From 77e022cf286f0f826a2de5ac96eb7f27d7d63b8c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20L=C3=89VEIL?= Date: Wed, 15 Mar 2017 01:32:47 +0100 Subject: [PATCH 01/10] DOC: reflect change from PR #344 PR #344 changed the HTTP status code from `503` to `500`. The README.md file was not updated accordingly. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ed8540e..9700b1b 100644 --- a/README.md +++ b/README.md @@ -203,7 +203,7 @@ is always preferred when available. Note that in the latter case, a browser may get an connection error as no certificate is available to establish a connection. A self-signed or generic cert named `default.crt` and `default.key` will allow a client browser to make a SSL connection (likely w/ a warning) and subsequently receive -a 503. +a 500. To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also From 8414a94d59bf70d4928c4f8785966d3b987c115f Mon Sep 17 00:00:00 2001 
From: Thomas LEVEIL Date: Wed, 15 Mar 2017 02:11:21 +0100 Subject: [PATCH 02/10] TESTS: add test for the case in which a wildcard cert matches a container having `nohttps` set --- .../wildcard_cert_and_nohttps/README.md | 6 ++ .../certs/default.crt | 70 ++++++++++++++++++ .../certs/default.key | 27 +++++++ .../certs/web.nginx-proxy.tld.crt | 71 +++++++++++++++++++ .../certs/web.nginx-proxy.tld.key | 27 +++++++ .../docker-compose.yml | 33 +++++++++ .../test_wildcard_cert_nohttps.py | 31 ++++++++ 7 files changed, 265 insertions(+) create mode 100644 test/test_ssl/wildcard_cert_and_nohttps/README.md create mode 100644 test/test_ssl/wildcard_cert_and_nohttps/certs/default.crt create mode 100644 test/test_ssl/wildcard_cert_and_nohttps/certs/default.key create mode 100644 test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.crt create mode 100644 test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.key create mode 100644 test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml create mode 100644 test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py diff --git a/test/test_ssl/wildcard_cert_and_nohttps/README.md b/test/test_ssl/wildcard_cert_and_nohttps/README.md new file mode 100644 index 0000000..0ccdd2e --- /dev/null +++ b/test/test_ssl/wildcard_cert_and_nohttps/README.md @@ -0,0 +1,6 @@ +In this scenario, we have a wildcard certificate for `*.web.nginx-proxy.tld` and 3 web containers: +- 1.web.nginx-proxy.tld +- 2.web.nginx-proxy.tld +- 3.web.nginx-proxy.tld + +We want web containers 1 and 2 to support SSL, but 3 should not (using `HTTPS_METHOD=nohttps`) \ No newline at end of file diff --git a/test/test_ssl/wildcard_cert_and_nohttps/certs/default.crt b/test/test_ssl/wildcard_cert_and_nohttps/certs/default.crt new file mode 100644 index 0000000..81af239 --- /dev/null +++ b/test/test_ssl/wildcard_cert_and_nohttps/certs/default.crt 
