Merge pull request #1737 from junderw/fix-redirect

feat: redirect non-GET methods using 308 instead of 301

docs/README.md

@@ -580,6 +580,8 @@ The default behavior for the proxy when port 80 and 443 are exposed is as follow
 - If the virtual host does not have a usable cert, but `default.crt` and `default.key` exist, those will be used as the virtual host's certificate.
 - If the virtual host does not have a usable cert, and `default.crt` and `default.key` do not exist, or if the virtual host is configured not to trust the default certificate, SSL handshake will be rejected (see [Default and Missing Certificate](#default-and-missing-certificate) below).
 
+The redirection from HTTP to HTTPS use by default a [`301`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/301) response for every HTTP methods (except `CONNECT` and `TRACE` which are disabled on nginx). If you wish to use a custom redirection response for the `OPTIONS`, `POST`, `PUT`, `PATCH` and `DELETE` HTTP methods, you can either do it globally with the environment variable `NON_GET_REDIRECT` on the proxy container or per virtual host with the `com.github.nginx-proxy.nginx-proxy.non-get-redirect` label on proxied containers. Valid values are [`307`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/307) and [`308`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308).
+
 To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with `HTTPS_METHOD=nohttps`. `HTTPS_METHOD` can be specified on each container for which you want to override the default behavior or on the proxy container to set it globally. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS) is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP site after changing this setting, your browser has probably cached the HSTS policy and is automatically redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito window / different browser.
 
 By default, [HTTP Strict Transport Security (HSTS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) is enabled with `max-age=31536000` for HTTPS sites. You can disable HSTS with the environment variable `HSTS=off` or use a custom HSTS configuration like `HSTS=max-age=31536000; includeSubDomains; preload`.

nginx.tmpl

@@ -32,6 +32,7 @@
 {{- $_ := set $config "enable_http3" ($globals.Env.ENABLE_HTTP3 | default "false") }}
 {{- $_ := set $config "enable_http_on_missing_cert" ($globals.Env.ENABLE_HTTP_ON_MISSING_CERT | default "true") }}
 {{- $_ := set $config "https_method" ($globals.Env.HTTPS_METHOD | default "redirect") }}
+{{- $_ := set $config "non_get_redirect" ($globals.Env.NON_GET_REDIRECT | default "301") }}
 {{- $_ := set $config "default_host" $globals.Env.DEFAULT_HOST }}
 {{- $_ := set $config "resolvers" $globals.Env.RESOLVERS }}
 {{- /* LOG_JSON is a shorthand that sets logging defaults to JSON format */}}
@@ -736,8 +737,11 @@ proxy_set_header Proxy "";
     {{- if and $https_method_disable_http (not $cert_ok) $enable_http_on_missing_cert }}
         {{- $https_method = "noredirect" }}
     {{- end }}
+    {{- $non_get_redirect := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.non-get-redirect" | keys | first | default $globals.config.non_get_redirect }}
+    
     {{- $http2_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable" | keys | first | default $globals.config.enable_http2 | parseBool }}
     {{- $http3_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable" | keys | first | default $globals.config.enable_http3 | parseBool }}
+    
     {{- $acme_http_challenge := groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION" | first | default $globals.config.acme_http_challenge }}
     {{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }}
     {{- $acme_http_challenge_enabled := false }}
@@ -764,6 +768,7 @@ proxy_set_header Proxy "";
         "default" $default
         "hsts" $hsts
         "https_method" $https_method
+        "non_get_redirect" $non_get_redirect
         "http2_enabled" $http2_enabled
         "http3_enabled" $http3_enabled
         "is_regexp" $is_regexp
@@ -904,11 +909,14 @@ server {
         {{- end }}
 
     location / {
-        {{- if eq $globals.config.external_https_port "443" }}
-        return 301 https://$host$request_uri;
-        {{- else }}
-        return 301 https://$host:{{ $globals.config.external_https_port }}$request_uri;
+        {{- $redirect_uri := "https://$host$request_uri" }}
+        {{- if ne $globals.config.external_https_port "443" }}
+            {{- $redirect_uri = printf "https://$host:%s$request_uri" $globals.config.external_https_port }}
         {{- end}}
+        if ($request_method ~ (OPTIONS|POST|PUT|PATCH|DELETE)) {
+            return {{ $vhost.non_get_redirect }} {{ $redirect_uri }};
+        }
+        return 301 {{ $redirect_uri }};
     }
 }
     {{- end }}

