Merge pull request #5 from Shopify/custom-server-name-option

ElvinEfendi · web-flow · commit 42bde72b0ac8 · 2017-02-22T18:11:28.000-05:00
let users to pass custom server_name to tcpsock:sslhandshake function
diff --git a/README.markdown b/README.markdown
@@ -58,6 +58,7 @@ http {
             type = "http",
             -- type = "https",
             -- ssl_verify = true, -- verify SSL certs
+            -- ssl_server_name = "custom_server_name" -- if given, will be passed to tcpsock:sslhandshake as server_name instead of peer.name
             -- ssl_reuse_session = true, -- this makes sure SSL session will be reused
             
             http_req = "GET /status HTTP/1.0\r\nHost: foo.com\r\n\r\n",
diff --git a/lib/resty/upstream/healthcheck.lua b/lib/resty/upstream/healthcheck.lua
@@ -235,7 +235,8 @@ local function check_peer(ctx, id, peer, is_backup)
     end
 
     if ctx.type == "https" then
-        local session, err = sock:sslhandshake(ctx.session, name,
+        local session, err = sock:sslhandshake(ctx.session,
+                                               ctx.ssl_server_name or name,
                                                ctx.ssl_verify)
         if not session then
             peer_error(ctx, is_backup, id, peer,
@@ -629,6 +630,7 @@ function _M.spawn_checker(opts)
         type = typ,
         ssl_verify = ssl_verify,
         ssl_reuse_session = ssl_reuse_session,
+        ssl_server_name = opts.ssl_server_name,
         http_req = http_req,
         timeout = timeout,
         interval = interval,
diff --git a/t/sanity.t b/t/sanity.t
@@ -9,7 +9,7 @@ use Cwd qw(cwd);
 
 #repeat_each(2);
 
-plan tests => repeat_each() * (blocks() * 6 - 6);
+plan tests => repeat_each() * (blocks() * 6 - 13);
 
 my $pwd = cwd();
 
