| Amaury Denoyelle | 8969c32 | 2020-12-11 17:53:12 +0100 | [diff] [blame] | 1 | # This reg-test is uses to test respect of the websocket protocol according to |
| 2 | # rfc6455. |
| 3 | # |
| 4 | # In particular, a request/response without a websocket key must be rejected by |
| 5 | # haproxy. Note that in the tested case (h1 on both sides), haproxy does not |
| 6 | # validate the key of the server but only checks its presence. |
| 7 | # |
| 8 | # For the case h2 client/h1 server, haproxy would add the key and validates it. |
| 9 | # However, there is no way to check this case quickly at the moment using vtest. |
| 10 | |
| 11 | varnishtest "WebSocket test" |
| 12 | |
| 13 | feature ignore_unknown_macro |
| 14 | |
| Christopher Faulet | 85a8136 | 2020-12-15 17:13:39 +0100 | [diff] [blame] | 15 | #REQUIRE_VERSION=2.4 |
| 16 | |
| Amaury Denoyelle | 8969c32 | 2020-12-11 17:53:12 +0100 | [diff] [blame] | 17 | # valid websocket server |
| 18 | server s1 { |
| 19 | rxreq |
| 20 | expect req.method == "GET" |
| 21 | expect req.http.connection == "upgrade" |
| 22 | expect req.http.upgrade == "websocket" |
| 23 | expect req.http.sec-websocket-key == "dGhlIHNhbXBsZSBub25jZQ==" |
| 24 | |
| 25 | txresp \ |
| 26 | -status 101 \ |
| 27 | -hdr "connection: upgrade" \ |
| 28 | -hdr "upgrade: websocket" \ |
| 29 | -hdr "sec-websocket-accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=" |
| Christopher Faulet | 9704797 | 2023-04-17 08:52:10 +0200 | [diff] [blame] | 30 | |
| 31 | recv 4 |
| 32 | send "PONG" |
| 33 | } -start |
| Amaury Denoyelle | 8969c32 | 2020-12-11 17:53:12 +0100 | [diff] [blame] | 34 | |
| 35 | # non-conformant server: no websocket key |
| 36 | server s2 { |
| 37 | rxreq |
| 38 | expect req.method == "GET" |
| 39 | expect req.http.connection == "upgrade" |
| 40 | expect req.http.upgrade == "websocket" |
| 41 | |
| 42 | txresp \ |
| 43 | -status 101 \ |
| 44 | -hdr "connection: upgrade" \ |
| 45 | -hdr "upgrade: websocket" |
| 46 | } -start |
| 47 | |
| 48 | # haproxy instance used as a server |
| 49 | # generate a http/1.1 websocket response with the valid key |
| 50 | haproxy hap_srv -conf { |
| 51 | defaults |
| 52 | mode http |
| Willy Tarreau | f673923 | 2021-11-18 17:46:22 +0100 | [diff] [blame] | 53 | timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" |
| 54 | timeout client "${HAPROXY_TEST_TIMEOUT-5s}" |
| 55 | timeout server "${HAPROXY_TEST_TIMEOUT-5s}" |
| Amaury Denoyelle | 8969c32 | 2020-12-11 17:53:12 +0100 | [diff] [blame] | 56 | |
| 57 | listen fe1 |
| 58 | bind "fd@${fe1}" |
| 59 | |
| 60 | # reject if the request does not contains a websocket key |
| 61 | acl ws_handshake hdr(sec-websocket-key) -m found |
| 62 | http-request reject unless ws_handshake |
| 63 | |
| 64 | # return a valid websocket handshake response |
| 65 | capture request header sec-websocket-key len 128 |
| 66 | http-request return status 200 hdr connection upgrade hdr upgrade websocket hdr sec-websocket-accept "%[capture.req.hdr(0),concat(258EAFA5-E914-47DA-95CA-C5AB0DC85B11,,),sha1,base64]" |
| 67 | http-after-response set-status 101 if { status eq 200 } |
| 68 | } -start |
| 69 | |
| 70 | # haproxy instance used as a server |
| 71 | # generate a http/1.1 websocket response with an invalid key |
| 72 | haproxy hap_srv_bad_key -conf { |
| 73 | defaults |
| 74 | mode http |
| Willy Tarreau | f673923 | 2021-11-18 17:46:22 +0100 | [diff] [blame] | 75 | timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" |
| 76 | timeout client "${HAPROXY_TEST_TIMEOUT-5s}" |
| 77 | timeout server "${HAPROXY_TEST_TIMEOUT-5s}" |
| Amaury Denoyelle | 8969c32 | 2020-12-11 17:53:12 +0100 | [diff] [blame] | 78 | |
| 79 | listen fe1 |
| 80 | bind "fd@${fe1}" |
| 81 | |
| 82 | # reject if the request does not contains a websocket key |
| 83 | acl ws_handshake hdr(sec-websocket-key) -m found |
| 84 | http-request reject unless ws_handshake |
| 85 | |
| 86 | # return an invalid websocket handshake response |
| 87 | capture request header sec-websocket-key len 128 |
