Files
gost/tests/e2e/http_test.go
T
ginuerzh 69b561f944 feat: add comprehensive HTTP e2e tests covering connector, TLS, probeResist, idleTimeout, and UDP relay
Adds 12 new HTTP handler test scenarios: HTTP connector (no-auth, auth, TLS
upstream), CONNECT tunnel (no-sniffing, bypass-403), probeResist (host, web,
file, knock), idleTimeout, and UDP relay over HTTP. Introduces
RunGostContainerWithFiles helper for mounting extra files into test containers.
2026-06-26 22:00:35 +08:00

606 lines
22 KiB
Go

package e2e
import (
"context"
"encoding/base64"
"fmt"
"io"
"os"
"strings"
"testing"
"github.com/stretchr/testify/suite"
"github.com/testcontainers/testcontainers-go"
)
type HTTPSuite struct {
suite.Suite
ctx context.Context
echoC testcontainers.Container
echoIP string
}
func (s *HTTPSuite) SetupSuite() {
s.ctx = context.Background()
s.T().Logf("start tcp echo container...")
echoC, err := RunEchoContainer(s.ctx, SharedNetworkName)
s.Require().NoError(err)
s.echoC = echoC
echoIP, err := echoC.ContainerIP(s.ctx)
s.Require().NoError(err)
s.echoIP = echoIP
}
// sendRaw sends a raw HTTP request via netcat and returns the response.
// Uses base64 to avoid shell quoting issues with CRLF bytes.
func (s *HTTPSuite) sendRaw(gostC testcontainers.Container, host, port, data string) string {
encoded := base64.StdEncoding.EncodeToString([]byte(data))
cmd := []string{"sh", "-c",
fmt.Sprintf("echo %s | base64 -d | nc -w 5 %s %s", encoded, host, port)}
_, out, _ := gostC.Exec(s.ctx, cmd)
b, _ := io.ReadAll(out)
return string(b)
}
func (s *HTTPSuite) TearDownSuite() {
if s.echoC != nil {
s.echoC.Terminate(s.ctx)
}
}
// TestHTTPProxy verifies basic HTTP forward proxy (no auth, no metadata).
// Covers: handler type http, listener type tcp, basic GET via proxy.
func (s *HTTPSuite) TestHTTPProxy() {
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
"testdata/http/server.yaml", "8080/tcp")
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
// curl -x uses HTTP forward proxy (GET with absolute URL)
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
fmt.Sprintf("http://%s:5678", s.echoIP)}
code, out, err := gostC.Exec(s.ctx, cmd)
s.Require().NoError(err)
body, err := io.ReadAll(out)
s.Require().NoError(err)
if code != 0 || !strings.Contains(string(body), "hello-gost") {
DumpLogs(s.T(), s.ctx, "http-proxy logs", gostC)
}
s.Require().Equal(0, code)
s.Require().Contains(string(body), "hello-gost")
}
// TestHTTPProxyAuth verifies proxy authentication and the authBasicRealm
// metadata parameter.
