From 18598113117162375215bca182fa2c37a45a7793 Mon Sep 17 00:00:00 2001 From: junderw Date: Thu, 19 Aug 2021 07:29:39 +0900 Subject: [PATCH 1/7] feat: redirect using 308 for non-GET requests --- docs/README.md | 2 +- nginx.tmpl | 14 ++++++++++++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/docs/README.md b/docs/README.md index 5d8da45..52972b8 100644 --- a/docs/README.md +++ b/docs/README.md @@ -571,7 +571,7 @@ Complete list of policies available through the `SSL_POLICY` environment variabl The default behavior for the proxy when port 80 and 443 are exposed is as follows: -- If a virtual host has a usable cert, port 80 will redirect to 443 for that virtual host so that HTTPS is always preferred when available. +- If a virtual host has a usable cert, port 80 will redirect to 443 for that virtual host so that HTTPS is always preferred when available. This redirect will use a [301 code](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/301) for `GET` requests and [308 code](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308) for any other HTTP method (`POST`/`HEAD`/`PUT` etc.). - If the virtual host does not have a usable cert, but `default.crt` and `default.key` exist, those will be used as the virtual host's certificate. - If the virtual host does not have a usable cert, and `default.crt` and `default.key` do not exist, or if the virtual host is configured not to trust the default certificate, SSL handshake will be rejected (see [Default and Missing Certificate](#default-and-missing-certificate) below). diff --git a/nginx.tmpl b/nginx.tmpl index d18b2ab..e11a6bd 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -887,9 +887,19 @@ server { location / { {{- if eq $globals.config.external_https_port "443" }} - return 301 https://$host$request_uri; + if ($request_method = GET) { + return 301 https://$host$request_uri; + } + if ($request_method != GET) { + return 308 https://$host$request_uri; + } {{- else }} - return 301 https://$host:{{ $globals.config.external_https_port }}$request_uri; + if ($request_method = GET) { + return 301 https://$host:{{ $globals.config.external_https_port }}$request_uri; + } + if ($request_method != GET) { + return 308 https://$host:{{ $globals.config.external_https_port }}$request_uri; + } {{- end }} } } From 820d4a29ac445682fe9eb3f3beb6de209e92840f Mon Sep 17 00:00:00 2001 From: junderw Date: Thu, 19 Aug 2021 16:47:44 +0900 Subject: [PATCH 2/7] tests: redirects --- test/test_ssl/test_redirect.py | 34 +++++++++++++++++++++++++++++++++ test/test_ssl/test_redirect.yml | 14 ++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 test/test_ssl/test_redirect.py create mode 100644 test/test_ssl/test_redirect.yml diff --git a/test/test_ssl/test_redirect.py b/test/test_ssl/test_redirect.py new file mode 100644 index 0000000..6fcabad --- /dev/null +++ b/test/test_ssl/test_redirect.py @@ -0,0 +1,34 @@ +import pytest + +# These tests are to test that GET is 301 and other methods all use 308 +# Permanent Redirects +# https://github.com/nginx-proxy/nginx-proxy/pull/1737 +def test_web1_GET_301(docker_compose, nginxproxy): + r = nginxproxy.get('http://web1.nginx-proxy.tld', allow_redirects=False) + assert r.status_code == 301 + assert r.headers['Location'] == 'https://web1.nginx-proxy.tld/' + +def test_web1_POST_308(docker_compose, nginxproxy): + r = nginxproxy.post('http://web1.nginx-proxy.tld', allow_redirects=False) + assert r.status_code == 308 + assert r.headers['Location'] == 'https://web1.nginx-proxy.tld/' + +def test_web1_PUT_308(docker_compose, nginxproxy): + r = nginxproxy.put('http://web1.nginx-proxy.tld', allow_redirects=False) + assert r.status_code == 308 + assert r.headers['Location'] == 'https://web1.nginx-proxy.tld/' + +def test_web1_HEAD_308(docker_compose, nginxproxy): + r = nginxproxy.head('http://web1.nginx-proxy.tld', allow_redirects=False) + assert r.status_code == 308 + assert r.headers['Location'] == 'https://web1.nginx-proxy.tld/' + +def test_web1_DELETE_308(docker_compose, nginxproxy): + r = nginxproxy.delete('http://web1.nginx-proxy.tld', allow_redirects=False) + assert