Merge pull request #22 from sozu-proxy/https-redirect

Add a test to cover the HTTPS redirection feature
sozu-proxy · Oct 24, 2018 · fd07b00 · fd07b00
2 parents 29b7192 + d24554d
commit fd07b00
Show file tree

Hide file tree

Showing 11 changed files with 227 additions and 1 deletion.
diff --git a/gen-own-ssl-ca-and-cert.sh b/gen-own-ssl-ca-and-cert.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+# Create Your Own SSL Certificate Authority for Local HTTPS Development
+# $1 = hostname
+# $2 = output directory (src/test/resources/certs by default)
+
+set -e
+#set -x
+
+OUT_PATH=${2:-src/test/resources/certs}    
+
+echo $#
+
+if [ "$#" -ne 1 -o "$#" -ne 2]; then
+    echo "Illegal number of parameters"
+    echo "Usage: DOMAIN [OUT_PATH]"
+    exit 1
+fi
+
+# Generate a passphrase
+openssl rand -base64 48 > passphrase.txt
+
+# Create the Certificate Authority pem and key
+openssl genrsa -des3 -passout file:passphrase.txt -out $OUT_PATH/CA.key 2048
+openssl req -x509 -passin file:passphrase.txt -new -nodes -key $OUT_PATH/CA.key -sha256 -days 7300 -out $OUT_PATH/CA.pem \
+        -subj "/C=FR/O=clevercloud/OU=sozu/CN=ca.sozu.com"
+
+
+# Create CA-Signed certificates for the test
+openssl genrsa -passout file:passphrase.txt -out $OUT_PATH/$1.key 2048
+
+openssl req -passin file:passphrase.txt -new -key $OUT_PATH/$1.key -out $OUT_PATH/$1.csr \
+        -subj "/C=FR/O=devcompany/OU=dev/CN=$1"
+
+openssl x509 -req -passin file:passphrase.txt -in $OUT_PATH/$1.csr -CA $OUT_PATH/CA.pem -CAkey $OUT_PATH/CA.key -CAcreateserial -out $OUT_PATH/$1.crt -days 7300 -sha256
+
+# == Clean ==
+rm -f passphrase.txt
diff --git a/src/main/java/SozuContainer.java b/src/main/java/SozuContainer.java
@@ -41,6 +41,7 @@ public SozuContainer(final String pathToDockerFile) {
     @Override
     protected void configure() {
         mapResourceParameterAsVolume("sozu", "/etc");
+        mapResourceParameterAsVolume("certs", "/"); //FIXME needed only for testHttpsredirect make this more configurable
         withNetworkMode("my-net");
         addExposedPorts(DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT, 4000, 4001);
     }

diff --git a/src/test/java/SozuContainerTest.java b/src/test/java/SozuContainerTest.java
@@ -17,8 +17,10 @@
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import static java.net.HttpURLConnection.HTTP_MOVED_PERM;
 import static java.net.HttpURLConnection.HTTP_OK;
 import static java.net.HttpURLConnection.HTTP_UNAVAILABLE;
 import static org.junit.Assert.*;
@@ -263,4 +265,47 @@ public void testStickySessions () throws Exception {
         nodeBackend2.stop();
         nodeBackend3.stop();
     }
+
+    @Test
+    public void testHttpsredirect() throws Exception {
