nginx-proxy/test/test_fallback/test_fallback.py

import pathlib
import re
from typing import List

import backoff
import pytest
import requests


@pytest.fixture
def docker_compose_files(compose_file) -> List[str]:
    data_dir = pathlib.Path(__file__).parent.joinpath("test_fallback.data")
    return [
        data_dir.joinpath("compose.base.yml"),
        data_dir.joinpath(compose_file).as_posix()
    ]


@pytest.fixture
def docker_compose_file(data_dir, compose_file):
    return os.path.join(data_dir, compose_file)


@pytest.fixture
def get(docker_compose, nginxproxy, want_err_re):

    @backoff.on_exception(
        backoff.constant,
        requests.exceptions.SSLError,
        giveup=lambda e: want_err_re and want_err_re.search(str(e)),
        interval=.3,
        max_tries=30,
        jitter=None)
    def _get(url):
        return nginxproxy.get(url, allow_redirects=False)

    return _get


INTERNAL_ERR_RE = re.compile("TLSV1_UNRECOGNIZED_NAME")


@pytest.mark.parametrize("compose_file,url,want_code,want_err_re", [
    # Has default.crt.
    ("withdefault.yml", "http://https-and-http.nginx-proxy.test/", 301, None),
    ("withdefault.yml", "https://https-and-http.nginx-proxy.test/", 200, None),
    ("withdefault.yml", "http://https-only.nginx-proxy.test/", 503, None),
    ("withdefault.yml", "https://https-only.nginx-proxy.test/", 200, None),
    ("withdefault.yml", "http://http-only.nginx-proxy.test/", 200, None),
    ("withdefault.yml", "https://http-only.nginx-proxy.test/", 503, None),
    ("withdefault.yml", "http://missing-cert.nginx-proxy.test/", 301, None),
    ("withdefault.yml", "https://missing-cert.nginx-proxy.test/", 200, None),
    ("withdefault.yml", "http://missing-cert.default-untrusted.nginx-proxy.test/", 200, None),
    ("withdefault.yml", "https://missing-cert.default-untrusted.nginx-proxy.test/", None, INTERNAL_ERR_RE),
    ("withdefault.yml", "http://unknown.nginx-proxy.test/", 503, None),
    ("withdefault.yml", "https://unknown.nginx-proxy.test/", 503, None),
    # Same as withdefault.yml, except default.crt is not trusted (TRUST_DEFAULT_CERT=false).
    ("untrusteddefault.yml", "http://https-and-http.nginx-proxy.test/", 301, None),
    ("untrusteddefault.yml", "https://https-and-http.nginx-proxy.test/", 200, None),
    ("untrusteddefault.yml", "http://https-only.nginx-proxy.test/", 503, None),
    ("untrusteddefault.yml", "https://https-only.nginx-proxy.test/", 200, None),
    ("untrusteddefault.yml", "http://http-only.nginx-proxy.test/", 200, None),
    ("untrusteddefault.yml", "https://http-only.nginx-proxy.test/", 503, None),
    ("untrusteddefault.yml", "http://missing-cert.nginx-proxy.test/", 200, None),
    ("untrusteddefault.yml", "https://missing-cert.nginx-proxy.test/", None, INTERNAL_ERR_RE),
    ("untrusteddefault.yml", "http://unknown.nginx-proxy.test/", 503, None),
    ("untrusteddefault.yml", "https://unknown.nginx-proxy.test/", 503, None),
    # Same as withdefault.yml, except there is no default.crt.
    ("nodefault.yml", "http://https-and-http.nginx-proxy.test/", 301, None),
    ("nodefault.yml", "https://https-and-http.nginx-proxy.test/", 200, None),
    ("nodefault.yml", "http://https-only.nginx-proxy.test/", 503, None),
    ("nodefault.yml", "https://https-only.nginx-proxy.test/", 200, None),
    ("nodefault.yml", "http://http-only.nginx-proxy.test/", 200, None),
    ("nodefault.yml", "https://http-only.nginx-proxy.test/", None, INTERNAL_ERR_RE),
    ("nodefault.yml", "http://missing-cert.nginx-proxy.test/", 200, None),
    ("nodefault.yml", "https://missing-cert.nginx-proxy.test/", None, INTERNAL_ERR_RE),
    ("nodefault.yml", "http://unknown.nginx-proxy.test/", 503, None),
    ("nodefault.yml", "https://unknown.nginx-proxy.test/", None, INTERNAL_ERR_RE),
    # HTTPS_METHOD=nohttp on nginx-proxy, HTTPS_METHOD unset on the app container.
    ("nohttp.yml", "http://https-only.nginx-proxy.test/", 503, None),
    ("nohttp.yml", "https://https-only.nginx-proxy.test/", 200, None),
    ("nohttp.yml", "http://unknown.nginx-proxy.test/", 503, None),