| 88 | http-request return status 200 hdr connection upgrade hdr upgrade websocket hdr sec-websocket-accept "invalid_key" |
| 89 | http-after-response set-status 101 if { status eq 200 } |
| 90 | } -start |
| 91 | |
| 92 | haproxy hap -conf { |
| 93 | defaults |
| 94 | mode http |
| Willy Tarreau | f673923 | 2021-11-18 17:46:22 +0100 | [diff] [blame] | 95 | timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" |
| 96 | timeout client "${HAPROXY_TEST_TIMEOUT-5s}" |
| 97 | timeout server "${HAPROXY_TEST_TIMEOUT-5s}" |
| Amaury Denoyelle | 8969c32 | 2020-12-11 17:53:12 +0100 | [diff] [blame] | 98 | |
| 99 | listen fe1 |
| 100 | bind "fd@${fe1}" |
| 101 | server s1 ${s1_addr}:${s1_port} |
| 102 | |
| 103 | listen fe2 |
| 104 | bind "fd@${fe2}" |
| 105 | server s2 ${s2_addr}:${s2_port} |
| 106 | |
| 107 | listen fe3 |
| 108 | bind "fd@${fe3}" proto h2 |
| 109 | server hap_srv ${hap_srv_fe1_addr}:${hap_srv_fe1_port} |
| 110 | |
| 111 | listen fe4 |
| 112 | bind "fd@${fe4}" proto h2 |
| 113 | server hap_srv_bad_key ${hap_srv_bad_key_fe1_addr}:${hap_srv_bad_key_fe1_port} |
| 114 | } -start |
| 115 | |
| 116 | # standard request |
| 117 | client c1 -connect ${hap_fe1_sock} { |
| 118 | txreq \ |
| 119 | -req "GET" \ |
| 120 | -url "/" \ |
| 121 | -hdr "host: 127.0.0.1" \ |
| 122 | -hdr "connection: upgrade" \ |
| 123 | -hdr "upgrade: websocket" \ |
| 124 | -hdr "sec-websocket-key: dGhlIHNhbXBsZSBub25jZQ==" |
| 125 | rxresp |
| 126 | expect resp.status == 101 |
| 127 | expect resp.http.connection == "upgrade" |
| 128 | expect resp.http.upgrade == "websocket" |
| 129 | expect resp.http.sec-websocket-accept == "s3pPLMBiTxaQ9kYGzzhZRbK+xOo=" |
| Christopher Faulet | 9704797 | 2023-04-17 08:52:10 +0200 | [diff] [blame] | 130 | |
| 131 | send "PING" |
| 132 | recv 4 |
| Amaury Denoyelle | 8969c32 | 2020-12-11 17:53:12 +0100 | [diff] [blame] | 133 | } -run |
| 134 | |
| 135 | # missing websocket key |
| 136 | client c2 -connect ${hap_fe1_sock} { |
| 137 | txreq \ |
| 138 | -req "GET" \ |
| 139 | -url "/" \ |
| 140 | -hdr "host: 127.0.0.1" \ |
| 141 | -hdr "connection: upgrade" \ |
| 142 | -hdr "upgrade: websocket" |
| 143 | |
| 144 | rxresp |
| 145 | expect resp.status == 400 |
| 146 | } -run |
| 147 | |
| 148 | # missing key on server side |
| 149 | client c3 -connect ${hap_fe2_sock} { |
| 150 | txreq \ |
| 151 | -req "GET" \ |
| 152 | -url "/" \ |
| 153 | -hdr "host: 127.0.0.1" \ |
| 154 | -hdr "connection: upgrade" \ |
| 155 | -hdr "upgrade: websocket" \ |
| 156 | -hdr "sec-websocket-key: dGhlIHNhbXBsZSBub25jZQ==" |
| 157 | |
| 158 | rxresp |
| 159 | expect resp.status == 502 |
| 160 | } -run |
| 161 | |
| 162 | # connect with http/2 on a http/1.1 websocket server |
| 163 | # the key must be provided by haproxy |
| 164 | client c4 -connect ${hap_fe3_sock} { |
| 165 | txpri |
| 166 | stream 0 { |
| 167 | txsettings |
| 168 | rxsettings |
| 169 | txsettings -ack |
| 170 | rxsettings |
| 171 | expect settings.ack == true |
| 172 | } -run |
| 173 | |
| 174 | stream 1 { |
| 175 | txreq \ |
| 176 | -req "CONNECT" \ |
| 177 | -scheme "http" \ |
| 178 | -url "/" \ |
| 179 | -hdr ":authority" "127.0.0.1" \ |
| 180 | -hdr ":protocol" "websocket" |
| 181 | |
| 182 | rxhdrs |
| 183 | expect resp.status == 200 |
| 184 | } -run |
| 185 | } -run |
| 186 | |
| 187 | # connect with http/2 on a http/1.1 websocket server |
| 188 | # however, the server will respond with an invalid key |
| 189 | # haproxy is responsible to reject the request and returning a 502 to the client |
| 190 | client c5 -connect ${hap_fe4_sock} { |
| 191 | txpri |
| 192 | stream 0 { |
| 193 | txsettings |
| 194 | rxsettings |
| 195 | txsettings -ack |
| 196 | rxsettings |
| 197 | expect settings.ack == true |
| 198 | } -run |
| 199 | |
| 200 | stream 1 { |
| 201 | txreq \ |
| 202 | -req "CONNECT" \ |
| 203 | -scheme "http" \ |
| 204 | -url "/" \ |
| 205 | -hdr ":authority" "127.0.0.1" \ |
| 206 | -hdr ":protocol" "websocket" |
| 207 | |
| 208 | rxhdrs |
| 209 | expect resp.status == 502 |
| 210 | } -run |
| 211 | } -run |