diff --git a/libbeat/docker-compose.yml b/libbeat/docker-compose.yml index f60976451cc..9f8a32c03ef 100644 --- a/libbeat/docker-compose.yml +++ b/libbeat/docker-compose.yml @@ -27,7 +27,9 @@ services: interval: 1s ports: - 9200:9200 - - 3128:3128 # Squid listens in the proxy service container. + # Squid listens on 3128 (HTTP) and 3129 (HTTPS) from the proxy service container. + - 3128:3128 + - 3129:3129 elasticsearchssl: extends: diff --git a/libbeat/esleg/eslegclient/connection.go b/libbeat/esleg/eslegclient/connection.go index c028d40be73..9935b5cc6f1 100644 --- a/libbeat/esleg/eslegclient/connection.go +++ b/libbeat/esleg/eslegclient/connection.go @@ -367,19 +367,18 @@ func (h *httpClientProxySettings) ProxyDialer(_ *url.URL, forward proxy.Dialer) } func (conn *Connection) testProxyDialer(d testing.Driver, forward transport.Dialer) transport.Dialer { - switch scheme := conn.Transport.Proxy.URL.Scheme; scheme { - case "http", "https": - proxy.RegisterDialerType(scheme, ((*httpClientProxySettings)(&conn.Transport.Proxy)).ProxyDialer) - } - dialer := forward - if conn.Transport.Proxy.URL.Scheme == "https" { + switch scheme := conn.Transport.Proxy.URL.Scheme; scheme { + case "https": tls, err := tlscommon.LoadTLSConfig(conn.Transport.TLS) if err != nil { d.Fatal("load tls config", err) } dialer = transport.TestTLSDialer(d, dialer, tls, conn.Transport.Timeout) + fallthrough + case "http": + proxy.RegisterDialerType(scheme, ((*httpClientProxySettings)(&conn.Transport.Proxy)).ProxyDialer) } dialer, err := transport.ProxyDialer(logp.L(), &transport.ProxyConfig{URL: conn.Transport.Proxy.URL.String()}, dialer) diff --git a/libbeat/tests/integration/cmd_test.go b/libbeat/tests/integration/cmd_test.go index 5f1d1375e2f..cc1a217f7f7 100644 --- a/libbeat/tests/integration/cmd_test.go +++ b/libbeat/tests/integration/cmd_test.go 
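Review bot: In `testProxyDialer`, the new `case "https"` builds the proxy-hop TLS dialer from `conn.Transport.TLS`, which appears to be the same TLS configuration the Elasticsearch connection uses, so trust settings for the proxy and for the backend cannot be chosen independently. The accompanying integration test passes `output.elasticsearch.ssl.verification_mode=none` to get through the self-signed proxy, which suggests that anyone diagnosing an HTTPS proxy has to relax verification for the whole output. If that coupling is intended, state it above the switch, for example `// The proxy hop reuses the output's TLS settings; there is no separate proxy TLS config.` The `fallthrough` also deserves a short comment such as `// https also needs the proxy dialer registered below`, since it is easy to read as accidental. The function body continues past the end of this hunk.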
@@ -88,7 +88,7 @@ func TestCmdTestOutputBadHost(t *testing.T) { func TestCmdTestOutputProxy(t *testing.T) { esURL := GetESURL(t, "http") - proxyURL := GetProxyURL(t) + proxyURL := GetProxyURL(t, "http") mockbeat := NewBeat(t, "mockbeat", "../../libbeat.test") mockbeat.WriteConfigFile(fmt.Sprintf(CmdTestCfg, esURL.String())) mockbeat.Start("test", "output", "-E", "output.elasticsearch.proxy_url="+proxyURL.String()) @@ -101,8 +101,23 @@ func TestCmdTestOutputProxy(t *testing.T) { mockbeat.WaitStdOutContains("talk to server... OK", 10*time.Second) } +func TestCmdTestOutputProxyTLS(t *testing.T) { + esURL := GetESURL(t, "http") + proxyURL := GetProxyURL(t, "https") + mockbeat := NewBeat(t, "mockbeat", "../../libbeat.test") + mockbeat.WriteConfigFile(fmt.Sprintf(CmdTestCfg, esURL.String())) + mockbeat.Start("test", "output", "-E", "output.elasticsearch.proxy_url="+proxyURL.String(), "-E", "output.elasticsearch.ssl.verification_mode=none") + procState, err := mockbeat.Process.Wait() + require.NoError(t, err) + require.Equal(t, 0, procState.ExitCode(), "incorrect exit code") + mockbeat.WaitStdOutContains("parse url... OK", 10*time.Second) + mockbeat.WaitStdOutContains("proxy... OK", 10*time.Second) + mockbeat.WaitStdOutContains("TLS... WARN secure connection disabled", 10*time.Second) + mockbeat.WaitStdOutContains("talk to server... OK", 10*time.Second) +} + func TestCmdTestOutputProxyBadHost(t *testing.T) { - proxyURL := GetProxyURL(t) + proxyURL := GetProxyURL(t, "http") mockbeat := NewBeat(t, "mockbeat", "../../libbeat.test") mockbeat.WriteConfigFile(fmt.Sprintf(CmdTestCfg, "badhost:9200")) mockbeat.Start("test", "output", "-E", "output.elasticsearch.proxy_url="+proxyURL.String()) diff --git a/libbeat/tests/integration/framework.go b/libbeat/tests/integration/framework.go index 5e97f329f83..3f8254e68af 100644 --- a/libbeat/tests/integration/framework.go +++ b/libbeat/tests/integration/framework.go 
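Review bot: `TestCmdTestOutputProxyTLS` covers only the unverified path: it starts the beat with `output.elasticsearch.ssl.verification_mode=none` and asserts on `TLS... WARN secure connection disabled`, so nothing checks that the proxy certificate is validated when verification is left on. A companion case that omits the override and expects a non-zero exit code would catch a regression where the proxy handshake silently stops verifying. At minimum, add a comment above the `mockbeat.Start` call, e.g. `// verification is disabled only because the test proxy uses a self-signed certificate`, so the setting is not copied into other tests as a default.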
@@ -574,14 +574,9 @@ func GetKibana(t *testing.T) (url.URL, *url.Userinfo) { return kibanaURL, kibanaUser } -func GetProxyURL(t *testing.T) url.URL { +func GetProxyURL(t *testing.T, scheme string) url.URL { t.Helper() - scheme := os.Getenv("PROXY_SCHEME") - if scheme == "" { - scheme = "http" - } - proxyHost := os.Getenv("PROXY_HOST") if proxyHost == "" { proxyHost = "localhost" @@ -589,7 +584,14 @@ func GetProxyURL(t *testing.T) url.URL { proxyPort := os.Getenv("PROXY_PORT") if proxyPort == "" { - proxyPort = "3128" + switch scheme { + case "http": + proxyPort = "3128" + case "https": + proxyPort = "3129" + default: + t.Fatalf("could not determine port from env variable: PROXY_PORT=%s", proxyPort) + } } user := os.Getenv("PROXY_USER") diff --git a/testing/environments/docker/proxy/Dockerfile b/testing/environments/docker/proxy/Dockerfile index 76c83218e89..7753149ca6b 100644 --- a/testing/environments/docker/proxy/Dockerfile +++ b/testing/environments/docker/proxy/Dockerfile @@ -3,6 +3,11 @@ FROM alpine:edge RUN apk add --no-cache squid bash COPY squid.conf /etc/squid/squid.conf +COPY pki /etc/pki + +RUN chmod 600 /etc/squid/squid.conf; \ + chmod 600 /etc/pki/tls/certs/*; \ + chmod 600 /etc/pki/tls/private/*; HEALTHCHECK --interval=1s --retries=600 CMD nc -z localhost 3128 EXPOSE 3128 diff --git a/testing/environments/docker/proxy/pki/tls/certs/proxy.crt b/testing/environments/docker/proxy/pki/tls/certs/proxy.crt new file mode 100644 index 00000000000..cd41e0ebcd3 --- /dev/null +++ b/testing/environments/docker/proxy/pki/tls/certs/proxy.crt 
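Review bot: The `default` branch of the new `switch scheme` reports the wrong cause: it is reached only when `PROXY_PORT` is empty, so the message always prints `PROXY_PORT=` and never names the unsupported scheme. Something like `t.Fatalf("unsupported proxy scheme %q and PROXY_PORT is not set", scheme)` would point at the real problem. When `PROXY_PORT` is set, the scheme is not checked at all and both the `http` and `https` tests get the same port, so an override aimed at one listener sends the other test to the wrong one; a doc comment on `GetProxyURL` should say so. The function starts in the previous hunk and continues after this one.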
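Review bot: The new `RUN` step chains the three `chmod` calls with `;`, so a failure of the first or second is ignored and only the last command's status decides whether the build step fails. Joining them with `&&` makes a missed permission change on the config or certificate fail the build: `RUN chmod 600 /etc/squid/squid.conf && chmod 600 /etc/pki/tls/certs/* && chmod 600 /etc/pki/tls/private/*`. The `HEALTHCHECK` and `EXPOSE` lines kept as context still mention only 3128, so the container is reported healthy without the TLS listener on 3129 being probed.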
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDAzCCAeugAwIBAgIUGQ2GT9PuU7bTNxYTQeSqbYarkXAwDQYJKoZIhvcNAQEL +BQAwEDEOMAwGA1UEAwwFcHJveHkwIBcNMjMxMDI5MTUxNjMzWhgPMjEyMzEwMDUx +NTE2MzNaMBAxDjAMBgNVBAMMBXByb3h5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAsbbY3X+eSd2qMF55M4IRG91IQuj8H1mqvG+QfndvU6mKVGhw4rEf +S3a1CgK2WbsDvJORteRYn6FZK8owfGx/pYlHWYfYB4+7rmBIn5Z5EmFhyj9SbRRk +N0nlHH/NsbOExhSg4scfhIUlZiYbjG8dPdprU4db4Qm+zls/Opl/Vc9xdMPdJqQ8 +JTB1or7KLFK3KcbaoIGGSZ8KkboMBN3hYv6KcjkgH/nsXgaqQZHw/FyoHZDXlff3 +JXJdtU936vC96qQONs1qPgmgquGWst616KH9t9Y1+S4DItqBm2pQ1q+pm832zkRi +i4PxSkmVvSfBOXlrIh/vqmyDIRa/Vd6aKQIDAQABo1MwUTAdBgNVHQ4EFgQUTe7E +Hwu56Ojzyj0rfCnU5gsT/fgwHwYDVR0jBBgwFoAUTe7EHwu56Ojzyj0rfCnU5gsT +/fgwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAZ8jCSIToxPVT +dVl28Eb4bByHkcwwJj2qNaBGsxDEd45I6OQOyMvGziYvw7lFNeu12aqCPBMNXwqS +1Ffl/XrU5FuAg0B+Z3BDMq6T0sPCldfCU5ERJjyJGXBP7O+C4b8Jf0V/RAO+ylM9 +ulroC+RoU8xpf9e1LOJDOf75owm29OU2Vi31SCpJmx51okqc5fWJcc+o414/1zL1 +NqNN8FHxfDcquP5Aj9xEEAmazt4Nh1htaYW691BoBNwDjyYQmZleUlpJf6M9Rcfe +cNqicJZkBBwcWuCYvfMMhDdR/qgQVH3cEtC5NVZcCK2gaFW1HDPEqODV1y4gXUnh +fncmlS8pww== +-----END CERTIFICATE----- diff --git a/testing/environments/docker/proxy/pki/tls/private/proxy.key b/testing/environments/docker/proxy/pki/tls/private/proxy.key new file mode 100644 index 00000000000..9321393bb05 --- /dev/null +++ b/testing/environments/docker/proxy/pki/tls/private/proxy.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCxttjdf55J3aow +XnkzghEb3UhC6PwfWaq8b5B+d29TqYpUaHDisR9LdrUKArZZuwO8k5G15FifoVkr +yjB8bH+liUdZh9gHj7uuYEiflnkSYWHKP1JtFGQ3SeUcf82xs4TGFKDixx+EhSVm +JhuMbx092mtTh1vhCb7OWz86mX9Vz3F0w90mpDwlMHWivsosUrcpxtqggYZJnwqR +ugwE3eFi/opyOSAf+exeBqpBkfD8XKgdkNeV9/clcl21T3fq8L3qpA42zWo+CaCq +4Zay3rXoof231jX5LgMi2oGbalDWr6mbzfbORGKLg/FKSZW9J8E5eWsiH++qbIMh +Fr9V3popAgMBAAECggEABn46RTmE9IjzT2ocPowJiP2YRs2RbKnPiav/2QcPG7zt +j3DzcuzqykyPh8qalAO3urufjshFjquMAQQVqm4iac9uunAyrfAL+O6OqLoMOWYy +dvvCTLb6hGSgSN7Iiq4W80/MowyIc8STnbxVtFdY96oT0sz2x+2duZdu43q5Qs7O +T+dfaqXsS6P9+YmIUj65vqHSMHB2hRfg59SXwo8WZz28T89u0ga6AGhcc8N/GgAF +Yax3CK5G2ctn2zlDsuQCcSXy542hKZAQ5X+ktG75y6kJUuBgD2n386t3d8BbA4Oe +fIA+6sqatiCJCEwKvHDgAH5F5/uvlJ54C1pdPQEtgQKBgQDxC9hJ1s6lw18J3Sho +N6JcHAnDSDQhICDxrPA22j5DkI3VRhq2LHEG6+TSGYKMcoFepb79i62n4knqH2Q0 +5o1kgnTJx01D5GVDraOw0jU5QLM0tTnmTpsB1PW/ZNDh86smEopH81ltHhLrYAZo +QdkdsDzNfdW4PPLeli+bbuSoSQKBgQC8vTNHZv9zCn5x+DWW2PC3tTVwez8FGI7U +O+vthrDVU9eNE1e0Xb8Y9oDnYMhB5kTEnAaXJr+/rB4r/pKWOzYkvHFVRh9DyKU5 +D1vrG6hyYL9fH52nhEv6BP0Q+97KXRi4VnTfA88pTvH+t2r/q/5asJq1dKaihUH6 +TgbGviUi4QKBgCtJXkD8U0XPTOzfi1cTzpNN8a7g84OTWncsAENJc+78MYxAN6HJ +X07H4+Ka9Ce2lGbjyuWLRNcmOvHRS1R4pqGLD+AAa26qwEikEQY66ZXreYMYnFow +eYOds7f4Kc65zF1c7Po4yDFhOjKMnvnwAUZklLauR0f7of246Lm381YJAoGADRPb +Ar6LQrBedI0rQWmEvGXs7v9LLZI3C1OflFS52f42OEs3z4KTZCpoYh/doFtRNoJN +HpoLvT8y0/+OrqQpqz/3Zl42el7ju+FpkA/ZixtTB0dMiDftf8RquIuLM2Bh/xvW +e0FrUERtFiYlXtPPCv+jqKENjsNHAA36ADlan2ECgYBaMmZqbpd2Q0j4GOcyvpM1 +VZHF4+W6l+BfNzRK/fo6uVJQWt7SaXIzKF1qoCNlWEfa6FcaptoAoCgK0zTtZmX6 +89R+AKpMY/81XvzX2J3s/KmVa7BLvhILFjfL9TeLTaR1fA3MEnVU8h5PimwEjJL8 +hWcwalivszosnKl+gs7SaA== +-----END PRIVATE KEY----- diff --git a/testing/environments/docker/proxy/squid.conf b/testing/environments/docker/proxy/squid.conf index fb2ca819e41..6a334ae3185 100644 --- a/testing/environments/docker/proxy/squid.conf +++ b/testing/environments/docker/proxy/squid.conf 
@@ -20,4 +20,5 @@ http_access deny all # General settings http_port 3128 +https_port 3129 cert=/etc/pki/tls/certs/proxy.crt key=/etc/pki/tls/private/proxy.key dns_timeout 3 seconds
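Review bot: The `https_port` line points at `/etc/pki/tls/private/proxy.key`, a private key that this same commit checks into the repository in plain text, and nothing in the config says it is a throwaway. Add a comment above the directive, e.g. `# Test-only self-signed certificate and key; committed on purpose, never reuse outside this test image.`, so the fixture is not mistaken for a real credential or repeatedly flagged by secret scanners without context.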