    ("nohttp.yml", "https://unknown.nginx-proxy.test/", 503, None),
    # HTTPS_METHOD=redirect on nginx-proxy, HTTPS_METHOD=nohttp on the app container.
    ("nohttp-on-app.yml", "http://https-only.nginx-proxy.test/", 503, None),
    ("nohttp-on-app.yml", "https://https-only.nginx-proxy.test/", 200, None),
    ("nohttp-on-app.yml", "http://unknown.nginx-proxy.test/", 503, None),
    ("nohttp-on-app.yml", "https://unknown.nginx-proxy.test/", 503, None),
    # Same as nohttp.yml, except there are two vhosts with a missing cert, the second
    # one being configured not to trust the default certificate. This causes its
    # HTTPS_METHOD=nohttp setting to effectively become HTTPS_METHOD=noredirect.
    ("nohttp-with-missing-cert.yml", "http://https-only.nginx-proxy.test/", 503, None),
    ("nohttp-with-missing-cert.yml", "https://https-only.nginx-proxy.test/", 200, None),
    ("nohttp-with-missing-cert.yml", "http://missing-cert.nginx-proxy.test/", 503, None),
    ("nohttp-with-missing-cert.yml", "https://missing-cert.nginx-proxy.test/", 200, None),
    ("nohttp-with-missing-cert.yml", "http://missing-cert.default-untrusted.nginx-proxy.test/", 200, None),
    ("nohttp-with-missing-cert.yml", "https://missing-cert.default-untrusted.nginx-proxy.test/", None, INTERNAL_ERR_RE),
    ("nohttp-with-missing-cert.yml", "http://unknown.nginx-proxy.test/", 503, None),
    ("nohttp-with-missing-cert.yml", "https://unknown.nginx-proxy.test/", 503, None),
    # HTTPS_METHOD=nohttps on nginx-proxy, HTTPS_METHOD unset on the app container.
    ("nohttps.yml", "http://http-only.nginx-proxy.test/", 200, None),
    ("nohttps.yml", "https://http-only.nginx-proxy.test/", None, INTERNAL_ERR_RE),
    ("nohttps.yml", "http://unknown.nginx-proxy.test/", 503, None),
    ("nohttps.yml", "https://unknown.nginx-proxy.test/", None, INTERNAL_ERR_RE),
    # HTTPS_METHOD=redirect on nginx-proxy, HTTPS_METHOD=nohttps on the app container.
    ("nohttps-on-app.yml", "http://http-only.nginx-proxy.test/", 200, None),
    ("nohttps-on-app.yml", "https://http-only.nginx-proxy.test/", None, INTERNAL_ERR_RE),
    ("nohttps-on-app.yml", "http://unknown.nginx-proxy.test/", 503, None),
    ("nohttps-on-app.yml", "https://unknown.nginx-proxy.test/", None, INTERNAL_ERR_RE),
    # Custom nginx config that has a `server` directive that uses `default_server` and simply
    # returns 418.  Nginx should successfully start (in particular, the `default_server` in the
    # custom config should not conflict with the fallback server generated by nginx-proxy) and nginx
    # should prefer that server for handling requests for unknown vhosts.
    ("custom-fallback.yml", "http://unknown.nginx-proxy.test/", 418, None),
])
def test_fallback(get, compose_file, url, want_code, want_err_re):
    if want_err_re is None:
        r = get(url)
        assert r.status_code == want_code
    else:
        with pytest.raises(requests.exceptions.SSLError, match=want_err_re):
            get(url)
tests: factor out base nginx-proxy config 2024-12-30 11:59:07 +01:00			`import pathlib`
fix: Emit TLS error if there are no certs available Before, if neither the vhost-specific cert nor `default.crt` existed, nginx-proxy would not create the https vhost. This resulted in nginx either refusing the connection or serving the wrong vhost depending on whether there was another https vhost with a certificate. Now nginx-proxy always creates an https server for a vhost, even if the vhost-specific certificate and the default certificate are both missing. When both certs are missing, nginx is given empty certificate data to make it possible for it to start up without an error. The empty certificate data causes the user to see a TLS error, which is much easier to troubleshoot than a connection refused error or serving the wrong vhost. 2023-02-02 22:02:06 -05:00			`import re`
tests: factor out base nginx-proxy config 2024-12-30 11:59:07 +01:00			`from typing import List`
fix: Don't create cert error https server if https is not enabled 2023-02-02 17:17:00 -05:00
			`import backoff`
			`import pytest`
			`import requests`


