Commit f7a525ea authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Łukasz Nowak

caddy-frontend: Implement backend with own CA verification

parent 8a999d74
...@@ -13,7 +13,6 @@ Generally things to be done with ``caddy-frontend``: ...@@ -13,7 +13,6 @@ Generally things to be done with ``caddy-frontend``:
* ``type:eventsource``: * ``type:eventsource``:
* **Jérome Perrin**: *For event source, if I understand https://github.com/mholt/caddy/issues/1355 correctly, we could use caddy as a proxy in front of nginx-push-stream . If we have a "central shared" caddy instance, can it handle keeping connections opens for many clients ?* * **Jérome Perrin**: *For event source, if I understand https://github.com/mholt/caddy/issues/1355 correctly, we could use caddy as a proxy in front of nginx-push-stream . If we have a "central shared" caddy instance, can it handle keeping connections opens for many clients ?*
* ``ssl_proxy_ca_crt`` for ``ssl_proxy_verify``, this is related to bug `#1550 <https://github.com/mholt/caddy/issues/1550>`_, proposed solution `just adding your CA to the system's trust store`
* ``check-error-on-caddy-log`` like ``check-error-on-apache-log`` * ``check-error-on-caddy-log`` like ``check-error-on-apache-log``
* cover test suite like resilient tests for KVM and prove it works the same way as Caddy * cover test suite like resilient tests for KVM and prove it works the same way as Caddy
* have ``caddy-frontend`` specific parameters, with backward compatibility to ``apache-frontend`` ones: * have ``caddy-frontend`` specific parameters, with backward compatibility to ``apache-frontend`` ones:
......
...@@ -22,7 +22,7 @@ md5sum = c801b7f9f11f0965677c22e6bbe9281b ...@@ -22,7 +22,7 @@ md5sum = c801b7f9f11f0965677c22e6bbe9281b
[template-apache-frontend] [template-apache-frontend]
filename = instance-apache-frontend.cfg.in filename = instance-apache-frontend.cfg.in
md5sum = 395ea5b3389e26a57dad0f91cd458630 md5sum = f9d0e64b4aae205c7bb941f5c1c27876
[template-apache-replicate] [template-apache-replicate]
filename = instance-apache-replicate.cfg.in filename = instance-apache-replicate.cfg.in
...@@ -62,11 +62,11 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b ...@@ -62,11 +62,11 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b
[template-default-slave-virtualhost] [template-default-slave-virtualhost]
filename = templates/default-virtualhost.conf.in filename = templates/default-virtualhost.conf.in
md5sum = 73bc8abae6aadc3ce55662c3d821b363 md5sum = b7879a40ed7f8a49b764c82e7283811f
[template-cached-slave-virtualhost] [template-cached-slave-virtualhost]
filename = templates/cached-virtualhost.conf.in filename = templates/cached-virtualhost.conf.in
md5sum = 7cbcadc295860821ac9d3aaa3cca72c5 md5sum = c64f8ac7ec439460877ce5a5c5ccf1f7
[template-log-access] [template-log-access]
filename = templates/template-log-access.conf.in filename = templates/template-log-access.conf.in
......
...@@ -537,7 +537,7 @@ mode = 700 ...@@ -537,7 +537,7 @@ mode = 700
template = {{ parameter_dict['template_graceful_script'] }} template = {{ parameter_dict['template_graceful_script'] }}
rendered = ${directory:etc-run}/frontend-caddy-safe-graceful rendered = ${directory:etc-run}/frontend-caddy-safe-graceful
mode = 0700 mode = 0700
path_list = ${caddy-configuration:frontend-configuration} ${frontend-configuration:log-access-configuration} ${caddy-directory:slave-configuration}/*.conf ${caddy-directory:slave-with-cache-configuration}/*.conf ${caddy-directory:vh-ssl}/*.key ${caddy-directory:vh-ssl}/*.crt path_list = ${caddy-configuration:frontend-configuration} ${frontend-configuration:log-access-configuration} ${caddy-directory:slave-configuration}/*.conf ${caddy-directory:slave-with-cache-configuration}/*.conf ${caddy-directory:vh-ssl}/*.key ${caddy-directory:vh-ssl}/*.crt ${caddy-directory:vh-ssl}/*.proxy_ca_crt
sha256sum = {{ parameter_dict['sha256sum'] }} sha256sum = {{ parameter_dict['sha256sum'] }}
signature_file = ${directory:run}/caddy_graceful_signature signature_file = ${directory:run}/caddy_graceful_signature
extra-context = extra-context =
......
