Merge pull request #262 from b1tamara/master

Add alpn option to the crt-list

Author: peterellisjones

acceptance-tests/http.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"fmt"
 	"net"
 	"net/http"
 	"net/http/httptest"
@@ -84,3 +85,15 @@ func buildHTTP2Client(caCerts []string, addressMap map[string]string, clientCert
 
 	return &http.Client{Transport: transport}
 }
+
+func connectTLSALPNNegotiatedProtocol(protos []string, publicIP string, ca string, sni string) (string, error) {
+	config := buildTLSConfig([]string{ca}, []tls.Certificate{}, sni)
+	config.NextProtos = protos
+	conn, err := tls.Dial("tcp", fmt.Sprintf("%s:443", publicIP), config)
+	if err != nil {
+		return "", err
+	}
+	defer conn.Close()
+
+	return conn.ConnectionState().NegotiatedProtocol, nil
+}

acceptance-tests/https_frontend_test.go

@@ -16,6 +16,7 @@ var _ = Describe("HTTPS Frontend", func() {
 	var closeLocalServer func()
 	enableHTTP2 := false
 	var http1Client *http.Client
+	var http2Client *http.Client
 
 	haproxyBackendPort := 12000
 	opsfileHTTPS := `---
@@ -32,6 +33,36 @@ var _ = Describe("HTTPS Frontend", func() {
     ssl_pem:
       cert_chain: ((https_frontend.certificate))((https_frontend_ca.certificate))
       private_key: ((https_frontend.private_key))
+# Configure CA and cert chain
+- type: replace
+  path: /instance_groups/name=haproxy/jobs/name=haproxy/properties/ha_proxy/crt_list?/-
+  value:
+    snifilter:
+    - haproxy.h2.internal
+    ssl_pem:
+      cert_chain: ((https_frontend.certificate))((https_frontend_ca.certificate))
+      private_key: ((https_frontend.private_key))
+    alpn: ['h2']
+# Configure CA and cert chain
+- type: replace
+  path: /instance_groups/name=haproxy/jobs/name=haproxy/properties/ha_proxy/crt_list?/-
+  value:
+    snifilter:
+    - haproxy.http11.internal
+    ssl_pem:
+      cert_chain: ((https_frontend.certificate))((https_frontend_ca.certificate))
+      private_key: ((https_frontend.private_key))
+    alpn: ['http/1.1']
+# Configure CA and cert chain
+- type: replace
+  path: /instance_groups/name=haproxy/jobs/name=haproxy/properties/ha_proxy/crt_list?/-
+  value:
+    snifilter:
+    - haproxy.h2-http11.internal
+    ssl_pem:
+      cert_chain: ((https_frontend.certificate))((https_frontend_ca.certificate))
+      private_key: ((https_frontend.private_key))
+    alpn: ['h2', 'http/1.1']
 # Declare certs
 - type: replace
   path: /variables?/-
@@ -49,7 +80,7 @@ var _ = Describe("HTTPS Frontend", func() {
     options:
       ca: https_frontend_ca
       common_name: haproxy.internal
-      alternative_names: [haproxy.internal]
+      alternative_names: [haproxy.internal, haproxy.h2.internal, haproxy.http11.internal, haproxy.h2-http11.internal]
 `
 
 	var creds struct {
@@ -77,11 +108,14 @@ var _ = Describe("HTTPS Frontend", func() {
 		closeLocalServer, localPort = startDefaultTestServer()
 		closeTunnel = setupTunnelFromHaproxyToTestServer(haproxyInfo, haproxyBackendPort, localPort)
 
-		http1Client = buildHTTPClient(
-			[]string{creds.HTTPSFrontend.CA},
-			map[string]string{"haproxy.internal:443": fmt.Sprintf("%s:443", haproxyInfo.PublicIP)},
-			[]tls.Certificate{}, "",
-		)
+		addresses := map[string]string{
+			"haproxy.internal:443":        fmt.Sprintf("%s:443", haproxyInfo.PublicIP),
+			"haproxy.h2.internal:443":     fmt.Sprintf("%s:443", haproxyInfo.PublicIP),
+			"haproxy.http11.internal:443": fmt.Sprintf("%s:443", haproxyInfo.PublicIP),
+		}
+
+		http1Client = buildHTTPClient([]string{creds.HTTPSFrontend.CA}, addresses, []tls.Certificate{}, "")
+		http2Client = buildHTTP2Client([]string{creds.HTTPSFrontend.CA}, addresses, []tls.Certificate{})
 	})
 