			`@pytest.fixture`
tests: factor out base nginx-proxy config 2024-12-30 11:59:07 +01:00			`def docker_compose_files(compose_file) -> List[str]:`
			`data_dir = pathlib.Path(__file__).parent.joinpath("test_fallback.data")`
			`return [`
			`data_dir.joinpath("compose.base.yml"),`
			`data_dir.joinpath(compose_file).as_posix()`
			`]`
fix: Don't create cert error https server if https is not enabled 2023-02-02 17:17:00 -05:00

			`@pytest.fixture`
			`def docker_compose_file(data_dir, compose_file):`
			`return os.path.join(data_dir, compose_file)`


			`@pytest.fixture`
			`def get(docker_compose, nginxproxy, want_err_re):`

			`@backoff.on_exception(`
			`backoff.constant,`
fix: reject SSL handshake rather than using empty certificate 2024-10-03 09:07:33 +02:00			`requests.exceptions.SSLError,`
fix: Don't create cert error https server if https is not enabled 2023-02-02 17:17:00 -05:00			`giveup=lambda e: want_err_re and want_err_re.search(str(e)),`
			`interval=.3,`
			`max_tries=30,`
			`jitter=None)`
			`def _get(url):`
			`return nginxproxy.get(url, allow_redirects=False)`

			`return _get`


fix: reject SSL handshake rather than using empty certificate 2024-10-03 09:07:33 +02:00			`INTERNAL_ERR_RE = re.compile("TLSV1_UNRECOGNIZED_NAME")`
fix: Emit TLS error if there are no certs available Before, if neither the vhost-specific cert nor `default.crt` existed, nginx-proxy would not create the https vhost. This resulted in nginx either refusing the connection or serving the wrong vhost depending on whether there was another https vhost with a certificate. Now nginx-proxy always creates an https server for a vhost, even if the vhost-specific certificate and the default certificate are both missing. When both certs are missing, nginx is given empty certificate data to make it possible for it to start up without an error. The empty certificate data causes the user to see a TLS error, which is much easier to troubleshoot than a connection refused error or serving the wrong vhost. 2023-02-02 22:02:06 -05:00