r.status_code == 308 + assert r.headers['Location'] == 'https://web1.nginx-proxy.tld/' + +def test_web1_OPTIONS_308(docker_compose, nginxproxy): + r = nginxproxy.options('http://web1.nginx-proxy.tld', allow_redirects=False) + assert r.status_code == 308 + assert r.headers['Location'] == 'https://web1.nginx-proxy.tld/' diff --git a/test/test_ssl/test_redirect.yml b/test/test_ssl/test_redirect.yml new file mode 100644 index 0000000..62694bd --- /dev/null +++ b/test/test_ssl/test_redirect.yml @@ -0,0 +1,14 @@ +web1: + image: web + expose: + - "81" + environment: + WEB_PORTS: "81" + VIRTUAL_HOST: "web1.nginx-proxy.tld" + +sut: + image: nginxproxy/nginx-proxy:test + volumes: + - /var/run/docker.sock:/tmp/docker.sock:ro + - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro + - ./certs:/etc/nginx/certs:ro From 923f05032f8647722ceafb882befb76c783aeaf2 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Sun, 8 Dec 2024 18:38:05 +0100 Subject: [PATCH 3/7] tests: fix tests & test compose file --- test/test_ssl/test_redirect.py | 24 ++++++++++++------------ test/test_ssl/test_redirect.yml | 26 +++++++++++++------------- 2 files changed, 25 insertions(+), 25 deletions(-) diff --git a/test/test_ssl/test_redirect.py b/test/test_ssl/test_redirect.py index 6fcabad..e42c792 100644 --- a/test/test_ssl/test_redirect.py +++ b/test/test_ssl/test_redirect.py @@ -4,31 +4,31 @@ import pytest # Permanent Redirects # https://github.com/nginx-proxy/nginx-proxy/pull/1737 def test_web1_GET_301(docker_compose, nginxproxy): - r = nginxproxy.get('http://web1.nginx-proxy.tld', allow_redirects=False) + r = nginxproxy.get('http://nginx-proxy.tld', allow_redirects=False) assert r.status_code == 301 - assert r.headers['Location'] == 'https://web1.nginx-proxy.tld/' + assert r.headers['Location'] == 'https://nginx-proxy.tld/' def test_web1_POST_308(docker_compose, nginxproxy): - r = nginxproxy.post('http://web1.nginx-proxy.tld', allow_redirects=False) + r = nginxproxy.post('http://nginx-proxy.tld', allow_redirects=False) assert r.status_code == 308 - assert r.headers['Location'] == 'https://web1.nginx-proxy.tld/' + assert r.headers['Location'] == 'https://nginx-proxy.tld/' def test_web1_PUT_308(docker_compose, nginxproxy): - r = nginxproxy.put('http://web1.nginx-proxy.tld', allow_redirects=False) + r = nginxproxy.put('http://nginx-proxy.tld', allow_redirects=False) assert r.status_code == 308 - assert r.headers['Location'] == 'https://web1.nginx-proxy.tld/' + assert r.headers['Location'] == 'https://nginx-proxy.tld/' def test_web1_HEAD_308(docker_compose, nginxproxy): - r = nginxproxy.head('http://web1.nginx-proxy.tld', allow_redirects=False) + r = nginxproxy.head('http://nginx-proxy.tld', allow_redirects=False) assert r.status_code == 308 - assert r.headers['Location'] == 'https://web1.nginx-proxy.tld/' + assert r.headers['Location'] == 'https://nginx-proxy.tld/' def test_web1_DELETE_308(docker_compose, nginxproxy): - r = nginxproxy.delete('http://web1.nginx-proxy.tld', allow_redirects=False) + r = nginxproxy.delete('http://nginx-proxy.tld', allow_redirects=False) assert r.status_code == 308 - assert r.headers['Location'] == 'https://web1.nginx-proxy.tld/' + assert r.headers['Location'] == 'https://nginx-proxy.tld/' def test_web1_OPTIONS_308(docker_compose, nginxproxy): - r = nginxproxy.options('http://web1.nginx-proxy.tld', allow_redirects=False) + r = nginxproxy.options('http://nginx-proxy.tld', allow_redirects=False) assert r.status_code == 308 - assert r.headers['Location'] == 'https://web1.nginx-proxy.tld/' + assert r.headers['Location'] == 'https://nginx-proxy.tld/' diff --git a/test/test_ssl/test_redirect.yml b/test/test_ssl/test_redirect.yml index 62694bd..07efc17 100644 --- a/test/test_ssl/test_redirect.yml +++ b/test/test_ssl/test_redirect.yml @@ -1,14 +1,14 @@ -web1: - image: web - expose: - - "81" - environment: - WEB_PORTS: "81" - VIRTUAL_HOST: "web1.nginx-proxy.tld" +services: + web1: + image: web + expose: + - "81" + environment: + WEB_PORTS: "81" + VIRTUAL_HOST: "nginx-proxy.tld" -sut: - image: nginxproxy/nginx-proxy:test - volumes: - - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro - - ./certs:/etc/nginx/certs:ro + sut: + image: nginxproxy/nginx-proxy:test + volumes: + - /var/run/docker.sock:/tmp/docker.sock:ro + - ./certs:/etc/nginx/certs:ro From 8447a36046f6b02ee695bb0a7a3814a040fc0796 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Sun, 8 Dec 2024 19:41:31 +0100 Subject: [PATCH 4/7] tests: parameterize test --- test/test_ssl/test_redirect.py | 56 +++++++++++++++------------------- 1 file changed, 25 insertions(+), 31 deletions(-) diff --git a/test/test_ssl/test_redirect.py b/test/test_ssl/test_redirect.py index e42c792..0e32be2 100644 --- a/test/test_ssl/test_redirect.py +++ b/test/test_ssl/test_redirect.py @@ -1,34 +1,28 @@ import pytest -# These tests are to test that GET is 301 and other methods all use 308 -# Permanent Redirects -# https://github.com/nginx-proxy/nginx-proxy/pull/1737 -def test_web1_GET_301(docker_compose, nginxproxy): - r = nginxproxy.get('http://nginx-proxy.tld', allow_redirects=False) - assert r.status_code == 301 - assert r.headers['Location'] == 'https://nginx-proxy.tld/' -def test_web1_POST_308(docker_compose, nginxproxy): - r = nginxproxy.post('http://nginx-proxy.tld', allow_redirects=False) - assert r.status_code == 308 - assert r.headers['Location'] == 'https://nginx-proxy.tld/' - -def test_web1_PUT_308(docker_compose, nginxproxy): - r = nginxproxy.put('http://nginx-proxy.tld', allow_redirects=False) - assert r.status_code == 308 - assert r.headers['Location'] == 'https://nginx-proxy.tld/' - -def test_web1_HEAD_308(docker_compose, nginxproxy): - r = nginxproxy.head('http://nginx-proxy.tld', allow_redirects=False) - assert r.status_code == 308 - assert r.headers['Location'] == 'https://nginx-proxy.tld/' - -def test_web1_DELETE_308(docker_compose, nginxproxy): - r = nginxproxy.delete('http://nginx-proxy.tld', allow_redirects=False) - assert r.status_code == 308 - assert r.headers['Location'] == 'https://nginx-proxy.tld/' - -def test_web1_OPTIONS_308(docker_compose, nginxproxy): - r = nginxproxy.options('http://nginx-proxy.tld', allow_redirects=False) - assert r.status_code == 308 - assert r.headers['Location'] == 'https://nginx-proxy.tld/' +@pytest.mark.parametrize("http_method,expected_code", [ + ("GET", 301), + ("HEAD", 308), + ("POST", 308), + ("PUT", 308), + ("PATCH", 308), + ("DELETE", 308), + ("OPTIONS", 308), + ("CONNECT", 405), + ("TRACE", 405), +]) +def test_default_redirect_by_method( + docker_compose, + nginxproxy, + http_method: str, + expected_code: int, +): + r = nginxproxy.request( + method=http_method, + url='http://nginx-proxy.tld', + allow_redirects=False, + ) + assert r.status_code == expected_code + if expected_code in { 301, 302, 307, 308 }: + assert r.headers['Location'] == 'https://nginx-proxy.tld/' From 9fc7cec15cdb87d5318c08792b04b6bedb9fa975 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Sun, 8 Dec 2024 20:04:50 +0100 Subject: [PATCH 5/7] feat: customizable non get redirect code --- docs/README.md | 4 +- nginx.tmpl | 26 ++++++------- test/test_ssl/test_redirect_custom.py | 38 +++++++++++++++++++ test/test_ssl/test_redirect_custom.yml | 26 +++++++++++++ ...t_redirect.py => test_redirect_default.py} | 12 +++--- ...redirect.yml => test_redirect_default.yml} | 0 6 files changed, 85 insertions(+), 21 deletions(-) create mode 100644 test/test_ssl/test_redirect_custom.py create mode 100644 test/test_ssl/test_redirect_custom.yml rename test/test_ssl/{test_redirect.py => test_redirect_default.py} (82%) rename test/test_ssl/{test_redirect.yml => test_redirect_default.yml} (100%) diff --git a/docs/README.md b/docs/README.md index 52972b8..1b4ecab 100644 --- a/docs/README.md +++ b/docs/README.md @@ -571,10 +571,12 @@ Complete list of policies available through the `SSL_POLICY` environment variabl The default behavior for the proxy when port 80 and 443 are exposed is as follows: -- If a virtual host has a usable cert, port 80 will redirect to 443 for that virtual host so that HTTPS is always preferred when available. This redirect