diff --git a/docs/README.md b/docs/README.md
index 208ed35..2ee008a 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -582,7 +582,7 @@ By default, [HTTP Strict Transport Security (HSTS)](https://developer.mozilla.or
 If no matching certificate is found for a given virtual host, nginx-proxy will:
-- configure nginx to use the default certificate (`default.crt` with `default.key`) and return a 500 error for HTTPS,
+- configure nginx to use the default certificate (`default.crt` with `default.key`),
 - force enable HTTP; i.e. `HTTPS_METHOD` will switch to `noredirect` if it was set to `nohttp` or `redirect`. If this switch to HTTP is not wanted set `ENABLE_HTTP_ON_MISSING_CERT=false` (default is `true`).
diff --git a/nginx.tmpl b/nginx.tmpl
index a15e7e8..b9b0598 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -918,15 +918,21 @@ server {
 {{- end }}
 {{- end }}
- {{- if $vhost.cert_ok }}
+ {{- if or $vhost.cert_ok $globals.config.default_cert_ok }}
 {{- template "ssl_policy" (dict "ssl_policy" $vhost.ssl_policy) }}
 ssl_session_timeout 5m;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;
+ {{- if $vhost.cert_ok }}
 ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $vhost.cert) }};
 ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $vhost.cert) }};
+ {{- else }}
+ # No vhost certificate found, using the default certificate.
+ ssl_certificate /etc/nginx/certs/default.crt;
+ ssl_certificate_key /etc/nginx/certs/default.key;
+ {{- end }}
 {{- if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $vhost.cert)) }}
 ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $vhost.cert }};
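Review bot: The new `{{- else }}` branch terminates TLS with `default.crt`/`default.key`, but the `ssl_dhparam` lookup right after it still keys on `$vhost.cert` (`%s.dhparam.pem`), so a vhost with no certificate of its own never picks up a `default.dhparam.pem` even though it now uses the default key pair for the handshake. Mirroring the certificate selection would close that gap: `{{- $dh_name := $vhost.cert }}{{- if not $vhost.cert_ok }}{{- $dh_name = "default" }}{{- end }}` before the `exists` check, then `$dh_name` in both the `exists` test and the `ssl_dhparam` line. What `$vhost.cert` holds when no certificate was found is assigned outside this hunk, so I am inferring it does not already resolve to `default`. The enclosing `server` block starts before this hunk and the `{{- if or ... }}` opened here is closed in a later hunk.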
@@ -945,14 +951,6 @@ server {
 }
 add_header Strict-Transport-Security $sts_header always;
 {{- end }}
- {{- else if $globals.config.default_cert_ok }}
- # No certificate found for this vhost, so use the default certificate and
- # return an error code if the user connects via https.
- ssl_certificate /etc/nginx/certs/default.crt;
- ssl_certificate_key /etc/nginx/certs/default.key;
- if ($https) {
- return 500;
- }
 {{- else }}
 # No certificate for this vhost nor default certificate found, so reject SSL handshake.
 ssl_reject_handshake on;
diff --git a/test/test_fallback.py b/test/test_fallback.py
index a8a673a..13af825 100644
--- a/test/test_fallback.py
+++ b/test/test_fallback.py
@@ -44,7 +44,7 @@ INTERNAL_ERR_RE = re.compile("TLSV1_UNRECOGNIZED_NAME")
 ("withdefault.yml", "http://http-only.nginx-proxy.test/", 200, None),
 ("withdefault.yml", "https://http-only.nginx-proxy.test/", 503, None),
 ("withdefault.yml", "http://missing-cert.nginx-proxy.test/", 200, None),
- ("withdefault.yml", "https://missing-cert.nginx-proxy.test/", 500, None),
+ ("withdefault.yml", "https://missing-cert.nginx-proxy.test/", 200, None),
 ("withdefault.yml", "http://unknown.nginx-proxy.test/", 503, None),
 ("withdefault.yml", "https://unknown.nginx-proxy.test/", 503, None),
 # Same as withdefault.yml, except there is no default.crt.
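Review bot: Dropping the `else if $globals.config.default_cert_ok` branch puts vhosts without their own certificate under the same block as the `add_header Strict-Transport-Security $sts_header always;` line visible just above the removed lines, so a host served with `default.crt` now also emits HSTS and has its request proxied to the backend where it previously got a `return 500`. If `default.crt` is actually valid for the host (a wildcard, say) that is the desired outcome; if it is a placeholder, browsers will not honour HSTS on a connection with certificate errors, but clients that accept the default certificate anyway (custom trust stores, `curl -k` automation) now exchange application traffic over a certificate that was never issued for that name, which the old 500 deliberately prevented. Either guard the HSTS block with `{{- if $vhost.cert_ok }}` so it is only sent when the vhost's own certificate is in use, or state this trade-off explicitly in the README since the previous wording mentioned the 500. The `{{- if or ... }}` that the `{{- end }}` here closes is opened in an earlier hunk.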
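Review bot: The changed expectation for `https://missing-cert.nginx-proxy.test/` only pins a `200`, which cannot tell "served with `default.crt`" apart from the plain-HTTP fallback the row above already covers or from any other certificate nginx might present. Since the behaviour this commit introduces is precisely which certificate is presented on that connection, an assertion on the peer certificate's subject/SAN for this row would pin it; the fourth tuple field looks like an expected-error pattern (`INTERNAL_ERR_RE` above), so it may not be usable for the success path. The test function that consumes these tuples is outside the hunk, so I am inferring how the fields are used.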
@@ -73,7 +73,7 @@ INTERNAL_ERR_RE = re.compile("TLSV1_UNRECOGNIZED_NAME")
 ("nohttp-with-missing-cert.yml", "http://https-only.nginx-proxy.test/", 503, None),
 ("nohttp-with-missing-cert.yml", "https://https-only.nginx-proxy.test/", 200, None),
 ("nohttp-with-missing-cert.yml", "http://missing-cert.nginx-proxy.test/", 200, None),
- ("nohttp-with-missing-cert.yml", "https://missing-cert.nginx-proxy.test/", 500, None),
+ ("nohttp-with-missing-cert.yml", "https://missing-cert.nginx-proxy.test/", 200, None),
 ("nohttp-with-missing-cert.yml", "http://unknown.nginx-proxy.test/", 503, None),
 ("nohttp-with-missing-cert.yml", "https://unknown.nginx-proxy.test/", 503, None),
 # HTTPS_METHOD=nohttps on nginx-proxy, HTTPS_METHOD unset on the app container.