...@@ -131,12 +131,12 @@ ...@@ -131,12 +131,12 @@
}, },
"ssl-proxy-verify": { "ssl-proxy-verify": {
"default": "false", "default": "false",
"description": "[NOT Implemented] If set to true, Backend SSL Certificates will be checked and frontend will refuse to proxy if certificate is invalid", "description": "If set to true, Backend SSL Certificates will be checked and frontend will refuse to proxy if certificate is invalid",
"enum": [ "enum": [
"false", "false",
"true" "true"
], ],
"title": "[NOT Implemented] Verify Backend Certificates", "title": "Verify Backend Certificates",
"type": "string" "type": "string"
}, },
"ssl_ca_crt": { "ssl_ca_crt": {
...@@ -162,8 +162,8 @@ ...@@ -162,8 +162,8 @@
}, },
"ssl_proxy_ca_crt": { "ssl_proxy_ca_crt": {
"default": "", "default": "",
"description": "[NOT Implemented] Content of the SSL Certificate Authority file of the backend (to be used with ssl-proxy-verify)", "description": "Content of the SSL Certificate Authority file of the backend (to be used with ssl-proxy-verify)",
"title": "[NOT Implemented] SSL Backend Authority's Certificate", "title": "SSL Backend Authority's Certificate",
"type": "string" "type": "string"
}, },
"type": { "type": {
......
...@@ -19,9 +19,6 @@ ...@@ -19,9 +19,6 @@
bind {{ slave_parameter['local_ipv4'] }} bind {{ slave_parameter['local_ipv4'] }}
# Compress the output # Compress the output
gzip gzip
{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
status 501 /
{%- endif %}
# Rewrite part # Rewrite part
proxy / {{ slave_parameter.get('backend_url', '') }} { proxy / {{ slave_parameter.get('backend_url', '') }} {
# As backend is trusting REMOTE_USER header unset it always # As backend is trusting REMOTE_USER header unset it always
...@@ -30,7 +27,8 @@ ...@@ -30,7 +27,8 @@
transparent transparent
timeout 600s timeout 600s
{%- if ssl_proxy_verify %} {%- if ssl_proxy_verify %}
{%- if 'ssl_proxy_ca_crt' in slave_parameter %} {%- if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
{%- endif %} {%- endif %}
{%- else %} {%- else %}
insecure_skip_verify insecure_skip_verify
...@@ -43,16 +41,14 @@ ...@@ -43,16 +41,14 @@
bind {{ slave_parameter['local_ipv4'] }} bind {{ slave_parameter['local_ipv4'] }}
# Compress the output # Compress the output
gzip gzip
{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
status 501 /
{%- endif %}
proxy / {{ slave_parameter.get('https_backend_url', '') }} { proxy / {{ slave_parameter.get('https_backend_url', '') }} {
# As backend is trusting REMOTE_USER header unset it always # As backend is trusting REMOTE_USER header unset it always
header_upstream -REMOTE_USER header_upstream -REMOTE_USER
transparent transparent
timeout 600s timeout 600s
{%- if ssl_proxy_verify %} {%- if ssl_proxy_verify %}
{%- if 'ssl_proxy_ca_crt' in slave_parameter %} {%- if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
{%- endif %} {%- endif %}
{%- else %} {%- else %}
insecure_skip_verify insecure_skip_verify
......
