trafficserver-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From shinr...@apache.org
Subject [trafficserver] branch master updated: Add forward_route action
Date Tue, 04 Dec 2018 22:04:14 GMT
This is an automated email from the ASF dual-hosted git repository.

shinrich pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 07fb913  Add forward_route action
07fb913 is described below

commit 07fb9130cdd458965a8631ff7cd2f1376d6ac689
Author: Susan Hinrichs <shinrich@oath.com>
AuthorDate: Thu Nov 29 21:40:12 2018 +0000

    Add forward_route action
---
 doc/admin-guide/files/ssl_server_name.yaml.en.rst |  10 ++
 iocore/net/P_SNIActionPerformer.h                 |  11 +-
 iocore/net/P_SSLNetVConnection.h                  |  12 +-
 iocore/net/SSLSNIConfig.cc                        |   2 +-
 iocore/net/SSLUtils.cc                            |   2 +-
 iocore/net/YamlSNIConfig.cc                       |   6 +
 iocore/net/YamlSNIConfig.h                        |   3 +
 proxy/http/HttpSM.cc                              |  15 ++-
 tests/gold_tests/tls/test-nc-s_client.sh          |  19 ++++
 tests/gold_tests/tls/tls_forward_nonhttp.test.py  |  77 +++++++++++++
 tests/gold_tests/tls/tls_tunnel_forward.test.py   | 132 ++++++++++++++++++++++
 11 files changed, 276 insertions(+), 13 deletions(-)

diff --git a/doc/admin-guide/files/ssl_server_name.yaml.en.rst b/doc/admin-guide/files/ssl_server_name.yaml.en.rst
index 32ab6af..66fdd55 100644
--- a/doc/admin-guide/files/ssl_server_name.yaml.en.rst
+++ b/doc/admin-guide/files/ssl_server_name.yaml.en.rst
@@ -91,6 +91,16 @@ disable_h2                :code:`true` or :code:`false`.
                           for proxy ports on which HTTP/2 is not enabled.
 
 tunnel_route              Destination as an FQDN and port, separated by a colon ``:``.
+
+
+                          This will forward all traffic to the specified destination without
first terminating 
+                          the incoming TLS connection.
+
+forward_route             Destination as an FQDN and port, separated by a colon ``:``.
+
+                          This is similar to tunnel_route, but it terminates the TLS connection
and forwards the
+                          decrypted traffic. |TS| will not interpret the decrypted data,
so the contents do not 
+                          need to be HTTP.
 ========================= ==============================================================================
 
 Client verification, via ``verify_client``, correponds to setting
diff --git a/iocore/net/P_SNIActionPerformer.h b/iocore/net/P_SNIActionPerformer.h
index 8622ff2..d515fdc 100644
--- a/iocore/net/P_SNIActionPerformer.h
+++ b/iocore/net/P_SNIActionPerformer.h
@@ -38,15 +38,17 @@
 #include <unordered_map>
 
 extern std::unordered_map<int, SSLNextProtocolSet *> snpsMap;
-// enum of all the actions
+
+/*// enum of all the actions
 enum AllActions {
   TS_DISABLE_H2 = 0,
   TS_VERIFY_CLIENT, // this applies to server side vc only
   TS_TUNNEL_ROUTE,  // blind tunnel action
 };
+*/
 
 /** action for setting next hop properties should be listed in the following enum*/
-enum PropertyActions { TS_VERIFY_SERVER = 200, TS_CLIENT_CERT };
+/* enum PropertyActions { TS_VERIFY_SERVER = 200, TS_CLIENT_CERT }; */
 
 class ActionItem
 {
@@ -78,7 +80,7 @@ public:
 class TunnelDestination : public ActionItem
 {
 public:
-  TunnelDestination(const std::string_view &dest) : destination(dest) {}
+  TunnelDestination(const std::string_view &dest, bool decrypt) : destination(dest),
tunnel_decrypt(decrypt) {}
   ~TunnelDestination() {}
 
