6 files changed, 231 insertions, 0 deletions

diff --git a/debian/tests/cli b/debian/tests/cli
new file mode 100644
index 0000000..941b4af
--- /dev/null
+++ b/debian/tests/cli
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+echo "show stat" | socat STDIO UNIX-CONNECT:/run/haproxy/admin.sock | grep "^#"
+
+echo "show info" | socat STDIO UNIX-CONNECT:/run/haproxy/admin.sock | grep "^Version:"
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..ccc2b53
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,15 @@
+Tests: cli
+Depends: haproxy, socat
+Restrictions: needs-root
+
+Tests: proxy-localhost
+Depends: haproxy, wget, apache2
+Restrictions: needs-root, allow-stderr, isolation-container
+
+Tests: proxy-ssl-termination
+Depends: haproxy, wget, apache2, gnutls-bin, ssl-cert
+Restrictions: needs-root, allow-stderr, isolation-container
+
+Tests: proxy-ssl-pass-through
+Depends: haproxy, wget, apache2, gnutls-bin, ssl-cert
+Restrictions: needs-root, allow-stderr, isolation-container
diff --git a/debian/tests/proxy-localhost b/debian/tests/proxy-localhost
new file mode 100644
index 0000000..0736985
--- /dev/null
+++ b/debian/tests/proxy-localhost
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+set -eux
+
+WDIR=$(dirname "$0")
+. "${WDIR}/utils"
+
+cat > /etc/haproxy/haproxy.cfg <<EOF
+global
+        chroot /var/lib/haproxy
+        user haproxy
+        group haproxy
+        daemon
+        maxconn 4096
+
+defaults
+        log global
+        option dontlognull
+        option redispatch
+        retries 3
+        timeout client 50s
+        timeout connect 10s
+        timeout http-request 5s
+        timeout server 50s
+        maxconn 4096
+
+frontend test-front
+    bind *:8080
+    mode http
+    default_backend test-back
+
+backend test-back
+    mode http
+    stick store-request src
+    stick-table type ip size 256k expire 30m
+    server test-1 localhost:80
+EOF
+
+service haproxy restart
+sleep 2  # Apache 2 could be still starting... See #976997.
+
+check_index_file "http://localhost:8080"
+
+exit 0
diff --git a/debian/tests/proxy-ssl-pass-through b/debian/tests/proxy-ssl-pass-through
new file mode 100644
index 0000000..aa0bd2c
--- /dev/null
+++ b/debian/tests/proxy-ssl-pass-through
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+set -eux
+
+WDIR=$(dirname "$0")
+. "${WDIR}/utils"
+
+CERT_DIR=/etc/ssl/localhost
+APACHE2_CONFIG=/etc/apache2/sites-available/default-ssl.conf
+
+create_ca
+create_selfsigned_cert ${CERT_DIR}
+
+# Use the self-signed certificate in apache2 config
+sed -i "s#/etc/ssl/certs/ssl-cert-snakeoil.pem#${CERT_DIR}/localhost_cert.pem#" ${APACHE2_CONFIG}
+sed -i "s#/etc/ssl/private/ssl-cert-snakeoil.key#${CERT_DIR}/localhost_key.pem#" ${APACHE2_CONFIG}
+
+cat > /etc/haproxy/haproxy.cfg <<EOF
+global
+        chroot /var/lib/haproxy
+        user haproxy
+        group haproxy
+        daemon
+        maxconn 4096
+
+defaults
+        log global
+        option dontlognull
+        option redispatch
+        retries 3
+        timeout client 50s
+        timeout connect 10s
+        timeout http-request 5s
+        timeout server 50s
+        maxconn 4096
+
+frontend test-front
+    bind *:4433
+    mode tcp
+    option tcplog
+    default_backend test-back
+
+backend test-back
+    mode tcp
+    stick store-request src
+    stick-table type ip size 256k expire 30m
+    option ssl-hello-chk
