| # This reg-test is uses to test respect of the websocket protocol according to |
| # rfc6455. |
| # |
| # In particular, a request/response without a websocket key must be rejected by |
| # haproxy. Note that in the tested case (h1 on both sides), haproxy does not |
| # validate the key of the server but only checks its presence. |
| # |
| # For the case h2 client/h1 server, haproxy would add the key and validates it. |
| # However, there is no way to check this case quickly at the moment using vtest. |
| |
| varnishtest "WebSocket test" |
| |
| feature ignore_unknown_macro |
| |
| #REQUIRE_VERSION=2.4 |
| |
| # valid websocket server |
| server s1 { |
| rxreq |
| expect req.method == "GET" |
| expect req.http.connection == "upgrade" |
| expect req.http.upgrade == "websocket" |
| expect req.http.sec-websocket-key == "dGhlIHNhbXBsZSBub25jZQ==" |
| |
| txresp \ |
| -status 101 \ |
| -hdr "connection: upgrade" \ |
| -hdr "upgrade: websocket" \ |
| -hdr "sec-websocket-accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=" |
| } -repeat 2 -start |
| |
| # non-conformant server: no websocket key |
| server s2 { |
| rxreq |
| expect req.method == "GET" |
| expect req.http.connection == "upgrade" |
| expect req.http.upgrade == "websocket" |
| |
| txresp \ |
| -status 101 \ |
| -hdr "connection: upgrade" \ |
| -hdr "upgrade: websocket" |
| } -start |
| |
| # haproxy instance used as a server |
| # generate a http/1.1 websocket response with the valid key |
| haproxy hap_srv -conf { |
| defaults |
| mode http |
| timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" |
| timeout client "${HAPROXY_TEST_TIMEOUT-5s}" |
| timeout server "${HAPROXY_TEST_TIMEOUT-5s}" |
| |
| listen fe1 |
| bind "fd@${fe1}" |
| |
| # reject if the request does not contains a websocket key |
| acl ws_handshake hdr(sec-websocket-key) -m found |
| http-request reject unless ws_handshake |
| |
| # return a valid websocket handshake response |
| capture request header sec-websocket-key len 128 |
| http-request return status 200 hdr connection upgrade hdr upgrade websocket hdr sec-websocket-accept "%[capture.req.hdr(0),concat(258EAFA5-E914-47DA-95CA-C5AB0DC85B11,,),sha1,base64]" |
| http-after-response set-status 101 if { status eq 200 } |
| } -start |
| |
| # haproxy instance used as a server |
| # generate a http/1.1 websocket response with an invalid key |
| haproxy hap_srv_bad_key -conf { |
| defaults |
| mode http |
| timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" |
| timeout client "${HAPROXY_TEST_TIMEOUT-5s}" |
| timeout server "${HAPROXY_TEST_TIMEOUT-5s}" |
| |
| listen fe1 |
| bind "fd@${fe1}" |
| |
| # reject if the request does not contains a websocket key |
| acl ws_handshake hdr(sec-websocket-key) -m found |
| http-request reject unless ws_handshake |
| |
| # return an invalid websocket handshake response |
| capture request header sec-websocket-key len 128 |
| http-request return status 200 hdr connection upgrade hdr upgrade websocket hdr sec-websocket-accept "invalid_key" |
| http-after-response set-status 101 if { status eq 200 } |
| } -start |
| |
| haproxy hap -conf { |
| defaults |
| mode http |
| timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" |
| timeout client "${HAPROXY_TEST_TIMEOUT-5s}" |
| timeout server "${HAPROXY_TEST_TIMEOUT-5s}" |
| |
| listen fe1 |
| bind "fd@${fe1}" |
| server s1 ${s1_addr}:${s1_port} |
| |
| listen fe2 |
| bind "fd@${fe2}" |
| server s2 ${s2_addr}:${s2_port} |
| |
| listen fe3 |
| bind "fd@${fe3}" proto h2 |
| server hap_srv ${hap_srv_fe1_addr}:${hap_srv_fe1_port} |
| |
| listen fe4 |
| bind "fd@${fe4}" proto h2 |
| server hap_srv_bad_key ${hap_srv_bad_key_fe1_addr}:${hap_srv_bad_key_fe1_port} |
| } -start |
| |
| # standard request |
| client c1 -connect ${hap_fe1_sock} { |
| txreq \ |
| -req "GET" \ |
| -url "/" \ |
| -hdr "host: 127.0.0.1" \ |
| -hdr "connection: upgrade" \ |
| -hdr "upgrade: websocket" \ |
| -hdr "sec-websocket-key: dGhlIHNhbXBsZSBub25jZQ==" |
| rxresp |
| expect resp.status == 101 |
| expect resp.http.connection == "upgrade" |
| expect resp.http.upgrade == "websocket" |
| expect resp.http.sec-websocket-accept == "s3pPLMBiTxaQ9kYGzzhZRbK+xOo=" |
| } -run |
| |
| # missing websocket key |
| client c2 -connect ${hap_fe1_sock} { |
| txreq \ |
| -req "GET" \ |
| -url "/" \ |
| -hdr "host: 127.0.0.1" \ |
| -hdr "connection: upgrade" \ |
| -hdr "upgrade: websocket" |
| |
| rxresp |
| expect resp.status == 400 |
| } -run |
| |
| # missing key on server side |
| client c3 -connect ${hap_fe2_sock} { |
| txreq \ |
| -req "GET" \ |
| -url "/" \ |
| -hdr "host: 127.0.0.1" \ |
| -hdr "connection: upgrade" \ |
| -hdr "upgrade: websocket" \ |
| -hdr "sec-websocket-key: dGhlIHNhbXBsZSBub25jZQ==" |
| |
| rxresp |
| expect resp.status == 502 |
| } -run |
| |
| # connect with http/2 on a http/1.1 websocket server |
| # the key must be provided by haproxy |
| client c4 -connect ${hap_fe3_sock} { |
| txpri |
| stream 0 { |
| txsettings |
| rxsettings |
| txsettings -ack |
| rxsettings |
| expect settings.ack == true |
| } -run |
| |
| stream 1 { |
| txreq \ |
| -req "CONNECT" \ |
| -scheme "http" \ |
| -url "/" \ |
| -hdr ":authority" "127.0.0.1" \ |
| -hdr ":protocol" "websocket" |
| |
| rxhdrs |
| expect resp.status == 200 |
| } -run |
| } -run |
| |
| # connect with http/2 on a http/1.1 websocket server |
| # however, the server will respond with an invalid key |
| # haproxy is responsible to reject the request and returning a 502 to the client |
| client c5 -connect ${hap_fe4_sock} { |
| txpri |
| stream 0 { |
| txsettings |
| rxsettings |
| txsettings -ack |
| rxsettings |
| expect settings.ack == true |
| } -run |
| |
| stream 1 { |
| txreq \ |
| -req "CONNECT" \ |
| -scheme "http" \ |
| -url "/" \ |
| -hdr ":authority" "127.0.0.1" \ |
| -hdr ":protocol" "websocket" |
| |
| rxhdrs |
| expect resp.status == 502 |
| } -run |
| } -run |