diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:35:11 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:35:11 +0000 |
commit | da76459dc21b5af2449af2d36eb95226cb186ce2 (patch) | |
tree | 542ebb3c1e796fac2742495b8437331727bbbfa0 /tests/conf/test-inspect-ssl.cfg | |
parent | Initial commit. (diff) | |
download | haproxy-upstream/2.6.12.tar.xz haproxy-upstream/2.6.12.zip |
Adding upstream version 2.6.12.upstream/2.6.12upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tests/conf/test-inspect-ssl.cfg')
-rw-r--r-- | tests/conf/test-inspect-ssl.cfg | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/tests/conf/test-inspect-ssl.cfg b/tests/conf/test-inspect-ssl.cfg new file mode 100644 index 0000000..582d1a2 --- /dev/null +++ b/tests/conf/test-inspect-ssl.cfg @@ -0,0 +1,37 @@ +# This is a test configuration. It listens on port 8443, waits for an incoming +# connection, and applies the following rules : +# - if the address is in the white list, then accept it and forward the +# connection to the server (local port 443) +# - if the address is in the black list, then immediately drop it +# - otherwise, wait up to 3 seconds for valid SSL data to come in. If those +# data are identified as SSL, the connection is immediately accepted, and +# if they are definitely identified as non-SSL, the connection is rejected, +# which will happen upon timeout if they still don't match SSL. + +listen block-non-ssl + log 127.0.0.1:514 local0 + option tcplog + + mode tcp + bind :8443 + timeout client 6s + timeout server 6s + timeout connect 6s + + tcp-request inspect-delay 4s + + acl white_list src 127.0.0.2 + acl black_list src 127.0.0.3 + + # note: SSLv2 is not used anymore, SSLv3.1 is TLSv1. + acl obsolete_ssl req_ssl_ver lt 3 + acl correct_ssl req_ssl_ver 3.0-3.1 + acl invalid_ssl req_ssl_ver gt 3.1 + + tcp-request content accept if white_list + tcp-request content reject if black_list + tcp-request content reject if !correct_ssl + + balance roundrobin + server srv1 127.0.0.1:443 + |