From 90d4614d3bc938bf3a886306aef49ad090d8ffe7 Mon Sep 17 00:00:00 2001 From: Windom Date: Sun, 14 Apr 2024 11:59:50 +0800 Subject: [PATCH 1/6] T6226: add HAPROXY `tcp-request` related directive to load-balancing reverse proxy config when TCP mode and ssl is configed --- data/templates/load-balancing/haproxy.cfg.j2 | 10 +++++ .../cli/test_load-balancing_reverse-proxy.py | 44 +++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2 index 849cef74d0..a0803ae633 100644 --- a/data/templates/load-balancing/haproxy.cfg.j2 +++ b/data/templates/load-balancing/haproxy.cfg.j2 @@ -69,6 +69,16 @@ frontend {{ front }} {% endif %} {% if front_config.mode is vyos_defined %} mode {{ front_config.mode }} +{# add tcp-request related directive if ssl is configed #} +{% if front_config.mode is vyos_defined('tcp') and front_config.rule is vyos_defined %} +{% for rule, rule_config in front_config.rule.items() %} +{% if rule_config.ssl is vyos_defined %} + tcp-request inspect-delay 5s + tcp-request content accept if {{ "{" }} req_ssl_hello_type 1 {{ "}" }} +{% break %} +{% endif %} +{% endfor %} +{% endif %} {% endif %} {% if front_config.rule is vyos_defined %} {% for rule, rule_config in front_config.rule.items() %} diff --git a/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py index 97304da8bc..2a6e86488f 100755 --- a/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py +++ b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py 
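Review bot: The new `tcp-request content accept if { req_ssl_hello_type 1 }` line only fast-paths connections whose first bytes parse as a TLS ClientHello; a connection that sends anything else, or nothing at all, is still accepted implicitly once `inspect-delay` expires and then reaches the `use_backend` ACLs with no SNI to match, so it lands on whatever default backend the frontend has. If a TCP frontend with `ssl req-ssl-sni` rules is meant to carry TLS only, an explicit `tcp-request content reject if !{ req_ssl_hello_type 1 }` after the accept line makes that policy visible in the rendered config instead of relying on the fall-through; whether that matches the intended product behaviour I cannot tell from the hunk. `{% break %}` also requires Jinja's loopcontrols extension to be enabled in the environment — presumably vyos.template already does this, but worth confirming since the template will otherwise fail to compile. The same directive is rendered unchanged by the rebased copy of this hunk on L4.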
@@ -280,6 +280,50 @@ def test_03_lb_reverse_proxy_ca_not_exists(self): self.cli_set(base_path + ['backend', 'bk-01', 'ssl', 'ca-certificate', 'smoketest']) self.cli_commit() + def test_04_lb_reverse_proxy_tcp_mode(self): + frontend = 'tcp_8443' + mode = 'tcp' + front_port = '8433' + rule_thirty = '30' + domain_bk = 'n6.example.com' + ssl_opt = "req-ssl-sni" + bk_name = 'bk-03' + bk_server = '192.0.2.11' + bk_server_port = '9090' + + back_base = base_path + ['backend'] + + self.cli_set(base_path + ['service', frontend, 'mode', mode]) + self.cli_set(base_path + ['service', frontend, 'port', front_port]) + + self.cli_set(base_path + ['service', frontend, 'rule', rule_thirty, 'domain-name', domain_bk]) + self.cli_set(base_path + ['service', frontend, 'rule', rule_thirty, 'ssl', ssl_opt]) + self.cli_set(base_path + ['service', frontend, 'rule', rule_thirty, 'set', 'backend', bk_name]) + + self.cli_set(back_base + [bk_name, 'mode', mode]) + self.cli_set(back_base + [bk_name, 'server', bk_name, 'address', bk_server]) + self.cli_set(back_base + [bk_name, 'server', bk_name, 'port', bk_server_port]) + + # commit changes + self.cli_commit() + + config = read_file(HAPROXY_CONF) + + # Frontend + self.assertIn(f'frontend {frontend}', config) + self.assertIn(f'bind :::{front_port} v4v6', config) + self.assertIn(f'mode {mode}', config) + + self.assertIn(f'tcp-request inspect-delay', config) + self.assertIn(f"tcp-request content accept if {{ req_ssl_hello_type 1 }}", config) + self.assertIn(f'acl {rule_thirty} req_ssl_sni -i {domain_bk}', config) + self.assertIn(f'use_backend {bk_name} if {rule_thirty}', config) + + # Backend + self.assertIn(f'backend {bk_name}', config) + self.assertIn(f'balance roundrobin', config) + self.assertIn(f'mode {mode}', config) + self.assertIn(f'server {bk_name} {bk_server}:{bk_server_port}', config) if __name__ == '__main__': unittest.main(verbosity=2) From 3df443360aaea69f2b40ee70b99b7e18b5f929f3 Mon Sep 17 00:00:00 2001 
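Review bot: `self.assertIn(f'mode {mode}', config)` is asserted once under `# Frontend` and again under `# Backend`, but both search the whole file for the same substring, so the second assertion cannot fail once the frontend has rendered `mode tcp` and a backend silently rendered without it would pass; slicing the section first, `backend_section = config.split(f'backend {bk_name}', 1)[1]` and `self.assertIn(f'mode {mode}', backend_section)`, pins the backend. Several f-strings carry no placeholder (`f'tcp-request inspect-delay'`, `f'balance roundrobin'`) and should be plain literals. `frontend = 'tcp_8443'` next to `front_port = '8433'` reads like a transposed digit; harmless to the assertions but confusing to the next reader. The identical test body reappears in the rebased hunk on L6.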
From: Windom Date: Wed, 17 Apr 2024 07:57:44 +0800 Subject: [PATCH 2/6] T6226: move tcp-request inspect-delay in separate block; create new interface-definition for tcp-request --- data/templates/load-balancing/haproxy.cfg.j2 | 4 +++- .../include/haproxy/tcp-request.xml.i | 18 ++++++++++++++++++ .../load-balancing_reverse-proxy.xml.in | 1 + 3 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 interface-definitions/include/haproxy/tcp-request.xml.i diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2 index a0803ae633..533eab8a17 100644 --- a/data/templates/load-balancing/haproxy.cfg.j2 +++ b/data/templates/load-balancing/haproxy.cfg.j2 @@ -70,10 +70,12 @@ frontend {{ front }} {% if front_config.mode is vyos_defined %} mode {{ front_config.mode }} {# add tcp-request related directive if ssl is configed #} +{% if front_config["tcp-request"]["inspect-delay"] is vyos_defined %} + tcp-request inspect-delay {{ front_config["tcp-request"]["inspect-delay"] }} +{% endif %} {% if front_config.mode is vyos_defined('tcp') and front_config.rule is vyos_defined %} {% for rule, rule_config in front_config.rule.items() %} {% if rule_config.ssl is vyos_defined %} - tcp-request inspect-delay 5s tcp-request content accept if {{ "{" }} req_ssl_hello_type 1 {{ "}" }} {% break %} {% endif %} diff --git a/interface-definitions/include/haproxy/tcp-request.xml.i b/interface-definitions/include/haproxy/tcp-request.xml.i new file mode 100644 index 0000000000..26cced0625 --- /dev/null +++ b/interface-definitions/include/haproxy/tcp-request.xml.i @@ -0,0 +1,18 @@ + + + + tcp-request directive + + + + + Set the maximum allowed time to wait for data during content inspection + + u32:1-65535 + the timeout value specified in milliseconds + + + + + + diff --git a/interface-definitions/load-balancing_reverse-proxy.xml.in b/interface-definitions/load-balancing_reverse-proxy.xml.in index 2c2742dffb..fdd3f2f0b8 100644 
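Review bot: Moving `inspect-delay` behind `front_config["tcp-request"]["inspect-delay"]` makes it optional with no default, yet `tcp-request content accept if { req_ssl_hello_type 1 }` and the `req_ssl_sni` ACLs are still rendered for any tcp-mode rule with `ssl` set; a frontend configured with such a rule and no `tcp-request inspect-delay` renders content rules that are evaluated against an empty buffer, so as far as I recall HAProxy warns at load and every connection falls through to the default backend instead of being routed by SNI. Either give `inspect-delay` a `defaultValue` in the new `tcp-request.xml.i` (the previously hard-coded 5000 ms would preserve behaviour) or reject the combination in the config script's verify step. The block is also nested inside `{% if front_config.mode is vyos_defined %}`, so unless `mode` carries a default I cannot see here, a configured inspect-delay is silently dropped from the rendered config when `mode` is unset. The same two gaps are present in the rebased copy on L7 and in the final form on L10.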
--- a/interface-definitions/load-balancing_reverse-proxy.xml.in +++ b/interface-definitions/load-balancing_reverse-proxy.xml.in @@ -38,6 +38,7 @@ #include #include #include + #include Redirect HTTP to HTTPS From f9def9c1dc81a521fb61c8d49a5504824cdfdc04 Mon Sep 17 00:00:00 2001 From: Windom Date: Sun, 14 Apr 2024 11:59:50 +0800 Subject: [PATCH 3/6] T6226: add HAPROXY `tcp-request` related directive to load-balancing reverse proxy config when TCP mode and ssl is configed --- data/templates/load-balancing/haproxy.cfg.j2 | 10 ++++ .../cli/test_load-balancing_reverse-proxy.py | 46 +++++++++++++++++++ 2 files changed, 56 insertions(+) diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2 index 83008e50a0..5e39610a2f 100644 --- a/data/templates/load-balancing/haproxy.cfg.j2 +++ b/data/templates/load-balancing/haproxy.cfg.j2 @@ -69,6 +69,16 @@ frontend {{ front }} {% endif %} {% if front_config.mode is vyos_defined %} mode {{ front_config.mode }} +{# add tcp-request related directive if ssl is configed #} +{% if front_config.mode is vyos_defined('tcp') and front_config.rule is vyos_defined %} +{% for rule, rule_config in front_config.rule.items() %} +{% if rule_config.ssl is vyos_defined %} + tcp-request inspect-delay 5s + tcp-request content accept if {{ "{" }} req_ssl_hello_type 1 {{ "}" }} +{% break %} +{% endif %} +{% endfor %} +{% endif %} {% endif %} {% if front_config.rule is vyos_defined %} {% for rule, rule_config in front_config.rule.items() %} diff --git a/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py index 8ccf2cf97c..a0eb8b0b8d 100755 --- a/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py +++ b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py 
@@ -280,6 +280,7 @@ def test_03_lb_reverse_proxy_ca_not_exists(self): self.cli_set(base_path + ['backend', 'bk-01', 'ssl', 'ca-certificate', 'smoketest']) self.cli_commit() + def test_04_lb_reverse_proxy_backend_ssl_no_verify(self): # Setup base self.configure_pki() 
@@ -314,5 +315,50 @@ def test_05_lb_reverse_proxy_backend_http_check(self): self.assertIn('http-check send meth GET uri /health', config) self.assertIn('http-check expect status 200', config) + def test_05_lb_reverse_proxy_tcp_mode(self): + frontend = 'tcp_8443' + mode = 'tcp' + front_port = '8433' + rule_thirty = '30' + domain_bk = 'n6.example.com' + ssl_opt = "req-ssl-sni" + bk_name = 'bk-03' + bk_server = '192.0.2.11' + bk_server_port = '9090' + + back_base = base_path + ['backend'] + + self.cli_set(base_path + ['service', frontend, 'mode', mode]) + self.cli_set(base_path + ['service', frontend, 'port', front_port]) + + self.cli_set(base_path + ['service', frontend, 'rule', rule_thirty, 'domain-name', domain_bk]) + self.cli_set(base_path + ['service', frontend, 'rule', rule_thirty, 'ssl', ssl_opt]) + self.cli_set(base_path + ['service', frontend, 'rule', rule_thirty, 'set', 'backend', bk_name]) + + self.cli_set(back_base + [bk_name, 'mode', mode]) + self.cli_set(back_base + [bk_name, 'server', bk_name, 'address', bk_server]) + self.cli_set(back_base + [bk_name, 'server', bk_name, 'port', bk_server_port]) + + # commit changes + self.cli_commit() + + config = read_file(HAPROXY_CONF) + + # Frontend + self.assertIn(f'frontend {frontend}', config) + self.assertIn(f'bind :::{front_port} v4v6', config) + self.assertIn(f'mode {mode}', config) + + self.assertIn(f'tcp-request inspect-delay', config) + self.assertIn(f"tcp-request content accept if {{ req_ssl_hello_type 1 }}", config) + self.assertIn(f'acl {rule_thirty} req_ssl_sni -i {domain_bk}', config) + self.assertIn(f'use_backend {bk_name} if {rule_thirty}', config) + + # Backend + self.assertIn(f'backend {bk_name}', config) + self.assertIn(f'balance roundrobin', config) + self.assertIn(f'mode {mode}', config) + self.assertIn(f'server {bk_name} {bk_server}:{bk_server_port}', config) + if __name__ == '__main__': unittest.main(verbosity=2) From 332b4ccc106e48bb319a667bf4b8a89cda2a38bd Mon Sep 17 00:00:00 2001 
From: Windom Date: Wed, 17 Apr 2024 07:57:44 +0800 Subject: [PATCH 4/6] T6226: move tcp-request inspect-delay in separate block; create new interface-definition for tcp-request --- data/templates/load-balancing/haproxy.cfg.j2 | 4 +++- .../include/haproxy/tcp-request.xml.i | 18 ++++++++++++++++++ .../load-balancing_reverse-proxy.xml.in | 1 + 3 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 interface-definitions/include/haproxy/tcp-request.xml.i diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2 index 5e39610a2f..c0fef142cd 100644 --- a/data/templates/load-balancing/haproxy.cfg.j2 +++ b/data/templates/load-balancing/haproxy.cfg.j2 @@ -70,10 +70,12 @@ frontend {{ front }} {% if front_config.mode is vyos_defined %} mode {{ front_config.mode }} {# add tcp-request related directive if ssl is configed #} +{% if front_config["tcp-request"]["inspect-delay"] is vyos_defined %} + tcp-request inspect-delay {{ front_config["tcp-request"]["inspect-delay"] }} +{% endif %} {% if front_config.mode is vyos_defined('tcp') and front_config.rule is vyos_defined %} {% for rule, rule_config in front_config.rule.items() %} {% if rule_config.ssl is vyos_defined %} - tcp-request inspect-delay 5s tcp-request content accept if {{ "{" }} req_ssl_hello_type 1 {{ "}" }} {% break %} {% endif %} diff --git a/interface-definitions/include/haproxy/tcp-request.xml.i b/interface-definitions/include/haproxy/tcp-request.xml.i new file mode 100644 index 0000000000..26cced0625 --- /dev/null +++ b/interface-definitions/include/haproxy/tcp-request.xml.i @@ -0,0 +1,18 @@ + + + + tcp-request directive + + + + + Set the maximum allowed time to wait for data during content inspection + + u32:1-65535 + the timeout value specified in milliseconds + + + + + + diff --git a/interface-definitions/load-balancing_reverse-proxy.xml.in b/interface-definitions/load-balancing_reverse-proxy.xml.in index 645fe30c76..1b13c6f17e 100644 
--- a/interface-definitions/load-balancing_reverse-proxy.xml.in +++ b/interface-definitions/load-balancing_reverse-proxy.xml.in @@ -38,6 +38,7 @@ #include #include #include + #include Redirect HTTP to HTTPS From 06cdc907a62c4b7a4111b013f7bd7ea45fe725f7 Mon Sep 17 00:00:00 2001 From: Windom Date: Sat, 20 Apr 2024 09:14:17 +0800 Subject: [PATCH 5/6] T6226: move lb reverse-proxy tcp mode test to 06 --- .../cli/test_load-balancing_reverse-proxy.py | 47 +------------------ 1 file changed, 1 insertion(+), 46 deletions(-) diff --git a/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py index 5394ed5fbc..8afeca9f2f 100755 --- a/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py +++ b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py 
@@ -280,51 +280,6 @@ def test_03_lb_reverse_proxy_ca_not_exists(self): self.cli_set(base_path + ['backend', 'bk-01', 'ssl', 'ca-certificate', 'smoketest']) self.cli_commit() - def test_04_lb_reverse_proxy_tcp_mode(self): - frontend = 'tcp_8443' - mode = 'tcp' - front_port = '8433' - rule_thirty = '30' - domain_bk = 'n6.example.com' - ssl_opt = "req-ssl-sni" - bk_name = 'bk-03' - bk_server = '192.0.2.11' - bk_server_port = '9090' - - back_base = base_path + ['backend'] - - self.cli_set(base_path + ['service', frontend, 'mode', mode]) - self.cli_set(base_path + ['service', frontend, 'port', front_port]) - - self.cli_set(base_path + ['service', frontend, 'rule', rule_thirty, 'domain-name', domain_bk]) - self.cli_set(base_path + ['service', frontend, 'rule', rule_thirty, 'ssl', ssl_opt]) - self.cli_set(base_path + ['service', frontend, 'rule', rule_thirty, 'set', 'backend', bk_name]) - - self.cli_set(back_base + [bk_name, 'mode', mode]) - self.cli_set(back_base + [bk_name, 'server', bk_name, 'address', bk_server]) - self.cli_set(back_base + [bk_name, 'server', bk_name, 'port', bk_server_port]) - - # commit changes - self.cli_commit() - - config = read_file(HAPROXY_CONF) - - # Frontend - self.assertIn(f'frontend {frontend}', config) - self.assertIn(f'bind :::{front_port} v4v6', config) - self.assertIn(f'mode {mode}', config) - - self.assertIn(f'tcp-request inspect-delay', config) - self.assertIn(f"tcp-request content accept if {{ req_ssl_hello_type 1 }}", config) - self.assertIn(f'acl {rule_thirty} req_ssl_sni -i {domain_bk}', config) - self.assertIn(f'use_backend {bk_name} if {rule_thirty}', config) - - # Backend - self.assertIn(f'backend {bk_name}', config) - self.assertIn(f'balance roundrobin', config) - self.assertIn(f'mode {mode}', config) - self.assertIn(f'server {bk_name} {bk_server}:{bk_server_port}', config) - def test_04_lb_reverse_proxy_backend_ssl_no_verify(self): # Setup base self.configure_pki() 
@@ -359,7 +314,7 @@ def test_05_lb_reverse_proxy_backend_http_check(self): self.assertIn('http-check send meth GET uri /health', config) self.assertIn('http-check expect status 200', config) - def test_05_lb_reverse_proxy_tcp_mode(self): + def test_06_lb_reverse_proxy_tcp_mode(self): frontend = 'tcp_8443' mode = 'tcp' front_port = '8433' From 124957f9a085764cb411fc3b3b830970af5a39b2 Mon Sep 17 00:00:00 2001 From: WindomWU Date: Sun, 21 Apr 2024 02:56:32 +0800 Subject: [PATCH 6/6] T6226: update test case, fix haproxy j2 template variable --- data/templates/load-balancing/haproxy.cfg.j2 | 6 +++--- smoketest/scripts/cli/test_load-balancing_reverse-proxy.py | 4 +++- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2 index c0fef142cd..b09c1f0340 100644 --- a/data/templates/load-balancing/haproxy.cfg.j2 +++ b/data/templates/load-balancing/haproxy.cfg.j2 @@ -70,13 +70,13 @@ frontend {{ front }} {% if front_config.mode is vyos_defined %} mode {{ front_config.mode }} {# add tcp-request related directive if ssl is configed #} -{% if front_config["tcp-request"]["inspect-delay"] is vyos_defined %} - tcp-request inspect-delay {{ front_config["tcp-request"]["inspect-delay"] }} +{% if front_config.tcp_request.inspect_delay is vyos_defined %} + tcp-request inspect-delay {{ front_config.tcp_request.inspect_delay }} {% endif %} {% if front_config.mode is vyos_defined('tcp') and front_config.rule is vyos_defined %} {% for rule, rule_config in front_config.rule.items() %} {% if rule_config.ssl is vyos_defined %} - tcp-request content accept if {{ "{" }} req_ssl_hello_type 1 {{ "}" }} + tcp-request content accept if { req_ssl_hello_type 1 } {% break %} {% endif %} {% endfor %} diff --git a/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py index 8afeca9f2f..00bfbf71b0 100755 
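Review bot: The comment `{# add tcp-request related directive if ssl is configed #}` is now stale: the `inspect-delay` block directly below it renders whenever `front_config.tcp_request.inspect_delay` is set, independent of any `ssl` rule, and only the `content accept` block further down is tied to ssl; `{# inspect-delay whenever configured; content accept only for tcp-mode frontends with an ssl rule #}` would describe the rendered output. Switching from `{{ "{" }}` to a bare `{` is safe here since Jinja only treats `{{`, `{%` and `{#` as delimiters, so the rendered line is byte-identical. The enclosing `frontend {{ front }}` block starts before and ends after this hunk.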
--- a/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py +++ b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py @@ -318,6 +318,7 @@ def test_06_lb_reverse_proxy_tcp_mode(self): frontend = 'tcp_8443' mode = 'tcp' front_port = '8433' + tcp_request_delay = "5000" rule_thirty = '30' domain_bk = 'n6.example.com' ssl_opt = "req-ssl-sni" @@ -329,6 +330,7 @@ def test_06_lb_reverse_proxy_tcp_mode(self): self.cli_set(base_path + ['service', frontend, 'mode', mode]) self.cli_set(base_path + ['service', frontend, 'port', front_port]) + self.cli_set(base_path + ['service', frontend, 'tcp-request', 'inspect-delay', tcp_request_delay]) self.cli_set(base_path + ['service', frontend, 'rule', rule_thirty, 'domain-name', domain_bk]) self.cli_set(base_path + ['service', frontend, 'rule', rule_thirty, 'ssl', ssl_opt]) @@ -348,7 +350,7 @@ def test_06_lb_reverse_proxy_tcp_mode(self): self.assertIn(f'bind :::{front_port} v4v6', config) self.assertIn(f'mode {mode}', config) - self.assertIn(f'tcp-request inspect-delay', config) + self.assertIn(f'tcp-request inspect-delay {tcp_request_delay}', config) self.assertIn(f"tcp-request content accept if {{ req_ssl_hello_type 1 }}", config) self.assertIn(f'acl {rule_thirty} req_ssl_sni -i {domain_bk}', config) self.assertIn(f'use_backend {bk_name} if {rule_thirty}', config)
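Review bot: The updated assertion `self.assertIn(f'tcp-request inspect-delay {tcp_request_delay}', config)` only covers the case where the delay is configured; nothing exercises a tcp frontend whose rule has `ssl req-ssl-sni` but no `tcp-request inspect-delay`, which is the combination most likely to be misconfigured and the one whose rendered output or commit-time rejection the template change needs to pin down. A second case, or a `cli_commit` expected to raise inside `with self.assertRaises(ConfigSessionError):` if verify rejects it, would close that gap; I cannot see whether such a verify check exists. `tcp_request_delay = "5000"` passes a bare number through to HAProxy, which reads it as milliseconds, matching the help text in `tcp-request.xml.i`; the double quotes are inconsistent with the single-quoted siblings two lines up. `test_06_lb_reverse_proxy_tcp_mode` starts before the first of these hunks and ends after the last.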