   int
@@ -87,11 +89,12 @@ public:
     // Set the netvc option?
     SSLNetVConnection *ssl_netvc = dynamic_cast<SSLNetVConnection *>(cont);
     if (ssl_netvc) {
-      ssl_netvc->set_tunnel_destination(destination);
+      ssl_netvc->set_tunnel_destination(destination, tunnel_decrypt);
     }
     return SSL_TLSEXT_ERR_OK;
   }
   std::string destination;
+  bool tunnel_decrypt = false;
 };
 
 class VerifyClient : public ActionItem
diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
index f2eadb3..19976be 100644
--- a/iocore/net/P_SSLNetVConnection.h
+++ b/iocore/net/P_SSLNetVConnection.h
@@ -317,8 +317,16 @@ public:
     return tunnel_port;
   }
 
+  /* Returns true if this vc was configured for forward_route
+   */
+  bool
+  decrypt_tunnel()
+  {
+    return has_tunnel_destination() && tunnel_decrypt;
+  }
+
   void
-  set_tunnel_destination(const std::string_view &destination)
+  set_tunnel_destination(const std::string_view &destination, bool decrypt)
   {
     auto pos = destination.find(":");
     if (nullptr != tunnel_host) {
@@ -331,6 +339,7 @@ public:
       tunnel_port = 0;
       tunnel_host = ats_strndup(destination.data(), destination.length());
     }
+    tunnel_decrypt = decrypt;
   }
 
   int populate_protocol(std::string_view *results, int n) const override;
@@ -400,6 +409,7 @@ private:
   int64_t redoWriteSize            = 0;
   char *tunnel_host                = nullptr;
   in_port_t tunnel_port            = 0;
+  bool tunnel_decrypt              = false;
 };
 
 typedef int (SSLNetVConnection::*SSLNetVConnHandler)(int, void *);
diff --git a/iocore/net/SSLSNIConfig.cc b/iocore/net/SSLSNIConfig.cc
index 21986b7..524d2ab 100644
--- a/iocore/net/SSLSNIConfig.cc
+++ b/iocore/net/SSLSNIConfig.cc
@@ -73,7 +73,7 @@ SNIConfigParams::loadSNIConfig()
       ai->actions.push_back(std::make_unique<VerifyClient>(item.verify_client_level));
     }
     if (item.tunnel_destination.length() > 0) {
-      ai->actions.push_back(std::make_unique<TunnelDestination>(item.tunnel_destination));
+      ai->actions.push_back(std::make_unique<TunnelDestination>(item.tunnel_destination,
item.tunnel_decrypt));
     }
 
     ai->actions.push_back(std::make_unique<SNI_IpAllow>(item.ip_allow, item.fqdn));
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 9965528..5e53b0b 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -475,7 +475,7 @@ ssl_servername_only_callback(SSL *ssl, int * /* ad */, void * /*arg*/)
   if (ret != SSL_TLSEXT_ERR_OK) {
     return SSL_TLSEXT_ERR_ALERT_FATAL;
   }
-  if (netvc->has_tunnel_destination()) {
+  if (netvc->has_tunnel_destination() && !netvc->decrypt_tunnel()) {
     netvc->attributes = HttpProxyPort::TRANSPORT_BLIND_TUNNEL;
   }
 
diff --git a/iocore/net/YamlSNIConfig.cc b/iocore/net/YamlSNIConfig.cc
index 276b271..8a542cd 100644
--- a/iocore/net/YamlSNIConfig.cc
+++ b/iocore/net/YamlSNIConfig.cc
@@ -63,6 +63,7 @@ std::set<std::string> valid_sni_config_keys = {TS_fqdn,
                                                TS_disable_h2,
                                                TS_verify_client,
                                                TS_tunnel_route,
+                                               TS_forward_route,
                                                TS_verify_origin_server,
                                                TS_verify_server_policy,
                                                TS_verify_server_properties,
@@ -104,7 +105,12 @@ template <> struct convert<YamlSNIConfig::Item> {
 
