From 7ca002f663f450be0e42ebee592842731f263543 Mon Sep 17 00:00:00 2001
From: Francesco Giacomini <francesco.giacomini@cnaf.infn.it>
Date: Tue, 14 Jan 2020 15:03:27 +0100
Subject: [PATCH 1/3] test file Note that This test is always successful because, for some reason (a bug?) the error.log as seen in Test::Nginx doesn't contain the entries for the master process, although they are evailable in the actual file. As a consequence the no_error_log check is always satisfied, even if the segmentation fault were present
---
t/ssl_log_voms_plain_http.t | 61 +++++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 t/ssl_log_voms_plain_http.t
diff --git a/t/ssl_log_voms_plain_http.t b/t/ssl_log_voms_plain_http.t
new file mode 100644
index 0000000..1989c41
--- /dev/null
+++ b/t/ssl_log_voms_plain_http.t
@@ -0,0 +1,61 @@
+
+# This test is always successful because, for some reason (a bug?)
+# the error.log as seen in Test::Nginx doesn't contain the entries for
+# the master process, although they are evailable in the actual file.
+# As a consequence the no_error_log check is always satisfied,
+# even if the segmentation fault were present
+
+use Test::Nginx::Socket 'no_plan';
+
+master_on();
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: SSL server, logging a VOMS variabile, but plain HTTP request
+--- main_config
+ env X509_VOMS_DIR=t/vomsdir;
+--- http_config
+ log_format voms '$remote_addr - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent" '
+ '[$voms_user]';
+ server {
+ error_log logs/error.log debug;
+ access_log logs/access.log voms;
+ listen 8443 ssl;
+ ssl_certificate ../../certs/nginx_voms_example.cert.pem;
+ ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
+ ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
+ ssl_verify_depth 10;
+ location = / {
+ default_type text/plain;
+ echo $voms_user;
+ }
+ }
+--- config
+ location = /lua {
+ error_log logs/error-proxy.log debug;
+ access_log logs/access-proxy.log;
+ content_by_lua_block {
+ local sock = ngx.socket.tcp()
+ local ok, err = sock:connect("127.0.0.1", 8443)
+ if not ok then
+ ngx.say("failed to connect to upstream: ", err)
+ return
+ end
+ ngx.say("successfully connected to upstream!")
+ sock:send("G")
+ sock:close()
+ }
+ }
+--- request
+GET /lua
+--- error_log
+client prematurely closed connection
+retrieve_voms_ac_from_proxy
+plain http
+--- no_error_log
+signal 11
+--- error_code: 200
-- 
GitLab
From 9c2130f5858aba2488619e853ddd06875f2ac5aa Mon Sep 17 00:00:00 2001
From: Francesco Giacomini <francesco.giacomini@cnaf.infn.it>
Date: Tue, 14 Jan 2020 15:05:38 +0100
Subject: [PATCH 2/3] check that it's an SSL connection fix issue #26
---
src/ngx_http_voms_module.cpp | 5 +++++
1 file changed, 5 insertions(+)
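Review bot: None of the `--- error_log` patterns can fail if the crash on a connection without TLS comes back, so, as the header comment itself admits, this test passes with or without the fix. Once patch 2/3 is applied the guard writes its own entry, so add `plain HTTP request` under `--- error_log`; the existing lowercase `plain http` would not match that entry if string patterns are compared case-sensitively, and presumably matches an nginx debug line instead. The guard's entry is written through `r->connection->log` on the request path, so it should appear in the log this test reads rather than among the master-process entries the comment says are missing; confirm by checking that the extended test fails against the module without the guard.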
diff --git a/src/ngx_http_voms_module.cpp b/src/ngx_http_voms_module.cpp index 29ae6a9..bee998f 100644 --- a/src/ngx_http_voms_module.cpp +++ b/src/ngx_http_voms_module.cpp @@ -266,6 +266,11 @@ static MaybeVomsAc retrieve_voms_ac_from_proxy(ngx_http_request_t* r) return boost::none; } + if (!r->connection->ssl) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "plain HTTP request"); + return boost::none; + } + auto client_cert = X509Ptr{ SSL_get_peer_certificate(r->connection->ssl->connection), X509_free}; if (!client_cert) { -- GitLab From c90b97267d65aedbbf2271ac2aae34caab233bc8 Mon Sep 17 00:00:00 2001 From: Francesco Giacomini <francesco.giacomini@cnaf.infn.it> Date: Tue, 14 Jan 2020 15:06:19 +0100 Subject: [PATCH 3/3] formatting --- t/no_ssl.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/no_ssl.t b/t/no_ssl.t index ea3fea8..c4ef07e 100644 --- a/t/no_ssl.t +++ b/t/no_ssl.t @@ -12,7 +12,7 @@ __DATA__ server { error_log logs/error.log debug; listen 8443; - location = / { + location = / { default_type text/plain; echo $voms_user; } -- GitLab
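Review bot: The new guard logs at `NGX_LOG_ERR` for a condition that any unauthenticated client can trigger by sending plain HTTP to the TLS port, so a remote peer can add error-level lines to error.log at will and bury real faults. A lower level suits a client-side mistake, and a module prefix keeps the entry distinguishable from nginx's own plain-HTTP messages: `ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, "voms: plain HTTP request, no SSL connection");`. If this function runs once per VOMS variable (not visible in the hunk), the line would also repeat within a single request. A comment above the check such as `// r->connection->ssl is null for a connection without TLS (plain HTTP request, issue #26)` would record why the guard exists; the body of `retrieve_voms_ac_from_proxy` starts and ends outside the hunk.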