will use a [301 code](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/301) for `GET` requests and [308 code](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308) for any other HTTP method (`POST`/`HEAD`/`PUT` etc.). +- If a virtual host has a usable cert, port 80 will redirect to 443 for that virtual host so that HTTPS is always preferred when available. - If the virtual host does not have a usable cert, but `default.crt` and `default.key` exist, those will be used as the virtual host's certificate. - If the virtual host does not have a usable cert, and `default.crt` and `default.key` do not exist, or if the virtual host is configured not to trust the default certificate, SSL handshake will be rejected (see [Default and Missing Certificate](#default-and-missing-certificate) below). +The redirection from HTTP to HTTPS use by default a [`301`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/301) response for every HTTP methods (except `CONNECT` and `TRACE` which are disabled on nginx). If you wish to use a custom redirection response for the `OPTIONS`, `POST`, `PUT`, `PATCH` and `DELETE` HTTP methods (for example to use a ), you can either do it globally with the environment variable `NON_GET_REDIRECT` on the proxy container or per virtual host with the `com.github.nginx-proxy.nginx-proxy.non-get-redirect` label on proxied containers. Valid values are [`307`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/307) and [`308`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308). + To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with `HTTPS_METHOD=nohttps`. `HTTPS_METHOD` can be specified on each container for which you want to override the default behavior or on the proxy container to set it globally. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS) is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP site after changing this setting, your browser has probably cached the HSTS policy and is automatically redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito window / different browser. By default, [HTTP Strict Transport Security (HSTS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) is enabled with `max-age=31536000` for HTTPS sites. You can disable HSTS with the environment variable `HSTS=off` or use a custom HSTS configuration like `HSTS=max-age=31536000; includeSubDomains; preload`. diff --git a/nginx.tmpl b/nginx.tmpl index e11a6bd..ecff051 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -32,6 +32,7 @@ {{- $_ := set $config "enable_http3" ($globals.Env.ENABLE_HTTP3 | default "false") }} {{- $_ := set $config "enable_http_on_missing_cert" ($globals.Env.ENABLE_HTTP_ON_MISSING_CERT | default "true") }} {{- $_ := set $config "https_method" ($globals.Env.HTTPS_METHOD | default "redirect") }} +{{- $_ := set $config "non_get_redirect" ($globals.Env.NON_GET_REDIRECT | default "301") }} {{- $_ := set $config "default_host" $globals.Env.DEFAULT_HOST }} {{- $_ := set $config "resolvers" $globals.Env.RESOLVERS }} {{- /* LOG_JSON is a shorthand that sets logging defaults to JSON format */}} @@ -718,8 +719,11 @@ proxy_set_header Proxy ""; {{- if and $https_method_disable_http (not $cert_ok) $enable_http_on_missing_cert }} {{- $https_method = "noredirect" }} {{- end }} + {{- $non_get_redirect := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.non-get-redirect" | keys | first | default $globals.config.non_get_redirect }} + {{- $http2_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable" | keys | first | default $globals.config.enable_http2 | parseBool }} {{- $http3_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable" | keys | first | default $globals.config.enable_http3 | parseBool }} + {{- $acme_http_challenge := groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION" | first | default $globals.config.acme_http_challenge }} {{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }} {{- $acme_http_challenge_enabled := false }} @@ -746,6 +750,7 @@ proxy_set_header Proxy ""; "default" $default "hsts" $hsts "https_method" $https_method + "non_get_redirect" $non_get_redirect "http2_enabled" $http2_enabled "http3_enabled" $http3_enabled "is_regexp" $is_regexp @@ -886,21 +891,14 @@ server { {{- end }} location / { - {{- if eq $globals.config.external_https_port "443" }} - if ($request_method = GET) { - return 301 https://$host$request_uri; + {{- $redirect_uri := "https://$host$request_uri" }} + {{- if ne $globals.config.external_https_port "443" }} + {{- $redirect_uri = printf "https://$host:%s$request_uri" $globals.config.external_https_port }} + {{- end}} + if ($request_method ~ (OPTIONS|POST|PUT|PATCH|DELETE)) { + return {{ $vhost.non_get_redirect }} {{ $redirect_uri }}; } - if ($request_method != GET) { - return 308 https://$host$request_uri; - } - {{- else }} - if ($request_method = GET) { - return 301 https://$host:{{ $globals.config.external_https_port }}$request_uri; - } - if ($request_method != GET) { - return 308 https://$host:{{ $globals.config.external_https_port }}$request_uri; - } - {{- end }} + return 301 {{ $redirect_uri }}; } } {{- end }} diff --git a/test/test_ssl/test_redirect_custom.py b/test/test_ssl/test_redirect_custom.py new file mode 100644 index 0000000..07c951d --- /dev/null +++ b/test/test_ssl/test_redirect_custom.py @@ -0,0 +1,38 @@ +import pytest + + +@pytest.mark.parametrize("host,http_method,expected_code", [ + ("nginx-proxy.tld", "GET", 301), + ("nginx-proxy.tld", "HEAD", 301), + ("nginx-proxy.tld", "POST", 308), + ("nginx-proxy.tld", "PUT", 308), + ("nginx-proxy.tld", "PATCH", 308), + ("nginx-proxy.tld", "DELETE", 308), + ("nginx-proxy.tld", "OPTIONS", 308), + ("nginx-proxy.tld", "CONNECT", 405), + ("nginx-proxy.tld", "TRACE", 405), + ("web2.nginx-proxy.tld", "GET", 301), + ("web2.nginx-proxy.tld", "HEAD", 301), + ("web2.nginx-proxy.tld", "POST", 307), + ("web2.nginx-proxy.tld", "PUT", 307), + ("web2.nginx-proxy.tld", "PATCH", 307), + ("web2.nginx-proxy.tld", "DELETE", 307), + ("web2.nginx-proxy.tld", "OPTIONS", 307), + ("web2.nginx-proxy.tld", "CONNECT", 405), + ("web2.nginx-proxy.tld", "TRACE", 405), +]) +def test_custom_redirect_by_method( + docker_compose, + nginxproxy, + host: str, + http_method: str, + expected_code: int, +): + r = nginxproxy.request( + method=http_method, + url=f'http://{host}', + allow_redirects=False, + ) + assert r.status_code == expected_code + if expected_code in { 301, 302, 307, 308 }: + assert r.headers['Location'] == f'https://{host}/' diff --git a/test/test_ssl/test_redirect_custom.yml b/test/test_ssl/test_redirect_custom.yml new file mode 100644 index 0000000..c6c70d2 --- /dev/null +++ b/test/test_ssl/test_redirect_custom.yml @@ -0,0 +1,26 @@ +services: + web1: + image: web + expose: + - "81" + environment: + WEB_PORTS: "81" + VIRTUAL_HOST: "nginx-proxy.tld" + + web2: + image: web + expose: + - "82" + environment: + WEB_PORTS: "82" + VIRTUAL_HOST: "web2.nginx-proxy.tld" + labels: + com.github.nginx-proxy.nginx-proxy.non-get-redirect: 307 + + sut: + image: nginxproxy/nginx-proxy:test + environment: + NON_GET_REDIRECT: 308 + volumes: + - /var/run/docker.sock:/tmp/docker.sock:ro + - ./certs:/etc/nginx/certs:ro diff --git a/test/test_ssl/test_redirect.py b/test/test_ssl/test_redirect_default.py similarity index 82% rename from test/test_ssl/test_redirect.py rename to test/test_ssl/test_redirect_default.py index 0e32be2..ca558a0 100644 --- a/test/test_ssl/test_redirect.py +++ b/test/test_ssl/test_redirect_default.py @@ -3,12 +3,12 @@ import pytest @pytest.mark.parametrize("http_method,expected_code", [ ("GET", 301), - ("HEAD", 308), - ("POST", 308), - ("PUT", 308), - ("PATCH", 308), - ("DELETE", 308), - ("OPTIONS", 308), + ("HEAD", 301), + ("POST", 301), + ("PUT", 301), + ("PATCH", 301), + ("DELETE", 301), + ("OPTIONS", 301), ("CONNECT", 405), ("TRACE", 405), ]) diff --git a/test/test_ssl/test_redirect.yml b/test/test_ssl/test_redirect_default.yml similarity index 100% rename from test/test_ssl/test_redirect.yml rename to test/test_ssl/test_redirect_default.yml From 9312d5239ab9dac402284c49574cf8bfe94a0c87 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Wed, 11 Dec 2024 21:07:08 +0100 