//
// Covers:
// - auther: basic auth on HTTP proxy
// - authBasicRealm: custom realm string in 407 Proxy-Authenticate header
func (s *HTTPSuite) TestHTTPProxyAuth() {
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
"testdata/http/server_auth.yaml", "8080/tcp")
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
s.T().Run("no-auth-407", func(t *testing.T) {
cmd := []string{"curl", "-v", "-s", "-D", "-", "-o", "/dev/null",
"-x", "http://127.0.0.1:8080",
fmt.Sprintf("http://%s:5678", s.echoIP)}
_, out, _ := gostC.Exec(s.ctx, cmd)
body, _ := io.ReadAll(out)
output := string(body)
s.Assert().Contains(output, "407",
"no auth should return 407")
s.Assert().Contains(output, "gost-e2e-realm",
"authBasicRealm should appear in 407 Proxy-Authenticate")
})
s.T().Run("wrong-auth-407", func(t *testing.T) {
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
"-x", "http://wrong:pass@127.0.0.1:8080",
fmt.Sprintf("http://%s:5678", s.echoIP)}
_, out, _ := gostC.Exec(s.ctx, cmd)
body, _ := io.ReadAll(out)
s.Assert().Contains(string(body), "407",
"wrong password should return 407")
})
s.T().Run("with-auth-success", func(t *testing.T) {
cmd := []string{"curl", "-v", "-s", "-x", "http://user:pass@127.0.0.1:8080",
fmt.Sprintf("http://%s:5678", s.echoIP)}
code, out, err := gostC.Exec(s.ctx, cmd)
s.Require().NoError(err)
body, err := io.ReadAll(out)
s.Require().NoError(err)
if code != 0 || !strings.Contains(string(body), "hello-gost") {
DumpLogs(s.T(), s.ctx, "http-proxy-auth logs", gostC)
}
s.Require().Equal(0, code)
s.Require().Contains(string(body), "hello-gost")
})
}
// TestHTTPProxyMetadata verifies:
// - probeResist: code:404 — unauthorised clients see 404 instead of 407
// - keepalive: config parsing (applied at Init time)
// - compression: config parsing (applied at Init time)
func (s *HTTPSuite) TestHTTPProxyMetadata() {
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
"testdata/http/server_metadata.yaml", "8080/tcp")
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
s.T().Run("probe-resist-404", func(t *testing.T) {
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
"-x", "http://127.0.0.1:8080",
fmt.Sprintf("http://%s:5678", s.echoIP)}
_, out, _ := gostC.Exec(s.ctx, cmd)
body, _ := io.ReadAll(out)
output := string(body)
s.Assert().NotContains(output, "407",
"probeResist should hide 407 status")
s.Assert().Contains(output, "404",
"probeResist should return configured decoy code")
})
s.T().Run("with-auth-success", func(t *testing.T) {
cmd := []string{"curl", "-v", "-s", "-x", "http://user:pass@127.0.0.1:8080",
fmt.Sprintf("http://%s:5678", s.echoIP)}
code, out, err := gostC.Exec(s.ctx, cmd)
s.Require().NoError(err)
body, err := io.ReadAll(out)
s.Require().NoError(err)
if code != 0 || !strings.Contains(string(body), "hello-gost") {
DumpLogs(s.T(), s.ctx, "http-metadata logs", gostC)
}
s.Require().Equal(0, code)
s.Require().Contains(string(body), "hello-gost")
})
}
// TestHTTPProxyHeaders verifies:
// - header: custom response headers (X-Proxy-Info, X-Custom) on
// proxy-originated error responses. The header metadata is set on
// the skeleton response used for error paths after authentication.
// - proxyAgent: custom Proxy-Agent header in proxy responses.
//
// Uses a bypass matcher (0.0.0.0/0) that blocks all traffic after auth
// succeeds → requests hit 403 Forbidden path which carries custom headers.
func (s *HTTPSuite) TestHTTPProxyHeaders() {
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
"testdata/http/server_headers.yaml", "8080/tcp")
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
// Auth succeeds, but target is bypassed → 403 Forbidden
// The 403 response is built from the skeleton resp which
// carries h.md.header (custom headers) and h.md.proxyAgent.
