thib8956/nginx-proxy
1
0
Fork 0
mirror of https://github.com/thib8956/nginx-proxy synced 2025-02-24 01:38:15 +00:00
Code Issues Releases Wiki Activity

Merge pull request #2535 from nginx-proxy/restore-default-certificate

Browse Source 
feat: trust default certificate
This commit is contained in:
Nicolas Duchon 2024-12-07 18:04:16 +01:00 committed by GitHub
commit 559ddc7d13
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 107 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,3 +1,4 @@
**/__pycache__/
**/.cache/
.idea/
wip

19
docs/README.md
View File

@ -568,8 +568,8 @@ Complete list of policies available through the `SSL_POLICY` environment variabl
The default behavior for the proxy when port 80 and 443 are exposed is as follows:
- If a virtual host has a usable cert, port 80 will redirect to 443 for that virtual host so that HTTPS is always preferred when available.
- If the virtual host does not have a usable cert, but `default.crt` and `default.key` exist, those will be used as the virtual host's certificate and the client browser will receive a 500 error.
- If the virtual host does not have a usable cert, and `default.crt` and `default.key` do not exist, SSL handshake will be rejected (see [Missing Certificate](#missing-certificate) below).
- If the virtual host does not have a usable cert, but `default.crt` and `default.key` exist, those will be used as the virtual host's certificate.
- If the virtual host does not have a usable cert, and `default.crt` and `default.key` do not exist, or if the virtual host is configured not to trust the default certificate, SSL handshake will be rejected (see [Default and Missing Certificate](#default-and-missing-certificate) below).
To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with `HTTPS_METHOD=nohttps`. `HTTPS_METHOD` can be specified on each container for which you want to override the default behavior or on the proxy container to set it globally. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS) is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP site after changing this setting, your browser has probably cached the HSTS policy and is automatically redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito window / different browser.
@ -578,15 +578,13 @@ By default, [HTTP Strict Transport Security (HSTS)](https://developer.mozilla.or
> [!WARNING]
> HSTS will force your users to visit the HTTPS version of your site for the max-age time - even if they type in http:// manually. The only way to get to an HTTP site after receiving an HSTS response is to clear your browser's HSTS cache.
### Missing Certificate
### Default and Missing Certificate
If no matching certificate is found for a given virtual host, nginx-proxy will:
If no matching certificate is found for a given virtual host, nginx-proxy will configure nginx to use the default certificate (`default.crt` with `default.key`).
- configure nginx to use the default certificate (`default.crt` with `default.key`) and return a 500 error for HTTPS,
- force enable HTTP; i.e. `HTTPS_METHOD` will switch to `noredirect` if it was set to `nohttp` or `redirect`.
If this switch to HTTP is not wanted set `ENABLE_HTTP_ON_MISSING_CERT=false` (default is `true`).
If the default certificate is also missing, nginx-proxy will configure nginx to reject the SSL handshake. Client browsers will render a TLS error page. As of October 2024, web browsers display the following error messages:
If the default certificate is also missing, nginx-proxy will:
- force enable HTTP; i.e. `HTTPS_METHOD` will switch to `noredirect` if it was set to `nohttp` or `redirect`. If this switch to HTTP is not wanted set `ENABLE_HTTP_ON_MISSING_CERT=false` (default is `true`).
- configure nginx to reject the SSL handshake for this vhost. Client browsers will render a TLS error page. As of October 2024, web browsers display the following error messages:
#### Chrome:
@ -613,6 +611,9 @@ If the default certificate is also missing, nginx-proxy will configure nginx to
>
> Safari can't open the page "https://example.test" because Safari can't establish a secure connection to the server "example.test".
> [!NOTE]
> Prior to version `1.7`, nginx-proxy never trusted the default certificate: when the default certificate was present, virtual hosts that did not have a usable per-virtual-host cert used the default cert but always returned a 500 error over HTTPS. If you want to restore this behaviour, you can do it globally by setting the enviroment variable `TRUST_DEFAULT_CERT` to `false` on the proxy container, or per-virtual-host by setting the label `com.github.nginx-proxy.nginx-proxy.trust-default-cert`to `false` on a proxied container.
⬆️ [back to table of contents](#table-of-contents)
## IPv6 Support

