mirror of
				https://github.com/traefik/traefik.git
				synced 2025-10-26 14:01:41 +01:00 
			
		
		
		
	
		
			
				
	
	
		
			529 lines
		
	
	
		
			13 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			529 lines
		
	
	
		
			13 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| package integration
 | |
| 
 | |
| import (
 | |
| 	"crypto/tls"
 | |
| 	"crypto/x509"
 | |
| 	"fmt"
 | |
| 	"net"
 | |
| 	"net/http"
 | |
| 	"os"
 | |
| 	"path/filepath"
 | |
| 	"testing"
 | |
| 	"time"
 | |
| 
 | |
| 	"github.com/miekg/dns"
 | |
| 	"github.com/rs/zerolog/log"
 | |
| 	"github.com/stretchr/testify/assert"
 | |
| 	"github.com/stretchr/testify/require"
 | |
| 	"github.com/stretchr/testify/suite"
 | |
| 	"github.com/traefik/traefik/v3/integration/try"
 | |
| 	"github.com/traefik/traefik/v3/pkg/config/static"
 | |
| 	"github.com/traefik/traefik/v3/pkg/provider/acme"
 | |
| 	"github.com/traefik/traefik/v3/pkg/testhelpers"
 | |
| 	"github.com/traefik/traefik/v3/pkg/types"
 | |
| )
 | |
| 
 | |
| // ACME test suites.
 | |
| type AcmeSuite struct {
 | |
| 	BaseSuite
 | |
| 	pebbleIP      string
 | |
| 	fakeDNSServer *dns.Server
 | |
| }
 | |
| 
 | |
| func TestAcmeSuite(t *testing.T) {
 | |
| 	suite.Run(t, new(AcmeSuite))
 | |
| }
 | |
| 
 | |
| type subCases struct {
 | |
| 	host               string
 | |
| 	expectedCommonName string
 | |
| 	expectedAlgorithm  x509.PublicKeyAlgorithm
 | |
| }
 | |
| 
 | |
| type acmeTestCase struct {
 | |
| 	template            templateModel
 | |
| 	traefikConfFilePath string
 | |
| 	subCases            []subCases
 | |
| }
 | |
| 
 | |
| type templateModel struct {
 | |
| 	Domain    types.Domain
 | |
| 	Domains   []types.Domain
 | |
| 	PortHTTP  string
 | |
| 	PortHTTPS string
 | |
| 	Acme      map[string]static.CertificateResolver
 | |
| }
 | |
| 
 | |
| const (
 | |
| 	// Domain to check
 | |
| 	acmeDomain = "traefik.acme.wtf"
 | |
| 
 | |
| 	// Wildcard domain to check
 | |
| 	wildcardDomain = "*.acme.wtf"
 | |
| )
 | |
| 
 | |
| func (s *AcmeSuite) getAcmeURL() string {
 | |
| 	return fmt.Sprintf("https://%s/dir",
 | |
| 		net.JoinHostPort(s.pebbleIP, "14000"))
 | |
| }
 | |
| 
 | |
| func setupPebbleRootCA() (*http.Transport, error) {
 | |
| 	path, err := filepath.Abs("fixtures/acme/ssl/pebble.minica.pem")
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	os.Setenv("LEGO_CA_CERTIFICATES", path)
 | |
| 	os.Setenv("LEGO_CA_SERVER_NAME", "pebble")
 | |
| 
 | |
| 	customCAs, err := os.ReadFile(path)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	certPool := x509.NewCertPool()
 | |
| 	if ok := certPool.AppendCertsFromPEM(customCAs); !ok {
 | |
| 		return nil, fmt.Errorf("error creating x509 cert pool from %q: %w", path, err)
 | |
| 	}
 | |
| 
 | |
| 	return &http.Transport{
 | |
| 		TLSClientConfig: &tls.Config{
 | |
| 			ServerName: "pebble",
 | |
| 			RootCAs:    certPool,
 | |
| 		},
 | |
| 	}, nil
 | |
| }
 | |
| 
 | |
| func (s *AcmeSuite) SetupSuite() {
 | |
| 	s.BaseSuite.SetupSuite()
 | |
| 
 | |
| 	s.createComposeProject("pebble")
 | |
| 	s.composeUp()
 | |
| 
 | |
| 	// Retrieving the Docker host ip.
 | |
| 	s.fakeDNSServer = startFakeDNSServer(s.hostIP)
 | |
| 	s.pebbleIP = s.getComposeServiceIP("pebble")
 | |
| 
 | |
| 	pebbleTransport, err := setupPebbleRootCA()
 | |
| 	require.NoError(s.T(), err)
 | |
| 
 | |
| 	// wait for pebble
 | |
| 	req := testhelpers.MustNewRequest(http.MethodGet, s.getAcmeURL(), nil)
 | |
| 
