8000 Merge pull request #2452 from pini-gh/pini-enforce-HTTPS_METHOD · nginx-proxy/nginx-proxy@50608d7 · GitHub

Commit 50608d7

Merge pull request #2452 from pini-gh/pini-enforce-HTTPS_METHOD
fix: enforce HTTPS_METHOD on missing cert as well
2 parents 9506e60 + 60b123d commit 50608d7

4 files changed

+67
-1
lines changed


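--- a/docs/README.md
+++ b/docs/README.md
@@ -582,6 +582,7 @@ If no matching certificate is found for a given virtual host, nginx-proxy will:
 
 - configure nginx to use the default certificate (`default.crt` with `default.key`) and return a 500 error for HTTPS,
 - force enable HTTP; i.e. `HTTPS_METHOD` will switch to `noredirect` if it was set to `nohttp` or `redirect`.
+If this switch to HTTP is not wanted set `ENABLE_HTTP_ON_MISSING_CERT=false` (default is `true`).
 
 If the default certificate is also missing, nginx-proxy will configure nginx to accept HTTPS connections but fail the TLS negotiation. Client browsers will render a TLS error page. As of March 2023, web browsers display the following error messages:
 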
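--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -590,8 +590,9 @@ proxy_set_header Proxy "";
 
 {{- $default := eq $globals.Env.DEFAULT_HOST $hostname }}
 {{- $https_method := or (first (groupByKeys $vhost_containers "Env.HTTPS_METHOD")) $globals.Env.HTTPS_METHOD "redirect" }}
+{{- $enable_http_on_missing_cert := parseBool (or (first (groupByKeys $vhost_containers "Env.ENABLE_HTTP_ON_MISSING_CERT")) $globals.Env.ENABLE_HTTP_ON_MISSING_CERT "true") }}
 {{- /* When the certificate is missing we want to ensure that HTTP is enabled; hence switching from 'nohttp' or 'redirect' to 'noredirect' */}}
-{{- if (and (not $cert_ok) (or (eq $https_method "nohttp") (eq $https_method "redirect"))) }}
+{{- if (and $enable_http_on_missing_cert (not $cert_ok) (or (eq $https_method "nohttp") (eq $https_method "redirect"))) }}
 {{- $https_method = "noredirect" }}
 {{- end }}
 {{- $http2_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable"))) $globals.Env.ENABLE_HTTP2 "true")}}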
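Review bot: On the added `$enable_http_on_missing_cert` line the per-container value is resolved with `first (groupByKeys …)`, so when several containers share a virtual host and disagree, a single one of them decides whether plaintext HTTP is re-enabled; which one wins presumably depends on key order, as it already does for `HTTPS_METHOD`. Since `false` is the setting that keeps a `nohttp` or `redirect` host from being served over HTTP when its certificate is missing, it would be safer to let any `false` win, or at least to state the precedence in the docs. The unchanged comment above the `if` no longer matches the condition; I would reword it to `{{- /* When the certificate is missing, HTTP is enabled by switching 'nohttp' or 'redirect' to 'noredirect', unless ENABLE_HTTP_ON_MISSING_CERT is false */}}`. The surrounding template block starts and ends outside this hunk.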
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
import pytest
2+
3+
4+
def test_nohttp_missing_cert_disabled(docker_compose, nginxproxy):
5+
r = nginxproxy.get("http://nohttp-missing-cert-disabled.nginx-proxy.tld/", allow_redirects=False)
6+
assert r.status_code == 503
7+
8+
def test_nohttp_missing_cert_enabled(docker_compose, nginxproxy):
9+
r = nginxproxy.get("http://nohttp-missing-cert-enabled.nginx-proxy.tld/", allow_redirects=False)
10+
assert r.status_code == 200
11+
12+
def test_redirect_missing_cert_disabled(docker_compose, nginxproxy):
13+
r = nginxproxy.get("http://redirect-missing-cert-disabled.nginx-proxy.tld/", allow_redirects=False)
14+
assert r.status_code == 301
15+
16+
def test_redirect_missing_cert_enabled(docker_compose, nginxproxy):
17+
r = nginxproxy.get("http://redirect-missing-cert-enabled.nginx-proxy.tld/", allow_redirects=False)
18+
assert r.status_code == 200
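Review bot: `test_redirect_missing_cert_disabled` asserts only `r.status_code == 301`, which any permanent redirect would satisfy, so it does not show that the client is sent to HTTPS rather than somewhere else. I would pin the target as well, e.g. `assert r.headers["Location"].startswith("https://")`. None of the four tests probes the HTTPS side, so the behaviour documented for a missing certificate (the 500 response over the default certificate) is not checked for these hosts in this file. `import pytest` is not used by anything visible here and could be dropped.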
Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,46 @@
1+
version: "2"
2+
3+
services:
4+
sut:
5+
image: nginxproxy/nginx-proxy:test
6+
volumes:
7+
- /var/run/docker.sock:/tmp/docker.sock:ro
8+
- ./withdefault.certs:/etc/nginx/certs:ro
9+
environment:
10+
ENABLE_HTTP_ON_MISSING_CERT: "false"
11+
12+
nohttp-missing-cert-disabled:
13+
image: web
14+
expose:
15+
- "81"
16+
environment:
17+
WEB_PORTS: "81"
18+
VIRTUAL_HOST: nohttp-missing-cert-disabled.nginx-proxy.tld
19+
HTTPS_METHOD: nohttp
20+
21+
nohttp-missing-cert-enabled:
22+
image: web
23+
expose:
24+
- "82"
25+
environment:
26+
WEB_PORTS: "82"
27+
VIRTUAL_HOST: nohttp-missing-cert-enabled.nginx-proxy.tld
28+
HTTPS_METHOD: nohttp
29+
ENABLE_HTTP_ON_MISSING_CERT: "true"
30+
31+
redirect-missing-cert-disabled:
32+
image: web
33+
expose:
34+
- "83"
35+
environment:
36+
WEB_PORTS: "83"
37+
VIRTUAL_HOST: redirect-missing-cert-disabled.nginx-proxy.tld
38+
39+
redirect-missing-cert-enabled:
40+
image: web
41+
expose:
42+
- "84"
43+
environment:
44+
WEB_PORTS: "84"
45+
VIRTUAL_HOST: redirect-missing-cert-enabled.nginx-proxy.tld
46+
ENABLE_HTTP_ON_MISSING_CERT: "true"
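Review bot: The fixture exercises only one direction of precedence: `sut` sets `ENABLE_HTTP_ON_MISSING_CERT: "false"` globally and two backends override it with `"true"`. The hardening case, where the global value is left at its default and a single backend opts out with `"false"`, is not covered, so a regression in the per-container lookup that re-enabled plaintext HTTP for such a host would not be caught by what this file sets up. A second compose file without the global setting and with one backend carrying `ENABLE_HTTP_ON_MISSING_CERT: "false"` would close that gap. The two `redirect-*` services also rely on `HTTPS_METHOD` being unset; a comment such as `# HTTPS_METHOD unset: defaults to redirect` would make that intent explicit.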
