Add an integration test for HTTPS Proxy

libbeat/docker-compose.yml

@@ -27,7 +27,9 @@ services:
       interval: 1s
     ports:
       - 9200:9200
-      - 3128:3128 # Squid listens in the proxy service container.
+      # Squid listens on 3128 (HTTP) and 3129 (HTTPS) from the proxy service container.
+      - 3128:3128
+      - 3129:3129
 
   elasticsearchssl:
     extends:

libbeat/esleg/eslegclient/connection.go

@@ -367,19 +367,18 @@ func (h *httpClientProxySettings) ProxyDialer(_ *url.URL, forward proxy.Dialer)
 }
 
 func (conn *Connection) testProxyDialer(d testing.Driver, forward transport.Dialer) transport.Dialer {
-	switch scheme := conn.Transport.Proxy.URL.Scheme; scheme {
-	case "http", "https":
-		proxy.RegisterDialerType(scheme, ((*httpClientProxySettings)(&conn.Transport.Proxy)).ProxyDialer)
-	}
-
 	dialer := forward
 
-	if conn.Transport.Proxy.URL.Scheme == "https" {
+	switch scheme := conn.Transport.Proxy.URL.Scheme; scheme {
+	case "https":
 		tls, err := tlscommon.LoadTLSConfig(conn.Transport.TLS)
 		if err != nil {
 			d.Fatal("load tls config", err)
 		}
 		dialer = transport.TestTLSDialer(d, dialer, tls, conn.Transport.Timeout)
+		fallthrough
+	case "http":
+		proxy.RegisterDialerType(scheme, ((*httpClientProxySettings)(&conn.Transport.Proxy)).ProxyDialer)
 	}
 
 	dialer, err := transport.ProxyDialer(logp.L(), &transport.ProxyConfig{URL: conn.Transport.Proxy.URL.String()}, dialer)

libbeat/tests/integration/cmd_test.go

@@ -88,7 +88,7 @@ func TestCmdTestOutputBadHost(t *testing.T) {
 
 func TestCmdTestOutputProxy(t *testing.T) {
 	esURL := GetESURL(t, "http")
-	proxyURL := GetProxyURL(t)
+	proxyURL := GetProxyURL(t, "http")
 	mockbeat := NewBeat(t, "mockbeat", "../../libbeat.test")
 	mockbeat.WriteConfigFile(fmt.Sprintf(CmdTestCfg, esURL.String()))
 	mockbeat.Start("test", "output", "-E", "output.elasticsearch.proxy_url="+proxyURL.String())
@@ -101,8 +101,23 @@ func TestCmdTestOutputProxy(t *testing.T) {
 	mockbeat.WaitStdOutContains("talk to server... OK", 10*time.Second)
 }
 
+func TestCmdTestOutputProxyTLS(t *testing.T) {
+	esURL := GetESURL(t, "http")
+	proxyURL := GetProxyURL(t, "https")
+	mockbeat := NewBeat(t, "mockbeat", "../../libbeat.test")
+	mockbeat.WriteConfigFile(fmt.Sprintf(CmdTestCfg, esURL.String()))
+	mockbeat.Start("test", "output", "-E", "output.elasticsearch.proxy_url="+proxyURL.String(), "-E", "output.elasticsearch.ssl.verification_mode=none")
+	procState, err := mockbeat.Process.Wait()
+	require.NoError(t, err)
+	require.Equal(t, 0, procState.ExitCode(), "incorrect exit code")
+	mockbeat.WaitStdOutContains("parse url... OK", 10*time.Second)
+	mockbeat.WaitStdOutContains("proxy... OK", 10*time.Second)
+	mockbeat.WaitStdOutContains("TLS... WARN secure connection disabled", 10*time.Second)
+	mockbeat.WaitStdOutContains("talk to server... OK", 10*time.Second)
+}
+
 func TestCmdTestOutputProxyBadHost(t *testing.T) {
-	proxyURL := GetProxyURL(t)
+	proxyURL := GetProxyURL(t, "http")
 	mockbeat := NewBeat(t, "mockbeat", "../../libbeat.test")
 	mockbeat.WriteConfigFile(fmt.Sprintf(CmdTestCfg, "badhost:9200"))
 	mockbeat.Start("test", "output", "-E", "output.elasticsearch.proxy_url="+proxyURL.String())

libbeat/tests/integration/framework.go

@@ -574,22 +574,24 @@ func GetKibana(t *testing.T) (url.URL, *url.Userinfo) {
 	return kibanaURL, kibanaUser
 }
 