 | |
| 	client := &http.Client{
 | |
| 		Transport: pebbleTransport,
 | |
| 	}
 | |
| 
 | |
| 	err = try.Do(5*time.Second, func() error {
 | |
| 		resp, errGet := client.Do(req)
 | |
| 		if errGet != nil {
 | |
| 			return errGet
 | |
| 		}
 | |
| 		return try.StatusCodeIs(http.StatusOK)(resp)
 | |
| 	})
 | |
| 
 | |
| 	require.NoError(s.T(), err)
 | |
| }
 | |
| 
 | |
| func (s *AcmeSuite) TearDownSuite() {
 | |
| 	s.BaseSuite.TearDownSuite()
 | |
| 
 | |
| 	if s.fakeDNSServer != nil {
 | |
| 		err := s.fakeDNSServer.Shutdown()
 | |
| 		if err != nil {
 | |
| 			log.Info().Msg(err.Error())
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	s.composeDown()
 | |
| }
 | |
| 
 | |
| func (s *AcmeSuite) TestHTTP01Domains() {
 | |
| 	testCase := acmeTestCase{
 | |
| 		traefikConfFilePath: "fixtures/acme/acme_domains.toml",
 | |
| 		subCases: []subCases{{
 | |
| 			host:               acmeDomain,
 | |
| 			expectedCommonName: acmeDomain,
 | |
| 			expectedAlgorithm:  x509.RSA,
 | |
| 		}},
 | |
| 		template: templateModel{
 | |
| 			Domains: []types.Domain{{
 | |
| 				Main: "traefik.acme.wtf",
 | |
| 			}},
 | |
| 			Acme: map[string]static.CertificateResolver{
 | |
| 				"default": {ACME: &acme.Configuration{
 | |
| 					HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
 | |
| 				}},
 | |
| 			},
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	s.retrieveAcmeCertificate(testCase)
 | |
| }
 | |
| 
 | |
| func (s *AcmeSuite) TestHTTP01StoreDomains() {
 | |
| 	testCase := acmeTestCase{
 | |
| 		traefikConfFilePath: "fixtures/acme/acme_store_domains.toml",
 | |
| 		subCases: []subCases{{
 | |
| 			host:               acmeDomain,
 | |
| 			expectedCommonName: acmeDomain,
 | |
| 			expectedAlgorithm:  x509.RSA,
 | |
| 		}},
 | |
| 		template: templateModel{
 | |
| 			Domain: types.Domain{
 | |
| 				Main: "traefik.acme.wtf",
 | |
| 			},
 | |
| 			Acme: map[string]static.CertificateResolver{
 | |
| 				"default": {ACME: &acme.Configuration{
 | |
| 					HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
 | |
| 				}},
 | |
| 			},
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	s.retrieveAcmeCertificate(testCase)
 | |
| }
 | |
| 
 | |
| func (s *AcmeSuite) TestHTTP01DomainsInSAN() {
 | |
| 	testCase := acmeTestCase{
 | |
| 		traefikConfFilePath: "fixtures/acme/acme_domains.toml",
 | |
| 		subCases: []subCases{{
 | |
| 			host:               acmeDomain,
 | |
| 			expectedCommonName: "acme.wtf",
 | |
| 			expectedAlgorithm:  x509.RSA,
 | |
| 		}},
 | |
| 		template: templateModel{
 | |
| 			Domains: []types.Domain{{
 | |
| 				Main: "acme.wtf",
 | |
| 				SANs: []string{"traefik.acme.wtf"},
 | |
| 			}},
 | |
| 			Acme: map[string]static.CertificateResolver{
 | |
| 				"default": {ACME: &acme.Configuration{
 | |
| 					HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
 | |
| 				}},
 | |
| 			},
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	s.retrieveAcmeCertificate(testCase)
 | |
| }
 | |
| 
 | |
| func (s *AcmeSuite) TestHTTP01OnHostRule() {
 | |
| 	testCase := acmeTestCase{
 | |
| 		traefikConfFilePath: "fixtures/acme/acme_base.toml",
 | |
| 		subCases: []subCases{{
 | |
| 			host:               acmeDomain,
 | |
| 			expectedCommonName: acmeDomain,
 | |
| 			expectedAlgorithm:  x509.RSA,
 | |
| 		}},
 | |
| 		template: templateModel{
 | |
| 			Acme: map[string]static.CertificateResolver{
 | |
| 				"default": {ACME: &acme.Configuration{
 | |
