mirror of https://github.com/nginx-proxy/nginx-proxy synced 2024-05-11 18:16:07 +02:00
nginx-proxy/test/test_ssl/test_dhparam.yml

2021-09-28 10:54:22 +02:00  tests: Revise dhparams tests

- `dhparam_generation` tests are no longer necessary, dropped. Modified the remaining `dhparam` test to use multiple `nginx-proxy` images to verify correct behavior for different configs. Tests now cover:
  - Default (ffdhe4096) is used.
  - Alternative via ENV (ffdhe2048) works correctly.
  - Invalid group via ENV (1024-bit) fails.
  - Custom DH params provided via file mount works with warning emitted.

---

- `assert_log_contains`: added a `container_name` arg with `nginxproxy` as the default value. This allows multiple nginx-proxy containers to utilize this method instead.
- Extracted out the `openssl` test (to `negotiate_cipher()`) and modified it to be a bit more flexible. It now takes a container with optional extra args to pass to the `openssl` command called, as well as the `grep` string to match. This made the original test redundant, so I've dropped it.
- Added two methods to use `negotiate_cipher()`, one verifies a DHE cipher suite was negotiated and checks that a DH ephemeral key was also mentioned in the output. The other method verifies the expectation of failing to negotiate a valid cipher if DH params have not been set, while verifying that non-DHE cipher suites can be successfully negotiated.
- Added a `get_env()` method for extracting attached environments on a container. This is useful for verifying invalid `DHPARAM_BITS` values (e.g. `1024`-bit).
- The original `Server Temp Key` assertion was incorrect, it was expecting a value that is unrelated to DHE cipher suite support (`X25519` is related to ECDHE). This is due to TLS 1.3 being negotiated where you cannot use custom DH params, nor influence the negotiated cipher due to this mechanism changing from TLS 1.3. TLS 1.3 does support DH params, but it internally negotiates an RFC 7919 group between server and client instead. Thus to verify expectations, the connection via `openssl` is made explicitly with TLS 1.2 instead.

web5:
  image: web
  expose:
    - "85"
  environment:
    WEB_PORTS: "85"
    VIRTUAL_HOST: "web5.nginx-proxy.tld"

# sut - System Under Test
# `docker.sock` required for functionality
# `certs` required to enable HTTPS via template
with_default_group:
  container_name: dh-default
  image: &img-nginxproxy nginxproxy/nginx-proxy:test
  volumes: &vols-common
    - &docker-sock /var/run/docker.sock:/tmp/docker.sock:ro
    - &nginx-certs ./certs:/etc/nginx/certs:ro

with_alternative_group:
  container_name: dh-env
  environment:
    - DHPARAM_BITS=2048
  image: *img-nginxproxy
  volumes: *vols-common

with_invalid_group:
  container_name: invalid-group-1024
  environment:
    - DHPARAM_BITS=1024
  image: *img-nginxproxy
  volumes: *vols-common

with_custom_file:
  container_name: dh-file
  image: *img-nginxproxy
  volumes:
    - *docker-sock
    - *nginx-certs
    - ../../dhparam/ffdhe3072.pem:/etc/nginx/dhparam/dhparam.pem:ro

with_skip:
  container_name: dh-skip
  environment:
    - DHPARAM_SKIP=true
  image: *img-nginxproxy
  volumes: *vols-common

with_skip_backward:
  container_name: dh-skip-backward
  environment:
    - DHPARAM_GENERATION=false
  image: *img-nginxproxy
  volumes: *vols-common
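The check the commit message above describes, as an added example that is not part of nginx-proxy or its test suite: a small Python helper that builds the TLS 1.2-only `openssl s_client` probe, parses its output, and accepts the handshake only when a DHE suite was negotiated and the server's ephemeral key is a finite-field DH group of adequate size. An `X25519` temp key (what a TLS 1.3 handshake reports) is rejected, because it says nothing about the DH parameters nginx loaded. The hostnames, the 2048-bit minimum, and the three `s_client` transcripts are assumptions constructed for the offline check, not captured from any of the containers defined above.

```python
"""Check `openssl s_client` output for a finite-field DHE (ffdhe) key exchange.

Added example, not code from nginx-proxy or its test suite. Pin the probe to
TLS 1.2, offer only DHE suites, then require both a DHE-* cipher and a
"Server Temp Key: DH, N bits" line. "Server Temp Key: X25519" means ECDHE or
a TLS 1.3 key share and does not prove custom DH params are in use.
Transcripts below are constructed by hand for the offline check.
"""
import re
import subprocess
from typing import List, NamedTuple, Optional


class Handshake(NamedTuple):
    protocol: Optional[str]       # e.g. "TLSv1.2"
    cipher: Optional[str]         # e.g. "DHE-RSA-AES256-GCM-SHA384"
    temp_key_type: Optional[str]  # "DH", "ECDH" or "X25519"
    temp_key_bits: Optional[int]


# Matched against the SSL-Session block and the "Server Temp Key:" line that
# OpenSSL 1.1+ prints; the optional middle field covers "ECDH, P-256, 256 bits".
_PROTO = re.compile(r"^[ \t]*Protocol[ \t]*:[ \t]*(\S+)", re.M)
_CIPHER = re.compile(r"^[ \t]*Cipher[ \t]*:[ \t]*(\S+)", re.M)
_TEMP_KEY = re.compile(
    r"^Server Temp Key:[ \t]*([^,\n]+),[ \t]*(?:[^,\n]+,[ \t]*)?(\d+) bits", re.M)


def parse_s_client(output: str) -> Handshake:
    """Extract protocol, cipher and ephemeral key; missing fields become None."""
    proto, cipher, tmp = (_PROTO.search(output), _CIPHER.search(output),
                          _TEMP_KEY.search(output))
    return Handshake(
        proto.group(1) if proto else None,
        cipher.group(1) if cipher else None,
        tmp.group(1).strip() if tmp else None,
        int(tmp.group(2)) if tmp else None,
    )


def is_ffdhe(hs: Handshake, min_bits: int = 2048) -> bool:
    """True only for a TLS 1.2 DHE suite backed by a DH group of >= min_bits
    (so a 1024-bit group, as DHPARAM_BITS=1024 above attempts, is rejected)."""
    return (hs.protocol == "TLSv1.2"
            and hs.cipher is not None and hs.cipher.startswith("DHE-")
            and hs.temp_key_type == "DH"
            and hs.temp_key_bits is not None and hs.temp_key_bits >= min_bits)


def openssl_command(host: str, port: int = 443, sni: Optional[str] = None,
                    ciphers: str = "DHE") -> List[str]:
    """argv for a TLS 1.2-only probe that offers just the given cipher list."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}",
            "-servername", sni or host, "-tls1_2", "-cipher", ciphers]


def probe(host: str, port: int = 443, sni: Optional[str] = None,
          ciphers: str = "DHE", timeout: float = 10.0) -> Handshake:
    """Run the probe against a live server (needs network; not used offline)."""
    res = subprocess.run(openssl_command(host, port, sni, ciphers),
                         input=b"", capture_output=True, timeout=timeout)
    return parse_s_client(res.stdout.decode(errors="replace")
                          + res.stderr.decode(errors="replace"))


# --- constructed transcripts, trimmed to the lines the parser reads ---
SAMPLE_DHE_TLS12 = """CONNECTED(00000003)
Server Temp Key: DH, 4096 bits
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
"""

# TLS 1.3: the peers pick an RFC 7919 group or an ECDHE curve themselves, so a
# mounted dhparam.pem has no effect and X25519 is what gets reported.
SAMPLE_TLS13_X25519 = """CONNECTED(00000003)
Server Temp Key: X25519, 253 bits
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
"""

# No DH params on the server and only DHE offered: handshake_failure alert.
SAMPLE_NO_DHE = """CONNECTED(00000003)
40A7D1F2A17F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1586:SSL alert number 40
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""
```

`probe("web5.nginx-proxy.tld")` against the `dh-default` container should satisfy `is_ffdhe` (4096-bit DH), `dh-env` should satisfy it with a 2048-bit key, and `invalid-group-1024` should not produce a handshake at all; run the same probe with `ciphers="ECDHE"` to confirm the non-DHE path still negotiates when no DH params are loaded.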