...@@ -30,9 +30,6 @@ ...@@ -30,9 +30,6 @@
bind {{ slave_parameter['local_ipv4'] }} bind {{ slave_parameter['local_ipv4'] }}
# Compress the output # Compress the output
gzip gzip
{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
status 501 /
{%- endif %} {#- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter #}
tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }} { tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }} {
{%- if enable_h2 %} {%- if enable_h2 %}
# Allow HTTP2 # Allow HTTP2
...@@ -79,8 +76,9 @@ ...@@ -79,8 +76,9 @@
transparent transparent
timeout 600s timeout 600s
{%- if ssl_proxy_verify %} {%- if ssl_proxy_verify %}
{%- if 'ssl_proxy_ca_crt' in slave_parameter %} {%- if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
{%- endif %} {#- if 'ssl_proxy_ca_crt' in slave_parameter #} ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
{%- endif %} {#- if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
{%- else %} {#- if ssl_proxy_verify #} {%- else %} {#- if ssl_proxy_verify #}
insecure_skip_verify insecure_skip_verify
{%- endif %} {#- if ssl_proxy_verify #} {%- endif %} {#- if ssl_proxy_verify #}
...@@ -136,8 +134,9 @@ ...@@ -136,8 +134,9 @@
transparent transparent
timeout 600s timeout 600s
{%- if ssl_proxy_verify %} {%- if ssl_proxy_verify %}
{%- if 'ssl_proxy_ca_crt' in slave_parameter %} {%- if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
{%- endif %} {#- if 'ssl_proxy_ca_crt' in slave_parameter #} ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
{%- endif %} {#- if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
{%- else %} {#- if ssl_proxy_verify #} {%- else %} {#- if ssl_proxy_verify #}
insecure_skip_verify insecure_skip_verify
{%- endif %} {#- if ssl_proxy_verify #} {%- endif %} {#- if ssl_proxy_verify #}
...@@ -152,9 +151,6 @@ ...@@ -152,9 +151,6 @@
bind {{ slave_parameter['local_ipv4'] }} bind {{ slave_parameter['local_ipv4'] }}
# Compress the output # Compress the output
gzip gzip
{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
status 501 /
{%- endif %} {#- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter #}
log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
errors {{ slave_parameter.get('error_log') }} errors {{ slave_parameter.get('error_log') }}
...@@ -201,8 +197,9 @@ ...@@ -201,8 +197,9 @@
transparent transparent
timeout 600s timeout 600s
{%- if ssl_proxy_verify %} {%- if ssl_proxy_verify %}
{%- if 'ssl_proxy_ca_crt' in slave_parameter %} {%- if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
{%- endif %} {#- if 'ssl_proxy_ca_crt' in slave_parameter #} ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
{%- endif %} {#- if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
{%- else %} {#- if ssl_proxy_verify #} {%- else %} {#- if ssl_proxy_verify #}
insecure_skip_verify insecure_skip_verify
{%- endif %} {#- if ssl_proxy_verify #} {%- endif %} {#- if ssl_proxy_verify #}
...@@ -252,8 +249,9 @@ ...@@ -252,8 +249,9 @@
transparent transparent
timeout 600s timeout 600s
{%- if ssl_proxy_verify %} {%- if ssl_proxy_verify %}
{%- if 'ssl_proxy_ca_crt' in slave_parameter %} {%- if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
{%- endif %} {#- if 'ssl_proxy_ca_crt' in slave_parameter #} ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
{%- endif %} {#- if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
{%- else %} {#- if ssl_proxy_verify #} {%- else %} {#- if ssl_proxy_verify #}
insecure_skip_verify insecure_skip_verify
{%- endif %} {#- if ssl_proxy_verify #} {%- endif %} {#- if ssl_proxy_verify #}
......