 	AfterEach(func() {
@@ -134,12 +168,6 @@ var _ = Describe("HTTPS Frontend", func() {
 			Expect(resp.StatusCode).To(Equal(http.StatusOK))
 			Eventually(gbytes.BufferReader(resp.Body)).Should(gbytes.Say("Hello cloud foundry"))
 
-			http2Client := buildHTTP2Client(
-				[]string{creds.HTTPSFrontend.CA},
-				map[string]string{"haproxy.internal:443": fmt.Sprintf("%s:443", haproxyInfo.PublicIP)},
-				[]tls.Certificate{},
-			)
-
 			By("Sending a request to HAProxy using HTTP 2")
 			resp, err = http2Client.Get("https://haproxy.internal:443")
 			Expect(err).NotTo(HaveOccurred())
@@ -150,4 +178,43 @@ var _ = Describe("HTTPS Frontend", func() {
 			Eventually(gbytes.BufferReader(resp.Body)).Should(gbytes.Say("Hello cloud foundry"))
 		})
 	})
+
+	Context("ALPN Configuration via CRT list", func() {
+		BeforeEach(func() {
+			// Do not enable HTTP globally, since we are adding it via crt-list entries
+			enableHTTP2 = false
+		})
+
+		It("Negotiates the correct ALPN protocol", func() {
+			// H2 endpoint should negotiate H2 if the client supports it
+			alpnProto, err := connectTLSALPNNegotiatedProtocol([]string{"http/1.1", "h2"}, haproxyInfo.PublicIP, creds.HTTPSFrontend.CA, "haproxy.h2.internal")
+			Expect(err).NotTo(HaveOccurred())
+			Expect(alpnProto).To(Equal("h2"))
+
+			// HTTP/1.1 endpoint should negotiate HTTP/1.1 if the client supports it
+			alpnProto, err = connectTLSALPNNegotiatedProtocol([]string{"h2", "http/1.1"}, haproxyInfo.PublicIP, creds.HTTPSFrontend.CA, "haproxy.http11.internal")
+			Expect(err).NotTo(HaveOccurred())
+			Expect(alpnProto).To(Equal("http/1.1"))
+
+			// H2+HTTP/1.1 endpoint should negotiate H2 if the client supports it
+			alpnProto, err = connectTLSALPNNegotiatedProtocol([]string{"h2"}, haproxyInfo.PublicIP, creds.HTTPSFrontend.CA, "haproxy.h2-http11.internal")
+			Expect(err).NotTo(HaveOccurred())
+			Expect(alpnProto).To(Equal("h2"))
+
+			// H2+HTTP/1.1 endpoint should negotiate HTTP/1.1 if the client supports it
+			alpnProto, err = connectTLSALPNNegotiatedProtocol([]string{"http/1.1"}, haproxyInfo.PublicIP, creds.HTTPSFrontend.CA, "haproxy.h2-http11.internal")
+			Expect(err).NotTo(HaveOccurred())
+			Expect(alpnProto).To(Equal("http/1.1"))
+
+			// H2 endpoint should not use ALPN if client does not support H2
+			alpnProto, err = connectTLSALPNNegotiatedProtocol([]string{"http/1.1"}, haproxyInfo.PublicIP, creds.HTTPSFrontend.CA, "haproxy.h2.internal")
+			Expect(err).NotTo(HaveOccurred())
+			Expect(alpnProto).To(Equal(""))
+
+			// HTTP/1.1 endpoint should not use ALPN if client does not support HTTP/1.1
+			alpnProto, err = connectTLSALPNNegotiatedProtocol([]string{"h2"}, haproxyInfo.PublicIP, creds.HTTPSFrontend.CA, "haproxy.http11.internal")
+			Expect(err).NotTo(HaveOccurred())
+			Expect(alpnProto).To(Equal(""))
+		})
+	})
 })

ci/release_notes.md

@@ -1,6 +1,8 @@
 # New Features
 - New property `disable_backend_http2_websockets` to force backend websocket connections to use HTTP/1.1 (default `false`) #263 / #261
+- Support for `alpn` property in crt-list was added #262
+
 