test/test_ssl/test_redirect_custom.py

@@ -0,0 +1,38 @@
+import pytest
+
+
+@pytest.mark.parametrize("host,http_method,expected_code", [
+    ("nginx-proxy.tld", "GET", 301),
+    ("nginx-proxy.tld", "HEAD", 301),
+    ("nginx-proxy.tld", "POST", 308),
+    ("nginx-proxy.tld", "PUT", 308),
+    ("nginx-proxy.tld", "PATCH", 308),
+    ("nginx-proxy.tld", "DELETE", 308),
+    ("nginx-proxy.tld", "OPTIONS", 308),
+    ("nginx-proxy.tld", "CONNECT", 405),
+    ("nginx-proxy.tld", "TRACE", 405),
+    ("web2.nginx-proxy.tld", "GET", 301),
+    ("web2.nginx-proxy.tld", "HEAD", 301),
+    ("web2.nginx-proxy.tld", "POST", 307),
+    ("web2.nginx-proxy.tld", "PUT", 307),
+    ("web2.nginx-proxy.tld", "PATCH", 307),
+    ("web2.nginx-proxy.tld", "DELETE", 307),
+    ("web2.nginx-proxy.tld", "OPTIONS", 307),
+    ("web2.nginx-proxy.tld", "CONNECT", 405),
+    ("web2.nginx-proxy.tld", "TRACE", 405),
+])
+def test_custom_redirect_by_method(
+    docker_compose,
+    nginxproxy,
+    host: str,
+    http_method: str,
+    expected_code: int,
+):
+    r = nginxproxy.request(
+        method=http_method,
+        url=f'http://{host}',
+        allow_redirects=False,
+    )
+    assert r.status_code == expected_code
+    if expected_code in { 301, 302, 307, 308 }:
+        assert r.headers['Location'] == f'https://{host}/'

test/test_ssl/test_redirect_custom.yml

@@ -0,0 +1,22 @@
+services:
+  nginx-proxy:
+    environment:
+      NON_GET_REDIRECT: 308
+
+  web1:
+    image: web
+    expose:
+      - "81"
+    environment:
+      WEB_PORTS: "81"
+      VIRTUAL_HOST: "nginx-proxy.tld"
+  
+  web2:
+    image: web
+    expose:
+      - "82"
+    environment:
+      WEB_PORTS: "82"
+      VIRTUAL_HOST: "web2.nginx-proxy.tld"
+    labels:
+      com.github.nginx-proxy.nginx-proxy.non-get-redirect: 307

test/test_ssl/test_redirect_default.py

@@ -0,0 +1,28 @@
+import pytest
+
+
+@pytest.mark.parametrize("http_method,expected_code", [
+    ("GET", 301),
+    ("HEAD", 301),
+    ("POST", 301),
+    ("PUT", 301),
+    ("PATCH", 301),
+    ("DELETE", 301),
+    ("OPTIONS", 301),
+    ("CONNECT", 405),
+    ("TRACE", 405),
+])
+def test_default_redirect_by_method(
+    docker_compose,
+    nginxproxy,
+    http_method: str,
+    expected_code: int,
+):
+    r = nginxproxy.request(
+        method=http_method,
+        url='http://nginx-proxy.tld',
+        allow_redirects=False,
+    )
+    assert r.status_code == expected_code
+    if expected_code in { 301, 302, 307, 308 }:
+        assert r.headers['Location'] == 'https://nginx-proxy.tld/'

test/test_ssl/test_redirect_default.yml

@@ -0,0 +1,8 @@
+services:
+  web1:
+    image: web
+    expose:
+      - "81"
+    environment:
+      WEB_PORTS: "81"
+      VIRTUAL_HOST: "nginx-proxy.tld"