Verify node-level routing matchers via a two-proxy relay: a forward
proxy whose only chain node carries matcher Host(`tcp-echo`) is only
eligible for a matching Host, so the request is relayed upstream to the
echo server; a non-matching Host is excluded (no eligible node) and never
reaches the echo server. Mirrors the resolver/ingress e2e pattern.
Verifies that a configured resolver drives the proxy's outbound DNS
resolution. A gost HTTP proxy uses a resolver whose only nameserver is a
test responder answering echo.test with the real echo server IP and
NXDOMAIN for everything else. A request to echo.test is resolved by the
custom resolver and reaches the echo server; an unmapped host fails to
resolve. Adds a parametrized DNS responder script and container helper.
Verifies hostname→endpoint routing at the reverse-proxy tunnel
entrypoint. A public gost runs a tunnel handler with an ingress
mapping example.local→tunnel-UUID and an HTTP entrypoint; an internal
client binds a reverse tunnel forwarding to the echo server. A request
with a mapped Host is routed through the tunnel to the echo server,
while an unmapped Host matches no ingress rule and is rejected.
Verify the static hosts mapping (HostMapper) overrides DNS: a mapped
hostname resolves to the configured IP and reaches the echo server,
while an unmapped hostname fails to resolve.
Verify HTTP proxy authentication for both inline single-user auth and a
named auther with multiple users. Covers valid credentials, wrong
password, missing credentials, and any-user-in-auther acceptance.
Verify service-level admission control gating by client source IP, in
both whitelist and blacklist modes. Contrasts a loopback client (curl
inside the gost container) against an external client (curl inside the
echo container) to exercise both admit and deny paths.
Verify both blacklist and whitelist bypass modes: a matching destination
skips the dead chain node and connects directly to the echo server, while a
non-matching destination is forced through the dead node and never reaches it.
Merge parallel_selector_test.go into selector_test.go and add e2e coverage
for the round-robin + fail filter, fifo sticky fallback, and backup filter
strategies. Each test drives requests through a hop with one dead node and
asserts the selector marks and skips it so traffic converges on the live node.
Co-Authored-By: Claude <noreply@anthropic.com>
Adds an e2e suite (tests/e2e/utls_test.go + testdata/utls/*)
that exercises the utls dialer in a forward-proxy chain:
curl -> client gost (http proxy :8080)
-> chain node (http connector + utls dialer)
-> server gost (http over TLS listener :8443)
-> tcp-echo
Two cases:
- TestUTLSInsecure: regression for go-gost/gost#887. A utls
dialer with `secure: false` must still complete the handshake
(InsecureSkipVerify must be honoured). The old unsafe cast read
garbage for InsecureSkipVerify and the handshake failed.
- TestUTLSSecureWithCA: exercises the converter's RootCAs /
ServerName path with a CA-signed server cert.
Uses the deterministic `Chrome` fingerprint (not `randomized`, which
randomises the ClientHello and is flaky against a standard Go TLS
server).
Bumps github.com/go-gost/x to v0.13.11, which fixes the
second half of #887: the curve-preference enum divergence between
crypto/tls and utls (Go 1.24+ appends PQC hybrid curves that
utls does not define).
Related: go-gost/gost#887, go-gost/x#111, go-gost/x#112
Add tests/e2e/http2_test.go covering the http2 handler/listener/connector/dialer
end-to-end through the canonical gost-as-client pattern (8 subtests: forward,
auth, bypass, probeResist/metadata, h2 stream multiplexing). Include
testdata/http2/{server,server_auth,server_bypass,server_proberesist,client,
client_auth}.yaml. Note that h2/h2c listeners pair with the tunnel handler
and only http2 listener pairs with handler http2 (reads r/w from metadata).
Tighten TestDNSHostMapper by pointing the handler at an unreachable upstream
so unmapped names fail at the exchanger, confirming the host-mapper path was
the sole reason mapped names resolved. Fix http_idle_timeout.py to speak HTTP
through the CONNECT tunnel rather than a raw ping, matching the echo backend.
Co-Authored-By: Claude <noreply@anthropic.com>
Adds 22 DNS e2e subtests across 8 test methods covering: upstream
resolution (A, AAAA, multi-A), TCP mode, bypass rules, host mapper,
exchange failure (graceful error recovery), rate limiter wiring,
invalid query handling, and DNS over TLS (mode: tls).
Includes two authoritative DNS responders (UDP/TCP), a standalone
DNS query client, and a TLS DNS query script.
Adds 5 test methods (7 test cases) for the file handler:
GET existing file, GET nonexistent file, GET index.html, PUT upload,
PUT without permission, and auth (no-auth-401, with-auth-success).
Includes test data files and server YAML configs under
tests/e2e/testdata/file/.
Adds 12 new HTTP handler test scenarios: HTTP connector (no-auth, auth, TLS
upstream), CONNECT tunnel (no-sniffing, bypass-403), probeResist (host, web,
file, knock), idleTimeout, and UDP relay over HTTP. Introduces
RunGostContainerWithFiles helper for mounting extra files into test containers.