 # Acknowledgements
 
-Thanks @46bit for the PR
+Thanks @46bit and @b1tamara!

jobs/haproxy/spec

@@ -107,6 +107,7 @@ properties:
       Array of private keys and certificates used for TLS handshakes with downstream clients. Each element in the array is an object containing at least the field 'ssl_pem'.
       The field 'ssl_pem' itself is either an object containing fields 'cert_chain' and 'private_key', or a single string containing the cert chain and the private key.
       The following fields are optional:
+      - 'alpn' (a optional array of strings). If both HTTP/2 and HTTP/1.1 are expected to be supported, both versions can be advertised, in order of preference
       - 'client_ca_file' (replaces ha_proxy.client_ca_file)
       - 'verify' (allowed values: [none|optional|required])
       - 'ssl_ciphers' (overrides ha_proxy.ssl_ciphers)
@@ -145,6 +146,9 @@ properties:
         ssl_ciphersuites: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
         ssl_min_version: TLSv1.2
         ssl_max_version: TLSv1.3
+        alpn: 
+        - h2
+        - http/1.1
         client_revocation_list: |
           -----BEGIN X509 CRL-----
           -----END X509 CRL-----

jobs/haproxy/templates/certs.ttar.erb

@@ -53,6 +53,9 @@ if_p("ha_proxy.crt_list") do |crt_list|
     if list_entry.key?("ssl_max_version")
       sslbindconf += " ssl-max-ver " + list_entry["ssl_max_version"]
     end
+    if list_entry.key?("alpn")
+      sslbindconf += " alpn #{list_entry["alpn"].join(",")} "
+    end
 
     if sslbindconf != ""
       sslbindconf = " ["+sslbindconf.strip+"]"

spec/haproxy/templates/certs.ttar_spec.rb

@@ -413,6 +413,72 @@
     end
   end
 
+  describe 'ha_proxy.crt_list[].alpn only h2' do
+    let(:ttar) do
+      template.render({
+        'ha_proxy' => {
+          'crt_list' => [{
+            'alpn' => ['h2'],
+            'ssl_pem' => 'ssl_pem contents'
+          }]
+        }
+      })
+    end
+
+    it 'is included in the crt list' do
+      expect(ttar_entry(ttar, '/var/vcap/jobs/haproxy/config/ssl/crt-list')).to eq(<<~EXPECTED)
+
+        /var/vcap/jobs/haproxy/config/ssl/cert-0.pem [alpn h2]
+
+
+      EXPECTED
+    end
+  end
+
+  describe 'ha_proxy.crt_list[].alpn h2 and http/1.1' do
+    let(:ttar) do
+      template.render({
+        'ha_proxy' => {
+          'crt_list' => [{
+            'alpn' => ['h2', 'http/1.1'],
+            'ssl_pem' => 'ssl_pem contents'
+          }]
+        }
+      })
+    end
+
+    it 'is included in the crt list' do
+      expect(ttar_entry(ttar, '/var/vcap/jobs/haproxy/config/ssl/crt-list')).to eq(<<~EXPECTED)
+
+        /var/vcap/jobs/haproxy/config/ssl/cert-0.pem [alpn h2,http/1.1]
+
+
+      EXPECTED
+    end
+  end
+
+  describe 'ha_proxy.crt_list[].alpn prefer http/1.1 to h2' do
+    let(:ttar) do
+      template.render({
+        'ha_proxy' => {
+          'crt_list' => [{
+            'alpn' => ['http/1.1', 'h2'],
+            'ssl_pem' => 'ssl_pem contents'
+          }]
+        }
+      })
+    end
+
+    it 'is included in the crt list' do
+      expect(ttar_entry(ttar, '/var/vcap/jobs/haproxy/config/ssl/crt-list')).to eq(<<~EXPECTED)
+
+        /var/vcap/jobs/haproxy/config/ssl/cert-0.pem [alpn http/1.1,h2]
+
+
+      EXPECTED
+    end
+  end
+
   describe 'ha_proxy.ext_crt_list' do
     context 'when there are no internal certificates' do
       let(:ttar) do