From 8414a94d59bf70d4928c4f8785966d3b987c115f Mon Sep 17 00:00:00 2001 From: Thomas LEVEIL Date: Wed, 15 Mar 2017 02:11:21 +0100 Subject: [PATCH] TESTS: add test for the case in which a wildcard cert matches a container having `nohttps` set --- .../wildcard_cert_and_nohttps/README.md | 6 ++ .../certs/default.crt | 70 ++++++++++++++++++ .../certs/default.key | 27 +++++++ .../certs/web.nginx-proxy.tld.crt | 71 +++++++++++++++++++ .../certs/web.nginx-proxy.tld.key | 27 +++++++ .../docker-compose.yml | 33 +++++++++ .../test_wildcard_cert_nohttps.py | 31 ++++++++ 7 files changed, 265 insertions(+) create mode 100644 test/test_ssl/wildcard_cert_and_nohttps/README.md create mode 100644 test/test_ssl/wildcard_cert_and_nohttps/certs/default.crt create mode 100644 test/test_ssl/wildcard_cert_and_nohttps/certs/default.key create mode 100644 test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.crt create mode 100644 test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.key create mode 100644 test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml create mode 100644 test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py diff --git a/test/test_ssl/wildcard_cert_and_nohttps/README.md b/test/test_ssl/wildcard_cert_and_nohttps/README.md new file mode 100644 index 0000000..0ccdd2e --- /dev/null +++ b/test/test_ssl/wildcard_cert_and_nohttps/README.md @@ -0,0 +1,6 @@ +In this scenario, we have a wildcard certificate for `*.web.nginx-proxy.tld` and 3 web containers: +- 1.web.nginx-proxy.tld +- 2.web.nginx-proxy.tld +- 3.web.nginx-proxy.tld + +We want web containers 1 and 2 to support SSL, but 3 should not (using `HTTPS_METHOD=nohttps`) \ No newline at end of file diff --git a/test/test_ssl/wildcard_cert_and_nohttps/certs/default.crt b/test/test_ssl/wildcard_cert_and_nohttps/certs/default.crt new file mode 100644 index 0000000..81af239 --- /dev/null +++ b/test/test_ssl/wildcard_cert_and_nohttps/certs/default.crt @@ -0,0 +1,70 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4096 (0x1000) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=nginx-proxy test suite, CN=www.nginx-proxy.tld + Validity + Not Before: Mar 15 00:17:52 2017 GMT + Not After : Jul 31 00:17:52 2044 GMT + Subject: CN=nginx-proxy.tld + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:f2:fd:79:70:99:0c:da:63:5c:81:28:72:31:01: + 62:e9:68:d7:cb:8d:c6:95:f9:ec:26:34:1c:08:c6: + 6d:de:ad:d8:b0:c0:ae:48:03:73:76:6b:3f:c5:35: + 86:c6:42:91:53:3c:aa:85:89:84:92:67:92:ef:a9: + 