+        URL sozuUrl = sozuContainer.getBaseUrl("http", SozuContainer.DEFAULT_HTTP_PORT);
+        int sozuHttpsPort = sozuContainer.getMappedPort(SozuContainer.DEFAULT_HTTPS_PORT);
+
+
+        // Setup the backend with app-x-forwarded-proto.js as binary
+        Backend backend = new Backend("paladin", "172.18.0.14", 8006);
+        NodeBackendContainer nodeBackend = new NodeBackendContainer(backend.getAddress(), Paths.get("node-backends/app-x-forwarded-proto.js"), backend.getPort());
+        nodeBackend.start();
+        sozuContainer.addBackend("httpsredirect", backend.getId(), backend.getAddressWithPort());
+
+
+        // Verify that the proxy answers with a 301 to the HTTPS version
+        HttpResponse res = curl("-H 'Host: httpsredirect.com' " + sozuUrl.toString());
+        assertEquals(HTTP_MOVED_PERM, res.getStatusLine().getStatusCode());
+
+        String location = res.getFirstHeader("Location").getValue();
+        assertEquals("https://httpsredirect.com/", location);
+
+
+        // The client does a HTTPS request
+        // FIXME We set in a magic string the ip gateway of the bridge network until #17 is fixed
+        // TODO Maybe we should move the /certs folder in a better place
+        Process p = Runtime.getRuntime().exec("curl -s --cacert ./src/test/resources/certs/CA.pem --resolve httpsredirect.com:" + sozuHttpsPort + ":172.18.0.1 https://httpsredirect.com:" + sozuHttpsPort);
+        String stdout = IOUtils.toString(p.getInputStream(), "UTF-8");
+        String stderr = IOUtils.toString(p.getErrorStream(), "UTF-8");
+
+
+        // Verify that the server gets the correct protocol in the Forwarded-* headers
+        if(!stdout.isEmpty()) {
+            // The backend should return the x-forwarded-proto header content
+            assertEquals("https", stdout);
+        }
+        else {
+            log.log(Level.SEVERE, stderr);
+            nodeBackend.stop();
+            fail();
+        }
+
+        nodeBackend.stop();
+    }
 }
diff --git a/src/test/resources/certs/CA.key b/src/test/resources/certs/CA.key
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,59812418522C401C
+
+93f3vx2tC2EBgquJpiMQ+YjOcn3rQvpsxj5+3S3H4XmSdA5NTRUB+Zsxz+KsJ7sG
+ZDYsr0ueAivJvstwi15DVZOPIgdhxHAz/Z0132MUYrUyuWx4xf74GhdS5P6CuyNl
+NIm0g9Vr8M1tLi7PxXXAGsEHFd7/eSGbTJHWWtIWc99S8BTNA8/lNUXNN7M9noyp
+cRJybckpBHUxAEMzb7q+RC1Y9YKvvV1/ENQxVQxEh4vKtnw9EKRbk7QUB1D5MORS
+jaEuSboVRnni5kwWx7O24E51m6ilaFCq/i4JnyER8bWfVxsuQhi3+gcN0myh86/p
+KbaT0vQ8dt5Oj4rIyShVOfiufdo/klXJV55yVl//3f7oYxeQ6ORshU3d/ysNCLfJ
+kKeoPXw/SoLqn5+VZZfFwDQNEdcIM45BF5egrDo1HM5wGW1NC7bO+cHnZxHeguoI
+B8cK0+9ix0fXqNynjQSE+4PCQ5uIQq8mIeR4hXREPcpUBWcxlYy31YWMWB0V1ORn
+45Lm1eNp6UP77f8wxMm+DnSYJhi/LZQj23ZR6J32nn6BI7zHwq2KaJA0B75qQxO+
