reg-tests/ssl/ssl_default_server.vtc - haproxy - Gitiles

 #REGTEST_TYPE=devel

 # This reg-test ensures that SSL related configuration specified in a
 # default-server option are properly taken into account by the servers
 # (frontend). It mainly focuses on the client certificate used by the frontend,
 # that can either be defined in the server line itself, in the default-server
 # line or in both.
 #
 # It was created following a bug raised in redmine (issue #3906) in which a
 # server used an "empty" SSL context instead of the proper one.
 #

 varnishtest "Test the 'set ssl cert' feature of the CLI"
 feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
 feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
 feature ignore_unknown_macro

 server s1 -repeat 7 {
   rxreq
   txresp
 } -start

 haproxy h1 -conf {
     global
         tune.ssl.default-dh-param 2048
         tune.ssl.capture-cipherlist-size 1
         stats socket "${tmpdir}/h1/stats" level admin
         crt-base ${testdir}
         ca-base ${testdir}

     defaults
         mode http
         option httplog
         log stderr local0 debug err
         option logasap
         timeout connect 100ms
         timeout client  1s
         timeout server  1s

     listen clear-lst
         bind "fd@${clearlst}"
         use_backend first_be if { path /first }
         use_backend second_be if { path /second }
         use_backend third_be if { path /third }
         use_backend fourth_be if { path /fourth }
         use_backend fifth_be if { path /fifth }


     backend first_be
         default-server ssl crt client1.pem ca-file ca-auth.crt verify none
         server s1 "${tmpdir}/ssl.sock"

     backend second_be
         default-server ssl ca-file ca-auth.crt verify none
         server s1 "${tmpdir}/ssl.sock" crt client1.pem

     backend third_be
         default-server ssl crt client1.pem ca-file ca-auth.crt verify none
         server s1 "${tmpdir}/ssl.sock" crt client2_expired.pem

     backend fourth_be
         default-server ssl crt client1.pem verify none
         server s1 "${tmpdir}/ssl.sock" ca-file ca-auth.crt

     backend fifth_be
         balance roundrobin
         default-server ssl crt client1.pem verify none
         server s1 "${tmpdir}/ssl.sock"
         server s2 "${tmpdir}/ssl.sock" crt client2_expired.pem
         server s3 "${tmpdir}/ssl.sock"


     listen ssl-lst
         bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ca-auth.crt verify required crt-ignore-err all

         acl cert_expired ssl_c_verify 10
         acl cert_revoked ssl_c_verify 23
         acl cert_ok ssl_c_verify 0

         http-response add-header X-SSL Ok if cert_ok
         http-response add-header X-SSL Expired if cert_expired
         http-response add-header X-SSL Revoked if cert_revoked

         server s1 ${s1_addr}:${s1_port}
 } -start


 client c1 -connect ${h1_clearlst_sock} {
     txreq -url "/first"
     rxresp
     expect resp.status == 200
     expect resp.http.x-ssl == "Ok"
 } -run

 client c1 -connect ${h1_clearlst_sock} {
     txreq -url "/second"
     txreq
     rxresp
     expect resp.status == 200
     expect resp.http.x-ssl == "Ok"
 } -run

 client c1 -connect ${h1_clearlst_sock} {
     txreq -url "/third"
     txreq
     rxresp
     expect resp.status == 200
     expect resp.http.x-ssl == "Expired"
 } -run

 client c1 -connect ${h1_clearlst_sock} {
     txreq -url "/fourth"
     txreq
     rxresp
     expect resp.status == 200
     expect resp.http.x-ssl == "Ok"
 } -run

 client c1 -connect ${h1_clearlst_sock} {
     txreq -url "/fifth"
     txreq
     rxresp
     expect resp.status == 200
     expect resp.http.x-ssl == "Ok"
 } -run

 client c1 -connect ${h1_clearlst_sock} {
     txreq -url "/fifth"
     txreq
     rxresp
     expect resp.status == 200
     expect resp.http.x-ssl == "Expired"
 } -run

 client c1 -connect ${h1_clearlst_sock} {
     txreq -url "/fifth"
     txreq
     rxresp
     expect resp.status == 200
     expect resp.http.x-ssl == "Ok"
 } -run
	#REGTEST_TYPE=devel

