from datetime import timedelta

import pytest

from .conf import TlsTestConf


class TestProxyTLS:
    """Exercise mod_proxy backend connections secured with TLSProxy* directives.

    The ProxyPass rules live in the ``env.domain_b`` vhost and point back at
    the server's own HTTPS port. Three <Proxy> sections are configured:

    * ``https://127.0.0.1`` - TLS proxy engine on, CA pinned via TLSProxyCA,
      AES-256-GCM preferred and AES-128-GCM suppressed.
    * ``https://localhost`` - no TLSProxyEngine at all (negative case).
    * ``h2://127.0.0.1``    - TLS proxy engine on, CA pinned, both AES-GCM
      TLS 1.3 suites suppressed.
    """

    @pytest.fixture(autouse=True, scope='class')
    def _class_scope(self, env):
        """Install the proxy configuration once per class and restart httpd."""
        port = env.https_port
        ca_file = env.ca.cert_file

        # Server-wide settings plus the three <Proxy> sections under test.
        base_directives = [
            "LogLevel proxy:trace1 proxy_http:trace1 proxy_http2:trace2 http2:trace2 cgid:trace4",
            # Global default for proxy connections; the first <Proxy> section
            # below sets its own TLSProxyProtocol value.
            "TLSProxyProtocol TLSv1.3+",
            f"<Proxy https://127.0.0.1:{port}/>",
            "    TLSProxyEngine on",
            f"    TLSProxyCA {ca_file}",
            "    TLSProxyProtocol TLSv1.2+",
            "    TLSProxyCiphersPrefer TLS13_AES_256_GCM_SHA384",
            "    TLSProxyCiphersSuppress TLS13_AES_128_GCM_SHA256",
            "    ProxyPreserveHost on",
            "</Proxy>",
            # Deliberately without TLSProxyEngine: requests through this
            # section are expected to fail (see the *_get_local test).
            f"<Proxy https://localhost:{port}/>",
            "    ProxyPreserveHost on",
            "</Proxy>",
            f"<Proxy h2://127.0.0.1:{port}/>",
            "    TLSProxyEngine on",
            f"    TLSProxyCA {ca_file}",
            "    TLSProxyCiphersSuppress TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256",
            "    ProxyPreserveHost on",
            "</Proxy>",
        ]
        # Per-vhost settings: one ProxyPass prefix per <Proxy> section above.
        domain_b_directives = [
            "Protocols h2 http/1.1",
            f"ProxyPass /proxy-tls/ https://127.0.0.1:{port}/",
            f"ProxyPass /proxy-local/ https://localhost:{port}/",
            f"ProxyPass /proxy-h2-tls/ h2://127.0.0.1:{port}/",
            "TLSOptions +StdEnvVars",
        ]

        conf = TlsTestConf(env=env, extras={
            'base': base_directives,
            env.domain_b: domain_b_directives,
        })
        conf.add_tls_vhosts(domains=[env.domain_a, env.domain_b])
        conf.install()
        restart_rv = env.apache_restart()
        assert restart_rv == 0

    def test_tls_15_proxy_tls_get(self, env):
        """A GET through the https:// TLS proxy returns vhost b's index.json."""
        expected = {'domain': env.domain_b}
        assert env.tls_get_json(env.domain_b, "/proxy-tls/index.json") == expected

    def test_tls_15_proxy_tls_get_local(self, env):
        """A GET through the section lacking a TLS proxy engine yields no JSON."""
        # The https://localhost <Proxy> section enables no proxy TLS engine,
        # so the backend connection cannot be established.
        payload = env.tls_get_json(env.domain_b, "/proxy-local/index.json")
        assert payload is None
        # The failure above is intentional; have the error-log helper ignore
        # the log numbers it produces.
        expected_lognos = [
            "AH01961",  # failed to enable ssl support [Hint: if using mod_ssl, see SSLProxyEngine]
            "AH00961"   # failed to enable ssl support (mod_proxy)
        ]
        env.httpd_error_log.ignore_recent(lognos=expected_lognos)

    def test_tls_15_proxy_tls_h2_get(self, env):
        """A GET through the h2:// TLS proxy returns vhost b's index.json."""
        resp = env.tls_get(env.domain_b, "/proxy-h2-tls/index.json")
        assert resp.exit_code == 0
        assert resp.json == {'domain': env.domain_b}, f"{resp.stdout}"

    # Expected values follow from the https://127.0.0.1 <Proxy> section:
    # AES-256-GCM is preferred and AES-128-GCM suppressed, and the negotiated
    # protocol is TLSv1.3.
    # NOTE(review): vars.py presumably reports the variables of the
    # proxy-to-backend connection - confirm against the handler.
    @pytest.mark.parametrize("name, value", [
        ("SERVER_NAME", "b.mod-tls.test"),
        ("SSL_PROTOCOL", "TLSv1.3"),
        ("SSL_CIPHER", "TLS_AES_256_GCM_SHA384"),
        ("SSL_SESSION_RESUMED", "Initial"),
        ("SSL_SECURE_RENEG", "false"),
        ("SSL_COMPRESS_METHOD", "NULL"),
        ("SSL_CIPHER_EXPORT", "false"),
        ("SSL_CLIENT_VERIFY", "NONE"),
    ])
    def test_tls_15_proxy_tls_h1_vars(self, env, name: str, value: str):
        """Check one TLS environment variable seen via the https:// proxy."""
        resp = env.tls_get(env.domain_b, f"/proxy-tls/vars.py?name={name}")
        assert resp.exit_code == 0, resp.stderr
        assert resp.json == {name: value}, resp.stdout

    # The h2:// <Proxy> section suppresses both AES-GCM TLS 1.3 suites, so
    # the expected cipher here is CHACHA20-POLY1305.
    @pytest.mark.parametrize("name, value", [
        ("SERVER_NAME", "b.mod-tls.test"),
        ("SSL_PROTOCOL", "TLSv1.3"),
        ("SSL_CIPHER", "TLS_CHACHA20_POLY1305_SHA256"),
        ("SSL_SESSION_RESUMED", "Initial"),
    ])
    def test_tls_15_proxy_tls_h2_vars(self, env, name: str, value: str):
        """Check one TLS environment variable seen via the h2:// proxy."""
        resp = env.tls_get(env.domain_b, f"/proxy-h2-tls/vars.py?name={name}")
        assert resp.exit_code == 0, resp.stderr
        assert resp.json == {name: value}, resp.stdout