author | Yuchen Wu <[email protected]> | 2024-10-11 17:06:46 -0700 |
---|---|---|
committer | Yuchen Wu <[email protected]> | 2024-10-12 09:34:06 -0700 |
commit | b939776792cfc1aff3b83d5cdee2ae5562805f7b (patch) | |
tree | ab7812cbbf4b1cd23854e15e297711068dbcf546 /pingora-proxy | |
parent | 9921fe422274ced5ef14eb582d63529859fed441 (diff) | |
download | pingora-b939776792cfc1aff3b83d5cdee2ae5562805f7b.tar.gz pingora-b939776792cfc1aff3b83d5cdee2ae5562805f7b.zip |
Refactor openssl code one more time before rustls integration
Co-authored-by: Harald Gutmann <[email protected]>
Diffstat (limited to 'pingora-proxy')
-rw-r--r-- | pingora-proxy/Cargo.toml | 11 | ||||
-rw-r--r-- | pingora-proxy/examples/load_balancer.rs | 2 | ||||
-rw-r--r-- | pingora-proxy/tests/test_basic.rs | 39 | ||||
-rw-r--r-- | pingora-proxy/tests/utils/cert.rs | 63 | ||||
-rw-r--r-- | pingora-proxy/tests/utils/conf/keys/README.md | 9 | ||||
-rw-r--r-- | pingora-proxy/tests/utils/conf/keys/server_boringssl_openssl.crt | 13 | ||||
-rw-r--r-- | pingora-proxy/tests/utils/conf/keys/server_boringssl_openssl.csr (renamed from pingora-proxy/tests/utils/conf/keys/server.csr) | 0 | ||||
-rw-r--r-- | pingora-proxy/tests/utils/conf/keys/server_rustls.crt | 14 | ||||
-rw-r--r-- | pingora-proxy/tests/utils/conf/origin/conf/nginx.conf | 7 | ||||
-rw-r--r-- | pingora-proxy/tests/utils/mock_origin.rs | 25 | ||||
-rw-r--r-- | pingora-proxy/tests/utils/mod.rs | 2 | ||||
-rw-r--r-- | pingora-proxy/tests/utils/server_utils.rs | 37 |
12 files changed, 182 insertions, 40 deletions
diff --git a/pingora-proxy/Cargo.toml b/pingora-proxy/Cargo.toml index 13d4804..b65e0d8 100644 --- a/pingora-proxy/Cargo.toml +++ b/pingora-proxy/Cargo.toml @@ -44,7 +44,7 @@ env_logger = "0.9" hyper = "0.14" tokio-tungstenite = "0.20.1" pingora-limits = { version = "0.3.0", path = "../pingora-limits" } -pingora-load-balancing = { version = "0.3.0", path = "../pingora-load-balancing" } +pingora-load-balancing = { version = "0.3.0", path = "../pingora-load-balancing", default-features=false } prometheus = "0" futures-util = "0.3" serde = { version = "1.0", features = ["derive"] } @@ -55,9 +55,12 @@ serde_yaml = "0.8" hyperlocal = "0.8" [features] -default = ["openssl"] -openssl = ["pingora-core/openssl", "pingora-cache/openssl"] -boringssl = ["pingora-core/boringssl", "pingora-cache/boringssl"] +default = [] +openssl = ["pingora-core/openssl", "pingora-cache/openssl", "openssl_derived"] +boringssl = ["pingora-core/boringssl", "pingora-cache/boringssl", "openssl_derived"] +rustls = ["pingora-core/rustls", "pingora-cache/rustls", "any_tls"] +openssl_derived = ["any_tls"] +any_tls = [] sentry = ["pingora-core/sentry"] # or locally cargo doc --config "build.rustdocflags='--cfg doc_async_trait'" diff --git a/pingora-proxy/examples/load_balancer.rs b/pingora-proxy/examples/load_balancer.rs index 614981d..a428b9b 100644 --- a/pingora-proxy/examples/load_balancer.rs +++ b/pingora-proxy/examples/load_balancer.rs @@ -86,7 +86,7 @@ fn main() { let key_path = format!("{}/tests/keys/key.pem", env!("CARGO_MANIFEST_DIR")); let mut tls_settings = - pingora_core::listeners::TlsSettings::intermediate(&cert_path, &key_path).unwrap(); + pingora_core::listeners::tls::TlsSettings::intermediate(&cert_path, &key_path).unwrap(); tls_settings.enable_h2(); lb.add_tls_with_settings("0.0.0.0:6189", None, tls_settings); diff --git a/pingora-proxy/tests/test_basic.rs b/pingora-proxy/tests/test_basic.rs index 569e51a..f33a247 100644 --- a/pingora-proxy/tests/test_basic.rs 
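Review bot: `default = []` removes the TLS backend from the default feature set, and the tests/test_basic.rs hunks in this commit put every HTTPS and mTLS test behind `#[cfg(feature = "any_tls")]`, so a plain `cargo test -p pingora-proxy` (without `--features openssl|boringssl|rustls`) now compiles all of them out and reports green; unless CI is already passing a feature explicitly, the TLS coverage silently disappears. Nothing in the `[features]` hunk records that, so a comment beside the new line would stop this from drifting: `# No TLS backend by default: build/test with --features openssl, boringssl or rustls, otherwise all TLS tests are compiled out.` The `openssl_derived` / `any_tls` marker features also deserve one line each saying what they gate, since they carry no dependencies and read as typos otherwise. Minor: `default-features=false` on the pingora-load-balancing line lacks the spaces around `=` that the rest of the file uses.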
+++ b/pingora-proxy/tests/test_basic.rs @@ -67,6 +67,7 @@ async fn test_simple_proxy() { } #[tokio::test] +#[cfg(feature = "any_tls")] async fn test_h2_to_h1() { init(); let client = reqwest::Client::builder() @@ -74,7 +75,12 @@ async fn test_h2_to_h1() { .build() .unwrap(); - let res = client.get("https://127.0.0.1:6150").send().await.unwrap(); + let res = client + .get("https://127.0.0.1:6150") + .header("sni", "openrusty.org") + .send() + .await + .unwrap(); assert_eq!(res.status(), reqwest::StatusCode::OK); assert_eq!(res.version(), reqwest::Version::HTTP_2); @@ -104,6 +110,7 @@ async fn test_h2_to_h1() { } #[tokio::test] +#[cfg(feature = "any_tls")] async fn test_h2_to_h2() { init(); let client = reqwest::Client::builder() @@ -113,6 +120,7 @@ async fn test_h2_to_h2() { let res = client .get("https://127.0.0.1:6150") + .header("sni", "openrusty.org") .header("x-h2", "true") .send() .await @@ -189,6 +197,7 @@ async fn test_h1_on_h2c_port() { } #[tokio::test] +#[cfg(feature = "openssl_derived")] async fn test_h2_to_h2_host_override() { init(); let client = reqwest::Client::builder() @@ -212,6 +221,7 @@ async fn test_h2_to_h2_host_override() { } #[tokio::test] +#[cfg(feature = "any_tls")] async fn test_h2_to_h2_upload() { init(); let client = reqwest::Client::builder() @@ -223,6 +233,7 @@ async fn test_h2_to_h2_upload() { let res = client .get("https://127.0.0.1:6150/echo") + .header("sni", "openrusty.org") .header("x-h2", "true") .body(payload) .send() @@ -235,6 +246,7 @@ async fn test_h2_to_h2_upload() { } #[tokio::test] +#[cfg(feature = "any_tls")] async fn test_h2_to_h1_upload() { init(); let client = reqwest::Client::builder() @@ -246,6 +258,7 @@ async fn test_h2_to_h1_upload() { let res = client .get("https://127.0.0.1:6150/echo") + .header("sni", "openrusty.org") .body(payload) .send() .await 
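Review bot: The new `#[cfg(feature = "any_tls")]` is placed after `#[tokio::test]` in this hunk and in the hunks at -104, -189, -212, -235, -691 and -730, while every hunk from -444 onward puts it before `#[tokio::test]`; both orders compile, but a reader scanning the file for what is gated should find the attribute in one place, and `#[cfg(...)]` first reads naturally as "this test only exists with TLS". The `openssl_derived` gate added to `test_h2_to_h2_host_override` at -189 is the only one of the three `openssl_derived` gates without an explanation; the other two (-444, -489) carry `// currently not supported with Rustls implementation`, and the same comment belongs at -189 so the next person knows whether it is a rustls limitation or a test that should be ported. The `.header("sni", "openrusty.org")` lines added here and at -113, -223 and -246 are a test-control header interpreted by the proxy under test, which lives outside this file; a one-line comment on the first use, e.g. `// "sni" tells ExampleProxyHttps which server name to present upstream`, would save readers the cross-file lookup, assuming that is what it does.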
@@ -313,7 +326,10 @@ async fn test_simple_proxy_uds_peer() { assert!(is_specified_port(sockaddr.port())); assert_eq!(headers["x-upstream-client-addr"], "unset"); // unnamed UDS - assert_eq!(headers["x-upstream-server-addr"], "/tmp/nginx-test.sock"); + assert_eq!( + headers["x-upstream-server-addr"], + "/tmp/pingora_nginx_test.sock" + ); let body = res.text().await.unwrap(); assert_eq!(body, "Hello World!\n"); @@ -444,6 +460,8 @@ async fn test_dropped_conn() { test_dropped_conn_post_body_over().await; } +// currently not supported with Rustls implementation +#[cfg(feature = "openssl_derived")] #[tokio::test] async fn test_tls_no_verify() { init(); @@ -457,6 +475,7 @@ async fn test_tls_no_verify() { assert_eq!(res.status(), StatusCode::OK); } +#[cfg(feature = "any_tls")] #[tokio::test] async fn test_tls_verify_sni_not_host() { init(); @@ -473,6 +492,8 @@ async fn test_tls_verify_sni_not_host() { assert_eq!(res.status(), StatusCode::OK); } +// currently not supported with Rustls implementation +#[cfg(feature = "openssl_derived")] #[tokio::test] async fn test_tls_none_verify_host() { init(); @@ -489,6 +510,7 @@ async fn test_tls_none_verify_host() { assert_eq!(res.status(), StatusCode::OK); } +#[cfg(feature = "any_tls")] #[tokio::test] async fn test_tls_verify_sni_host() { init(); @@ -506,6 +528,7 @@ async fn test_tls_verify_sni_host() { assert_eq!(res.status(), StatusCode::OK); } +#[cfg(feature = "any_tls")] #[tokio::test] async fn test_tls_underscore_sub_sni_verify_host() { init(); @@ -523,6 +546,7 @@ async fn test_tls_underscore_sub_sni_verify_host() { assert_eq!(res.status(), StatusCode::OK); } +#[cfg(feature = "any_tls")] #[tokio::test] async fn test_tls_underscore_non_sub_sni_verify_host() { init(); @@ -542,6 +566,7 @@ async fn test_tls_underscore_non_sub_sni_verify_host() { assert_eq!(headers[header::CONNECTION], "close"); } +#[cfg(feature = "any_tls")] #[tokio::test] async fn test_tls_alt_verify_host() { init(); 
@@ -560,6 +585,7 @@ async fn test_tls_alt_verify_host() { assert_eq!(res.status(), StatusCode::OK); } +#[cfg(feature = "any_tls")] #[tokio::test] async fn test_tls_underscore_sub_alt_verify_host() { init(); @@ -578,6 +604,7 @@ async fn test_tls_underscore_sub_alt_verify_host() { assert_eq!(res.status(), StatusCode::OK); } +#[cfg(feature = "any_tls")] #[tokio::test] async fn test_tls_underscore_non_sub_alt_verify_host() { init(); @@ -691,6 +718,7 @@ async fn test_connect_close() { } #[tokio::test] +#[cfg(feature = "any_tls")] async fn test_mtls_no_client_cert() { init(); let client = reqwest::Client::new(); @@ -709,6 +737,7 @@ async fn test_mtls_no_client_cert() { assert_eq!(res.status(), StatusCode::BAD_REQUEST); } +#[cfg(feature = "any_tls")] #[tokio::test] async fn test_mtls_no_intermediate_cert() { init(); @@ -730,6 +759,7 @@ async fn test_mtls_no_intermediate_cert() { } #[tokio::test] +#[cfg(feature = "any_tls")] async fn test_mtls() { init(); let client = reqwest::Client::new(); @@ -748,6 +778,7 @@ async fn test_mtls() { assert_eq!(res.status(), StatusCode::OK); } +#[cfg(feature = "any_tls")] async fn assert_reuse(req: reqwest::RequestBuilder) { req.try_clone().unwrap().send().await.unwrap(); let res = req.send().await.unwrap(); @@ -755,6 +786,7 @@ async fn assert_reuse(req: reqwest::RequestBuilder) { assert!(headers.get("x-conn-reuse").is_some()); } +#[cfg(feature = "any_tls")] #[tokio::test] async fn test_mtls_diff_cert_no_reuse() { init(); @@ -789,6 +821,7 @@ async fn test_mtls_diff_cert_no_reuse() { assert!(headers.get("x-conn-reuse").is_none()); } +#[cfg(feature = "any_tls")] #[tokio::test] async fn test_tls_diff_verify_no_reuse() { init(); @@ -815,6 +848,7 @@ async fn test_tls_diff_verify_no_reuse() { assert!(headers.get("x-conn-reuse").is_none()); } +#[cfg(feature = "any_tls")] #[tokio::test] async fn test_tls_diff_verify_host_no_reuse() { init(); 
@@ -843,6 +877,7 @@ async fn test_tls_diff_verify_host_no_reuse() { assert!(headers.get("x-conn-reuse").is_none()); } +#[cfg(feature = "any_tls")] #[tokio::test] async fn test_tls_diff_alt_cnt_no_reuse() { init(); diff --git a/pingora-proxy/tests/utils/cert.rs b/pingora-proxy/tests/utils/cert.rs index 674a3ac..fb6f54c 100644 --- a/pingora-proxy/tests/utils/cert.rs +++ b/pingora-proxy/tests/utils/cert.rs 
@@ -13,35 +13,64 @@
 // limitations under the License.
 
 use once_cell::sync::Lazy;
-use pingora_core::tls::pkey::{PKey, Private};
-use pingora_core::tls::x509::X509;
+#[cfg(feature = "rustls")]
+use pingora_core::tls::{load_pem_file_ca, load_pem_file_private_key};
+#[cfg(feature = "openssl_derived")]
+use pingora_core::tls::{
+    pkey::{PKey, Private},
+    x509::X509,
+};
 use std::fs;
 
-pub static ROOT_CERT: Lazy<X509> = Lazy::new(|| load_cert("keys/root.crt"));
-pub static ROOT_KEY: Lazy<PKey<Private>> = Lazy::new(|| load_key("keys/root.key"));
-pub static INTERMEDIATE_CERT: Lazy<X509> = Lazy::new(|| load_cert("keys/intermediate.crt"));
-pub static INTERMEDIATE_KEY: Lazy<PKey<Private>> = Lazy::new(|| load_key("keys/intermediate.key"));
-pub static LEAF_CERT: Lazy<X509> = Lazy::new(|| load_cert("keys/leaf.crt"));
-pub static LEAF2_CERT: Lazy<X509> = Lazy::new(|| load_cert("keys/leaf2.crt"));
-pub static LEAF_KEY: Lazy<PKey<Private>> = Lazy::new(|| load_key("keys/leaf.key"));
-pub static LEAF2_KEY: Lazy<PKey<Private>> = Lazy::new(|| load_key("keys/leaf2.key"));
-pub static SERVER_CERT: Lazy<X509> = Lazy::new(|| load_cert("keys/server.crt"));
-pub static SERVER_KEY: Lazy<PKey<Private>> = Lazy::new(|| load_key("keys/key.pem"));
-pub static CURVE_521_TEST_KEY: Lazy<PKey<Private>> =
+#[cfg(feature = "openssl_derived")]
+mod key_types {
+    use super::*;
+    pub type PrivateKeyType = PKey<Private>;
+    pub type CertType = X509;
+}
+
+#[cfg(feature = "rustls")]
+mod key_types {
+    use super::*;
+    pub type PrivateKeyType = Vec<u8>;
+    pub type CertType = Vec<u8>;
+}
+
+use key_types::*;
+
+pub static INTERMEDIATE_CERT: Lazy<CertType> = Lazy::new(|| load_cert("keys/intermediate.crt"));
+pub static LEAF_CERT: Lazy<CertType> = Lazy::new(|| load_cert("keys/leaf.crt"));
+pub static LEAF2_CERT: Lazy<CertType> = Lazy::new(|| load_cert("keys/leaf2.crt"));
+pub static LEAF_KEY: Lazy<PrivateKeyType> = Lazy::new(|| load_key("keys/leaf.key"));
+pub static LEAF2_KEY: Lazy<PrivateKeyType> = Lazy::new(|| load_key("keys/leaf2.key"));
+pub static CURVE_521_TEST_KEY: Lazy<PrivateKeyType> =
     Lazy::new(|| load_key("keys/curve_test.521.key.pem"));
-pub static CURVE_521_TEST_CERT: Lazy<X509> = Lazy::new(|| load_cert("keys/curve_test.521.crt"));
-pub static CURVE_384_TEST_KEY: Lazy<PKey<Private>> =
+pub static CURVE_521_TEST_CERT: Lazy<CertType> = Lazy::new(|| load_cert("keys/curve_test.521.crt"));
+pub static CURVE_384_TEST_KEY: Lazy<PrivateKeyType> =
     Lazy::new(|| load_key("keys/curve_test.384.key.pem"));
-pub static CURVE_384_TEST_CERT: Lazy<X509> = Lazy::new(|| load_cert("keys/curve_test.384.crt"));
+pub static CURVE_384_TEST_CERT: Lazy<CertType> = Lazy::new(|| load_cert("keys/curve_test.384.crt"));
 
+#[cfg(feature = "openssl_derived")]
 fn load_cert(path: &str) -> X509 {
     let path = format!("{}/{path}", super::conf_dir());
     let cert_bytes = fs::read(path).unwrap();
     X509::from_pem(&cert_bytes).unwrap()
 }
-
+#[cfg(feature = "openssl_derived")]
 fn load_key(path: &str) -> PKey<Private> {
     let path = format!("{}/{path}", super::conf_dir());
     let key_bytes = fs::read(path).unwrap();
     PKey::private_key_from_pem(&key_bytes).unwrap()
 }
+
+#[cfg(feature = "rustls")]
+fn load_cert(path: &str) -> Vec<u8> {
+    let path = format!("{}/{path}", super::conf_dir());
+    load_pem_file_ca(&path)
+}
+
+#[cfg(feature = "rustls")]
+fn load_key(path: &str) -> Vec<u8> {
+    let path = format!("{}/{path}", super::conf_dir());
+    load_pem_file_private_key(&path)
+}
diff --git a/pingora-proxy/tests/utils/conf/keys/README.md b/pingora-proxy/tests/utils/conf/keys/README.md
index 13965cd..44944ab 100644
--- a/pingora-proxy/tests/utils/conf/keys/README.md
+++ b/pingora-proxy/tests/utils/conf/keys/README.md
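Review bot: Under the `rustls` feature both `PrivateKeyType` and `CertType` alias `Vec<u8>`, so the compiler can no longer distinguish a private key from a certificate and passing `LEAF_KEY` where `LEAF_CERT` was meant is not a type error, whereas the openssl_derived branch keeps them apart (`PKey<Private>` vs `X509`). Newtypes would restore that check at no runtime cost, `pub struct CertType(pub Vec<u8>);` and `pub struct PrivateKeyType(pub Vec<u8>);` in the rustls `key_types` module, but the consumers live in server_utils.rs outside this hunk, so I cannot tell how invasive the change is. The two `key_types` modules also have no doc comment explaining that they exist only to give the statics one spelling across backends; a `//!` line saying so would help. Separately, the rustls `load_cert` goes through `load_pem_file_ca` for leaf certificates (leaf.crt, curve_test.*.crt); if that helper merely returns PEM bytes, a comment such as `// load_pem_file_ca only reads the PEM; it is used for leaf certs here too` would stop readers from assuming a trust-anchor-only loader is being misused, and if it does more than that the call is worth a second look.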
@@ -16,3 +16,12 @@ openssl ecparam -genkey -name secp256r1 -noout -out test_key.pem openssl req -new -key test_key.pem -out test.csr openssl x509 -req -in test.csr -CA server.crt -CAkey key.pem -CAcreateserial -CAserial test.srl -out test.crt -days 3650 -sha256 ``` + +``` +openssl version +# OpenSSL 3.1.1 +echo '[v3_req]' > openssl.cnf +openssl req -config openssl.cnf -new -x509 -key key.pem -out server_rustls.crt -days 3650 -sha256 \ + -subj '/C=US/ST=CA/L=San Francisco/O=Cloudflare, Inc/CN=openrusty.org' \ + -addext "subjectAltName=DNS:*.openrusty.org,DNS:openrusty.org,DNS:cat.com,DNS:dog.com" +```
\ No newline at end of file diff --git a/pingora-proxy/tests/utils/conf/keys/server_boringssl_openssl.crt b/pingora-proxy/tests/utils/conf/keys/server_boringssl_openssl.crt new file mode 100644 index 0000000..afb2d1e --- /dev/null +++ b/pingora-proxy/tests/utils/conf/keys/server_boringssl_openssl.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB9zCCAZ2gAwIBAgIUMI7aLvTxyRFCHhw57hGt4U6yupcwCgYIKoZIzj0EAwIw +ZDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1TYW4gRnJhbmNp +c2NvMRgwFgYDVQQKDA9DbG91ZGZsYXJlLCBJbmMxFjAUBgNVBAMMDW9wZW5ydXN0 +eS5vcmcwHhcNMjIwNDExMjExMzEzWhcNMzIwNDA4MjExMzEzWjBkMQswCQYDVQQG +EwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xGDAWBgNV +BAoMD0Nsb3VkZmxhcmUsIEluYzEWMBQGA1UEAwwNb3BlbnJ1c3R5Lm9yZzBZMBMG +ByqGSM49AgEGCCqGSM49AwEHA0IABNn/9RZtR48knaJD6tk9BdccaJfZ0hGEPn6B +SDXmlmJPhcTBqa4iUwW/ABpGvO3FpJcNWasrX2k+qZLq3g205MKjLTArMCkGA1Ud +EQQiMCCCDyoub3BlbnJ1c3R5Lm9yZ4INb3BlbnJ1c3R5Lm9yZzAKBggqhkjOPQQD +AgNIADBFAiAjISZ9aEKmobKGlT76idO740J6jPaX/hOrm41MLeg69AIhAJqKrSyz +wD/AAF5fR6tXmBqlnpQOmtxfdy13wDr4MT3h +-----END CERTIFICATE----- diff --git a/pingora-proxy/tests/utils/conf/keys/server.csr b/pingora-proxy/tests/utils/conf/keys/server_boringssl_openssl.csr index ca75dce..ca75dce 100644 --- a/pingora-proxy/tests/utils/conf/keys/server.csr +++ b/pingora-proxy/tests/utils/conf/keys/server_boringssl_openssl.csr diff --git a/pingora-proxy/tests/utils/conf/keys/server_rustls.crt b/pingora-proxy/tests/utils/conf/keys/server_rustls.crt new file mode 100644 index 0000000..28cdadf --- /dev/null +++ b/pingora-proxy/tests/utils/conf/keys/server_rustls.crt 
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICJzCCAc6gAwIBAgIUU+G0acG/uiMu1ZDSjlcoY4gH53QwCgYIKoZIzj0EAwIw +ZDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1TYW4gRnJhbmNp +c2NvMRgwFgYDVQQKDA9DbG91ZGZsYXJlLCBJbmMxFjAUBgNVBAMMDW9wZW5ydXN0 +eS5vcmcwHhcNMjQwNzI0MTMzOTQ4WhcNMzQwNzIyMTMzOTQ4WjBkMQswCQYDVQQG +EwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xGDAWBgNV +BAoMD0Nsb3VkZmxhcmUsIEluYzEWMBQGA1UEAwwNb3BlbnJ1c3R5Lm9yZzBZMBMG +ByqGSM49AgEGCCqGSM49AwEHA0IABNn/9RZtR48knaJD6tk9BdccaJfZ0hGEPn6B +SDXmlmJPhcTBqa4iUwW/ABpGvO3FpJcNWasrX2k+qZLq3g205MKjXjBcMDsGA1Ud +EQQ0MDKCDyoub3BlbnJ1c3R5Lm9yZ4INb3BlbnJ1c3R5Lm9yZ4IHY2F0LmNvbYIH +ZG9nLmNvbTAdBgNVHQ4EFgQUnfYAFWyQnSN57IGokj7jcz8ChJQwCgYIKoZIzj0E +AwIDRwAwRAIgQr+Ly2cH04CncbnbhUf4hBl5frTp1pXgGnn8dYjd+UcCICuunEtp +H/a42/sVGBFvjS6FOFe6ZDs4oWBNEqQSw0S2 +-----END CERTIFICATE-----
\ No newline at end of file diff --git a/pingora-proxy/tests/utils/conf/origin/conf/nginx.conf b/pingora-proxy/tests/utils/conf/origin/conf/nginx.conf index 6d5abd7..2718f88 100644 --- a/pingora-proxy/tests/utils/conf/origin/conf/nginx.conf +++ b/pingora-proxy/tests/utils/conf/origin/conf/nginx.conf @@ -6,7 +6,7 @@ error_log /dev/stdout; #error_log logs/error.log notice; #error_log logs/error.log info; -pid /tmp/mock_origin.pid; +pid /tmp/pingora_mock_origin.pid; master_process off; daemon off; @@ -85,7 +85,7 @@ http { listen 8001; listen [::]:8000; #listen 8443 ssl; - listen unix:/tmp/nginx-test.sock; + listen unix:/tmp/pingora_nginx_test.sock; listen 8443 ssl http2; server_name localhost; @@ -97,6 +97,9 @@ http { # for benchmark http2_max_requests 999999; + # increase max body size for /upload/ test + client_max_body_size 128m; + #charset koi8-r; #access_log logs/host.access.log main; diff --git a/pingora-proxy/tests/utils/mock_origin.rs b/pingora-proxy/tests/utils/mock_origin.rs index db84f8d..ec59e51 100644 --- a/pingora-proxy/tests/utils/mock_origin.rs +++ b/pingora-proxy/tests/utils/mock_origin.rs 
@@ -13,15 +13,38 @@ // limitations under the License. use once_cell::sync::Lazy; +use std::path::Path; use std::process; use std::{thread, time}; pub static MOCK_ORIGIN: Lazy<bool> = Lazy::new(init); fn init() -> bool { + #[cfg(feature = "rustls")] + let src_cert_path = format!( + "{}/tests/utils/conf/keys/server_rustls.crt", + env!("CARGO_MANIFEST_DIR") + ); + #[cfg(feature = "openssl_derived")] + let src_cert_path = format!( + "{}/tests/utils/conf/keys/server_boringssl_openssl.crt", + env!("CARGO_MANIFEST_DIR") + ); + + #[cfg(feature = "any_tls")] + { + let mut dst_cert_path = format!("{}/tests/keys/server.crt", env!("CARGO_MANIFEST_DIR")); + std::fs::copy(Path::new(&src_cert_path), Path::new(&dst_cert_path)); + dst_cert_path = format!( + "{}/tests/utils/conf/keys/server.crt", + env!("CARGO_MANIFEST_DIR") + ); + std::fs::copy(Path::new(&src_cert_path), Path::new(&dst_cert_path)); + } + // TODO: figure out a way to kill openresty when exiting process::Command::new("pkill") - .args(["-F", "/tmp/mock_origin.pid"]) + .args(["-F", "/tmp/pingora_mock_origin.pid"]) .spawn() .unwrap(); let _origin = thread::spawn(|| { diff --git a/pingora-proxy/tests/utils/mod.rs b/pingora-proxy/tests/utils/mod.rs index 6a5a1c9..df769e5 100644 --- a/pingora-proxy/tests/utils/mod.rs +++ b/pingora-proxy/tests/utils/mod.rs @@ -14,7 +14,9 @@ #![allow(unused)] +#[cfg(feature = "any_tls")] pub mod cert; + pub mod mock_origin; pub mod server_utils; pub mod websocket; diff --git a/pingora-proxy/tests/utils/server_utils.rs b/pingora-proxy/tests/utils/server_utils.rs index 885fcb1..62b5882 100644 --- a/pingora-proxy/tests/utils/server_utils.rs +++ b/pingora-proxy/tests/utils/server_utils.rs @@ -12,6 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. +#[cfg(feature = "any_tls")] use super::cert; use async_trait::async_trait; use clap::Parser; 
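Review bot: Both `std::fs::copy` results in the new `#[cfg(feature = "any_tls")]` block are discarded, and the `#![allow(unused)]` in tests/utils/mod.rs presumably silences the must_use warning, so if the selected source certificate is missing or unreadable the origin starts with whatever stale `tests/keys/server.crt` is already on disk and the TLS tests run against the wrong certificate without any indication. Test setup should panic on that failure; while there, `Path::new(&..)` is redundant because `fs::copy` takes `AsRef<Path>` (the new `use std::path::Path` can then go), and the reassignment of `dst_cert_path` is clearer as a loop over the two destinations. Separately, the pid file this hunk passes to `pkill -F` and the socket renamed in nginx.conf sit at fixed names under the shared `/tmp` (`/tmp/pingora_mock_origin.pid`, `/tmp/pingora_nginx_test.sock`); for a local test harness that is acceptable, but a comment noting that the names are shared with nginx.conf and must stay in sync would help, since a mismatch leaves the old origin running. `init` continues past the hunk.
```rust
    #[cfg(feature = "any_tls")]
    {
        let manifest_dir = env!("CARGO_MANIFEST_DIR");
        for dst_cert_path in [
            format!("{manifest_dir}/tests/keys/server.crt"),
            format!("{manifest_dir}/tests/utils/conf/keys/server.crt"),
        ] {
            // Fail loudly: a stale server.crt would let the TLS tests run against the wrong cert.
            std::fs::copy(&src_cert_path, &dst_cert_path).unwrap_or_else(|e| {
                panic!("failed to copy {src_cert_path} to {dst_cert_path}: {e}")
            });
        }
    }
    // … unchanged: pkill of the previous origin and the thread that launches it …
```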
@@ -32,7 +33,7 @@ use pingora_core::protocols::{l4::socket::SocketAddr, Digest}; use pingora_core::server::configuration::Opt; use pingora_core::services::Service; use pingora_core::upstreams::peer::HttpPeer; -use pingora_core::utils::CertKey; +use pingora_core::utils::tls::CertKey; use pingora_error::{Error, ErrorSource, Result}; use pingora_http::{RequestHeader, ResponseHeader}; use pingora_proxy::{ProxyHttp, Session}; @@ -106,6 +107,7 @@ fn response_filter_common( } #[async_trait] +#[cfg(feature = "any_tls")] impl ProxyHttp for ExampleProxyHttps { type CTX = CTX; fn new_ctx(&self) -> Self::CTX { @@ -283,7 +285,7 @@ impl ProxyHttp for ExampleProxyHttp { #[cfg(unix)] if req.headers.contains_key("x-uds-peer") { return Ok(Box::new(HttpPeer::new_uds( - "/tmp/nginx-test.sock", + "/tmp/pingora_nginx_test.sock", false, "".to_string(), )?)); 
@@ -558,27 +560,36 @@ fn test_main() {
     http_logic.server_options = Some(http_server_options);
     proxy_service_h2c.add_tcp("0.0.0.0:6146");
 
-    let mut proxy_service_https =
-        pingora_proxy::http_proxy_service(&my_server.configuration, ExampleProxyHttps {});
-    proxy_service_https.add_tcp("0.0.0.0:6149");
-    let cert_path = format!("{}/tests/keys/server.crt", env!("CARGO_MANIFEST_DIR"));
-    let key_path = format!("{}/tests/keys/key.pem", env!("CARGO_MANIFEST_DIR"));
-    let mut tls_settings =
-        pingora_core::listeners::TlsSettings::intermediate(&cert_path, &key_path).unwrap();
-    tls_settings.enable_h2();
-    proxy_service_https.add_tls_with_settings("0.0.0.0:6150", None, tls_settings);
+    let mut proxy_service_https_opt: Option<Box<dyn Service>> = None;
+
+    #[cfg(feature = "any_tls")]
+    {
+        let mut proxy_service_https =
+            pingora_proxy::http_proxy_service(&my_server.configuration, ExampleProxyHttps {});
+        proxy_service_https.add_tcp("0.0.0.0:6149");
+        let cert_path = format!("{}/tests/keys/server.crt", env!("CARGO_MANIFEST_DIR"));
+        let key_path = format!("{}/tests/keys/key.pem", env!("CARGO_MANIFEST_DIR"));
+        let mut tls_settings =
+            pingora_core::listeners::tls::TlsSettings::intermediate(&cert_path, &key_path).unwrap();
+        tls_settings.enable_h2();
+        proxy_service_https.add_tls_with_settings("0.0.0.0:6150", None, tls_settings);
+        proxy_service_https_opt = Some(Box::new(proxy_service_https))
+    }
 
     let mut proxy_service_cache =
         pingora_proxy::http_proxy_service(&my_server.configuration, ExampleProxyCache {});
     proxy_service_cache.add_tcp("0.0.0.0:6148");
 
-    let services: Vec<Box<dyn Service>> = vec![
+    let mut services: Vec<Box<dyn Service>> = vec![
         Box::new(proxy_service_h2c),
         Box::new(proxy_service_http),
-        Box::new(proxy_service_https),
         Box::new(proxy_service_cache),
     ];
 
+    if let Some(proxy_service_https) = proxy_service_https_opt {
+        services.push(proxy_service_https)
+    }
+
     set_compression_dict_path("tests/headers.dict");
     my_server.add_services(services);
     my_server.run_forever();
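Review bot: `proxy_service_https_opt` exists only to carry the HTTPS service out of the `#[cfg(feature = "any_tls")]` block into `services`; building `services` first and pushing inside the cfg block removes the `Option`, the `mut` binding that is never written when the feature is off, and the trailing `if let`. The current shape also moves the HTTPS service from third to last in the vector compared with the old `vec![]`; if `add_services` order matters anywhere, pushing before `proxy_service_cache` as below keeps the original position. `test_main` continues outside the hunk.
```rust
    let mut services: Vec<Box<dyn Service>> = vec![
        Box::new(proxy_service_h2c),
        Box::new(proxy_service_http),
    ];

    #[cfg(feature = "any_tls")]
    {
        let mut proxy_service_https =
            pingora_proxy::http_proxy_service(&my_server.configuration, ExampleProxyHttps {});
        // … unchanged: add_tcp 6149, cert/key paths, TlsSettings::intermediate, enable_h2, add_tls_with_settings …
        services.push(Box::new(proxy_service_https));
    }

    let mut proxy_service_cache =
        pingora_proxy::http_proxy_service(&my_server.configuration, ExampleProxyCache {});
    proxy_service_cache.add_tcp("0.0.0.0:6148");
    services.push(Box::new(proxy_service_cache));

    // … unchanged: set_compression_dict_path, add_services, run_forever …
```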