fix: Don't create cert error https server if https is not enabled 2023-02-02 17:17:00 -05:00			`@pytest.mark.parametrize("compose_file,url,want_code,want_err_re", [`
			`# Has default.crt.`
			`("withdefault.yml", "http://https-and-http.nginx-proxy.test/", 301, None),`
			`("withdefault.yml", "https://https-and-http.nginx-proxy.test/", 200, None),`
			`("withdefault.yml", "http://https-only.nginx-proxy.test/", 503, None),`
			`("withdefault.yml", "https://https-only.nginx-proxy.test/", 200, None),`
			`("withdefault.yml", "http://http-only.nginx-proxy.test/", 200, None),`
			`("withdefault.yml", "https://http-only.nginx-proxy.test/", 503, None),`
fix: force enable HTTP when both vhost and default cert are missing 2024-11-03 21:06:23 +01:00			`("withdefault.yml", "http://missing-cert.nginx-proxy.test/", 301, None),`
feat: trust default certificate 2024-11-03 20:10:32 +01:00			`("withdefault.yml", "https://missing-cert.nginx-proxy.test/", 200, None),`
test: default cert optional trust 2024-11-04 10:19:09 +01:00			`("withdefault.yml", "http://missing-cert.default-untrusted.nginx-proxy.test/", 200, None),`
			`("withdefault.yml", "https://missing-cert.default-untrusted.nginx-proxy.test/", None, INTERNAL_ERR_RE),`
fix: Don't create cert error https server if https is not enabled 2023-02-02 17:17:00 -05:00			`("withdefault.yml", "http://unknown.nginx-proxy.test/", 503, None),`
			`("withdefault.yml", "https://unknown.nginx-proxy.test/", 503, None),`
test: globally untrusted default cert 2024-12-01 20:24:53 +01:00			`# Same as withdefault.yml, except default.crt is not trusted (TRUST_DEFAULT_CERT=false).`
			`("untrusteddefault.yml", "http://https-and-http.nginx-proxy.test/", 301, None),`
			`("untrusteddefault.yml", "https://https-and-http.nginx-proxy.test/", 200, None),`
			`("untrusteddefault.yml", "http://https-only.nginx-proxy.test/", 503, None),`
			`("untrusteddefault.yml", "https://https-only.nginx-proxy.test/", 200, None),`
			`("untrusteddefault.yml", "http://http-only.nginx-proxy.test/", 200, None),`
			`("untrusteddefault.yml", "https://http-only.nginx-proxy.test/", 503, None),`
			`("untrusteddefault.yml", "http://missing-cert.nginx-proxy.test/", 200, None),`
			`("untrusteddefault.yml", "https://missing-cert.nginx-proxy.test/", None, INTERNAL_ERR_RE),`
			`("untrusteddefault.yml", "http://unknown.nginx-proxy.test/", 503, None),`
			`("untrusteddefault.yml", "https://unknown.nginx-proxy.test/", 503, None),`
fix: Emit TLS error if there are no certs available Before, if neither the vhost-specific cert nor `default.crt` existed, nginx-proxy would not create the https vhost. This resulted in nginx either refusing the connection or serving the wrong vhost depending on whether there was another https vhost with a certificate. Now nginx-proxy always creates an https server for a vhost, even if the vhost-specific certificate and the default certificate are both missing. When both certs are missing, nginx is given empty certificate data to make it possible for it to start up without an error. The empty certificate data causes the user to see a TLS error, which is much easier to troubleshoot than a connection refused error or serving the wrong vhost. 2023-02-02 22:02:06 -05:00			`# Same as withdefault.yml, except there is no default.crt.`
			`("nodefault.yml", "http://https-and-http.nginx-proxy.test/", 301, None),`
			`("nodefault.yml", "https://https-and-http.nginx-proxy.test/", 200, None),`
			`("nodefault.yml", "http://https-only.nginx-proxy.test/", 503, None),`
			`("nodefault.yml", "https://https-only.nginx-proxy.test/", 200, None),`
			`("nodefault.yml", "http://http-only.nginx-proxy.test/", 200, None),`
			`("nodefault.yml", "https://http-only.nginx-proxy.test/", None, INTERNAL_ERR_RE),`
			`("nodefault.yml", "http://missing-cert.nginx-proxy.test/", 200, None),`
			`("nodefault.yml", "https://missing-cert.nginx-proxy.test/", None, INTERNAL_ERR_RE),`
			`("nodefault.yml", "http://unknown.nginx-proxy.test/", 503, None),`
			`("nodefault.yml", "https://unknown.nginx-proxy.test/", None, INTERNAL_ERR_RE),`
