mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-21 03:00:35 +00:00
1105524cbe
Update the SSL reg-test in order to use the new pki.
111 lines
2.8 KiB
Plaintext
111 lines
2.8 KiB
Plaintext
varnishtest "Add server via cli with SSL activated"
|
|
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
|
|
feature cmd "command -v socat"
|
|
feature ignore_unknown_macro
|
|
|
|
barrier b1 cond 2 -cyclic
|
|
|
|
syslog S1 -level notice {
|
|
recv
|
|
expect ~ ".*Server li-ssl/s1 is UP/READY \\(leaving forced maintenance\\)."
|
|
recv
|
|
expect ~ ".*Server li-ssl/s2 is UP/READY \\(leaving forced maintenance\\)."
|
|
recv
|
|
expect ~ "Health check for server li-ssl/s2 failed"
|
|
|
|
barrier b1 sync
|
|
|
|
recv
|
|
expect ~ ".*Server li-ssl/s3 is UP/READY \\(leaving forced maintenance\\)."
|
|
recv
|
|
expect ~ "Health check for server li-ssl/s3 succeeded."
|
|
} -start
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
stats socket "${tmpdir}/h1/stats" level admin
|
|
|
|
defaults
|
|
mode http
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
option log-health-checks
|
|
option httpchk GET /
|
|
|
|
# proxy to attach a ssl server
|
|
listen li-ssl
|
|
bind "fd@${feSsl}"
|
|
balance random
|
|
log ${S1_addr}:${S1_port} daemon
|
|
|
|
# frontend used to respond to ssl connection
|
|
frontend fe-ssl-term
|
|
bind "fd@${feSslTerm}" ssl crt ${testdir}/common.pem
|
|
http-request return status 200
|
|
} -start
|
|
|
|
### SSL SUPPORT
|
|
# 1. first create a ca-file using CLI
|
|
# 2. create an SSL server and use it
|
|
|
|
client c1 -connect ${h1_feSsl_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 503
|
|
} -run
|
|
|
|
shell {
|
|
echo "new ssl ca-file common.pem" | socat "${tmpdir}/h1/stats" -
|
|
printf "set ssl ca-file common.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl ca-file common.pem" | socat "${tmpdir}/h1/stats" -
|
|
} -run
|
|
|
|
haproxy h1 -cli {
|
|
send "show ssl ca-file common.pem"
|
|
expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
|
|
}
|
|
|
|
haproxy h1 -cli {
|
|
# non existent backend
|
|
send "add server li-ssl/s1 ${h1_feSslTerm_addr}:${h1_feSslTerm_port} ssl ca-file common.pem verify none"
|
|
expect ~ "New server registered."
|
|
|
|
send "enable server li-ssl/s1"
|
|
expect ~ ".*"
|
|
}
|
|
|
|
client c2 -connect ${h1_feSsl_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
} -run
|
|
|
|
# test interaction between SSL and checks for dynamic servers
|
|
haproxy h1 -cli {
|
|
# no explicit check-ssl
|
|
# The health check should failed.
|
|
send "add server li-ssl/s2 ${h1_feSslTerm_addr}:${h1_feSslTerm_port} ssl verify none check"
|
|
expect ~ "New server registered."
|
|
|
|
send "enable server li-ssl/s2"
|
|
expect ~ ".*"
|
|
send "enable health li-ssl/s2"
|
|
expect ~ ".*"
|
|
|
|
barrier b1 sync
|
|
|
|
# explicit check-ssl : health check should succeeded
|
|
send "add server li-ssl/s3 ${h1_feSslTerm_addr}:${h1_feSslTerm_port} ssl verify none check check-ssl"
|
|
expect ~ "New server registered."
|
|
|
|
send "enable server li-ssl/s3"
|
|
expect ~ ".*"
|
|
send "enable health li-ssl/s3"
|
|
expect ~ ".*"
|
|
}
|
|
|
|
syslog S1 -wait
|