...@@ -40,6 +40,7 @@ from BaseHTTPServer import BaseHTTPRequestHandler ...@@ -40,6 +40,7 @@ from BaseHTTPServer import BaseHTTPRequestHandler
from forcediphttpsadapter.adapters import ForcedIPHTTPSAdapter from forcediphttpsadapter.adapters import ForcedIPHTTPSAdapter
import time import time
import tempfile import tempfile
import ipaddress
from utils import SlapOSInstanceTestCase from utils import SlapOSInstanceTestCase
from utils import findFreeTCPPort from utils import findFreeTCPPort
...@@ -118,11 +119,24 @@ def createSelfSignedCertificate(name_list): ...@@ -118,11 +119,24 @@ def createSelfSignedCertificate(name_list):
return key, key_pem, certificate, certificate_pem return key, key_pem, certificate, certificate_pem
def createCSR(common_name): def createCSR(common_name, ip=None):
key, key_pem = createKey() key, key_pem = createKey()
subject_alternative_name_list = []
if ip is not None:
subject_alternative_name_list.append(
x509.IPAddress(ipaddress.ip_address(unicode(ip)))
)
csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([ csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, unicode(common_name)), x509.NameAttribute(NameOID.COMMON_NAME, unicode(common_name)),
])).sign(key, hashes.SHA256(), default_backend()) ]))
if len(subject_alternative_name_list):
csr = csr.add_extension(
x509.SubjectAlternativeName(subject_alternative_name_list),
critical=False
)
csr = csr.sign(key, hashes.SHA256(), default_backend())
csr_pem = csr.public_bytes(serialization.Encoding.PEM) csr_pem = csr.public_bytes(serialization.Encoding.PEM)
return key, key_pem, csr, csr_pem return key, key_pem, csr, csr_pem
...@@ -157,6 +171,7 @@ class CertificateAuthority(object): ...@@ -157,6 +171,7 @@ class CertificateAuthority(object):
def signCSR(self, csr): def signCSR(self, csr):
builder = x509.CertificateBuilder( builder = x509.CertificateBuilder(
subject_name=csr.subject, subject_name=csr.subject,
extensions=csr.extensions,
issuer_name=self.certificate.subject, issuer_name=self.certificate.subject,
not_valid_before=datetime.datetime.utcnow() - datetime.timedelta(days=1), not_valid_before=datetime.datetime.utcnow() - datetime.timedelta(days=1),
not_valid_after=datetime.datetime.utcnow() + datetime.timedelta(days=30), not_valid_after=datetime.datetime.utcnow() + datetime.timedelta(days=30),
...@@ -465,9 +480,10 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase): ...@@ -465,9 +480,10 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
(LOCAL_IPV4, findFreeTCPPort(LOCAL_IPV4)), (LOCAL_IPV4, findFreeTCPPort(LOCAL_IPV4)),
TestHandler) TestHandler)
cls.another_server_ca = CertificateAuthority("Another Server Root CA")
cls.test_server_ca = CertificateAuthority("Test Server Root CA") cls.test_server_ca = CertificateAuthority("Test Server Root CA")
key, key_pem, csr, csr_pem = createCSR( key, key_pem, csr, csr_pem = createCSR(
"testserver.example.com") "testserver.example.com", LOCAL_IPV4)
_, cls.test_server_certificate_pem = cls.test_server_ca.signCSR(csr) _, cls.test_server_certificate_pem = cls.test_server_ca.signCSR(csr)
cls.test_server_certificate_file = tempfile.NamedTemporaryFile( cls.test_server_certificate_file = tempfile.NamedTemporaryFile(
...@@ -759,6 +775,11 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s { ...@@ -759,6 +775,11 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
'ssl-proxy-verify': True, 'ssl-proxy-verify': True,
'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem, 'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem,
}, },
'ssl-proxy-verify_ssl_proxy_ca_crt-unverified': {
'url': cls.backend_https_url,
'ssl-proxy-verify': True,
'ssl_proxy_ca_crt': cls.another_server_ca.certificate_pem,
},
'ssl-proxy-verify-unverified': { 'ssl-proxy-verify-unverified': {
'url': cls.backend_https_url, 'url': cls.backend_https_url,
'ssl-proxy-verify': True, 'ssl-proxy-verify': True,
...@@ -814,6 +835,12 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s { ...@@ -814,6 +835,12 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
'ssl-proxy-verify': True, 'ssl-proxy-verify': True,
'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem, 'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem,
}, },
'type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified': {
'url': cls.backend_https_url,
'type': 'zope',
'ssl-proxy-verify': True,
'ssl_proxy_ca_crt': cls.another_server_ca.certificate_pem,