test: default cert optional trust 2024-11-04 10:19:09 +01:00			`# HTTPS_METHOD=nohttp on nginx-proxy, HTTPS_METHOD unset on the app container.`
fix: constistent behavior for `HTTPS_METHOD=nohttp` Without this fix the response of nohttp sites to HTTP requests changes depending on the existence of at least one HTTP enabled site: * no HTTP enabled sites -> connection refused * at least one HTTP enabled site -> 503 This fix ensures the response is always 503. 2024-05-14 22:30:06 +02:00			`("nohttp.yml", "http://https-only.nginx-proxy.test/", 503, None),`
fix: Don't create fallback http(s) server when http(s) disabled Before, a fallback http server was created to handle requests for unknown virtual hosts even when `HTTPS_METHOD=nohttp`. (In this case, all http vhosts would be unknown.) Likewise, a catch-all fallback https server was still created even if `HTTPS_METHOD=nohttps`. Now the fallback servers are created only if needed. This brings the behavior in line with the documentation and user expectation. It will also make it easier to implement a planned feature: different servers on different ports. 2023-02-04 18:59:38 -05:00			`("nohttp.yml", "https://https-only.nginx-proxy.test/", 200, None),`
fix: constistent behavior for `HTTPS_METHOD=nohttp` Without this fix the response of nohttp sites to HTTP requests changes depending on the existence of at least one HTTP enabled site: * no HTTP enabled sites -> connection refused * at least one HTTP enabled site -> 503 This fix ensures the response is always 503. 2024-05-14 22:30:06 +02:00			`("nohttp.yml", "http://unknown.nginx-proxy.test/", 503, None),`
test: default cert optional trust 2024-11-04 10:19:09 +01:00			`("nohttp.yml", "https://unknown.nginx-proxy.test/", 503, None),`
			`# HTTPS_METHOD=redirect on nginx-proxy, HTTPS_METHOD=nohttp on the app container.`
fix: constistent behavior for `HTTPS_METHOD=nohttp` Without this fix the response of nohttp sites to HTTP requests changes depending on the existence of at least one HTTP enabled site: * no HTTP enabled sites -> connection refused * at least one HTTP enabled site -> 503 This fix ensures the response is always 503. 2024-05-14 22:30:06 +02:00			`("nohttp-on-app.yml", "http://https-only.nginx-proxy.test/", 503, None),`
fix: Don't create fallback http(s) server when http(s) disabled Before, a fallback http server was created to handle requests for unknown virtual hosts even when `HTTPS_METHOD=nohttp`. (In this case, all http vhosts would be unknown.) Likewise, a catch-all fallback https server was still created even if `HTTPS_METHOD=nohttps`. Now the fallback servers are created only if needed. This brings the behavior in line with the documentation and user expectation. It will also make it easier to implement a planned feature: different servers on different ports. 2023-02-04 18:59:38 -05:00			`("nohttp-on-app.yml", "https://https-only.nginx-proxy.test/", 200, None),`
fix: constistent behavior for `HTTPS_METHOD=nohttp` Without this fix the response of nohttp sites to HTTP requests changes depending on the existence of at least one HTTP enabled site: * no HTTP enabled sites -> connection refused * at least one HTTP enabled site -> 503 This fix ensures the response is always 503. 2024-05-14 22:30:06 +02:00			`("nohttp-on-app.yml", "http://unknown.nginx-proxy.test/", 503, None),`
test: default cert optional trust 2024-11-04 10:19:09 +01:00			`("nohttp-on-app.yml", "https://unknown.nginx-proxy.test/", 503, None),`
			`# Same as nohttp.yml, except there are two vhosts with a missing cert, the second`
			`# one being configured not to trust the default certificate. This causes its`
fix: constistent behavior for `HTTPS_METHOD=nohttp` Without this fix the response of nohttp sites to HTTP requests changes depending on the existence of at least one HTTP enabled site: * no HTTP enabled sites -> connection refused * at least one HTTP enabled site -> 503 This fix ensures the response is always 503. 2024-05-14 22:30:06 +02:00			`# HTTPS_METHOD=nohttp setting to effectively become HTTPS_METHOD=noredirect.`
