2
0

nginx.yml 9.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224
  1. name: nginx Tests
  2. # START OF COMMON SECTION
  3. on:
  4. push:
  5. branches: [ 'master', 'main', 'release/**' ]
  6. pull_request:
  7. branches: [ '*' ]
  8. concurrency:
  9. group: ${{ github.workflow }}-${{ github.ref }}
  10. cancel-in-progress: true
  11. # END OF COMMON SECTION
  12. jobs:
  13. build_wolfssl:
  14. name: Build wolfSSL
  15. # Just to keep it the same as the testing target
  16. runs-on: ubuntu-latest
  17. # This should be a safe limit for the tests to run.
  18. timeout-minutes: 4
  19. steps:
  20. - if: ${{ runner.debug }}
  21. name: Enable wolfSSL debug logging
  22. run: |
  23. # We don't use --enable-debug since it makes the logs too loud
  24. echo "wolf_debug_flags= CFLAGS='-g3 -O0'" >> $GITHUB_ENV
  25. - name: Build wolfSSL
  26. uses: wolfSSL/actions-build-autotools-project@v1
  27. with:
  28. path: wolfssl
  29. configure: --enable-nginx ${{ env.wolf_debug_flags }}
  30. install: true
  31. - name: tar build-dir
  32. run: tar -zcf build-dir.tgz build-dir
  33. - name: Upload built lib
  34. uses: actions/upload-artifact@v4
  35. with:
  36. name: wolf-install-nginx
  37. path: build-dir.tgz
  38. retention-days: 5
  39. nginx_check:
  40. strategy:
  41. fail-fast: false
  42. matrix:
  43. include:
  44. # in general we want to pass all tests that match *ssl*
  45. - ref: 1.25.0
  46. test-ref: 5b2894ea1afd01a26c589ce11f310df118e42592
  47. # Following tests pass with sanitizer on
  48. sanitize-ok: >-
  49. h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t h2_ssl_verify_client.t
  50. mail_imap_ssl.t mail_ssl_conf_command.t mail_ssl_session_reuse.t
  51. mail_ssl.t proxy_ssl_certificate_empty.t proxy_ssl_certificate.t
  52. proxy_ssl_certificate_vars.t proxy_ssl_conf_command.t proxy_ssl_name.t
  53. ssl_certificate_chain.t ssl_certificate_perl.t ssl_certificates.t
  54. ssl_certificate.t ssl_client_escaped_cert.t ssl_conf_command.t
  55. ssl_crl.t ssl_curve.t ssl_engine_keys.t ssl_ocsp.t ssl_password_file.t
  56. ssl_proxy_protocol.t ssl_proxy_upgrade.t ssl_reject_handshake.t
  57. ssl_session_reuse.t ssl_session_ticket_key.t ssl_sni_reneg.t
  58. ssl_sni_sessions.t ssl_sni.t ssl_stapling.t ssl.t ssl_verify_client.t
  59. ssl_verify_depth.t stream_proxy_ssl_certificate.t stream_proxy_ssl_certificate_vars.t
  60. stream_proxy_ssl_conf_command.t stream_proxy_ssl_name_complex.t
  61. stream_proxy_ssl_name.t stream_ssl_certificate.t stream_ssl_conf_command.t
  62. stream_ssl_preread_alpn.t stream_ssl_preread_protocol.t stream_ssl_preread.t
  63. stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t stream_ssl_variables.t
  64. stream_ssl_verify_client.t stream_upstream_zone_ssl.t upstream_zone_ssl.t
  65. uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t uwsgi_ssl.t
  66. uwsgi_ssl_verify.t
  67. # Following tests do not pass with sanitizer on (with OpenSSL too)
  68. sanitize-not-ok: >-
  69. grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
  70. proxy_request_buffering_ssl.t proxy_ssl_keepalive.t proxy_ssl.t
  71. proxy_ssl_verify.t stream_proxy_protocol_ssl.t stream_proxy_ssl.t
  72. stream_proxy_ssl_verify.t stream_ssl_alpn.t
  73. - ref: 1.24.0
  74. test-ref: 212d9d003886e3a24542855fb60355a417f037de
  75. # Following tests pass with sanitizer on
  76. sanitize-ok: >-
  77. h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t h2_ssl_verify_client.t
  78. mail_imap_ssl.t mail_ssl_conf_command.t mail_ssl_session_reuse.t mail_ssl.t
  79. proxy_ssl_certificate_empty.t proxy_ssl_certificate.t proxy_ssl_certificate_vars.t
  80. proxy_ssl_name.t ssl_certificate_chain.t ssl_certificate_perl.t ssl_certificates.t
  81. ssl_certificate.t ssl_client_escaped_cert.t ssl_conf_command.t ssl_crl.t
  82. ssl_engine_keys.t ssl_ocsp.t ssl_password_file.t ssl_proxy_protocol.t
  83. ssl_proxy_upgrade.t ssl_reject_handshake.t ssl_session_reuse.t
  84. ssl_session_ticket_key.t ssl_sni_reneg.t ssl_sni_sessions.t ssl_sni.t
  85. ssl_stapling.t ssl.t ssl_verify_client.t stream_proxy_ssl_certificate.t
  86. stream_proxy_ssl_certificate_vars.t stream_proxy_ssl_name_complex.t
  87. stream_proxy_ssl_name.t stream_ssl_alpn.t stream_ssl_certificate.t
  88. stream_ssl_conf_command.t stream_ssl_preread_alpn.t stream_ssl_preread_protocol.t
  89. stream_ssl_preread.t stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t
  90. stream_ssl_variables.t stream_ssl_verify_client.t stream_upstream_zone_ssl.t
  91. upstream_zone_ssl.t uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t
  92. uwsgi_ssl.t uwsgi_ssl_verify.t
  93. # Following tests do not pass with sanitizer on (with OpenSSL too)
  94. sanitize-not-ok: >-
  95. grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
  96. proxy_request_buffering_ssl.t proxy_ssl_conf_command.t proxy_ssl_keepalive.t
  97. proxy_ssl.t proxy_ssl_verify.t ssl_curve.t ssl_verify_depth.t
  98. stream_proxy_protocol_ssl.t stream_proxy_ssl_conf_command.t stream_proxy_ssl.t
  99. stream_proxy_ssl_verify.t
  100. name: ${{ matrix.ref }}
  101. runs-on: ubuntu-latest
  102. # This should be a safe limit for the tests to run.
