This is an automated email from the ASF dual-hosted git repository. masaori pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push: new 362786af70 Improve performance of finding SNI Actions (#9736) 362786af70 is described below commit 362786af705894caee880d4a4f81514495c687bd Author: Masaori Koshiba <masa...@apache.org> AuthorDate: Sun Oct 8 19:32:31 2023 +0900 Improve performance of finding SNI Actions (#9736) * Improve performance of finding SNI Actions * Fix AuTest --- include/tscpp/util/Convert.h | 46 +++++++++++ iocore/net/SSLCertLookup.cc | 31 +++----- iocore/net/SSLSNIConfig.cc | 89 +++++++++++++++++++--- iocore/net/SSLSNIConfig.h | 12 +-- iocore/net/unit_tests/sni_conf_test.yaml | 11 +++ iocore/net/unit_tests/test_SSLSNIConfig.cc | 10 ++- iocore/net/unit_tests/test_YamlSNIConfig.cc | 2 +- iocore/net/unit_tests/unit_test_main.cc | 5 ++ tests/gold_tests/h2/h2disable.test.py | 2 +- .../h2/h2disable_no_accept_threads.test.py | 2 +- tests/gold_tests/h2/h2enable.test.py | 2 +- .../h2/h2enable_no_accept_threads.test.py | 2 +- tests/gold_tests/tls/tls_client_cert2.test.py | 4 +- .../gold_tests/tls/tls_client_cert2_plugin.test.py | 4 +- tests/gold_tests/tls/tls_client_verify.test.py | 8 +- tests/gold_tests/tls/tls_client_verify2.test.py | 4 +- tests/gold_tests/tls/tls_tunnel.test.py | 16 ++-- tests/gold_tests/tls/tls_verify3.test.py | 10 +-- 18 files changed, 197 insertions(+), 63 deletions(-) diff --git a/include/tscpp/util/Convert.h b/include/tscpp/util/Convert.h new file mode 100644 index 0000000000..b95fc3675a --- /dev/null +++ b/include/tscpp/util/Convert.h 
@@ -0,0 +1,46 @@
+/** @file
+
+ Collection of utility functions for converting between different chars.
+
+ @section license License
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+#pragma once
+
+#include "swoc/MemSpan.h"
+
+#include <string_view>
+
+namespace ts
+{
+/** Copy @a src to @a dst, transforming to lower case.
+ *
+ * @param src Input string.
+ * @param dst Output buffer.
+ */
+inline void
+transform_lower(std::string_view src, swoc::MemSpan<char> dst)
+{
+ if (src.size() > dst.size() - 1) { // clip @a src, reserving space for the terminal nul.
+ src = std::string_view{src.data(), dst.size() - 1};
+ }
+ auto final = std::transform(src.begin(), src.end(), dst.data(), [](char c) -> char { return std::tolower(c); });
+ *final++ = '\0';
+}
+} // namespace ts
diff --git a/iocore/net/SSLCertLookup.cc b/iocore/net/SSLCertLookup.cc
index f736f84db8..ac570e28ea 100644
--- a/iocore/net/SSLCertLookup.cc
+++ b/iocore/net/SSLCertLookup.cc
@@ -35,6 +35,8 @@
 #include "tscore/TestBox.h"
+#include "tscpp/util/Convert.h"
+
 #include "I_EventSystem.h"
 #include "P_SSLUtils.h"
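Review bot: The lambda in `transform_lower` hands a plain `char` to `std::tolower`, which is undefined for byte values above 0x7F wherever `char` is signed, and this helper is now called from `SNIConfigParams::get` on the servername passed in (presumably the client's SNI, so non-ASCII bytes can reach it from the network). Use `[](char c) -> char { return static_cast<char>(std::tolower(static_cast<unsigned char>(c))); }`. The header uses `std::transform` and `std::tolower` but only includes `<string_view>`; add `#include <algorithm>` and `#include <cctype>` so it does not depend on include order in each translation unit. The clip to `dst.size() - 1` is what keeps writes inside the callers' `TS_MAX_HOST_NAME_LEN + 1` buffers, so the doc comment should state that `dst` must be non-empty, since that subtraction wraps for a zero-length span.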
@@ -143,24 +145,6 @@ private:
 int store(SSLCertContext const &cc);
 };
-namespace
-{
-/** Copy @a src to @a dst, transforming to lower case.
- *
- * @param src Input string.
- * @param dst Output buffer.
- */
-inline void
-transform_lower(std::string_view src, swoc::MemSpan<char> dst)
-{
- if (src.size() > dst.size() - 1) { // clip @a src, reserving space for the terminal nul.
- src = std::string_view{src.data(), dst.size() - 1};
- }
- auto final = std::transform(src.begin(), src.end(), dst.data(), [](char c) -> char { return std::tolower(c); });
- *final++ = '\0';
-}
-} // namespace
-
 // Zero out and free the heap space allocated for ticket keys to avoid leaking secrets.
 // The first several bytes stores the number of keys and the rest stores the ticket keys.
 void
@@ -461,7 +445,7 @@ SSLContextStorage::insert(const char *name, int idx)
 {
 ats_wildcard_matcher wildcard;
 char lower_case_name[TS_MAX_HOST_NAME_LEN + 1];
- transform_lower(name, lower_case_name);
+ ts::transform_lower(name, lower_case_name);
 shared_SSL_CTX ctx = this->ctx_store[idx].getCtx();
 if (wildcard.match(lower_case_name)) {
@@ -512,7 +496,7 @@ SSLContextStorage::lookup(const std::string &name)
 }
 // Try lower casing it
 char lower_case_name[TS_MAX_HOST_NAME_LEN + 1];
- transform_lower(name, lower_case_name);
+ ts::transform_lower(name, lower_case_name);
 if (auto it_lower = this->hostnames.find(lower_case_name); it_lower != this->hostnames.end()) {
 return &(this->ctx_store[it_lower->second]);
 }
@@ -557,7 +541,7 @@ reverse_dns_name(const char *hostname, char (&reversed)[TS_MAX_HOST_NAME_LEN + 1
 *(--ptr) = '.';
 }
 }
- transform_lower(ptr, {ptr, strlen(ptr) + 1});
+ ts::transform_lower(ptr, {ptr, strlen(ptr) + 1});
 return ptr;
 }
@@ -572,8 +556,13 @@ REGRESSION_TEST(SSLWildcardMatch)(RegressionTest *t, int /* atype ATS_UNUSED */,
 box.check(wildcard.match("foo.com") == false, "foo.com is not a wildcard");
 box.check(wildcard.match("*.foo.com") == true, "*.foo.com is a wildcard");
 box.check(wildcard.match("bar*.foo.com") == false, "bar*.foo.com not a wildcard");
+ box.check(wildcard.match("*bar.foo.com") == false, "*bar.foo.com not a wildcard");
+ box.check(wildcard.match("b*ar.foo.com") == false, "*bar.foo.com not a wildcard");
+ box.check(wildcard.match("bar.*.foo.com") == false, "bar.*.foo.com not a wildcard");
+ box.check(wildcard.match("*.*.foo.com") == false, "multiple *");
 box.check(wildcard.match("*") == false, "* is not a wildcard");
 box.check(wildcard.match("") == false, "'' is not a wildcard");
+ box.check(wildcard.match("foo[0-9]+.example.com") == false, "regex is not wildcard");
 }
 REGRESSION_TEST(SSLReverseHostname)(RegressionTest *t, int /* atype ATS_UNUSED */, int *pstatus)
diff --git a/iocore/net/SSLSNIConfig.cc b/iocore/net/SSLSNIConfig.cc
index e3aada4dc6..1124b76a2f 100644
--- a/iocore/net/SSLSNIConfig.cc
+++ b/iocore/net/SSLSNIConfig.cc
@@ -40,6 +40,9 @@
 #include "tscore/I_Layout.h"
 #include "tscpp/util/ts_ip.h"
+#include "tscpp/util/Convert.h"
+
+#include "swoc/TextView.h"
 #include <netinet/in.h>
@@ -53,6 +56,16 @@ static constexpr int OVECSIZE{30};
 static DbgCtl dbg_ctl_ssl{"ssl"};
 static DbgCtl dbg_ctl_ssl_sni{"ssl_sni"};
+namespace
+{
+bool
+is_port_in_the_ranges(const std::vector<ts::port_range_t> &port_ranges, in_port_t port)
+{
+ return std::any_of(port_ranges.begin(), port_ranges.end(),
+ [port](ts::port_range_t const &port_range) { return port_range.contains(port); });
+}
+} // namespace
+
 ////
 // NamedElement
 //
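Review bot: The second added check's message does not match its input: it tests `b*ar.foo.com` but reports `"*bar.foo.com not a wildcard"`, so a failure would be attributed to the previous case. Change it to `box.check(wildcard.match("b*ar.foo.com") == false, "b*ar.foo.com not a wildcard");`. These checks now pin down exactly which forms `ats_wildcard_matcher` rejects, and that verdict decides whether an sni.yaml entry goes into the exact-match map or the regex list in `SNIConfigParams::load_sni_config`, so a one-line comment above them stating that dependency would help the next person who changes the matcher.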
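Review bot: `is_port_in_the_ranges` has no comment, and as the single port gate for both the exact and the wildcard path in `SNIConfigParams::get` it deserves one: `/// True if @a port lies within any of @a port_ranges; an empty vector matches nothing.` The empty-vector behaviour follows from `std::any_of`, so entries without `inbound_port_ranges` in sni.yaml rely on the loader filling in a catch-all range (the `test_YamlSNIConfig.cc` section "If no ports were specified ..." in this commit covers that). The new `#include "swoc/TextView.h"` is not used by any line visible in this diff; if nothing else in the file needs it, drop it.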
@@ -117,13 +130,36 @@ SNIConfigParams::get_property_config(const std::string &servername) const
 bool
 SNIConfigParams::load_sni_config()
 {
+ uint32_t count = 0;
+ ats_wildcard_matcher wildcard;
+
 for (auto &item : yaml_sni.items) {
- auto &ai = sni_action_list.emplace_back();
- ai.set_glob_name(item.fqdn);
- ai.inbound_port_ranges = item.inbound_port_ranges;
 Dbg(dbg_ctl_ssl, "name: %s", item.fqdn.data());
- item.populate_sni_actions(ai.actions);
+ ActionElement *element = nullptr;
+
+ // servername is case-insensitive, store & find it in lower case
+ char lower_case_name[TS_MAX_HOST_NAME_LEN + 1];
+ ts::transform_lower(item.fqdn, lower_case_name);
+
+ if (wildcard.match(lower_case_name)) {
+ auto &ai = sni_action_list.emplace_back();
+ ai.set_glob_name(lower_case_name);
+ element = &ai;
+ } else {
+ auto it = sni_action_map.emplace(std::make_pair(lower_case_name, ActionElement()));
+ if (it == sni_action_map.end()) {
+ Error("error on loading sni yaml - fqdn=%s", item.fqdn.c_str());
+ return false;
+ }
+
+ element = &it->second;
+ }
+
+ element->inbound_port_ranges = item.inbound_port_ranges;
+ element->rank = count++;
+
+ item.populate_sni_actions(element->actions);
 if (!set_next_hop_properties(item)) {
 return false;
 }
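Review bot: An fqdn that contains `*` but is not in the single `*.example.com` form `ats_wildcard_matcher` accepts (the `bar.*.foo.com` and `*bar.foo.com` checks added to SSLWildcardMatch show what is rejected) now takes the `else` branch and is stored in `sni_action_map` as a literal key, so it can never match a real servername; the gold tests in this commit were rewritten away from `bob.*.com` and `*bar.com` for that reason, but an existing sni.yaml with those patterns still loads cleanly and silently loses its actions, `verify_client` settings included. Log it at load time in the `else` branch: `if (item.fqdn.find('*') != std::string::npos) { Warning("sni.yaml: fqdn=%s is not a supported wildcard and will only match literally", item.fqdn.c_str()); }`. The `if (it == sni_action_map.end())` check is dead, because `std::unordered_multimap::emplace` always inserts and returns an iterator to the new element, never `end()`. `ts::transform_lower` also clips `item.fqdn` at `TS_MAX_HOST_NAME_LEN` without reporting it, so an over-long fqdn would be stored under a truncated key; a warning there would help as well. `load_sni_config` continues past the end of this hunk.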
@@ -167,20 +203,50 @@ SNIConfigParams::load_certs_if_client_cert_specified(YamlSNIConfig::Item const &
 return true;
 }
+/**
+ CAVEAT: the "fqdn" field in the sni.yaml accepts wildcards (*), but it has a negative performance impact.
+ */
 std::pair<const ActionVector *, ActionItem::Context>
 SNIConfigParams::get(std::string_view servername, in_port_t dest_incoming_port) const
 {
+ const ActionElement *element = nullptr;
+
+ // Check for exact matches
+ char lower_case_name[TS_MAX_HOST_NAME_LEN + 1];
+ ts::transform_lower(servername, lower_case_name);
+
+ Debug("sni", "lower_case_name=%s", lower_case_name);
+
+ auto range = sni_action_map.equal_range(lower_case_name);
+ for (auto it = range.first; it != range.second; ++it) {
+ Debug("sni", "match with %s", it->first.c_str());
+
+ if (!is_port_in_the_ranges(it->second.inbound_port_ranges, dest_incoming_port)) {
+ continue;
+ }
+
+ const ActionElement *candidate = &it->second;
+ if (element == nullptr) {
+ element = candidate;
+ } else if (candidate->rank < element->rank) {
+ element = &it->second;
+ }
+ }
+
+ // Check for wildcard matches
 int ovector[OVECSIZE];
 for (auto const &retval : sni_action_list) {
+ if (element != nullptr && element->rank < retval.rank) {
+ break;
+ }
+
 int length = servername.length();
 if (retval.match == nullptr && length == 0) {
 return {&retval.actions, {}};
 } else if (auto offset = pcre_exec(retval.match.get(), nullptr, servername.data(), length, 0, 0, ovector, OVECSIZE); offset >= 0) {
- if (std::none_of(
- retval.inbound_port_ranges.begin(), retval.inbound_port_ranges.end(),
- [dest_incoming_port](ts::port_range_t const &port_range) { return port_range.contains(dest_incoming_port); })) {
+ if (!is_port_in_the_ranges(retval.inbound_port_ranges, dest_incoming_port)) {
 continue;
 }
 if (offset == 1) {
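Review bot: The new header comment on `get` says wildcards are slow but not how precedence is resolved, which is what an operator writing sni.yaml needs: the exact map is probed with the lower-cased name, the earliest (lowest `rank`) port-matching exact entry is kept, and the wildcard list is then scanned in file order only up to that rank, so a wildcard entry wins over an exact one only when it appears earlier in sni.yaml; please say that in the comment in place of the one-line CAVEAT. The two `Debug("sni", …)` calls use the legacy macro and a fresh tag while this file otherwise uses `Dbg(dbg_ctl_ssl_sni, …)` with the `ssl_sni` control declared above; prefer `Dbg(dbg_ctl_ssl_sni, "lower_case_name=%s", lower_case_name);` (the unit-test main in this commit enables the `sni` tag and would need the same change). The exact path compares the lower-cased name, but `pcre_exec` still receives the original `servername`, so wildcard matching stays case-sensitive unless the patterns are compiled caseless, which is not visible here. In the inner loop `element = &it->second;` is the same pointer as the `candidate` already in hand. `get` continues past the end of this hunk.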
@@ -209,7 +275,12 @@ SNIConfigParams::get(std::string_view servername, in_port_t dest_incoming_port)
 return {&retval.actions, {std::move(groups)}};
 }
 }
- return {nullptr, {}};
+
+ if (element != nullptr) {
+ return {&element->actions, {}};
+ } else {
+ return {nullptr, {}};
+ }
 }
 bool
@@ -251,7 +322,7 @@ SNIConfigParams::initialize(std::string const &sni_filename)
 SNIConfigParams::~SNIConfigParams()
 {
- // sni_action_list and next_hop_list should cleanup with the params object
+ // sni_action_map, sni_action_list and next_hop_list should cleanup with the params object
 }
 ////
diff --git a/iocore/net/SSLSNIConfig.h b/iocore/net/SSLSNIConfig.h
index 6affb09d9f..88c714a26c 100644
--- a/iocore/net/SSLSNIConfig.h
+++ b/iocore/net/SSLSNIConfig.h
@@ -30,6 +30,8 @@
 ****************************************************************************/
 #pragma once
+#include <string>
+#include <unordered_map>
 #include <vector>
 #include <string_view>
 #include <strings.h>
@@ -74,6 +76,8 @@ struct NamedElement {
 std::vector<ts::port_range_t> inbound_port_ranges;
 std::unique_ptr<pcre, PcreFreer> match;
+
+ uint32_t rank = 0; ///< order of the config. smaller is higher.
 };
 struct ActionElement : public NamedElement {
@@ -84,9 +88,6 @@ struct NextHopItem : public NamedElement {
 NextHopProperty prop;
 };
-using SNIList = std::vector<ActionElement>;
-using NextHopPropertyList = std::vector<NextHopItem>;
-
 class SNIConfigParams : public ConfigInfo
 {
 public:
@@ -102,8 +103,9 @@ public:
 bool load_sni_config();
 std::pair<const ActionVector *, ActionItem::Context> get(std::string_view servername, uint16_t dest_incoming_port) const;
- SNIList sni_action_list;
- NextHopPropertyList next_hop_list;
+ std::unordered_multimap<std::string, ActionElement> sni_action_map; ///< for exact fqdn matching
+ std::vector<ActionElement> sni_action_list; ///< for regex fqdn matching
+ std::vector<NextHopItem> next_hop_list;
 YamlSNIConfig yaml_sni;
 private:
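Review bot: The doc on `rank`, `order of the config. smaller is higher.`, is ambiguous about what "higher" refers to; since `SNIConfigParams::get` prefers the lower value, write `///< Position of the entry in sni.yaml; a lower value takes precedence in SNIConfigParams::get().`. `uint32_t` is introduced into the header while the include hunk adds only `<string>` and `<unordered_map>`; unless `<cstdint>` arrives through another header not shown here, include it explicitly. The `sni_action_map` comment should also say that its keys are the lower-cased fqdn, because `get` looks up a lower-cased name and duplicate keys are allowed, e.g. `///< exact (lower-cased) fqdn -> actions; duplicates are resolved by rank`.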
diff --git a/iocore/net/unit_tests/sni_conf_test.yaml b/iocore/net/unit_tests/sni_conf_test.yaml index 84123c675c..d8b264a503 100644 --- a/iocore/net/unit_tests/sni_conf_test.yaml +++ b/iocore/net/unit_tests/sni_conf_test.yaml @@ -25,3 +25,14 @@ sni: inbound_port_ranges: 8080-65535 - fqdn: oneport.com inbound_port_ranges: 433 + +# order check +- fqdn: foo.bar.com + http2: true + http2_buffer_water_mark: 256 + http2_initial_window_size_in: 256 +- fqdn: "*.bar.com" + http2: true + http2_buffer_water_mark: 256 +- fqdn: foo.bar.com + http2: false diff --git a/iocore/net/unit_tests/test_SSLSNIConfig.cc b/iocore/net/unit_tests/test_SSLSNIConfig.cc index 7d50bf3b1b..e7f24c7bb2 100644 --- a/iocore/net/unit_tests/test_SSLSNIConfig.cc +++ b/iocore/net/unit_tests/test_SSLSNIConfig.cc @@ -37,7 +37,7 @@ TEST_CASE("Test SSLSNIConfig") { SNIConfigParams params; - params.initialize(_XSTR(LIBINKNET_UNIT_TEST_DIR) "/sni_conf_test.yaml"); + REQUIRE(params.initialize(_XSTR(LIBINKNET_UNIT_TEST_DIR) "/sni_conf_test.yaml")); SECTION("The config does not match any SNIs for someport.com:577") { @@ -105,4 +105,12 @@ TEST_CASE("Test SSLSNIConfig") REQUIRE(actions.first); REQUIRE(actions.first->size() == 3); } + + SECTION("Matching order") + { + std::string_view target = "foo.bar.com"; + auto const &actions{params.get(target, 443)}; + REQUIRE(actions.first); + REQUIRE(actions.first->size() == 5); ///< three H2 config + early data + fqdn + } } diff --git a/iocore/net/unit_tests/test_YamlSNIConfig.cc b/iocore/net/unit_tests/test_YamlSNIConfig.cc index 7cefd9f273..ad1b3f217d 100644 --- a/iocore/net/unit_tests/test_YamlSNIConfig.cc +++ b/iocore/net/unit_tests/test_YamlSNIConfig.cc @@ -55,7 +55,7 @@ TEST_CASE("YamlSNIConfig sets port ranges appropriately") FAIL(errorstream.str()); } REQUIRE(zret.isOK()); - REQUIRE(conf.items.size() == 4); + REQUIRE(conf.items.size() == 7); SECTION("If no ports were specified, port range should contain all ports.") { 
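Review bot: `///<` on the `REQUIRE(actions.first->size() == 5)` line is a Doxygen member-annotation marker, not a plain comment; use `// three H2 config + early data + fqdn`. The assertion checks only the action count, so it would not distinguish "the first `foo.bar.com` entry won" from some other combination that happens to total five; if the action items expose their settings, asserting on one of them (for instance the http2 value) would pin the order directly. This "Matching order" section is the only test of the new rank logic in the commit, so it is worth making unambiguous.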
diff --git a/iocore/net/unit_tests/unit_test_main.cc b/iocore/net/unit_tests/unit_test_main.cc index 701b818c43..42ec30bc89 100644 --- a/iocore/net/unit_tests/unit_test_main.cc +++ b/iocore/net/unit_tests/unit_test_main.cc @@ -46,6 +46,11 @@ public: Layout::create(); BaseLogFile *base_log_file = new BaseLogFile("stderr"); DiagsPtr::set(new Diags(testRunInfo.name, "" /* tags */, "" /* actions */, base_log_file)); + + diags()->activate_taglist("sni", DiagsTagType_Debug); + diags()->config.enabled(DiagsTagType_Debug, 0); // set 1 if you want to see debug log + diags()->show_location = SHOW_LOCATION_DEBUG; + RecProcessInit(); LibRecordsConfigInit(); diff --git a/tests/gold_tests/h2/h2disable.test.py b/tests/gold_tests/h2/h2disable.test.py index e7cb6649be..355a70e4f0 100644 --- a/tests/gold_tests/h2/h2disable.test.py +++ b/tests/gold_tests/h2/h2disable.test.py @@ -57,7 +57,7 @@ ts.Disk.sni_yaml.AddLines([ 'sni:', '- fqdn: bar.com', ' http2: off', - '- fqdn: bob.*.com', + '- fqdn: "*.foo.com"', ' http2: off', ]) diff --git a/tests/gold_tests/h2/h2disable_no_accept_threads.test.py b/tests/gold_tests/h2/h2disable_no_accept_threads.test.py index a332bdcd9c..2a00febe85 100644 --- a/tests/gold_tests/h2/h2disable_no_accept_threads.test.py +++ b/tests/gold_tests/h2/h2disable_no_accept_threads.test.py @@ -57,7 +57,7 @@ ts.Disk.sni_yaml.AddLines([ 'sni:', '- fqdn: bar.com', ' http2: off', - '- fqdn: bob.*.com', + '- fqdn: "*.foo.com"', ' http2: off', ]) diff --git a/tests/gold_tests/h2/h2enable.test.py b/tests/gold_tests/h2/h2enable.test.py index d0bdba79ec..fd669f1dec 100644 --- a/tests/gold_tests/h2/h2enable.test.py +++ b/tests/gold_tests/h2/h2enable.test.py @@ -57,7 +57,7 @@ ts.Disk.sni_yaml.AddLines([ 'sni:', '- fqdn: bar.com', ' http2: on', - '- fqdn: bob.*.com', + '- fqdn: "*.foo.com"', ' http2: on', ]) diff --git a/tests/gold_tests/h2/h2enable_no_accept_threads.test.py b/tests/gold_tests/h2/h2enable_no_accept_threads.test.py index 91af61f15e..b756ba25ce 100644 
--- a/tests/gold_tests/h2/h2enable_no_accept_threads.test.py +++ b/tests/gold_tests/h2/h2enable_no_accept_threads.test.py @@ -57,7 +57,7 @@ ts.Disk.sni_yaml.AddLines([ 'sni:', '- fqdn: bar.com', ' http2: on', - '- fqdn: bob.*.com', + '- fqdn: "*.foo.com"', ' http2: on', ]) diff --git a/tests/gold_tests/tls/tls_client_cert2.test.py b/tests/gold_tests/tls/tls_client_cert2.test.py index c2f460d217..d7a5c3484a 100644 --- a/tests/gold_tests/tls/tls_client_cert2.test.py +++ b/tests/gold_tests/tls/tls_client_cert2.test.py @@ -95,9 +95,9 @@ ts.Disk.sni_yaml.AddLines([ '- fqdn: bob.bar.com', ' client_cert: signed-bar.pem', ' client_key: signed-bar.key', - '- fqdn: bob.*.com', + '- fqdn: "bob.foo.com"', ' client_cert: {0}/combo-signed-foo.pem'.format(ts.Variables.SSLDir), - '- fqdn: "*bar.com"', + '- fqdn: "*.bar.com"', ' client_cert: {0}/signed2-bar.pem'.format(ts.Variables.SSLDir), ' client_key: {0}/signed-bar.key'.format(ts.Variables.SSLDir), '- fqdn: "foo.com"', diff --git a/tests/gold_tests/tls/tls_client_cert2_plugin.test.py b/tests/gold_tests/tls/tls_client_cert2_plugin.test.py index 843606b101..a74ac1a5de 100644 --- a/tests/gold_tests/tls/tls_client_cert2_plugin.test.py +++ b/tests/gold_tests/tls/tls_client_cert2_plugin.test.py @@ -104,9 +104,9 @@ ts.Disk.sni_yaml.AddLines([ '- fqdn: bob.bar.com', ' client_cert: {0}/../signed-bar.pem'.format(ts.Variables.SSLDir), ' client_key: {0}/../signed-bar.key'.format(ts.Variables.SSLDir), - '- fqdn: bob.*.com', + '- fqdn: "bob.foo.com"', ' client_cert: {0}/../combo-signed-foo.pem'.format(ts.Variables.SSLDir), - '- fqdn: "*bar.com"', + '- fqdn: "*.bar.com"', ' client_cert: {0}/../signed2-bar.pem'.format(ts.Variables.SSLDir), ' client_key: {0}/../signed-bar.key'.format(ts.Variables.SSLDir), '- fqdn: "foo.com"', diff --git a/tests/gold_tests/tls/tls_client_verify.test.py b/tests/gold_tests/tls/tls_client_verify.test.py index e94268f2ea..8562e3cd00 100644 --- a/tests/gold_tests/tls/tls_client_verify.test.py 
+++ b/tests/gold_tests/tls/tls_client_verify.test.py @@ -65,9 +65,9 @@ ts.Disk.sni_yaml.AddLines([ ' verify_client: NONE', '- fqdn: "bob.com"', ' verify_client: STRICT', - '- fqdn: bob.*.com', + '- fqdn: "*.foo.com"', ' verify_client: NONE', - '- fqdn: "*bar.com"', + '- fqdn: "*.bar.com"', ' verify_client: STRICT', ]) @@ -205,10 +205,10 @@ tr.Processes.Default.Command = "curl --tls-max 1.2 -k --resolve 'bob.com:{0}:127 ts.Variables.ssl_port) tr.Processes.Default.ReturnCode = 35 -tr = Test.AddTestRun("Connect to bob.com.com without cert, should succeed") +tr = Test.AddTestRun("Connect to bob.foo.com without cert, should succeed") tr.StillRunningAfter = ts tr.StillRunningAfter = server -tr.Processes.Default.Command = "curl --tls-max 1.2 -k --resolve 'bob.com.com:{0}:127.0.0.1' https://bob.com.com:{0}/case14".format( +tr.Processes.Default.Command = "curl --tls-max 1.2 -k --resolve 'bob.foo.com:{0}:127.0.0.1' https://bob.foo.com:{0}/case14".format( ts.Variables.ssl_port) tr.Processes.Default.ReturnCode = 0 diff --git a/tests/gold_tests/tls/tls_client_verify2.test.py b/tests/gold_tests/tls/tls_client_verify2.test.py index 32042c0344..27c6cbd57e 100644 --- a/tests/gold_tests/tls/tls_client_verify2.test.py +++ b/tests/gold_tests/tls/tls_client_verify2.test.py @@ -61,9 +61,9 @@ ts.Disk.sni_yaml.AddLines([ 'sni:', '- fqdn: bob.bar.com', ' verify_client: STRICT', - '- fqdn: bob.*.com', + '- fqdn: "*.foo.com"', ' verify_client: STRICT', - '- fqdn: "*bar.com"', + '- fqdn: "*.bar.com"', ' verify_client: NONE', ]) diff --git a/tests/gold_tests/tls/tls_tunnel.test.py b/tests/gold_tests/tls/tls_tunnel.test.py index af4cd8f715..938ee27b74 100644 --- a/tests/gold_tests/tls/tls_tunnel.test.py +++ b/tests/gold_tests/tls/tls_tunnel.test.py 
@@ -93,22 +93,24 @@ ts.Disk.sni_yaml.AddLines([ 'sni:', '- fqdn: foo.com', " tunnel_route: localhost:{0}".format(server_foo.Variables.SSL_Port), - "- fqdn: bob.*.com", + "- fqdn: '*.bar.com'", " tunnel_route: localhost:{0}".format(server_foo.Variables.SSL_Port), "- fqdn: '*.match.com'", " tunnel_route: $1.testmatch:{0}".format(server_foo.Variables.SSL_Port), - "- fqdn: '*.ok.*.com'", - " tunnel_route: $2.example.$1:{0}".format(server_foo.Variables.SSL_Port), + "- fqdn: '*.ok.two.com'", + " tunnel_route: two.example.$1:{0}".format(server_foo.Variables.SSL_Port), "- fqdn: ''", # No SNI sent " tunnel_route: localhost:{0}".format(server_bar.Variables.SSL_Port), "- fqdn: 'incoming.port.com'", " tunnel_route: backend.incoming.port.com:{inbound_local_port}", "- fqdn: 'proxy.protocol.port.com'", " tunnel_route: backend.proxy.protocol.port.com:{proxy_protocol_port}", - "- fqdn: '*.*.incoming.port.com'", - " tunnel_route: backend.$1.$2.incoming.port.com:{inbound_local_port}", - "- fqdn: '*.*.proxy.protocol.port.com'", - " tunnel_route: backend.$1.$2.proxy.protocol.port.com:{proxy_protocol_port}", + "- fqdn: '*.backend.incoming.port.com'", + " tunnel_route: backend.$1.incoming.port.com:{inbound_local_port}", + "- fqdn: '*.with.incoming.port.com'", + " tunnel_route: backend.$1.with.incoming.port.com:{inbound_local_port}", + "- fqdn: '*.with.proxy.protocol.port.com'", + " tunnel_route: backend.$1.with.proxy.protocol.port.com:{proxy_protocol_port}", ]) tr = Test.AddTestRun("foo.com Tunnel-test") diff --git a/tests/gold_tests/tls/tls_verify3.test.py b/tests/gold_tests/tls/tls_verify3.test.py index 4e4db2bd9a..53678d1517 100644 --- a/tests/gold_tests/tls/tls_verify3.test.py +++ b/tests/gold_tests/tls/tls_verify3.test.py 
@@ -86,10 +86,10 @@ ts.Disk.sni_yaml.AddLines([ '- fqdn: bob.bar.com', ' verify_server_policy: ENFORCED', ' verify_server_properties: ALL', - '- fqdn: bob.*.com', + '- fqdn: "*.foo.com"', ' verify_server_policy: ENFORCED', ' verify_server_properties: SIGNATURE', - "- fqdn: '*bar.com'", + "- fqdn: '*.bar.com'", ' verify_server_policy: DISABLED', ]) @@ -108,8 +108,8 @@ tr.StillRunningAfter = server tr.StillRunningAfter = ts tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Curl attempt should have succeeded") -tr = Test.AddTestRun("my.foo.com Permissive-Test log failure") -tr.Processes.Default.Command = "curl -v -k --resolve 'my.foo.com:{0}:127.0.0.1' https://my.foo.com:{0}".format( +tr = Test.AddTestRun("my.random.com Permissive-Test log failure") +tr.Processes.Default.Command = "curl -v -k --resolve 'my.random.com:{0}:127.0.0.1' https://my.random.com:{0}".format( ts.Variables.ssl_port) tr.ReturnCode = 0 tr.StillRunningAfter = server @@ -146,5 +146,5 @@ tr3.StillRunningAfter = ts ts.Disk.diags_log.Content = Testers.ContainsExpression( r"WARNING: SNI \(bob.bar.com\) not in certificate", "Make sure bob.bar name checked failed.") ts.Disk.diags_log.Content += Testers.ContainsExpression( - r"WARNING: Core server certificate verification failed for \(my.foo.com\). Action=Continue", + r"WARNING: Core server certificate verification failed for \(my.random.com\). Action=Continue", "Make sure default permissive action takes")