5b:f2:d4:04:73:34:02:35:d4:6a:fa:c2:da:91:4a: + a9:70:87:25:38:84:1d:93:99:3c:d7:03:61:a6:6d: + 33:6f:83:45:04:af:4f:96:62:1e:c1:79:87:c9:d5: + 4c:e9:8f:85:e2:c8:1b:5b:fc:b8:02:ff:7b:6d:34: + 4c:5d:40:73:44:9e:c5:1f:5f:e0:0f:89:88:c4:35: + 2b:04:53:8c:8e:a0:7c:7c:97:16:20:c2:4f:a1:c0: + dd:bf:d5:13:2d:64:25:03:f2:d8:d5:27:01:70:c9: + f4:37:33:36:7e:7b:48:54:ec:37:2b:81:3d:50:3c: + d4:5f:05:19:e2:0b:ba:76:f6:2c:3b:23:4b:82:78: + 5f:e9:e3:57:fc:39:4a:5c:42:82:72:c8:a3:af:b7: + b3:91:e4:01:9c:2c:47:5e:ff:aa:ad:63:1c:e7:9c: + 2e:a2:ac:5d:51:30:83:67:6e:f8:5a:ed:0b:70:e4: + 68:d4:e9:5e:a7:f5:5e:87:3b:e8:31:ad:00:04:f8: + 7b:d9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:nginx-proxy.tld + Signature Algorithm: sha256WithRSAEncryption + 39:d4:cc:78:a3:5e:64:e9:ab:9d:a9:89:3b:9e:18:01:98:cb: + e2:0c:ef:e9:2b:50:34:ed:63:ed:e6:0e:53:59:30:80:e0:3b: + 5e:08:ca:09:55:da:e3:3e:c2:01:d8:d6:ca:92:2a:0b:ee:2c: + a1:93:18:7b:15:28:8d:2a:17:25:76:eb:ef:70:e0:d7:02:d3: + ad:81:33:47:9b:fb:d8:52:87:69:a4:3a:20:a4:9a:2d:3f:40: + 5f:52:bf:0b:96:e3:52:c3:59:55:dc:5a:37:f3:e6:d6:16:46: + 64:e4:20:32:5d:cd:4b:da:2b:ef:e9:85:af:00:a1:ca:a1:08: + ed:0f:f4:65:dc:2a:c9:b3:4e:cc:f3:82:d7:69:3a:4d:fc:8e: + db:10:95:28:20:07:55:f0:d1:11:1f:c5:00:74:88:c6:c9:94: + 15:90:93:3a:de:90:85:fb:72:9c:d8:57:58:05:7d:bb:6a:36: + eb:d8:12:22:41:0e:fc:c9:24:79:c0:28:4f:4f:1b:4b:59:f9: + e4:c6:97:be:b1:94:74:de:a7:65:d3:cb:0a:56:3b:d3:63:fc: + b2:05:fc:e7:ec:bb:45:04:91:9f:21:f9:05:3b:5d:4c:af:8e: + 84:04:f5:25:fb:4d:ab:db:23:56:74:7e:4f:b3:da:bb:27:e7: + ea:fb:bd:00 +-----BEGIN CERTIFICATE----- +MIIC8zCCAdugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwPzEfMB0GA1UECgwWbmdp +bngtcHJveHkgdGVzdCBzdWl0ZTEcMBoGA1UEAwwTd3d3Lm5naW54LXByb3h5LnRs +ZDAeFw0xNzAzMTUwMDE3NTJaFw00NDA3MzEwMDE3NTJaMBoxGDAWBgNVBAMMD25n +aW54LXByb3h5LnRsZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPL9 +eXCZDNpjXIEocjEBYulo18uNxpX57CY0HAjGbd6t2LDArkgDc3ZrP8U1hsZCkVM8 +qoWJhJJnku+pW/LUBHM0AjXUavrC2pFKqXCHJTiEHZOZPNcDYaZtM2+DRQSvT5Zi +HsF5h8nVTOmPheLIG1v8uAL/e200TF1Ac0SexR9f4A+JiMQ1KwRTjI6gfHyXFiDC +T6HA3b/VEy1kJQPy2NUnAXDJ9DczNn57SFTsNyuBPVA81F8FGeILunb2LDsjS4J4 +X+njV/w5SlxCgnLIo6+3s5HkAZwsR17/qq1jHOecLqKsXVEwg2du+FrtC3DkaNTp +Xqf1Xoc76DGtAAT4e9kCAwEAAaMeMBwwGgYDVR0RBBMwEYIPbmdpbngtcHJveHku +dGxkMA0GCSqGSIb3DQEBCwUAA4IBAQA51Mx4o15k6audqYk7nhgBmMviDO/pK1A0 +7WPt5g5TWTCA4DteCMoJVdrjPsIB2NbKkioL7iyhkxh7FSiNKhclduvvcODXAtOt +gTNHm/vYUodppDogpJotP0BfUr8LluNSw1lV3Fo38+bWFkZk5CAyXc1L2ivv6YWv +AKHKoQjtD/Rl3CrJs07M84LXaTpN/I7bEJUoIAdV8NERH8UAdIjGyZQVkJM63pCF ++3Kc2FdYBX27ajbr2BIiQQ78ySR5wChPTxtLWfnkxpe+sZR03qdl08sKVjvTY/yy +Bfzn7LtFBJGfIfkFO11Mr46EBPUl+02r2yNWdH5Ps9q7J+fq+70A +-----END CERTIFICATE----- diff --git a/test/test_ssl/wildcard_cert_and_nohttps/certs/default.key b/test/test_ssl/wildcard_cert_and_nohttps/certs/default.key new file mode 100644 index 0000000..af5fa34 --- /dev/null +++ b/test/test_ssl/wildcard_cert_and_nohttps/certs/default.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA8v15cJkM2mNcgShyMQFi6WjXy43GlfnsJjQcCMZt3q3YsMCu +SANzdms/xTWGxkKRUzyqhYmEkmeS76lb8tQEczQCNdRq+sLakUqpcIclOIQdk5k8 +1wNhpm0zb4NFBK9PlmIewXmHydVM6Y+F4sgbW/y4Av97bTRMXUBzRJ7FH1/gD4mI +xDUrBFOMjqB8fJcWIMJPocDdv9UTLWQlA/LY1ScBcMn0NzM2fntIVOw3K4E9UDzU +XwUZ4gu6dvYsOyNLgnhf6eNX/DlKXEKCcsijr7ezkeQBnCxHXv+qrWMc55wuoqxd +UTCDZ274Wu0LcORo1Olep/VehzvoMa0ABPh72QIDAQABAoIBAQDqcaW5/fFoxHV8 +KIoEvlGw4ndS7nesPHacZaqmzM01DIcGAuIkmS/OEax1mi9vGsschGwCa6x9lXEv +yzfsEqQ4gvWe+lQ9ncNEa8UPzVUcMlxXDIKm8ZxF9xapgP4Whw9DCWijQ57AHg0X +TGLhbDD5j9v7CIUN2GfVkVml24pVuUoeXqv7ZLzTJKZ+Q/eqxyeIikjFheXzaQxb +bUHbEHIXJtHMYULXmfc5WCxuobHqal3z0ymCijoZVXV8hp8dtDP34tRV9MID9wck +lRUVqboFCIXxmLLRTZgyCbiFLkCIu2nmgNobWCNfkHN7QQhToPEecSFMZzYtmo6/ +T1fHE3ABAoGBAP1J1Izfc4CF9t2iPGzXyn8oNkXHLMPKtFQ2Rb8XwBryUOOrAHqT +FIZ2FsDJr0VvS1ihFs1kbO+WAY5W5GytwiiVXvztHz3/f5JnGgvMCeUcEmaj90vq +sTyfHc2OKFjumIjGe87uav3bgac7nOWLO+RIJ/ua6UO7/8psqwryxY4FAoGBAPWX +a502kT56VwI3Gf8hb37PZ/PD+gOzgzVcMn13yLZ4gC9xoP4TKUBHSz4wO8asjKk5 +1RD/DITXYKelyRXynOtMW+2j2s5bVBpOshN/n9jRC1haoGJZYb2JVP6+8WoZKQOF +NwgNlI4he32kSFw59fjkdG64iw7KY8ZYUatkrgrFAoGBAPozTjUCHfRdYOi6c/oI +h81oCYSQJVYbDFsLaYZEjc2Qg/sBVm2+kE3qpLs3/10VfVZFemLVyw44Hb1fdDEu +y1aPhs9N5Mi3dGtIUWBJ45RgUIT3fzeM1BtQCn6c6JpAxoiFmJNmzGWLyd1Kc8gD +69uqs2RFOBtiwGBTS/p6qk+JAoGBAM1QkpnzFYf69SSX9jbRuAl20Xv8GdbgS0/f +zSIRcw4BPYDsaOAgGrtvHttVrZORi2KqQ5Ma9ldUS6y8L5kWo9MemjfYZUNhHLWF +luAwMO0tDmQGF9FA0jKHTjROYzsE38Heq7wixk/wc/H81rWrixRRwXkS9MYfszwN +d/FmkQ3VAoGAXHZrDEygUmf4q0LwjLVF0TPzElh530qVmyhPa0OBs/hVh9Mwv/i6 +fj3+k7uYWgKDzcaVXSMOFGt515F8qy0AUEY9r+IjAn01KTLKO4ZuPiSpxliqDbCs +gzsX9CWVSVgTN+TY15QCoJNpzLiyrXe3uldAP5JEBQSnjt9OfSJQ5IU= +-----END RSA PRIVATE KEY----- diff --git a/test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.crt b/test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.crt new file mode 100644 index 0000000..9020a44 --- /dev/null +++ b/test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.crt @@ -0,0 +1,71 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4096 (0x1000) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=nginx-proxy test suite, CN=www.nginx-proxy.tld + Validity + Not Before: Mar 14 23:19:36 2017 GMT + Not After : Jul 30 23:19:36 2044 GMT + Subject: CN=*.web.nginx-proxy.tld + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ce:2b:74:13:b2:1a:d5:72:5c:3e:10:f7:63:01: + 22:df:e8:d9:cf:0b:8a:3f:40:75:62:58:78:27:9e: + af:33:d2:a1:19:6a:e1:b7:57:db:d9:8f:05:70:c2: + 35:5d:f1:44:0d:51:62:74:73:e5:77:d9:bb:c6:d0: + 33:7a:43:88:e9:e6:3c:2d:d4:39:9d:61:34:5a:19: + f3:c1:96:e0:bd:26:5b:69:18:a6:4c:8c:21:04:d8: + fa:56:22:ec:55:0d:ba:49:4d:8e:27:69:7f:82:e9: + e7:e9:c4:b7:87:70:d7:d7:4b:49:d1:c1:8c:b0:5a: + 13:62:db:de:c1:94:31:d1:c9:74:c4:63:01:50:10: + 70:42:73:67:c4:76:32:fb:d2:b7:91:2f:e8:cf:3a: + 96:4a:ee:8e:0d:13:74:73:1b:e4:74:83:e7:66:d6: + 8d:81:19:54:5b:d8:47:3e:3b:b5:fd:35:a2:df:f3: + 7d:1c:9e:67:ee:50:da:28:9c:02:0a:ad:75:8d:04: + f7:28:1f:04:89:13:ac:ed:a9:34:26:dc:f7:f9:1f: + 72:21:d5:72:fb:09:d9:cb:40:c0:0d:36:3c:c0:77: + 0e:9a:f7:41:f1:3b:dd:b6:05:ab:13:60:c5:fd:c6: + 5f:f5:05:c4:42:00:ba:b5:ef:fb:dc:64:98:d9:4d: + 2b:07 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:*.web.nginx-proxy.tld + Signature Algorithm: sha256WithRSAEncryption + 9b:78:39:b3:90:8f:31:8c:7d:02:aa:6f:46:3d:8c:f5:93:86: + 03:e2:d8:9b:73:d1:e7:70:f1:d6:e6:3c:41:41:8c:76:c9:29: + a4:83:47:c7:10:fd:d0:8b:fa:60:26:a8:36:41:a4:69:89:81: + ec:bf:fd:33:72:bb:83:ea:42:e4:59:3f:10:df:d1:de:e2:bb: + eb:fa:97:44:fe:f4:55:29:69:ca:a5:88:b2:94:60:58:5a:1a: + 19:16:fb:9f:42:4c:7c:d3:6b:21:45:22:56:5c:76:07:97:35: + 27:8f:46:d2:77:5b:65:1b:94:99:cb:73:37:ae:cf:61:6c:7a: + 5c:b3:3b:19:f2:9f:99:8f:89:eb:98:0b:74:0d:30:f5:49:19: + d6:41:32:4e:c9:fc:59:2a:4a:53:2c:83:89:3d:e8:89:ed:37: + d0:b4:f1:09:49:b5:0b:76:fd:a5:75:23:fb:01:c8:bb:59:02: + 5c:e4:8e:9c:f9:5b:85:5f:67:fb:04:40:de:bc:e8:c3:15:2f: + ba:00:5c:36:57:47:e3:1a:95:44:5f:f4:10:55:b0:c4:af:12: + dc:0e:6c:18:4a:70:9e:73:90:8d:55:37:73:a5:1a:41:7f:00: + 79:96:34:01:6b:10:2d:e9:61:3d:8f:8a:9a:c8:b6:bc:0f:57: + 91:84:7c:26 +-----BEGIN CERTIFICATE----- +MIIC/zCCAeegAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwPzEfMB0GA1UECgwWbmdp +bngtcHJveHkgdGVzdCBzdWl0ZTEcMBoGA1UEAwwTd3d3Lm5naW54LXByb3h5LnRs +ZDAeFw0xNzAzMTQyMzE5MzZaFw00NDA3MzAyMzE5MzZaMCAxHjAcBgNVBAMMFSou +d2ViLm5naW54LXByb3h5LnRsZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAM4rdBOyGtVyXD4Q92MBIt/o2c8Lij9AdWJYeCeerzPSoRlq4bdX29mPBXDC +NV3xRA1RYnRz5XfZu8bQM3pDiOnmPC3UOZ1hNFoZ88GW4L0mW2kYpkyMIQTY+lYi +7FUNuklNjidpf4Lp5+nEt4dw19dLSdHBjLBaE2Lb3sGUMdHJdMRjAVAQcEJzZ8R2 +MvvSt5Ev6M86lkrujg0TdHMb5HSD52bWjYEZVFvYRz47tf01ot/zfRyeZ+5Q2iic +AgqtdY0E9ygfBIkTrO2pNCbc9/kfciHVcvsJ2ctAwA02PMB3Dpr3QfE73bYFqxNg +xf3GX/UFxEIAurXv+9xkmNlNKwcCAwEAAaMkMCIwIAYDVR0RBBkwF4IVKi53ZWIu +bmdpbngtcHJveHkudGxkMA0GCSqGSIb3DQEBCwUAA4IBAQCbeDmzkI8xjH0Cqm9G +PYz1k4YD4tibc9HncPHW5jxBQYx2ySmkg0fHEP3Qi/pgJqg2QaRpiYHsv/0zcruD +6kLkWT8Q39He4rvr+pdE/vRVKWnKpYiylGBYWhoZFvufQkx802shRSJWXHYHlzUn +j0bSd1tlG5SZy3M3rs9hbHpcszsZ8p+Zj4nrmAt0DTD1SRnWQTJOyfxZKkpTLIOJ +PeiJ7TfQtPEJSbULdv2ldSP7Aci7WQJc5I6c+VuFX2f7BEDevOjDFS+6AFw2V0fj +GpVEX/QQVbDErxLcDmwYSnCec5CNVTdzpRpBfwB5ljQBaxAt6WE9j4qayLa8D1eR +hHwm +-----END CERTIFICATE----- diff --git a/test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.key b/test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.key new file mode 100644 index 0000000..358eb4b --- /dev/null +++ b/test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAzit0E7Ia1XJcPhD3YwEi3+jZzwuKP0B1Ylh4J56vM9KhGWrh +t1fb2Y8FcMI1XfFEDVFidHPld9m7xtAzekOI6eY8LdQ5nWE0WhnzwZbgvSZbaRim +TIwhBNj6ViLsVQ26SU2OJ2l/gunn6cS3h3DX10tJ0cGMsFoTYtvewZQx0cl0xGMB +UBBwQnNnxHYy+9K3kS/ozzqWSu6ODRN0cxvkdIPnZtaNgRlUW9hHPju1/TWi3/N9 +HJ5n7lDaKJwCCq11jQT3KB8EiROs7ak0Jtz3+R9yIdVy+wnZy0DADTY8wHcOmvdB +8TvdtgWrE2DF/cZf9QXEQgC6te/73GSY2U0rBwIDAQABAoIBAGVkDVPaVUP/V8nW +QjNYTbRcKTGfdT+iDZht9blWWsdboIqFe7fU53PY2E4Z1HD8xADgs1Cd5o3IcIZX +wdkw+VY+Of43zpXNRhfBh5T/BEtBX9cRnkcq6todcw+FYUB63dBK6cwMH/9b1Qes +DK35GszwY79aNjxMMBiAFM6SeOW4EElPsV8wd9ldX/ndiZuwkZ6k9PfyWrfeeaF+ +EwVf/HaT0bV7cHQ73tYqzKjMpdbzIyaMzuAMGZDwPfLK+O1rEsWvLvK0ypl2Omzw +ndon8U3z0JPNmBGoq+SFS2qtCeOezNX3lPz+TWxG05R5iiFtuK83zJ5qGqCgCNZ6 +qzpZsOECgYEA/NvWqT5MdZS1fdL2wROzFMTH4OBdUGr1Gh/DsNZj4qFVSFl969mA +7Vntm+koNLFsJt2EB67kC3ZWjozLXomHJ55/uKNnJ5LrLxczQ9x4l52CsTzrlvFq +crYjQZDmeN3B4Z+8RSi2icq6j1PeaCZRTvcz6eBjNYj/v/O0SmiXIp8CgYEA0Lsh +fZWuw23a8UXS2YUrXXqfIEdisVMnLRu3Zi0Y1R4lIpuwn5+2n+TxnuWcY1q+ZTMw +dcmGPi6aRj81kEN/Kw5raKoVb6YywTNB4/Dwz7PRQH386FrjfivGXGEEINgbPQ09 +2u0QV2Cr9yMGZ5qNXut70RYewkxjF7+s6L8+RpkCgYB9ikBHgtC/R/fb4pP0RG2T +ECgUtBBgTtomAENOVwL8kBEhfJ0SLcjfDtjzoYz+rF//49cbYW+DaVuMJscJxso9 +l2neJ/KdKUpu9NvVA280B1XN3WsyY+Xv0hIrCWAD/kW2WXJF+/K08twxMPipSOzx +gbZalbdr6vrfOIX4s3jmDQKBgDiXA3Vw53jEh99x9sBSgndNj2bI89DvomdwZECn +aVweWCMR4sjkHDctcvSJe+TT7VqyjijhAixJpjn1WShLpGaf+i7eLgGfJZOLugl6 +gU9OiSTbA35bZeIHLDhPdTcSYBAlTufT7eJCq1zNeicMl9dsMJ13Sc+TtinyJYbU +kqXBAoGBAL9gRa1PkNkpCJ5F9aYSohCAXB7DaAgYvVyvOTQ8Bw2uACPgdnpHmxQd +/sT7qJ1h8ZCtn89Ug/4yx79eUcOImugoCRIUVtq1xhyXUdVl55Tuy5bKBSSAe/Vh +T7sAmryCkzn9ihRziY2j84vK0mdMkCU5AoatPg5l0g1adn5zcY6q +-----END RSA PRIVATE KEY----- diff --git a/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml b/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml new file mode 100644 index 0000000..bffffc1 --- /dev/null +++ b/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml @@ -0,0 +1,33 @@ +version: "3" + +services: + + proxy: + image: jwilder/nginx-proxy:test + volumes: + - /var/run/docker.sock:/tmp/docker.sock:ro + - ./certs:/etc/nginx/certs:ro + + web1: + image: web + expose: + - "81" + environment: + WEB_PORTS: "81" + VIRTUAL_HOST: "1.web.nginx-proxy.tld" + web2: + image: web + expose: + - "82" + environment: + WEB_PORTS: "82" + VIRTUAL_HOST: "2.web.nginx-proxy.tld" + + web3_nohttps: + image: web + expose: + - "83" + environment: + WEB_PORTS: "83" + VIRTUAL_HOST: "3.web.nginx-proxy.tld" + HTTPS_METHOD: nohttps \ No newline at end of file diff --git a/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py b/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py new file mode 100644 index 0000000..db18809 --- /dev/null +++ b/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py @@ -0,0 +1,31 @@ +import pytest +from backports.ssl_match_hostname import CertificateError + + +@pytest.mark.parametrize("subdomain,should_redirect_to_https", [ + (1, True), + (2, True), + (3, False), +]) +def test_http_redirects_to_https(docker_compose, nginxproxy, subdomain, should_redirect_to_https): + r = nginxproxy.get("http://%s.web.nginx-proxy.tld/port" % subdomain) + if should_redirect_to_https: + assert r.history[0].is_redirect + assert r.history[0].headers.get("Location") == "https://%s.web.nginx-proxy.tld/port" % subdomain + assert "answer from port 8%s\n" % subdomain == r.text + + +@pytest.mark.parametrize("subdomain", [1, 2]) +def test_https_get_served(docker_compose, nginxproxy, subdomain): + r = nginxproxy.get("https://%s.web.nginx-proxy.tld/port" % subdomain, allow_redirects=False) + assert r.status_code == 200 + assert "answer from port 8%s\n" % subdomain == r.text + + +def test_web3_https_is_500_and_SSL_validation_fails(docker_compose, nginxproxy): + with pytest.raises(CertificateError) as excinfo: + nginxproxy.get("https://3.web.nginx-proxy.tld/port") + assert """hostname '3.web.nginx-proxy.tld' doesn't match 'nginx-proxy.tld'""" in str(excinfo.value) + + r = nginxproxy.get("https://3.web.nginx-proxy.tld/port", verify=False) + assert r.status_code == 500