chore(customdomains): fail on TCP_DENIED (#2041)

emosbaugh · web-flow · commit 93dfc9927d24 · 2025-03-28T20:52:01.000Z
* chore(customdomains): fail on TCP_DENIED

* chore(customdomains): fail on TCP_DENIED
diff --git a/e2e/proxy_test.go b/e2e/proxy_test.go
@@ -56,7 +56,7 @@ func TestProxiedEnvironment(t *testing.T) {
 	}
 
 	t.Cleanup(func() {
-		outputTCPDeniedLogs(t, tc)
+		failOnProxyTCPDenied(t, tc)
 	})
 
 	// bootstrap the first node and makes sure it is healthy. also executes the kots
@@ -147,7 +147,7 @@ func TestProxiedCustomCIDR(t *testing.T) {
 	}
 
 	t.Cleanup(func() {
-		outputTCPDeniedLogs(t, tc)
+		failOnProxyTCPDenied(t, tc)
 	})
 
 	// bootstrap the first node and makes sure it is healthy. also executes the kots
@@ -246,7 +246,7 @@ func TestInstallWithMITMProxy(t *testing.T) {
 	}
 
 	t.Cleanup(func() {
-		outputTCPDeniedLogs(t, tc)
+		failOnProxyTCPDenied(t, tc)
 	})
 
 	// bootstrap the first node and makes sure it is healthy. also executes the kots
@@ -288,11 +288,15 @@ func TestInstallWithMITMProxy(t *testing.T) {
 	t.Logf("%s: test complete", time.Now().Format(time.RFC3339))
 }
 
-func outputTCPDeniedLogs(t *testing.T, tc *lxd.Cluster) {
-	stdout, _, err := tc.RunCommandOnProxyNode(t, []string{"sh", "-c", "grep -A4 -B4 TCP_DENIED /var/log/squid/access.log || true"})
+func failOnProxyTCPDenied(t *testing.T, tc *lxd.Cluster) {
+	line := []string{"sh", "-c", `grep -A1 TCP_DENIED /var/log/squid/access.log | grep -v speedtest\.net`}
+	stdout, _, err := tc.RunCommandOnProxyNode(t, line)
 	if err != nil {
 		t.Fatalf("fail to check squid access log: %v", err)
 	}
 	t.Logf("TCP_DENIED logs:")
 	t.Log(stdout)
+	if strings.Contains(stdout, "TCP_DENIED") {
+		t.Fatalf("TCP_DENIED logs found")
+	}
 }
diff --git a/e2e/restore_test.go b/e2e/restore_test.go
@@ -237,7 +237,7 @@ func TestSingleNodeDisasterRecoveryWithProxy(t *testing.T) {
 	}
 
 	t.Cleanup(func() {
-		outputTCPDeniedLogs(t, tc)
+		failOnProxyTCPDenied(t, tc)
 	})
 
 	installSingleNodeWithOptions(t, tc, installOptions{
diff --git a/e2e/scripts/enable-squid-whitelist.sh b/e2e/scripts/enable-squid-whitelist.sh
@@ -62,9 +62,9 @@ function validate_whitelist() {
     fi
 
     # validate that we cannot access google.com (should be blocked)
-    status_code=$(curl -s -o /dev/null -w "%{http_connect}" -x http://10.0.0.254:3128 https://google.com)
+    status_code=$(curl -s -o /dev/null -w "%{http_connect}" -x http://10.0.0.254:3128 https://speedtest.net)
     if [ "$status_code" -ne 403 ] && [ "$status_code" -ne 407 ]; then
-        echo "Error: google.com expected status code 403 or 407 (blocked), got $status_code"
+        echo "Error: speedtest.net expected status code 403 or 407 (blocked), got $status_code"
         return 1
     fi
 

Original file line number	Diff line number	Diff line change
`@@ -237,7 +237,7 @@ func TestSingleNodeDisasterRecoveryWithProxy(t *testing.T) {`
`237`	`237`	`}`
`238`	`238`
`239`	`239`	`t.Cleanup(func() {`
`240`		`- outputTCPDeniedLogs(t, tc)`
	`240`	`+ failOnProxyTCPDenied(t, tc)`
`241`	`241`	`})`
`242`	`242`
`243`	`243`	`installSingleNodeWithOptions(t, tc, installOptions{`