     if (node[TS_tunnel_route]) {
       item.tunnel_destination = node[TS_tunnel_route].as<std::string>();
+      item.tunnel_decrypt     = false;
+    } else if (node[TS_forward_route]) {
+      item.tunnel_destination = node[TS_forward_route].as<std::string>();
+      item.tunnel_decrypt     = true;
     }
+
     // remove before 9.0.0 release
     // backwards compatibiity
     if (node[TS_verify_origin_server]) {
diff --git a/iocore/net/YamlSNIConfig.h b/iocore/net/YamlSNIConfig.h
index e36fe91..8926c29 100644
--- a/iocore/net/YamlSNIConfig.h
+++ b/iocore/net/YamlSNIConfig.h
@@ -31,6 +31,7 @@ TSDECL(fqdn);
 TSDECL(disable_h2);
 TSDECL(verify_client);
 TSDECL(tunnel_route);
+TSDECL(forward_route);
 TSDECL(verify_server_policy);
 TSDECL(verify_server_properties);
 TSDECL(verify_origin_server);
@@ -45,6 +46,7 @@ struct YamlSNIConfig {
     disable_h2 = start,
     verify_client,
     tunnel_route,             // blind tunnel action
+    forward_route,            // decrypt data and then blind tunnel action
     verify_server_policy,     // this applies to server side vc only
     verify_server_properties, // this applies to server side vc only
     client_cert
@@ -60,6 +62,7 @@ struct YamlSNIConfig {
     bool disable_h2             = false;
     uint8_t verify_client_level = 255;
     std::string tunnel_destination;
+    bool tunnel_decrypt               = false;
     Policy verify_server_policy       = Policy::DISABLED;
     Property verify_server_properties = Property::NONE;
     std::string client_cert;
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 3d91e55..48ccfc6 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -517,7 +517,7 @@ HttpSM::attach_client_session(ProxyClientTransaction *client_vc, IOBufferReader
   http_parser_init(&http_parser);
 
   // Prepare raw reader which will live until we are sure this is HTTP indeed
-  if (is_transparent_passthrough_allowed()) {
+  if (is_transparent_passthrough_allowed() || (ssl_vc && ssl_vc->decrypt_tunnel()))
{
     ua_raw_buffer_reader = buffer_reader->clone();
   }
 
@@ -664,7 +664,7 @@ HttpSM::state_read_client_request_header(int event, void *data)
   // We need to handle EOS as well as READ_READY because the client
   // may have sent all of the data already followed by a fIN and that
   // should be OK.
-  if (is_transparent_passthrough_allowed() && ua_raw_buffer_reader != nullptr) {
+  if (ua_raw_buffer_reader != nullptr) {
     bool do_blind_tunnel = false;
     // If we had a parse error and we're done reading data
     // blind tunnel
@@ -686,7 +686,7 @@ HttpSM::state_read_client_request_header(int event, void *data)
       // Turn off read eventing until we get the
       // blind tunnel infrastructure set up
       if (netvc) {
-        netvc->do_io_read(this, 0, nullptr);
+        netvc->do_io_read(nullptr, 0, nullptr);
       }
 
