From 3979e206469607aba15a1833d6bdafd07ed00283 Mon Sep 17 00:00:00 2001 From: Dimitri Sokolyuk Date: Thu, 31 Mar 2016 16:27:26 +0200 Subject: Test TLS --- route.go | 13 ++++++++++--- server.go | 9 +++++++++ server_test.go | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--- 3 files changed, 74 insertions(+), 6 deletions(-) diff --git a/route.go b/route.go index 5e1b806..83998fd 100644 --- a/route.go +++ b/route.go @@ -21,10 +21,17 @@ type route struct { // GetCertificate returns certificate for SNI negotiation func (r Route) GetCertificate(h *tls.ClientHelloInfo) (*tls.Certificate, error) { - if route, ok := r[h.ServerName]; ok && route.Certificate != nil { - return route.Certificate, nil + host := h.ServerName + if v, ok := r[host]; ok && v.Certificate != nil { + return v.Certificate, nil } - return nil, errors.New("no cert for " + h.ServerName) + // HACK search for certs with port speciefied + for k, v := range r { + if k[:len(host)] == host { + return v.Certificate, nil + } + } + return nil, errors.New("no cert for " + host) } // Save routes to persistent file diff --git a/server.go b/server.go index 9ef2204..e021950 100644 --- a/server.go +++ b/server.go @@ -2,6 +2,8 @@ package goxy import ( "crypto/tls" + "fmt" + "log" "net/http" "net/http/httputil" ) @@ -47,6 +49,7 @@ func (s *Server) Update() error { tlsMux := http.NewServeMux() for _, v := range s.Route { host := v.ServerName.Host + v.ServerName.Path + log.Println("Update", host) up := v.Upstream switch v.ServerName.Scheme { case "http", "": @@ -61,6 +64,12 @@ func (s *Server) Update() error { tlsMux.Handle(host, NewWebSocketProxy(up)) } } + wwwMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { + fmt.Fprintf(w, "%q", r) + }) + tlsMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { + fmt.Fprintf(w, "%q", r) + }) s.wwwServer.Handler = wwwMux s.tlsServer.Handler = tlsMux return nil diff --git a/server_test.go b/server_test.go index 7f296b5..e322195 100644 
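Review bot: The fallback loop in GetCertificate slices `k[:len(host)]` without first checking that the route key is at least as long as the SNI value, so a ClientHello whose ServerName is longer than any key aborts the handshake with a slice-bounds panic instead of the intended "no cert" error; ServerName is whatever the connecting peer sent, so every client can reach this path. The prefix test is also looser than the comment says: an empty ServerName (no SNI) matches every key, `example` matches `example.org:443`, and unlike the exact-match branch above it the loop returns `v.Certificate` without checking it is non-nil. A port-aware match that is safe on any input is `if strings.HasPrefix(k, host+":") && v.Certificate != nil {` (adding `"strings"` to route.go's imports), or `strings.Cut` the key at the colon and compare the host part exactly. Minor: `speciefied` in the comment should read `specified`.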
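Review bot: The two catch-all `/` handlers added at the end of Update write the whole `*http.Request` back to the client with `%q`, which includes every request header (cookies, Authorization, X-Forwarded-* and the like), the remote address and the TLS connection state, on both the plain and TLS listeners for any host or path the route table does not cover; this looks like a debugging aid for the TLS test rather than intended proxy behaviour. If an explicit fallback is wanted, answer with a status instead of the request dump, e.g. `wwwMux.HandleFunc("/", http.NotFound)` and `tlsMux.HandleFunc("/", http.NotFound)`, which also makes the new `fmt` import unnecessary. The `log.Println("Update", host)` line fires unconditionally on every route rebuild; if it is meant to stay, gating it behind a debug flag would keep production logs quieter. Update's signature and the start of the route loop are outside this hunk.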
--- a/server_test.go +++ b/server_test.go @@ -1,6 +1,8 @@ package goxy import ( + "crypto/tls" + "crypto/x509" "io" "io/ioutil" "log" @@ -17,6 +19,21 @@ const ( wwwServer = "localhost:8080" tlsServer = "localhost:8443" rpcServer = "localhost:8000" + cert = `-----BEGIN CERTIFICATE----- +MIIBXjCCAQygAwIBAgIRAM03h8i2NyJ7sItcK4jU1eEwCgYIKoZIzj0EAwIwEjEQ +MA4GA1UEChMHQWNtZSBDbzAeFw0xNjAzMzExMzU5NTlaFw0yNjAzMjkxMzU5NTla +MBIxEDAOBgNVBAoTB0FjbWUgQ28wTjAQBgcqhkjOPQIBBgUrgQQAIQM6AATxB9y8 +ZHzQayFNY2mrEaG7tgJKTSDOAvVSn8VsDldcZXwXuWEcNoi2LKAckCL9E2xc6bxz +AlZGXaNOMEwwDgYDVR0PAQH/BAQDAgKkMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8G +A1UdEwEB/wQFMAMBAf8wFAYDVR0RBA0wC4IJbG9jYWxob3N0MAoGCCqGSM49BAMC +A0AAMD0CHQDQCcNis9uY0lGbQ4o8qJByjd9GY3Bon3wmt/ULAhwI78yOXxyeDR1T +77Q2+pF/GmcDtCbwrVt3KpmI +-----END CERTIFICATE-----` + key = `-----BEGIN EC PRIVATE KEY----- +MGgCAQEEHHvI0aSaXHcCugwEWoBJ9R1swGVeDbTYlikuv4+gBwYFK4EEACGhPAM6 +AATxB9y8ZHzQayFNY2mrEaG7tgJKTSDOAvVSn8VsDldcZXwXuWEcNoi2LKAckCL9 +E2xc6bxzAlZGXQ== +-----END EC PRIVATE KEY-----` ) var server Server @@ -30,7 +47,16 @@ func init() { } func get(uri string) (string, error) { - resp, err := http.Get(uri) + caPool := x509.NewCertPool() + caPool.AppendCertsFromPEM([]byte(cert)) + client := http.Client{ + Transport: &http.Transport{ + TLSClientConfig: &tls.Config{ + RootCAs: caPool, + }, + }, + } + resp, err := client.Get(uri) if err != nil { return "", err } @@ -69,12 +95,10 @@ func (c Cannary) Equal(s string) bool { } func TestReverseProxy(t *testing.T) { - // Backend server backServer := httptest.NewServer(cannary) defer backServer.Close() t.Log("start", backServer.URL) - // Test HTTP proxy e := Entry{ Host: "http://" + wwwServer, Upstream: backServer.URL, 
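Review bot: The certificate embedded in `cert` has a fixed validity window (its two UTCTime fields decode to 2016-03-31 and 2026-03-29), so TestReverseProxyTLS will start failing with an x509 expiry error from the client once that date passes, with nothing in the test pointing at the cause. Generating the self-signed certificate at test time (an ECDSA key, x509.CreateCertificate with NotAfter relative to time.Now() and DNSNames {"localhost"}, encoded with pem) removes both the time bomb and the checked-in private key; the imports that needs are not visible in this hunk. If the constants stay, a comment above `cert` such as `// self-signed test certificate for localhost, valid until 2026-03-29; regenerate before then` at least makes the eventual failure diagnosable. The const block is complete inside this hunk.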
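Review bot: `caPool.AppendCertsFromPEM([]byte(cert))` returns a bool that `get` discards, so if the embedded PEM ever fails to parse the pool is silently empty and the TLS request fails later with an unrelated "unknown authority" error; check it, e.g. `if !caPool.AppendCertsFromPEM([]byte(cert)) { return "", errors.New("test CA certificate did not parse") }` (with `errors` imported if the file does not already). The client is also built without a `Timeout`, so a proxy that never answers hangs the test until the go test deadline instead of failing promptly, and because a fresh Transport is created on every call nothing is reused between requests; constructing one client with a Timeout at package level (or in init) addresses both. The rest of `get` continues past this hunk.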
@@ -100,6 +124,34 @@ func TestReverseProxy(t *testing.T) { } func TestReverseProxyTLS(t *testing.T) { + backServer := httptest.NewServer(cannary) + defer backServer.Close() + t.Log("start", backServer.URL) + + e := Entry{ + Host: "https://" + tlsServer, + Upstream: backServer.URL, + Cert: []byte(cert), + Key: []byte(key), + } + if err := add(e); err != nil { + t.Error(err) + } + t.Log("add", e) + + resp, err := get("https://" + tlsServer) + if err != nil { + t.Error(err) + } + + if !cannary.Equal(resp) { + t.Errorf("got %q expected %q", resp, cannary) + } + + if err := del(tlsServer); err != nil { + t.Error(err) + } + t.Log("del", tlsServer) } func TestWebsocketProxy(t *testing.T) { -- cgit v1.2.3
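Review bot: In TestReverseProxyTLS the `get` failure is reported with `t.Error` and the test carries on, so a handshake or connection error is always followed by a second, misleading `got "" expected ...` failure from the Equal check; the `add` failure has the same problem, after which the request is pointless. Use `t.Fatal(err)` at those two sites (`if err := add(e); err != nil { t.Fatal(err) }` and `if err != nil { t.Fatal(err) }` after `get`) so only the real cause is reported. Note that `del` then does not run on a fatal path; if a stale route in the table would affect the later tests, `defer del(tlsServer)` immediately after the successful add keeps the table clean regardless of how the test exits. The test body is complete inside the hunk; `add`, `del` and `cannary` are defined elsewhere in the file.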