mirror of
https://github.com/thib8956/nginx-proxy
synced 2025-02-24 01:38:15 +00:00
feat: customizable non get redirect code
This commit is contained in:
Nicolas Duchon
parent
8447a36046
commit
9fc7cec15c
@ -571,10 +571,12 @@ Complete list of policies available through the `SSL_POLICY` environment variabl
|
||||
|
||||
The default behavior for the proxy when port 80 and 443 are exposed is as follows:
|
||||
|
||||
- If a virtual host has a usable cert, port 80 will redirect to 443 for that virtual host so that HTTPS is always preferred when available. This redirect will use a [301 code](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/301) for `GET` requests and [308 code](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308) for any other HTTP method (`POST`/`HEAD`/`PUT` etc.).
|
||||
- If a virtual host has a usable cert, port 80 will redirect to 443 for that virtual host so that HTTPS is always preferred when available.
|
||||
- If the virtual host does not have a usable cert, but `default.crt` and `default.key` exist, those will be used as the virtual host's certificate.
|
||||
- If the virtual host does not have a usable cert, and `default.crt` and `default.key` do not exist, or if the virtual host is configured not to trust the default certificate, SSL handshake will be rejected (see [Default and Missing Certificate](#default-and-missing-certificate) below).
|
||||
|
||||
The redirection from HTTP to HTTPS use by default a [`301`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/301) response for every HTTP methods (except `CONNECT` and `TRACE` which are disabled on nginx). If you wish to use a custom redirection response for the `OPTIONS`, `POST`, `PUT`, `PATCH` and `DELETE` HTTP methods (for example to use a ), you can either do it globally with the environment variable `NON_GET_REDIRECT` on the proxy container or per virtual host with the `com.github.nginx-proxy.nginx-proxy.non-get-redirect` label on proxied containers. Valid values are [`307`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/307) and [`308`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308).
|
||||
|
||||
To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with `HTTPS_METHOD=nohttps`. `HTTPS_METHOD` can be specified on each container for which you want to override the default behavior or on the proxy container to set it globally. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS) is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP site after changing this setting, your browser has probably cached the HSTS policy and is automatically redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito window / different browser.
|
||||
|
||||
By default, [HTTP Strict Transport Security (HSTS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) is enabled with `max-age=31536000` for HTTPS sites. You can disable HSTS with the environment variable `HSTS=off` or use a custom HSTS configuration like `HSTS=max-age=31536000; includeSubDomains; preload`.
|
||||
|
||||
26
nginx.tmpl
26
nginx.tmpl
@ -32,6 +32,7 @@
|
||||
{{- $_ := set $config "enable_http3" ($globals.Env.ENABLE_HTTP3 | default "false") }}
|
||||
{{- $_ := set $config "enable_http_on_missing_cert" ($globals.Env.ENABLE_HTTP_ON_MISSING_CERT | default "true") }}
|
||||
{{- $_ := set $config "https_method" ($globals.Env.HTTPS_METHOD | default "redirect") }}
|
||||
{{- $_ := set $config "non_get_redirect" ($globals.Env.NON_GET_REDIRECT | default "301") }}
|
||||
{{- $_ := set $config "default_host" $globals.Env.DEFAULT_HOST }}
|
||||
{{- $_ := set $config "resolvers" $globals.Env.RESOLVERS }}
|
||||
{{- /* LOG_JSON is a shorthand that sets logging defaults to JSON format */}}
|
||||
@ -718,8 +719,11 @@ proxy_set_header Proxy "";
|
||||
{{- if and $https_method_disable_http (not $cert_ok) $enable_http_on_missing_cert }}
|
||||
{{- $https_method = "noredirect" }}
|
||||
{{- end }}
|
||||
{{- $non_get_redirect := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.non-get-redirect" | keys | first | default $globals.config.non_get_redirect }}
|
||||
|
||||
{{- $http2_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable" | keys | first | default $globals.config.enable_http2 | parseBool }}
|
||||
{{- $http3_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable" | keys | first | default $globals.config.enable_http3 | parseBool }}