@@ -1685,3 +1685,206 @@ Upstream foo.com
 
 --- no_error_log
 SSL reused session
+
+
+
+=== TEST 20: SSL health check with certificate created with a different server name should work when ssl_verify is false
+--- http_config eval
+"$::HttpConfig"
+. q{
+lua_ssl_trusted_certificate ../../ssl/foo_bar.crt;
+
+upstream foo.com {
+    server 127.0.0.1:12355;
+}
+
+server {
+    listen 12355;
+    ssl on;
+    ssl_certificate ../../ssl/foo_bar.crt;
+    ssl_certificate_key ../../ssl/foo_bar.key;
+    location = /status {
+        return 200;
+    }
+}
+
+lua_shared_dict healthcheck 1m;
+init_worker_by_lua_block {
+    ngx.shared.healthcheck:flush_all()
+    local hc = require "resty.upstream.healthcheck"
+    local ok, err = hc.spawn_checker{
+        shm = "healthcheck",
+        upstream = "foo.com",
+        type = "https",
+        ssl_verify = false,
+        ssl_reuse_session = true,
+        http_req = "GET /status HTTP/1.0\r\nHost: localhost\r\n\r\n",
+        interval = 100,  -- 100ms
+        fall = 2,
+        valid_statuses = {200},
+    }
+    if not ok then
+        ngx.log(ngx.ERR, "failed to spawn health checker: ", err)
+        return
+    end
+}
+}
+--- config
+    location = /t {
+        access_log off;
+        content_by_lua_block {
+            ngx.sleep(0.52)
+
+            local hc = require "resty.upstream.healthcheck"
+            ngx.print(hc.status_page())
+        }
+    }
+--- request
+GET /t
+
+--- response_body
+Upstream foo.com
+    Primary Peers
+        127.0.0.1:12355 up
+    Backup Peers
+
+--- error_log
+SSL reused session
+
+--- no_error_log
+certificate host mismatch
+
+
+
+=== TEST 21: SSL health check with certificate created with a different server name should fail when ssl_verify is true
+--- http_config eval
+"$::HttpConfig"
+. q{
+lua_ssl_trusted_certificate ../../ssl/foo_bar.crt;
+
+upstream foo.com {
+    server 127.0.0.1:12355;
+}
+
+server {
+    listen 12355;
+    ssl on;
+    ssl_certificate ../../ssl/foo_bar.crt;
+    ssl_certificate_key ../../ssl/foo_bar.key;
+    location = /status {
+        return 200;
+    }
+}
+
+lua_shared_dict healthcheck 1m;
+init_worker_by_lua_block {
+    ngx.shared.healthcheck:flush_all()
+    local hc = require "resty.upstream.healthcheck"
+    local ok, err = hc.spawn_checker{
+        shm = "healthcheck",
+        upstream = "foo.com",
+        type = "https",
+        ssl_verify = true,
+        ssl_reuse_session = true,
+        http_req = "GET /status HTTP/1.0\r\nHost: localhost\r\n\r\n",
+        interval = 100,  -- 100ms
+        fall = 2,
+        valid_statuses = {200},
+    }
+    if not ok then
+        ngx.log(ngx.ERR, "failed to spawn health checker: ", err)
+        return
+    end
+}
+}
+--- config
+    location = /t {
+        access_log off;
+        content_by_lua_block {
+            ngx.sleep(0.52)
+
+            local hc = require "resty.upstream.healthcheck"
+            ngx.print(hc.status_page())
+        }
+    }
+--- request
+GET /t
+
+--- response_body
+Upstream foo.com
+    Primary Peers
+        127.0.0.1:12355 DOWN
+    Backup Peers
+
+--- error_log
+certificate host mismatch
+
+
+
+
+=== TEST 22: SSL health check with certificate created with a different server name should work when ssl_verify is true and correct server name is given
+--- http_config eval
+"$::HttpConfig"
+. q{
+lua_ssl_trusted_certificate ../../ssl/foo_bar.crt;
+
+upstream foo.com {
+    server 127.0.0.1:12355;
+}
+
+server {
+    listen 12355;
+    ssl on;
+    ssl_certificate ../../ssl/foo_bar.crt;
+    ssl_certificate_key ../../ssl/foo_bar.key;
+    location = /status {
+        return 200;
+    }
+}
+
+lua_shared_dict healthcheck 1m;
+init_worker_by_lua_block {
+    ngx.shared.healthcheck:flush_all()
+    local hc = require "resty.upstream.healthcheck"
+    local ok, err = hc.spawn_checker{
+        shm = "healthcheck",
+        upstream = "foo.com",
+        type = "https",
+        ssl_verify = true,
+        ssl_reuse_session = true,
+        ssl_server_name = "foo.bar",
