nginx.yml 9.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210
  1. name: nginx Tests
  2. on:
  3. workflow_call:
  4. jobs:
  5. build_wolfssl:
  6. name: Build wolfSSL
  7. # Just to keep it the same as the testing target
  8. runs-on: ubuntu-latest
  9. # This should be a safe limit for the tests to run.
  10. timeout-minutes: 4
  11. steps:
  12. - if: ${{ runner.debug }}
  13. name: Enable wolfSSL debug logging
  14. run: |
  15. # We don't use --enable-debug since it makes the logs too loud
  16. echo "wolf_debug_flags= CFLAGS='-g3 -O0'" >> $GITHUB_ENV
  17. - name: Build wolfSSL
  18. uses: wolfSSL/actions-build-autotools-project@v1
  19. with:
  20. path: wolfssl
  21. configure: --enable-nginx ${{ env.wolf_debug_flags }}
  22. install: true
  23. - name: Upload built lib
  24. uses: actions/upload-artifact@v4
  25. with:
  26. name: wolf-install-nginx
  27. path: build-dir
  28. retention-days: 5
  29. nginx_check:
  30. strategy:
  31. fail-fast: false
  32. matrix:
  33. include:
  34. # in general we want to pass all tests that match *ssl*
  35. - ref: 1.25.0
  36. test-ref: 5b2894ea1afd01a26c589ce11f310df118e42592
  37. # Following tests pass with sanitizer on
  38. sanitize-ok: >-
  39. h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t h2_ssl_verify_client.t
  40. mail_imap_ssl.t mail_ssl_conf_command.t mail_ssl_session_reuse.t
  41. mail_ssl.t proxy_ssl_certificate_empty.t proxy_ssl_certificate.t
  42. proxy_ssl_certificate_vars.t proxy_ssl_conf_command.t proxy_ssl_name.t
  43. ssl_certificate_chain.t ssl_certificate_perl.t ssl_certificates.t
  44. ssl_certificate.t ssl_client_escaped_cert.t ssl_conf_command.t
  45. ssl_crl.t ssl_curve.t ssl_engine_keys.t ssl_ocsp.t ssl_password_file.t
  46. ssl_proxy_protocol.t ssl_proxy_upgrade.t ssl_reject_handshake.t
  47. ssl_session_reuse.t ssl_session_ticket_key.t ssl_sni_reneg.t
  48. ssl_sni_sessions.t ssl_sni.t ssl_stapling.t ssl.t ssl_verify_client.t
  49. ssl_verify_depth.t stream_proxy_ssl_certificate.t stream_proxy_ssl_certificate_vars.t
  50. stream_proxy_ssl_conf_command.t stream_proxy_ssl_name_complex.t
  51. stream_proxy_ssl_name.t stream_ssl_certificate.t stream_ssl_conf_command.t
  52. stream_ssl_preread_alpn.t stream_ssl_preread_protocol.t stream_ssl_preread.t
  53. stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t stream_ssl_variables.t
  54. stream_ssl_verify_client.t stream_upstream_zone_ssl.t upstream_zone_ssl.t
  55. uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t uwsgi_ssl.t
  56. uwsgi_ssl_verify.t
  57. # Following tests do not pass with sanitizer on (with OpenSSL too)
  58. sanitize-not-ok: >-
  59. grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
  60. proxy_request_buffering_ssl.t proxy_ssl_keepalive.t proxy_ssl.t
  61. proxy_ssl_verify.t stream_proxy_protocol_ssl.t stream_proxy_ssl.t
  62. stream_proxy_ssl_verify.t stream_ssl_alpn.t
  63. - ref: 1.24.0
  64. test-ref: 212d9d003886e3a24542855fb60355a417f037de
  65. # Following tests pass with sanitizer on
  66. sanitize-ok: >-
  67. h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t h2_ssl_verify_client.t
  68. mail_imap_ssl.t mail_ssl_conf_command.t mail_ssl_session_reuse.t mail_ssl.t
  69. proxy_ssl_certificate_empty.t proxy_ssl_certificate.t proxy_ssl_certificate_vars.t
  70. proxy_ssl_name.t ssl_certificate_chain.t ssl_certificate_perl.t ssl_certificates.t
  71. ssl_certificate.t ssl_client_escaped_cert.t ssl_conf_command.t ssl_crl.t
  72. ssl_engine_keys.t ssl_ocsp.t ssl_password_file.t ssl_proxy_protocol.t
  73. ssl_proxy_upgrade.t ssl_reject_handshake.t ssl_session_reuse.t
  74. ssl_session_ticket_key.t ssl_sni_reneg.t ssl_sni_sessions.t ssl_sni.t
  75. ssl_stapling.t ssl.t ssl_verify_client.t stream_proxy_ssl_certificate.t
  76. stream_proxy_ssl_certificate_vars.t stream_proxy_ssl_name_complex.t
  77. stream_proxy_ssl_name.t stream_ssl_alpn.t stream_ssl_certificate.t
  78. stream_ssl_conf_command.t stream_ssl_preread_alpn.t stream_ssl_preread_protocol.t
  79. stream_ssl_preread.t stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t
  80. stream_ssl_variables.t stream_ssl_verify_client.t stream_upstream_zone_ssl.t
  81. upstream_zone_ssl.t uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t
  82. uwsgi_ssl.t uwsgi_ssl_verify.t
  83. # Following tests do not pass with sanitizer on (with OpenSSL too)
  84. sanitize-not-ok: >-
  85. grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
  86. proxy_request_buffering_ssl.t proxy_ssl_conf_command.t proxy_ssl_keepalive.t
  87. proxy_ssl.t proxy_ssl_verify.t ssl_curve.t ssl_verify_depth.t
  88. stream_proxy_protocol_ssl.t stream_proxy_ssl_conf_command.t stream_proxy_ssl.t
  89. stream_proxy_ssl_verify.t
  90. name: ${{ matrix.ref }}
  91. runs-on: ubuntu-latest
  92. # This should be a safe limit for the tests to run.
  93. timeout-minutes: 6
  94. needs: build_wolfssl
  95. steps:
  96. - name: Download lib
  97. uses: actions/download-artifact@v4
  98. with:
  99. name: wolf-install-nginx
  100. path: build-dir
  101. - name: Install dependencies
  102. run: |
  103. sudo cpan -iT Proc::Find Net::SSLeay IO::Socket::SSL
  104. - name: Checkout wolfssl-nginx
  105. uses: actions/checkout@v4
  106. with:
  107. repository: wolfssl/wolfssl-nginx
  108. path: wolfssl-nginx
  109. - name: Checkout nginx
  110. uses: actions/checkout@v4
  111. with:
  112. repository: nginx/nginx
  113. path: nginx
  114. ref: release-${{ matrix.ref }}
  115. - name: Apply nginx patch
  116. working-directory: nginx
  117. run: patch -p1 < ../wolfssl-nginx/nginx-${{ matrix.ref }}-wolfssl.patch
  118. - if: ${{ runner.debug }}
  119. name: Apply nginx debug patch
  120. working-directory: nginx
  121. run: patch -p1 < ../wolfssl-nginx/nginx-${{ matrix.ref }}-wolfssl-debug.patch
  122. - name: Checkout nginx-tests
  123. uses: actions/checkout@v4
  124. with:
  125. repository: nginx/nginx-tests
  126. path: nginx-tests
  127. ref: ${{ matrix.test-ref }}
  128. - name: Apply nginx-tests patch
  129. working-directory: nginx-tests
  130. run: patch -p1 < ../wolfssl-nginx/nginx-tests-patches/*${{ matrix.test-ref }}.patch
  131. - name: Build nginx without sanitizer
  132. working-directory: nginx
  133. run: |
  134. ./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
  135. --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
  136. --with-http_v2_module --with-mail --with-mail_ssl_module
  137. make -j
  138. - name: Confirm nginx built with wolfSSL
  139. working-directory: nginx
  140. run: ldd objs/nginx | grep wolfssl
  141. - if: ${{ runner.debug }}
  142. name: Run nginx-tests without sanitizer (debug)
  143. working-directory: nginx-tests
  144. run: |
  145. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
  146. TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \
  147. TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-not-ok }}
  148. - if: ${{ !runner.debug }}
  149. name: Run nginx-tests without sanitizer
  150. working-directory: nginx-tests
  151. run: |
  152. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
  153. TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
  154. prove ${{ matrix.sanitize-not-ok }}
  155. - if: ${{ runner.debug }}
  156. name: Enable wolfSSL debug logging
  157. run: |
  158. echo "nginx_c_flags=-O0" >> $GITHUB_ENV
  159. - name: workaround high-entropy ASLR
  160. # not needed after either an update to llvm or runner is done
  161. run: sudo sysctl vm.mmap_rnd_bits=28
  162. - name: Build nginx with sanitizer
  163. working-directory: nginx
  164. run: |
  165. ./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
  166. --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
  167. --with-http_v2_module --with-mail --with-mail_ssl_module \
  168. --with-cc-opt='-fsanitize=address -DNGX_DEBUG_PALLOC=1 -g3 ${{ env.nginx_c_flags }}' \
  169. --with-ld-opt='-fsanitize=address ${{ env.nginx_c_flags }}'
  170. make -j
  171. - name: Confirm nginx built with wolfSSL
  172. working-directory: nginx
  173. run: ldd objs/nginx | grep wolfssl
  174. - if: ${{ runner.debug }}
  175. name: Run nginx-tests with sanitizer (debug)
  176. working-directory: nginx-tests
  177. run: |
  178. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
  179. TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \
  180. TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-ok }}
  181. - if: ${{ !runner.debug }}
  182. name: Run nginx-tests with sanitizer
  183. working-directory: nginx-tests
  184. run: |
  185. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
  186. TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
  187. prove ${{ matrix.sanitize-ok }}