Amaury Denoyelle | 8969c32 | 2020-12-11 17:53:12 +0100 | [diff] [blame] | 1 | # This reg-test is uses to test respect of the websocket protocol according to |
| 2 | # rfc6455. |
| 3 | # |
| 4 | # In particular, a request/response without a websocket key must be rejected by |
| 5 | # haproxy. Note that in the tested case (h1 on both sides), haproxy does not |
| 6 | # validate the key of the server but only checks its presence. |
| 7 | # |
| 8 | # For the case h2 client/h1 server, haproxy would add the key and validates it. |
| 9 | # However, there is no way to check this case quickly at the moment using vtest. |
| 10 | |
| 11 | varnishtest "WebSocket test" |
| 12 | |
| 13 | feature ignore_unknown_macro |
| 14 | |
Christopher Faulet | 85a8136 | 2020-12-15 17:13:39 +0100 | [diff] [blame] | 15 | #REQUIRE_VERSION=2.4 |
| 16 | |
Amaury Denoyelle | 8969c32 | 2020-12-11 17:53:12 +0100 | [diff] [blame] | 17 | # valid websocket server |
| 18 | server s1 { |
| 19 | rxreq |
| 20 | expect req.method == "GET" |
| 21 | expect req.http.connection == "upgrade" |
| 22 | expect req.http.upgrade == "websocket" |
| 23 | expect req.http.sec-websocket-key == "dGhlIHNhbXBsZSBub25jZQ==" |
| 24 | |
| 25 | txresp \ |
| 26 | -status 101 \ |
| 27 | -hdr "connection: upgrade" \ |
| 28 | -hdr "upgrade: websocket" \ |
| 29 | -hdr "sec-websocket-accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=" |
| 30 | } -repeat 2 -start |
| 31 | |
| 32 | # non-conformant server: no websocket key |
| 33 | server s2 { |
| 34 | rxreq |
| 35 | expect req.method == "GET" |
| 36 | expect req.http.connection == "upgrade" |
| 37 | expect req.http.upgrade == "websocket" |
| 38 | |
| 39 | txresp \ |
| 40 | -status 101 \ |
| 41 | -hdr "connection: upgrade" \ |
| 42 | -hdr "upgrade: websocket" |
| 43 | } -start |
| 44 | |
| 45 | # haproxy instance used as a server |
| 46 | # generate a http/1.1 websocket response with the valid key |
| 47 | haproxy hap_srv -conf { |
| 48 | defaults |
| 49 | mode http |
Willy Tarreau | f673923 | 2021-11-18 17:46:22 +0100 | [diff] [blame] | 50 | timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" |
| 51 | timeout client "${HAPROXY_TEST_TIMEOUT-5s}" |
| 52 | timeout server "${HAPROXY_TEST_TIMEOUT-5s}" |
Amaury Denoyelle | 8969c32 | 2020-12-11 17:53:12 +0100 | [diff] [blame] | 53 | |
| 54 | listen fe1 |
| 55 | bind "fd@${fe1}" |
| 56 | |
| 57 | # reject if the request does not contains a websocket key |
| 58 | acl ws_handshake hdr(sec-websocket-key) -m found |
| 59 | http-request reject unless ws_handshake |
| 60 | |
| 61 | # return a valid websocket handshake response |
| 62 | capture request header sec-websocket-key len 128 |
| 63 | http-request return status 200 hdr connection upgrade hdr upgrade websocket hdr sec-websocket-accept "%[capture.req.hdr(0),concat(258EAFA5-E914-47DA-95CA-C5AB0DC85B11,,),sha1,base64]" |
| 64 | http-after-response set-status 101 if { status eq 200 } |
| 65 | } -start |
| 66 | |
| 67 | # haproxy instance used as a server |
| 68 | # generate a http/1.1 websocket response with an invalid key |
| 69 | haproxy hap_srv_bad_key -conf { |
| 70 | defaults |
| 71 | mode http |
Willy Tarreau | f673923 | 2021-11-18 17:46:22 +0100 | [diff] [blame] | 72 | timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" |
| 73 | timeout client "${HAPROXY_TEST_TIMEOUT-5s}" |
| 74 | timeout server "${HAPROXY_TEST_TIMEOUT-5s}" |
Amaury Denoyelle | 8969c32 | 2020-12-11 17:53:12 +0100 | [diff] [blame] | 75 | |
| 76 | listen fe1 |
| 77 | bind "fd@${fe1}" |
| 78 | |
| 79 | # reject if the request does not contains a websocket key |
| 80 | acl ws_handshake hdr(sec-websocket-key) -m found |
| 81 | http-request reject unless ws_handshake |
| 82 | |
| 83 | # return an invalid websocket handshake response |
| 84 | capture request header sec-websocket-key len 128 |
