diff --git a/internal/configs/version1/nginx-plus.ingress.tmpl b/internal/configs/version1/nginx-plus.ingress.tmpl index ab8760865d..e4b11629e8 100644 --- a/internal/configs/version1/nginx-plus.ingress.tmpl +++ b/internal/configs/version1/nginx-plus.ingress.tmpl @@ -36,15 +36,18 @@ server { {{if $server.SSL}} {{if $server.TLSPassthrough}} - listen unix:/var/lib/nginx/passthrough-https.sock ssl{{if $server.HTTP2}} http2{{end}} proxy_protocol; + listen unix:/var/lib/nginx/passthrough-https.sock ssl proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; {{else}} {{- range $port := $server.SSLPorts}} - listen {{$port}} ssl{{if $server.HTTP2}} http2{{end}}{{if $server.ProxyProtocol}} proxy_protocol{{end}}; - {{if not $server.DisableIPV6}}listen [::]:{{$port}} ssl{{if $server.HTTP2}} http2{{end}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}} + listen {{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}}; + {{if not $server.DisableIPV6}}listen [::]:{{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}} {{- end}} {{end}} + {{if $server.HTTP2}} + http2 on; + {{end}} {{if $server.SSLRejectHandshake}} ssl_reject_handshake on; {{else}} diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl index cc8cf394dd..07273db3b1 100644 --- a/internal/configs/version1/nginx-plus.tmpl +++ b/internal/configs/version1/nginx-plus.tmpl @@ -157,12 +157,16 @@ http { {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort }} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} {{if .TLSPassthrough}} - listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server{{if .HTTP2}} http2{{end}} proxy_protocol; + listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; {{else}} - listen {{ .DefaultHTTPSListenerPort }} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}}; - {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort }} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} + listen {{ .DefaultHTTPSListenerPort }} ssl default_server{{if .ProxyProtocol}} proxy_protocol{{end}}; + {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort }} ssl default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} + {{end}} + + {{if .HTTP2}} + http2 on; {{end}} {{if .SSLRejectHandshake}} diff --git a/internal/configs/version1/nginx.ingress.tmpl b/internal/configs/version1/nginx.ingress.tmpl index 8c1e111fb5..670ad48f06 100644 --- a/internal/configs/version1/nginx.ingress.tmpl +++ b/internal/configs/version1/nginx.ingress.tmpl @@ -26,15 +26,18 @@ server { {{if $server.SSL}} {{if $server.TLSPassthrough}} - listen unix:/var/lib/nginx/passthrough-https.sock ssl{{if $server.HTTP2}} http2{{end}} proxy_protocol; + listen unix:/var/lib/nginx/passthrough-https.sock ssl proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; {{else}} {{- range $port := $server.SSLPorts}} - listen {{$port}} ssl{{if $server.HTTP2}} http2{{end}}{{if $server.ProxyProtocol}} proxy_protocol{{end}}; - {{if not $server.DisableIPV6}}listen [::]:{{$port}} ssl{{if $server.HTTP2}} http2{{end}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}} + listen {{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}}; + {{if not $server.DisableIPV6}}listen [::]:{{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}} {{- end}} {{end}} + {{if $server.HTTP2}} + http2 on; + {{end}} {{if $server.SSLRejectHandshake}} ssl_reject_handshake on; {{else}} diff --git a/internal/configs/version1/nginx.tmpl b/internal/configs/version1/nginx.tmpl index c1d4ec590c..b765eec6a0 100644 --- a/internal/configs/version1/nginx.tmpl +++ b/internal/configs/version1/nginx.tmpl @@ -110,12 +110,16 @@ http { {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort}} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} {{if .TLSPassthrough}} - listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server{{if .HTTP2}} http2{{end}} proxy_protocol; + listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; {{else}} - listen {{ .DefaultHTTPSListenerPort}} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}}; - {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort}} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} + listen {{ .DefaultHTTPSListenerPort}} ssl default_server{{if .ProxyProtocol}} proxy_protocol{{end}}; + {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort}} ssl default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} + {{end}} + + {{if .HTTP2}} + http2 on; {{end}} {{if .SSLRejectHandshake}} diff --git a/internal/configs/version1/template_test.go b/internal/configs/version1/template_test.go index 4ef7b96737..2285b60ece 100644 --- a/internal/configs/version1/template_test.go +++ b/internal/configs/version1/template_test.go @@ -665,6 +665,298 @@ func TestExecuteTemplate_ForMainForNGINXPlusWithCustomDefaultHTTPSListenerPort(t } } +func TestExecuteTemplate_ForMainForNGINXWithHTTP2On(t *testing.T) { + t.Parallel() + + tmpl := newNGINXMainTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, mainCfgHTTP2On) + t.Log(buf.String()) + + if err != nil { + t.Fatalf("Failed to write template %v", err) + } + + wantDirectives := []string{ + "listen 443 ssl default_server;", + "listen [::]:443 ssl default_server;", + "http2 on;", + } + + unwantDirectives := []string{ + "listen 443 ssl default_server http2;", + "listen [::]:443 ssl default_server http2;", + } + + mainConf := buf.String() + for _, want := range wantDirectives { + if !strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } + + for _, want := range unwantDirectives { + if strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForMainForNGINXPlusWithHTTP2On(t *testing.T) { + t.Parallel() + + tmpl := newNGINXPlusMainTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, mainCfgHTTP2On) + t.Log(buf.String()) + + if err != nil { + t.Fatalf("Failed to write template %v", err) + } + + wantDirectives := []string{ + "listen 443 ssl default_server;", + "listen [::]:443 ssl default_server;", + "http2 on;", + } + + unwantDirectives := []string{ + "listen 443 ssl default_server http2;", + "listen [::]:443 ssl default_server http2;", + } + + mainConf := buf.String() + for _, want := range wantDirectives { + if !strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } + + for _, want := range unwantDirectives { + if strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForMainForNGINXWithHTTP2Off(t *testing.T) { + t.Parallel() + + tmpl := newNGINXMainTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, mainCfg) + t.Log(buf.String()) + + if err != nil { + t.Fatalf("Failed to write template %v", err) + } + + wantDirectives := []string{ + "listen 443 ssl default_server;", + "listen [::]:443 ssl default_server;", + } + + unwantDirectives := []string{ + "http2 on;", + } + + mainConf := buf.String() + for _, want := range wantDirectives { + if !strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } + + for _, want := range unwantDirectives { + if strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForMainForNGINXPlusWithHTTP2Off(t *testing.T) { + t.Parallel() + + tmpl := newNGINXPlusMainTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, mainCfg) + t.Log(buf.String()) + + if err != nil { + t.Fatalf("Failed to write template %v", err) + } + + wantDirectives := []string{ + "listen 443 ssl default_server;", + "listen [::]:443 ssl default_server;", + } + + unwantDirectives := []string{ + "http2 on;", + } + + mainConf := buf.String() + for _, want := range wantDirectives { + if !strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } + + for _, want := range unwantDirectives { + if strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForIngressForNGINXPlusWithHTTP2On(t *testing.T) { + t.Parallel() + + tmpl := newNGINXPlusIngressTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, ingressCfgHTTP2On) + t.Log(buf.String()) + if err != nil { + t.Fatal(err) + } + ingConf := buf.String() + + wantDirectives := []string{ + "listen 443 ssl;", + "listen [::]:443 ssl;", + "http2 on;", + } + + unwantDirectives := []string{ + "listen 443 ssl http2;", + "listen [::]:443 ssl http2;", + } + + for _, want := range wantDirectives { + if !strings.Contains(ingConf, want) { + t.Errorf("want %q in generated config", want) + } + } + + for _, want := range unwantDirectives { + if strings.Contains(ingConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForIngressForNGINXWithHTTP2On(t *testing.T) { + t.Parallel() + + tmpl := newNGINXIngressTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, ingressCfgHTTP2On) + t.Log(buf.String()) + if err != nil { + t.Fatal(err) + } + ingConf := buf.String() + + wantDirectives := []string{ + "listen 443 ssl;", + "listen [::]:443 ssl;", + "http2 on;", + } + + unwantDirectives := []string{ + "listen 443 ssl http2;", + "listen [::]:443 ssl http2;", + } + + for _, want := range wantDirectives { + if !strings.Contains(ingConf, want) { + t.Errorf("want %q in generated config", want) + } + } + + for _, want := range unwantDirectives { + if strings.Contains(ingConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForIngressForNGINXPlusWithHTTP2Off(t *testing.T) { + t.Parallel() + + tmpl := newNGINXPlusIngressTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, ingressCfg) + t.Log(buf.String()) + if err != nil { + t.Fatal(err) + } + ingConf := buf.String() + + wantDirectives := []string{ + "listen 443 ssl;", + "listen [::]:443 ssl;", + } + + unwantDirectives := []string{ + "http2 on;", + } + + for _, want := range wantDirectives { + if !strings.Contains(ingConf, want) { + t.Errorf("want %q in generated config", want) + } + } + + for _, want := range unwantDirectives { + if strings.Contains(ingConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForIngressForNGINXWithHTTP2Off(t *testing.T) { + t.Parallel() + + tmpl := newNGINXIngressTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, ingressCfg) + t.Log(buf.String()) + if err != nil { + t.Fatal(err) + } + ingConf := buf.String() + + wantDirectives := []string{ + "listen 443 ssl;", + "listen [::]:443 ssl;", + } + + unwantDirectives := []string{ + "http2 on;", + } + + for _, want := range wantDirectives { + if !strings.Contains(ingConf, want) { + t.Errorf("want %q in generated config", want) + } + } + + for _, want := range unwantDirectives { + if strings.Contains(ingConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + func newNGINXPlusIngressTmpl(t *testing.T) *template.Template { t.Helper() tmpl, err := template.New("nginx-plus.ingress.tmpl").Funcs(helperFunctions).ParseFiles("nginx-plus.ingress.tmpl") @@ -1001,6 +1293,32 @@ var ( VariablesHashMaxSize: 1024, } + mainCfgHTTP2On = MainConfig{ + DefaultHTTPListenerPort: 80, + DefaultHTTPSListenerPort: 443, + HTTP2: true, + ServerNamesHashMaxSize: "512", + ServerTokens: "off", + WorkerProcesses: "auto", + WorkerCPUAffinity: "auto", + WorkerShutdownTimeout: "1m", + WorkerConnections: "1024", + WorkerRlimitNofile: "65536", + LogFormat: []string{"$remote_addr", "$remote_user"}, + LogFormatEscaping: "default", + StreamSnippets: []string{"# comment"}, + StreamLogFormat: []string{"$remote_addr", "$remote_user"}, + StreamLogFormatEscaping: "none", + ResolverAddresses: []string{"example.com", "127.0.0.1"}, + ResolverIPV6: false, + ResolverValid: "10s", + ResolverTimeout: "15s", + KeepaliveTimeout: "65s", + KeepaliveRequests: 100, + VariablesHashBucketSize: 256, + VariablesHashMaxSize: 1024, + } + mainCfgCustomTLSPassthroughPort = MainConfig{ ServerNamesHashMaxSize: "512", ServerTokens: "off", @@ -1708,6 +2026,50 @@ var ( }, }, } + + // Ingress Config example without added annotations + ingressCfgHTTP2On = IngressNginxConfig{ + Servers: []Server{ + { + Name: "test.example.com", + ServerTokens: "off", + StatusZone: "test.example.com", + SSL: true, + HTTP2: true, + SSLCertificate: "secret.pem", + SSLCertificateKey: "secret.pem", + SSLPorts: []int{443}, + SSLRedirect: true, + Locations: []Location{ + { + Path: "/tea", + Upstream: testUpstream, + ProxyConnectTimeout: "10s", + ProxyReadTimeout: "10s", + ProxySendTimeout: "10s", + ClientMaxBodySize: "2m", + MinionIngress: &Ingress{ + Name: "tea-minion", + Namespace: "default", + }, + }, + }, + HealthChecks: map[string]HealthCheck{"test": healthCheck}, + JWTRedirectLocations: []JWTRedirectLocation{ + { + Name: "@login_url-default-cafe-ingress", + LoginURL: "https://test.example.com/login", + }, + }, + }, + }, + Upstreams: []Upstream{testUpstream}, + Keepalive: "16", + Ingress: Ingress{ + Name: "cafe-ingress", + Namespace: "default", + }, + } ) var testUpstream = Upstream{ diff --git a/internal/configs/version2/nginx-plus.virtualserver.tmpl b/internal/configs/version2/nginx-plus.virtualserver.tmpl index 9e836814d8..c1e62f019c 100644 --- a/internal/configs/version2/nginx-plus.virtualserver.tmpl +++ b/internal/configs/version2/nginx-plus.virtualserver.tmpl @@ -101,21 +101,25 @@ server { {{ with $ssl := $s.SSL }} {{ if $s.TLSPassthrough }} - listen unix:/var/lib/nginx/passthrough-https.sock{{ if $ssl.HTTP2 }} http2{{ end }} proxy_protocol; + listen unix:/var/lib/nginx/passthrough-https.sock proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; {{ else }} {{ if not $s.CustomListeners }} - listen 443 ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; - {{ if not $s.DisableIPV6 }}listen [::]:443 ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} + listen 443 ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; + {{ if not $s.DisableIPV6 }}listen [::]:443 ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} {{ else }} {{ if (gt $s.HTTPSPort 0) }} - listen {{ $s.HTTPSPort }} ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; - {{ if not $s.DisableIPV6 }}listen [::]:{{ $s.HTTPSPort }} ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} + listen {{ $s.HTTPSPort }} ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; + {{ if not $s.DisableIPV6 }}listen [::]:{{ $s.HTTPSPort }} ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} {{ end }} {{ end }} {{ end }} + {{ if $ssl.HTTP2 }} + http2 on; + {{ end }} + {{ if $ssl.RejectHandshake }} ssl_reject_handshake on; {{ else if $.SpiffeCerts }} diff --git a/internal/configs/version2/nginx.virtualserver.tmpl b/internal/configs/version2/nginx.virtualserver.tmpl index 66e550b464..fee0066a24 100644 --- a/internal/configs/version2/nginx.virtualserver.tmpl +++ b/internal/configs/version2/nginx.virtualserver.tmpl @@ -61,21 +61,26 @@ server { {{ with $ssl := $s.SSL }} {{ if $s.TLSPassthrough }} - listen unix:/var/lib/nginx/passthrough-https.sock{{ if $ssl.HTTP2 }} http2{{ end }} proxy_protocol; + listen unix:/var/lib/nginx/passthrough-https.sock proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; {{ else }} {{ if not $s.CustomListeners }} - listen 443 ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; - {{ if not $s.DisableIPV6 }}listen [::]:443 ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} + listen 443 ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; + {{ if not $s.DisableIPV6 }}listen [::]:443 ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} {{ else }} {{ if (gt $s.HTTPSPort 0) }} - listen {{ $s.HTTPSPort }} ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; - {{ if not $s.DisableIPV6 }}listen [::]:{{ $s.HTTPSPort }} ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} + listen {{ $s.HTTPSPort }} ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; + {{ if not $s.DisableIPV6 }}listen [::]:{{ $s.HTTPSPort }} ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} {{ end }} {{ end }} {{ end }} + {{ if $ssl.HTTP2 }} + http2 on; + {{ end }} + + {{ if $ssl.RejectHandshake }} ssl_reject_handshake on; {{ else if $.SpiffeCerts }} diff --git a/internal/configs/version2/templates_test.go b/internal/configs/version2/templates_test.go index 98b4d9a780..9e9968c6c0 100644 --- a/internal/configs/version2/templates_test.go +++ b/internal/configs/version2/templates_test.go @@ -166,6 +166,130 @@ func TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPSOnly t.Log(string(got)) } +func TestExecuteVirtualServerTemplate_RendersPlusTemplateWithHTTP2On(t *testing.T) { + t.Parallel() + executor := newTmplExecutorNGINXPlus(t) + got, err := executor.ExecuteVirtualServerTemplate(&virtualServerCfg) + if err != nil { + t.Error(err) + } + wantStrings := []string{ + "listen 443 ssl proxy_protocol;", + "listen [::]:443 ssl proxy_protocol;", + "http2 on;", + } + for _, want := range wantStrings { + if !bytes.Contains(got, []byte(want)) { + t.Errorf("want `%s` in generated template", want) + } + } + + unwantStrings := []string{ + "listen 443 ssl http2 proxy_protocol;", + "listen [::]:443 ssl http2 proxy_protocol;", + } + + for _, want := range unwantStrings { + if bytes.Contains(got, []byte(want)) { + t.Errorf("unwant `%s` in generated template", want) + } + } + + t.Log(string(got)) +} + +func TestExecuteVirtualServerTemplate_RendersPlusTemplateWithHTTP2Off(t *testing.T) { + t.Parallel() + executor := newTmplExecutorNGINXPlus(t) + got, err := executor.ExecuteVirtualServerTemplate(&virtualServerCfgWithHTTP2Off) + if err != nil { + t.Error(err) + } + wantStrings := []string{ + "listen 443 ssl proxy_protocol;", + "listen [::]:443 ssl proxy_protocol;", + } + for _, want := range wantStrings { + if !bytes.Contains(got, []byte(want)) { + t.Errorf("want `%s` in generated template", want) + } + } + + unwantStrings := []string{ + "http2 on;", + } + + for _, want := range unwantStrings { + if bytes.Contains(got, []byte(want)) { + t.Errorf("unwant `%s` in generated template", want) + } + } + + t.Log(string(got)) +} + +func TestExecuteVirtualServerTemplate_RendersOSSTemplateWithHTTP2On(t *testing.T) { + t.Parallel() + executor := newTmplExecutorNGINX(t) + got, err := executor.ExecuteVirtualServerTemplate(&virtualServerCfg) + if err != nil { + t.Error(err) + } + wantStrings := []string{ + "listen 443 ssl proxy_protocol;", + "listen [::]:443 ssl proxy_protocol;", + "http2 on;", + } + for _, want := range wantStrings { + if !bytes.Contains(got, []byte(want)) { + t.Errorf("want `%s` in generated template", want) + } + } + + unwantStrings := []string{ + "listen 443 ssl http2 proxy_protocol;", + "listen [::]:443 ssl http2 proxy_protocol;", + } + + for _, want := range unwantStrings { + if bytes.Contains(got, []byte(want)) { + t.Errorf("unwant `%s` in generated template", want) + } + } + + t.Log(string(got)) +} + +func TestExecuteVirtualServerTemplate_RendersOSSTemplateWithHTTP2Off(t *testing.T) { + t.Parallel() + executor := newTmplExecutorNGINX(t) + got, err := executor.ExecuteVirtualServerTemplate(&virtualServerCfgWithHTTP2Off) + if err != nil { + t.Error(err) + } + wantStrings := []string{ + "listen 443 ssl proxy_protocol;", + "listen [::]:443 ssl proxy_protocol;", + } + for _, want := range wantStrings { + if !bytes.Contains(got, []byte(want)) { + t.Errorf("want `%s` in generated template", want) + } + } + + unwantStrings := []string{ + "http2 on;", + } + + for _, want := range unwantStrings { + if bytes.Contains(got, []byte(want)) { + t.Errorf("unwant `%s` in generated template", want) + } + } + + t.Log(string(got)) +} + func