-func GetProxyURL(t *testing.T) url.URL {
+func GetProxyURL(t *testing.T, scheme string) url.URL {
 	t.Helper()
 
-	scheme := os.Getenv("PROXY_SCHEME")
-	if scheme == "" {
-		scheme = "http"
-	}
-
 	proxyHost := os.Getenv("PROXY_HOST")
 	if proxyHost == "" {
 		proxyHost = "localhost"
 	}
 
 	proxyPort := os.Getenv("PROXY_PORT")
 	if proxyPort == "" {
-		proxyPort = "3128"
+		switch scheme {
+		case "http":
+			proxyPort = "3128"
+		case "https":
+			proxyPort = "3129"
+		default:
+			t.Fatalf("could not determine port from env variable: PROXY_PORT=%s", proxyPort)
+		}
 	}
 
 	user := os.Getenv("PROXY_USER")

testing/environments/docker/proxy/Dockerfile

@@ -3,6 +3,11 @@ FROM alpine:edge
 RUN apk add --no-cache squid bash
 
 COPY squid.conf /etc/squid/squid.conf
+COPY pki /etc/pki
+
+RUN chmod 600 /etc/squid/squid.conf; \
+	chmod 600 /etc/pki/tls/certs/*; \
+	chmod 600 /etc/pki/tls/private/*;
 
 HEALTHCHECK --interval=1s --retries=600 CMD nc -z localhost 3128
 EXPOSE 3128

testing/environments/docker/proxy/pki/tls/certs/proxy.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAeugAwIBAgIUGQ2GT9PuU7bTNxYTQeSqbYarkXAwDQYJKoZIhvcNAQEL
+BQAwEDEOMAwGA1UEAwwFcHJveHkwIBcNMjMxMDI5MTUxNjMzWhgPMjEyMzEwMDUx
+NTE2MzNaMBAxDjAMBgNVBAMMBXByb3h5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAsbbY3X+eSd2qMF55M4IRG91IQuj8H1mqvG+QfndvU6mKVGhw4rEf
+S3a1CgK2WbsDvJORteRYn6FZK8owfGx/pYlHWYfYB4+7rmBIn5Z5EmFhyj9SbRRk
+N0nlHH/NsbOExhSg4scfhIUlZiYbjG8dPdprU4db4Qm+zls/Opl/Vc9xdMPdJqQ8
+JTB1or7KLFK3KcbaoIGGSZ8KkboMBN3hYv6KcjkgH/nsXgaqQZHw/FyoHZDXlff3
+JXJdtU936vC96qQONs1qPgmgquGWst616KH9t9Y1+S4DItqBm2pQ1q+pm832zkRi
+i4PxSkmVvSfBOXlrIh/vqmyDIRa/Vd6aKQIDAQABo1MwUTAdBgNVHQ4EFgQUTe7E
+Hwu56Ojzyj0rfCnU5gsT/fgwHwYDVR0jBBgwFoAUTe7EHwu56Ojzyj0rfCnU5gsT
+/fgwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAZ8jCSIToxPVT
+dVl28Eb4bByHkcwwJj2qNaBGsxDEd45I6OQOyMvGziYvw7lFNeu12aqCPBMNXwqS
+1Ffl/XrU5FuAg0B+Z3BDMq6T0sPCldfCU5ERJjyJGXBP7O+C4b8Jf0V/RAO+ylM9
+ulroC+RoU8xpf9e1LOJDOf75owm29OU2Vi31SCpJmx51okqc5fWJcc+o414/1zL1
+NqNN8FHxfDcquP5Aj9xEEAmazt4Nh1htaYW691BoBNwDjyYQmZleUlpJf6M9Rcfe
+cNqicJZkBBwcWuCYvfMMhDdR/qgQVH3cEtC5NVZcCK2gaFW1HDPEqODV1y4gXUnh
+fncmlS8pww==
+-----END CERTIFICATE-----