| 					HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
 | |
| 				}},
 | |
| 			},
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	s.retrieveAcmeCertificate(testCase)
 | |
| }
 | |
| 
 | |
| func (s *AcmeSuite) TestMultipleResolver() {
 | |
| 	testCase := acmeTestCase{
 | |
| 		traefikConfFilePath: "fixtures/acme/acme_multiple_resolvers.toml",
 | |
| 		subCases: []subCases{
 | |
| 			{
 | |
| 				host:               acmeDomain,
 | |
| 				expectedCommonName: acmeDomain,
 | |
| 				expectedAlgorithm:  x509.RSA,
 | |
| 			},
 | |
| 			{
 | |
| 				host:               "tchouk.acme.wtf",
 | |
| 				expectedCommonName: "tchouk.acme.wtf",
 | |
| 				expectedAlgorithm:  x509.ECDSA,
 | |
| 			},
 | |
| 		},
 | |
| 		template: templateModel{
 | |
| 			Acme: map[string]static.CertificateResolver{
 | |
| 				"default": {ACME: &acme.Configuration{
 | |
| 					HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
 | |
| 				}},
 | |
| 				"tchouk": {ACME: &acme.Configuration{
 | |
| 					TLSChallenge: &acme.TLSChallenge{},
 | |
| 					KeyType:      "EC256",
 | |
| 				}},
 | |
| 			},
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	s.retrieveAcmeCertificate(testCase)
 | |
| }
 | |
| 
 | |
| func (s *AcmeSuite) TestHTTP01OnHostRuleECDSA() {
 | |
| 	testCase := acmeTestCase{
 | |
| 		traefikConfFilePath: "fixtures/acme/acme_base.toml",
 | |
| 		subCases: []subCases{{
 | |
| 			host:               acmeDomain,
 | |
| 			expectedCommonName: acmeDomain,
 | |
| 			expectedAlgorithm:  x509.ECDSA,
 | |
| 		}},
 | |
| 		template: templateModel{
 | |
| 			Acme: map[string]static.CertificateResolver{
 | |
| 				"default": {ACME: &acme.Configuration{
 | |
| 					HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
 | |
| 					KeyType:       "EC384",
 | |
| 				}},
 | |
| 			},
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	s.retrieveAcmeCertificate(testCase)
 | |
| }
 | |
| 
 | |
| func (s *AcmeSuite) TestHTTP01OnHostRuleInvalidAlgo() {
 | |
| 	testCase := acmeTestCase{
 | |
| 		traefikConfFilePath: "fixtures/acme/acme_base.toml",
 | |
| 		subCases: []subCases{{
 | |
| 			host:               acmeDomain,
 | |
| 			expectedCommonName: acmeDomain,
 | |
| 			expectedAlgorithm:  x509.RSA,
 | |
| 		}},
 | |
| 		template: templateModel{
 | |
| 			Acme: map[string]static.CertificateResolver{
 | |
| 				"default": {ACME: &acme.Configuration{
 | |
| 					HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
 | |
| 					KeyType:       "INVALID",
 | |
| 				}},
 | |
| 			},
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	s.retrieveAcmeCertificate(testCase)
 | |
| }
 | |
| 
 | |
| func (s *AcmeSuite) TestHTTP01OnHostRuleDefaultDynamicCertificatesWithWildcard() {
 | |
| 	testCase := acmeTestCase{
 | |
| 		traefikConfFilePath: "fixtures/acme/acme_tls.toml",
 | |
| 		subCases: []subCases{{
 | |
| 			host:               acmeDomain,
 | |
| 			expectedCommonName: wildcardDomain,
 | |
| 			expectedAlgorithm:  x509.RSA,
 | |
| 		}},
 | |
| 		template: templateModel{
 | |
| 			Acme: map[string]static.CertificateResolver{
 | |
| 				"default": {ACME: &acme.Configuration{
 | |
| 					HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
 | |
| 				}},
 | |
| 			},
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	s.retrieveAcmeCertificate(testCase)
 | |
| }
 | |
| 
 | |
| func (s *AcmeSuite) TestHTTP01OnHostRuleDynamicCertificatesWithWildcard() {
 | |
| 	testCase := acmeTestCase{
 | |