fix: Don't create fallback http(s) server when http(s) disabled Before, a fallback http server was created to handle requests for unknown virtual hosts even when `HTTPS_METHOD=nohttp`. (In this case, all http vhosts would be unknown.) Likewise, a catch-all fallback https server was still created even if `HTTPS_METHOD=nohttps`. Now the fallback servers are created only if needed. This brings the behavior in line with the documentation and user expectation. It will also make it easier to implement a planned feature: different servers on different ports. 2023-02-04 18:59:38 -05:00			`("nohttp-with-missing-cert.yml", "http://https-only.nginx-proxy.test/", 503, None),`
			`("nohttp-with-missing-cert.yml", "https://https-only.nginx-proxy.test/", 200, None),`
test: default cert optional trust 2024-11-04 10:19:09 +01:00			`("nohttp-with-missing-cert.yml", "http://missing-cert.nginx-proxy.test/", 503, None),`
			`("nohttp-with-missing-cert.yml", "https://missing-cert.nginx-proxy.test/", 200, None),`
			`("nohttp-with-missing-cert.yml", "http://missing-cert.default-untrusted.nginx-proxy.test/", 200, None),`
			`("nohttp-with-missing-cert.yml", "https://missing-cert.default-untrusted.nginx-proxy.test/", None, INTERNAL_ERR_RE),`
fix: Don't create fallback http(s) server when http(s) disabled Before, a fallback http server was created to handle requests for unknown virtual hosts even when `HTTPS_METHOD=nohttp`. (In this case, all http vhosts would be unknown.) Likewise, a catch-all fallback https server was still created even if `HTTPS_METHOD=nohttps`. Now the fallback servers are created only if needed. This brings the behavior in line with the documentation and user expectation. It will also make it easier to implement a planned feature: different servers on different ports. 2023-02-04 18:59:38 -05:00			`("nohttp-with-missing-cert.yml", "http://unknown.nginx-proxy.test/", 503, None),`
test: default cert optional trust 2024-11-04 10:19:09 +01:00			`("nohttp-with-missing-cert.yml", "https://unknown.nginx-proxy.test/", 503, None),`
fix: Don't create fallback http(s) server when http(s) disabled Before, a fallback http server was created to handle requests for unknown virtual hosts even when `HTTPS_METHOD=nohttp`. (In this case, all http vhosts would be unknown.) Likewise, a catch-all fallback https server was still created even if `HTTPS_METHOD=nohttps`. Now the fallback servers are created only if needed. This brings the behavior in line with the documentation and user expectation. It will also make it easier to implement a planned feature: different servers on different ports. 2023-02-04 18:59:38 -05:00			`# HTTPS_METHOD=nohttps on nginx-proxy, HTTPS_METHOD unset on the app container.`
			`("nohttps.yml", "http://http-only.nginx-proxy.test/", 200, None),`
fix: nohttp(s) shouldn't disable fallback server Say we have two containers: - `app1` with `HTTPS_METHOD=redirect` - `app2` with `HTTPS_METHOD=nohttps` Without this change the fallback answer on an HTTPS request to an unknown server would change depending on whether `app1` is up (503) or not (connection refused). This is not wanted. In case someone doesn't want HTTPS at all, they just have to not bind port 443. 2024-06-06 21:44:45 +02:00			`("nohttps.yml", "https://http-only.nginx-proxy.test/", None, INTERNAL_ERR_RE),`
fix: Don't create fallback http(s) server when http(s) disabled Before, a fallback http server was created to handle requests for unknown virtual hosts even when `HTTPS_METHOD=nohttp`. (In this case, all http vhosts would be unknown.) Likewise, a catch-all fallback https server was still created even if `HTTPS_METHOD=nohttps`. Now the fallback servers are created only if needed. This brings the behavior in line with the documentation and user expectation. It will also make it easier to implement a planned feature: different servers on different ports. 2023-02-04 18:59:38 -05:00			`("nohttps.yml", "http://unknown.nginx-proxy.test/", 503, None),`