TestVirtualServerForNginxPlusWithWAFApBundle(t *testing.T) { t.Parallel() executor := newTmplExecutorNGINXPlus(t) @@ -614,6 +738,351 @@ var ( }, } + virtualServerCfgWithHTTP2Off = VirtualServerConfig{ + LimitReqZones: []LimitReqZone{ + { + ZoneName: "pol_rl_test_test_test", Rate: "10r/s", ZoneSize: "10m", Key: "$url", + }, + }, + Upstreams: []Upstream{ + { + Name: "test-upstream", + Servers: []UpstreamServer{ + { + Address: "10.0.0.20:8001", + }, + }, + LBMethod: "random", + Keepalive: 32, + MaxFails: 4, + FailTimeout: "10s", + MaxConns: 31, + SlowStart: "10s", + UpstreamZoneSize: "256k", + Queue: &Queue{Size: 10, Timeout: "60s"}, + SessionCookie: &SessionCookie{Enable: true, Name: "test", Path: "/tea", Expires: "25s"}, + NTLM: true, + }, + { + Name: "coffee-v1", + Servers: []UpstreamServer{ + { + Address: "10.0.0.31:8001", + }, + }, + MaxFails: 8, + FailTimeout: "15s", + MaxConns: 2, + UpstreamZoneSize: "256k", + }, + { + Name: "coffee-v2", + Servers: []UpstreamServer{ + { + Address: "10.0.0.32:8001", + }, + }, + MaxFails: 12, + FailTimeout: "20s", + MaxConns: 4, + UpstreamZoneSize: "256k", + }, + }, + SplitClients: []SplitClient{ + { + Source: "$request_id", + Variable: "$split_0", + Distributions: []Distribution{ + { + Weight: "50%", + Value: "@loc0", + }, + { + Weight: "50%", + Value: "@loc1", + }, + }, + }, + }, + Maps: []Map{ + { + Source: "$match_0_0", + Variable: "$match", + Parameters: []Parameter{ + { + Value: "~^1", + Result: "@match_loc_0", + }, + { + Value: "default", + Result: "@match_loc_default", + }, + }, + }, + { + Source: "$http_x_version", + Variable: "$match_0_0", + Parameters: []Parameter{ + { + Value: "v2", + Result: "1", + }, + { + Value: "default", + Result: "0", + }, + }, + }, + }, + HTTPSnippets: []string{"# HTTP snippet"}, + Server: Server{ + ServerName: "example.com", + StatusZone: "example.com", + ProxyProtocol: true, + SSL: &SSL{ + HTTP2: false, + Certificate: "cafe-secret.pem", + CertificateKey: "cafe-secret.pem", + }, + TLSRedirect: &TLSRedirect{ + BasedOn: "$scheme", + Code: 301, + }, + ServerTokens: "off", + SetRealIPFrom: []string{"0.0.0.0/0"}, + RealIPHeader: "X-Real-IP", + RealIPRecursive: true, + Allow: []string{"127.0.0.1"}, + Deny: []string{"127.0.0.1"}, + LimitReqs: []LimitReq{ + { + ZoneName: "pol_rl_test_test_test", + Delay: 10, + Burst: 5, + }, + }, + LimitReqOptions: LimitReqOptions{ + LogLevel: "error", + RejectCode: 503, + }, + JWTAuth: &JWTAuth{ + Realm: "My Api", + Secret: "jwk-secret", + }, + IngressMTLS: &IngressMTLS{ + ClientCert: "ingress-mtls-secret", + VerifyClient: "on", + VerifyDepth: 2, + }, + WAF: &WAF{ + ApPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", + ApSecurityLogEnable: true, + ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"}, + }, + Snippets: []string{"# server snippet"}, + InternalRedirectLocations: []InternalRedirectLocation{ + { + Path: "/split", + Destination: "@split_0", + }, + { + Path: "/coffee", + Destination: "@match", + }, + }, + HealthChecks: []HealthCheck{ + { + Name: "coffee", + URI: "/", + Interval: "5s", + Jitter: "0s", + Fails: 1, + Passes: 1, + Port: 50, + ProxyPass: "http://coffee-v2", + Mandatory: true, + Persistent: true, + }, + { + Name: "tea", + Interval: "5s", + Jitter: "0s", + Fails: 1, + Passes: 1, + Port: 50, + ProxyPass: "http://tea-v2", + GRPCPass: "grpc://tea-v3", + GRPCStatus: createPointerFromInt(12), + GRPCService: "tea-servicev2", + }, + }, + Locations: []Location{ + { + Path: "/", + Snippets: []string{"# location snippet"}, + Allow: []string{"127.0.0.1"}, + Deny: []string{"127.0.0.1"}, + LimitReqs: []LimitReq{ + { + ZoneName: "loc_pol_rl_test_test_test", + }, + }, + ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyBuffering: true, + ProxyBuffers: "8 4k", + ProxyBufferSize: "4k", + ProxyMaxTempFileSize: "1024m", + ProxyPass: "http://test-upstream", + ProxyNextUpstream: "error timeout", + ProxyNextUpstreamTimeout: "5s", + Internal: true, + ProxyPassRequestHeaders: false, + ProxyPassHeaders: []string{"Host"}, + ProxyPassRewrite: "$request_uri", + ProxyHideHeaders: []string{"Header"}, + ProxyIgnoreHeaders: "Cache", + Rewrites: []string{"$request_uri $request_uri", "$request_uri $request_uri"}, + AddHeaders: []AddHeader{ + { + Header: Header{ + Name: "Header-Name", + Value: "Header Value", + }, + Always: true, + }, + }, + EgressMTLS: &EgressMTLS{ + Certificate: "egress-mtls-secret.pem", + CertificateKey: "egress-mtls-secret.pem", + VerifyServer: true, + VerifyDepth: 1, + Ciphers: "DEFAULT", + Protocols: "TLSv1.3", + TrustedCert: "trusted-cert.pem", + SessionReuse: true, + ServerName: true, + }, + }, + { + Path: "@loc0", + ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyPass: "http://coffee-v1", + ProxyNextUpstream: "error timeout", + ProxyNextUpstreamTimeout: "5s", + ProxyInterceptErrors: true, + ErrorPages: []ErrorPage{ + { + Name: "@error_page_1", + Codes: "400 500", + ResponseCode: 200, + }, + { + Name: "@error_page_2", + Codes: "500", + ResponseCode: 0, + }, + }, + }, + { + Path: "@loc1", + ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyPass: "http://coffee-v2", + ProxyNextUpstream: "error timeout", + ProxyNextUpstreamTimeout: "5s", + }, + { + Path: "@loc2", + ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyPass: "http://coffee-v2", + GRPCPass: "grpc://coffee-v3", + }, + { + Path: "@match_loc_0", + ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyPass: "http://coffee-v2", + ProxyNextUpstream: "error timeout", + ProxyNextUpstreamTimeout: "5s", + }, + { + Path: "@match_loc_default", + ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyPass: "http://coffee-v1", + ProxyNextUpstream: "error timeout", + ProxyNextUpstreamTimeout: "5s", + }, + { + Path: "/return", + ProxyInterceptErrors: true, + ErrorPages: []ErrorPage{ + { + Name: "@return_0", + Codes: "418", + ResponseCode: 200, + }, + }, + InternalProxyPass: "http://unix:/var/lib/nginx/nginx-418-server.sock", + }, + }, + ErrorPageLocations: []ErrorPageLocation{ + { + Name: "@vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0", + DefaultType: "application/json", + Return: &Return{ + Code: 200, + Text: "Hello World", + }, + Headers: nil, + }, + { + Name: "@vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1", + DefaultType: "", + Return: &Return{ + Code: 200, + Text: "Hello World", + }, + Headers: []Header{ + { + Name: "Set-Cookie", + Value: "cookie1=test", + }, + { + Name: "Set-Cookie", + Value: "cookie2=test; Secure", + }, + }, + }, + }, + ReturnLocations: []ReturnLocation{ + { + Name: "@return_0", + DefaultType: "text/html", + Return: Return{ + Code: 200, + Text: "Hello!", + }, + }, + }, + }, + } + virtualServerCfgWithGunzipOn = VirtualServerConfig{ LimitReqZones: []LimitReqZone{ { diff --git a/tests/suite/test_virtual_server_configmap_keys.py b/tests/suite/test_virtual_server_configmap_keys.py index c49b2972d3..1fe9ceb276 100644 --- a/tests/suite/test_virtual_server_configmap_keys.py +++ b/tests/suite/test_virtual_server_configmap_keys.py @@ -114,13 +114,14 @@ def assert_defaults_of_keys_with_validation_in_main_config(config, unexpected_va def assert_ssl_keys(config): # based on f"{TEST_DATA}/virtual-server-configmap-keys/configmap-ssl-keys.yaml" assert "if ($schema = 'http') {" not in config - assert "listen 443 ssl http2 proxy_protocol;" in config + assert "listen 443 ssl proxy_protocol;" in config + assert "http2 on;" in config def assert_defaults_of_ssl_keys(config): assert "if ($schema = 'http') {" not in config assert "listen 443 ssl;" in config - assert "http2" not in config + assert "http2 on;" not in config @pytest.fixture(scope="function")