Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add h2 static responses tests #272

Merged
merged 1 commit into from
Sep 21, 2022
Merged

add h2 static responses tests #272

merged 1 commit into from
Sep 21, 2022

Conversation

nickzaev
Copy link
Contributor

@nickzaev nickzaev commented Aug 9, 2022

These tests aim to ensure that Tempesta generates correct static responses in most common use-cases using h2 protocol.

@nickzaev
Copy link
Contributor Author

nickzaev commented Aug 9, 2022
edited
Loading

I've encountered 2 Tempesta bugs during poking around these tests:

  1. http_rules.test_http_tables.H2Redirects fails with
[Tue Aug  9 14:03:04 2022] [tempesta fw] Warning: request dropped: cannot find appropriate virtual host: 127.0.0.1

If you uncomment #-> redirection_chain; line in the main chain, the test passes. Just to make sure that this behavior is not caused by poorly formed configuration, I've provided 2 additional temporary tests (that will be deleted after we resolve corresponding Tempesta issues) that have pretty much the same configurations (except for the TLS part): http_rules.test_http_tables.HttpRedirects and http_rules.test_http_tables.HttpsRedirects. They both pass. Note that both of them don't have -> redirection_chain; in the main chain, so this h2 case is isolated. From my understanding, what happens is that Tempesta cannot match the request to any vhost because it simply doesn't have Host field within the request. I haven't digged deep enough into Tempesta code yet, so I added checks for:

            hdr "Authority" == "tempesta-tech.com" -> redirection_chain;
            hdr ":authority" == "tempesta-tech.com" -> redirection_chain;
            hdr "authority" == "tempesta-tech.com" -> redirection_chain;

as well in case if that would help, but it didn't — the test still fails.

  1. cache.test_cache.H2Cache fails with:
[Tue Aug  9 14:31:49 2022] [tempesta fw] Warning: Unable to transform HTTP/1.1 data into HTTP/2 format: free space exhausted (accumulated length: 78
[Tue Aug  9 14:31:49 2022] [tempesta tls] Warning: [::ffff:127.0.0.1] Bad TLS alert

This is a known Tempesta issue (#261, #1669).
Note that:

test (cache.test_cache.H2Cache) ... Amount of requests passed to the backend: 2
FAIL

basically means that requests get to the backend and Tempesta fails to return them back to the client.
Regarding that tempesta tls warning, I'm not aware of it's meaning at the moment, but [::ffff:127.0.0.1] is definitely not a valid IPv6 address, so that might be a separate issue.

@nickzaev nickzaev marked this pull request as draft August 9, 2022 15:03
krizhanovsky
krizhanovsky reviewed Aug 11, 2022
View reviewed changes
cache/test_cache.py Outdated
@@ -3,6 +3,7 @@
from __future__ import print_function
from testers import functional
from helpers import chains
from framework import tester

__author__ = 'Tempesta Technologies, Inc.'
__copyright__ = 'Copyright (C) 2017 Tempesta Technologies, Inc.'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please update the copyright year

cache/test_cache.py Outdated

got_response = client.wait_for_response(timeout=5)

print(f"Amount of requests passed to the backend: {len(self.get_server('deproxy').requests)}")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems here should be an assertion, that backend receives only 1 request. Also too wide line

@krizhanovsky
Copy link
Contributor

krizhanovsky commented Aug 11, 2022
edited
Loading

Issue (1) looks like about tempesta-tech/tempesta#1630 - could you please disable the test pointing out the issue. I think just using authority in the rules should work, but it'd be good to leave the host rule pointing out to another chain/redirection to make sure that we process Host and authority in correct way (in terms of the cited issue).

I added comment 7 about Bad TLS alert message - this is some separate issue. ::ffff:127.0.0.1 is just a IPv4-mapped IPv6 address: Tempesta FW handles all addressed in IPv6 internally and if you use IPv4, then it maps the address(es) to IPv6.

@const-t
Copy link
Contributor

const-t commented Aug 12, 2022

Issue (1) looks like about tempesta-tech/tempesta#1630 - could you please disable the test pointing out the issue. I think just using authority in the rules should work, but it'd be good to leave the host rule pointing out to another chain/redirection to make sure that we process Host and authority in correct way (in terms of the cited issue).

I added comment 7 about Bad TLS alert message - this is some separate issue. ::ffff:127.0.0.1 is just a IPv4-mapped IPv6 address: Tempesta FW handles all addressed in IPv6 internally and if you use IPv4, then it maps the address(es) to IPv6.

No, it's not tempesta-tech/tempesta#1630, it's about matching pseudo-headers by http tables. Now we can't match any pseudo-headers by using hdr keyword in http chain. To match :authority we can use only Host keyword in http chain block.

@krizhanovsky
Copy link
Contributor

With the slack discussion it's worth testing configuration like:

hdr "authority" == "tempesta-tech.com" -> one_chain;
host == "tempesta-tech.com" -> some_other_chain;

const-t
const-t reviewed Aug 12, 2022
View reviewed changes
http_rules/test_http_tables.py Outdated
}

http_chain {
hdr "Host" == "tempesta-tech.com" -> redirection_chain;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Host can't be matched, because you don't send it. Is it expected?

cache/test_cache.py Outdated
clients = [{
'id': 'deproxy',
'type': 'deproxy_h2',
'addr': "${server_ip}",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe would be better to use ${tempesta_ip}, because tempesta and backend can be on different hosts.

@nickzaev nickzaev marked this pull request as ready for review September 4, 2022 14:54
@nickzaev
add h2 static responses tests
14d3bff 
These tests aim to ensure that Tempesta generates correct
static responses in most common use-cases using `h2` protocol.
const-t
const-t approved these changes Sep 21, 2022
View reviewed changes
Copy link
Contributor

@const-t const-t left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nickzaev nickzaev merged commit e0c5552 into master Sep 21, 2022
@nickzaev nickzaev deleted the nz-h2-static-responses branch September 21, 2022 11:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@krizhanovsky krizhanovsky krizhanovsky left review comments

@const-t const-t const-t approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nickzaev @krizhanovsky @const-t