From fb9bfc6cb1b5c9da8be2318a35b9a3737f8dbdd0 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 16 Oct 2023 16:43:07 +0100 Subject: [PATCH 1/5] Update use of http2 listen directive to align with deprecation --- deployments/common/nginx-config.yaml | 1 + deployments/deployment/nginx-ingress.yaml | 5 +- .../deployment/nginx-plus-ingress.yaml | 5 +- .../configs/version1/nginx-plus.ingress.tmpl | 9 +- internal/configs/version1/nginx-plus.tmpl | 10 +- internal/configs/version1/nginx.ingress.tmpl | 9 +- internal/configs/version1/nginx.tmpl | 10 +- internal/configs/version1/template_test.go | 354 +++++++++++++ .../version2/nginx-plus.virtualserver.tmpl | 14 +- .../configs/version2/nginx.virtualserver.tmpl | 15 +- internal/configs/version2/templates_test.go | 465 ++++++++++++++++++ 11 files changed, 871 insertions(+), 26 deletions(-) diff --git a/deployments/common/nginx-config.yaml b/deployments/common/nginx-config.yaml index a6a6c812b5..424a63e01f 100644 --- a/deployments/common/nginx-config.yaml +++ b/deployments/common/nginx-config.yaml @@ -4,3 +4,4 @@ metadata: name: nginx-config namespace: nginx-ingress data: + http2: "true" diff --git a/deployments/deployment/nginx-ingress.yaml b/deployments/deployment/nginx-ingress.yaml index a88d38c71e..08adddedfe 100644 --- a/deployments/deployment/nginx-ingress.yaml +++ b/deployments/deployment/nginx-ingress.yaml @@ -33,7 +33,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx/nginx-ingress:3.3.0 + - image: nginx/nginx-ingress:http2 imagePullPolicy: IfNotPresent name: nginx-ingress ports: @@ -87,6 +87,7 @@ spec: fieldPath: metadata.name args: - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config + - -enable-tls-passthrough #- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret #- -include-year #- -enable-cert-manager @@ -95,7 +96,7 @@ spec: #- -report-ingress-status #- -external-service=nginx-ingress #- -enable-prometheus-metrics - #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration + - -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: # - image: nginx/nginx-ingress:3.3.0 # imagePullPolicy: IfNotPresent diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml index 3ed54a4f87..76875c578a 100644 --- a/deployments/deployment/nginx-plus-ingress.yaml +++ b/deployments/deployment/nginx-plus-ingress.yaml @@ -33,7 +33,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx-plus-ingress:3.3.0 + - image: nginx-plus-ingress:http2 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ports: @@ -90,6 +90,7 @@ spec: args: - -nginx-plus - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config + - -enable-tls-passthrough #- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret #- -include-year #- -enable-cert-manager @@ -101,7 +102,7 @@ spec: #- -external-service=nginx-ingress #- -enable-prometheus-metrics #- -enable-service-insight - #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration + - -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: # - image: nginx/nginx-ingress:3.3.0 # imagePullPolicy: IfNotPresent diff --git a/internal/configs/version1/nginx-plus.ingress.tmpl b/internal/configs/version1/nginx-plus.ingress.tmpl index ab8760865d..e4b11629e8 100644 --- a/internal/configs/version1/nginx-plus.ingress.tmpl +++ b/internal/configs/version1/nginx-plus.ingress.tmpl @@ -36,15 +36,18 @@ server { {{if $server.SSL}} {{if $server.TLSPassthrough}} - listen unix:/var/lib/nginx/passthrough-https.sock ssl{{if $server.HTTP2}} http2{{end}} proxy_protocol; + listen unix:/var/lib/nginx/passthrough-https.sock ssl proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; {{else}} {{- range $port := $server.SSLPorts}} - listen {{$port}} ssl{{if $server.HTTP2}} http2{{end}}{{if $server.ProxyProtocol}} proxy_protocol{{end}}; - {{if not $server.DisableIPV6}}listen [::]:{{$port}} ssl{{if $server.HTTP2}} http2{{end}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}} + listen {{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}}; + {{if not $server.DisableIPV6}}listen [::]:{{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}} {{- end}} {{end}} + {{if $server.HTTP2}} + http2 on; + {{end}} {{if $server.SSLRejectHandshake}} ssl_reject_handshake on; {{else}} diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl index cc8cf394dd..07273db3b1 100644 --- a/internal/configs/version1/nginx-plus.tmpl +++ b/internal/configs/version1/nginx-plus.tmpl @@ -157,12 +157,16 @@ http { {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort }} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} {{if .TLSPassthrough}} - listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server{{if .HTTP2}} http2{{end}} proxy_protocol; + listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; {{else}} - listen {{ .DefaultHTTPSListenerPort }} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}}; - {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort }} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} + listen {{ .DefaultHTTPSListenerPort }} ssl default_server{{if .ProxyProtocol}} proxy_protocol{{end}}; + {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort }} ssl default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} + {{end}} + + {{if .HTTP2}} + http2 on; {{end}} {{if .SSLRejectHandshake}} diff --git a/internal/configs/version1/nginx.ingress.tmpl b/internal/configs/version1/nginx.ingress.tmpl index 8c1e111fb5..670ad48f06 100644 --- a/internal/configs/version1/nginx.ingress.tmpl +++ b/internal/configs/version1/nginx.ingress.tmpl @@ -26,15 +26,18 @@ server { {{if $server.SSL}} {{if $server.TLSPassthrough}} - listen unix:/var/lib/nginx/passthrough-https.sock ssl{{if $server.HTTP2}} http2{{end}} proxy_protocol; + listen unix:/var/lib/nginx/passthrough-https.sock ssl proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; {{else}} {{- range $port := $server.SSLPorts}} - listen {{$port}} ssl{{if $server.HTTP2}} http2{{end}}{{if $server.ProxyProtocol}} proxy_protocol{{end}}; - {{if not $server.DisableIPV6}}listen [::]:{{$port}} ssl{{if $server.HTTP2}} http2{{end}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}} + listen {{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}}; + {{if not $server.DisableIPV6}}listen [::]:{{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}} {{- end}} {{end}} + {{if $server.HTTP2}} + http2 on; + {{end}} {{if $server.SSLRejectHandshake}} ssl_reject_handshake on; {{else}} diff --git a/internal/configs/version1/nginx.tmpl b/internal/configs/version1/nginx.tmpl index c1d4ec590c..b765eec6a0 100644 --- a/internal/configs/version1/nginx.tmpl +++ b/internal/configs/version1/nginx.tmpl @@ -110,12 +110,16 @@ http { {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort}} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} {{if .TLSPassthrough}} - listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server{{if .HTTP2}} http2{{end}} proxy_protocol; + listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; {{else}} - listen {{ .DefaultHTTPSListenerPort}} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}}; - {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort}} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} + listen {{ .DefaultHTTPSListenerPort}} ssl default_server{{if .ProxyProtocol}} proxy_protocol{{end}}; + {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort}} ssl default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} + {{end}} + + {{if .HTTP2}} + http2 on; {{end}} {{if .SSLRejectHandshake}} diff --git a/internal/configs/version1/template_test.go b/internal/configs/version1/template_test.go index 4ef7b96737..79f3aed446 100644 --- a/internal/configs/version1/template_test.go +++ b/internal/configs/version1/template_test.go @@ -665,6 +665,290 @@ func TestExecuteTemplate_ForMainForNGINXPlusWithCustomDefaultHTTPSListenerPort(t } } +func TestExecuteTemplate_ForMainForNGINXWithHTTP2On(t *testing.T) { + t.Parallel() + + tmpl := newNGINXMainTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, mainCfgHTTP2On) + t.Log(buf.String()) + + if err != nil { + t.Fatalf("Failed to write template %v", err) + } + + wantDirectives := []string{ + "http2 on;", + } + + unwantDirectives := []string{ + "listen 443 ssl http2", + "listen [::]:443 ssl http2", + } + + mainConf := buf.String() + for _, want := range wantDirectives { + if !strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } + + for _, want := range unwantDirectives { + if strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForMainForNGINXPlusWithHTTP2On(t *testing.T) { + t.Parallel() + + tmpl := newNGINXPlusMainTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, mainCfgHTTP2On) + t.Log(buf.String()) + + if err != nil { + t.Fatalf("Failed to write template %v", err) + } + + wantDirectives := []string{ + "http2 on;", + } + + unwantDirectives := []string{ + "listen 443 ssl http2", + "listen [::]:443 ssl http2", + } + + mainConf := buf.String() + for _, want := range wantDirectives { + if !strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } + + for _, want := range unwantDirectives { + if strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForMainForNGINXWithHTTP2Off(t *testing.T) { + t.Parallel() + + tmpl := newNGINXMainTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, mainCfg) + t.Log(buf.String()) + + if err != nil { + t.Fatalf("Failed to write template %v", err) + } + + wantDirectives := []string{ + "listen 443 ssl", + "listen [::]:443 ssl", + } + + unwantDirectives := []string{ + "http2 on;", + } + + mainConf := buf.String() + for _, want := range wantDirectives { + if !strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } + + for _, want := range unwantDirectives { + if strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForMainForNGINXPlusWithHTTP2Off(t *testing.T) { + t.Parallel() + + tmpl := newNGINXPlusMainTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, mainCfg) + t.Log(buf.String()) + + if err != nil { + t.Fatalf("Failed to write template %v", err) + } + + wantDirectives := []string{ + "listen 443 ssl", + "listen [::]:443 ssl", + } + + unwantDirectives := []string{ + "http2 on;", + } + + mainConf := buf.String() + for _, want := range wantDirectives { + if !strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } + + for _, want := range unwantDirectives { + if strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForIngressForNGINXPlusWithHTTP2On(t *testing.T) { + t.Parallel() + + tmpl := newNGINXPlusIngressTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, ingressCfgHTTP2On) + t.Log(buf.String()) + if err != nil { + t.Fatal(err) + } + ingConf := buf.String() + + wantDirectives := []string{ + "http2 on;", + } + + unwantDirectives := []string{ + "listen 443 ssl http2", + "listen [::]:443 ssl http2", + } + + for _, want := range wantDirectives { + if !strings.Contains(ingConf, want) { + t.Errorf("want %q in generated config", want) + } + } + + for _, want := range unwantDirectives { + if strings.Contains(ingConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForIngressForNGINXWithHTTP2On(t *testing.T) { + t.Parallel() + + tmpl := newNGINXIngressTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, ingressCfgHTTP2On) + t.Log(buf.String()) + if err != nil { + t.Fatal(err) + } + ingConf := buf.String() + + wantDirectives := []string{ + "http2 on;", + } + + unwantDirectives := []string{ + "listen 443 ssl http2", + "listen [::]:443 ssl http2", + } + + for _, want := range wantDirectives { + if !strings.Contains(ingConf, want) { + t.Errorf("want %q in generated config", want) + } + } + + for _, want := range unwantDirectives { + if strings.Contains(ingConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForIngressForNGINXPlusWithHTTP2Off(t *testing.T) { + t.Parallel() + + tmpl := newNGINXPlusIngressTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, ingressCfg) + t.Log(buf.String()) + if err != nil { + t.Fatal(err) + } + ingConf := buf.String() + + wantDirectives := []string{ + "listen 443 ssl", + "listen [::]:443 ssl", + } + + unwantDirectives := []string{ + "http2 on;", + } + + for _, want := range wantDirectives { + if !strings.Contains(ingConf, want) { + t.Errorf("want %q in generated config", want) + } + } + + for _, want := range unwantDirectives { + if strings.Contains(ingConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForIngressForNGINXWithHTTP2Off(t *testing.T) { + t.Parallel() + + tmpl := newNGINXIngressTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, ingressCfg) + t.Log(buf.String()) + if err != nil { + t.Fatal(err) + } + ingConf := buf.String() + + wantDirectives := []string{ + "listen 443 ssl", + "listen [::]:443 ssl", + } + + unwantDirectives := []string{ + "http2 on;", + } + + for _, want := range wantDirectives { + if !strings.Contains(ingConf, want) { + t.Errorf("want %q in generated config", want) + } + } + + for _, want := range unwantDirectives { + if strings.Contains(ingConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + func newNGINXPlusIngressTmpl(t *testing.T) *template.Template { t.Helper() tmpl, err := template.New("nginx-plus.ingress.tmpl").Funcs(helperFunctions).ParseFiles("nginx-plus.ingress.tmpl") @@ -1001,6 +1285,32 @@ var ( VariablesHashMaxSize: 1024, } + mainCfgHTTP2On = MainConfig{ + DefaultHTTPListenerPort: 80, + DefaultHTTPSListenerPort: 443, + HTTP2: true, + ServerNamesHashMaxSize: "512", + ServerTokens: "off", + WorkerProcesses: "auto", + WorkerCPUAffinity: "auto", + WorkerShutdownTimeout: "1m", + WorkerConnections: "1024", + WorkerRlimitNofile: "65536", + LogFormat: []string{"$remote_addr", "$remote_user"}, + LogFormatEscaping: "default", + StreamSnippets: []string{"# comment"}, + StreamLogFormat: []string{"$remote_addr", "$remote_user"}, + StreamLogFormatEscaping: "none", + ResolverAddresses: []string{"example.com", "127.0.0.1"}, + ResolverIPV6: false, + ResolverValid: "10s", + ResolverTimeout: "15s", + KeepaliveTimeout: "65s", + KeepaliveRequests: 100, + VariablesHashBucketSize: 256, + VariablesHashMaxSize: 1024, + } + mainCfgCustomTLSPassthroughPort = MainConfig{ ServerNamesHashMaxSize: "512", ServerTokens: "off", @@ -1708,6 +2018,50 @@ var ( }, }, } + + // Ingress Config example without added annotations + ingressCfgHTTP2On = IngressNginxConfig{ + Servers: []Server{ + { + Name: "test.example.com", + ServerTokens: "off", + StatusZone: "test.example.com", + SSL: true, + HTTP2: true, + SSLCertificate: "secret.pem", + SSLCertificateKey: "secret.pem", + SSLPorts: []int{443}, + SSLRedirect: true, + Locations: []Location{ + { + Path: "/tea", + Upstream: testUpstream, + ProxyConnectTimeout: "10s", + ProxyReadTimeout: "10s", + ProxySendTimeout: "10s", + ClientMaxBodySize: "2m", + MinionIngress: &Ingress{ + Name: "tea-minion", + Namespace: "default", + }, + }, + }, + HealthChecks: map[string]HealthCheck{"test": healthCheck}, + JWTRedirectLocations: []JWTRedirectLocation{ + { + Name: "@login_url-default-cafe-ingress", + LoginURL: "https://test.example.com/login", + }, + }, + }, + }, + Upstreams: []Upstream{testUpstream}, + Keepalive: "16", + Ingress: Ingress{ + Name: "cafe-ingress", + Namespace: "default", + }, + } ) var testUpstream = Upstream{ diff --git a/internal/configs/version2/nginx-plus.virtualserver.tmpl b/internal/configs/version2/nginx-plus.virtualserver.tmpl index 9e836814d8..c1e62f019c 100644 --- a/internal/configs/version2/nginx-plus.virtualserver.tmpl +++ b/internal/configs/version2/nginx-plus.virtualserver.tmpl @@ -101,21 +101,25 @@ server { {{ with $ssl := $s.SSL }} {{ if $s.TLSPassthrough }} - listen unix:/var/lib/nginx/passthrough-https.sock{{ if $ssl.HTTP2 }} http2{{ end }} proxy_protocol; + listen unix:/var/lib/nginx/passthrough-https.sock proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; {{ else }} {{ if not $s.CustomListeners }} - listen 443 ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; - {{ if not $s.DisableIPV6 }}listen [::]:443 ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} + listen 443 ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; + {{ if not $s.DisableIPV6 }}listen [::]:443 ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} {{ else }} {{ if (gt $s.HTTPSPort 0) }} - listen {{ $s.HTTPSPort }} ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; - {{ if not $s.DisableIPV6 }}listen [::]:{{ $s.HTTPSPort }} ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} + listen {{ $s.HTTPSPort }} ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; + {{ if not $s.DisableIPV6 }}listen [::]:{{ $s.HTTPSPort }} ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} {{ end }} {{ end }} {{ end }} + {{ if $ssl.HTTP2 }} + http2 on; + {{ end }} + {{ if $ssl.RejectHandshake }} ssl_reject_handshake on; {{ else if $.SpiffeCerts }} diff --git a/internal/configs/version2/nginx.virtualserver.tmpl b/internal/configs/version2/nginx.virtualserver.tmpl index 66e550b464..fee0066a24 100644 --- a/internal/configs/version2/nginx.virtualserver.tmpl +++ b/internal/configs/version2/nginx.virtualserver.tmpl @@ -61,21 +61,26 @@ server { {{ with $ssl := $s.SSL }} {{ if $s.TLSPassthrough }} - listen unix:/var/lib/nginx/passthrough-https.sock{{ if $ssl.HTTP2 }} http2{{ end }} proxy_protocol; + listen unix:/var/lib/nginx/passthrough-https.sock proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; {{ else }} {{ if not $s.CustomListeners }} - listen 443 ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; - {{ if not $s.DisableIPV6 }}listen [::]:443 ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} + listen 443 ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; + {{ if not $s.DisableIPV6 }}listen [::]:443 ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} {{ else }} {{ if (gt $s.HTTPSPort 0) }} - listen {{ $s.HTTPSPort }} ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; - {{ if not $s.DisableIPV6 }}listen [::]:{{ $s.HTTPSPort }} ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} + listen {{ $s.HTTPSPort }} ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; + {{ if not $s.DisableIPV6 }}listen [::]:{{ $s.HTTPSPort }} ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} {{ end }} {{ end }} {{ end }} + {{ if $ssl.HTTP2 }} + http2 on; + {{ end }} + + {{ if $ssl.RejectHandshake }} ssl_reject_handshake on; {{ else if $.SpiffeCerts }} diff --git a/internal/configs/version2/templates_test.go b/internal/configs/version2/templates_test.go index 98b4d9a780..112aac6dd8 100644 --- a/internal/configs/version2/templates_test.go +++ b/internal/configs/version2/templates_test.go @@ -166,6 +166,126 @@ func TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPSOnly t.Log(string(got)) } +func TestExecuteVirtualServerTemplate_RendersPlusTemplateWithHTTP2On(t *testing.T) { + t.Parallel() + executor := newTmplExecutorNGINXPlus(t) + got, err := executor.ExecuteVirtualServerTemplate(&virtualServerCfg) + if err != nil { + t.Error(err) + } + wantStrings := []string{ + "http2 on;", + } + for _, want := range wantStrings { + if !bytes.Contains(got, []byte(want)) { + t.Errorf("want `%s` in generated template", want) + } + } + + unwantStrings := []string{ + "listen 443 ssl http2", + "listen [::]:443 ssl http2", + } + + for _, want := range unwantStrings { + if bytes.Contains(got, []byte(want)) { + t.Errorf("unwant `%s` in generated template", want) + } + } + + t.Log(string(got)) +} + +func TestExecuteVirtualServerTemplate_RendersPlusTemplateWithHTTP2Off(t *testing.T) { + t.Parallel() + executor := newTmplExecutorNGINXPlus(t) + got, err := executor.ExecuteVirtualServerTemplate(&virtualServerCfgWithHTTP2Off) + if err != nil { + t.Error(err) + } + wantStrings := []string{ + "listen 443 ssl", + "listen [::]:443 ssl", + } + for _, want := range wantStrings { + if !bytes.Contains(got, []byte(want)) { + t.Errorf("want `%s` in generated template", want) + } + } + + unwantStrings := []string{ + "http2 on;", + } + + for _, want := range unwantStrings { + if bytes.Contains(got, []byte(want)) { + t.Errorf("unwant `%s` in generated template", want) + } + } + + t.Log(string(got)) +} + +func TestExecuteVirtualServerTemplate_RendersOSSTemplateWithHTTP2On(t *testing.T) { + t.Parallel() + executor := newTmplExecutorNGINX(t) + got, err := executor.ExecuteVirtualServerTemplate(&virtualServerCfg) + if err != nil { + t.Error(err) + } + wantStrings := []string{ + "http2 on;", + } + for _, want := range wantStrings { + if !bytes.Contains(got, []byte(want)) { + t.Errorf("want `%s` in generated template", want) + } + } + + unwantStrings := []string{ + "listen 443 ssl http2", + "listen [::]:443 ssl http2", + } + + for _, want := range unwantStrings { + if bytes.Contains(got, []byte(want)) { + t.Errorf("unwant `%s` in generated template", want) + } + } + + t.Log(string(got)) +} + +func TestExecuteVirtualServerTemplate_RendersOSSTemplateWithHTTP2Off(t *testing.T) { + t.Parallel() + executor := newTmplExecutorNGINX(t) + got, err := executor.ExecuteVirtualServerTemplate(&virtualServerCfgWithHTTP2Off) + if err != nil { + t.Error(err) + } + wantStrings := []string{ + "listen 443 ssl", + "listen [::]:443 ssl", + } + for _, want := range wantStrings { + if !bytes.Contains(got, []byte(want)) { + t.Errorf("want `%s` in generated template", want) + } + } + + unwantStrings := []string{ + "http2 on;", + } + + for _, want := range unwantStrings { + if bytes.Contains(got, []byte(want)) { + t.Errorf("unwant `%s` in generated template", want) + } + } + + t.Log(string(got)) +} + func TestVirtualServerForNginxPlusWithWAFApBundle(t *testing.T) { t.Parallel() executor := newTmplExecutorNGINXPlus(t) @@ -614,6 +734,351 @@ var ( }, } + virtualServerCfgWithHTTP2Off = VirtualServerConfig{ + LimitReqZones: []LimitReqZone{ + { + ZoneName: "pol_rl_test_test_test", Rate: "10r/s", ZoneSize: "10m", Key: "$url", + }, + }, + Upstreams: []Upstream{ + { + Name: "test-upstream", + Servers: []UpstreamServer{ + { + Address: "10.0.0.20:8001", + }, + }, + LBMethod: "random", + Keepalive: 32, + MaxFails: 4, + FailTimeout: "10s", + MaxConns: 31, + SlowStart: "10s", + UpstreamZoneSize: "256k", + Queue: &Queue{Size: 10, Timeout: "60s"}, + SessionCookie: &SessionCookie{Enable: true, Name: "test", Path: "/tea", Expires: "25s"}, + NTLM: true, + }, + { + Name: "coffee-v1", + Servers: []UpstreamServer{ + { + Address: "10.0.0.31:8001", + }, + }, + MaxFails: 8, + FailTimeout: "15s", + MaxConns: 2, + UpstreamZoneSize: "256k", + }, + { + Name: "coffee-v2", + Servers: []UpstreamServer{ + { + Address: "10.0.0.32:8001", + }, + }, + MaxFails: 12, + FailTimeout: "20s", + MaxConns: 4, + UpstreamZoneSize: "256k", + }, + }, + SplitClients: []SplitClient{ + { + Source: "$request_id", + Variable: "$split_0", + Distributions: []Distribution{ + { + Weight: "50%", + Value: "@loc0", + }, + { + Weight: "50%", + Value: "@loc1", + }, + }, + }, + }, + Maps: []Map{ + { + Source: "$match_0_0", + Variable: "$match", + Parameters: []Parameter{ + { + Value: "~^1", + Result: "@match_loc_0", + }, + { + Value: "default", + Result: "@match_loc_default", + }, + }, + }, + { + Source: "$http_x_version", + Variable: "$match_0_0", + Parameters: []Parameter{ + { + Value: "v2", + Result: "1", + }, + { + Value: "default", + Result: "0", + }, + }, + }, + }, + HTTPSnippets: []string{"# HTTP snippet"}, + Server: Server{ + ServerName: "example.com", + StatusZone: "example.com", + ProxyProtocol: true, + SSL: &SSL{ + HTTP2: false, + Certificate: "cafe-secret.pem", + CertificateKey: "cafe-secret.pem", + }, + TLSRedirect: &TLSRedirect{ + BasedOn: "$scheme", + Code: 301, + }, + ServerTokens: "off", + SetRealIPFrom: []string{"0.0.0.0/0"}, + RealIPHeader: "X-Real-IP", + RealIPRecursive: true, + Allow: []string{"127.0.0.1"}, + Deny: []string{"127.0.0.1"}, + LimitReqs: []LimitReq{ + { + ZoneName: "pol_rl_test_test_test", + Delay: 10, + Burst: 5, + }, + }, + LimitReqOptions: LimitReqOptions{ + LogLevel: "error", + RejectCode: 