thib8956/nginx-proxy
1
0
Fork 0
mirror of https://github.com/thib8956/nginx-proxy synced 2025-02-24 01:38:15 +00:00
Code Issues Releases Wiki Activity

feat: trust default certificate

Browse Source
This commit is contained in:
Nicolas Duchon 2024-11-03 20:10:32 +01:00
parent e96a3ddec2
commit 57e503c830
3 changed files with 10 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/README.md
View File

@ -582,7 +582,7 @@ By default, [HTTP Strict Transport Security (HSTS)](https://developer.mozilla.or
If no matching certificate is found for a given virtual host, nginx-proxy will:
- configure nginx to use the default certificate (`default.crt` with `default.key`) and return a 500 error for HTTPS,
- configure nginx to use the default certificate (`default.crt` with `default.key`),
- force enable HTTP; i.e. `HTTPS_METHOD` will switch to `noredirect` if it was set to `nohttp` or `redirect`.
If this switch to HTTP is not wanted set `ENABLE_HTTP_ON_MISSING_CERT=false` (default is `true`).

16
nginx.tmpl
View File

@ -918,15 +918,21 @@ server {
{{- end }}
{{- end }}
{{- if $vhost.cert_ok }}
{{- if or $vhost.cert_ok $globals.config.default_cert_ok }}
{{- template "ssl_policy" (dict "ssl_policy" $vhost.ssl_policy) }}
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
{{- if $vhost.cert_ok }}
ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $vhost.cert) }};
ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $vhost.cert) }};
{{- else }}
# No vhost certificate found, using the default certificate.
ssl_certificate /etc/nginx/certs/default.crt;
ssl_certificate_key /etc/nginx/certs/default.key;
{{- end }}
{{- if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $vhost.cert)) }}
ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $vhost.cert }};
@ -945,14 +951,6 @@ server {
}
add_header Strict-Transport-Security $sts_header always;
{{- end }}
{{- else if $globals.config.default_cert_ok }}
# No certificate found for this vhost, so use the default certificate and
# return an error code if the user connects via https.
ssl_certificate /etc/nginx/certs/default.crt;
ssl_certificate_key /etc/nginx/certs/default.key;
if ($https) {
return 500;
}
{{- else }}
# No certificate for this vhost nor default certificate found, so reject SSL handshake.
ssl_reject_handshake on;

4
test/test_fallback.py
View File

@ -44,7 +44,7 @@ INTERNAL_ERR_RE = re.compile("TLSV1_UNRECOGNIZED_NAME")
("withdefault.yml", "http://http-only.nginx-proxy.test/", 200, None),
("withdefault.yml", "https://http-only.nginx-proxy.test/", 503, None),
("withdefault.yml", "http://missing-cert.nginx-proxy.test/", 200, None),
("withdefault.yml", "https://missing-cert.nginx-proxy.test/", 500, None),
("withdefault.yml", "https://missing-cert.nginx-proxy.test/", 200, None),
("withdefault.yml", "http://unknown.nginx-proxy.test/", 503, None),
("withdefault.yml", "https://unknown.nginx-proxy.test/", 503, None),
# Same as withdefault.yml, except there is no default.crt.
@ -73,7 +73,7 @@ INTERNAL_ERR_RE = re.compile("TLSV1_UNRECOGNIZED_NAME")
("nohttp-with-missing-cert.yml", "http://https-only.nginx-proxy.test/", 503, None),
("nohttp-with-missing-cert.yml", "https://https-only.nginx-proxy.test/", 200, None),
("nohttp-with-missing-cert.yml", "http://missing-cert.nginx-proxy.test/", 200, None),
("nohttp-with-missing-cert.yml", "https://missing-cert.nginx-proxy.test/", 500, None),
("nohttp-with-missing-cert.yml", "https://missing-cert.nginx-proxy.test/", 200, None),
("nohttp-with-missing-cert.yml", "http://unknown.nginx-proxy.test/", 503, None),
("nohttp-with-missing-cert.yml", "https://unknown.nginx-proxy.test/", 503, None),
# HTTPS_METHOD=nohttps on nginx-proxy, HTTPS_METHOD unset on the app container.