       /* establish blind tunnel */
@@ -1578,14 +1578,17 @@ void
 HttpSM::handle_api_return()
 {
   switch (t_state.api_next_action) {
-  case HttpTransact::SM_ACTION_API_SM_START:
-    if (t_state.client_info.port_attribute == HttpProxyPort::TRANSPORT_BLIND_TUNNEL) {
+  case HttpTransact::SM_ACTION_API_SM_START: {
+    NetVConnection *netvc     = ua_txn->get_netvc();
+    SSLNetVConnection *ssl_vc = dynamic_cast<SSLNetVConnection *>(netvc);
+    bool forward_dest         = ssl_vc != nullptr && ssl_vc->decrypt_tunnel();
+    if (t_state.client_info.port_attribute == HttpProxyPort::TRANSPORT_BLIND_TUNNEL || forward_dest)
{
       setup_blind_tunnel_port();
     } else {
       setup_client_read_request_header();
     }
     return;
-
+  }
   case HttpTransact::SM_ACTION_API_CACHE_LOOKUP_COMPLETE:
   case HttpTransact::SM_ACTION_API_READ_CACHE_HDR:
     if (t_state.api_cleanup_cache_read && t_state.api_update_cached_object != HttpTransact::UPDATE_CACHED_OBJECT_PREPARE)
{
diff --git a/tests/gold_tests/tls/test-nc-s_client.sh b/tests/gold_tests/tls/test-nc-s_client.sh
new file mode 100644
index 0000000..a11a80c
--- /dev/null
+++ b/tests/gold_tests/tls/test-nc-s_client.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+nc -l -p $1  -c 'echo -e "This is a reply"'  -o test.out &
+echo "This is a test" | openssl s_client -servername bar.com -connect localhost:$2 -ign_eof