503, + }, + JWTAuth: &JWTAuth{ + Realm: "My Api", + Secret: "jwk-secret", + }, + IngressMTLS: &IngressMTLS{ + ClientCert: "ingress-mtls-secret", + VerifyClient: "on", + VerifyDepth: 2, + }, + WAF: &WAF{ + ApPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", + ApSecurityLogEnable: true, + ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"}, + }, + Snippets: []string{"# server snippet"}, + InternalRedirectLocations: []InternalRedirectLocation{ + { + Path: "/split", + Destination: "@split_0", + }, + { + Path: "/coffee", + Destination: "@match", + }, + }, + HealthChecks: []HealthCheck{ + { + Name: "coffee", + URI: "/", + Interval: "5s", + Jitter: "0s", + Fails: 1, + Passes: 1, + Port: 50, + ProxyPass: "http://coffee-v2", + Mandatory: true, + Persistent: true, + }, + { + Name: "tea", + Interval: "5s", + Jitter: "0s", + Fails: 1, + Passes: 1, + Port: 50, + ProxyPass: "http://tea-v2", + GRPCPass: "grpc://tea-v3", + GRPCStatus: createPointerFromInt(12), + GRPCService: "tea-servicev2", + }, + }, + Locations: []Location{ + { + Path: "/", + Snippets: []string{"# location snippet"}, + Allow: []string{"127.0.0.1"}, + Deny: []string{"127.0.0.1"}, + LimitReqs: []LimitReq{ + { + ZoneName: "loc_pol_rl_test_test_test", + }, + }, + ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyBuffering: true, + ProxyBuffers: "8 4k", + ProxyBufferSize: "4k", + ProxyMaxTempFileSize: "1024m", + ProxyPass: "http://test-upstream", + ProxyNextUpstream: "error timeout", + ProxyNextUpstreamTimeout: "5s", + Internal: true, + ProxyPassRequestHeaders: false, + ProxyPassHeaders: []string{"Host"}, + ProxyPassRewrite: "$request_uri", + ProxyHideHeaders: []string{"Header"}, + ProxyIgnoreHeaders: "Cache", + Rewrites: []string{"$request_uri $request_uri", "$request_uri $request_uri"}, + AddHeaders: []AddHeader{ + { + Header: Header{ + Name: "Header-Name", + Value: "Header Value", + }, + Always: true, + }, + }, + EgressMTLS: &EgressMTLS{ + Certificate: "egress-mtls-secret.pem", + CertificateKey: "egress-mtls-secret.pem", + VerifyServer: true, + VerifyDepth: 1, + Ciphers: "DEFAULT", + Protocols: "TLSv1.3", + TrustedCert: "trusted-cert.pem", + SessionReuse: true, + ServerName: true, + }, + }, + { + Path: "@loc0", + ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyPass: "http://coffee-v1", + ProxyNextUpstream: "error timeout", + ProxyNextUpstreamTimeout: "5s", + ProxyInterceptErrors: true, + ErrorPages: []ErrorPage{ + { + Name: "@error_page_1", + Codes: "400 500", + ResponseCode: 200, + }, + { + Name: "@error_page_2", + Codes: "500", + ResponseCode: 0, + }, + }, + }, + { + Path: "@loc1", + ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyPass: "http://coffee-v2", + ProxyNextUpstream: "error timeout", + ProxyNextUpstreamTimeout: "5s", + }, + { + Path: "@loc2", + ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyPass: "http://coffee-v2", + GRPCPass: "grpc://coffee-v3", + }, + { + Path: "@match_loc_0", + ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyPass: "http://coffee-v2", + ProxyNextUpstream: "error timeout", + ProxyNextUpstreamTimeout: "5s", + }, + { + Path: "@match_loc_default", + ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyPass: "http://coffee-v1", + ProxyNextUpstream: "error timeout", + ProxyNextUpstreamTimeout: "5s", + }, + { + Path: "/return", + ProxyInterceptErrors: true, + ErrorPages: []ErrorPage{ + { + Name: "@return_0", + Codes: "418", + ResponseCode: 200, + }, + }, + InternalProxyPass: "http://unix:/var/lib/nginx/nginx-418-server.sock", + }, + }, + ErrorPageLocations: []ErrorPageLocation{ + { + Name: "@vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0", + DefaultType: "application/json", + Return: &Return{ + Code: 200, + Text: "Hello World", + }, + Headers: nil, + }, + { + Name: "@vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1", + DefaultType: "", + Return: &Return{ + Code: 200, + Text: "Hello World", + }, + Headers: []Header{ + { + Name: "Set-Cookie", + Value: "cookie1=test", + }, + { + Name: "Set-Cookie", + Value: "cookie2=test; Secure", + }, + }, + }, + }, + ReturnLocations: []ReturnLocation{ + { + Name: "@return_0", + DefaultType: "text/html", + Return: Return{ + Code: 200, + Text: "Hello!", + }, + }, + }, + }, + } + virtualServerCfgWithGunzipOn = VirtualServerConfig{ LimitReqZones: []LimitReqZone{ { From 4538c8b7b76a8266e422026c84d6e4fc09ec6328 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 17 Oct 2023 10:58:50 +0100 Subject: [PATCH 2/5] Revert deployment files --- deployments/common/nginx-config.yaml | 3 +-- deployments/deployment/nginx-ingress.yaml | 4 ++-- deployments/deployment/nginx-plus-ingress.yaml | 5 ++--- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/deployments/common/nginx-config.yaml b/deployments/common/nginx-config.yaml