  103. timeout-minutes: 6
  104. needs: build_wolfssl
  105. steps:
  106. - name: Download lib
  107. uses: actions/download-artifact@v4
  108. with:
  109. name: wolf-install-nginx
  110. - name: untar build-dir
  111. run: tar -xf build-dir.tgz
  112. - name: Install dependencies
  113. run: |
  114. sudo cpan -iT Proc::Find Net::SSLeay IO::Socket::SSL
  115. - name: Checkout wolfssl-nginx
  116. uses: actions/checkout@v4
  117. with:
  118. repository: wolfssl/wolfssl-nginx
  119. path: wolfssl-nginx
  120. - name: Checkout nginx
  121. uses: actions/checkout@v4
  122. with:
  123. repository: nginx/nginx
  124. path: nginx
  125. ref: release-${{ matrix.ref }}
  126. - name: Apply nginx patch
  127. working-directory: nginx
  128. run: patch -p1 < ../wolfssl-nginx/nginx-${{ matrix.ref }}-wolfssl.patch
  129. - if: ${{ runner.debug }}
  130. name: Apply nginx debug patch
  131. working-directory: nginx
  132. run: patch -p1 < ../wolfssl-nginx/nginx-${{ matrix.ref }}-wolfssl-debug.patch
  133. - name: Checkout nginx-tests
  134. uses: actions/checkout@v4
  135. with:
  136. repository: nginx/nginx-tests
  137. path: nginx-tests
  138. ref: ${{ matrix.test-ref }}
  139. - name: Apply nginx-tests patch
  140. working-directory: nginx-tests
  141. run: patch -p1 < ../wolfssl-nginx/nginx-tests-patches/*${{ matrix.test-ref }}.patch
  142. - name: Build nginx without sanitizer
  143. working-directory: nginx
  144. run: |
  145. ./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
  146. --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
  147. --with-http_v2_module --with-mail --with-mail_ssl_module
  148. make -j
  149. - name: Confirm nginx built with wolfSSL
  150. working-directory: nginx
  151. run: ldd objs/nginx | grep wolfssl
  152. - if: ${{ runner.debug }}
  153. name: Run nginx-tests without sanitizer (debug)
  154. working-directory: nginx-tests
  155. run: |
  156. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
  157. TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \
  158. TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-not-ok }}
  159. - if: ${{ !runner.debug }}
  160. name: Run nginx-tests without sanitizer
  161. working-directory: nginx-tests
  162. run: |
  163. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
  164. TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
  165. prove ${{ matrix.sanitize-not-ok }}
  166. - if: ${{ runner.debug }}
  167. name: Enable wolfSSL debug logging
  168. run: |
  169. echo "nginx_c_flags=-O0" >> $GITHUB_ENV
  170. - name: workaround high-entropy ASLR
  171. # not needed after either an update to llvm or runner is done
  172. run: sudo sysctl vm.mmap_rnd_bits=28
  173. - name: Build nginx with sanitizer
  174. working-directory: nginx
  175. run: |
  176. ./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
  177. --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
  178. --with-http_v2_module --with-mail --with-mail_ssl_module \
  179. --with-cc-opt='-fsanitize=address -DNGX_DEBUG_PALLOC=1 -g3 ${{ env.nginx_c_flags }}' \
  180. --with-ld-opt='-fsanitize=address ${{ env.nginx_c_flags }}'
  181. make -j
  182. - name: Confirm nginx built with wolfSSL
  183. working-directory: nginx
  184. run: ldd objs/nginx | grep wolfssl
  185. - if: ${{ runner.debug }}
  186. name: Run nginx-tests with sanitizer (debug)
  187. working-directory: nginx-tests
  188. run: |
  189. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
  190. TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \
  191. TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-ok }}
  192. - if: ${{ !runner.debug }}
  193. name: Run nginx-tests with sanitizer
  194. working-directory: nginx-tests
  195. run: |
  196. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
  197. TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
  198. prove ${{ matrix.sanitize-ok }}