},
'type-zope-ssl-proxy-verify-unverified': { 'type-zope-ssl-proxy-verify-unverified': {
'url': cls.backend_https_url, 'url': cls.backend_https_url,
'type': 'zope', 'type': 'zope',
...@@ -880,6 +907,12 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s { ...@@ -880,6 +907,12 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem, 'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem,
'ssl-proxy-verify': True, 'ssl-proxy-verify': True,
}, },
'enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified': {
'url': cls.backend_https_url,
'enable_cache': True,
'ssl_proxy_ca_crt': cls.another_server_ca.certificate_pem,
'ssl-proxy-verify': True,
},
'enable-http2-default': { 'enable-http2-default': {
'url': cls.backend_url, 'url': cls.backend_url,
}, },
...@@ -953,9 +986,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s { ...@@ -953,9 +986,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
expected_parameter_dict = { expected_parameter_dict = {
'monitor-base-url': None, 'monitor-base-url': None,
'domain': 'example.com', 'domain': 'example.com',
'accepted-slave-amount': '40', 'accepted-slave-amount': '43',
'rejected-slave-amount': '4', 'rejected-slave-amount': '4',
'slave-amount': '44', 'slave-amount': '47',
'rejected-slave-dict': { 'rejected-slave-dict': {
"_apache_custom_http_s-rejected": ["slave not authorized"], "_apache_custom_http_s-rejected": ["slave not authorized"],
"_caddy_custom_http_s": ["slave not authorized"], "_caddy_custom_http_s": ["slave not authorized"],
...@@ -1769,6 +1802,45 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s { ...@@ -1769,6 +1802,45 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
result.headers['Location'] result.headers['Location']
) )
def test_ssl_proxy_verify_ssl_proxy_ca_crt_unverified(self):
parameter_dict = self.parseSlaveParameterDict(
'ssl-proxy-verify_ssl_proxy_ca_crt-unverified')
self.assertLogAccessUrlWithPop(parameter_dict)
self.assertEqual(
{
'domain': 'sslproxyverifysslproxycacrtunverified.example.com',
'replication_number': '1',
'url': 'http://sslproxyverifysslproxycacrtunverified.example.com',
'site_url':
'http://sslproxyverifysslproxycacrtunverified.example.com',
'secure_access':
'https://sslproxyverifysslproxycacrtunverified.example.com',
'public-ipv4': LOCAL_IPV4,
},
parameter_dict
)
result = self.fakeHTTPSResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual(
self.certificate_pem,
der2pem(result.peercert))
self.assertEqual(
httplib.BAD_GATEWAY,
result.status_code
)
result_http = self.fakeHTTPResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual(
httplib.BAD_GATEWAY,
result_http.status_code
)
def test_ssl_proxy_verify_ssl_proxy_ca_crt(self): def test_ssl_proxy_verify_ssl_proxy_ca_crt(self):
parameter_dict = self.parseSlaveParameterDict( parameter_dict = self.parseSlaveParameterDict(
'ssl-proxy-verify_ssl_proxy_ca_crt') 'ssl-proxy-verify_ssl_proxy_ca_crt')
...@@ -1793,17 +1865,42 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s { ...@@ -1793,17 +1865,42 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
self.certificate_pem, self.certificate_pem,
der2pem(result.peercert)) der2pem(result.peercert))
self.assertEqualResultJson(result, 'Path', '/test-path')
try:
j = result.json()
except Exception:
raise ValueError('JSON decode problem in:\n%s' % (result.text,))
self.assertFalse('remote_user' in j['Incoming Headers'].keys())
self.assertEqual( self.assertEqual(
httplib.NOT_IMPLEMENTED, 'gzip',
result.status_code result.headers['Content-Encoding']
)
self.assertEqual(
'secured=value;secure, nonsecured=value',
result.headers['Set-Cookie']
) )
result_http = self.fakeHTTPResult( result_http = self.fakeHTTPResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path') parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqualResultJson(result_http, 'Path', '/test-path')
try:
j = result_http.json()
except Exception:
raise ValueError('JSON decode problem in:\n%s' % (result.text,))
self.assertFalse('remote_user' in j['Incoming Headers'].keys())
self.assertEqual( self.assertEqual(
httplib.NOT_IMPLEMENTED, 'gzip',
result_http.status_code result_http.headers['Content-Encoding']
)
self.assertEqual(
'secured=value;secure, nonsecured=value',
result_http.headers['Set-Cookie']
) )
def test_ssl_proxy_verify_unverified(self): def test_ssl_proxy_verify_unverified(self):
