--- /dev/null
+#REGTEST_TYPE=slow
+
+# This teg-test verifies that automatic SNI selection for server conncetions and
+# health checks.
+
+varnishtest "Test the bind 'alpn' setting"
+feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.3-dev8)'"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
+feature ignore_unknown_macro
+
+barrier b1 cond 7 -cyclic
+
+server s1 {
+ rxreq
+ expect req.http.x-sni == <undef>
+ txresp -status 200
+ barrier b1 sync
+} -start
+
+server s2 {
+ rxreq
+ expect req.http.x-sni == "www.check2.org"
+ txresp -status 200
+ barrier b1 sync
+} -start
+
+server s3 {
+ rxreq
+ expect req.http.x-sni == "www.check3.org"
+ txresp -status 200
+ barrier b1 sync
+} -start
+
+server s4 {
+ rxreq
+ expect req.http.x-sni == "www.other.org"
+ txresp -status 200
+ barrier b1 sync
+} -start
+
+server s5 {
+ rxreq
+ expect req.http.x-sni == <undef>
+ txresp -status 200
+ barrier b1 sync
+} -start
+
+server s6 {
+ rxreq
+ expect req.http.x-sni == <undef>
+ txresp -status 200
+ barrier b1 sync
+} -start
+
+
+haproxy h1 -conf {
+ global
+ .if feature(THREAD)
+ thread-groups 1
+ .endif
+
+ .if !ssllib_name_startswith(AWS-LC)
+ tune.ssl.default-dh-param 2048
+ .endif
+
+ defaults
+ mode http
+ option httplog
+ log stderr local0 debug err
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend fe_ssl
+ bind "fd@${fe_ssl}" ssl crt ${testdir}/common.pem
+
+ http-request return status 200 if { path /test1 } { ssl_fc_sni www.test1.org }
+ http-request return status 500 if { path /test2 } { ssl_fc_sni -m found }
+ http-request return status 200 if { path /test3 } { ssl_fc_sni www.other.org }
+ http-request deny
+
+ listen li_check_ssl
+ bind "fd@${li_check_ssl}" ssl crt ${testdir}/common.pem
+ http-request set-header x-sni %[ssl_fc_sni] if { ssl_fc_sni -m found }
+
+ use-server s1 if { path /test1 }
+ use-server s2 if { path /test2 }
+ use-server s3 if { path /test3 }
+ use-server s4 if { path /test4 }
+ use-server s5 if { path /test5 }
+ use-server s6 if { path /test6 }
+
+ server s1 ${s1_addr}:${s1_port}
+ server s2 ${s1_addr}:${s2_port}
+ server s3 ${s3_addr}:${s3_port}
+ server s4 ${s4_addr}:${s4_port}
+ server s5 ${s5_addr}:${s5_port}
+ server s6 ${s6_addr}:${s6_port}
+
+ listen li
+ bind "fd@${li}"
+ use-server s1 if { path /test1 }
+ use-server s2 if { path /test2 }
+ use-server s3 if { path /test3 }
+
+ server s1 ${h1_fe_ssl_addr}:${h1_fe_ssl_port} ssl verify none
+ server s2 ${h1_fe_ssl_addr}:${h1_fe_ssl_port} ssl verify none no-sni-auto
+ server s3 ${h1_fe_ssl_addr}:${h1_fe_ssl_port} ssl verify none sni str("www.other.org")
+
+ backend be1
+ option httpchk GET /test1 HTTP/1.1
+ server chk1 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none
+
+ backend be2
+ option httpchk GET /test2 HTTP/1.1 www.check2.org:443
+ server chk2 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none
+
+ backend be3
+ option httpchk
+ http-check send meth GET uri /test3 hdr host "www.check3.org:443"
+ server chk3 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none
+
+ backend be4
+ option httpchk
+ http-check send meth GET uri /test4 hdr host "www.check4.org:443"
+ server chk4 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none check-sni "www.other.org"
+
+ backend be5
+ option httpchk
+ http-check send meth GET uri /test5 hdr host "www.check5.org:443"
+ server chk5 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none no-check-sni-auto
+
+ backend be6
+ option httpchk GET /test6 HTTP/1.1 www.check6.org:443
+ http-check connect default
+ server chk2 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none
+
+} -start
+
+client c1 -connect ${h1_li_sock} {
+ barrier b1 sync
+
+ txreq -url "/test1" -hdr "host: www.test1.org:443"
+ rxresp
+ expect resp.status == 200
+
+ txreq -url "/test1"
+ rxresp
+ expect resp.status == 403
+
+ txreq -url "/test2" -hdr "host: www.test1.org"
+ rxresp
+ expect resp.status == 403
+
+ txreq -url "/test3" -hdr "host: www.test1.org"
+ rxresp
+ expect resp.status == 200
+} -run
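Review bot: The `varnishtest` title in this new file still reads "Test the bind 'alpn' setting", although every expectation below is about the SNI sent on server connections and health checks. It should say so, e.g. `varnishtest "Test automatic SNI selection for server connections and health checks"`, and the header comment above it has typos ("teg-test", "conncetions") and no verb after "verifies that". Two lines look like copy-paste leftovers: in `li_check_ssl`, `server s2 ${s1_addr}:${s2_port}` pairs s1's address with s2's port and should be `server s2 ${s2_addr}:${s2_port}`, and backend `be6` names its server `chk2`, which is easy to confuse with `be2`'s server in check logs, so `chk6` would match the other backends. Every `ssl` server line here uses `verify none`, so the test pins which SNI is sent but not how an automatically chosen SNI interacts with certificate name verification. If that interaction is in scope for the feature, a case with verification enabled would be worth adding.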