mirror of
https://github.com/thib8956/nginx-proxy
synced 2024-11-22 11:56:31 +00:00
Merge pull request #590 from kamermans/feature_nohttps
Added HTTPS_METHOD=nohttps to disable SSL site
This commit is contained in:
Jason Wilder
GitHub
commit
2c5d4ee3a9
13
README.md
13
README.md
@ -185,12 +185,13 @@ a 503.
|
||||
|
||||
To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the
|
||||
environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also
|
||||
disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. `HTTPS_METHOD` must be specified
|
||||
on each container for which you want to override the default behavior. If `HTTPS_METHOD=noredirect` is
|
||||
used, Strict Transport Security (HSTS) is disabled to prevent HTTPS users from being redirected by the
|
||||
client. If you cannot get to the HTTP site after changing this setting, your browser has probably cached
|
||||
the HSTS policy and is automatically redirecting you back to HTTPS. You will need to clear your browser's
|
||||
HSTS cache or use an incognito window / different browser.
|
||||
disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with
|
||||
`HTTPS_METHOD=nohttps`. `HTTPS_METHOD` must be specified on each container for which you want to
|
||||
override the default behavior. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS)
|
||||
is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP
|
||||
site after changing this setting, your browser has probably cached the HSTS policy and is automatically
|
||||
redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito
|
||||
window / different browser.
|
||||
|
||||
### Basic Authentication Support
|
||||
|
||||
|
||||
@ -141,7 +141,7 @@ upstream {{ $upstream_name }} {
|
||||
{{/* Use the cert specified on the container or fallback to the best vhost match */}}
|
||||
{{ $cert := (coalesce $certName $vhostCert) }}
|
||||
|
||||
{{ $is_https := (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
|
||||
{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
|
||||
|
||||
{{ if $is_https }}
|
||||
|
||||
|
||||
@ -17,7 +17,7 @@ function setup {
|
||||
|
||||
@test "[$TEST_FILE] test SSL for VIRTUAL_HOST=*.nginx-proxy.bats" {
|
||||
# WHEN
|
||||
prepare_web_container bats-ssl-hosts-1 "80 443" \
|
||||
prepare_web_container bats-ssl-hosts-1 "80" \
|
||||
-e VIRTUAL_HOST=*.nginx-proxy.bats \
|
||||
-e CERT_NAME=nginx-proxy.bats
|
||||
dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1
|
||||
@ -30,7 +30,7 @@ function setup {
|
||||
|
||||
@test "[$TEST_FILE] test HTTPS_METHOD=nohttp" {
|
||||
# WHEN
|
||||
prepare_web_container bats-ssl-hosts-2 "80 443" \
|
||||
prepare_web_container bats-ssl-hosts-2 "80" \
|
||||
-e VIRTUAL_HOST=*.nginx-proxy.bats \
|
||||
-e CERT_NAME=nginx-proxy.bats \
|
||||
-e HTTPS_METHOD=nohttp
|
||||
@ -44,7 +44,7 @@ function setup {
|
||||
|
||||
@test "[$TEST_FILE] test HTTPS_METHOD=noredirect" {
|
||||
# WHEN
|
||||
prepare_web_container bats-ssl-hosts-3 "80 443" \
|
||||
prepare_web_container bats-ssl-hosts-3 "80" \
|
||||
-e VIRTUAL_HOST=*.nginx-proxy.bats \
|
||||
-e CERT_NAME=nginx-proxy.bats \
|
||||
-e HTTPS_METHOD=noredirect
|
||||
@ -58,7 +58,7 @@ function setup {
|
||||
|
||||
@test "[$TEST_FILE] test SSL Strict-Transport-Security" {
|
||||
# WHEN
|
||||
prepare_web_container bats-ssl-hosts-4 "80 443" \
|
||||
prepare_web_container bats-ssl-hosts-4 "80" \
|
||||
-e VIRTUAL_HOST=*.nginx-proxy.bats \
|
||||
-e CERT_NAME=nginx-proxy.bats
|
||||
dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1
|
||||
@ -72,7 +72,7 @@ function setup {
|
||||
|
||||
@test "[$TEST_FILE] test HTTPS_METHOD=noredirect disables Strict-Transport-Security" {
|
||||
# WHEN
|
||||
prepare_web_container bats-ssl-hosts-5 "80 443" \
|
||||
prepare_web_container bats-ssl-hosts-5 "80" \
|
||||
-e VIRTUAL_HOST=*.nginx-proxy.bats \
|
||||
-e CERT_NAME=nginx-proxy.bats \
|
||||
-e HTTPS_METHOD=noredirect
|
||||
@ -85,6 +85,19 @@ function setup {
|
||||
refute_output -p "Strict-Transport-Security: max-age=31536000"
|
||||
}
|
||||
|
||||
@test "[$TEST_FILE] test HTTPS_METHOD=nohttps" {
|
||||
# WHEN
|
||||
prepare_web_container bats-ssl-hosts-6 "80" \
|
||||
-e VIRTUAL_HOST=*.nginx-proxy.bats \
|
||||
-e CERT_NAME=nginx-proxy.bats \
|
||||
-e HTTPS_METHOD=nohttps
|
||||
dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-6
|
||||
sleep 1
|
||||
|
||||
# THEN
|
||||
assert_down_https test.nginx-proxy.bats
|
||||
assert_200 test.nginx-proxy.bats
|
||||
}
|
||||
|
||||
@test "[$TEST_FILE] stop all bats containers" {
|
||||
stop_bats_containers
|
||||
@ -118,6 +131,15 @@ function assert_301 {
|
||||
assert_output -l 0 $'HTTP/1.1 301 Moved Permanently\r'
|
||||
}
|
||||
|
||||
# assert that querying nginx-proxy with the given Host header fails because the host is down
|
||||
# $1 Host HTTP header to use when querying nginx-proxy
|
||||
function assert_down_https {
|
||||
local -r host=$1
|
||||
|
||||
run curl_container_https $SUT_CONTAINER / --head --header "Host: $host"
|
||||
assert_failure
|
||||
}
|
||||
|
||||
# assert that querying nginx-proxy with the given Host header produces a `HTTP 200` response
|
||||
# $1 Host HTTP header to use when querying nginx-proxy
|
||||
function assert_200_https {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user