First, the barrier to delay the client execution was moved before the client definition. Otherwise, the connection is established too early and with short timeouts it could be closed before the requests are sent. The main purpose of the barrier was to work around slow health-checks. This is also the reason why the script was flagged as slow. But it can be significantly sped up by setting a low "inter" value. It is now set to 100ms and the script is no longer slow.
# This reg-test verifies automatic SNI selection for server connections and
# health checks.
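varnishtest "Test automatic SNI selection for server connections and health checks"

# Requires HAProxy 3.3-dev8 or later, built with OpenSSL support.
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.3-dev8)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
feature ignore_unknown_macro

# Seven participants: the six health-check targets s1..s6, each syncing after
# it has answered its check, plus the main script, which syncs right before
# the client is started.
barrier b1 cond 7 -cyclic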
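# s1: reached through li_check_ssl for path /test1 (health check of be1, sent
# without a host header). The check must carry no SNI, so li_check_ssl adds no
# x-sni header.
server s1 {
    rxreq
    expect req.http.x-sni == <undef>
    txresp -status 200
    barrier b1 sync
} -start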
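# s2: reached through li_check_ssl for path /test2 (health check of be2, whose
# "option httpchk" line carries the host "www.check2.org:443"). The SNI seen by
# li_check_ssl must be that host name without the port.
server s2 {
    rxreq
    expect req.http.x-sni == "www.check2.org"
    txresp -status 200
    barrier b1 sync
} -start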
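# s3: reached through li_check_ssl for path /test3 (health check of be3, whose
# "http-check send" rule sets the host header "www.check3.org:443"). The SNI
# seen by li_check_ssl must be that host name without the port.
server s3 {
    rxreq
    expect req.http.x-sni == "www.check3.org"
    txresp -status 200
    barrier b1 sync
} -start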
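# s4: reached through li_check_ssl for path /test4 (health check of be4). The
# check sends host "www.check4.org:443" but the server line sets an explicit
# check-sni "www.other.org"; the explicit value must be the one on the wire.
server s4 {
    rxreq
    expect req.http.x-sni == "www.other.org"
    txresp -status 200
    barrier b1 sync
} -start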
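# s5: reached through li_check_ssl for path /test5 (health check of be5). The
# check sends a host header, but the server line uses no-check-sni-auto, so no
# SNI must be sent and no x-sni header may appear.
server s5 {
    rxreq
    expect req.http.x-sni == <undef>
    txresp -status 200
    barrier b1 sync
} -start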
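# s6: reached through li_check_ssl for path /test6 (health check of be6, which
# declares an explicit "http-check connect default" rule). Although the check
# carries the host "www.check6.org:443", no SNI is expected in this case.
server s6 {
    rxreq
    expect req.http.x-sni == <undef>
    txresp -status 200
    barrier b1 sync
} -start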
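haproxy h1 -conf {
    global
    .if feature(THREAD)
        thread-groups 1
    .endif

    .if !ssllib_name_startswith(AWS-LC)
        tune.ssl.default-dh-param 2048
    .endif

    defaults
        mode http
        option httplog
        log stderr local0 debug err
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
        # Short check interval: the script waits on barrier b1 until all six
        # health checks have been answered, so a long interval slows the test.
        default-server inter 100ms

    # TLS endpoint reached by the servers of "li". It reports, through the
    # status code, which SNI the outgoing connection presented.
    frontend fe_ssl
        bind "fd@${fe_ssl}" ssl crt ${testdir}/common.pem

        # /test1: 200 only if the SNI is exactly "www.test1.org".
        http-request return status 200 if { path /test1 } { ssl_fc_sni www.test1.org }
        # /test2: 500 as soon as any SNI is present (none is expected).
        http-request return status 500 if { path /test2 } { ssl_fc_sni -m found }
        # /test3: 200 only if the SNI is the explicitly configured one.
        http-request return status 200 if { path /test3 } { ssl_fc_sni www.other.org }
        # Anything else is denied (403).
        http-request deny

    # TLS endpoint reached by the health checks of be1..be6. It copies the
    # received SNI, if any, into the x-sni header and forwards the check to
    # the vtest server selected by the path, which asserts on that header.
    listen li_check_ssl
        bind "fd@${li_check_ssl}" ssl crt ${testdir}/common.pem
        http-request set-header x-sni %[ssl_fc_sni] if { ssl_fc_sni -m found }

        use-server s1 if { path /test1 }
        use-server s2 if { path /test2 }
        use-server s3 if { path /test3 }
        use-server s4 if { path /test4 }
        use-server s5 if { path /test5 }
        use-server s6 if { path /test6 }

        server s1 ${s1_addr}:${s1_port}
        server s2 ${s2_addr}:${s2_port}
        server s3 ${s3_addr}:${s3_port}
        server s4 ${s4_addr}:${s4_port}
        server s5 ${s5_addr}:${s5_port}
        server s6 ${s6_addr}:${s6_port}

    # Clear-text entry point used by client c1. Each server connects to
    # fe_ssl over TLS with a different SNI configuration.
    #
    # NOTE: "verify none" disables certificate verification and is only
    # acceptable here because both ends are the test instance itself. Sending
    # an SNI does not authenticate the peer; outside of a test, SNI selection
    # should be combined with "verify required", a "ca-file" and, where
    # relevant, "verifyhost".
    listen li
        bind "fd@${li}"
        use-server s1 if { path /test1 }
        use-server s2 if { path /test2 }
        use-server s3 if { path /test3 }

        # s1: no "sni" setting, automatic selection applies.
        server s1 ${h1_fe_ssl_addr}:${h1_fe_ssl_port} ssl verify none
        # s2: automatic selection explicitly disabled.
        server s2 ${h1_fe_ssl_addr}:${h1_fe_ssl_port} ssl verify none no-sni-auto
        # s3: explicit SNI expression.
        server s3 ${h1_fe_ssl_addr}:${h1_fe_ssl_port} ssl verify none sni str("www.other.org")

    # be1..be6 exist only for their health checks, all sent over TLS to
    # li_check_ssl ("verify none": see the note above "listen li").

    # Check without a host header: s1 expects no SNI.
    backend be1
        option httpchk GET /test1 HTTP/1.1
        server chk1 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none

    # Host given on the "option httpchk" line: s2 expects SNI "www.check2.org".
    backend be2
        option httpchk GET /test2 HTTP/1.1 www.check2.org:443
        server chk2 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none

    # Host given by an "http-check send" rule: s3 expects SNI "www.check3.org".
    backend be3
        option httpchk
        http-check send meth GET uri /test3 hdr host "www.check3.org:443"
        server chk3 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none

    # Explicit check-sni: s4 expects "www.other.org", not the host header.
    backend be4
        option httpchk
        http-check send meth GET uri /test4 hdr host "www.check4.org:443"
        server chk4 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none check-sni "www.other.org"

    # Automatic selection disabled for checks: s5 expects no SNI.
    backend be5
        option httpchk
        http-check send meth GET uri /test5 hdr host "www.check5.org:443"
        server chk5 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none no-check-sni-auto

    # Explicit "http-check connect" rule: s6 expects no SNI even though the
    # check carries a host (presumably the automatic selection is not applied
    # to explicit connect rules - confirm against the documentation).
    backend be6
        option httpchk GET /test6 HTTP/1.1 www.check6.org:443
        http-check connect default
        server chk6 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none

} -start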
# Seventh participant of barrier b1: wait here until s1..s6 have each answered
# their health check, and only then start the client.
barrier b1 sync
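# Requests go through the clear-text "li" proxy; the status code comes from
# fe_ssl and tells which SNI the outgoing TLS connection presented.
client c1 -connect ${h1_li_sock} {
    # Automatic SNI: fe_ssl answers 200 only for SNI "www.test1.org", i.e. the
    # host header value without its port.
    txreq -url "/test1" -hdr "host: www.test1.org:443"
    rxresp
    expect resp.status == 200

    # No host header: the SNI is not "www.test1.org", fe_ssl denies (403).
    txreq -url "/test1"
    rxresp
    expect resp.status == 403

    # no-sni-auto: a host header is present but no SNI may be sent. Any SNI
    # would yield 500; the expected 403 comes from the final deny rule.
    txreq -url "/test2" -hdr "host: www.test1.org"
    rxresp
    expect resp.status == 403

    # Explicit sni str("www.other.org") is used instead of the host header.
    txreq -url "/test3" -hdr "host: www.test1.org"
    rxresp
    expect resp.status == 200
} -run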