testing/environments/docker/proxy/pki/tls/private/proxy.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCxttjdf55J3aow
+XnkzghEb3UhC6PwfWaq8b5B+d29TqYpUaHDisR9LdrUKArZZuwO8k5G15FifoVkr
+yjB8bH+liUdZh9gHj7uuYEiflnkSYWHKP1JtFGQ3SeUcf82xs4TGFKDixx+EhSVm
+JhuMbx092mtTh1vhCb7OWz86mX9Vz3F0w90mpDwlMHWivsosUrcpxtqggYZJnwqR
+ugwE3eFi/opyOSAf+exeBqpBkfD8XKgdkNeV9/clcl21T3fq8L3qpA42zWo+CaCq
+4Zay3rXoof231jX5LgMi2oGbalDWr6mbzfbORGKLg/FKSZW9J8E5eWsiH++qbIMh
+Fr9V3popAgMBAAECggEABn46RTmE9IjzT2ocPowJiP2YRs2RbKnPiav/2QcPG7zt
+j3DzcuzqykyPh8qalAO3urufjshFjquMAQQVqm4iac9uunAyrfAL+O6OqLoMOWYy
+dvvCTLb6hGSgSN7Iiq4W80/MowyIc8STnbxVtFdY96oT0sz2x+2duZdu43q5Qs7O
+T+dfaqXsS6P9+YmIUj65vqHSMHB2hRfg59SXwo8WZz28T89u0ga6AGhcc8N/GgAF
+Yax3CK5G2ctn2zlDsuQCcSXy542hKZAQ5X+ktG75y6kJUuBgD2n386t3d8BbA4Oe
+fIA+6sqatiCJCEwKvHDgAH5F5/uvlJ54C1pdPQEtgQKBgQDxC9hJ1s6lw18J3Sho
+N6JcHAnDSDQhICDxrPA22j5DkI3VRhq2LHEG6+TSGYKMcoFepb79i62n4knqH2Q0
+5o1kgnTJx01D5GVDraOw0jU5QLM0tTnmTpsB1PW/ZNDh86smEopH81ltHhLrYAZo
+QdkdsDzNfdW4PPLeli+bbuSoSQKBgQC8vTNHZv9zCn5x+DWW2PC3tTVwez8FGI7U
+O+vthrDVU9eNE1e0Xb8Y9oDnYMhB5kTEnAaXJr+/rB4r/pKWOzYkvHFVRh9DyKU5
+D1vrG6hyYL9fH52nhEv6BP0Q+97KXRi4VnTfA88pTvH+t2r/q/5asJq1dKaihUH6
+TgbGviUi4QKBgCtJXkD8U0XPTOzfi1cTzpNN8a7g84OTWncsAENJc+78MYxAN6HJ
+X07H4+Ka9Ce2lGbjyuWLRNcmOvHRS1R4pqGLD+AAa26qwEikEQY66ZXreYMYnFow
+eYOds7f4Kc65zF1c7Po4yDFhOjKMnvnwAUZklLauR0f7of246Lm381YJAoGADRPb
+Ar6LQrBedI0rQWmEvGXs7v9LLZI3C1OflFS52f42OEs3z4KTZCpoYh/doFtRNoJN
+HpoLvT8y0/+OrqQpqz/3Zl42el7ju+FpkA/ZixtTB0dMiDftf8RquIuLM2Bh/xvW
+e0FrUERtFiYlXtPPCv+jqKENjsNHAA36ADlan2ECgYBaMmZqbpd2Q0j4GOcyvpM1
+VZHF4+W6l+BfNzRK/fo6uVJQWt7SaXIzKF1qoCNlWEfa6FcaptoAoCgK0zTtZmX6
+89R+AKpMY/81XvzX2J3s/KmVa7BLvhILFjfL9TeLTaR1fA3MEnVU8h5PimwEjJL8
+hWcwalivszosnKl+gs7SaA==
+-----END PRIVATE KEY-----

testing/environments/docker/proxy/squid.conf

@@ -20,4 +20,5 @@ http_access deny all
 
 # General settings
 http_port 3128
+https_port 3129 cert=/etc/pki/tls/certs/proxy.crt key=/etc/pki/tls/private/proxy.key
 dns_timeout 3 seconds