1
0

nginx.yml 9.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219
  1. name: nginx Tests
  2. # START OF COMMON SECTION
  3. on:
  4. push:
  5. branches: [ 'master', 'main', 'release/**' ]
  6. pull_request:
  7. branches: [ '*' ]
  8. concurrency:
  9. group: ${{ github.workflow }}-${{ github.ref }}
  10. cancel-in-progress: true
  11. # END OF COMMON SECTION
  12. jobs:
  13. build_wolfssl:
  14. name: Build wolfSSL
  15. # Just to keep it the same as the testing target
  16. runs-on: ubuntu-latest
  17. # This should be a safe limit for the tests to run.
  18. timeout-minutes: 4
  19. steps:
  20. - if: ${{ runner.debug }}
  21. name: Enable wolfSSL debug logging
  22. run: |
  23. # We don't use --enable-debug since it makes the logs too loud
  24. echo "wolf_debug_flags= CFLAGS='-g3 -O0'" >> $GITHUB_ENV
  25. - name: Build wolfSSL
  26. uses: wolfSSL/actions-build-autotools-project@v1
  27. with:
  28. path: wolfssl
  29. configure: --enable-nginx ${{ env.wolf_debug_flags }}
  30. install: true
  31. - name: Upload built lib
  32. uses: actions/upload-artifact@v4
  33. with:
  34. name: wolf-install-nginx
  35. path: build-dir
  36. retention-days: 5
  37. nginx_check:
  38. strategy:
  39. fail-fast: false
  40. matrix:
  41. include:
  42. # in general we want to pass all tests that match *ssl*
  43. - ref: 1.25.0
  44. test-ref: 5b2894ea1afd01a26c589ce11f310df118e42592
  45. # Following tests pass with sanitizer on
  46. sanitize-ok: >-
  47. h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t h2_ssl_verify_client.t
  48. mail_imap_ssl.t mail_ssl_conf_command.t mail_ssl_session_reuse.t
  49. mail_ssl.t proxy_ssl_certificate_empty.t proxy_ssl_certificate.t
  50. proxy_ssl_certificate_vars.t proxy_ssl_conf_command.t proxy_ssl_name.t
  51. ssl_certificate_chain.t ssl_certificate_perl.t ssl_certificates.t
  52. ssl_certificate.t ssl_client_escaped_cert.t ssl_conf_command.t
  53. ssl_crl.t ssl_curve.t ssl_engine_keys.t ssl_ocsp.t ssl_password_file.t
  54. ssl_proxy_protocol.t ssl_proxy_upgrade.t ssl_reject_handshake.t
  55. ssl_session_reuse.t ssl_session_ticket_key.t ssl_sni_reneg.t
  56. ssl_sni_sessions.t ssl_sni.t ssl_stapling.t ssl.t ssl_verify_client.t
  57. ssl_verify_depth.t stream_proxy_ssl_certificate.t stream_proxy_ssl_certificate_vars.t
  58. stream_proxy_ssl_conf_command.t stream_proxy_ssl_name_complex.t
  59. stream_proxy_ssl_name.t stream_ssl_certificate.t stream_ssl_conf_command.t
  60. stream_ssl_preread_alpn.t stream_ssl_preread_protocol.t stream_ssl_preread.t
  61. stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t stream_ssl_variables.t
  62. stream_ssl_verify_client.t stream_upstream_zone_ssl.t upstream_zone_ssl.t
  63. uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t uwsgi_ssl.t
  64. uwsgi_ssl_verify.t
  65. # Following tests do not pass with sanitizer on (with OpenSSL too)
  66. sanitize-not-ok: >-
  67. grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
  68. proxy_request_buffering_ssl.t proxy_ssl_keepalive.t proxy_ssl.t
  69. proxy_ssl_verify.t stream_proxy_protocol_ssl.t stream_proxy_ssl.t
  70. stream_proxy_ssl_verify.t stream_ssl_alpn.t
  71. - ref: 1.24.0
  72. test-ref: 212d9d003886e3a24542855fb60355a417f037de
  73. # Following tests pass with sanitizer on
  74. sanitize-ok: >-
  75. h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t h2_ssl_verify_client.t
  76. mail_imap_ssl.t mail_ssl_conf_command.t mail_ssl_session_reuse.t mail_ssl.t
  77. proxy_ssl_certificate_empty.t proxy_ssl_certificate.t proxy_ssl_certificate_vars.t
  78. proxy_ssl_name.t ssl_certificate_chain.t ssl_certificate_perl.t ssl_certificates.t
  79. ssl_certificate.t ssl_client_escaped_cert.t ssl_conf_command.t ssl_crl.t
  80. ssl_engine_keys.t ssl_ocsp.t ssl_password_file.t ssl_proxy_protocol.t
  81. ssl_proxy_upgrade.t ssl_reject_handshake.t ssl_session_reuse.t
  82. ssl_session_ticket_key.t ssl_sni_reneg.t ssl_sni_sessions.t ssl_sni.t
  83. ssl_stapling.t ssl.t ssl_verify_client.t stream_proxy_ssl_certificate.t
  84. stream_proxy_ssl_certificate_vars.t stream_proxy_ssl_name_complex.t
  85. stream_proxy_ssl_name.t stream_ssl_alpn.t stream_ssl_certificate.t
  86. stream_ssl_conf_command.t stream_ssl_preread_alpn.t stream_ssl_preread_protocol.t
  87. stream_ssl_preread.t stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t
  88. stream_ssl_variables.t stream_ssl_verify_client.t stream_upstream_zone_ssl.t
  89. upstream_zone_ssl.t uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t
  90. uwsgi_ssl.t uwsgi_ssl_verify.t
  91. # Following tests do not pass with sanitizer on (with OpenSSL too)
  92. sanitize-not-ok: >-
  93. grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
  94. proxy_request_buffering_ssl.t proxy_ssl_conf_command.t proxy_ssl_keepalive.t
  95. proxy_ssl.t proxy_ssl_verify.t ssl_curve.t ssl_verify_depth.t
  96. stream_proxy_protocol_ssl.t stream_proxy_ssl_conf_command.t stream_proxy_ssl.t
  97. stream_proxy_ssl_verify.t
  98. name: ${{ matrix.ref }}
  99. runs-on: ubuntu-latest
  100. # This should be a safe limit for the tests to run.