+GA4CdRtf6cPY8wGv4HO/QSpWGKQaBAtWzfst0EFz07oGfDqMmhLkw1edIzxSfHiD
+wVrTpPT9irKAOOmlDbkwDA0VkCJXod6yBXlkBW56UaYK3FxB/mGC+ulaHy/ixmOV
+pKeEx4jHPAUa1u28dNcyrLd+H02RyUeYftKbPD38vpVO1TfTRiXH1uRiRmAf2C8T
+lKJ0AcvEEQ9RTFDM1xQ5kC3cR9AyAEa0+xIWEEXXfBMpljJH3sGnPPo4T5TqB8h+
+K79A9/m7tqnMEX14V5Sr8TXRZHg4rKnebPHuhJ9D7fEqUBrVjk+YtqwadBaAJ7kC
+6DMVYZHrsnud7T69IR0ModHi/U3xAP1+RtweSQmMfp86TDc+ZTcmBpKEbHLiTW3y
+5Yz20JGltR2MbgJukEpb8n0x8Jpao9hSmkE9PfT7UpzM6tVctMIpej//5vTWw4lq
+3npWVRNivyH5L77UKtx7R5UdGeli4HeCl39+avurB/RyCy/V4BLXDEH5PfGrOu8j
+v7UruZKdkMGEXLlARo4JqdC24T6UD6TYHQuA4TlNReQ0BHoXIrCUFpSfQ+2cJ+B4
+ZJopHa/n5+XBjAWm0BpUoRU6YYUYprUGALNTM+8Si8Uz8Am6HrSqymCRfwjIfQme
+lcf0PW6bSO58WDPKXgQAiw7CddZQioNkeOiI3Z3lyYYVxcCcxsg889W6YD9R7VIe
+Nn4smlo3yJ6nq6/dM/GgMmiT7YWaChSlDgJNk/hAoiOPD7XLr6aOz4Z+LPdNLemK
+xShxrn2nxXLCzQ8A5dOKEcEjtY5YJcA2XDrUZ9eSAJNKUJzNtoRETgMnp1pxcxQW
+y/4ynCnrE5edEXsTT2ENQISOx3dsipzdE9HeZRCoX4btn2W/UzeJx4OPnytyq3Cs
+XzaiplFPVeQXNgjeieI0bkWvQzLzNEJ6qeDv5JJIav7zqZppx0rR+s95ivtNPz5b
+sxWmMtYDyhKrgs0SVhTBpDocZWDM/pmGw8z/e4sp0VI/PM8SC1PXHqWT6jYvnCnI
+-----END RSA PRIVATE KEY-----
diff --git a/src/test/resources/certs/CA.pem b/src/test/resources/certs/CA.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZjCCAk6gAwIBAgIJALFeYtVRE2D2MA0GCSqGSIb3DQEBCwUAMEgxCzAJBgNV
+BAYTAkZSMRQwEgYDVQQKDAtjbGV2ZXJjbG91ZDENMAsGA1UECwwEc296dTEUMBIG
+A1UEAwwLY2Euc296dS5jb20wHhcNMTgxMDIyMTkzMTM2WhcNMzgxMDE3MTkzMTM2
+WjBIMQswCQYDVQQGEwJGUjEUMBIGA1UECgwLY2xldmVyY2xvdWQxDTALBgNVBAsM
+BHNvenUxFDASBgNVBAMMC2NhLnNvenUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAwClI9TYCvgHsxV0vW9ruyaGzEAcE1JdJRqIos2ver1nhHjqV
+jRpjm2FhniByXZN73bS1h3VyybLlvp2buShX3phMer+yaM+NZpHEUCSXTs6dT7EH
+pONbLvIqq2dDgc/lWpstwsS4pPn2AAiCQnF2F/QLm+49ZgO4EcHvLArfXi2SYRMR
+eg86BW7onygzXH/6rxXt0nhF0ht0R1FRMWEMlnJzmb540PT/5Q41mQRQZBYZn26P
+cucOEILC0pLfyIAcCGYRuo+o1fknvy8Es7m8/pONQ9HaG4Trz7zQ0xGd6NkKgxaq
+6+Fdy+ypWwLY7FToIAeBBqdjM9TMMIF9C2PbPwIDAQABo1MwUTAdBgNVHQ4EFgQU
+ggJahkhIR8sneZM/Zs4By86ld1QwHwYDVR0jBBgwFoAUggJahkhIR8sneZM/Zs4B
+y86ld1QwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAvu4ZeQ04
+IoHW4JE3WLOzGxbD9ul0AQyRjmvmcTuMnMWZyPigyJRqoMfGsijuf3kustVGq0QH
+XTP1I5Xh1y2pTRHgtOOFApQxPWqyxPm/FnjhCsKGB4b98ApXVWdfMJ1XUO+BvNn0
+w2+7M6m9mYY89loktYuNw2fl68llMq/xG4R9RCCmCzZt8u6JeGW+KODgqyW9OXwp
+imzsDJRxeiV2b48aIu666szi9wokB0IR242Yx9UJ6zHD0EeueFvVPspL/NJsuoNZ
+cQsGPLqOMzLSHzblG9KITxktA4So7GVOcB41elB/Rg2pL1aOeMgl2xewKOMBtE4i
+y+/AeyJmz8DOUQ==
+-----END CERTIFICATE-----
diff --git a/src/test/resources/certs/CA.srl b/src/test/resources/certs/CA.srl
@@ -0,0 +1 @@
+9578BAE2065F5060
diff --git a/src/test/resources/certs/httpsredirect.com.crt b/src/test/resources/certs/httpsredirect.com.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEDCCAfgCCQCVeLriBl9QYDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJG
+UjEUMBIGA1UECgwLY2xldmVyY2xvdWQxDTALBgNVBAsMBHNvenUxFDASBgNVBAMM
+C2NhLnNvenUuY29tMB4XDTE4MTAyMjE5MzEzNloXDTM4MTAxNzE5MzEzNlowTDEL
+MAkGA1UEBhMCRlIxEzARBgNVBAoMCmRldmNvbXBhbnkxDDAKBgNVBAsMA2RldjEa
+MBgGA1UEAwwRaHR0cHNyZWRpcmVjdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDXowLkr/VPKTTnuzxF1bUHcCG81E3z5iJ/jm9TjJ5JGSZcxI22
+Z11aR7WapPnlab/nB9RW0jpk8YxD/To2WH78OOP3hFG8GsDn37bGN6E290iv8O1C
+0m+3tX7BYDq9P3CR9CcPYsmLiXiC4AkImgn3eEgrjM76nqebvGEvs04Py+yaDnwr
+/xiZoB7zWU1+Nw4jahFuD7PGusN+ifFOYXrGdSPM0GCjjS8WDEtgp12ed7BBewyL
+/V6pSoQR/d+zt2rpD1tiHjPymv4/zit+zqBSVks+HlJnCrWRNZa2ALE0HDwtQUF4
+zRawlTR0Y1b+/iSZy3n3zXeNyo3hcjlwMK4LAgMBAAEwDQYJKoZIhvcNAQELBQAD
+ggEBABG3ocszFSangqqihhK/1cjRo+KKoK6f2lVmD6U7ZAAqTucC9oB1yv0i/5fx
+wQgcdZm8Q8czIh5TFFM/CPsjAx2FaETa+MDxMAMWuzrcthw54+RncJ6crAP7UUTX
+Gpq+Kq7ImQBr1xeC7zlo3CIeKM+rH/YyHkhUWmtmo0IYmbF9krtrKHoBvoEhL8SQ
+gn4xxui0THCyuWrtUoRXhEm+G17x7npIaEMNGIW0XF7zl1BuCEWpKUOW1UZEEI30
+h7jywJiuK+Hb5/BSc2iQ5cJ4dllgiTdusGjANQQuUr5yVW+QCXxLV39NhDSNmHif
+hRApE2QuxAtkuEyMZzohB2uux0w=
+-----END CERTIFICATE-----
diff --git a/src/test/resources/certs/httpsredirect.com.csr b/src/test/resources/certs/httpsredirect.com.csr
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICkTCCAXkCAQAwTDELMAkGA1UEBhMCRlIxEzARBgNVBAoMCmRldmNvbXBhbnkx
+DDAKBgNVBAsMA2RldjEaMBgGA1UEAwwRaHR0cHNyZWRpcmVjdC5jb20wggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXowLkr/VPKTTnuzxF1bUHcCG81E3z
+5iJ/jm9TjJ5JGSZcxI22Z11aR7WapPnlab/nB9RW0jpk8YxD/To2WH78OOP3hFG8
+GsDn37bGN6E290iv8O1C0m+3tX7BYDq9P3CR9CcPYsmLiXiC4AkImgn3eEgrjM76
+nqebvGEvs04Py+yaDnwr/xiZoB7zWU1+Nw4jahFuD7PGusN+ifFOYXrGdSPM0GCj
+jS8WDEtgp12ed7BBewyL/V6pSoQR/d+zt2rpD1tiHjPymv4/zit+zqBSVks+HlJn
+CrWRNZa2ALE0HDwtQUF4zRawlTR0Y1b+/iSZy3n3zXeNyo3hcjlwMK4LAgMBAAGg
+ADANBgkqhkiG9w0BAQsFAAOCAQEAOu1OjSdb/2jdD652asZtY3h/0m/uOXpJ7yCD
+t5c5c7YvbLswHVUElohG4fQtV1bd4wDYr6MH/D4gd6e6deK55dqj8UcKIoUAXpfm
+3M7EhTwCYYBrqzfr6r4wq8d/QP/Xuq0ucK7Pgm7/pfdX9JOim0ac9sV3h2Iujpx+
+MzZjFTlW5Rv2yDBueLkshy1FB1HDvALk958/kAQUrh50Glsw+f6YX3ThW8kyMJWi
+P2FROCh+drPUUFG4+fGb0+vZL1i74qr95c3rdVowZ52dR/PsSSMmWlQV6jrXRJvg
+AFXrI12WNR/hcJPhLFOOnCgD6wAgsrg9OlF+z7Egvc6YeqBvOA==
+-----END CERTIFICATE REQUEST-----
diff --git a/src/test/resources/certs/httpsredirect.com.key b/src/test/resources/certs/httpsredirect.com.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA16MC5K/1Tyk057s8RdW1B3AhvNRN8+Yif45vU4yeSRkmXMSN
+tmddWke1mqT55Wm/5wfUVtI6ZPGMQ/06Nlh+/Djj94RRvBrA59+2xjehNvdIr/Dt
+QtJvt7V+wWA6vT9wkfQnD2LJi4l4guAJCJoJ93hIK4zO+p6nm7xhL7NOD8vsmg58
+K/8YmaAe81lNfjcOI2oRbg+zxrrDfonxTmF6xnUjzNBgo40vFgxLYKddnnewQXsM
