varnishtest "Health-checks: tcp-check health-check with ssl options"
# The three markers below are plain comments to the test interpreter.
# NOTE(review): presumably the regression-test runner reads them to gate the
# test on OpenSSL support, a minimum version and the "slow" class - confirm
# against the runner script.
#REQUIRE_OPTION=OPENSSL
#REQUIRE_VERSION=2.2
#REGTEST_TYPE=slow
# Tolerate macro references the interpreter does not know about; presumably
# needed for the shell-style timeout defaults in the haproxy sections below.
feature ignore_unknown_macro
# Syslog sink for the health checks that must succeed.
# It receives five messages, one per recv/expect pair; h1 points five
# backends (be1, be2, be5, be6, be7) at this sink. The pattern accepts any
# backend number, so the order in which the reports arrive is not pinned.
# "status: 1/1 UP" corresponds to the "rise 1" setting on the server lines.
syslog S_ok -level notice {
    recv
    expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be[0-9]+/srv succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status: 1/1 UP."
    recv
    expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be[0-9]+/srv succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status: 1/1 UP."
    recv
    expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be[0-9]+/srv succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status: 1/1 UP."
    recv
    expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be[0-9]+/srv succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status: 1/1 UP."
    recv
    expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be[0-9]+/srv succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status: 1/1 UP."
} -start
# Syslog sink for be3, whose check must FAIL at the TLS layer.
# be3 sends the SNI bad.haproxy.org, which the li1 listener on htst does not
# accept, so the handshake never completes. Two wordings of the failure
# reason are accepted by the alternation in the pattern.
syslog S3 -level notice {
    recv
    expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be3/srv failed, reason: Layer6 invalid response.+info: \"(Connection closed during SSL handshake|SSL handshake failure)\".+check duration: [[:digit:]]+ms, status: 0/1 DOWN."
} -start
# Syslog sink for be4: same failure as be3, but driven by a tcp-check
# ruleset, so the message must also name the failing rule
# ("at step 1 of tcp-check (connect)").
syslog S4 -level notice {
    recv
    expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be4/srv failed, reason: Layer6 invalid response.+info: \"(Connection closed during SSL handshake|SSL handshake failure) at step 1 of tcp-check \\(connect\\)\".+check duration: [[:digit:]]+ms, status: 0/1 DOWN."
} -start
# Target instance: the peer that h1's health checks connect to.
# li1 and li2 are TCP-mode gates that inspect the cleartext ClientHello and
# only forward handshakes carrying the expected SNI (li1) or ALPN (li2) to
# fe1, which terminates TLS. Anything else is rejected before the handshake
# completes, which is how the failing cases in this test are produced.
# Review note: SNI and ALPN are unauthenticated, client-chosen values; these
# rules are a test fixture and should not be read as an access-control pattern.
haproxy htst -conf {
    global
        # Size of the DH parameters used for DHE key exchange.
        tune.ssl.default-dh-param 2048

    defaults
        mode tcp
        timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"

    # SNI gate. Rule order matters: first reject what is not a TLS hello,
    # then accept the two known names, then reject everything else.
    listen li1
        bind "fd@${li1}"
        tcp-request inspect-delay 100ms
        tcp-request content reject if { req.ssl_hello_type 0 }
        tcp-request content accept if { req.ssl_sni check.haproxy.org }
        tcp-request content accept if { req.ssl_sni connect.haproxy.org }
        tcp-request content reject
        server fe1 ${htst_fe1_addr}:${htst_fe1_port}

    # ALPN gate, same shape as li1 but keyed on the offered protocols.
    listen li2
        bind "fd@${li2}"
        tcp-request inspect-delay 100ms
        tcp-request content reject if { req.ssl_hello_type 0 }
        tcp-request content accept if { req.ssl_alpn h2 }
        tcp-request content accept if { req.ssl_alpn http/1.1 }
        tcp-request content reject
        server fe1 ${htst_fe1_addr}:${htst_fe1_port}