s.T().Log("bypass: expect 403 with custom headers")
cmd := []string{"curl", "-v", "-s", "-D", "-", "-o", "/dev/null",
"-x", "http://user:pass@127.0.0.1:8080",
fmt.Sprintf("http://%s:5678", s.echoIP)}
_, out, _ := gostC.Exec(s.ctx, cmd)
headers, _ := io.ReadAll(out)
output := string(headers)
// Bypass → 403 Forbidden
s.Assert().Contains(output, "403",
"bypass should return 403")
// header: custom X-Proxy-Info header on error response
s.Assert().Contains(output, "X-Proxy-Info: gost-e2e",
"custom header should appear in 403 response")
// header: custom X-Custom header on error response
s.Assert().Contains(output, "X-Custom: test-value",
"custom header should appear in 403 response")
// proxyAgent: custom Proxy-Agent header on error response
s.Assert().Contains(output, "Proxy-Agent: gost-e2e/1.0",
"proxyAgent should appear in 403 response")
}
// TestHTTPConnect verifies HTTP CONNECT tunnel:
// - sniffing-enabled: sniffing:true + sniffing.timeout:2s
// - no-sniffing: plain CONNECT (default, no metadata)
// - bypass-403: CONNECT blocked by (0.0.0.0/0) bypass
//
// Uses curl --proxytunnel (-p) to force CONNECT method instead of GET.
func (s *HTTPSuite) TestHTTPConnect() {
s.T().Run("sniffing-enabled", func(t *testing.T) {
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
"testdata/http/server_connect.yaml", "8080/tcp")
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
cmd := []string{"curl", "-v", "-s", "-p", "-x", "http://127.0.0.1:8080",
fmt.Sprintf("http://%s:5678", s.echoIP)}
code, out, err := gostC.Exec(s.ctx, cmd)
s.Require().NoError(err)
body, err := io.ReadAll(out)
s.Require().NoError(err)
if code != 0 || !strings.Contains(string(body), "hello-gost") {
DumpLogs(s.T(), s.ctx, "http-connect sniffing logs", gostC)
}
s.Require().Equal(0, code)
s.Require().Contains(string(body), "hello-gost")
})
s.T().Run("no-sniffing", func(t *testing.T) {
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
"testdata/http/server.yaml", "8080/tcp")
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
cmd := []string{"curl", "-v", "-s", "-p", "-x", "http://127.0.0.1:8080",
fmt.Sprintf("http://%s:5678", s.echoIP)}
code, out, err := gostC.Exec(s.ctx, cmd)
s.Require().NoError(err)
body, err := io.ReadAll(out)
s.Require().NoError(err)
if code != 0 || !strings.Contains(string(body), "hello-gost") {
DumpLogs(s.T(), s.ctx, "http-connect no-sniffing logs", gostC)
}
s.Require().Equal(0, code)
s.Require().Contains(string(body), "hello-gost")
})
s.T().Run("bypass-403", func(t *testing.T) {
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
"testdata/http/server_connect_bypass.yaml", "8080/tcp")
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
cmd := []string{"curl", "-v", "-s", "-D", "-", "-o", "/dev/null",
"-p", "-x", "http://user:pass@127.0.0.1:8080",
fmt.Sprintf("http://%s:5678", s.echoIP)}
_, out, _ := gostC.Exec(s.ctx, cmd)
body, _ := io.ReadAll(out)
output := string(body)
s.Assert().Contains(output, "403",
"CONNECT bypass should return 403")
})
}
// TestHTTPProxyDirectRequest verifies that a non-proxy-form HTTP request
// (raw GET / sent to the proxy port) is rejected with 400 Bad Request.
// A raw request with empty Host header has no valid scheme to infer,
// so the handler returns 400.
func (s *HTTPSuite) TestHTTPProxyDirectRequest() {
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
"testdata/http/server.yaml", "8080/tcp")
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
"GET / HTTP/1.0\r\nHost: bad!\r\n\r\n")
s.Assert().Contains(resp, "400",
"non-proxy GET should return 400")
}
// TestHTTPProxyPOST verifies that POST method forwarding works through
// the HTTP forward proxy. The echo server only handles GET, so the proxy
// should forward the POST request and return whatever the upstream sends
// back (501 Not Implemented from the echo server — not a proxy error).
// 501 is the real upstream response, proving the proxy forwarded it.
func (s *HTTPSuite) TestHTTPProxyPOST() {
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
"testdata/http/server.yaml", "8080/tcp")
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
"-X", "POST", "-x", "http://127.0.0.1:8080",
fmt.Sprintf("http://%s:5678/", s.echoIP)}
_, out, _ := gostC.Exec(s.ctx, cmd)
body, _ := io.ReadAll(out)
output := string(body)
// The echo server's BaseHTTPRequestHandler defaults to 501 for POST.
