1
0

nginx.yml 9.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226
  1. name: nginx Tests
  2. # START OF COMMON SECTION
  3. on:
  4. push:
  5. branches: [ 'master', 'main', 'release/**' ]
  6. pull_request:
  7. branches: [ '*' ]
  8. concurrency:
  9. group: ${{ github.workflow }}-${{ github.ref }}
  10. cancel-in-progress: true
  11. # END OF COMMON SECTION
  12. jobs:
  13. build_wolfssl:
  14. name: Build wolfSSL
  15. if: github.repository_owner == 'wolfssl'
  16. # Just to keep it the same as the testing target
  17. runs-on: ubuntu-22.04
  18. # This should be a safe limit for the tests to run.
  19. timeout-minutes: 4
  20. steps:
  21. - if: ${{ runner.debug }}
  22. name: Enable wolfSSL debug logging
  23. run: |
  24. # We don't use --enable-debug since it makes the logs too loud
  25. echo "wolf_debug_flags= CFLAGS='-g3 -O0'" >> $GITHUB_ENV
  26. - name: Build wolfSSL
  27. uses: wolfSSL/actions-build-autotools-project@v1
  28. with:
  29. path: wolfssl
  30. configure: --enable-nginx ${{ env.wolf_debug_flags }}
  31. install: true
  32. - name: tar build-dir
  33. run: tar -zcf build-dir.tgz build-dir
  34. - name: Upload built lib
  35. uses: actions/upload-artifact@v4
  36. with:
  37. name: wolf-install-nginx
  38. path: build-dir.tgz
  39. retention-days: 5
  40. nginx_check:
  41. strategy:
  42. fail-fast: false
  43. matrix:
  44. include:
  45. # in general we want to pass all tests that match *ssl*
  46. - ref: 1.25.0
  47. test-ref: 5b2894ea1afd01a26c589ce11f310df118e42592
  48. # Following tests pass with sanitizer on
  49. sanitize-ok: >-
  50. h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t h2_ssl_verify_client.t
  51. mail_imap_ssl.t mail_ssl_conf_command.t mail_ssl_session_reuse.t
  52. mail_ssl.t proxy_ssl_certificate_empty.t proxy_ssl_certificate.t
  53. proxy_ssl_certificate_vars.t proxy_ssl_conf_command.t proxy_ssl_name.t
  54. ssl_certificate_chain.t ssl_certificate_perl.t ssl_certificates.t
  55. ssl_certificate.t ssl_client_escaped_cert.t ssl_conf_command.t
  56. ssl_crl.t ssl_curve.t ssl_engine_keys.t ssl_ocsp.t ssl_password_file.t
  57. ssl_proxy_protocol.t ssl_proxy_upgrade.t ssl_reject_handshake.t
  58. ssl_session_reuse.t ssl_session_ticket_key.t ssl_sni_reneg.t
  59. ssl_sni_sessions.t ssl_sni.t ssl_stapling.t ssl.t ssl_verify_client.t
  60. ssl_verify_depth.t stream_proxy_ssl_certificate.t stream_proxy_ssl_certificate_vars.t
  61. stream_proxy_ssl_conf_command.t stream_proxy_ssl_name_complex.t
  62. stream_proxy_ssl_name.t stream_ssl_certificate.t stream_ssl_conf_command.t
  63. stream_ssl_preread_alpn.t stream_ssl_preread_protocol.t stream_ssl_preread.t
  64. stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t stream_ssl_variables.t
  65. stream_ssl_verify_client.t stream_upstream_zone_ssl.t upstream_zone_ssl.t
  66. uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t uwsgi_ssl.t
  67. uwsgi_ssl_verify.t
  68. # Following tests do not pass with sanitizer on (with OpenSSL too)
  69. sanitize-not-ok: >-
  70. grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
  71. proxy_request_buffering_ssl.t proxy_ssl_keepalive.t proxy_ssl.t
  72. proxy_ssl_verify.t stream_proxy_protocol_ssl.t stream_proxy_ssl.t
  73. stream_proxy_ssl_verify.t stream_ssl_alpn.t
  74. - ref: 1.24.0
  75. test-ref: 212d9d003886e3a24542855fb60355a417f037de
  76. # Following tests pass with sanitizer on
  77. sanitize-ok: >-
  78. h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t h2_ssl_verify_client.t
  79. mail_imap_ssl.t mail_ssl_conf_command.t mail_ssl_session_reuse.t mail_ssl.t
  80. proxy_ssl_certificate_empty.t proxy_ssl_certificate.t proxy_ssl_certificate_vars.t
  81. proxy_ssl_name.t ssl_certificate_chain.t ssl_certificate_perl.t ssl_certificates.t
  82. ssl_certificate.t ssl_client_escaped_cert.t ssl_conf_command.t ssl_crl.t
  83. ssl_engine_keys.t ssl_ocsp.t ssl_password_file.t ssl_proxy_protocol.t
  84. ssl_proxy_upgrade.t ssl_reject_handshake.t ssl_session_reuse.t
  85. ssl_session_ticket_key.t ssl_sni_reneg.t ssl_sni_sessions.t ssl_sni.t
  86. ssl_stapling.t ssl.t ssl_verify_client.t stream_proxy_ssl_certificate.t
  87. stream_proxy_ssl_certificate_vars.t stream_proxy_ssl_name_complex.t
  88. stream_proxy_ssl_name.t stream_ssl_alpn.t stream_ssl_certificate.t
  89. stream_ssl_conf_command.t stream_ssl_preread_alpn.t stream_ssl_preread_protocol.t
  90. stream_ssl_preread.t stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t
  91. stream_ssl_variables.t stream_ssl_verify_client.t stream_upstream_zone_ssl.t
  92. upstream_zone_ssl.t uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t
  93. uwsgi_ssl.t uwsgi_ssl_verify.t
  94. # Following tests do not pass with sanitizer on (with OpenSSL too)
  95. sanitize-not-ok: >-
  96. grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
  97. proxy_request_buffering_ssl.t proxy_ssl_conf_command.t proxy_ssl_keepalive.t
  98. proxy_ssl.t proxy_ssl_verify.t ssl_curve.t ssl_verify_depth.t
  99. stream_proxy_protocol_ssl.t stream_proxy_ssl_conf_command.t stream_proxy_ssl.t
  100. stream_proxy_ssl_verify.t
  101. name: ${{ matrix.ref }}
  102. if: github.repository_owner == 'wolfssl'
  103. runs-on: ubuntu-22.04
  104. # This should be a safe limit for the tests to run.
