-
Notifications
You must be signed in to change notification settings - Fork 834
219 lines (195 loc) · 9.41 KB
/
nginx.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
name: nginx Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
# Just to keep it the same as the testing target
runs-on: ubuntu-latest
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- if: ${{ runner.debug }}
name: Enable wolfSSL debug logging
run: |
# We don't use --enable-debug since it makes the logs too loud
echo "wolf_debug_flags= CFLAGS='-g3 -O0'" >> $GITHUB_ENV
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-nginx ${{ env.wolf_debug_flags }}
install: true
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-nginx
path: build-dir
retention-days: 5
nginx_check:
strategy:
fail-fast: false
matrix:
include:
# in general we want to pass all tests that match *ssl*
- ref: 1.25.0
test-ref: 5b2894ea1afd01a26c589ce11f310df118e42592
# Following tests pass with sanitizer on
sanitize-ok: >-
h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t h2_ssl_verify_client.t
mail_imap_ssl.t mail_ssl_conf_command.t mail_ssl_session_reuse.t
mail_ssl.t proxy_ssl_certificate_empty.t proxy_ssl_certificate.t
proxy_ssl_certificate_vars.t proxy_ssl_conf_command.t proxy_ssl_name.t
ssl_certificate_chain.t ssl_certificate_perl.t ssl_certificates.t
ssl_certificate.t ssl_client_escaped_cert.t ssl_conf_command.t
ssl_crl.t ssl_curve.t ssl_engine_keys.t ssl_ocsp.t ssl_password_file.t
ssl_proxy_protocol.t ssl_proxy_upgrade.t ssl_reject_handshake.t
ssl_session_reuse.t ssl_session_ticket_key.t ssl_sni_reneg.t
ssl_sni_sessions.t ssl_sni.t ssl_stapling.t ssl.t ssl_verify_client.t
ssl_verify_depth.t stream_proxy_ssl_certificate.t stream_proxy_ssl_certificate_vars.t
stream_proxy_ssl_conf_command.t stream_proxy_ssl_name_complex.t
stream_proxy_ssl_name.t stream_ssl_certificate.t stream_ssl_conf_command.t
stream_ssl_preread_alpn.t stream_ssl_preread_protocol.t stream_ssl_preread.t
stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t stream_ssl_variables.t
stream_ssl_verify_client.t stream_upstream_zone_ssl.t upstream_zone_ssl.t
uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t uwsgi_ssl.t
uwsgi_ssl_verify.t
# Following tests do not pass with sanitizer on (with OpenSSL too)
sanitize-not-ok: >-
grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
proxy_request_buffering_ssl.t proxy_ssl_keepalive.t proxy_ssl.t
proxy_ssl_verify.t stream_proxy_protocol_ssl.t stream_proxy_ssl.t
stream_proxy_ssl_verify.t stream_ssl_alpn.t
- ref: 1.24.0
test-ref: 212d9d003886e3a24542855fb60355a417f037de
# Following tests pass with sanitizer on
sanitize-ok: >-
h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t h2_ssl_verify_client.t
mail_imap_ssl.t mail_ssl_conf_command.t mail_ssl_session_reuse.t mail_ssl.t
proxy_ssl_certificate_empty.t proxy_ssl_certificate.t proxy_ssl_certificate_vars.t
proxy_ssl_name.t ssl_certificate_chain.t ssl_certificate_perl.t ssl_certificates.t
ssl_certificate.t ssl_client_escaped_cert.t ssl_conf_command.t ssl_crl.t
ssl_engine_keys.t ssl_ocsp.t ssl_password_file.t ssl_proxy_protocol.t
ssl_proxy_upgrade.t ssl_reject_handshake.t ssl_session_reuse.t
ssl_session_ticket_key.t ssl_sni_reneg.t ssl_sni_sessions.t ssl_sni.t
ssl_stapling.t ssl.t ssl_verify_client.t stream_proxy_ssl_certificate.t
stream_proxy_ssl_certificate_vars.t stream_proxy_ssl_name_complex.t
stream_proxy_ssl_name.t stream_ssl_alpn.t stream_ssl_certificate.t
stream_ssl_conf_command.t stream_ssl_preread_alpn.t stream_ssl_preread_protocol.t