// If we get 501 through the proxy, it means the method was forwarded.
s.Assert().Contains(output, "501",
"POST through proxy should be forwarded, echo server returns 501")
}
// TestHTTPConnectUnreachable verifies that CONNECT to an unreachable target
// returns 503 Service Unavailable.
func (s *HTTPSuite) TestHTTPConnectUnreachable() {
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
"testdata/http/server_connect.yaml", "8080/tcp")
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
// Send a raw CONNECT request to a port where nothing is listening.
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
fmt.Sprintf("CONNECT %s:1 HTTP/1.0\r\nHost: %s:1\r\n\r\n", s.echoIP, s.echoIP))
s.Assert().Contains(resp, "503",
"CONNECT to unreachable target should return 503")
}
// TestHTTPConnector verifies HTTP connector type: a gost client uses an HTTP
// connector to forward through an upstream HTTP proxy (no auth), reaching the
// target via the proxy chain. This covers the server+client two-container
// pattern where the client connects to the server via connector type: http.
func (s *HTTPSuite) TestHTTPConnector() {
// Start upstream HTTP proxy server (no auth).
serverC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
"testdata/http/server.yaml", []string{"http-server"}, []string{"8080/tcp"})
s.Require().NoError(err)
defer serverC.Terminate(s.ctx)
// Render client config that chains through the upstream server.
rendered, err := RenderConfig("testdata/http/client_connector.yaml",
ConfigData{ServerAddr: "http-server:8080"})
s.Require().NoError(err)
defer os.Remove(rendered)
// Start client with the rendered config.
clientC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
rendered, "8080/tcp")
s.Require().NoError(err)
defer clientC.Terminate(s.ctx)
// Request through client proxy → HTTP connector → upstream HTTP server → target.
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
fmt.Sprintf("http://%s:5678", s.echoIP)}
code, out, err := clientC.Exec(s.ctx, cmd)
s.Require().NoError(err)
body, err := io.ReadAll(out)
s.Require().NoError(err)
if code != 0 || !strings.Contains(string(body), "hello-gost") {
DumpLogs(s.T(), s.ctx, "http-connector client logs", clientC)
DumpLogs(s.T(), s.ctx, "http-connector server logs", serverC)
}
s.Require().Equal(0, code)
s.Require().Contains(string(body), "hello-gost")
}
// TestHTTPConnectorAuth verifies HTTP connector with authentication:
// no-auth → 407, correct auth → success.
func (s *HTTPSuite) TestHTTPConnectorAuth() {
// Start upstream HTTP proxy with auth and network alias.
serverC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
"testdata/http/server_auth.yaml", []string{"http-server"}, []string{"8080/tcp"})
s.Require().NoError(err)
defer serverC.Terminate(s.ctx)
s.T().Run("no-auth-407", func(t *testing.T) {
// Send raw request directly to server container (no auth) → 407.
resp := s.sendRaw(serverC, "127.0.0.1", "8080",
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
s.Assert().Contains(resp, "407",
"no auth via upstream should return 407")
})
s.T().Run("correct-auth-success", func(t *testing.T) {
rendered, err := RenderConfig("testdata/http/client_connector_auth.yaml",
ConfigData{ServerAddr: "http-server:8080"})
s.Require().NoError(err)
defer os.Remove(rendered)
clientC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
rendered, "8080/tcp")
s.Require().NoError(err)
defer clientC.Terminate(s.ctx)
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
fmt.Sprintf("http://%s:5678", s.echoIP)}
code, out, err := clientC.Exec(s.ctx, cmd)
s.Require().NoError(err)
body, err := io.ReadAll(out)
s.Require().NoError(err)
if code != 0 || !strings.Contains(string(body), "hello-gost") {
DumpLogs(s.T(), s.ctx, "http-connector-auth client logs", clientC)
DumpLogs(s.T(), s.ctx, "http-connector-auth server logs", serverC)
}
s.Require().Equal(0, code)
s.Require().Contains(string(body), "hello-gost")
})
}
// TestHTTPProbeResistHost verifies probeResist host type.
