test: tests for HTTP/3

Co-authored-by: Nicolas Duchon <nicolas.duchon@gmail.com>
Co-authored-by: Niek <100143256+SchoNie@users.noreply.github.com>

test/test_http2/test_http2_global_disabled.py

@@ -0,0 +1,8 @@
+import pytest
+import re
+
+def test_http2_global_disabled_config(docker_compose, nginxproxy):
+    conf = nginxproxy.get_conf().decode('ASCII')
+    r = nginxproxy.get("http://http2-global-disabled.nginx-proxy.tld")
+    assert r.status_code == 200
+    assert not re.search(r"(?s)http2-global-disabled\.nginx-proxy\.tld.*http2 on", conf)

test/test_http2/test_http2_global_disabled.yml

@@ -0,0 +1,15 @@
+services:
+  http2-global-disabled:
+    image: web
+    expose:
+      - "80"
+    environment:
+      WEB_PORTS: 80
+      VIRTUAL_HOST: http2-global-disabled.nginx-proxy.tld
+
+  sut:
+    image: nginxproxy/nginx-proxy:test
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+    environment:
+      ENABLE_HTTP2: "false"

test/test_http3/test_http3_global_disabled.py

@@ -0,0 +1,19 @@
+import pytest
+import re
+
+    #Python Requests is not able to do native http3 requests. 
+    #We only check for directives which should enable http3.
+
+def test_http3_global_disabled_ALTSVC_header(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://http3-global-disabled.nginx-proxy.tld/headers")
+    assert r.status_code == 200
+    assert "Host: http3-global-disabled.nginx-proxy.tld" in r.text
+    assert not "alt-svc" in r.headers
+
+def test_http3_global_disabled_config(docker_compose, nginxproxy):
+    conf = nginxproxy.get_conf().decode('ASCII')
+    r = nginxproxy.get("http://http3-global-disabled.nginx-proxy.tld")
+    assert r.status_code == 200
+    assert not re.search(r"(?s)listen 443 quic", conf)
+    assert not re.search(r"(?s)http3 on", conf)
+    assert not re.search(r"(?s)add_header alt-svc \'h3=\":443\"; ma=86400;\'", conf)

test/test_http3/test_http3_global_disabled.yml

@@ -0,0 +1,15 @@
+services:
+  http3-global-disabled:
+    image: web
+    expose:
+      - "80"
+    environment:
+      WEB_PORTS: 80
+      VIRTUAL_HOST: http3-global-disabled.nginx-proxy.tld
+
+  sut:
+    image: nginxproxy/nginx-proxy:test
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+    #environment:
+      #ENABLE_HTTP3: "false"    #Disabled by default

test/test_http3/test_http3_global_enabled.py

@@ -0,0 +1,21 @@
+import pytest
+import re
+
+    #Python Requests is not able to do native http3 requests. 
+    #We only check for directives which should enable http3.
+
+def test_http3_global_enabled_ALTSVC_header(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://http3-global-enabled.nginx-proxy.tld/headers")
+    assert r.status_code == 200
+    assert "Host: http3-global-enabled.nginx-proxy.tld" in r.text
+    assert "alt-svc" in r.headers
+    assert r.headers["alt-svc"] == 'h3=":443"; ma=86400;'
+
+def test_http3_global_enabled_config(docker_compose, nginxproxy):
+    conf = nginxproxy.get_conf().decode('ASCII')
+    r = nginxproxy.get("http://http3-global-enabled.nginx-proxy.tld")
+    assert r.status_code == 200
+    assert re.search(r"listen 443 quic reuseport\;", conf)
+    assert re.search(r"(?s)http3-global-enabled\.nginx-proxy\.tld;.*listen 443 quic", conf)
+    assert re.search(r"(?s)http3-global-enabled\.nginx-proxy\.tld;.*http3 on\;", conf)
+    assert re.search(r"(?s)http3-global-enabled\.nginx-proxy\.tld;.*add_header alt-svc \'h3=\":443\"; ma=86400;\'", conf)

test/test_http3/test_http3_global_enabled.yml

@@ -0,0 +1,15 @@
+services:
+  http3-global-enabled:
+    image: web
+    expose:
+      - "80"
+    environment:
+      WEB_PORTS: 80
+      VIRTUAL_HOST: http3-global-enabled.nginx-proxy.tld
+
+  sut:
+    image: nginxproxy/nginx-proxy:test
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+    environment:
+      ENABLE_HTTP3: "true"