+        http_req = "GET /status HTTP/1.0\r\nHost: localhost\r\n\r\n",
+        interval = 100,  -- 100ms
+        fall = 2,
+        valid_statuses = {200},
+    }
+    if not ok then
+        ngx.log(ngx.ERR, "failed to spawn health checker: ", err)
+        return
+    end
+}
+}
+--- config
+    location = /t {
+        access_log off;
+        content_by_lua_block {
+            ngx.sleep(0.52)
+
+            local hc = require "resty.upstream.healthcheck"
+            ngx.print(hc.status_page())
+        }
+    }
+--- request
+GET /t
+
+--- response_body
+Upstream foo.com
+    Primary Peers
+        127.0.0.1:12355 up
+    Backup Peers
+
+--- error_log
+SSL reused session
+
+--- no_error_log
+certificate host mismatch
diff --git a/t/ssl/foo_bar.crt b/t/ssl/foo_bar.crt
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID7TCCAtWgAwIBAgIJAICJM4WgN4tdMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQxEDAOBgNVBAMTB2Zvby5iYXIwHhcNMTcwMjIyMjIwOTIx
+WhcNMjcwMjIwMjIwOTIxWjBXMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1T
+dGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYDVQQD
+Ewdmb28uYmFyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArI75zE4O
+cwwZ0wFz6aC17hgDd+GdhcRxhQFyY+TMCaq1cffOvgeoFdz33vWoWK6bxWlaY6ik
+6J1YvYZwtXmhtevVCGGhNAGb/4P/ebexYZt2ZnqLokLeZwzcWhcJdZxhxAMPO4pH
+ah+fL8SlOeYh+DZ44lUkVK2LPfywcxAEdXTxTzKaplXtoNyUbTEV8KYVZRejOqZw
+I7gamUhih7ETYYbjEAtcPszfftAsFn4BBPqOxfCsDRMo3zgTeMkENpp6mrSDSVXh
+ZB3tHrph7ZxZYVHgimswVlHFHuzKGKVSXwMh+IW3nPAJuEE21a4UkZv3/bd30eGc
+YLZraclhUzKNvQIDAQABo4G7MIG4MB0GA1UdDgQWBBTzWsRjCS+iM9IFKRkRObEp
+MzIMvTCBiAYDVR0jBIGAMH6AFPNaxGMJL6Iz0gUpGRE5sSkzMgy9oVukWTBXMQsw
+CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
+ZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYDVQQDEwdmb28uYmFyggkAgIkzhaA3i10w
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAQTOtOjA8cRpVO7Pn8Cr7
+e0Zw7wb8vM4oLND50KmK1V7xz2FG1Mn6He7ppc7tWAs3KAy0+hjudk8rk4TEYc5G
+eVYljDVG3kv05N/PjVpoyYGpOq/ZQZJvK3tMGfz8arHyq4u1GDBZ4Y8v/uJ09Qq4
+Zub88DN71MLdE+duv1LH4LrqsCGch0piZC9azP4meJ/HE2xLvRVyo4lSEKJTMnx/
+7kXTsGEEuXzJ0HBqLT0jp7nSEZK+SoCD1k9DE9T793gn8OWyhsQgq8B7ve3we6DL
+ePTxz0rtiZHu2xKwcEqfMMJZt2xAKKmZQ2F0ADXvuXvln9Bn02z/Z5PB03V770Pc
+aA==
+-----END CERTIFICATE-----
diff --git a/t/ssl/foo_bar.key b/t/ssl/foo_bar.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEArI75zE4OcwwZ0wFz6aC17hgDd+GdhcRxhQFyY+TMCaq1cffO
+vgeoFdz33vWoWK6bxWlaY6ik6J1YvYZwtXmhtevVCGGhNAGb/4P/ebexYZt2ZnqL
+okLeZwzcWhcJdZxhxAMPO4pHah+fL8SlOeYh+DZ44lUkVK2LPfywcxAEdXTxTzKa
+plXtoNyUbTEV8KYVZRejOqZwI7gamUhih7ETYYbjEAtcPszfftAsFn4BBPqOxfCs
+DRMo3zgTeMkENpp6mrSDSVXhZB3tHrph7ZxZYVHgimswVlHFHuzKGKVSXwMh+IW3
+nPAJuEE21a4UkZv3/bd30eGcYLZraclhUzKNvQIDAQABAoIBAQCrOeiHoYDXCk/p
+wExLrIw6qRtv7rGHVgmrCGeA1jzc7sbDQzmj+ScCItTXKf6VmRW7CzKFJ4gTxmaT
+Ef9vJDWhtlUazv3OBDbOkiWEmxFpoIEZaUp7hUz5Bpr0zl01liqw/LQ1yZ3ZoW0t
+Ujz9ue1FRpAnToMRf29m4AIa+u7huLkghgQBieerfDMfVyXo18U4NdwcJMdDUiQC
+P77qwkoSnlN7fpVbKCUtKNMDkOzxWt/VEkiIYaPzSphv4dCYBUXkjJ+TewMDmuCO
+gBMTgIgXKlz8+vRAPLUAtjNQWS3c1Gc1tp70TZKOVckhXfKQrDN6prCjngFcERN0
+9ZB8jZMlAoGBAOXBp95wZBOoR4l37qFUTwdCIOKtIohq1EMpG6grcR9NAiwwzSjs
+fTapO6NGDE8EE5tLLZ9sEMNZS4Eg7551emipDc7LGBGcO0bmh5vhSY5TFrmoTNsj
+ymNUCMp/EdKgMNIPFTOqMphKu6cv7SCcYQSlk17GznpvkCikBzfEBjaTAoGBAMBE
+yRGk69vxFF+HjMPy2wpvrwO4Ada9Sh3ctRIm7Y+3oRO4lN5wH/htSMs7Ehfno0vV
+GybSAuMo1GHlzi0knXZi97kwZqvjdyoG1MICyF1kNEszasO9Zl5t1jtrBy69A3rd
+DT91tkdvx6yZtyCkwnF5GPC+RPpK3MxVFN5DhgxvAoGACGygXhya3smlzdmS62Fv
+AGIhWI5mnL/mBoxkUjc9j5tAQCSN8TkyoiV0ZVk1LFSG74PDKXxJ5Q/KH/L4NkQy
+d9HzCqkRuduTpNbhFAsfqlNLmwUbxFE8o4W6SMp9+c4b3CfnbByKfGEJHmk4daCm
+QghcLfZ2LbEXhRX2mcnbPHcCgYAuP11uFRF2siKIZ/6AE6aEeCDM8DHhCV8Ol8wm
+NZ7m9vCT4c5NQwMtqnvcBrVvcpRg5T3GtLVlFqkfczuIuEn39A5KSU4pAmnjfgkn
+MawoarX5cMC5nJFHHXxuhmwP3f88SnepUBMsU8LfzYmzHG55BPvuzJWi7ub1b3G5
+lNxlmQKBgQCuoTK8E95zIzfI5xdjhLGuHGOPY6iKUBJ45etcaDpW8xzzk5qPehOn
+a6A5C9owcoGUcYhyU3qFZ3Ah7a7++wPQFvrs1ayUHaP+yVLkbcKxi7L1AcsBCOSX
+D8N9Z7w4nWjel50x+UOSUCr+hQmy9XrGevQzfkmFWc8I2G+QVH614A==
+-----END RSA PRIVATE KEY-----
