
feat: default certificate optional trust

This commit is contained in:
Nicolas Duchon 2024-11-03 23:56:39 +01:00
parent 023a3d17da
commit 469765bbb7


@ -19,6 +19,7 @@
{{- $_ := set $config "external_https_port" ($globals.Env.HTTPS_PORT | default "443") }} {{- $_ := set $config "external_https_port" ($globals.Env.HTTPS_PORT | default "443") }}
{{- $_ := set $config "sha1_upstream_name" ($globals.Env.SHA1_UPSTREAM_NAME | default "false" | parseBool) }} {{- $_ := set $config "sha1_upstream_name" ($globals.Env.SHA1_UPSTREAM_NAME | default "false" | parseBool) }}
{{- $_ := set $config "default_root_response" ($globals.Env.DEFAULT_ROOT | default "404") }} {{- $_ := set $config "default_root_response" ($globals.Env.DEFAULT_ROOT | default "404") }}
{{- $_ := set $config "trust_default_cert" ($globals.Env.TRUST_DEFAULT_CERT | default "true") }}
{{- $_ := set $config "trust_downstream_proxy" ($globals.Env.TRUST_DOWNSTREAM_PROXY | default "true" | parseBool) }} {{- $_ := set $config "trust_downstream_proxy" ($globals.Env.TRUST_DOWNSTREAM_PROXY | default "true" | parseBool) }}
{{- $_ := set $config "enable_access_log" ($globals.Env.DISABLE_ACCESS_LOGS | default "false" | parseBool | not) }} {{- $_ := set $config "enable_access_log" ($globals.Env.DISABLE_ACCESS_LOGS | default "false" | parseBool | not) }}
{{- $_ := set $config "enable_ipv6" ($globals.Env.ENABLE_IPV6 | default "false" | parseBool) }} {{- $_ := set $config "enable_ipv6" ($globals.Env.ENABLE_IPV6 | default "false" | parseBool) }}
@ -674,17 +675,18 @@ proxy_set_header Proxy "";
{{- $vhostCert := closest (dir "/etc/nginx/certs") (printf "%s.crt" $hostname) }} {{- $vhostCert := closest (dir "/etc/nginx/certs") (printf "%s.crt" $hostname) }}
{{- $vhostCert = trimSuffix ".crt" $vhostCert }} {{- $vhostCert = trimSuffix ".crt" $vhostCert }}
{{- $vhostCert = trimSuffix ".key" $vhostCert }} {{- $vhostCert = trimSuffix ".key" $vhostCert }}
{{- $cert := or $certName $vhostCert }} {{- $trust_default_cert := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.trust-default-cert" | keys | first | default $globals.config.trust_default_cert | parseBool }}
{{- $cert := and $trust_default_cert $globals.config.default_cert_ok | ternary "default" "" }}
{{- $cert = or $certName $vhostCert $cert }}
{{- $cert_ok := and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert)) }} {{- $cert_ok := and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert)) }}
{{- $enable_debug_endpoint := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.debug-endpoint" | keys | first | default $globals.config.enable_debug_endpoint | parseBool }} {{- $enable_debug_endpoint := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.debug-endpoint" | keys | first | default $globals.config.enable_debug_endpoint | parseBool }}
{{- $default := eq $globals.config.default_host $hostname }} {{- $default := eq $globals.config.default_host $hostname }}
{{- $https_method := groupByKeys $vhost_containers "Env.HTTPS_METHOD" | first | default $globals.config.https_method }} {{- $https_method := groupByKeys $vhost_containers "Env.HTTPS_METHOD" | first | default $globals.config.https_method }}
{{- $enable_http_on_missing_cert := groupByKeys $vhost_containers "Env.ENABLE_HTTP_ON_MISSING_CERT" | first | default $globals.config.enable_http_on_missing_cert | parseBool }} {{- $enable_http_on_missing_cert := groupByKeys $vhost_containers "Env.ENABLE_HTTP_ON_MISSING_CERT" | first | default $globals.config.enable_http_on_missing_cert | parseBool }}
{{- /* When both the vhost and default certificates are missing we want to ensure that HTTP is enabled; hence switching from 'nohttp' or 'redirect' to 'noredirect' */}} {{- /* When no trusted certs (default and/or vhost) are present we want to ensure that HTTP is enabled; hence switching from 'nohttp' or 'redirect' to 'noredirect' */}}
{{- $https_method_disable_http := list "nohttp" "redirect" | has $https_method }} {{- $https_method_disable_http := list "nohttp" "redirect" | has $https_method }}
{{- $no_vhost_or_default_cert := or $cert_ok $globals.config.default_cert_ok | not }} {{- if and $https_method_disable_http (not $cert_ok) $enable_http_on_missing_cert }}
{{- if and $https_method_disable_http $no_vhost_or_default_cert $enable_http_on_missing_cert }}
{{- $https_method = "noredirect" }} {{- $https_method = "noredirect" }}
{{- end }} {{- end }}
{{- $http2_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable" | keys | first | default $globals.config.enable_http2 | parseBool }} {{- $http2_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable" | keys | first | default $globals.config.enable_http2 | parseBool }}
@ -722,6 +724,7 @@ proxy_set_header Proxy "";
"acme_http_challenge_enabled" $acme_http_challenge_enabled "acme_http_challenge_enabled" $acme_http_challenge_enabled
"server_tokens" $server_tokens "server_tokens" $server_tokens
"ssl_policy" $ssl_policy "ssl_policy" $ssl_policy
"trust_default_cert" $trust_default_cert
"upstream_name" $upstream_name "upstream_name" $upstream_name
"vhost_root" $vhost_root "vhost_root" $vhost_root
) }} ) }}
@ -920,21 +923,15 @@ server {
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if or $vhost.cert_ok $globals.config.default_cert_ok }} {{- if $vhost.cert_ok }}
{{- template "ssl_policy" (dict "ssl_policy" $vhost.ssl_policy) }} {{- template "ssl_policy" (dict "ssl_policy" $vhost.ssl_policy) }}
ssl_session_timeout 5m; ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
ssl_session_tickets off; ssl_session_tickets off;
{{- if $vhost.cert_ok }}
ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $vhost.cert) }}; ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $vhost.cert) }};
ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $vhost.cert) }}; ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $vhost.cert) }};
{{- else }}
# No vhost certificate found, using the default certificate.
ssl_certificate /etc/nginx/certs/default.crt;
ssl_certificate_key /etc/nginx/certs/default.key;
{{- end }}
{{- if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $vhost.cert)) }} {{- if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $vhost.cert)) }}
ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $vhost.cert }}; ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $vhost.cert }};
@ -953,6 +950,9 @@ server {
} }
add_header Strict-Transport-Security $sts_header always; add_header Strict-Transport-Security $sts_header always;
{{- end }} {{- end }}
{{- else if not $vhost.trust_default_cert | and $globals.config.default_cert_ok }}
# No certificate found for this vhost, and the default certificate isn't trusted, so reject SSL handshake.
ssl_reject_handshake on;
{{- else }} {{- else }}
# No certificate for this vhost nor default certificate found, so reject SSL handshake. # No certificate for this vhost nor default certificate found, so reject SSL handshake.
ssl_reject_handshake on; ssl_reject_handshake on;
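Review bot: The comment on the final `else` branch (`# No certificate for this vhost nor default certificate found`) no longer describes every path that reaches it: with the new resolution order in the second hunk (`$cert = or $certName $vhostCert $cert`), a vhost whose explicit `$certName` or closest-match `$vhostCert` points at missing `.crt`/`.key` files gets `cert_ok` false even when a trusted default certificate exists, and because `trust_default_cert` is true it skips the `else if` and lands here. That also looks like a behavioural change from the removed code, which fell back to `default.crt` whenever `$vhost.cert_ok` was false and `default_cert_ok` was true; if dropping that fallback is intended, the commit description should say so, otherwise `$cert` would need to prefer `$certName`/`$vhostCert` only when their files exist. At minimum I would make the comment match the branch, e.g. `# No usable certificate for this vhost and no trusted default certificate, so reject SSL handshake.` Both the new `else if` and the `else` emit the same `ssl_reject_handshake on;`, so the split exists only for the comment, which is fine as long as the comment is accurate. The enclosing `server {` block starts and ends outside the hunk.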