summaryrefslogtreecommitdiffstats
path: root/tests/conf/test-inspect-ssl.cfg
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:18:05 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:18:05 +0000
commitb46aad6df449445a9fc4aa7b32bd40005438e3f7 (patch)
tree751aa858ca01f35de800164516b298887382919d /tests/conf/test-inspect-ssl.cfg
parentInitial commit. (diff)
downloadhaproxy-b46aad6df449445a9fc4aa7b32bd40005438e3f7.tar.xz
haproxy-b46aad6df449445a9fc4aa7b32bd40005438e3f7.zip
Adding upstream version 2.9.5.upstream/2.9.5
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tests/conf/test-inspect-ssl.cfg')
-rw-r--r--tests/conf/test-inspect-ssl.cfg37
1 files changed, 37 insertions, 0 deletions
diff --git a/tests/conf/test-inspect-ssl.cfg b/tests/conf/test-inspect-ssl.cfg
new file mode 100644
index 0000000..582d1a2
--- /dev/null
+++ b/tests/conf/test-inspect-ssl.cfg
@@ -0,0 +1,37 @@
+# This is a test configuration. It listens on port 8443, waits for an incoming
+# connection, and applies the following rules :
+# - if the address is in the white list, then accept it and forward the
+# connection to the server (local port 443)
+# - if the address is in the black list, then immediately drop it
+# - otherwise, wait up to 3 seconds for valid SSL data to come in. If those
+# data are identified as SSL, the connection is immediately accepted, and
+# if they are definitely identified as non-SSL, the connection is rejected,
+# which will happen upon timeout if they still don't match SSL.
+
+listen block-non-ssl
+ log 127.0.0.1:514 local0
+ option tcplog
+
+ mode tcp
+ bind :8443
+ timeout client 6s
+ timeout server 6s
+ timeout connect 6s
+
+ tcp-request inspect-delay 4s
+
+ acl white_list src 127.0.0.2
+ acl black_list src 127.0.0.3
+
+ # note: SSLv2 is not used anymore, SSLv3.1 is TLSv1.
+ acl obsolete_ssl req_ssl_ver lt 3
+ acl correct_ssl req_ssl_ver 3.0-3.1
+ acl invalid_ssl req_ssl_ver gt 3.1
+
+ tcp-request content accept if white_list
+ tcp-request content reject if black_list
+ tcp-request content reject if !correct_ssl
+
+ balance roundrobin
+ server srv1 127.0.0.1:443
+