fix: nohttp(s) shouldn't disable fallback server Say we have two containers: - `app1` with `HTTPS_METHOD=redirect` - `app2` with `HTTPS_METHOD=nohttps` Without this change the fallback answer on an HTTPS request to an unknown server would change depending on whether `app1` is up (503) or not (connection refused). This is not wanted. In case someone doesn't want HTTPS at all, they just have to not bind port 443. 2024-06-06 21:44:45 +02:00			`("nohttps.yml", "https://unknown.nginx-proxy.test/", None, INTERNAL_ERR_RE),`
fix: Don't create fallback http(s) server when http(s) disabled Before, a fallback http server was created to handle requests for unknown virtual hosts even when `HTTPS_METHOD=nohttp`. (In this case, all http vhosts would be unknown.) Likewise, a catch-all fallback https server was still created even if `HTTPS_METHOD=nohttps`. Now the fallback servers are created only if needed. This brings the behavior in line with the documentation and user expectation. It will also make it easier to implement a planned feature: different servers on different ports. 2023-02-04 18:59:38 -05:00			`# HTTPS_METHOD=redirect on nginx-proxy, HTTPS_METHOD=nohttps on the app container.`
			`("nohttps-on-app.yml", "http://http-only.nginx-proxy.test/", 200, None),`
fix: nohttp(s) shouldn't disable fallback server Say we have two containers: - `app1` with `HTTPS_METHOD=redirect` - `app2` with `HTTPS_METHOD=nohttps` Without this change the fallback answer on an HTTPS request to an unknown server would change depending on whether `app1` is up (503) or not (connection refused). This is not wanted. In case someone doesn't want HTTPS at all, they just have to not bind port 443. 2024-06-06 21:44:45 +02:00			`("nohttps-on-app.yml", "https://http-only.nginx-proxy.test/", None, INTERNAL_ERR_RE),`
fix: Don't create fallback http(s) server when http(s) disabled Before, a fallback http server was created to handle requests for unknown virtual hosts even when `HTTPS_METHOD=nohttp`. (In this case, all http vhosts would be unknown.) Likewise, a catch-all fallback https server was still created even if `HTTPS_METHOD=nohttps`. Now the fallback servers are created only if needed. This brings the behavior in line with the documentation and user expectation. It will also make it easier to implement a planned feature: different servers on different ports. 2023-02-04 18:59:38 -05:00			`("nohttps-on-app.yml", "http://unknown.nginx-proxy.test/", 503, None),`
fix: nohttp(s) shouldn't disable fallback server Say we have two containers: - `app1` with `HTTPS_METHOD=redirect` - `app2` with `HTTPS_METHOD=nohttps` Without this change the fallback answer on an HTTPS request to an unknown server would change depending on whether `app1` is up (503) or not (connection refused). This is not wanted. In case someone doesn't want HTTPS at all, they just have to not bind port 443. 2024-06-06 21:44:45 +02:00			`("nohttps-on-app.yml", "https://unknown.nginx-proxy.test/", None, INTERNAL_ERR_RE),`
fix: Remove `default_server` listen option from fallback server This fixes a bug introduced in commit 9b4bb07b348dc5a428b94416517291adb30794c3. 2023-04-07 18:05:48 -04:00			# Custom nginx config that has a `server` directive that uses `default_server` and simply
			# returns 418. Nginx should successfully start (in particular, the `default_server` in the
			`# custom config should not conflict with the fallback server generated by nginx-proxy) and nginx`
			`# should prefer that server for handling requests for unknown vhosts.`
			`("custom-fallback.yml", "http://unknown.nginx-proxy.test/", 418, None),`
fix: Don't create cert error https server if https is not enabled 2023-02-02 17:17:00 -05:00			`])`
tests: factor out base nginx-proxy config 2024-12-30 11:59:07 +01:00			`def test_fallback(get, compose_file, url, want_code, want_err_re):`
fix: Don't create cert error https server if https is not enabled 2023-02-02 17:17:00 -05:00			`if want_err_re is None:`
			`r = get(url)`
			`assert r.status_code == want_code`
			`else:`
fix: reject SSL handshake rather than using empty certificate 2024-10-03 09:07:33 +02:00			`with pytest.raises(requests.exceptions.SSLError, match=want_err_re):`
fix: Don't create cert error https server if https is not enabled 2023-02-02 17:17:00 -05:00			`get(url)`