// When auth fails, the handler pipes the raw request to
// the decoy host (tcp-echo:5678). The TCP echo server echoes
// back the request bytes rather than returning a 407.
func (s *HTTPSuite) TestHTTPProbeResistHost() {
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
"testdata/http/server_proberesist_host.yaml", "8080/tcp")
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
// Without auth, probeResist host pipes the raw request to tcp-echo:5678.
// The HTTP echo server returns 200 OK with "hello-gost", proving the
// request reached the decoy host rather than getting a 407 response.
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
s.Assert().NotContains(resp, "407",
"probeResist host should hide 407 response")
s.Assert().Contains(resp, "hello-gost",
"probeResist host should pipe request to decoy host")
}
// TestHTTPProbeResistKnock verifies probeResist knock mechanism.
// Clients that connect with a recognized knock Host header
// get a normal 407 auth challenge instead of the decoy response.
//
// Uses server_proberesist_knock.yaml:
// - probeResist: code:404 (decoy 404 for unknown hosts)
// - knock: secret.example.com (known hosts get normal 407)
func (s *HTTPSuite) TestHTTPProbeResistKnock() {
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
"testdata/http/server_proberesist_knock.yaml", "8080/tcp")
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
s.T().Run("unknown-host-decoy", func(t *testing.T) {
// URL hostname doesn't match knock list → probeResist fires → 404
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
s.Assert().Contains(resp, "404",
"unknown host should get decoy 404")
s.Assert().NotContains(resp, "407",
"unknown host should NOT get 407")
})
s.T().Run("knock-host-407", func(t *testing.T) {
// URL hostname matches knock list → normal 407 auth challenge.
// Note: knock checks req.URL.Hostname(), not the Host header.
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
"GET http://secret.example.com:5678/ HTTP/1.0\r\nHost: secret.example.com\r\n\r\n")
s.Assert().Contains(resp, "407",
"knock host should get normal 407")
})
}
// TestHTTPConnectorTLS verifies HTTP connector using TLS dialer
// to upstream HTTPS proxy (listener type: tls).
// The TLS listener auto-generates a self-signed cert;
// the TLS dialer defaults to InsecureSkipVerify=true, so
// handshake succeeds without explicit cert configuration.
func (s *HTTPSuite) TestHTTPConnectorTLS() {
serverC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
"testdata/http/server_tls.yaml", []string{"tls-server"}, []string{"8443/tcp"})
s.Require().NoError(err)
defer serverC.Terminate(s.ctx)
rendered, err := RenderConfig("testdata/http/client_connector_tls.yaml",
ConfigData{ServerAddr: "tls-server:8443"})
s.Require().NoError(err)
defer os.Remove(rendered)
clientC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
rendered, "8080/tcp")
s.Require().NoError(err)
defer clientC.Terminate(s.ctx)
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
fmt.Sprintf("http://%s:5678", s.echoIP)}
code, out, err := clientC.Exec(s.ctx, cmd)
s.Require().NoError(err)
body, err := io.ReadAll(out)
s.Require().NoError(err)
if code != 0 || !strings.Contains(string(body), "hello-gost") {
DumpLogs(s.T(), s.ctx, "http-connector-tls client logs", clientC)
DumpLogs(s.T(), s.ctx, "http-connector-tls server logs", serverC)
}
s.Require().Equal(0, code)
s.Require().Contains(string(body), "hello-gost")
}
// TestHTTPProbeResistWeb verifies probeResist web type.