diff --git a/tests/gold_tests/tls/tls_forward_nonhttp.test.py b/tests/gold_tests/tls/tls_forward_nonhttp.test.py
new file mode 100644
index 0000000..2fb8b90
--- /dev/null
+++ b/tests/gold_tests/tls/tls_forward_nonhttp.test.py
@@ -0,0 +1,77 @@
+'''
+'''
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+import os
+Test.Summary = '''
+Forwarding a non-HTTP protocol out of TLS
+'''
+
+# need Curl
+Test.SkipUnless(
+    Condition.HasProgram("curl", "Curl need to be installed on system for this test to work")
+)
+
+# Define default ATS
+ts = Test.MakeATSProcess("ts", select_ports=False)
+
+# add ssl materials like key, certificates for the server
+ts.addSSLfile("ssl/server.pem")
+ts.addSSLfile("ssl/server.key")
+
+ts.Variables.ssl_port = 4443
+
+# Need no remap rules.  Everything should be proccessed by ssl_server_name
+
+# Make sure the TS server certs are different from the origin certs
+ts.Disk.ssl_multicert_config.AddLine(
+    'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+# Case 1, global config policy=permissive properties=signature
+#         override for foo.com policy=enforced properties=all
+ts.Disk.records_config.update({
+    'proxy.config.diags.debug.enabled': 1,
+    'proxy.config.diags.debug.tags': 'http|ssl',
+    'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
+    # enable ssl port
+    'proxy.config.http.server_ports': '{0} {1}:proto=http2;http:ssl'.format(ts.Variables.port,
ts.Variables.ssl_port),
+    'proxy.config.http.connect_ports': '{0} 4444'.format(ts.Variables.ssl_port),
+    'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
+    'proxy.config.url_remap.pristine_host_hdr': 1
+})
+
+# foo.com should not terminate.  Just tunnel to server_foo
+# bar.com should terminate.  Forward its tcp stream to server_bar
+ts.Disk.ssl_server_name_yaml.AddLines([
+  "- fqdn: bar.com",
+  "  forward_route: localhost:4444"
+  ])
+
+tr = Test.AddTestRun("forward-non-http")
+tr.Setup.Copy("test-nc-s_client.sh")
+tr.Processes.Default.Command = "sh test-nc-s_client.sh 4444 4443"
+tr.ReturnCode = 0
+tr.Processes.Default.StartBefore(Test.Processes.ts, ready=When.PortOpen(ts.Variables.ssl_port))
+tr.StillRunningAfter = ts
+tr.Processes.Default.TimeOut = 5
+tr.TimeOut = 5
+testout_path = os.path.join(Test.RunDirectory, "test.out")
+tr.Disk.File(testout_path, id = "testout")
+tr.Processes.Default.Streams.All += Testers.IncludesExpression("This is a reply", "s_client
should get response")
+
diff --git a/tests/gold_tests/tls/tls_tunnel_forward.test.py b/tests/gold_tests/tls/tls_tunnel_forward.test.py
new file mode 100644
index 0000000..ce03151
--- /dev/null
+++ b/tests/gold_tests/tls/tls_tunnel_forward.test.py
@@ -0,0 +1,132 @@
+'''
+'''
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+import os
+Test.Summary = '''
+Test tunneling and forwarding based on SNI
+'''
+
+# need Curl
+Test.SkipUnless(
+    Condition.HasProgram("curl", "Curl need to be installed on system for this test to work")
+)
+
+# Define default ATS
+ts = Test.MakeATSProcess("ts", select_ports=False)
+server_foo = Test.MakeOriginServer("server_foo", ssl=True)
+server_bar = Test.MakeOriginServer("server_bar", ssl=False)
+server_random = Test.MakeOriginServer("server_random", ssl=False)
+
+request_foo_header = {"headers": "GET / HTTP/1.1\r\nHost: foo.com\r\n\r\n", "timestamp":
"1469733493.993", "body": ""}
+request_bar_header = {"headers": "GET / HTTP/1.1\r\nHost: bar.com\r\n\r\n", "timestamp":
"1469733493.993", "body": ""}
+request_random_header = {"headers": "GET / HTTP/1.1\r\nHost: random.com\r\n\r\n", "timestamp":
"1469733493.993", "body": ""}
+response_foo_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp":
"1469733493.993", "body": "ok foo"}
+response_bar_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp":
"1469733493.993", "body": "ok bar"}
+response_random_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp":
"1469733493.993", "body": "ok random"}
+server_foo.addResponse("sessionlog_foo.json", request_foo_header, response_foo_header)
+server_bar.addResponse("sessionlog_bar.json", request_bar_header, response_bar_header)
+server_random.addResponse("sessionlog_random.json", request_random_header, response_random_header)
+
+# add ssl materials like key, certificates for the server
+ts.addSSLfile("ssl/signed-foo.pem")
+ts.addSSLfile("ssl/signed-foo.key")
+ts.addSSLfile("ssl/signed-bar.pem")
+ts.addSSLfile("ssl/signed-bar.key")
+ts.addSSLfile("ssl/server.pem")
+ts.addSSLfile("ssl/server.key")
+ts.addSSLfile("ssl/signer.pem")
+ts.addSSLfile("ssl/signer.key")
+
+ts.Variables.ssl_port = 4443
+
