Wed, Dec 18, 2019 at 22:34, Ciprian Dorin Craciun <ciprian.crac...@gmail.com>:

> On Wed, Dec 18, 2019 at 6:47 PM Илья Шипицин <chipits...@gmail.com> wrote:
> > you are talking about testing ACL. can you provide some example ?
>
>
> So let's assume I have a given HAProxy configuration, full of ACLs
> and rules, that apply certain "firewalling", authentication /
> authorization, "mangling" operations to the HTTP request (e.g. drop
> "bad-bots", update headers, redirects, routing to various backends,
> etc.).
>
> Now how can I test that the HAProxy configuration actually
> "implements" what it proposes to?  I.e. how can I be sure that the
> rules are in the proper order, that no ACLs are missing, etc.
>
> My answer would be:  fire an HTTP request and see if it "does" what it
> should.  (Perhaps expose as HTTP headers some "state" values to help
> in checking things.)
>
>
>
>
> My concrete example would be this:  I find HAProxy wonderful for any
> non trivial HTTP deployment (and in fact anything "touched" by the
> Internet);  unfortunately the configuration language (with its flat
> ACLs and request / response rules) is like "assembler" (as opposed to
> say Python).  Therefore I've written myself a HAProxy "configurator"
> in Python that based on simple Python code generates the full HAProxy
> configuration.
>
> For example:
>
>
> https://github.com/cipriancraciun/haproxy-configurator/blob/master/examples/example-01.py
>
> https://github.com/cipriancraciun/haproxy-configurator/blob/master/examples/_configs/example-01.cfg
>
> , the Python script is (hopefully) readable and clearly shows the
> intent of the resulting configuration:
> * redirect everything via HTTPS;
> * redirect `example.com` to `www.example.com`;
> * redirect `/admin/*` to `admin.example.com/admin/*`, same for `/blog/*`;
>

redirects are easy to test. using any framework.

for example, jmeter (or any other http query tool)


> * apply authentication for `admin`;
> * force some caching headers for `web`, `static` and `media`;
>

same here. assert in jmeter would serve caching headers check


> * apply some "sanity" checks to requests / responses (i.e. except
> admin, the rest should only serve `GET` requests);
> * deny any request that doesn't match a set of domains
>

same here. just fire random query using jmeter


>
> The resulting file is around 639 lines, and (given how I've chosen to
> identify ACLs) is quite hard to "follow by hand".
>
> So my question now is how do I test it...  Fire HTTP requests at it!  :)
>
>
> I hope this gives everyone a glimpse into my use-case,
> Ciprian.
>

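An added example, not part of the original messages and not code from haproxy-configurator: the "fire HTTP requests at it" approach from the thread written as a table-driven check in Python. The hostnames beyond those in the rule list, the expected status codes and header fragments, and the plain-HTTP test instance are all assumptions to adapt to the real configuration.

```python
import http.client

def probe(addr, method, host, path):
    """One plain-HTTP request to addr=(ip, port); redirects are not followed."""
    conn = http.client.HTTPConnection(addr[0], addr[1], timeout=5)
    try:
        conn.request(method, path, headers={"Host": host})  # explicit Host
        resp = conn.getresponse()
        resp.read()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

# Constructed expectations modelled on the rule list in the thread:
# (name, (method, host, path), accepted statuses, required header fragments).
CASES = [
    ("apex redirects to www", ("GET", "example.com", "/"),
     {301, 302}, {"location": "//www.example.com/"}),
    ("/admin moves to admin host", ("GET", "www.example.com", "/admin/x"),
     {301, 302}, {"location": "//admin.example.com/admin/x"}),
    ("admin needs authentication", ("GET", "admin.example.com", "/admin/x"),
     {401}, {"www-authenticate": ""}),
    ("non-GET denied outside admin", ("POST", "www.example.com", "/"),
     {403, 405}, {}),
    ("unknown Host denied", ("GET", "unlisted.invalid", "/"),
     {403}, {}),
    ("static sets caching header", ("GET", "static.example.com", "/a.css"),
     {200}, {"cache-control": "max-age"}),
]

def run_cases(cases, send):
    """Return (case name, reason) for every expectation the proxy fails."""
    failures = []
    for name, request, statuses, wanted in cases:
        status, headers = send(*request)
        if status not in statuses:
            failures.append((name, f"status {status}"))
        for header, fragment in wanted.items():
            value = headers.get(header)
            if value is None or fragment not in value:
                failures.append((name, f"{header}: {value!r}"))
    return failures

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script.py PROXY_IP PROXY_PORT
        addr = (sys.argv[1], int(sys.argv[2]))
        for name, why in run_cases(CASES, lambda *req: probe(addr, *req)):
            print("FAIL", name, why)
```

Because `send` is injectable, the same table can be run against a regenerated configuration in CI, and a rule that was dropped or reordered shows up as a named failure.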