	# This reg-test ensures that SSL related configuration specified in a
	# default-server option are properly taken into account by the servers
	# (frontend). It mainly focuses on the client certificate used by the frontend,
	# that can either be defined in the server line itself, in the default-server
	# line or in both.
	#
	# It was created following a bug raised in redmine (issue #3906) in which a
	# server used an "empty" SSL context instead of the proper one.
	#

	varnishtest "Test the 'set ssl cert' feature of the CLI"
	feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
	feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
	feature ignore_unknown_macro

	server s1 -repeat 7 {
	rxreq
	txresp
	} -start

	haproxy h1 -conf {
	global
	tune.ssl.default-dh-param 2048
	tune.ssl.capture-cipherlist-size 1
	stats socket "${tmpdir}/h1/stats" level admin
	crt-base ${testdir}
	ca-base ${testdir}

	defaults
	mode http
	option httplog
	log stderr local0 debug err
	option logasap
	timeout connect 100ms
	timeout client 1s
	timeout server 1s

	listen clear-lst
	bind "fd@${clearlst}"
	use_backend first_be if { path /first }
	use_backend second_be if { path /second }
	use_backend third_be if { path /third }
	use_backend fourth_be if { path /fourth }
	use_backend fifth_be if { path /fifth }


	backend first_be
	default-server ssl crt client1.pem ca-file ca-auth.crt verify none
	server s1 "${tmpdir}/ssl.sock"

	backend second_be
	default-server ssl ca-file ca-auth.crt verify none
	server s1 "${tmpdir}/ssl.sock" crt client1.pem

	backend third_be
	default-server ssl crt client1.pem ca-file ca-auth.crt verify none
	server s1 "${tmpdir}/ssl.sock" crt client2_expired.pem

	backend fourth_be
	default-server ssl crt client1.pem verify none
	server s1 "${tmpdir}/ssl.sock" ca-file ca-auth.crt

	backend fifth_be
	balance roundrobin
	default-server ssl crt client1.pem verify none
	server s1 "${tmpdir}/ssl.sock"
	server s2 "${tmpdir}/ssl.sock" crt client2_expired.pem
	server s3 "${tmpdir}/ssl.sock"


	listen ssl-lst
	bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ca-auth.crt verify required crt-ignore-err all

	acl cert_expired ssl_c_verify 10
	acl cert_revoked ssl_c_verify 23
	acl cert_ok ssl_c_verify 0

	http-response add-header X-SSL Ok if cert_ok
	http-response add-header X-SSL Expired if cert_expired
	http-response add-header X-SSL Revoked if cert_revoked

	server s1 ${s1_addr}:${s1_port}
	} -start



	client c1 -connect ${h1_clearlst_sock} {
	txreq -url "/first"
	rxresp
	expect resp.status == 200
	expect resp.http.x-ssl == "Ok"
	} -run

	client c1 -connect ${h1_clearlst_sock} {
	txreq -url "/second"
	txreq
	rxresp
	expect resp.status == 200
	expect resp.http.x-ssl == "Ok"
	} -run

	client c1 -connect ${h1_clearlst_sock} {
	txreq -url "/third"
	txreq
	rxresp
	expect resp.status == 200
	expect resp.http.x-ssl == "Expired"
	} -run

	client c1 -connect ${h1_clearlst_sock} {
	txreq -url "/fourth"
	txreq
	rxresp
	expect resp.status == 200
	expect resp.http.x-ssl == "Ok"
	} -run

	client c1 -connect ${h1_clearlst_sock} {
	txreq -url "/fifth"
	txreq
	rxresp
	expect resp.status == 200
	expect resp.http.x-ssl == "Ok"
	} -run

	client c1 -connect ${h1_clearlst_sock} {
	txreq -url "/fifth"
	txreq
	rxresp
	expect resp.status == 200
	expect resp.http.x-ssl == "Expired"
	} -run

	client c1 -connect ${h1_clearlst_sock} {
	txreq -url "/fifth"
	txreq
	rxresp
	expect resp.status == 200
	expect resp.http.x-ssl == "Ok"
	} -run