From: Alan T. DeKok
Date: Wed, 5 Apr 2023 20:48:55 +0000 (-0400)
Subject: configuration and scripts to test high load UDP -> TLS proxying
X-Git-Tag: release_3_2_3~92
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f2e47c32e7912209f644da16d9cc87e56d72c73;p=thirdparty%2Ffreeradius-server.git

configuration and scripts to test high load UDP -> TLS proxying
---

diff --git a/src/tests/tls/README.md b/src/tests/tls/README.md
new file mode 100644
index 0000000000..e614c5905b
--- /dev/null
+++ b/src/tests/tls/README.md
@@ -0,0 +1,34 @@
+# Tests for TLS
+
+You will need at least 3 terminal windows:
+
+1. Home Server
+
+```
+./radiusd-home.sh
+```
+
+This server receives Access-Request packets over TLS, and sends Access-Accept.
+
+2. Proxy server
+
+```
+./radiusd-proxy.sh
+```
+
+This server receives Access-Request packets over UDP, and proxies them to the home server.
+
+3. Client(s)
+
+Send one packet:
+
+```
+./radclient.sh
+```
+
+Send 500,000 packets:
+
+```
+./radclient.sh -c 500000
+```
+
diff --git a/src/tests/tls/home/radiusd.conf b/src/tests/tls/home/radiusd.conf
new file mode 100644
index 0000000000..46e66a85f4
--- /dev/null
+++ b/src/tests/tls/home/radiusd.conf
@@ -0,0 +1,69 @@
+#
+# Minimal radiusd.conf for testing
+#
+raddb = $ENV{RADDB}
+modconfdir = ${raddb}/mods-config
+testdir = $ENV{TEST_PATH}
+pidfile = ${testdir}/radiusd.pid
+panic_action = "gdb -batch -x $${testdir}/panic.gdb %e %p > $${testdir}/gdb-radiusd.log 2>&1; cat $${testdir}/gdb-radiusd.log"
+certdir = ${raddb}/certs
+cadir = ${raddb}/certs
+libdir = $ENV{LIB_PATH}
+
+max_requests = 1048576
+
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+ cleanup_delay = 5
+ max_queue_size = 65536
+ auto_limit_acct = no
+}
+
+#
+# Referenced by some modules for default thread pool configuration
+#
+modules {
+}
+
+clients radsec {
+ client home {
+ ipaddr = 127.0.0.1
+ proto = tls
+ }
+}
+
+listen {
+ type = auth
+
+ ipaddr = 127.0.0.1
+ port = 2083
+ proto = tcp
+
+ clients = radsec
+
+ virtual_server = default
+
+ tls {
+ private_key_password = whatever
+ private_key_file = ${certdir}/server.pem
+ certificate_file = ${certdir}/server.pem
+ ca_file = ${cadir}/ca.pem
+ fragment_size = 8192
+ ca_path = ${cadir}
+ cipher_list = "DEFAULT"
+ tls_min_version = "1.3"
+ tls_max_version = "1.3"
+ }
+}
+
+server default {
+ authorize {
+ update control {
+ Auth-Type := accept
+ }
+ }
+}
diff --git a/src/tests/tls/proxy/proxy.conf b/src/tests/tls/proxy/proxy.conf
new file mode 100644
index 0000000000..56b345340e
--- /dev/null
+++ b/src/tests/tls/proxy/proxy.conf
@@ -0,0 +1,29 @@
+home_server home {
+ ipaddr = 127.0.0.1
+ port = 2083
+ type = auth
+ secret = radsec
+ proto = tcp
+ status_check = none
+
+# nonblock = yes
+
+ revive_interval = 10
+
+ tls {
+ private_key_password = whatever
+ private_key_file = ${certdir}/client.pem
+ certificate_file = ${certdir}/client.pem
+ ca_file = ${cadir}/ca.pem
+ fragment_size = 8192
+ ca_path = ${cadir}
+ cipher_list = "DEFAULT"
+ tls_min_version = "1.3"
+ tls_max_version = "1.3"
+ }
+}
+
+home_server_pool home {
+ type = fail-over
+ home_server = home
+}
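Review bot: The `client home` entry in `clients radsec` declares `proto = tls` but no `secret`, while the proxy's home_server in proxy.conf sets `secret = radsec`; FreeRADIUS appears to default a TLS client's secret to `radsec`, but that is not stated anywhere in this commit, and a mismatch would likely surface as per-packet authenticator failures rather than a TLS handshake error. Add `secret = radsec` to the client block, with a comment that RFC 6614 fixes the RADIUS/TLS shared secret to that value and that it must match the proxy's home_server definition. Separately, `testdir = $ENV{TEST_PATH}` here places the home server's pidfile and gdb log in the test root, whereas proxy/radiusd.conf uses `$ENV{TEST_PATH}/proxy`; `testdir = $ENV{TEST_PATH}/home` would keep the two servers' runtime files apart symmetrically.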
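Review bot: proxy.conf references `${certdir}` and `${cadir}` but never defines them; it only parses because proxy/radiusd.conf assigns both before its `$INCLUDE ${testdir}/proxy.conf` line, and nothing in this file says so. A header comment such as `# Included from radiusd.conf after certdir/cadir are set; not standalone.` would prevent someone from loading it directly. Also, `status_check = none` together with `revive_interval = 10` means a home server that stops answering under the 500,000-packet load is marked dead and then blindly revived every 10 seconds; if that is deliberate for the load test, say so next to `status_check`, and the commented-out `# nonblock = yes` deserves a word on why it is left off.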
diff --git a/src/tests/tls/proxy/radiusd.conf b/src/tests/tls/proxy/radiusd.conf
new file mode 100644
index 0000000000..605d531e55
--- /dev/null
+++ b/src/tests/tls/proxy/radiusd.conf
@@ -0,0 +1,48 @@
+raddb = $ENV{RADDB}
+modconfdir = ${raddb}/mods-config
+testdir = $ENV{TEST_PATH}/proxy
+pidfile = ${testdir}/radiusd.pid
+panic_action = "gdb -batch -x $${testdir}/panic.gdb %e %p > $${testdir}/gdb-radiusd.log 2>&1; cat $${testdir}/gdb-radiusd.log"
+certdir = ${raddb}/certs
+cadir = ${raddb}/certs
+libdir = $ENV{LIB_PATH}
+
+max_requests = 1048576
+
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+ cleanup_delay = 5
+ max_queue_size = 65536
+ auto_limit_acct = no
+}
+
+#
+# Minimum configuration for Proxy Server -> SRADIUSD
+#
+$INCLUDE ${testdir}/proxy.conf
+
+client local_test {
+ ipaddr = 127.0.0.1
+ secret = testing123
+ proto = *
+}
+
+listen {
+ type = auth
+ ipaddr = 127.0.0.1
+ port = 1812
+ proto = udp
+ virtual_server = default
+}
+
+server default {
+ authorize {
+ update control {
+ &Home-Server-Pool = "home"
+ }
+ }
+}
diff --git a/src/tests/tls/radclient.sh b/src/tests/tls/radclient.sh
new file mode 100755
index 0000000000..4b38168ba7
--- /dev/null
+++ b/src/tests/tls/radclient.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+#
+# Run the home server.
+#
+
+DIR=$(dirname $0)/../../..
+PROGRAM=$(basename $0)
+
+export RADDB=$DIR/raddb
+export TEST_PATH=$(dirname $0)/
+export LIB_PATH=$DIR/build/lib/local/
+
+exec $DIR/build/make/jlibtool --mode=execute $FR_DEBUGGER $DIR/build/bin/local/radclient -d $(dirname $0)/home -D $DIR/share/ -f user_password $@ localhost auth testing123
diff --git a/src/tests/tls/radiusd-home.sh b/src/tests/tls/radiusd-home.sh
new file mode 100755
index 0000000000..fb1f6780c0
--- /dev/null
+++ b/src/tests/tls/radiusd-home.sh
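Review bot: The comment above the `$INCLUDE` reads `Minimum configuration for Proxy Server -> SRADIUSD`, and `SRADIUSD` is not a name used anywhere else in this commit, so a reader cannot tell what the arrow points at; spelling it out as `# Proxy server: UDP clients in, RADIUS/TLS out to the home server in proxy.conf` would make the intent clear. The path block (`raddb` through `libdir`) and the whole `thread pool` section are copied verbatim from home/radiusd.conf; an `$INCLUDE`d shared fragment would keep the two test servers from drifting apart. The file also lacks the `# Minimal radiusd.conf for testing` header its sibling has.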
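Review bot: The header comment says `Run the home server.` but this script runs radclient (radiusd-proxy.sh carries the same copy-pasted comment while running the proxy); the comment should name what the script actually starts. Every expansion on the `DIR=`, `export` and `exec` lines is unquoted (`$0`, `$DIR`, `$(dirname $0)`, `$@`), so a checkout path containing a space breaks all three scripts, and `PROGRAM=$(basename $0)` is assigned but never used — radiusd-home.sh and radiusd-proxy.sh share both of these. `$FR_DEBUGGER` is the one expansion that should stay unquoted, since it presumably holds a command plus options; mark that as intentional. The quoted rewrite of this file is below; the other two scripts need the same treatment on the same lines.

```sh
# … unchanged: shebang …

#
# Run radclient against the proxy server (UDP, port 1812).
#

DIR=$(dirname -- "$0")/../../..

export RADDB="$DIR/raddb"
export TEST_PATH="$(dirname -- "$0")/"
export LIB_PATH="$DIR/build/lib/local/"

# $FR_DEBUGGER is deliberately unquoted: it may hold a command plus options.
# shellcheck disable=SC2086
exec "$DIR/build/make/jlibtool" --mode=execute $FR_DEBUGGER "$DIR/build/bin/local/radclient" -d "$(dirname -- "$0")/home" -D "$DIR/share/" -f user_password "$@" localhost auth testing123
```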
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+#
+# Run the home server.
+#
+
+DIR=$(dirname $0)/../../..
+PROGRAM=$(basename $0)
+
+export RADDB=$DIR/raddb
+export TEST_PATH=$(dirname $0)/
+export LIB_PATH=$DIR/build/lib/local/
+
+exec $DIR/build/make/jlibtool --mode=execute $FR_DEBUGGER $DIR/build/bin/local/radiusd -d $(dirname $0)/home -D $DIR/share/ -fxx -l stdout $@
diff --git a/src/tests/tls/radiusd-proxy.sh b/src/tests/tls/radiusd-proxy.sh
new file mode 100755
index 0000000000..12e8d81bd4
--- /dev/null
+++ b/src/tests/tls/radiusd-proxy.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+#
+# Run the home server.
+#
+
+DIR=$(dirname $0)/../../..
+PROGRAM=$(basename $0)
+
+export RADDB=$DIR/raddb
+export TEST_PATH=$(dirname $0)/
+export LIB_PATH=$DIR/build/lib/local/
+
+exec $DIR/build/make/jlibtool --mode=execute $FR_DEBUGGER $DIR/build/bin/local/radiusd -d $(dirname $0)/proxy -D $DIR/share/ -fxx -l stdout $@
diff --git a/src/tests/tls/user_password b/src/tests/tls/user_password
new file mode 100644
index 0000000000..9d0a12cb36
--- /dev/null
+++ b/src/tests/tls/user_password
@@ -0,0 +1,3 @@
+User-Name = "bob"
+User-Password = "bob"
+Message-Authenticator = 0x00
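Review bot: The `exec` line hard-codes `-fxx -l stdout`, so the home server always runs with full debug logging to the terminal, which for the 500,000-packet run the README advertises is likely to make log output rather than TLS proxying the bottleneck; radiusd-proxy.sh does the same. If the debug level is meant to be adjustable, drop `-xx` from the script and let the caller pass it through `$@`, or note in the header comment that this script is for tracing a small run and that throughput numbers should be taken with `-x` removed. The script's purpose comment should also say which config it loads, e.g. `# Run the RADIUS/TLS home server (home/radiusd.conf) in the foreground.`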