tests: Verify site-specific DH params feature works correctly

This addition requires usage of `DEFAULT_HOST` on containers tested to ensure they don't accidentally use `web2` as their default fallback (due to no SNI / `-servername` requested in openssl queries), otherwise they would be testing against the incorrect DH params response. They could alternatively request an FQDN explicitly as well, instead of relying on implicit fallback/default server selection behaviour. --- `web2.nginx-proxy.tld.dhparam.pem` is a copy of `ffdhe2048.pem`.
2024-05-19 05:56:07 +02:00 · 2021-12-21 17:50:58 +13:00 · 2021-12-21 17:50:58 +13:00 · 9dc9d90d34
parent 0f15130476
commit 9dc9d90d34
3 changed files with 52 additions and 0 deletions
--- a/test/test_ssl/certs/web2.nginx-proxy.tld.dhparam.pem
+++ b/test/test_ssl/certs/web2.nginx-proxy.tld.dhparam.pem
@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
--- a/test/test_ssl/test_dhparam.py
+++ b/test/test_ssl/test_dhparam.py
@ -200,6 +200,30 @@ def test_custom_dhparam_is_supported(docker_compose):
    can_negotiate_dhe_ciphersuite(sut_container, 3072)


+# Only `web2` has a site-specific DH param file (which overrides all other DH config)
+# Other tests here use `web5` explicitly, or implicitly (via ENV `DEFAULT_HOST`, otherwise first HTTPS server)
+def test_custom_dhparam_is_supported_per_site(docker_compose):
+    container_name="dh-file"
+    sut_container = docker_client.containers.get(container_name)
+    assert sut_container.status == "running"
+
+    # A site specific `dhparam.pem` with DH group size of 2048-bit.
+    # DH group size should not match the:
+    # - 4096-bit default.
+    # - 3072-bit default, overriden by file.
+    should_be_equivalent_content(
+        sut_container,
+        "/app/dhparam/ffdhe2048.pem",
+        "/etc/nginx/certs/web2.nginx-proxy.tld.dhparam.pem"
+    )
+
+    # `-servername` required for nginx-proxy to respond with site-specific DH params used:
+    can_negotiate_dhe_ciphersuite(sut_container, 2048, '-servername web2.nginx-proxy.tld')
+
+
+# NOTE: These two tests will fail without the ENV `DEFAULT_HOST` to prevent
+# accidentally falling back to `web2` as the default server, which has explicit DH params configured.
+# Only copying DH params is skipped, not explicit usage via user providing custom files.
 def test_can_skip_dhparam(docker_compose):
    container_name="dh-skip"
    sut_container = docker_client.containers.get(container_name)
--- a/test/test_ssl/test_dhparam.yml
+++ b/test/test_ssl/test_dhparam.yml
@ -6,12 +6,27 @@ web5:
    WEB_PORTS: "85"
    VIRTUAL_HOST: "web5.nginx-proxy.tld"

+# Intended for testing with `dh-file` container.
+# VIRTUAL_HOST is paired with site-specific DH param file.
+# DEFAULT_HOST is required to avoid defaulting to web2,
+# if not specifying FQDN (`-servername`) in openssl queries.
+web2:
+  image: web
+  expose:
+    - "85"
+  environment:
+    WEB_PORTS: "85"
+    VIRTUAL_HOST: "web2.nginx-proxy.tld"
+
+
 # sut - System Under Test
 # `docker.sock` required for functionality
 # `certs` required to enable HTTPS via template
 with_default_group:
  container_name: dh-default
  image: &img-nginxproxy nginxproxy/nginx-proxy:test
+  environment: &env-common
+    - &default-host DEFAULT_HOST=web5.nginx-proxy.tld
  volumes: &vols-common
    - &docker-sock /var/run/docker.sock:/tmp/docker.sock:ro
    - &nginx-certs ./certs:/etc/nginx/certs:ro
@ -20,6 +35,7 @@ with_alternative_group:
  container_name: dh-env
  environment:
    - DHPARAM_BITS=3072
+    - *default-host
  image: *img-nginxproxy
  volumes: *vols-common

@ -27,12 +43,14 @@ with_invalid_group:
  container_name: invalid-group-1024
  environment:
    - DHPARAM_BITS=1024
+    - *default-host
  image: *img-nginxproxy
  volumes: *vols-common

 with_custom_file:
  container_name: dh-file
  image: *img-nginxproxy
+  environment: *env-common
  volumes:
    - *docker-sock
    - *nginx-certs
@ -42,6 +60,7 @@ with_skip:
  container_name: dh-skip
  environment:
    - DHPARAM_SKIP=true
+    - *default-host
  image: *img-nginxproxy
  volumes: *vols-common

@ -49,5 +68,6 @@ with_skip_backward:
  container_name: dh-skip-backward
  environment:
    - DHPARAM_GENERATION=false
+    - *default-host
  image: *img-nginxproxy
  volumes: *vols-common