squid: add inverse test

This commit is contained in:
Joshua Kobschätzki
2025-02-25 12:37:26 +01:00
parent 744a9430aa
commit 019f100d17
3 changed files with 37 additions and 7 deletions


@@ -4,6 +4,13 @@
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- `services.rippled` has been removed, as `rippled` was broken and had not been updated since 2022.
- `services.rippleDataApi` has been removed, as `ripple-data-api` was broken and had not been updated since 2022.
- `squid` has been updated to version 7, this release includes multiple breaking changes, like ESI removal.
For more information, [check the release notes](https://github.com/squid-cache/squid/releases/tag/SQUID_7_0_1).
- The [`no-broken-symlinks` hook](https://nixos.org/manual/nixpkgs/unstable/#no-broken-symlinks.sh) was added to catch builds containing dangling or reflexive symlinks, as these are indicative of problems with packaging.
The hook can be disabled by providing `dontCheckForBrokenSymlinks = true;` as an argument to `mkDerivation`.
For more information, [check the docs](https://nixos.org/manual/nixpkgs/unstable/#no-broken-symlinks.sh) or [see this PR](https://github.com/NixOS/nixpkgs/pull/370750).


@@ -67,7 +67,7 @@ let
http_access deny to_localhost
# Application logs to syslog, access and store logs have specific files
cache_log syslog
cache_log stdio:/var/log/squid/cache.log
access_log stdio:/var/log/squid/access.log
cache_store_log stdio:/var/log/squid/store.log
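Review bot: The comment `# Application logs to syslog, access and store logs have specific files` is left stale if, as the print order suggests, `cache_log stdio:/var/log/squid/cache.log` is the surviving line; it should then read `# Application, access and store logs each go to their own file under /var/log/squid`. Nothing in this hunk shows how /var/log/squid/cache.log is rotated or retained once it no longer goes through syslog, so it is worth confirming that the module already handles that for the access and store logs and that cache.log is covered the same way. The enclosing `let` binding starts before this hunk and its end is not visible here.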


@@ -56,6 +56,24 @@ import ./make-test-python.nix (
{
virtualisation.vlans = [ 1 ];
networking.firewall.enable = true;
# NOTE: the client doesn't need a HTTP server, this is here to allow a validation of the proxy acl
networking.firewall.allowedTCPPorts = [ 80 ];
services.nginx = {
enable = true;
virtualHosts."server" = {
root = "/etc";
locations."/".index = "hostname";
listen = [
{
addr = "0.0.0.0";
port = 80;
}
];
};
};
}
];
@@ -68,6 +86,8 @@ import ./make-test-python.nix (
lib.mkMerge [
commonConfig
{
nixpkgs.config.permittedInsecurePackages = [ "squid-7.0.1" ];
virtualisation.vlans = [
1
2
@@ -75,10 +95,6 @@ import ./make-test-python.nix (
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ config.services.squid.proxyPort ];
nixpkgs.config.permittedInsecurePackages = [
"squid-6.12"
];
services.squid = {
enable = true;
@@ -86,6 +102,7 @@ import ./make-test-python.nix (
acl client src ${clientIp}
acl server dst ${serverIp}
http_access allow client server
http_access deny all
'';
};
}
@@ -157,9 +174,15 @@ import ./make-test-python.nix (
with subtest("HTTP"):
# the client cannot reach the server directly over HTTP
client.fail('[[ `timeout 3 curl http://${serverIp}` ]]')
client.fail('[[ `timeout 3 curl --fail-with-body http://${serverIp}` ]]')
# ... but can with the proxy
client.succeed('[[ `timeout 3 curl --proxy http://${proxyInternalIp}:3128 http://${serverIp}` == "server" ]]')
client.succeed('[[ `timeout 3 curl --fail-with-body --proxy http://${proxyInternalIp}:3128 http://${serverIp}` == "server" ]]')
# and cannot from the server (with a 4xx error code) and ...
server.fail('[[ `timeout 3 curl --fail-with-body --proxy http://${proxyExternalIp}:3128 http://${clientIp}` == "client" ]]')
# .. not the client hostname
server.fail('[[ `timeout 3 curl --proxy http://${proxyExternalIp}:3128 http://${clientIp}` == "client" ]]')
# with an explicit deny message (no --fail because we want to parse the returned message)
server.succeed('[[ `timeout 3 curl --proxy http://${proxyExternalIp}:3128 http://${clientIp}` == *"ERR_ACCESS_DENIED"* ]]')
'';
}
)
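Review bot: The two `server.fail(...)` checks in the last hunk, which compare curl's output against `"client"`, pass for any reply that is not exactly `client` — a timeout, an unreachable proxy or an empty body all satisfy them — so they do not establish the 4xx that the comment `# and cannot from the server (with a 4xx error code) and ...` promises. Only the final `*"ERR_ACCESS_DENIED"*` substring check actually distinguishes an ACL deny from an outage, and it is the one the inverse test really rests on. Pinning the status code would make the negative case meaningful on its own, e.g. `server.succeed("timeout 3 curl -s -o /dev/null -w '%{http_code}' --proxy http://${proxyExternalIp}:3128 http://${clientIp} | grep -qx 403")`, since Squid ordinarily serves its access-denied page with 403; the same weakness applies to the `client.fail` line above it, where an empty output is accepted for any reason. The `testScript` string and the `server` node definition begin outside this hunk.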