| 		traefikConfFilePath: "fixtures/acme/acme_tls_dynamic.toml",
 | |
| 		subCases: []subCases{{
 | |
| 			host:               acmeDomain,
 | |
| 			expectedCommonName: wildcardDomain,
 | |
| 			expectedAlgorithm:  x509.RSA,
 | |
| 		}},
 | |
| 		template: templateModel{
 | |
| 			Acme: map[string]static.CertificateResolver{
 | |
| 				"default": {ACME: &acme.Configuration{
 | |
| 					HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
 | |
| 				}},
 | |
| 			},
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	s.retrieveAcmeCertificate(testCase)
 | |
| }
 | |
| 
 | |
| func (s *AcmeSuite) TestTLSALPN01OnHostRuleTCP() {
 | |
| 	testCase := acmeTestCase{
 | |
| 		traefikConfFilePath: "fixtures/acme/acme_tcp.toml",
 | |
| 		subCases: []subCases{{
 | |
| 			host:               acmeDomain,
 | |
| 			expectedCommonName: acmeDomain,
 | |
| 			expectedAlgorithm:  x509.RSA,
 | |
| 		}},
 | |
| 		template: templateModel{
 | |
| 			Acme: map[string]static.CertificateResolver{
 | |
| 				"default": {ACME: &acme.Configuration{
 | |
| 					TLSChallenge: &acme.TLSChallenge{},
 | |
| 				}},
 | |
| 			},
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	s.retrieveAcmeCertificate(testCase)
 | |
| }
 | |
| 
 | |
| func (s *AcmeSuite) TestTLSALPN01OnHostRule() {
 | |
| 	testCase := acmeTestCase{
 | |
| 		traefikConfFilePath: "fixtures/acme/acme_base.toml",
 | |
| 		subCases: []subCases{{
 | |
| 			host:               acmeDomain,
 | |
| 			expectedCommonName: acmeDomain,
 | |
| 			expectedAlgorithm:  x509.RSA,
 | |
| 		}},
 | |
| 		template: templateModel{
 | |
| 			Acme: map[string]static.CertificateResolver{
 | |
| 				"default": {ACME: &acme.Configuration{
 | |
| 					TLSChallenge: &acme.TLSChallenge{},
 | |
| 				}},
 | |
| 			},
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	s.retrieveAcmeCertificate(testCase)
 | |
| }
 | |
| 
 | |
| func (s *AcmeSuite) TestTLSALPN01Domains() {
 | |
| 	testCase := acmeTestCase{
 | |
| 		traefikConfFilePath: "fixtures/acme/acme_domains.toml",
 | |
| 		subCases: []subCases{{
 | |
| 			host:               acmeDomain,
 | |
| 			expectedCommonName: acmeDomain,
 | |
| 			expectedAlgorithm:  x509.RSA,
 | |
| 		}},
 | |
| 		template: templateModel{
 | |
| 			Domains: []types.Domain{{
 | |
| 				Main: "traefik.acme.wtf",
 | |
| 			}},
 | |
| 			Acme: map[string]static.CertificateResolver{
 | |
| 				"default": {ACME: &acme.Configuration{
 | |
| 					TLSChallenge: &acme.TLSChallenge{},
 | |
| 				}},
 | |
| 			},
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	s.retrieveAcmeCertificate(testCase)
 | |
| }
 | |
| 
 | |
| func (s *AcmeSuite) TestTLSALPN01DomainsInSAN() {
 | |
| 	testCase := acmeTestCase{
 | |
| 		traefikConfFilePath: "fixtures/acme/acme_domains.toml",
 | |
| 		subCases: []subCases{{
 | |
| 			host:               acmeDomain,
 | |
| 			expectedCommonName: "acme.wtf",
 | |
| 			expectedAlgorithm:  x509.RSA,
 | |
| 		}},
 | |
| 		template: templateModel{
 | |
| 			Domains: []types.Domain{{
 | |
| 				Main: "acme.wtf",
 | |
| 				SANs: []string{"traefik.acme.wtf"},
 | |
| 			}},
 | |
| 			Acme: map[string]static.CertificateResolver{
 | |
| 				"default": {ACME: &acme.Configuration{
 | |
| 					TLSChallenge: &acme.TLSChallenge{},
 | |
| 				}},
 | |
| 			},
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	s.retrieveAcmeCertificate(testCase)
 | |
| }
 | |
| 
 | |
| // Test Let's encrypt down.
 | |
| func (s *AcmeSuite) TestNoValidLetsEncryptServer() {