+i/1eqUqEEf3fs7dq6Q9bYh4z8pr+P84rfs6gUlZLPh5SZwq1kTWWtgCxNBw8LUFB
+eM0WsJU0dGNW/v4kmct59813jcqN4XI5cDCuCwIDAQABAoIBAE+qNaNvLl20h4sl
+LTtPnLXGw3ATr0jwOMaPRKnFRaUT2YxkQUamIWL9Iyai1H/g9bjQt63rtQ8d/ggQ
+QbVaNG/SRMZo6BlqeOIxUEEixDieWwhFJiKNxCBGuTGP76ODEH+bh+KzSGp4u0D+
+q9e1sQDwOxl7x+vnOVzb17vbrnc+3WHduWLpq2QgpY+ngyjcQIUt5bHWY0xNn9lB
+o2N1eQeTgDlMdrDUL+FsXH/NS8o2tHD5z2TG8uNnU3nS4HhQxxsDuclR7JIv3VP9
+O8Mu+jQMMvAA1fpUhOoLTOG35K9Wq5QY1JF4Mbfwa93OSgfjGWYnv3HD1gwbyiM1
+IAYBLkECgYEA/jHbRsJ5OcJILUtbSeK/gWnMUDeLM7EWRohssPdhRVrsU7hCMevJ
+IbrJfaAw7ccHLWhhXuwa60jfpbDMnYcPqAlWaV1InyrcBOHvhbSBQk4NQfnZAn49
+xm4sLVVXGYdguYSu2h4bEpSSdSBWewJY+3jUuaMVtG2eSfoRtieGQ9MCgYEA2SsN
+vrBU3ugiK+7SYVMm7KxEsopBysm3eeLFRmBL0tLkohlpbg8nur23eFFsoRNtT6Jv
+EGTRlExOCWEq4+llaNWKy5A8P693FLtaRd15bAarrKSIPbtvme521c5nodVMYCkN
+ztI1IhgDNvOvDhTIVbwVL3YNaF2FT4uGND9OYekCgYEAlstAx6NKgucsJiKUDyrC
+bKU0nUm1/H5LNqBryjeWrqwXkjq2miLD+Ix0R2AmZogxS9CmIsdx2K4sboCJgdHD
+ie2wI2VBVZr5VrQpgWnpXEotNzxebkoxn2twLZx4xR44VRXPHHnLmaQllfIPG33z
+B4tQtqd2ksiMpFoC88pSrh0CgYEAoWtADzIwE3PGGpOsqozNDPRLJ85ecuYWy7FE
+Yzgmg/Ef4mEzHYyEQmjL29HiBaRUBvI8zZmysiE5i/0+jSOprg+z1/VA4zGAONe9
+lNq3axVWO8AcSI5uuKMoj2mZXBAYcg1x5v4WYl4o3Yqp3rSR6DAiKyH7e0ywT1zt
+Bx7bGykCgYEAkrbIv9OhBNNCG9zGZxeKgh2n1cZInFf0qAvZ9klNl22nC7avQBNl
+JE0KFrzFSpbsG39Nzwa7g6dLAfiIYQypL4Hh3z8LCXhA8rbhkAbhBn32PmtYeK2e
+3Cwfk1Z6lDFo/y9lOmV3udOyHgCU4sLL/bx03ISjJdq+HCDa8SFCfuY=
+-----END RSA PRIVATE KEY-----
diff --git a/src/test/resources/node-backends/app-x-forwarded-proto.js b/src/test/resources/node-backends/app-x-forwarded-proto.js
@@ -0,0 +1,16 @@
+const http = require('http')
+const port = process.env.PORT || 8080
+
+const requestHandler = (request, response) => {
+    response.end(request.headers['x-forwarded-proto'])
+}
+
+const server = http.createServer(requestHandler)
+
+server.listen(port, (err) => {
+    if (err) {
+        return console.log('something bad happened', err)
+    }
+
+    console.log(`server simple is listening on ${port}`)
+})
diff --git a/src/test/resources/sozu/config.toml b/src/test/resources/sozu/config.toml
@@ -23,6 +23,10 @@ protocol = "http"
 address = "0.0.0.0:80"
 sticky_name = "SOZUBALANCEID"
 
+[[listeners]]
+protocol = "https"
+address = "0.0.0.0:443"
+
 
 [[listeners]]
 protocol = "http"
@@ -115,4 +119,13 @@ frontends = [
 backends = [
     { address = "172.18.0.10:8002", sticky_id = "rogue" },
     { address = "172.18.0.11:8003", sticky_id = "war" },
-]
+]
+
+[applications.httpsredirect]
+https_redirect = true
+protocol = "http"
+frontends = [
+    { address = "0.0.0.0:80", hostname = "httpsredirect.com" },
+    { address = "0.0.0.0:443", hostname = "httpsredirect.com",  certificate = "/certs/httpsredirect.com.crt", key = "/certs/httpsredirect.com.key" },
+]
+backends = []