| Amaury Denoyelle | 0ffad2d | 2021-06-18 16:30:36 +0200 | [diff] [blame] | 1 | varnishtest "Add server via cli with SSL activated" |
| 2 | |
| 3 | feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'" |
| 4 | feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'" |
| 5 | feature cmd "command -v socat" |
| 6 | feature ignore_unknown_macro |
| 7 | |
| Amaury Denoyelle | 3881e17 | 2022-03-09 16:43:34 +0100 | [diff] [blame] | 8 | barrier b1 cond 2 -cyclic |
| 9 | |
| 10 | syslog S1 -level notice { |
| 11 | recv |
| 12 | expect ~ ".*Server li-ssl/s1 is UP/READY \\(leaving forced maintenance\\)." |
| 13 | recv |
| 14 | expect ~ ".*Server li-ssl/s2 is UP/READY \\(leaving forced maintenance\\)." |
| 15 | recv |
| 16 | expect ~ "Health check for server li-ssl/s2 failed" |
| 17 | |
| 18 | barrier b1 sync |
| 19 | |
| 20 | recv |
| 21 | expect ~ ".*Server li-ssl/s3 is UP/READY \\(leaving forced maintenance\\)." |
| 22 | recv |
| 23 | expect ~ "Health check for server li-ssl/s3 succeeded." |
| 24 | } -start |
| 25 | |
| Amaury Denoyelle | 0ffad2d | 2021-06-18 16:30:36 +0200 | [diff] [blame] | 26 | haproxy h1 -conf { |
| 27 | global |
| 28 | stats socket "${tmpdir}/h1/stats" level admin |
| 29 | |
| 30 | defaults |
| 31 | mode http |
| Willy Tarreau | f673923 | 2021-11-18 17:46:22 +0100 | [diff] [blame] | 32 | timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" |
| 33 | timeout client "${HAPROXY_TEST_TIMEOUT-5s}" |
| 34 | timeout server "${HAPROXY_TEST_TIMEOUT-5s}" |
| Amaury Denoyelle | 3881e17 | 2022-03-09 16:43:34 +0100 | [diff] [blame] | 35 | option log-health-checks |
| 36 | option httpchk GET / |
| Amaury Denoyelle | 0ffad2d | 2021-06-18 16:30:36 +0200 | [diff] [blame] | 37 | |
| 38 | # proxy to attach a ssl server |
| 39 | listen li-ssl |
| 40 | bind "fd@${feSsl}" |
| 41 | balance random |
| Amaury Denoyelle | 3881e17 | 2022-03-09 16:43:34 +0100 | [diff] [blame] | 42 | log ${S1_addr}:${S1_port} daemon |
| Amaury Denoyelle | 0ffad2d | 2021-06-18 16:30:36 +0200 | [diff] [blame] | 43 | |
| 44 | # frontend used to respond to ssl connection |
| 45 | frontend fe-ssl-term |
| 46 | bind "fd@${feSslTerm}" ssl crt ${testdir}/common.pem |
| 47 | http-request return status 200 |
| 48 | } -start |
| 49 | |
| 50 | ### SSL SUPPORT |
| 51 | # 1. first create a ca-file using CLI |
| 52 | # 2. create an SSL server and use it |
| 53 | |
| 54 | client c1 -connect ${h1_feSsl_sock} { |
| 55 | txreq |
| 56 | rxresp |
| 57 | expect resp.status == 503 |
| 58 | } -run |
| 59 | |
| 60 | shell { |
| 61 | echo "new ssl ca-file common.pem" | socat "${tmpdir}/h1/stats" - |
| 62 | printf "set ssl ca-file common.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" - |
| 63 | echo "commit ssl ca-file common.pem" | socat "${tmpdir}/h1/stats" - |
| 64 | } -run |
| 65 | |
| 66 | haproxy h1 -cli { |
| 67 | send "show ssl ca-file common.pem" |
| 68 | expect ~ ".*SHA1 FingerPrint: 9A6418E498C43EDBCF5DD3C4C6FCD1EE0D7A946D" |
| 69 | } |
| 70 | |
| 71 | haproxy h1 -cli { |
| 72 | # non existent backend |
| Amaury Denoyelle | 76e8b70 | 2022-03-09 15:07:31 +0100 | [diff] [blame] | 73 | send "add server li-ssl/s1 ${h1_feSslTerm_addr}:${h1_feSslTerm_port} ssl ca-file common.pem verify none" |
| Amaury Denoyelle | 0ffad2d | 2021-06-18 16:30:36 +0200 | [diff] [blame] | 74 | expect ~ "New server registered." |
| 75 | |
| 76 | send "enable server li-ssl/s1" |
| 77 | expect ~ ".*" |
| 78 | } |
| 79 | |
| 80 | client c2 -connect ${h1_feSsl_sock} { |
| 81 | txreq |
| 82 | rxresp |
| 83 | expect resp.status == 200 |
| 84 | } -run |
| Amaury Denoyelle | 3881e17 | 2022-03-09 16:43:34 +0100 | [diff] [blame] | 85 | |
| 86 | # test interaction between SSL and checks for dynamic servers |
| 87 | haproxy h1 -cli { |
| 88 | # no explicit check-ssl |
| 89 | # The health check should failed. |
| 90 | send "add server li-ssl/s2 ${h1_feSslTerm_addr}:${h1_feSslTerm_port} ssl verify none check" |
| 91 | expect ~ "New server registered." |
| 92 | |
| 93 | send "enable server li-ssl/s2" |
| 94 | expect ~ ".*" |
| 95 | send "enable health li-ssl/s2" |
| 96 | expect ~ ".*" |
| 97 | |
| 98 | barrier b1 sync |
| 99 | |
| 100 | # explicit check-ssl : health check should succeeded |
| 101 | send "add server li-ssl/s3 ${h1_feSslTerm_addr}:${h1_feSslTerm_port} ssl verify none check check-ssl" |
| 102 | expect ~ "New server registered." |
| 103 | |
| 104 | send "enable server li-ssl/s3" |
| 105 | expect ~ ".*" |
| 106 | send "enable health li-ssl/s3" |
| 107 | expect ~ ".*" |
| 108 | } |
| 109 | |
| 110 | syslog S1 -wait |