    # TLS termination point. common.pem is loaded from the test directory;
    # presumably a certificate and key bundle kept with the tests, so treat
    # it as test-only material.
    frontend fe1
        bind "fd@${fe1}" ssl crt ${testdir}/common.pem

} -start
# Instance under test: seven backends, each exercising one way of asking
# for a TLS health check against htst, with results logged to a syslog sink.
#   be1, be3: server-line options (check-ssl with check-sni)
#   be2, be4: tcp-check ruleset (connect ssl sni ...)
#   be5:      tcp-check "connect default", combined with server-line options
#   be6:      server-line options (check-ssl with check-alpn)
#   be7:      tcp-check ruleset (connect ssl alpn ...)
# All servers use "inter 1s rise 1 fall 1", so a single check result decides
# the state and each backend produces the one log line its sink expects.
#
# Review note: every server line carries "verify none", so the check performs
# the TLS handshake without validating the peer certificate. That is what
# lets the test run against htst's test certificate; a deployment that needs
# the check to authenticate its peer would use "verify required" together
# with a "ca-file" instead of copying these lines.
haproxy h1 -conf {
    defaults
        mode tcp
        timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"

    # Expected UP: SNI check.haproxy.org is accepted by li1.
    backend be1
        log ${S_ok_addr}:${S_ok_port} daemon
        option log-health-checks
        server srv ${htst_li1_addr}:${htst_li1_port} check check-ssl check-sni check.haproxy.org inter 1s rise 1 fall 1 verify none

    # Expected UP: SNI connect.haproxy.org is accepted by li1.
    backend be2
        log ${S_ok_addr}:${S_ok_port} daemon
        option log-health-checks
        option tcp-check
        tcp-check connect ssl sni connect.haproxy.org
        server srv ${htst_li1_addr}:${htst_li1_port} check inter 1s rise 1 fall 1 verify none

    # Expected DOWN: SNI bad.haproxy.org is not accepted by li1.
    backend be3
        log ${S3_addr}:${S3_port} daemon
        option log-health-checks
        server srv ${htst_li1_addr}:${htst_li1_port} check check-ssl check-sni bad.haproxy.org inter 1s rise 1 fall 1 verify none

    # Expected DOWN: same bad SNI, sent from a tcp-check connect rule.
    backend be4
        log ${S4_addr}:${S4_port} daemon
        option log-health-checks
        option tcp-check
        tcp-check connect ssl sni bad.haproxy.org
        server srv ${htst_li1_addr}:${htst_li1_port} check inter 1s rise 1 fall 1 verify none

    # Expected UP: the connect rule names no TLS options of its own and the
    # server line supplies check-ssl and check-sni.
    backend be5
        log ${S_ok_addr}:${S_ok_port} daemon
        option log-health-checks
        option tcp-check
        tcp-check connect default
        server srv ${htst_li1_addr}:${htst_li1_port} check check-ssl check-sni check.haproxy.org inter 1s rise 1 fall 1 verify none

    # Expected UP: the offered ALPN list contains protocols li2 accepts.
    backend be6
        log ${S_ok_addr}:${S_ok_port} daemon
        option log-health-checks
        server srv ${htst_li2_addr}:${htst_li2_port} check check-ssl check-alpn "h2,http/1.1" inter 1s rise 1 fall 1 verify none

    # Expected UP: same ALPN list, sent from a tcp-check connect rule.
    backend be7
        log ${S_ok_addr}:${S_ok_port} daemon
        option log-health-checks
        option tcp-check
        tcp-check connect ssl alpn "h2,http/1.1"
        server srv ${htst_li2_addr}:${htst_li2_port} check inter 1s rise 1 fall 1 verify none

} -start
# Block until each syslog sink has run through its recv/expect script:
# five successful checks on S_ok, one failed check each on S3 and S4.
syslog S_ok -wait
syslog S3 -wait
syslog S4 -wait