22
nginx.tmpl
View File

@ -19,6 +19,7 @@
{{- $_ := set $config "external_https_port" ($globals.Env.HTTPS_PORT | default "443") }}
{{- $_ := set $config "sha1_upstream_name" ($globals.Env.SHA1_UPSTREAM_NAME | default "false" | parseBool) }}
{{- $_ := set $config "default_root_response" ($globals.Env.DEFAULT_ROOT | default "404") }}
{{- $_ := set $config "trust_default_cert" ($globals.Env.TRUST_DEFAULT_CERT | default "true") }}
{{- $_ := set $config "trust_downstream_proxy" ($globals.Env.TRUST_DOWNSTREAM_PROXY | default "true" | parseBool) }}
{{- $_ := set $config "enable_access_log" ($globals.Env.DISABLE_ACCESS_LOGS | default "false" | parseBool | not) }}
{{- $_ := set $config "enable_ipv6" ($globals.Env.ENABLE_IPV6 | default "false" | parseBool) }}
@ -674,15 +675,18 @@ proxy_set_header Proxy "";
{{- $vhostCert := closest (dir "/etc/nginx/certs") (printf "%s.crt" $hostname) }}
{{- $vhostCert = trimSuffix ".crt" $vhostCert }}
{{- $vhostCert = trimSuffix ".key" $vhostCert }}
{{- $cert := or $certName $vhostCert }}
{{- $trust_default_cert := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.trust-default-cert" | keys | first | default $globals.config.trust_default_cert | parseBool }}
{{- $cert := and $trust_default_cert $globals.config.default_cert_ok | ternary "default" "" }}
{{- $cert = or $certName $vhostCert $cert }}
{{- $cert_ok := and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert)) }}
{{- $enable_debug_endpoint := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.debug-endpoint" | keys | first | default $globals.config.enable_debug_endpoint | parseBool }}
{{- $default := eq $globals.config.default_host $hostname }}
{{- $https_method := groupByKeys $vhost_containers "Env.HTTPS_METHOD" | first | default $globals.config.https_method }}
{{- $enable_http_on_missing_cert := groupByKeys $vhost_containers "Env.ENABLE_HTTP_ON_MISSING_CERT" | first | default $globals.config.enable_http_on_missing_cert | parseBool }}
{{- /* When the certificate is missing we want to ensure that HTTP is enabled; hence switching from 'nohttp' or 'redirect' to 'noredirect' */}}
{{- if (and $enable_http_on_missing_cert (not $cert_ok) (or (eq $https_method "nohttp") (eq $https_method "redirect"))) }}
{{- /* When no trusted certs (default and/or vhost) are present we want to ensure that HTTP is enabled; hence switching from 'nohttp' or 'redirect' to 'noredirect' */}}
{{- $https_method_disable_http := list "nohttp" "redirect" | has $https_method }}
{{- if and $https_method_disable_http (not $cert_ok) $enable_http_on_missing_cert }}
{{- $https_method = "noredirect" }}
{{- end }}
{{- $http2_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable" | keys | first | default $globals.config.enable_http2 | parseBool }}
@ -720,6 +724,7 @@ proxy_set_header Proxy "";
"acme_http_challenge_enabled" $acme_http_challenge_enabled
"server_tokens" $server_tokens
"ssl_policy" $ssl_policy
"trust_default_cert" $trust_default_cert
"upstream_name" $upstream_name
"vhost_root" $vhost_root
) }}
@ -945,14 +950,9 @@ server {
}
add_header Strict-Transport-Security $sts_header always;
{{- end }}
{{- else if $globals.config.default_cert_ok }}
# No certificate found for this vhost, so use the default certificate and
# return an error code if the user connects via https.
ssl_certificate /etc/nginx/certs/default.crt;
ssl_certificate_key /etc/nginx/certs/default.key;
if ($https) {
return 500;
}
{{- else if not $vhost.trust_default_cert | and $globals.config.default_cert_ok }}
# No certificate found for this vhost, and the default certificate isn't trusted, so reject SSL handshake.
ssl_reject_handshake on;
{{- else }}
# No certificate for this vhost nor default certificate found, so reject SSL handshake.
ssl_reject_handshake on;

10
test/test_fallback.data/nohttp-with-missing-cert.yml
View File

@ -24,3 +24,13 @@ services:
environment:
WEB_PORTS: "84"
VIRTUAL_HOST: missing-cert.nginx-proxy.test
missing-cert-default-untrusted:
image: web
expose:
- "85"
environment:
WEB_PORTS: "85"
VIRTUAL_HOST: missing-cert.default-untrusted.nginx-proxy.test
labels:
com.github.nginx-proxy.nginx-proxy.trust-default-cert: "false"

44
test/test_fallback.data/untrusteddefault.yml Normal file
View File

@ -0,0 +1,44 @@
version: "2"
services:
sut:
image: nginxproxy/nginx-proxy:test
volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro
- ./withdefault.certs:/etc/nginx/certs:ro
environment:
TRUST_DEFAULT_CERT: "false"
https-and-http:
image: web
expose:
- "81"
environment:
WEB_PORTS: "81"
VIRTUAL_HOST: https-and-http.nginx-proxy.test
https-only:
image: web
expose:
- "82"
environment:
WEB_PORTS: "82"
VIRTUAL_HOST: https-only.nginx-proxy.test
HTTPS_METHOD: nohttp
http-only:
image: web
expose:
- "83"
environment:
WEB_PORTS: "83"
VIRTUAL_HOST: http-only.nginx-proxy.test
HTTPS_METHOD: nohttps
missing-cert:
image: web
expose:
- "84"
environment:
WEB_PORTS: "84"
VIRTUAL_HOST: missing-cert.nginx-proxy.test

