
tests: Verify site-specific DH params feature works correctly

This addition requires usage of `DEFAULT_HOST` on the containers under test to ensure they don't accidentally use `web2` as their default fallback (due to no SNI / `-servername` requested in openssl queries); otherwise they would be testing against the incorrect DH params response.

They could alternatively request an FQDN explicitly as well, instead of relying on implicit fallback/default server selection behaviour.

---

`web2.nginx-proxy.tld.dhparam.pem` is a copy of `ffdhe2048.pem`.
polarathene 3 anos atrás
pai
commit
9dc9d90d34

+ 8 - 0
test/test_ssl/certs/web2.nginx-proxy.tld.dhparam.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

+ 24 - 0
test/test_ssl/test_dhparam.py

@@ -200,6 +200,30 @@ def test_custom_dhparam_is_supported(docker_compose):
     can_negotiate_dhe_ciphersuite(sut_container, 3072)
 
 
+# Only `web2` has a site-specific DH param file (which overrides all other DH config)
+# Other tests here use `web5` explicitly, or implicitly (via ENV `DEFAULT_HOST`, otherwise first HTTPS server)
+def test_custom_dhparam_is_supported_per_site(docker_compose):
+    container_name="dh-file"
+    sut_container = docker_client.containers.get(container_name)
+    assert sut_container.status == "running"
+
+    # A site specific `dhparam.pem` with DH group size of 2048-bit.
+    # DH group size should not match the:
+    # - 4096-bit default.
+    # - 3072-bit default, overriden by file.
+    should_be_equivalent_content(
+        sut_container,
+        "/app/dhparam/ffdhe2048.pem",
+        "/etc/nginx/certs/web2.nginx-proxy.tld.dhparam.pem"
+    )
+
+    # `-servername` required for nginx-proxy to respond with site-specific DH params used:
+    can_negotiate_dhe_ciphersuite(sut_container, 2048, '-servername web2.nginx-proxy.tld')
+
+
+# NOTE: These two tests will fail without the ENV `DEFAULT_HOST` to prevent
+# accidentally falling back to `web2` as the default server, which has explicit DH params configured.
+# Only copying DH params is skipped, not explicit usage via user providing custom files.
 def test_can_skip_dhparam(docker_compose):
     container_name="dh-skip"
     sut_container = docker_client.containers.get(container_name)
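Review bot: `can_negotiate_dhe_ciphersuite(sut_container, 2048, '-servername web2.nginx-proxy.tld')` passes the SNI option and its value as one space-separated string, and whether that reaches openssl as two tokens depends on how the helper (defined outside this hunk) builds its command — if it appends the argument to an argv list, openssl would receive a single `-servername web2.nginx-proxy.tld` token and the SNI would not be sent. Worth confirming against the helper, or passing `['-servername', 'web2.nginx-proxy.tld']` if it accepts a list. Two smaller points: `container_name="dh-file"` should be `container_name = "dh-file"` per PEP 8, and the comment reads `overriden` where `overridden` is meant. `test_can_skip_dhparam` continues past the end of the hunk.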

+ 20 - 0
test/test_ssl/test_dhparam.yml

@@ -6,12 +6,27 @@ web5:
     WEB_PORTS: "85"
     VIRTUAL_HOST: "web5.nginx-proxy.tld"
 
+# Intended for testing with `dh-file` container.
+# VIRTUAL_HOST is paired with site-specific DH param file.
+# DEFAULT_HOST is required to avoid defaulting to web2,
+# if not specifying FQDN (`-servername`) in openssl queries.
+web2:
+  image: web
+  expose:
+    - "85"
+  environment:
+    WEB_PORTS: "85"
+    VIRTUAL_HOST: "web2.nginx-proxy.tld"
+
+
 # sut - System Under Test
 # `docker.sock` required for functionality
 # `certs` required to enable HTTPS via template
 with_default_group:
   container_name: dh-default
   image: &img-nginxproxy nginxproxy/nginx-proxy:test
+  environment: &env-common
+    - &default-host DEFAULT_HOST=web5.nginx-proxy.tld
   volumes: &vols-common
     - &docker-sock /var/run/docker.sock:/tmp/docker.sock:ro
     - &nginx-certs ./certs:/etc/nginx/certs:ro
@@ -20,6 +35,7 @@ with_alternative_group:
   container_name: dh-env
   environment:
     - DHPARAM_BITS=3072
+    - *default-host
   image: *img-nginxproxy
   volumes: *vols-common
 
@@ -27,12 +43,14 @@ with_invalid_group:
   container_name: invalid-group-1024
   environment:
     - DHPARAM_BITS=1024
+    - *default-host
   image: *img-nginxproxy
   volumes: *vols-common
 
 with_custom_file:
   container_name: dh-file
   image: *img-nginxproxy
+  environment: *env-common
   volumes:
     - *docker-sock
     - *nginx-certs
@@ -42,6 +60,7 @@ with_skip:
   container_name: dh-skip
   environment:
     - DHPARAM_SKIP=true
+    - *default-host
   image: *img-nginxproxy
   volumes: *vols-common
 
@@ -49,5 +68,6 @@ with_skip_backward:
   container_name: dh-skip-backward
   environment:
     - DHPARAM_GENERATION=false
+    - *default-host
   image: *img-nginxproxy
   volumes: *vols-common
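Review bot: `environment: *env-common` on `with_custom_file` aliases the whole one-item list, so that service cannot gain another variable without replacing the alias, whereas the other five services list `- *default-host` inside their own `environment` list. Writing `dh-file` the same way, `environment:` followed by `    - *default-host`, keeps a single mechanism and makes the `&env-common` anchor unnecessary. The comment on `web2` could also say why every sut service needs `DEFAULT_HOST`: presumably all sut containers see `web2` through the shared `*docker-sock` mount, so any of them could pick it as the default server — confirm that is the reason.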