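# This reg-test verifies automatic SNI selection for server connections and
# health checks: when a TLS server line carries no explicit "sni" (resp.
# "check-sni"), the SNI is derived from the Host header of the request
# (resp. of the health check), unless that is disabled with "no-sni-auto"
# (resp. "no-check-sni-auto"). The vtest servers s1..s6 receive the health
# checks through "li_check_ssl" and assert which SNI reached them; client c1
# exercises the server-connection side through listener "li" and "fe_ssl".
#
# NOTE(review): the previous title read "Test the bind 'alpn' setting", which
# looks like a leftover from another reg-test: nothing in this file sets alpn.

varnishtest "Test automatic SNI selection for server connections and health checks"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.3-dev8)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
feature ignore_unknown_macro

# 7 parties: the six check servers below plus the main script, which waits on
# the barrier before starting client c1 so every health check has been seen.
barrier b1 cond 7 -cyclic

# be1: "option httpchk GET /test1 HTTP/1.1" carries no Host header, so there is
# nothing to derive an SNI from and the x-sni header must be absent.
# NOTE(review): the right-hand operand of this expect (and of the same line in
# s5 and s6) was dropped by the extraction of this page; "<undef>" is the
# varnishtest spelling for "header not present" and matches the intent of each
# case -- confirm against the repository copy.
server s1 {
    rxreq
    expect req.http.x-sni == <undef>
    txresp -status 200
    barrier b1 sync
} -start

# be2: Host "www.check2.org:443" given on the httpchk line -> automatic SNI,
# port suffix stripped.
server s2 {
    rxreq
    expect req.http.x-sni == "www.check2.org"
    txresp -status 200
    barrier b1 sync
} -start

# be3: Host given through "http-check send ... hdr host" -> automatic SNI.
server s3 {
    rxreq
    expect req.http.x-sni == "www.check3.org"
    txresp -status 200
    barrier b1 sync
} -start

# be4: explicit "check-sni" takes precedence over the Host-derived value.
server s4 {
    rxreq
    expect req.http.x-sni == "www.other.org"
    txresp -status 200
    barrier b1 sync
} -start

# be5: Host is present but "no-check-sni-auto" disables the derivation.
server s5 {
    rxreq
    expect req.http.x-sni == <undef>
    txresp -status 200
    barrier b1 sync
} -start

# be6: Host present on the httpchk line, but an explicit "http-check connect
# default" rule is used. The test expects no SNI here; presumably the connect
# rule does not apply the automatic SNI -- verify against the feature's doc.
server s6 {
    rxreq
    expect req.http.x-sni == <undef>
    txresp -status 200
    barrier b1 sync
} -start

haproxy h1 -conf {
    global
    .if feature(THREAD)
        thread-groups 1
    .endif
    .if !ssllib_name_startswith(AWS-LC)
        tune.ssl.default-dh-param 2048
    .endif

    defaults
        mode http
        option httplog
        log stderr local0 debug err
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
        default-server inter 100ms

    # TLS endpoint for the "li" servers: the response status encodes which SNI
    # (if any) arrived, so the client assertions below can grade it.
    frontend fe_ssl
        bind "fd@${fe_ssl}" ssl crt ${testdir}/common.pem
        http-request return status 200 if { path /test1 } { ssl_fc_sni www.test1.org }
        http-request return status 500 if { path /test2 } { ssl_fc_sni -m found }
        http-request return status 200 if { path /test3 } { ssl_fc_sni www.other.org }
        http-request deny

    # TLS endpoint for the health checks: forwards the received SNI (when there
    # is one) as x-sni to the vtest server matching the checked path.
    listen li_check_ssl
        bind "fd@${li_check_ssl}" ssl crt ${testdir}/common.pem
        http-request set-header x-sni %[ssl_fc_sni] if { ssl_fc_sni -m found }
        use-server s1 if { path /test1 }
        use-server s2 if { path /test2 }
        use-server s3 if { path /test3 }
        use-server s4 if { path /test4 }
        use-server s5 if { path /test5 }
        use-server s6 if { path /test6 }
        server s1 ${s1_addr}:${s1_port}
        # s2 previously pointed at ${s1_addr}; every other line uses its own
        # server's address, so this was brought in line with s3..s6.
        server s2 ${s2_addr}:${s2_port}
        server s3 ${s3_addr}:${s3_port}
        server s4 ${s4_addr}:${s4_port}
        server s5 ${s5_addr}:${s5_port}
        server s6 ${s6_addr}:${s6_port}

    # Plain-text entry used by client c1; each server re-encrypts towards
    # fe_ssl with a different SNI policy. "verify none" skips server-certificate
    # verification only because fe_ssl serves the test's own common.pem; it is
    # not something to carry over into a real configuration.
    listen li
        bind "fd@${li}"
        use-server s1 if { path /test1 }
        use-server s2 if { path /test2 }
        use-server s3 if { path /test3 }
        # no "sni" keyword: SNI is derived automatically from the Host header
        server s1 ${h1_fe_ssl_addr}:${h1_fe_ssl_port} ssl verify none
        # automatic derivation disabled: no SNI is sent
        server s2 ${h1_fe_ssl_addr}:${h1_fe_ssl_port} ssl verify none no-sni-auto
        # explicit "sni" expression takes precedence over the Host header
        server s3 ${h1_fe_ssl_addr}:${h1_fe_ssl_port} ssl verify none sni str("www.other.org")

    # One backend per health-check scenario; each checks li_check_ssl with a
    # distinct path so the matching vtest server receives it.
    backend be1
        option httpchk GET /test1 HTTP/1.1
        server chk1 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none

    backend be2
        option httpchk GET /test2 HTTP/1.1 www.check2.org:443
        server chk2 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none

    backend be3
        option httpchk
        http-check send meth GET uri /test3 hdr host "www.check3.org:443"
        server chk3 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none

    backend be4
        option httpchk
        http-check send meth GET uri /test4 hdr host "www.check4.org:443"
        server chk4 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none check-sni "www.other.org"

    backend be5
        option httpchk
        http-check send meth GET uri /test5 hdr host "www.check5.org:443"
        server chk5 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none no-check-sni-auto

    backend be6
        option httpchk GET /test6 HTTP/1.1 www.check6.org:443
        http-check connect default
        # renamed from "chk2" (server names are per-backend, so the duplicate
        # was legal, but chkN matches the beN numbering used everywhere else)
        server chk6 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none
} -start

# Wait until all six health checks have been received and answered.
barrier b1 sync

client c1 -connect ${h1_li_sock} {
    # s1, Host present: SNI derived from it (":443" stripped) -> fe_ssl rule 200
    txreq -url "/test1" -hdr "host: www.test1.org:443"
    rxresp
    expect resp.status == 200

    # s1, no Host header: nothing to derive, no SNI -> fe_ssl denies (403)
    txreq -url "/test1"
    rxresp
    expect resp.status == 403

    # s2 (no-sni-auto): Host is ignored, no SNI -> the "-m found" rule does not
    # fire and fe_ssl denies (403) instead of returning 500
    txreq -url "/test2" -hdr "host: www.test1.org"
    rxresp
    expect resp.status == 403

    # s3 (explicit sni): "www.other.org" wins over the Host header -> 200
    txreq -url "/test3" -hdr "host: www.test1.org"
    rxresp
    expect resp.status == 200
} -run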