From ef772235d1212aacff7af983698c28b6e17799e0 Mon Sep 17 00:00:00 2001 From: Ri Shen Chen Date: Fri, 11 Apr 2025 17:33:01 +0800 Subject: [PATCH] tests: stream proxy protocol v2 --- .travis.yml | 2 +- t/000-sanity.t | 97 +++++++++++---------- t/003-stream-proxy-protocol.t | 156 ++++++++++++++++++++++++++++++++++ 3 files changed, 205 insertions(+), 50 deletions(-) create mode 100644 t/003-stream-proxy-protocol.t diff --git a/.travis.yml b/.travis.yml index 5299424..faa805a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -74,7 +74,7 @@ install: script: - util/mirror-tarballs > build.log 2>&1 || (cat build.log && exit 1) - cd "openresty-$(./util/ver)" - - ./configure --with-http_v3_module --prefix=$OPENRESTY_PREFIX --with-cc-opt="-I$PCRE_INC -I$OPENSSL_INC" --with-ld-opt="-L$PCRE_LIB -L$OPENSSL_LIB -Wl,-rpath,$PCRE_LIB:$OPENSSL_LIB" --with-pcre-jit --with-http_ssl_module --with-debug -j$JOBS > build.log 2>&1 || (cat build.log && exit 1) + - ./configure --with-http_v3_module --with-stream_realip_module --with-http_realip_module --prefix=$OPENRESTY_PREFIX --with-cc-opt="-I$PCRE_INC -I$OPENSSL_INC" --with-ld-opt="-L$PCRE_LIB -L$OPENSSL_LIB -Wl,-rpath,$PCRE_LIB:$OPENSSL_LIB" --with-pcre-jit --with-http_ssl_module --with-debug -j$JOBS > build.log 2>&1 || (cat build.log && exit 1) - make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1) - sudo make install > build.log 2>&1 || (cat build.log && exit 1) - cd .. diff --git a/t/000-sanity.t b/t/000-sanity.t index 8ec93fa..0aee9f6 100644 --- a/t/000-sanity.t +++ b/t/000-sanity.t @@ -1838,7 +1838,7 @@ clean: -=== TEST 23: ngx_postgres not enabled but specify --with-pg_config +=== TEST 22: ngx_postgres not enabled but specify --with-pg_config --- cmd: ./configure --with-pg_config=pg_config --dry-run --- out platform: linux (linux) 
@@ -1849,7 +1849,7 @@ The http_postgres_module is not enabled while --with-pg_config is specified. -=== TEST 24: --with-make option +=== TEST 23: --with-make option --- cmd: ./configure --with-make=make --dry-run --- out platform: linux (linux) @@ -1939,7 +1939,7 @@ clean: -=== TEST 25: --with-luajit on Solaris +=== TEST 24: --with-luajit on Solaris --- cmd: ./configure --with-luajit --dry-run --platform=solaris --- out platform: solaris (solaris) @@ -2029,7 +2029,7 @@ clean: -=== TEST 26: default on Solaris +=== TEST 25: default on Solaris --- cmd: ./configure --dry-run --platform=solaris --- out platform: solaris (solaris) @@ -2119,7 +2119,7 @@ clean: -=== TEST 27: default on FreeBSD +=== TEST 26: default on FreeBSD --- cmd: ./configure --dry-run --platform=freebsd --- out platform: freebsd (freebsd) @@ -2209,7 +2209,7 @@ clean: -=== TEST 28: --with-luajit on FreeBSD +=== TEST 27: --with-luajit on FreeBSD --- cmd: ./configure --with-luajit --dry-run --platform=freebsd --- out platform: freebsd (freebsd) @@ -2299,7 +2299,7 @@ clean: -=== TEST 29: --with-luajit on Mac OS X +=== TEST 28: --with-luajit on Mac OS X --- cmd: ./configure --dry-run --platform=darwin --with-luajit --- out platform: macosx (darwin) @@ -2392,7 +2392,7 @@ Use of uninitialized value $v in scalar chomp at ./configure line 794. -=== TEST 30: default on Mac OS X +=== TEST 29: default on Mac OS X --- cmd: ./configure --dry-run --platform=darwin --- out platform: macosx (darwin) @@ -2485,7 +2485,7 @@ Use of uninitialized value $v in scalar chomp at ./configure line 794. -=== TEST 31: --with-debug on solaris +=== TEST 30: --with-debug on solaris --- cmd: ./configure --dry-run --platform=solaris --with-debug --- out platform: solaris (solaris) @@ -2576,7 +2576,7 @@ clean: -=== TEST 32: --without-lua_cjson +=== TEST 31: --without-lua_cjson --- cmd: ./configure --dry-run --without-lua_cjson --- out platform: linux (linux) 
@@ -2664,7 +2664,7 @@ clean: -=== TEST 33: --without-lua_tablepool +=== TEST 32: --without-lua_tablepool --- cmd: ./configure --dry-run --without-lua_tablepool --- out platform: linux (linux) @@ -2752,7 +2752,7 @@ clean: -=== TEST 34: --without-lua_resty_shell +=== TEST 33: --without-lua_resty_shell --- cmd: ./configure --dry-run --without-lua_resty_shell --- out platform: linux (linux) @@ -2841,7 +2841,7 @@ clean: -=== TEST 35: --without-lua_resty_signal +=== TEST 34: --without-lua_resty_signal --- cmd: ./configure --dry-run --without-lua_resty_signal --- out platform: linux (linux) @@ -2928,7 +2928,7 @@ clean: -=== TEST 36: --without-lua_redis_parser & --without-lua_cjson +=== TEST 35: --without-lua_redis_parser & --without-lua_cjson --- cmd: ./configure --dry-run --without-lua_redis_parser --without-lua_cjson --- out platform: linux (linux) @@ -3014,7 +3014,7 @@ clean: -=== TEST 37: disable rds-parser +=== TEST 36: disable rds-parser --- cmd: ./configure --dry-run --without-lua_rds_parser --- out platform: linux (linux) @@ -3102,7 +3102,7 @@ clean: -=== TEST 38: --with-luajit=PATH +=== TEST 37: --with-luajit=PATH --- cmd: ./configure --with-luajit=/tmp/luajit --dry-run --- out platform: linux (linux) @@ -3186,7 +3186,7 @@ clean: -=== TEST 39: ./configure with -jN +=== TEST 38: ./configure with -jN --- cmd: ./configure --dry-run -j10 --- out platform: linux (linux) @@ -3276,7 +3276,7 @@ clean: -=== TEST 40: --with-luajit & -jN +=== TEST 39: --with-luajit & -jN --- cmd: ./configure --with-luajit --dry-run -j5 --- out platform: linux (linux) @@ -3366,7 +3366,7 @@ clean: -=== TEST 41: relative path as the --add-module option's value +=== TEST 40: relative path as the --add-module option's value --- cmd: ./configure --add-module=/path/to/some/module --add-module=../some/module/ --dry-run --- out platform: linux (linux) 
@@ -3456,7 +3456,7 @@ clean: -=== TEST 42: relative path as the --with-openssl option's value +=== TEST 41: relative path as the --with-openssl option's value --- cmd: ./configure --with-openssl=../some/module/ --dry-run --- out platform: linux (linux) @@ -3546,7 +3546,7 @@ clean: -=== TEST 43: --without-lua_resty_memcached +=== TEST 42: --without-lua_resty_memcached --- cmd: ./configure --dry-run --without-lua_resty_memcached --- out platform: linux (linux) @@ -3635,7 +3635,7 @@ clean: -=== TEST 44: --without-lua_resty_redis +=== TEST 43: --without-lua_resty_redis --- cmd: ./configure --dry-run --without-lua_resty_redis --- out platform: linux (linux) @@ -3724,7 +3724,7 @@ clean: -=== TEST 45: --with-luajit-xcflags +=== TEST 44: --with-luajit-xcflags --- cmd: ./configure --with-luajit --with-luajit-xcflags='-DLUAJIT_USE_VALGRIND' --dry-run --- out platform: linux (linux) @@ -3814,7 +3814,7 @@ clean: -=== TEST 46: --with-debug & luajit & --with-luajit-xcflags +=== TEST 45: --with-debug & luajit & --with-luajit-xcflags --- cmd: ./configure --with-luajit --with-debug --dry-run --with-luajit-xcflags='-DLUAJIT_USE_VALGRIND' --- out platform: linux (linux) @@ -3905,7 +3905,7 @@ clean: -=== TEST 47: relative path as the --with-pcre option's value +=== TEST 46: relative path as the --with-pcre option's value --- cmd: ./configure --with-pcre=../some/module/ --dry-run --- out platform: linux (linux) @@ -3995,7 +3995,7 @@ clean: -=== TEST 48: relative path as the --with-zlib option's value +=== TEST 47: relative path as the --with-zlib option's value --- cmd: ./configure --with-zlib=../some/module/ --dry-run --- out platform: linux (linux) @@ -4085,7 +4085,7 @@ clean: -=== TEST 49: relative path as the --with-md5 option's value +=== TEST 48: relative path as the --with-md5 option's value --- cmd: ./configure --with-md5=../some/module/ --dry-run --- out platform: linux (linux) 
@@ -4175,7 +4175,7 @@ clean: -=== TEST 50: relative path as the --with-sha1 option's value +=== TEST 49: relative path as the --with-sha1 option's value --- cmd: ./configure --with-sha1=../some/module/ --dry-run --- out platform: linux (linux) @@ -4265,7 +4265,7 @@ clean: -=== TEST 51: relative path as the --with-libatomic option's value +=== TEST 50: relative path as the --with-libatomic option's value --- cmd: ./configure --with-libatomic=../some/module/ --dry-run --- out platform: linux (linux) @@ -4355,7 +4355,7 @@ clean: -=== TEST 52: --without-lua_resty_dns +=== TEST 51: --without-lua_resty_dns --- cmd: ./configure --dry-run --without-lua_resty_dns --- out platform: linux (linux) @@ -4444,7 +4444,7 @@ clean: -=== TEST 53: --prefix (relative path: "."), lua51 +=== TEST 52: --prefix (relative path: "."), lua51 --- cmd: ./configure --prefix=. --dry-run --- out platform: linux (linux) @@ -4536,7 +4536,7 @@ clean: -=== TEST 54: --prefix (relative path: "."), luajit +=== TEST 53: --prefix (relative path: "."), luajit --- cmd: ./configure --prefix=. --dry-run --- out platform: linux (linux) @@ -4628,7 +4628,7 @@ clean: -=== TEST 55: --prefix (relative path: ""), luajit +=== TEST 54: --prefix (relative path: ""), luajit --- cmd: ./configure --prefix= --dry-run --- out platform: linux (linux) @@ -4720,7 +4720,7 @@ clean: -=== TEST 56: MSYS platform +=== TEST 55: MSYS platform --- cmd: ./configure --prefix= --platform=msys --dry-run --- out platform: msys (msys) @@ -4810,7 +4810,7 @@ clean: -=== TEST 57: --with-pcre-opt='foo bar' +=== TEST 56: --with-pcre-opt='foo bar' --- cmd: ./configure --dry-run --with-pcre-opt='-foo -bar' --with-zlib-opt="hello, '\world" --- out platform: linux (linux) @@ -4900,7 +4900,7 @@ clean: -=== TEST 58: --with-luajit-xcflags lua 5.2 compat +=== TEST 57: --with-luajit-xcflags lua 5.2 compat --- cmd: ./configure --with-luajit-xcflags='-DLUAJIT_ENABLE_LUA52COMPAT' --dry-run --- out platform: linux (linux) 
@@ -4990,7 +4990,7 @@ clean: -=== TEST 59: --without-luajit-lua52 +=== TEST 58: --without-luajit-lua52 --- cmd: ./configure --without-luajit-lua52 --dry-run --- out platform: linux (linux) @@ -5080,7 +5080,7 @@ clean: -=== TEST 60: --with-luajit-xcflags disable gc64 +=== TEST 59: --with-luajit-xcflags disable gc64 --- cmd: ./configure --with-luajit-xcflags='-DLUAJIT_DISABLE_GC64' --dry-run --- out platform: linux (linux) @@ -5170,7 +5170,7 @@ clean: -=== TEST 61: --without-luajit-gc64 +=== TEST 60: --without-luajit-gc64 --- cmd: ./configure --without-luajit-gc64 --dry-run --- out platform: linux (linux) @@ -5260,7 +5260,7 @@ clean: -=== TEST 62: --with-luajit-xcflags gc64 & --without-luajit-gc64 +=== TEST 61: --with-luajit-xcflags gc64 & --without-luajit-gc64 --- cmd: ./configure --with-luajit-xcflags='-DLUAJIT_DISABLE_GC64' --without-luajit-gc64 --dry-run --- out platform: linux (linux) @@ -5350,7 +5350,7 @@ clean: -=== TEST 63: --sbin-path (absolute) +=== TEST 62: --sbin-path (absolute) --- cmd: ./configure --sbin-path=/opt/blah/nginx --dry-run --- out platform: linux (linux) @@ -5440,7 +5440,7 @@ clean: -=== TEST 64: --sbin-path (relative) +=== TEST 63: --sbin-path (relative) --- cmd: ./configure --sbin-path=../bin/nginx --dry-run --- out platform: linux (linux) @@ -5530,7 +5530,7 @@ clean: -=== TEST 65: --without-http_lua_upstream_module (on Linux) +=== TEST 64: --without-http_lua_upstream_module (on Linux) --- cmd: ./configure --dry-run --without-http_lua_upstream_module --- out platform: linux (linux) @@ -5619,7 +5619,7 @@ clean: -=== TEST 66: --without-http_lua_module & --without-stream_lua_module +=== TEST 65: --without-http_lua_module & --without-stream_lua_module --- cmd: ./configure --without-http_lua_module --without-stream_lua_module --dry-run --- out platform: linux (linux) 
@@ -5676,7 +5676,7 @@ clean: -=== TEST 67: relative path as the --add-dynamic-module option's value +=== TEST 66: relative path as the --add-dynamic-module option's value --- cmd: ./configure --add-dynamic-module=/path/to/some/module --add-dynamic-module=../some/module/ --dry-run --- out platform: linux (linux) @@ -5766,7 +5766,7 @@ clean: -=== TEST 68: --without-stream_ssl_module and --without-http_ssl_module are respected +=== TEST 67: --without-stream_ssl_module and --without-http_ssl_module are respected --- cmd: ./configure --without-http_ssl_module --without-stream_ssl_module --dry-run --- out platform: linux (linux) @@ -5808,7 +5808,7 @@ Type the following commands to build and install: -=== TEST 69: --without-stream_ssl_module and --with-stream_ssl_module specified at the same time causes errors +=== TEST 68: --without-stream_ssl_module and --with-stream_ssl_module specified at the same time causes errors --- cmd: ./configure --with-stream_ssl_module --without-stream_ssl_module --dry-run --- out platform: linux (linux) @@ -5819,7 +5819,7 @@ platform: linux (linux) -=== TEST 70: --with-luajit-ldflags +=== TEST 69: --with-luajit-ldflags --- cmd: ./configure --with-luajit --with-luajit-ldflags='-Wl,-rpath,/tmp/blah/foo' --dry-run --- out platform: linux (linux) @@ -5906,4 +5906,3 @@ install: all clean: rm -rf build *.exe *.dll openresty-* - diff --git a/t/003-stream-proxy-protocol.t b/t/003-stream-proxy-protocol.t new file mode 100644 index 0000000..1410d25 --- /dev/null +++ b/t/003-stream-proxy-protocol.t 
@@ -0,0 +1,156 @@ +# vim:set ft= ts=4 sw=4 et fdm=marker: +use Test::Nginx::Socket::Lua::Stream; +master_on(); +workers(2); +log_level('debug'); + +repeat_each(2); +plan tests => 14 * repeat_each(); + +#no_diff(); +no_long_string(); + +run_tests(); + + +__DATA__ + +=== TEST 1: Stream to HTTP proxy with Proxy Protocol v2 +--- stream_config + upstream backend { + server 127.0.0.1:$TEST_NGINX_RAND_PORT_2 max_fails=3 fail_timeout=5s; + } + +--- stream_server_config + proxy_pass backend; + proxy_protocol v2; +--- http_config + server { + listen 127.0.0.1:$TEST_NGINX_RAND_PORT_2 proxy_protocol; + + location /t1 { + echo "hello world"; + } + } +--- stream_request eval +"GET /t1 HTTP/1.0\r\nHost: localhost\r\n\r\n"; +--- stream_response_like +hello world +--- no_error_log +[error] +--- grep_error_log eval: qr/PROXY protocol v2 src:.*/ +--- grep_error_log_out eval +qr/PROXY protocol v2 src: 127\.0\.0\.1 \d+, dst: 127\.0\.0\.1 \d+/ + + + +=== TEST 2: Stream with Proxy Protocol tunnel (IPV4) +--- stream_config + upstream backend { + server 127.0.0.1:$TEST_NGINX_RAND_PORT_2 max_fails=3 fail_timeout=5s; + } +--- stream_server_config + proxy_pass backend; + set_real_ip_from 127.0.0.1/32; + proxy_protocol v2; +--- steam_listen_option +proxy_protocol +--- http_config + server { + set_real_ip_from 127.0.0.1/32; + listen 127.0.0.1:$TEST_NGINX_RAND_PORT_2 proxy_protocol; + + location /t2 { + echo "$proxy_protocol_addr via proxy protocol v2"; + } + } +--- stream_request eval + "PROXY TCP4 1.1.1.1 127.0.0.1 48078 1985\r\nGET /t2 HTTP/1.0\r\nHost: localhost\r\n\r\n"; +--- stream_response_like +1.1.1.1 via proxy protocol v2 +--- grep_error_log eval: qr/PROXY protocol v2 src:.*/ +--- grep_error_log_out eval +qr/PROXY protocol v2 src: 1\.1\.1\.1 \d+, dst: 127\.0\.0\.1 \d+/ +--- no_error_log +[error] + + + +=== TEST 3: Stream with Proxy Protocol tunnel (IPV6) +--- stream_config + upstream backend { + server [::1]:$TEST_NGINX_RAND_PORT_2 max_fails=3 fail_timeout=5s; + } +--- 
stream_server_config + proxy_pass backend; + set_real_ip_from 127.0.0.1/32; + proxy_protocol v2; +--- steam_listen_option +proxy_protocol +--- http_config + server { + listen [::1]:$TEST_NGINX_RAND_PORT_2 proxy_protocol; + location /t3 { + echo "$proxy_protocol_addr via proxy protocol v2 IPv6"; + } + } +--- stream_request eval + "PROXY TCP6 2001:0db8:85a3:0000:0000:8a2e:0370:7334 ::1 48078 1985\r\nGET /t3 HTTP/1.0\r\nHost: localhost\r\n\r\n"; +--- stream_response_like +2001:db8:85a3::8a2e:370:7334 via proxy protocol v2 IPv6 +--- no_error_log +[error] + + + +=== TEST 4: Stream with TLS Extended Property Validation +--- stream_config + upstream backend { + server 127.0.0.1:$TEST_NGINX_RAND_PORT_2 max_fails=3 fail_timeout=5s; + } + server { + listen 12344 ssl; + proxy_pass backend; + proxy_protocol v2; + ssl_certificate test.crt; + ssl_certificate_key test.key; + } +--- stream_server_config + proxy_pass 127.0.0.1:12344; + proxy_ssl on; +--- http_config + server { + listen 127.0.0.1:$TEST_NGINX_RAND_PORT_2 proxy_protocol; + location /t4 { + echo "$proxy_protocol_addr $proxy_protocol_tlv_ssl_version $proxy_protocol_tlv_ssl_cipher $proxy_protocol_tlv_ssl_sig_alg $proxy_protocol_tlv_ssl_key_alg $proxy_protocol_tlv_ssl_verify via proxy protocol v2 IPv4"; + } + } +--- post_setup_server_root +my $d = "t/servroot/conf"; +open my $fh, '>', "$d/openssl.conf" or die "can`t open $d/openssl.conf: $!"; +print $fh <<'END'; +[ req ] +default_bits = 2048 +encrypt_key = no +distinguished_name = req_distinguished_name +x509_extensions = myca_extensions +[ req_distinguished_name ] +[ myca_extensions ] +basicConstraints = critical,CA:TRUE +END +close $fh; + +foreach my $name ('test') { + system('openssl req -x509 -new ' + . "-config $d/openssl.conf -subj /CN=$name/ " + . "-out $d/$name.crt -keyout $d/$name.key " + . 
">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for $name: $!\n"; +} + +--- stream_request eval + "GET /t4 HTTP/1.0\r\nHost: localhost\r\n\r\n"; +--- stream_response_like +127.0.0.1 TLSv1.3 TLS_AES_256_GCM_SHA384 RSA-SHA256 RSA2048 0 via proxy protocol v2 IPv4 +--- no_error_log +[error]
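Review bot: In TEST 4's `post_setup_server_root`, the `die` after `system(...)` reports `$!`, which is only meaningful when the command could not be started; when openssl itself exits non-zero the message carries an unrelated errno, so report the exit status instead, e.g. `or die "Can't create certificate for $name: exit " . ($? >> 8) . ", see $d/openssl.out\n";`. The `close $fh` just above is unchecked too, so a failed write of openssl.conf would only surface later as a confusing openssl error; `close $fh or die "can't close $d/openssl.conf: $!";` covers it. The same test listens on the fixed port 12344 while every other listener in the file uses `$TEST_NGINX_RAND_PORT_2`, which can collide on a shared CI host, and its expected line pins `TLSv1.3 TLS_AES_256_GCM_SHA384 RSA-SHA256`, which presumably depends on the defaults of whichever OpenSSL the build links against. Separately, TEST 2 and TEST 3 name a section `steam_listen_option`, which reads like a misspelling of "stream"; the harness is not visible here, but if it does not recognise that name the stream listener would not parse the inbound `PROXY TCP4`/`PROXY TCP6` header these tests send, so the spelling is worth confirming against the test-nginx version in use.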