+# Need no remap rules.  Everything should be proccessed by ssl_server_name
+
+# Make sure the TS server certs are different from the origin certs
+ts.Disk.ssl_multicert_config.AddLine(
+    'dest_ip=* ssl_cert_name=signed-foo.pem ssl_key_name=signed-foo.key'
+)
+
+# Case 1, global config policy=permissive properties=signature
+#         override for foo.com policy=enforced properties=all
+ts.Disk.records_config.update({
+    'proxy.config.diags.debug.enabled': 1,
+    'proxy.config.diags.debug.tags': 'http|ssl',
+    'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
+    # enable ssl port
+    'proxy.config.http.server_ports': '{0} {1}:proto=http2;http:ssl'.format(ts.Variables.port,
ts.Variables.ssl_port),
+    'proxy.config.http.connect_ports': '{0} {1} {2} {3}'.format(ts.Variables.ssl_port,server_foo.Variables.Port,server_bar.Variables.Port,server_random.Variables.Port),
+    'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
+    'proxy.config.ssl.client.CA.cert.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.ssl.client.CA.cert.filename': 'signer.pem',
+    'proxy.config.url_remap.pristine_host_hdr': 1
+})
+
+# foo.com should not terminate.  Just tunnel to server_foo
+# bar.com should terminate.  Forward its tcp stream to server_bar
+ts.Disk.ssl_server_name_yaml.AddLines([
+  "- fqdn: 'foo.com'",
+  "  tunnel_route: 'localhost:{0}'".format(server_foo.Variables.Port),
+  "- fqdn: 'bar.com'",
+  "  forward_route: 'localhost:{0}'".format(server_bar.Variables.Port),
+  "- fqdn: ''",  #default case
+  "  forward_route: 'localhost:{0}'".format(server_random.Variables.Port),
+  ])
+
+tr = Test.AddTestRun("Tunnel-test")
+tr.Processes.Default.Command = "curl -v  --resolve 'foo.com:{0}:127.0.0.1' -k  https://foo.com:{0}".format(ts.Variables.ssl_port)
+tr.ReturnCode = 0
+tr.Processes.Default.StartBefore(server_foo)
+tr.Processes.Default.StartBefore(server_bar)
+tr.Processes.Default.StartBefore(server_random)
+tr.Processes.Default.StartBefore(Test.Processes.ts, ready=When.PortOpen(ts.Variables.ssl_port))
+tr.StillRunningAfter = ts
+tr.Processes.Default.TimeOut = 5
+tr.TimeOut = 5
+tr.Processes.Default.Streams.All += Testers.ExcludesExpression("Could Not Connect", "Curl
attempt should have succeeded")
+tr.Processes.Default.Streams.All += Testers.ExcludesExpression("Not Found on Accelerato",
"Should not try to remap on Traffic Server")
+tr.Processes.Default.Streams.All += Testers.ExcludesExpression("CN=foo.com", "Should not
TLS terminate on Traffic Server")
+tr.Processes.Default.Streams.All += Testers.ContainsExpression("HTTP/1.1 200 OK", "Should
get a successful response")
+tr.Processes.Default.Streams.All += Testers.ContainsExpression("ok foo", "Body is expected")
+
+tr2 = Test.AddTestRun("Forward-test")
+tr2.Processes.Default.Command = "curl -v --http1.1  -H 'host:bar.com' --resolve 'bar.com:{0}:127.0.0.1'
-k https://bar.com:{0}".format(ts.Variables.ssl_port)
+tr2.ReturnCode = 0
+tr2.StillRunningAfter = server_bar
+tr2.Processes.Default.TimeOut = 5
+tr2.StillRunningAfter = ts
+tr2.TimeOut = 5
+tr2.Processes.Default.Streams.All += Testers.ExcludesExpression("Could Not Connect", "Curl
attempt should have succeeded")
+tr2.Processes.Default.Streams.All += Testers.ExcludesExpression("Not Found on Accelerato",
"Should not try to remap on Traffic Server")
+tr2.Processes.Default.Streams.All += Testers.ContainsExpression("CN=foo.com", "Should TLS
terminate on Traffic Server")
+tr2.Processes.Default.Streams.All += Testers.ContainsExpression("HTTP/1.1 200 OK", "Should
get a successful response")
+tr2.Processes.Default.Streams.All += Testers.ContainsExpression("ok bar", "Body is expected")
+
+tr3 = Test.AddTestRun("no-sni-forward-test")
+tr3.Processes.Default.Command = "curl --http1.1 -v -k -H 'host:random.com' https://127.0.0.1:{0}".format(ts.Variables.ssl_port)
+tr3.ReturnCode = 0
+tr3.StillRunningAfter = server_random
+tr3.Processes.Default.TimeOut = 5
+tr3.StillRunningAfter = ts
+tr3.TimeOut = 5
+tr3.Processes.Default.Streams.All += Testers.ExcludesExpression("Could Not Connect", "Curl
attempt should have succeeded")
+tr3.Processes.Default.Streams.All += Testers.ExcludesExpression("Not Found on Accelerato",
"Should not try to remap on Traffic Server")
+tr3.Processes.Default.Streams.All += Testers.ContainsExpression("CN=foo.com", "Should TLS
terminate on Traffic Server")
+tr3.Processes.Default.Streams.All += Testers.ContainsExpression("HTTP/1.1 200 OK", "Should
get a successful response")
+tr3.Processes.Default.Streams.All += Testers.ContainsExpression("ok random", "Body is expected")
+


Mime
View raw message