|
||||
|
||||
{{- $acme_http_challenge := groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION" | first | default $globals.config.acme_http_challenge }}
|
||||
{{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }}
|
||||
{{- $acme_http_challenge_enabled := false }}
|
||||
@ -746,6 +750,7 @@ proxy_set_header Proxy "";
|
||||
"default" $default
|
||||
"hsts" $hsts
|
||||
"https_method" $https_method
|
||||
"non_get_redirect" $non_get_redirect
|
||||
"http2_enabled" $http2_enabled
|
||||
"http3_enabled" $http3_enabled
|
||||
"is_regexp" $is_regexp
|
||||
@ -886,21 +891,14 @@ server {
|
||||
{{- end }}
|
||||
|
||||
location / {
|
||||
{{- if eq $globals.config.external_https_port "443" }}
|
||||
if ($request_method = GET) {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
if ($request_method != GET) {
|
||||
return 308 https://$host$request_uri;
|
||||
}
|
||||
{{- else }}
|
||||
if ($request_method = GET) {
|
||||
return 301 https://$host:{{ $globals.config.external_https_port }}$request_uri;
|
||||
}
|
||||
if ($request_method != GET) {
|
||||
return 308 https://$host:{{ $globals.config.external_https_port }}$request_uri;
|
||||
}
|
||||
{{- $redirect_uri := "https://$host$request_uri" }}
|
||||
{{- if ne $globals.config.external_https_port "443" }}
|
||||
{{- $redirect_uri = printf "https://$host:%s$request_uri" $globals.config.external_https_port }}
|
||||
{{- end}}
|
||||
if ($request_method ~ (OPTIONS|POST|PUT|PATCH|DELETE)) {
|
||||
return {{ $vhost.non_get_redirect }} {{ $redirect_uri }};
|
||||
}
|
||||
return 301 {{ $redirect_uri }};
|
||||
}
|
||||
}
|
||||
{{- end }}
|
||||
|
||||
38
test/test_ssl/test_redirect_custom.py
Normal file
38
test/test_ssl/test_redirect_custom.py
Normal file
@ -0,0 +1,38 @@
|
||||
import pytest
|
||||
|
||||
|
||||
@pytest.mark.parametrize("host,http_method,expected_code", [
|
||||
("nginx-proxy.tld", "GET", 301),
|
||||
("nginx-proxy.tld", "HEAD", 301),
|
||||
("nginx-proxy.tld", "POST", 308),
|
||||
("nginx-proxy.tld", "PUT", 308),
|
||||
("nginx-proxy.tld", "PATCH", 308),
|
||||
("nginx-proxy.tld", "DELETE", 308),
|
||||
("nginx-proxy.tld", "OPTIONS", 308),
|
||||
("nginx-proxy.tld", "CONNECT", 405),
|
||||
("nginx-proxy.tld", "TRACE", 405),
|
||||
("web2.nginx-proxy.tld", "GET", 301),
|
||||
("web2.nginx-proxy.tld", "HEAD", 301),
|
||||
("web2.nginx-proxy.tld", "POST", 307),
|
||||
("web2.nginx-proxy.tld", "PUT", 307),
|
||||
("web2.nginx-proxy.tld", "PATCH", 307),
|
||||
("web2.nginx-proxy.tld", "DELETE", 307),
|
||||
("web2.nginx-proxy.tld", "OPTIONS", 307),
|
||||
("web2.nginx-proxy.tld", "CONNECT", 405),
|
||||
("web2.nginx-proxy.tld", "TRACE", 405),
|
||||
])
|
||||
def test_custom_redirect_by_method(
|
||||
docker_compose,
|
||||
nginxproxy,
|
||||
host: str,
|
||||
http_method: str,
|
||||
expected_code: int,
|
||||
):
|
||||
r = nginxproxy.request(
|
||||
method=http_method,
|
||||
url=f'http://{host}',
|
||||
allow_redirects=False,
|
||||
)
|
||||
assert r.status_code == expected_code
|
||||
if expected_code in { 301, 302, 307, 308 }:
|
||||
assert r.headers['Location'] == f'https://{host}/'
|
||||
26
test/test_ssl/test_redirect_custom.yml
Normal file
26
test/test_ssl/test_redirect_custom.yml
Normal file
@ -0,0 +1,26 @@
|
||||
services:
|
||||
web1:
|
||||
image: web
|
||||
expose:
|
||||
- "81"
|
||||
environment:
|
||||
WEB_PORTS: "81"
|
||||
VIRTUAL_HOST: "nginx-proxy.tld"
|
||||
|
||||
web2:
|
||||
image: web
|
||||
expose:
|
||||
- "82"
|
||||
environment:
|
||||
WEB_PORTS: "82"
|
||||
VIRTUAL_HOST: "web2.nginx-proxy.tld"
|
||||
labels:
|
||||
com.github.nginx-proxy.nginx-proxy.non-get-redirect: 307
|
||||
|
||||
sut:
|
||||
image: nginxproxy/nginx-proxy:test
|
||||
environment:
|
||||
NON_GET_REDIRECT: 308
|
||||
volumes:
|
||||
- /var/run/docker.sock:/tmp/docker.sock:ro
|
||||
- ./certs:/etc/nginx/certs:ro
|
||||
@ -3,12 +3,12 @@ import pytest
|
||||
|
||||
@pytest.mark.parametrize("http_method,expected_code", [
|
||||
("GET", 301),
|
||||
("HEAD", 308),
|
||||
("POST", 308),
|
||||
("PUT", 308),
|
||||
("PATCH", 308),
|
||||
("DELETE", 308),
|
||||
("OPTIONS", 308),
|
||||
("HEAD", 301),
|
||||
("POST", 301),
|
||||
("PUT", 301),
|
||||
("PATCH", 301),
|
||||
("DELETE", 301),
|
||||
("OPTIONS", 301),
|
||||
("CONNECT", 405),
|
||||
("TRACE", 405),
|
||||
])
|
||||
Loading…
x
Reference in New Issue
Block a user