// On auth failure, the handler fetches the decoy URL
// (tcp-echo:5678) and returns its response body.
func (s *HTTPSuite) TestHTTPProbeResistWeb() {
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
"testdata/http/server_proberesist_web.yaml", "8080/tcp")
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
// Without auth, probeResist web fetches http://tcp-echo:5678
// and returns the echo server's response ("hello-gost").
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
s.Assert().NotContains(resp, "407",
"probeResist web should hide 407 response")
s.Assert().Contains(resp, "hello-gost",
"probeResist web should return decoy response body")
}
// TestHTTPProbeResistFile verifies probeResist file type.
// On auth failure, the handler reads a local file and
// returns its contents as the HTTP response body.
func (s *HTTPSuite) TestHTTPProbeResistFile() {
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
"testdata/http/server_proberesist_file.yaml",
[]testcontainers.ContainerFile{
{HostFilePath: "testdata/http/decoy.html", ContainerFilePath: "/tmp/decoy.html", FileMode: 0644},
},
"8080/tcp")
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
// Without auth, probeResist file reads /tmp/decoy.html and
// returns "decoy-response" rather than a 407.
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
s.Assert().NotContains(resp, "407",
"probeResist file should hide 407 response")
s.Assert().Contains(resp, "decoy-response",
"probeResist file should return decoy file content")
}
// TestHTTPIdleTimeout verifies idleTimeout on CONNECT tunnels.
// After the configured idle timeout, the pipe between client
// and target should close.
func (s *HTTPSuite) TestHTTPIdleTimeout() {
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
"testdata/http/server_idle_timeout.yaml",
[]testcontainers.ContainerFile{
{HostFilePath: "scripts/http_idle_timeout.py", ContainerFilePath: "/scripts/http_idle_timeout.py", FileMode: 0644},
},
"8080/tcp")
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
// The Python script:
// 1. Opens a CONNECT tunnel to tcp-echo:5678
// 2. Sends and receives data (confirm tunnel is alive)
// 3. Waits > idleTimeout (3s + 2s buffer)
// 4. Sends more data — expects connection to be closed
code, out, err := gostC.Exec(s.ctx, []string{
"python3", "/scripts/http_idle_timeout.py",
"127.0.0.1", "8080", "3",
})
output, _ := io.ReadAll(out)
s.T().Logf("idle timeout output:\n%s", string(output))
if code != 0 {
DumpLogs(s.T(), s.ctx, "http-idle-timeout logs", gostC)
}
s.Require().Equal(0, code, "idle timeout test script should exit 0")
}
// TestHTTPUDPRelay verifies UDP relay over HTTP. Uses
// X-Gost-Protocol: udp in the CONNECT request to establish
// a SOCKS5 UDP tunnel through the HTTP handler.
func (s *HTTPSuite) TestHTTPUDPRelay() {
// Start UDP echo container on the shared network.
udpC, err := RunUDPEchoContainer(s.ctx, SharedNetworkName)
s.Require().NoError(err)
defer udpC.Terminate(s.ctx)
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
"testdata/http/server_udp.yaml",
[]testcontainers.ContainerFile{
{HostFilePath: "scripts/http_udp_relay.py", ContainerFilePath: "/scripts/http_udp_relay.py", FileMode: 0644},
},
"8080/tcp")
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
// The Python script:
// 1. Connects to gost HTTP proxy
// 2. Sends CONNECT with X-Gost-Protocol: udp
// 3. After 200 OK, sends a SOCKS5 UDP frame targeting udp-echo:5679
// 4. Reads back the echoed frame
code, out, err := gostC.Exec(s.ctx, []string{
"python3", "/scripts/http_udp_relay.py",
"127.0.0.1", "8080",
})
output, _ := io.ReadAll(out)
s.T().Logf("udp relay output:\n%s", string(output))
if code != 0 {
DumpLogs(s.T(), s.ctx, "http-udp logs", gostC)
}
s.Require().Equal(0, code, "udp relay test script should exit 0")
}
func TestHTTPSuite(t *testing.T) {
suite.Run(t, new(HTTPSuite))
}