...@@ -1835,6 +1932,47 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s { ...@@ -1835,6 +1932,47 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
result.status_code result.status_code
) )
def test_enable_cache_ssl_proxy_verify_ssl_proxy_ca_crt_unverified(self):
parameter_dict = self.parseSlaveParameterDict(
'enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified')
self.assertLogAccessUrlWithPop(parameter_dict)
self.assertEqual(
{
'domain':
'enablecachesslproxyverifysslproxycacrtunverified.example.com',
'replication_number': '1',
'url':
'http://enablecachesslproxyverifysslproxycacrtunverified.example.com',
'site_url':
'http://enablecachesslproxyverifysslproxycacrtunverified.example.com',
'secure_access':
'https://enablecachesslproxyverifysslproxycacrtunverified.example.com',
'public-ipv4': LOCAL_IPV4,
},
parameter_dict
)
result = self.fakeHTTPSResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual(
self.certificate_pem,
der2pem(result.peercert))
self.assertEqual(
httplib.BAD_GATEWAY,
result.status_code
)
result_http = self.fakeHTTPResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual(
httplib.BAD_GATEWAY,
result_http.status_code
)
def test_enable_cache_ssl_proxy_verify_ssl_proxy_ca_crt(self): def test_enable_cache_ssl_proxy_verify_ssl_proxy_ca_crt(self):
parameter_dict = self.parseSlaveParameterDict( parameter_dict = self.parseSlaveParameterDict(
'enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt') 'enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt')
...@@ -1861,17 +1999,72 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s { ...@@ -1861,17 +1999,72 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
self.certificate_pem, self.certificate_pem,
der2pem(result.peercert)) der2pem(result.peercert))
self.assertEqualResultJson(result, 'Path', '/test-path')
headers = result.headers.copy()
self.assertKeyWithPop('Via', headers)
self.assertKeyWithPop('Server', headers)
self.assertKeyWithPop('Date', headers)
self.assertKeyWithPop('Age', headers)
# drop keys appearing randomly in headers
headers.pop('Transfer-Encoding', None)
headers.pop('Content-Length', None)
headers.pop('Connection', None)
headers.pop('Keep-Alive', None)
self.assertEqual( self.assertEqual(
httplib.NOT_IMPLEMENTED, {'Content-type': 'application/json',
result.status_code 'Set-Cookie': 'secured=value;secure, nonsecured=value',
'Content-Encoding': 'gzip', 'Vary': 'Accept-Encoding'},
headers
) )
result_http = self.fakeHTTPResult( result_direct = self.fakeHTTPResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path') parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path',
port=26011)
self.assertEqualResultJson(result_direct, 'Path', '/test-path')
try:
j = result_direct.json()
except Exception:
raise ValueError('JSON decode problem in:\n%s' % (result_direct.text,))
self.assertFalse('remote_user' in j['Incoming Headers'].keys())
self.assertEqual( self.assertEqual(
httplib.NOT_IMPLEMENTED, 'gzip',
result_http.status_code result_direct.headers['Content-Encoding']
)
self.assertEqual(
'secured=value;secure, nonsecured=value',
result_direct.headers['Set-Cookie']
)
result_direct_https_backend = self.fakeHTTPResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path',
port=26012)
self.assertEqualResultJson(
result_direct_https_backend, 'Path', '/test-path')
try:
j = result_direct_https_backend.json()
except Exception:
raise ValueError('JSON decode problem in:\n%s' % (
result_direct_https_backend.text,))
self.assertFalse('remote_user' in j['Incoming Headers'].keys())
self.assertEqual(
'gzip',
result_direct_https_backend.headers['Content-Encoding']
)
self.assertEqual(
'secured=value;secure, nonsecured=value',
result_direct_https_backend.headers['Set-Cookie']
) )
def test_enable_cache_ssl_proxy_verify_unverified(self): def test_enable_cache_ssl_proxy_verify_unverified(self):
...@@ -1904,6 +2097,46 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s { ...@@ -1904,6 +2097,46 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
result.status_code result.status_code
) )
def test_type_zope_ssl_proxy_verify_ssl_proxy_ca_crt_unverified(self):
parameter_dict = self.parseSlaveParameterDict(
'type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified')
self.assertLogAccessUrlWithPop(parameter_dict)
self.assertEqual(
{
'domain': 'typezopesslproxyverifysslproxycacrtunverified.example.com',
'replication_number': '1',
'url':