Subject: [PATCH 6/7] docs: typo --- docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/README.md b/docs/README.md index 1b4ecab..734457b 100644 --- a/docs/README.md +++ b/docs/README.md @@ -575,7 +575,7 @@ The default behavior for the proxy when port 80 and 443 are exposed is as follow - If the virtual host does not have a usable cert, but `default.crt` and `default.key` exist, those will be used as the virtual host's certificate. - If the virtual host does not have a usable cert, and `default.crt` and `default.key` do not exist, or if the virtual host is configured not to trust the default certificate, SSL handshake will be rejected (see [Default and Missing Certificate](#default-and-missing-certificate) below). -The redirection from HTTP to HTTPS use by default a [`301`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/301) response for every HTTP methods (except `CONNECT` and `TRACE` which are disabled on nginx). If you wish to use a custom redirection response for the `OPTIONS`, `POST`, `PUT`, `PATCH` and `DELETE` HTTP methods (for example to use a ), you can either do it globally with the environment variable `NON_GET_REDIRECT` on the proxy container or per virtual host with the `com.github.nginx-proxy.nginx-proxy.non-get-redirect` label on proxied containers. Valid values are [`307`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/307) and [`308`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308). +The redirection from HTTP to HTTPS use by default a [`301`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/301) response for every HTTP methods (except `CONNECT` and `TRACE` which are disabled on nginx). If you wish to use a custom redirection response for the `OPTIONS`, `POST`, `PUT`, `PATCH` and `DELETE` HTTP methods, you can either do it globally with the environment variable `NON_GET_REDIRECT` on the proxy container or per virtual host with the `com.github.nginx-proxy.nginx-proxy.non-get-redirect` label on proxied containers. Valid values are [`307`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/307) and [`308`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308). To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with `HTTPS_METHOD=nohttps`. `HTTPS_METHOD` can be specified on each container for which you want to override the default behavior or on the proxy container to set it globally. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS) is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP site after changing this setting, your browser has probably cached the HSTS policy and is automatically redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito window / different browser. From a61e485410543aa414455476416d7b9bc64c1bc9 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Sat, 18 Jan 2025 20:41:17 +0100 Subject: [PATCH 7/7] tests: refactor due to rebase --- test/test_ssl/test_redirect_custom.yml | 12 ++++-------- test/test_ssl/test_redirect_default.yml | 6 ------ 2 files changed, 4 insertions(+), 14 deletions(-) diff --git a/test/test_ssl/test_redirect_custom.yml b/test/test_ssl/test_redirect_custom.yml index c6c70d2..19f883a 100644 --- a/test/test_ssl/test_redirect_custom.yml +++ b/test/test_ssl/test_redirect_custom.yml @@ -1,4 +1,8 @@ services: + nginx-proxy: + environment: + NON_GET_REDIRECT: 308 + web1: image: web expose: @@ -16,11 +20,3 @@ services: VIRTUAL_HOST: "web2.nginx-proxy.tld" labels: com.github.nginx-proxy.nginx-proxy.non-get-redirect: 307 - - sut: - image: nginxproxy/nginx-proxy:test - environment: - NON_GET_REDIRECT: 308 - volumes: - - /var/run/docker.sock:/tmp/docker.sock:ro - - ./certs:/etc/nginx/certs:ro diff --git a/test/test_ssl/test_redirect_default.yml b/test/test_ssl/test_redirect_default.yml index 07efc17..17044fc 100644 --- a/test/test_ssl/test_redirect_default.yml +++ b/test/test_ssl/test_redirect_default.yml @@ -6,9 +6,3 @@ services: environment: WEB_PORTS: "81" VIRTUAL_HOST: "nginx-proxy.tld" - - sut: - image: nginxproxy/nginx-proxy:test - volumes: - - /var/run/docker.sock:/tmp/docker.sock:ro - - ./certs:/etc/nginx/certs:ro