  101. timeout-minutes: 6
  102. needs: build_wolfssl
  103. steps:
  104. - name: Download lib
  105. uses: actions/download-artifact@v4
  106. with:
  107. name: wolf-install-nginx
  108. path: build-dir
  109. - name: Install dependencies
  110. run: |
  111. sudo cpan -iT Proc::Find Net::SSLeay IO::Socket::SSL
  112. - name: Checkout wolfssl-nginx
  113. uses: actions/checkout@v4
  114. with:
  115. repository: wolfssl/wolfssl-nginx
  116. path: wolfssl-nginx
  117. - name: Checkout nginx
  118. uses: actions/checkout@v4
  119. with:
  120. repository: nginx/nginx
  121. path: nginx
  122. ref: release-${{ matrix.ref }}
  123. - name: Apply nginx patch
  124. working-directory: nginx
  125. run: patch -p1 < ../wolfssl-nginx/nginx-${{ matrix.ref }}-wolfssl.patch
  126. - if: ${{ runner.debug }}
  127. name: Apply nginx debug patch
  128. working-directory: nginx
  129. run: patch -p1 < ../wolfssl-nginx/nginx-${{ matrix.ref }}-wolfssl-debug.patch
  130. - name: Checkout nginx-tests
  131. uses: actions/checkout@v4
  132. with:
  133. repository: nginx/nginx-tests
  134. path: nginx-tests
  135. ref: ${{ matrix.test-ref }}
  136. - name: Apply nginx-tests patch
  137. working-directory: nginx-tests
  138. run: patch -p1 < ../wolfssl-nginx/nginx-tests-patches/*${{ matrix.test-ref }}.patch
  139. - name: Build nginx without sanitizer
  140. working-directory: nginx
  141. run: |
  142. ./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
  143. --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
  144. --with-http_v2_module --with-mail --with-mail_ssl_module
  145. make -j
  146. - name: Confirm nginx built with wolfSSL
  147. working-directory: nginx
  148. run: ldd objs/nginx | grep wolfssl
  149. - if: ${{ runner.debug }}
  150. name: Run nginx-tests without sanitizer (debug)
  151. working-directory: nginx-tests
  152. run: |
  153. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
  154. TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \
  155. TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-not-ok }}
  156. - if: ${{ !runner.debug }}
  157. name: Run nginx-tests without sanitizer
  158. working-directory: nginx-tests
  159. run: |
  160. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
  161. TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
  162. prove ${{ matrix.sanitize-not-ok }}
  163. - if: ${{ runner.debug }}
  164. name: Enable wolfSSL debug logging
  165. run: |
  166. echo "nginx_c_flags=-O0" >> $GITHUB_ENV
  167. - name: workaround high-entropy ASLR
  168. # not needed after either an update to llvm or runner is done
  169. run: sudo sysctl vm.mmap_rnd_bits=28
  170. - name: Build nginx with sanitizer
  171. working-directory: nginx
  172. run: |
  173. ./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
  174. --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
  175. --with-http_v2_module --with-mail --with-mail_ssl_module \
  176. --with-cc-opt='-fsanitize=address -DNGX_DEBUG_PALLOC=1 -g3 ${{ env.nginx_c_flags }}' \
  177. --with-ld-opt='-fsanitize=address ${{ env.nginx_c_flags }}'
  178. make -j
  179. - name: Confirm nginx built with wolfSSL
  180. working-directory: nginx
  181. run: ldd objs/nginx | grep wolfssl
  182. - if: ${{ runner.debug }}
  183. name: Run nginx-tests with sanitizer (debug)
  184. working-directory: nginx-tests
  185. run: |
  186. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
  187. TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \
  188. TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-ok }}
  189. - if: ${{ !runner.debug }}
  190. name: Run nginx-tests with sanitizer
  191. working-directory: nginx-tests
  192. run: |
  193. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
  194. TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
  195. prove ${{ matrix.sanitize-ok }}