'http://typezopesslproxyverifysslproxycacrtunverified.example.com',
'site_url':
'http://typezopesslproxyverifysslproxycacrtunverified.example.com',
'secure_access':
'https://typezopesslproxyverifysslproxycacrtunverified.example.com',
'public-ipv4': LOCAL_IPV4,
},
parameter_dict
)
result = self.fakeHTTPSResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual(
self.certificate_pem,
der2pem(result.peercert))
self.assertEqual(
httplib.BAD_GATEWAY,
result.status_code
)
result_http = self.fakeHTTPResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual(
httplib.BAD_GATEWAY,
result_http.status_code
)
def test_type_zope_ssl_proxy_verify_ssl_proxy_ca_crt(self): def test_type_zope_ssl_proxy_verify_ssl_proxy_ca_crt(self):
parameter_dict = self.parseSlaveParameterDict( parameter_dict = self.parseSlaveParameterDict(
'type-zope-ssl-proxy-verify_ssl_proxy_ca_crt') 'type-zope-ssl-proxy-verify_ssl_proxy_ca_crt')
...@@ -1929,17 +2162,29 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s { ...@@ -1929,17 +2162,29 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
self.certificate_pem, self.certificate_pem,
der2pem(result.peercert)) der2pem(result.peercert))
self.assertEqual( try:
httplib.NOT_IMPLEMENTED, j = result.json()
result.status_code except Exception:
raise ValueError('JSON decode problem in:\n%s' % (result.text,))
self.assertFalse('remote_user' in j['Incoming Headers'].keys())
self.assertEqualResultJson(
result,
'Path',
'/VirtualHostBase/https//'
'typezopesslproxyverifysslproxycacrt.example.com:443/'
'/VirtualHostRoot/test-path'
) )
result_http = self.fakeHTTPResult( result = self.fakeHTTPResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path') parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual( self.assertEqualResultJson(
httplib.NOT_IMPLEMENTED, result,
result_http.status_code 'Path',
'/VirtualHostBase/http//'
'typezopesslproxyverifysslproxycacrt.example.com:80/'
'/VirtualHostRoot/test-path'
) )
def test_type_zope_ssl_proxy_verify_unverified(self): def test_type_zope_ssl_proxy_verify_unverified(self):
......
...@@ -27,6 +27,8 @@ TestSlave-1/var/log/httpd/_enable_cache-disable-via-header_access_log ...@@ -27,6 +27,8 @@ TestSlave-1/var/log/httpd/_enable_cache-disable-via-header_access_log
TestSlave-1/var/log/httpd/_enable_cache-disable-via-header_error_log TestSlave-1/var/log/httpd/_enable_cache-disable-via-header_error_log
TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify-unverified_access_log TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify-unverified_access_log
TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify-unverified_error_log TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify-unverified_error_log
TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_access_log TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_access_log
TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_error_log TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_error_log
TestSlave-1/var/log/httpd/_enable_cache_access_log TestSlave-1/var/log/httpd/_enable_cache_access_log
...@@ -51,6 +53,8 @@ TestSlave-1/var/log/httpd/_server-alias_custom_domain-duplicated_error_log ...@@ -51,6 +53,8 @@ TestSlave-1/var/log/httpd/_server-alias_custom_domain-duplicated_error_log
TestSlave-1/var/log/httpd/_server-alias_error_log TestSlave-1/var/log/httpd/_server-alias_error_log
TestSlave-1/var/log/httpd/_ssl-proxy-verify-unverified_access_log TestSlave-1/var/log/httpd/_ssl-proxy-verify-unverified_access_log
TestSlave-1/var/log/httpd/_ssl-proxy-verify-unverified_error_log TestSlave-1/var/log/httpd/_ssl-proxy-verify-unverified_error_log
TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt_access_log TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt_access_log
TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt_error_log TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt_error_log
TestSlave-1/var/log/httpd/_ssl_ca_crt_does_not_match_access_log TestSlave-1/var/log/httpd/_ssl_ca_crt_does_not_match_access_log
...@@ -67,6 +71,8 @@ TestSlave-1/var/log/httpd/_type-zope-path_access_log ...@@ -67,6 +71,8 @@ TestSlave-1/var/log/httpd/_type-zope-path_access_log
TestSlave-1/var/log/httpd/_type-zope-path_error_log TestSlave-1/var/log/httpd/_type-zope-path_error_log
TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify-unverified_access_log TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify-unverified_access_log
TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify-unverified_error_log TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify-unverified_error_log
TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt_access_log TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt_access_log
TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt_error_log TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt_error_log
TestSlave-1/var/log/httpd/_type-zope-virtualhostroot-http-port_access_log TestSlave-1/var/log/httpd/_type-zope-virtualhostroot-http-port_access_log
......
...@@ -28,6 +28,8 @@ TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify-unverified- ...@@ -28,6 +28,8 @@ TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify-unverified-
TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify-unverified-error-log-last-hour TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify-unverified-error-log-last-hour
TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-day TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-day
TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-hour TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-hour
TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-day
TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-hour
TestSlave-1/etc/monitor-promise/check-_https-only-error-log-last-day TestSlave-1/etc/monitor-promise/check-_https-only-error-log-last-day
TestSlave-1/etc/monitor-promise/check-_https-only-error-log-last-hour TestSlave-1/etc/monitor-promise/check-_https-only-error-log-last-hour
TestSlave-1/etc/monitor-promise/check-_monitor-ipv4-test-error-log-last-day TestSlave-1/etc/monitor-promise/check-_monitor-ipv4-test-error-log-last-day
...@@ -53,6 +55,8 @@ TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify-unverified-error-log-las ...@@ -53,6 +55,8 @@ TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify-unverified-error-log-las
TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify-unverified-error-log-last-hour TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify-unverified-error-log-last-hour
TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-day TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-day
TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-hour TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-hour
TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-day
TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-hour
TestSlave-1/etc/monitor-promise/check-_ssl_ca_crt_does_not_match-error-log-last-day TestSlave-1/etc/monitor-promise/check-_ssl_ca_crt_does_not_match-error-log-last-day
TestSlave-1/etc/monitor-promise/check-_ssl_ca_crt_does_not_match-error-log-last-hour TestSlave-1/etc/monitor-promise/check-_ssl_ca_crt_does_not_match-error-log-last-hour
TestSlave-1/etc/monitor-promise/check-_ssl_ca_crt_garbage-error-log-last-day TestSlave-1/etc/monitor-promise/check-_ssl_ca_crt_garbage-error-log-last-day
...@@ -73,6 +77,8 @@ TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify-unverified-err ...@@ -73,6 +77,8 @@ TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify-unverified-err
TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify-unverified-error-log-last-hour TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify-unverified-error-log-last-hour
TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-day TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-day
TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-hour TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-hour
TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-day
TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-hour
TestSlave-1/etc/monitor-promise/check-_type-zope-virtualhostroot-http-port-error-log-last-day TestSlave-1/etc/monitor-promise/check-_type-zope-virtualhostroot-http-port-error-log-last-day
TestSlave-1/etc/monitor-promise/check-_type-zope-virtualhostroot-http-port-error-log-last-hour TestSlave-1/etc/monitor-promise/check-_type-zope-virtualhostroot-http-port-error-log-last-hour
TestSlave-1/etc/monitor-promise/check-_type-zope-virtualhostroot-https-port-error-log-last-day TestSlave-1/etc/monitor-promise/check-_type-zope-virtualhostroot-https-port-error-log-last-day
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment