haproxy/reg-tests/checks/tls_health_checks.vtc

varnishtest "Health-check test over TLS/SSL"
#REQUIRE_OPTIONS=OPENSSL
#REGTEST_TYPE=slow
feature ignore_unknown_macro


# This script tests health-checks for a TLS/SSL backend with "option httpchk"
# and "check-ssl" option enabled attached to h2 haproxy process. This haproxy
# h2 process is chained to h1 other one.
#
server s1 {
    rxreq
    expect req.method == OPTIONS
    expect req.url == *
    expect req.proto == HTTP/1.1
    txresp
} -start

server s2 {
} -start

server s3 {
    rxreq
    expect req.method == OPTIONS
    expect req.url == *
    expect req.proto == HTTP/1.1
    txresp
} -start

syslog S1 -level notice {
    recv info
    expect ~ "[^:\\[ ]\\[${h1_pid}\\]: .* fe1~ be1/srv1 .* 200 [[:digit:]]+ - - ---- .* \"OPTIONS \\* HTTP/1.1\""
} -start

haproxy h1 -conf {
    global
    .if feature(THREAD)
        thread-groups 1
    .endif

    .if !ssllib_name_startswith(AWS-LC)
        tune.ssl.default-dh-param 2048
    .endif

    defaults
        mode http
        timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"

    backend be1
        server srv1 ${s1_addr}:${s1_port}

    backend be2
        server srv2 ${s2_addr}:${s2_port}

    backend be3
        server srv3 ${s3_addr}:${s3_port}

    frontend fe1
        option httplog
        log ${S1_addr}:${S1_port} len 2048 local0 debug err
        bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem
        use_backend be1

    frontend fe2
        bind "fd@${fe2}" ssl crt ${testdir}/certs/common.pem
        use_backend be2

    frontend fe3
        bind "fd@${fe3}" ssl crt ${testdir}/certs/common.pem
        use_backend be3
} -start

syslog S2 -level notice {
    recv
    expect ~ "[^:\\[ ]\\[${h2_pid}\\]: Health check for server be2/srv1 succeeded, reason: Layer7 check passed.+code: 200.+check duration: [[:digit:]]+ms, status: 1/1 UP."
} -start

syslog S4 -level notice {
    recv
    expect ~ "[^:\\[ ]\\[${h2_pid}\\]: Health check for server be4/srv2 succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status: 1/1 UP."
} -start

syslog S6 -level notice {
    recv
    expect ~ "[^:\\[ ]\\[${h2_pid}\\]: Health check for server be6/srv3 succeeded, reason: Layer7 check passed.+code: 200.+check duration: [[:digit:]]+ms, status: 1/1 UP."
} -start

haproxy h2 -conf {
    global
    .if feature(THREAD)
        thread-groups 1
    .endif

    .if !ssllib_name_startswith(AWS-LC)
        tune.ssl.default-dh-param 2048
    .endif

    defaults
        timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        default-server downinter 1s inter 500 rise 1 fall 1

    backend be2
        option log-health-checks
        option httpchk OPTIONS * HTTP/1.1
        http-check send hdr Host www
        log ${S2_addr}:${S2_port} daemon
        server srv1 ${h1_fe1_addr}:${h1_fe1_port} ssl crt ${testdir}/certs/common.pem verify none check

    backend be4
        option log-health-checks
        log ${S4_addr}:${S4_port} daemon
        server srv2 ${h1_fe2_addr}:${h1_fe2_port} ssl crt ${testdir}/certs/common.pem verify none check-ssl check

    backend be6
        option log-health-checks
        option httpchk OPTIONS * HTTP/1.1
        http-check send hdr Host www
        log ${S6_addr}:${S6_port} daemon
        server srv3 127.0.0.1:80 crt ${testdir}/certs/common.pem verify none check check-ssl port ${h1_fe3_port} addr ${h1_fe3_addr}:80
} -start

syslog S1 -wait

syslog S2 -wait
syslog S4 -wait
syslog S6 -wait