 | |
| 	file := s.adaptFile("fixtures/acme/acme_base.toml", templateModel{
 | |
| 		Acme: map[string]static.CertificateResolver{
 | |
| 			"default": {ACME: &acme.Configuration{
 | |
| 				CAServer:      "http://wrongurl:4001/directory",
 | |
| 				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
 | |
| 			}},
 | |
| 		},
 | |
| 	})
 | |
| 
 | |
| 	s.traefikCmd(withConfigFile(file))
 | |
| 
 | |
| 	// Expected traefik works
 | |
| 	err := try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.StatusCodeIs(http.StatusOK))
 | |
| 	require.NoError(s.T(), err)
 | |
| }
 | |
| 
 | |
| // Doing an HTTPS request and test the response certificate.
 | |
| func (s *AcmeSuite) retrieveAcmeCertificate(testCase acmeTestCase) {
 | |
| 	if len(testCase.template.PortHTTP) == 0 {
 | |
| 		testCase.template.PortHTTP = ":5002"
 | |
| 	}
 | |
| 
 | |
| 	if len(testCase.template.PortHTTPS) == 0 {
 | |
| 		testCase.template.PortHTTPS = ":5001"
 | |
| 	}
 | |
| 
 | |
| 	for _, value := range testCase.template.Acme {
 | |
| 		if len(value.ACME.CAServer) == 0 {
 | |
| 			value.ACME.CAServer = s.getAcmeURL()
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	file := s.adaptFile(testCase.traefikConfFilePath, testCase.template)
 | |
| 
 | |
| 	s.traefikCmd(withConfigFile(file))
 | |
| 
 | |
| 	// A real file is needed to have the right mode on acme.json file
 | |
| 	defer os.Remove("/tmp/acme.json")
 | |
| 
 | |
| 	backend := startTestServer("9010", http.StatusOK, "")
 | |
| 	defer backend.Close()
 | |
| 
 | |
| 	client := &http.Client{
 | |
| 		Transport: &http.Transport{
 | |
| 			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	// wait for traefik (generating acme account take some seconds)
 | |
| 	err := try.Do(60*time.Second, func() error {
 | |
| 		_, errGet := client.Get("https://127.0.0.1:5001")
 | |
| 		return errGet
 | |
| 	})
 | |
| 	require.NoError(s.T(), err)
 | |
| 
 | |
| 	for _, sub := range testCase.subCases {
 | |
| 		client = &http.Client{
 | |
| 			Transport: &http.Transport{
 | |
| 				TLSClientConfig: &tls.Config{
 | |
| 					InsecureSkipVerify: true,
 | |
| 					ServerName:         sub.host,
 | |
| 				},
 | |
| 				// Needed so that each subcase redoes the SSL handshake
 | |
| 				DisableKeepAlives: true,
 | |
| 			},
 | |
| 		}
 | |
| 
 | |
| 		req := testhelpers.MustNewRequest(http.MethodGet, "https://127.0.0.1:5001/", nil)
 | |
| 		req.Host = sub.host
 | |
| 		req.Header.Set("Host", sub.host)
 | |
| 		req.Header.Set("Accept", "*/*")
 | |
| 
 | |
| 		var resp *http.Response
 | |
| 
 | |
| 		// Retry to send a Request which uses the LE generated certificate
 | |
| 		err := try.Do(60*time.Second, func() error {
 | |
| 			resp, err = client.Do(req)
 | |
| 			if err != nil {
 | |
| 				return err
 | |
| 			}
 | |
| 
 | |
| 			cn := resp.TLS.PeerCertificates[0].Subject.CommonName
 | |
| 			if cn != sub.expectedCommonName {
 | |
| 				return fmt.Errorf("domain %s found instead of %s", cn, sub.expectedCommonName)
 | |
| 			}
 | |
| 
 | |
| 			return nil
 | |
| 		})
 | |
| 
 | |
| 		require.NoError(s.T(), err)
 | |
| 		assert.Equal(s.T(), http.StatusOK, resp.StatusCode)
 | |
| 		// Check Domain into response certificate
 | |
| 		assert.Equal(s.T(), sub.expectedCommonName, resp.TLS.PeerCertificates[0].Subject.CommonName)
 | |
| 		assert.Equal(s.T(), sub.expectedAlgorithm, resp.TLS.PeerCertificates[0].PublicKeyAlgorithm)
 | |
| 	}
 | |
| }
 |