test/test_http3/test_http3_vhost.py

@@ -0,0 +1,49 @@
+import pytest
+import re
+
+    #Python Requests is not able to do native http3 requests. 
+    #We only check for directives which should enable http3.
+
+def test_http3_vhost_enabled_ALTSVC_header(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://http3-vhost-enabled.nginx-proxy.tld/headers")
+    assert r.status_code == 200
+    assert "Host: http3-vhost-enabled.nginx-proxy.tld" in r.text
+    assert "alt-svc" in r.headers
+    assert r.headers["alt-svc"] == 'h3=":443"; ma=86400;'
+
+def test_http3_vhost_enabled_config(docker_compose, nginxproxy):
+    conf = nginxproxy.get_conf().decode('ASCII')
+    r = nginxproxy.get("http://http3-vhost-enabled.nginx-proxy.tld")
+    assert r.status_code == 200
+    assert re.search(r"listen 443 quic reuseport\;", conf)
+    assert re.search(r"(?s)http3-vhost-enabled\.nginx-proxy\.tld;.*listen 443 quic", conf)
+    assert re.search(r"(?s)http3-vhost-enabled\.nginx-proxy\.tld;.*http3 on\;", conf)
+    assert re.search(r"(?s)http3-vhost-enabled\.nginx-proxy\.tld;.*add_header alt-svc \'h3=\":443\"; ma=86400;\'", conf)
+
+def test_http3_vhost_disabled_ALTSVC_header(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://http3-vhost-disabled.nginx-proxy.tld/headers")
+    assert r.status_code == 200
+    assert "Host: http3-vhost-disabled.nginx-proxy.tld" in r.text
+    assert not "alt-svc" in r.headers
+
+def test_http3_vhost_disabled_config(docker_compose, nginxproxy):
+    conf = nginxproxy.get_conf().decode('ASCII')
+    r = nginxproxy.get("http://http3-vhost-disabled.nginx-proxy.tld")
+    assert r.status_code == 200
+    assert not re.search(r"(?s)http3-vhost-disabled\.nginx-proxy\.tld.*listen 443 quic.*\# http3-vhost-enabled\.nginx-proxy\.tld", conf)
+    assert not re.search(r"(?s)http3-vhost-disabled\.nginx-proxy\.tld.*http3 on.*\# http3-vhost-enabled\.nginx-proxy\.tld", conf)
+    assert not re.search(r"(?s)http3-vhost-disabled\.nginx-proxy\.tld;.*add_header alt-svc \'h3=\":443\"; ma=86400;\'.*\# http3-vhost-enabled\.nginx-proxy\.tld", conf)
+
+def test_http3_vhost_disabledbydefault_ALTSVC_header(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://http3-vhost-default-disabled.nginx-proxy.tld/headers")
+    assert r.status_code == 200
+    assert "Host: http3-vhost-default-disabled.nginx-proxy.tld" in r.text
+    assert not "alt-svc" in r.headers
+
+def test_http3_vhost_disabledbydefault_config(docker_compose, nginxproxy):
+    conf = nginxproxy.get_conf().decode('ASCII')
+    r = nginxproxy.get("http://http3-vhost-default-disabled.nginx-proxy.tld")
+    assert r.status_code == 200
+    assert not re.search(r"(?s)http3-vhost-default-disabled\.nginx-proxy\.tld.*listen 443 quic.*\# http3-vhost-disabled\.nginx-proxy\.tld", conf)
+    assert not re.search(r"(?s)http3-vhost-default-disabled\.nginx-proxy\.tld.*http3 on.*\# http3-vhost-disabled\.nginx-proxy\.tld", conf)
+    assert not re.search(r"(?s)http3-vhost-default-disabled\.nginx-proxy\.tld;.*add_header alt-svc \'h3=\":443\"; ma=86400;\'.*\# http3-vhost-disabled\.nginx-proxy\.tld", conf)

test/test_http3/test_http3_vhost.yml

@@ -0,0 +1,33 @@
+services:
+  http3-vhost-enabled:
+    image: web
+    expose:
+      - "80"
+    environment:
+      WEB_PORTS: 80
+      VIRTUAL_HOST: http3-vhost-enabled.nginx-proxy.tld
+    labels:
+      com.github.nginx-proxy.nginx-proxy.http3.enable: "true"
+
+  http3-vhost-disabled:
+    image: web
+    expose:
+      - "80"
+    environment:
+      WEB_PORTS: 80
+      VIRTUAL_HOST: http3-vhost-disabled.nginx-proxy.tld
+    labels:
+      com.github.nginx-proxy.nginx-proxy.http3.enable: "false"
+
+  http3-vhost-default-disabled:
+    image: web
+    expose:
+      - "80"
+    environment:
+      WEB_PORTS: 80
+      VIRTUAL_HOST: http3-vhost-default-disabled.nginx-proxy.tld
+
+  sut:
+    image: nginxproxy/nginx-proxy:test
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro

test/test_ssl/test_hsts.py

@@ -31,3 +31,11 @@ def test_web4_HSTS_off_noredirect(docker_compose, nginxproxy):
     r = nginxproxy.get("https://web4.nginx-proxy.tld/port", allow_redirects=False)
     assert "answer from port 81\n" in r.text
     assert "Strict-Transport-Security" not in r.headers
+
+def test_http3_vhost_enabled_HSTS_default(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://http3-vhost-enabled.nginx-proxy.tld/port", allow_redirects=False)
+    assert "answer from port 81\n" in r.text
+    assert "Strict-Transport-Security" in r.headers
+    assert "max-age=31536000" == r.headers["Strict-Transport-Security"]
+    assert "alt-svc" in r.headers
+    assert r.headers["alt-svc"] == 'h3=":443"; ma=86400;'

test/test_ssl/test_hsts.yml

@@ -34,6 +34,16 @@ web4:
     HSTS: "off"
     HTTPS_METHOD: "noredirect"
 
+web5:
+  image: web
+  expose:
+    - "81"
+  environment:
+    WEB_PORTS: "81"
+    VIRTUAL_HOST: http3-vhost-enabled.nginx-proxy.tld
+  labels:
+    com.github.nginx-proxy.nginx-proxy.http3.enable: "true"
+
 sut:
   image: nginxproxy/nginx-proxy:test
   volumes: