@${priv}" ssl crt ${testdir}/common.pem verify required ca-verify-file ${testdir}/ca-auth.crt alpn h2

        # Attach the accepted connection to be-reverse/dev, named after the
        # subject CN of the client certificate presented on this bind line.
        tcp-request session attach-srv be-reverse/dev name ssl_c_s_dn(CN)
} -start

# Clear-text to TLS bridge placed between the test client and h_edge, so the
# client can speak plain h2 while h_edge's priv frontend sees a TLS client.
# The certificate it presents (client1.pem) carries the name "client1".
haproxy h_ssl_bridge -conf {
    defaults
        mode tcp
        log global
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"

    listen li
        bind "fd@${li}"
        # Connects to h_edge's priv frontend with the client1 certificate.
        # "verify none" skips validation of h_edge's certificate (test only).
        server h_edge "${h_edge_priv_addr}:${h_edge_priv_port}" ssl crt ${testdir}/client1.pem verify none alpn h2
} -start

# Client reaching the private endpoint through the bridge. Its connection is
# the one that gets attached to the reverse server, after which it plays the
# role of the HTTP/2 peer answering the request forwarded by h_edge.
client c_dev -connect ${h_ssl_bridge_li_sock} {
	# HTTP/2 connection preface.
	txpri

	# SETTINGS exchange on the control stream, both directions acknowledged.
	stream 0 {
		txsettings
		rxsettings
		txsettings -ack
		rxsettings
		expect settings.ack == true
	} -run

	# Tell the top-level script that the connection is ready to be used.
	barrier b1 sync

	# Receive the request headers forwarded on stream 1.
	stream 1 {
		rxhdrs
	} -run

	# Hand-built HEADERS frame sent as the response: length 4, type 0x01,
	# flags 0x05 (END_STREAM and END_HEADERS), stream id 1. The HPACK
	# payload is 0x88 (indexed ":status: 200") followed by 5c 01 30
	# ("content-length: 0").
	sendhex "000004 01 05 00000001 88 5c 01 30"
} -start

# Hold the public-side clients back until c_dev has finished its SETTINGS
# exchange and reached its own "barrier b1 sync".
barrier b1 sync

# Negative case on the public endpoint: x-name does not match the name of the
# client certificate used for the attached connection ("client1"), so the
# request must not be served over it and a 503 is expected.
client c1 -connect ${h_edge_pub_sock} {
	txreq -url "/" -hdr "x-name: client99"
	rxresp
	expect resp.status == 503
} -run

# Positive case on the public endpoint: x-name carries the correct name
# ("client1"), so the request is answered with the 200 sent by c_dev.
client c2 -connect ${h_edge_pub_sock} {
	txreq -url "/" -hdr "x-name: client1"
	rxresp
	expect resp.status == 200
} -run