10
test/test_fallback.data/withdefault.yml
View File

@ -40,3 +40,13 @@ services:
environment:
WEB_PORTS: "84"
VIRTUAL_HOST: missing-cert.nginx-proxy.test
missing-cert-default-untrusted:
image: web
expose:
- "85"
environment:
WEB_PORTS: "85"
VIRTUAL_HOST: missing-cert.default-untrusted.nginx-proxy.test
labels:
com.github.nginx-proxy.nginx-proxy.trust-default-cert: "false"

26
test/test_fallback.py
View File

@ -43,10 +43,23 @@ INTERNAL_ERR_RE = re.compile("TLSV1_UNRECOGNIZED_NAME")
("withdefault.yml", "https://https-only.nginx-proxy.test/", 200, None),
("withdefault.yml", "http://http-only.nginx-proxy.test/", 200, None),
("withdefault.yml", "https://http-only.nginx-proxy.test/", 503, None),
("withdefault.yml", "http://missing-cert.nginx-proxy.test/", 200, None),
("withdefault.yml", "https://missing-cert.nginx-proxy.test/", 500, None),
("withdefault.yml", "http://missing-cert.nginx-proxy.test/", 301, None),
("withdefault.yml", "https://missing-cert.nginx-proxy.test/", 200, None),
("withdefault.yml", "http://missing-cert.default-untrusted.nginx-proxy.test/", 200, None),
("withdefault.yml", "https://missing-cert.default-untrusted.nginx-proxy.test/", None, INTERNAL_ERR_RE),
("withdefault.yml", "http://unknown.nginx-proxy.test/", 503, None),
("withdefault.yml", "https://unknown.nginx-proxy.test/", 503, None),
# Same as withdefault.yml, except default.crt is not trusted (TRUST_DEFAULT_CERT=false).
("untrusteddefault.yml", "http://https-and-http.nginx-proxy.test/", 301, None),
("untrusteddefault.yml", "https://https-and-http.nginx-proxy.test/", 200, None),
("untrusteddefault.yml", "http://https-only.nginx-proxy.test/", 503, None),
("untrusteddefault.yml", "https://https-only.nginx-proxy.test/", 200, None),
("untrusteddefault.yml", "http://http-only.nginx-proxy.test/", 200, None),
("untrusteddefault.yml", "https://http-only.nginx-proxy.test/", 503, None),
("untrusteddefault.yml", "http://missing-cert.nginx-proxy.test/", 200, None),
("untrusteddefault.yml", "https://missing-cert.nginx-proxy.test/", None, INTERNAL_ERR_RE),
("untrusteddefault.yml", "http://unknown.nginx-proxy.test/", 503, None),
("untrusteddefault.yml", "https://unknown.nginx-proxy.test/", 503, None),
# Same as withdefault.yml, except there is no default.crt.
("nodefault.yml", "http://https-and-http.nginx-proxy.test/", 301, None),
("nodefault.yml", "https://https-and-http.nginx-proxy.test/", 200, None),
@ -68,12 +81,15 @@ INTERNAL_ERR_RE = re.compile("TLSV1_UNRECOGNIZED_NAME")
("nohttp-on-app.yml", "https://https-only.nginx-proxy.test/", 200, None),
("nohttp-on-app.yml", "http://unknown.nginx-proxy.test/", 503, None),
("nohttp-on-app.yml", "https://unknown.nginx-proxy.test/", 503, None),
# Same as nohttp.yml, except there is a vhost with a missing cert. This causes its
# Same as nohttp.yml, except there are two vhosts with a missing cert, the second
# one being configured not to trust the default certificate. This causes its
# HTTPS_METHOD=nohttp setting to effectively become HTTPS_METHOD=noredirect.
("nohttp-with-missing-cert.yml", "http://https-only.nginx-proxy.test/", 503, None),
("nohttp-with-missing-cert.yml", "https://https-only.nginx-proxy.test/", 200, None),
("nohttp-with-missing-cert.yml", "http://missing-cert.nginx-proxy.test/", 200, None),
("nohttp-with-missing-cert.yml", "https://missing-cert.nginx-proxy.test/", 500, None),
("nohttp-with-missing-cert.yml", "http://missing-cert.nginx-proxy.test/", 503, None),
("nohttp-with-missing-cert.yml", "https://missing-cert.nginx-proxy.test/", 200, None),
("nohttp-with-missing-cert.yml", "http://missing-cert.default-untrusted.nginx-proxy.test/", 200, None),
("nohttp-with-missing-cert.yml", "https://missing-cert.default-untrusted.nginx-proxy.test/", None, INTERNAL_ERR_RE),
("nohttp-with-missing-cert.yml", "http://unknown.nginx-proxy.test/", 503, None),
("nohttp-with-missing-cert.yml", "https://unknown.nginx-proxy.test/", 503, None),
# HTTPS_METHOD=nohttps on nginx-proxy, HTTPS_METHOD unset on the app container.