Add basic testing of haproxy

This covers both front- and back-end TLS.  The back-end server is
`openssl s_server`.  We also test the front-end separately using the
stats interface, to reduce the number of things tested at once.

Author: ctz

.github/workflows/libssl.yaml

@@ -32,8 +32,8 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Install build dependencies
-        run: sudo apt-get update && sudo apt-get install -y openssl libssl3 libssl-dev lld
+      - name: Install build + integration test dependencies
+        run: sudo apt-get update && sudo apt-get install -y openssl libssl3 libssl-dev lld haproxy
 
       - name: Install ${{ matrix.rust }} toolchain
         uses: dtolnay/rust-toolchain@master
@@ -68,8 +68,8 @@ jobs:
         uses: dtolnay/rust-toolchain@stable
       - name: Install valgrind
         run: sudo apt-get update && sudo apt-get install -y valgrind
-      - name: Install build dependencies
-        run: sudo apt-get update && sudo apt-get install -y openssl libssl3 libssl-dev lld
+      - name: Install build + integration test dependencies
+        run: sudo apt-get update && sudo apt-get install -y openssl libssl3 libssl-dev lld haproxy
       - run: VALGRIND="valgrind -q" make PROFILE=release test integration
 
   docs:
@@ -81,8 +81,8 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Install build dependencies
-        run: sudo apt-get update && sudo apt-get install -y openssl libssl3 libssl-dev lld
+      - name: Install build + integration test dependencies
+        run: sudo apt-get update && sudo apt-get install -y openssl libssl3 libssl-dev lld haproxy
 
       - name: Install rust toolchain
         uses: dtolnay/rust-toolchain@nightly

tests/haproxy.conf

@@ -0,0 +1,15 @@
+frontend f
+  bind :9443 ssl crt "test-ca/rsa/server.both"
+  stats enable
+  stats uri /monitor
+  stats refresh 5s
+  mode http
+  timeout client 10s
+  default_backend b
+
+backend b
+  mode http
+  timeout connect 10s
+  timeout server 10s
+  balance roundrobin
+  server s1 localhost:10443 ssl ca-file "test-ca/ecdsa-p256/ca.cert"

tests/runner.rs

@@ -781,6 +781,114 @@ fn nginx_version() -> (u32, u32) {
     )
 }
 
+#[test]
+#[ignore]
+fn haproxy() {
+    fs::write(
+        "test-ca/rsa/server.both",
+        (fs::read_to_string("test-ca/rsa/server.key").unwrap()
+            + &fs::read_to_string("test-ca/rsa/server.cert").unwrap())
+            .as_bytes(),
+    )
+    .unwrap();
+
+    let mut haproxy_server = KillOnDrop(Some(
+        Command::new("tests/maybe-valgrind.sh")
+            .args(["haproxy", "-VVV", "-dv", "--", "tests/haproxy.conf"])
+            .stdout(Stdio::piped())
+            .stderr(Stdio::piped())
+            .spawn()
+            .unwrap(),
+    ));
+    wait_for_port(9443);
+
+    // Check front-end TLS works via status monitor
+    assert!(Command::new("curl")
+        .env("LD_LIBRARY_PATH", "")
+        .args([
+            "-s",
+            "--cacert",
+            "test-ca/rsa/ca.cert",
+            "https://localhost:9443/monitor"
+        ])
+        .stdout(Stdio::piped())
+        .status()
+        .unwrap()
+        .success());
+
+    // Run backend server and check haproxy can connect
+    let backend = KillOnDrop(Some(
+        Command::new("openssl")
+            .env("LD_LIBRARY_PATH", "")
+            .args([
+                "s_server",
+                "-cert",
+                "test-ca/ecdsa-p256/server.cert",
+                "-key",
+                "test-ca/ecdsa-p256/server.key",
+                "-accept",
+                "localhost:10443",
+                "-www",
+            ])
+            .stdout(Stdio::piped())
+            .spawn()
+            .expect("failed to start openssl s_server"),
+    ));
+    wait_for_port(10443);
+
+    // Check frontend & backend TLS works
+    assert!(String::from_utf8(
+        Command::new("curl")
+            .env("LD_LIBRARY_PATH", "")
+            .args([
+                "-s",
+                "--cacert",
+                "test-ca/rsa/ca.cert",
+                "https://localhost:9443/",
+            ])
+            .stdout(Stdio::piped())
+            .output()
+            .map(print_output)
+            .unwrap()
+            .stdout
+            .clone(),
+    )
+    .expect("stdout contained invalid utf8")
+    .contains("Ciphers common between both SSL end points:"));
+
+    // And check it was actually talking to the backend
+    drop(backend);
+    assert!(String::from_utf8(
+        Command::new("curl")
+            .env("LD_LIBRARY_PATH", "")
+            .args([
+                "-s",
+                "--cacert",
+                "test-ca/rsa/ca.cert",
+                "https://localhost:9443/",
+            ])
+            .stdout(Stdio::piped())
+            .output()
+            .map(print_output)
+            .unwrap()
+            .stdout
+            .clone()
+    )
+    .expect("stdout contained invalid utf8")
+    .contains("503 Service Unavailable"));
+
+    // evaluate errors output by haproxy to stderr.
+    let mut child = haproxy_server.take_inner();
+    child.kill().unwrap();
+    let output = child.wait_with_output().unwrap();
+    let output = print_output(output);
+    let stderr =
+        String::from_utf8(output.stderr.clone()).expect("haproxy stderr is not valid utf8");
+
+    // eventually we will want there to be zero of these.
+    assert!(stderr.matches("OpenSSL error").count() > 0);
+}
+
 struct KillOnDrop(Option<Child>);
 
 impl KillOnDrop {