index 424a63e01f..bc905439b6 100644 --- a/deployments/common/nginx-config.yaml +++ b/deployments/common/nginx-config.yaml @@ -3,5 +3,4 @@ apiVersion: v1 metadata: name: nginx-config namespace: nginx-ingress -data: - http2: "true" +data: \ No newline at end of file diff --git a/deployments/deployment/nginx-ingress.yaml b/deployments/deployment/nginx-ingress.yaml index 08adddedfe..40c555d430 100644 --- a/deployments/deployment/nginx-ingress.yaml +++ b/deployments/deployment/nginx-ingress.yaml @@ -33,7 +33,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx/nginx-ingress:http2 + - image: nginx/nginx-ingress:3.3.0 imagePullPolicy: IfNotPresent name: nginx-ingress ports: @@ -96,7 +96,7 @@ spec: #- -report-ingress-status #- -external-service=nginx-ingress #- -enable-prometheus-metrics - - -global-configuration=$(POD_NAMESPACE)/nginx-configuration + #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: # - image: nginx/nginx-ingress:3.3.0 # imagePullPolicy: IfNotPresent diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml index 76875c578a..3ed54a4f87 100644 --- a/deployments/deployment/nginx-plus-ingress.yaml +++ b/deployments/deployment/nginx-plus-ingress.yaml @@ -33,7 +33,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx-plus-ingress:http2 + - image: nginx-plus-ingress:3.3.0 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ports: @@ -90,7 +90,6 @@ spec: args: - -nginx-plus - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config - - -enable-tls-passthrough #- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret #- -include-year #- -enable-cert-manager @@ -102,7 +101,7 @@ spec: #- -external-service=nginx-ingress #- -enable-prometheus-metrics #- -enable-service-insight - - -global-configuration=$(POD_NAMESPACE)/nginx-configuration + #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: # - image: nginx/nginx-ingress:3.3.0 # imagePullPolicy: IfNotPresent From 5909ec7be70a05f64e3457270b8b3c018fd21714 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 17 Oct 2023 10:59:51 +0100 Subject: [PATCH 3/5] Revert configmap --- deployments/common/nginx-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/common/nginx-config.yaml b/deployments/common/nginx-config.yaml index bc905439b6..a6a6c812b5 100644 --- a/deployments/common/nginx-config.yaml +++ b/deployments/common/nginx-config.yaml @@ -3,4 +3,4 @@ apiVersion: v1 metadata: name: nginx-config namespace: nginx-ingress -data: \ No newline at end of file +data: From 06ed0509d0c3fe536438f3bac2944ae47991cc12 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 17 Oct 2023 11:00:37 +0100 Subject: [PATCH 4/5] Revert cli arg --- deployments/deployment/nginx-ingress.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/deployments/deployment/nginx-ingress.yaml b/deployments/deployment/nginx-ingress.yaml index 41ad346972..eeba97c459 100644 --- a/deployments/deployment/nginx-ingress.yaml +++ b/deployments/deployment/nginx-ingress.yaml @@ -87,7 +87,6 @@ spec: fieldPath: metadata.name args: - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config - - -enable-tls-passthrough #- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret #- -include-year #- -enable-cert-manager From 17355aafd1f35181575b0db0b9c36fa9ba7a745a Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 17 Oct 2023 13:46:20 +0100 Subject: [PATCH 5/5] Update tests --- internal/configs/version1/template_test.go | 40 +++++++++++-------- internal/configs/version2/templates_test.go | 20 ++++++---- .../test_virtual_server_configmap_keys.py | 5 ++- 3 files changed, 39 insertions(+), 26 deletions(-) diff --git a/internal/configs/version1/template_test.go b/internal/configs/version1/template_test.go index 79f3aed446..2285b60ece 100644 --- a/internal/configs/version1/template_test.go +++ b/internal/configs/version1/template_test.go @@ -679,12 +679,14 @@ func TestExecuteTemplate_ForMainForNGINXWithHTTP2On(t *testing.T) { } wantDirectives := []string{ + "listen 443 ssl default_server;", + "listen [::]:443 ssl default_server;", "http2 on;", } unwantDirectives := []string{ - "listen 443 ssl http2", - "listen [::]:443 ssl http2", + "listen 443 ssl default_server http2;", + "listen [::]:443 ssl default_server http2;", } mainConf := buf.String() @@ -715,12 +717,14 @@ func TestExecuteTemplate_ForMainForNGINXPlusWithHTTP2On(t *testing.T) { } wantDirectives := []string{ + "listen 443 ssl default_server;", + "listen [::]:443 ssl default_server;", "http2 on;", } unwantDirectives := []string{ - "listen 443 ssl http2", - "listen [::]:443 ssl http2", + "listen 443 ssl default_server http2;", + "listen [::]:443 ssl default_server http2;", } mainConf := buf.String() @@ -751,8 +755,8 @@ func TestExecuteTemplate_ForMainForNGINXWithHTTP2Off(t *testing.T) { } wantDirectives := []string{ - "listen 443 ssl", - "listen [::]:443 ssl", + "listen 443 ssl default_server;", + "listen [::]:443 ssl default_server;", } unwantDirectives := []string{ @@ -787,8 +791,8 @@ func TestExecuteTemplate_ForMainForNGINXPlusWithHTTP2Off(t *testing.T) { } wantDirectives := []string{ - "listen 443 ssl", - "listen [::]:443 ssl", + "listen 443 ssl default_server;", + "listen [::]:443 ssl default_server;", } unwantDirectives := []string{ @@ -823,12 +827,14 @@ func TestExecuteTemplate_ForIngressForNGINXPlusWithHTTP2On(t *testing.T) { ingConf := buf.String() wantDirectives := []string{ + "listen 443 ssl;", + "listen [::]:443 ssl;", "http2 on;", } unwantDirectives := []string{ - "listen 443 ssl http2", - "listen [::]:443 ssl http2", + "listen 443 ssl http2;", + "listen [::]:443 ssl http2;", } for _, want := range wantDirectives { @@ -858,12 +864,14 @@ func TestExecuteTemplate_ForIngressForNGINXWithHTTP2On(t *testing.T) { ingConf := buf.String() wantDirectives := []string{ + "listen 443 ssl;", + "listen [::]:443 ssl;", "http2 on;", } unwantDirectives := []string{ - "listen 443 ssl http2", - "listen [::]:443 ssl http2", + "listen 443 ssl http2;", + "listen [::]:443 ssl http2;", } for _, want := range wantDirectives { @@ -893,8 +901,8 @@ func TestExecuteTemplate_ForIngressForNGINXPlusWithHTTP2Off(t *testing.T) { ingConf := buf.String() wantDirectives := []string{ - "listen 443 ssl", - "listen [::]:443 ssl", + "listen 443 ssl;", + "listen [::]:443 ssl;", } unwantDirectives := []string{ @@ -928,8 +936,8 @@ func TestExecuteTemplate_ForIngressForNGINXWithHTTP2Off(t *testing.T) { ingConf := buf.String() wantDirectives := []string{ - "listen 443 ssl", - "listen [::]:443 ssl", + "listen 443 ssl;", + "listen [::]:443 ssl;", } unwantDirectives := []string{ diff --git a/internal/configs/version2/templates_test.go b/internal/configs/version2/templates_test.go index 112aac6dd8..9e9968c6c0 100644 --- a/internal/configs/version2/templates_test.go +++ b/internal/configs/version2/templates_test.go @@ -174,6 +174,8 @@ func TestExecuteVirtualServerTemplate_RendersPlusTemplateWithHTTP2On(t *testing. t.Error(err) } wantStrings := []string{ + "listen 443 ssl proxy_protocol;", + "listen [::]:443 ssl proxy_protocol;", "http2 on;", } for _, want := range wantStrings { @@ -183,8 +185,8 @@ func TestExecuteVirtualServerTemplate_RendersPlusTemplateWithHTTP2On(t *testing. } unwantStrings := []string{ - "listen 443 ssl http2", - "listen [::]:443 ssl http2", + "listen 443 ssl http2 proxy_protocol;", + "listen [::]:443 ssl http2 proxy_protocol;", } for _, want := range unwantStrings { @@ -204,8 +206,8 @@ func TestExecuteVirtualServerTemplate_RendersPlusTemplateWithHTTP2Off(t *testing t.Error(err) } wantStrings := []string{ - "listen 443 ssl", - "listen [::]:443 ssl", + "listen 443 ssl proxy_protocol;", + "listen [::]:443 ssl proxy_protocol;", } for _, want := range wantStrings { if !bytes.Contains(got, []byte(want)) { @@ -234,6 +236,8 @@ func TestExecuteVirtualServerTemplate_RendersOSSTemplateWithHTTP2On(t *testing.T t.Error(err) } wantStrings := []string{ + "listen 443 ssl proxy_protocol;", + "listen [::]:443 ssl proxy_protocol;", "http2 on;", } for _, want := range wantStrings { @@ -243,8 +247,8 @@ func TestExecuteVirtualServerTemplate_RendersOSSTemplateWithHTTP2On(t *testing.T } unwantStrings := []string{ - "listen 443 ssl http2", - "listen [::]:443 ssl http2", + "listen 443 ssl http2 proxy_protocol;", + "listen [::]:443 ssl http2 proxy_protocol;", } for _, want := range unwantStrings { @@ -264,8 +268,8 @@ func TestExecuteVirtualServerTemplate_RendersOSSTemplateWithHTTP2Off(t *testing. t.Error(err) } wantStrings := []string{ - "listen 443 ssl", - "listen [::]:443 ssl", + "listen 443 ssl proxy_protocol;", + "listen [::]:443 ssl proxy_protocol;", } for _, want := range wantStrings { if !bytes.Contains(got, []byte(want)) { diff --git a/tests/suite/test_virtual_server_configmap_keys.py b/tests/suite/test_virtual_server_configmap_keys.py index c49b2972d3..1fe9ceb276 100644 --- a/tests/suite/test_virtual_server_configmap_keys.py +++ b/tests/suite/test_virtual_server_configmap_keys.py @@ -114,13 +114,14 @@ def assert_defaults_of_keys_with_validation_in_main_config(config, unexpected_va def assert_ssl_keys(config): # based on f"{TEST_DATA}/virtual-server-configmap-keys/configmap-ssl-keys.yaml" assert "if ($schema = 'http') {" not in config - assert "listen 443 ssl http2 proxy_protocol;" in config + assert "listen 443 ssl proxy_protocol;" in config + assert "http2 on;" in config def assert_defaults_of_ssl_keys(config): assert "if ($schema = 'http') {" not in config assert "listen 443 ssl;" in config - assert "http2" not in config + assert "http2 on;" not in config @pytest.fixture(scope="function")