+    server test-1 localhost:443 check
+EOF
+
+systemctl restart haproxy
+a2enmod ssl
+a2ensite default-ssl
+systemctl restart apache2
+sleep 5  # Apache 2 could be still starting... See #976997. It needs some extra seconds because of SSL
+
+check_index_file "https://localhost:4433"
+
+exit 0
diff --git a/debian/tests/proxy-ssl-termination b/debian/tests/proxy-ssl-termination
new file mode 100644
index 0000000..6cc1bcc
--- /dev/null
+++ b/debian/tests/proxy-ssl-termination
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+set -eux
+
+WDIR=$(dirname "$0")
+. "${WDIR}/utils"
+
+CERT_DIR=/etc/ssl/localhost
+create_ca
+create_selfsigned_cert ${CERT_DIR}
+
+cat > /etc/haproxy/haproxy.cfg <<EOF
+global
+        chroot /var/lib/haproxy
+        user haproxy
+        group haproxy
+        daemon
+        maxconn 4096
+        ssl-default-bind-options ssl-min-ver SSLv3
+
+defaults
+        log global
+        option dontlognull
+        option redispatch
+        retries 3
+        timeout client 50s
+        timeout connect 10s
+        timeout http-request 5s
+        timeout server 50s
+        maxconn 4096
+
+frontend test-front
+    bind *:443 ssl crt ${CERT_DIR}/localhost.pem
+    default_backend test-back
+
+backend test-back
+    mode http
+    stick store-request src
+    stick-table type ip size 256k expire 30m
+    server test-1 localhost:80 check
+EOF
+
+systemctl restart haproxy
+sleep 2  # Apache 2 could be still starting... See #976997.
+
+check_index_file "https://localhost"
+
+exit 0
diff --git a/debian/tests/utils b/debian/tests/utils
new file mode 100644
index 0000000..df11b55
--- /dev/null
+++ b/debian/tests/utils
@@ -0,0 +1,58 @@
+
+create_ca() {
+  certtool --generate-privkey --bits 4096 --outfile /etc/ssl/private/mycakey.pem
+
+  cat <<EOF > /etc/ssl/ca.info
+cn = Example Company
+ca
+cert_signing_key
+expiration_days = 3650
+EOF
+
+  certtool --generate-self-signed \
+        --load-privkey /etc/ssl/private/mycakey.pem \
+        --template /etc/ssl/ca.info \
+        --outfile /usr/local/share/ca-certificates/mycacert.crt
+
+  update-ca-certificates
+}
+
+create_selfsigned_cert() {
+  dir="$1"
+  mkdir -p "${dir}"
+
+  certtool --generate-privkey --bits 2048 --outfile "${dir}/localhost_key.pem"
+
+  cat <<EOF > "${dir}/localhost.info"
+organization = Example Company
+cn = localhost
+tls_www_server
+encryption_key
+signing_key
+expiration_days = 365
+EOF
+
+  certtool --generate-certificate \
+        --load-privkey "${dir}/localhost_key.pem" \
+        --load-ca-certificate /etc/ssl/certs/mycacert.pem \
+        --load-ca-privkey /etc/ssl/private/mycakey.pem \
+        --template "${dir}/localhost.info" \
+        --outfile "${dir}/localhost_cert.pem"
+
+  cat "${dir}/localhost_cert.pem" "${dir}/localhost_key.pem" | tee "${dir}/localhost.pem"
+  chgrp haproxy "${dir}/localhost_key.pem" "${dir}/localhost.pem"
+  chmod 0640 "${dir}/localhost_key.pem" "${dir}/localhost.pem"
+}
+
+check_index_file() {
+  haproxy_url="$1"
+  # index.html is shipped with apache2
+  # Download it via haproxy and compare
+  if wget -t1 "${haproxy_url}" -O- | cmp /var/www/html/index.html -; then
+      echo "OK: index.html downloaded via haproxy matches the source file."
+  else
+      echo "FAIL: downloaded index.html via haproxy is different from the"
+      echo "      file delivered by apache."
+      exit 1
+  fi
+}