  105. timeout-minutes: 6
  106. needs: build_wolfssl
  107. steps:
  108. - name: Download lib
  109. uses: actions/download-artifact@v4
  110. with:
  111. name: wolf-install-nginx
  112. - name: untar build-dir
  113. run: tar -xf build-dir.tgz
  114. - name: Install dependencies
  115. run: |
  116. sudo cpan -iT Proc::Find Net::SSLeay IO::Socket::SSL
  117. - name: Checkout wolfssl-nginx
  118. uses: actions/checkout@v4
  119. with:
  120. repository: wolfssl/wolfssl-nginx
  121. path: wolfssl-nginx
  122. - name: Checkout nginx
  123. uses: actions/checkout@v4
  124. with:
  125. repository: nginx/nginx
  126. path: nginx
  127. ref: release-${{ matrix.ref }}
  128. - name: Apply nginx patch
  129. working-directory: nginx
  130. run: patch -p1 < ../wolfssl-nginx/nginx-${{ matrix.ref }}-wolfssl.patch
  131. - if: ${{ runner.debug }}
  132. name: Apply nginx debug patch
  133. working-directory: nginx
  134. run: patch -p1 < ../wolfssl-nginx/nginx-${{ matrix.ref }}-wolfssl-debug.patch
  135. - name: Checkout nginx-tests
  136. uses: actions/checkout@v4
  137. with:
  138. repository: nginx/nginx-tests
  139. path: nginx-tests
  140. ref: ${{ matrix.test-ref }}
  141. - name: Apply nginx-tests patch
  142. working-directory: nginx-tests
  143. run: patch -p1 < ../wolfssl-nginx/nginx-tests-patches/*${{ matrix.test-ref }}.patch
  144. - name: Build nginx without sanitizer
  145. working-directory: nginx
  146. run: |
  147. ./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
  148. --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
  149. --with-http_v2_module --with-mail --with-mail_ssl_module
  150. make -j
  151. - name: Confirm nginx built with wolfSSL
  152. working-directory: nginx
  153. run: ldd objs/nginx | grep wolfssl
  154. - if: ${{ runner.debug }}
  155. name: Run nginx-tests without sanitizer (debug)
  156. working-directory: nginx-tests
  157. run: |
  158. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
  159. TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \
  160. TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-not-ok }}
  161. - if: ${{ !runner.debug }}
  162. name: Run nginx-tests without sanitizer
  163. working-directory: nginx-tests
  164. run: |
  165. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
  166. TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
  167. prove ${{ matrix.sanitize-not-ok }}
  168. - if: ${{ runner.debug }}
  169. name: Enable wolfSSL debug logging
  170. run: |
  171. echo "nginx_c_flags=-O0" >> $GITHUB_ENV
  172. - name: workaround high-entropy ASLR
  173. # not needed after either an update to llvm or runner is done
  174. run: sudo sysctl vm.mmap_rnd_bits=28
  175. - name: Build nginx with sanitizer
  176. working-directory: nginx
  177. run: |
  178. ./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
  179. --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
  180. --with-http_v2_module --with-mail --with-mail_ssl_module \
  181. --with-cc-opt='-fsanitize=address -DNGX_DEBUG_PALLOC=1 -g3 ${{ env.nginx_c_flags }}' \
  182. --with-ld-opt='-fsanitize=address ${{ env.nginx_c_flags }}'
  183. make -j
  184. - name: Confirm nginx built with wolfSSL
  185. working-directory: nginx
  186. run: ldd objs/nginx | grep wolfssl
  187. - if: ${{ runner.debug }}
  188. name: Run nginx-tests with sanitizer (debug)
  189. working-directory: nginx-tests
  190. run: |
  191. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
  192. TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \
  193. TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-ok }}
  194. - if: ${{ !runner.debug }}
  195. name: Run nginx-tests with sanitizer
  196. working-directory: nginx-tests
  197. run: |
  198. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
  199. TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
  200. prove ${{ matrix.sanitize-ok }}