stream_ssl_preread.t stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t
stream_ssl_variables.t stream_ssl_verify_client.t stream_upstream_zone_ssl.t
upstream_zone_ssl.t uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t
uwsgi_ssl.t uwsgi_ssl_verify.t
# Following tests do not pass with sanitizer on (with OpenSSL too)
sanitize-not-ok: >-
grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
proxy_request_buffering_ssl.t proxy_ssl_conf_command.t proxy_ssl_keepalive.t
proxy_ssl.t proxy_ssl_verify.t ssl_curve.t ssl_verify_depth.t
stream_proxy_protocol_ssl.t stream_proxy_ssl_conf_command.t stream_proxy_ssl.t
stream_proxy_ssl_verify.t
name: ${{ matrix.ref }}
runs-on: ubuntu-latest
# This should be a safe limit for the tests to run.
timeout-minutes: 6
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-nginx
path: build-dir
- name: Install dependencies
run: |
sudo cpan -iT Proc::Find Net::SSLeay IO::Socket::SSL
- name: Checkout wolfssl-nginx
uses: actions/checkout@v4
with:
repository: wolfssl/wolfssl-nginx
path: wolfssl-nginx
- name: Checkout nginx
uses: actions/checkout@v4
with:
repository: nginx/nginx
path: nginx
ref: release-${{ matrix.ref }}
- name: Apply nginx patch
working-directory: nginx
run: patch -p1 < ../wolfssl-nginx/nginx-${{ matrix.ref }}-wolfssl.patch
- if: ${{ runner.debug }}
name: Apply nginx debug patch
working-directory: nginx
run: patch -p1 < ../wolfssl-nginx/nginx-${{ matrix.ref }}-wolfssl-debug.patch
- name: Checkout nginx-tests
uses: actions/checkout@v4
with:
repository: nginx/nginx-tests
path: nginx-tests
ref: ${{ matrix.test-ref }}
- name: Apply nginx-tests patch
working-directory: nginx-tests
run: patch -p1 < ../wolfssl-nginx/nginx-tests-patches/*${{ matrix.test-ref }}.patch
- name: Build nginx without sanitizer
working-directory: nginx
run: |
./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
--with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
--with-http_v2_module --with-mail --with-mail_ssl_module
make -j
- name: Confirm nginx built with wolfSSL
working-directory: nginx
run: ldd objs/nginx | grep wolfssl
- if: ${{ runner.debug }}
name: Run nginx-tests without sanitizer (debug)
working-directory: nginx-tests
run: |
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \
TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-not-ok }}
- if: ${{ !runner.debug }}
name: Run nginx-tests without sanitizer
working-directory: nginx-tests
run: |
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
prove ${{ matrix.sanitize-not-ok }}
- if: ${{ runner.debug }}
name: Enable wolfSSL debug logging
run: |
echo "nginx_c_flags=-O0" >> $GITHUB_ENV
- name: workaround high-entropy ASLR
# not needed after either an update to llvm or runner is done
run: sudo sysctl vm.mmap_rnd_bits=28
- name: Build nginx with sanitizer
working-directory: nginx
run: |
./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
--with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
--with-http_v2_module --with-mail --with-mail_ssl_module \
--with-cc-opt='-fsanitize=address -DNGX_DEBUG_PALLOC=1 -g3 ${{ env.nginx_c_flags }}' \
--with-ld-opt='-fsanitize=address ${{ env.nginx_c_flags }}'
make -j
- name: Confirm nginx built with wolfSSL
working-directory: nginx
run: ldd objs/nginx | grep wolfssl
- if: ${{ runner.debug }}
name: Run nginx-tests with sanitizer (debug)
working-directory: nginx-tests
run: |
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \
TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-ok }}
- if: ${{ !runner.debug }}
name: Run nginx-tests with sanitizer
working-directory: nginx-tests
run: |
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
prove ${{ matrix.sanitize-ok }}