| 85 | http-request return status 200 hdr connection upgrade hdr upgrade websocket hdr sec-websocket-accept "invalid_key" |
| 86 | http-after-response set-status 101 if { status eq 200 } |
| 87 | } -start |
| 88 | |
| 89 | haproxy hap -conf { |
| 90 | defaults |
| 91 | mode http |
Willy Tarreau | f673923 | 2021-11-18 17:46:22 +0100 | [diff] [blame] | 92 | timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" |
| 93 | timeout client "${HAPROXY_TEST_TIMEOUT-5s}" |
| 94 | timeout server "${HAPROXY_TEST_TIMEOUT-5s}" |
Amaury Denoyelle | 8969c32 | 2020-12-11 17:53:12 +0100 | [diff] [blame] | 95 | |
| 96 | listen fe1 |
| 97 | bind "fd@${fe1}" |
| 98 | server s1 ${s1_addr}:${s1_port} |
| 99 | |
| 100 | listen fe2 |
| 101 | bind "fd@${fe2}" |
| 102 | server s2 ${s2_addr}:${s2_port} |
| 103 | |
| 104 | listen fe3 |
| 105 | bind "fd@${fe3}" proto h2 |
| 106 | server hap_srv ${hap_srv_fe1_addr}:${hap_srv_fe1_port} |
| 107 | |
| 108 | listen fe4 |
| 109 | bind "fd@${fe4}" proto h2 |
| 110 | server hap_srv_bad_key ${hap_srv_bad_key_fe1_addr}:${hap_srv_bad_key_fe1_port} |
| 111 | } -start |
| 112 | |
| 113 | # standard request |
| 114 | client c1 -connect ${hap_fe1_sock} { |
| 115 | txreq \ |
| 116 | -req "GET" \ |
| 117 | -url "/" \ |
| 118 | -hdr "host: 127.0.0.1" \ |
| 119 | -hdr "connection: upgrade" \ |
| 120 | -hdr "upgrade: websocket" \ |
| 121 | -hdr "sec-websocket-key: dGhlIHNhbXBsZSBub25jZQ==" |
| 122 | rxresp |
| 123 | expect resp.status == 101 |
| 124 | expect resp.http.connection == "upgrade" |
| 125 | expect resp.http.upgrade == "websocket" |
| 126 | expect resp.http.sec-websocket-accept == "s3pPLMBiTxaQ9kYGzzhZRbK+xOo=" |
| 127 | } -run |
| 128 | |
| 129 | # missing websocket key |
| 130 | client c2 -connect ${hap_fe1_sock} { |
| 131 | txreq \ |
| 132 | -req "GET" \ |
| 133 | -url "/" \ |
| 134 | -hdr "host: 127.0.0.1" \ |
| 135 | -hdr "connection: upgrade" \ |
| 136 | -hdr "upgrade: websocket" |
| 137 | |
| 138 | rxresp |
| 139 | expect resp.status == 400 |
| 140 | } -run |
| 141 | |
| 142 | # missing key on server side |
| 143 | client c3 -connect ${hap_fe2_sock} { |
| 144 | txreq \ |
| 145 | -req "GET" \ |
| 146 | -url "/" \ |
| 147 | -hdr "host: 127.0.0.1" \ |
| 148 | -hdr "connection: upgrade" \ |
| 149 | -hdr "upgrade: websocket" \ |
| 150 | -hdr "sec-websocket-key: dGhlIHNhbXBsZSBub25jZQ==" |
| 151 | |
| 152 | rxresp |
| 153 | expect resp.status == 502 |
| 154 | } -run |
| 155 | |
| 156 | # connect with http/2 on a http/1.1 websocket server |
| 157 | # the key must be provided by haproxy |
| 158 | client c4 -connect ${hap_fe3_sock} { |
| 159 | txpri |
| 160 | stream 0 { |
| 161 | txsettings |
| 162 | rxsettings |
| 163 | txsettings -ack |
| 164 | rxsettings |
| 165 | expect settings.ack == true |
| 166 | } -run |
| 167 | |
| 168 | stream 1 { |
| 169 | txreq \ |
| 170 | -req "CONNECT" \ |
| 171 | -scheme "http" \ |
| 172 | -url "/" \ |
| 173 | -hdr ":authority" "127.0.0.1" \ |
| 174 | -hdr ":protocol" "websocket" |
| 175 | |
| 176 | rxhdrs |
| 177 | expect resp.status == 200 |
| 178 | } -run |
| 179 | } -run |
| 180 | |
| 181 | # connect with http/2 on a http/1.1 websocket server |
| 182 | # however, the server will respond with an invalid key |
| 183 | # haproxy is responsible to reject the request and returning a 502 to the client |
| 184 | client c5 -connect ${hap_fe4_sock} { |
| 185 | txpri |
| 186 | stream 0 { |
| 187 | txsettings |
| 188 | rxsettings |
| 189 | txsettings -ack |
| 190 | rxsettings |
| 191 | expect settings.ack == true |
| 192 | } -run |
| 193 | |
| 194 | stream 1 { |
| 195 | txreq \ |
| 196 | -req "CONNECT" \ |
| 197 | -scheme "http" \ |
| 198 | -url "/" \ |
| 199 | -hdr ":authority" "127.0.0.1" \ |
| 200 | -hdr ":protocol" "websocket" |
| 201 | |
| 202 | rxhdrs |
| 203 | expect resp.status == 502 |
| 204 | } -run |
| 205 | } -run |