nixpkgs/nixos/tests/sslh.nix

import ./make-test-python.nix {
  name = "sslh";

  nodes = {
    server = { pkgs, lib, ... }: {
      networking.firewall.allowedTCPPorts = [ 443 ];
      networking.interfaces.eth1.ipv6.addresses = [
        {
          address = "fe00:aa:bb:cc::2";
          prefixLength = 64;
        }
      ];
      # sslh is really slow when reverse dns does not work
      networking.hosts = {
        "fe00:aa:bb:cc::2" = [ "server" ];
        "fe00:aa:bb:cc::1" = [ "client" ];
      };
      services.sslh = {
        enable = true;
        transparent = true;
        appendConfig = ''
          protocols:
          (
            { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; probe: "builtin"; },
            { name: "http"; host: "localhost"; port: "80"; probe: "builtin"; },
          );
        '';
      };
      services.openssh.enable = true;
      users.users.root.openssh.authorizedKeys.keyFiles = [ ./initrd-network-ssh/id_ed25519.pub ];
      services.nginx = {
        enable = true;
        virtualHosts."localhost" = {
          addSSL = false;
          default = true;
          root = pkgs.runCommand "testdir" {} ''
            mkdir "$out"
            echo hello world > "$out/index.html"
          '';
        };
      };
    };
    client = { ... }: {
      networking.interfaces.eth1.ipv6.addresses = [
        {
          address = "fe00:aa:bb:cc::1";
          prefixLength = 64;
        }
      ];
      networking.hosts."fe00:aa:bb:cc::2" = [ "server" ];
      environment.etc.sshKey = {
        source = ./initrd-network-ssh/id_ed25519; # dont use this anywhere else
        mode = "0600";
      };
    };
  };

  testScript = ''
    start_all()

    server.wait_for_unit("sslh.service")
    server.wait_for_unit("nginx.service")
    server.wait_for_unit("sshd.service")
    server.wait_for_open_port(80)
    server.wait_for_open_port(443)
    server.wait_for_open_port(22)

    for arg in ["-6", "-4"]:
        client.wait_until_succeeds(f"ping {arg} -c1 server")

        # check that ssh through sslh works
        client.succeed(
            f"ssh {arg} -p 443 -i /etc/sshKey -o StrictHostKeyChecking=accept-new server 'echo $SSH_CONNECTION > /tmp/foo{arg}'"
        )

        # check that 1/ the above ssh command had an effect 2/ transparent proxying really works
        ip = "fe00:aa:bb:cc::1" if arg == "-6" else "192.168.1."
        server.succeed(f"grep '{ip}' /tmp/foo{arg}")

        # check that http through sslh works
        assert client.succeed(f"curl {arg} http://server:443").strip() == "hello world"
  '';
}
nixos: add test for sslh 2020-01-18 12:00:00 +00:00			`import ./make-test-python.nix {`
			`name = "sslh";`

			`nodes = {`
			`server = { pkgs, lib, ... }: {`
			`networking.firewall.allowedTCPPorts = [ 443 ];`
			`networking.interfaces.eth1.ipv6.addresses = [`
			`{`
			`address = "fe00:aa:bb:cc::2";`
			`prefixLength = 64;`
			`}`
			`];`
			`# sslh is really slow when reverse dns does not work`
			`networking.hosts = {`
			`"fe00:aa:bb:cc::2" = [ "server" ];`
			`"fe00:aa:bb:cc::1" = [ "client" ];`
			`};`
			`services.sslh = {`
			`enable = true;`
			`transparent = true;`
			`appendConfig = ''`
			`protocols:`
			`(`
			`{ name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; probe: "builtin"; },`
			`{ name: "http"; host: "localhost"; port: "80"; probe: "builtin"; },`
			`);`
			`'';`
			`};`
			`services.openssh.enable = true;`
			`users.users.root.openssh.authorizedKeys.keyFiles = [ ./initrd-network-ssh/id_ed25519.pub ];`
			`services.nginx = {`
			`enable = true;`
			`virtualHosts."localhost" = {`
			`addSSL = false;`
			`default = true;`
			`root = pkgs.runCommand "testdir" {} ''`
			`mkdir "$out"`
			`echo hello world > "$out/index.html"`
			`'';`
			`};`
			`};`
			`};`
			`client = { ... }: {`
			`networking.interfaces.eth1.ipv6.addresses = [`
			`{`
			`address = "fe00:aa:bb:cc::1";`
			`prefixLength = 64;`
			`}`
			`];`
			`networking.hosts."fe00:aa:bb:cc::2" = [ "server" ];`
			`environment.etc.sshKey = {`
			`source = ./initrd-network-ssh/id_ed25519; # dont use this anywhere else`
			`mode = "0600";`
			`};`
			`};`
			`};`

			`testScript = ''`
			`start_all()`

			`server.wait_for_unit("sslh.service")`
			`server.wait_for_unit("nginx.service")`
			`server.wait_for_unit("sshd.service")`
			`server.wait_for_open_port(80)`
			`server.wait_for_open_port(443)`
			`server.wait_for_open_port(22)`

			`for arg in ["-6", "-4"]:`
			`client.wait_until_succeeds(f"ping {arg} -c1 server")`

			`# check that ssh through sslh works`
			`client.succeed(`
			`f"ssh {arg} -p 443 -i /etc/sshKey -o StrictHostKeyChecking=accept-new server 'echo $SSH_CONNECTION > /tmp/foo{arg}'"`
			`)`

			`# check that 1/ the above ssh command had an effect 2/ transparent proxying really works`
			`ip = "fe00:aa:bb:cc::1" if arg == "-6" else "192.168.1."`
			`server.succeed(f"grep '{ip}' /tmp/foo{arg}")`

			`# check that http through sslh works`
			`assert client.succeed(f"curl {arg} http://server:443").strip() == "hello world"`
			`'';`
			`}`