@@ -0,0 +1,70 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4096 (0x1000) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=nginx-proxy test suite, CN=www.nginx-proxy.tld + Validity + Not Before: Mar 15 00:17:52 2017 GMT + Not After : Jul 31 00:17:52 2044 GMT + Subject: CN=nginx-proxy.tld + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:f2:fd:79:70:99:0c:da:63:5c:81:28:72:31:01: + 62:e9:68:d7:cb:8d:c6:95:f9:ec:26:34:1c:08:c6: + 6d:de:ad:d8:b0:c0:ae:48:03:73:76:6b:3f:c5:35: + 86:c6:42:91:53:3c:aa:85:89:84:92:67:92:ef:a9: + 5b:f2:d4:04:73:34:02:35:d4:6a:fa:c2:da:91:4a: + a9:70:87:25:38:84:1d:93:99:3c:d7:03:61:a6:6d: + 33:6f:83:45:04:af:4f:96:62:1e:c1:79:87:c9:d5: + 4c:e9:8f:85:e2:c8:1b:5b:fc:b8:02:ff:7b:6d:34: + 4c:5d:40:73:44:9e:c5:1f:5f:e0:0f:89:88:c4:35: + 2b:04:53:8c:8e:a0:7c:7c:97:16:20:c2:4f:a1:c0: + dd:bf:d5:13:2d:64:25:03:f2:d8:d5:27:01:70:c9: + f4:37:33:36:7e:7b:48:54:ec:37:2b:81:3d:50:3c: + d4:5f:05:19:e2:0b:ba:76:f6:2c:3b:23:4b:82:78: + 5f:e9:e3:57:fc:39:4a:5c:42:82:72:c8:a3:af:b7: + b3:91:e4:01:9c:2c:47:5e:ff:aa:ad:63:1c:e7:9c: + 2e:a2:ac:5d:51:30:83:67:6e:f8:5a:ed:0b:70:e4: + 68:d4:e9:5e:a7:f5:5e:87:3b:e8:31:ad:00:04:f8: + 7b:d9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:nginx-proxy.tld + Signature Algorithm: sha256WithRSAEncryption + 39:d4:cc:78:a3:5e:64:e9:ab:9d:a9:89:3b:9e:18:01:98:cb: + e2:0c:ef:e9:2b:50:34:ed:63:ed:e6:0e:53:59:30:80:e0:3b: + 5e:08:ca:09:55:da:e3:3e:c2:01:d8:d6:ca:92:2a:0b:ee:2c: + a1:93:18:7b:15:28:8d:2a:17:25:76:eb:ef:70:e0:d7:02:d3: + ad:81:33:47:9b:fb:d8:52:87:69:a4:3a:20:a4:9a:2d:3f:40: + 5f:52:bf:0b:96:e3:52:c3:59:55:dc:5a:37:f3:e6:d6:16:46: + 64:e4:20:32:5d:cd:4b:da:2b:ef:e9:85:af:00:a1:ca:a1:08: + ed:0f:f4:65:dc:2a:c9:b3:4e:cc:f3:82:d7:69:3a:4d:fc:8e: + db:10:95:28:20:07:55:f0:d1:11:1f:c5:00:74:88:c6:c9:94: + 15:90:93:3a:de:90:85:fb:72:9c:d8:57:58:05:7d:bb:6a:36: + 
eb:d8:12:22:41:0e:fc:c9:24:79:c0:28:4f:4f:1b:4b:59:f9: + e4:c6:97:be:b1:94:74:de:a7:65:d3:cb:0a:56:3b:d3:63:fc: + b2:05:fc:e7:ec:bb:45:04:91:9f:21:f9:05:3b:5d:4c:af:8e: + 84:04:f5:25:fb:4d:ab:db:23:56:74:7e:4f:b3:da:bb:27:e7: + ea:fb:bd:00 +-----BEGIN CERTIFICATE----- +MIIC8zCCAdugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwPzEfMB0GA1UECgwWbmdp +bngtcHJveHkgdGVzdCBzdWl0ZTEcMBoGA1UEAwwTd3d3Lm5naW54LXByb3h5LnRs +ZDAeFw0xNzAzMTUwMDE3NTJaFw00NDA3MzEwMDE3NTJaMBoxGDAWBgNVBAMMD25n +aW54LXByb3h5LnRsZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPL9 +eXCZDNpjXIEocjEBYulo18uNxpX57CY0HAjGbd6t2LDArkgDc3ZrP8U1hsZCkVM8 +qoWJhJJnku+pW/LUBHM0AjXUavrC2pFKqXCHJTiEHZOZPNcDYaZtM2+DRQSvT5Zi +HsF5h8nVTOmPheLIG1v8uAL/e200TF1Ac0SexR9f4A+JiMQ1KwRTjI6gfHyXFiDC +T6HA3b/VEy1kJQPy2NUnAXDJ9DczNn57SFTsNyuBPVA81F8FGeILunb2LDsjS4J4 +X+njV/w5SlxCgnLIo6+3s5HkAZwsR17/qq1jHOecLqKsXVEwg2du+FrtC3DkaNTp +Xqf1Xoc76DGtAAT4e9kCAwEAAaMeMBwwGgYDVR0RBBMwEYIPbmdpbngtcHJveHku +dGxkMA0GCSqGSIb3DQEBCwUAA4IBAQA51Mx4o15k6audqYk7nhgBmMviDO/pK1A0 +7WPt5g5TWTCA4DteCMoJVdrjPsIB2NbKkioL7iyhkxh7FSiNKhclduvvcODXAtOt +gTNHm/vYUodppDogpJotP0BfUr8LluNSw1lV3Fo38+bWFkZk5CAyXc1L2ivv6YWv +AKHKoQjtD/Rl3CrJs07M84LXaTpN/I7bEJUoIAdV8NERH8UAdIjGyZQVkJM63pCF ++3Kc2FdYBX27ajbr2BIiQQ78ySR5wChPTxtLWfnkxpe+sZR03qdl08sKVjvTY/yy +Bfzn7LtFBJGfIfkFO11Mr46EBPUl+02r2yNWdH5Ps9q7J+fq+70A +-----END CERTIFICATE----- diff --git a/test/test_ssl/wildcard_cert_and_nohttps/certs/default.key b/test/test_ssl/wildcard_cert_and_nohttps/certs/default.key new file mode 100644 index 0000000..af5fa34 --- /dev/null +++ b/test/test_ssl/wildcard_cert_and_nohttps/certs/default.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA8v15cJkM2mNcgShyMQFi6WjXy43GlfnsJjQcCMZt3q3YsMCu +SANzdms/xTWGxkKRUzyqhYmEkmeS76lb8tQEczQCNdRq+sLakUqpcIclOIQdk5k8 +1wNhpm0zb4NFBK9PlmIewXmHydVM6Y+F4sgbW/y4Av97bTRMXUBzRJ7FH1/gD4mI +xDUrBFOMjqB8fJcWIMJPocDdv9UTLWQlA/LY1ScBcMn0NzM2fntIVOw3K4E9UDzU +XwUZ4gu6dvYsOyNLgnhf6eNX/DlKXEKCcsijr7ezkeQBnCxHXv+qrWMc55wuoqxd +UTCDZ274Wu0LcORo1Olep/VehzvoMa0ABPh72QIDAQABAoIBAQDqcaW5/fFoxHV8 +KIoEvlGw4ndS7nesPHacZaqmzM01DIcGAuIkmS/OEax1mi9vGsschGwCa6x9lXEv +yzfsEqQ4gvWe+lQ9ncNEa8UPzVUcMlxXDIKm8ZxF9xapgP4Whw9DCWijQ57AHg0X +TGLhbDD5j9v7CIUN2GfVkVml24pVuUoeXqv7ZLzTJKZ+Q/eqxyeIikjFheXzaQxb +bUHbEHIXJtHMYULXmfc5WCxuobHqal3z0ymCijoZVXV8hp8dtDP34tRV9MID9wck +lRUVqboFCIXxmLLRTZgyCbiFLkCIu2nmgNobWCNfkHN7QQhToPEecSFMZzYtmo6/ +T1fHE3ABAoGBAP1J1Izfc4CF9t2iPGzXyn8oNkXHLMPKtFQ2Rb8XwBryUOOrAHqT +FIZ2FsDJr0VvS1ihFs1kbO+WAY5W5GytwiiVXvztHz3/f5JnGgvMCeUcEmaj90vq +sTyfHc2OKFjumIjGe87uav3bgac7nOWLO+RIJ/ua6UO7/8psqwryxY4FAoGBAPWX +a502kT56VwI3Gf8hb37PZ/PD+gOzgzVcMn13yLZ4gC9xoP4TKUBHSz4wO8asjKk5 +1RD/DITXYKelyRXynOtMW+2j2s5bVBpOshN/n9jRC1haoGJZYb2JVP6+8WoZKQOF +NwgNlI4he32kSFw59fjkdG64iw7KY8ZYUatkrgrFAoGBAPozTjUCHfRdYOi6c/oI +h81oCYSQJVYbDFsLaYZEjc2Qg/sBVm2+kE3qpLs3/10VfVZFemLVyw44Hb1fdDEu +y1aPhs9N5Mi3dGtIUWBJ45RgUIT3fzeM1BtQCn6c6JpAxoiFmJNmzGWLyd1Kc8gD +69uqs2RFOBtiwGBTS/p6qk+JAoGBAM1QkpnzFYf69SSX9jbRuAl20Xv8GdbgS0/f +zSIRcw4BPYDsaOAgGrtvHttVrZORi2KqQ5Ma9ldUS6y8L5kWo9MemjfYZUNhHLWF +luAwMO0tDmQGF9FA0jKHTjROYzsE38Heq7wixk/wc/H81rWrixRRwXkS9MYfszwN +d/FmkQ3VAoGAXHZrDEygUmf4q0LwjLVF0TPzElh530qVmyhPa0OBs/hVh9Mwv/i6 +fj3+k7uYWgKDzcaVXSMOFGt515F8qy0AUEY9r+IjAn01KTLKO4ZuPiSpxliqDbCs +gzsX9CWVSVgTN+TY15QCoJNpzLiyrXe3uldAP5JEBQSnjt9OfSJQ5IU= +-----END RSA PRIVATE KEY----- diff --git a/test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.crt b/test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.crt new file mode 100644 index 0000000..9020a44 --- /dev/null 
+++ b/test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.crt 
@@ -0,0 +1,71 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4096 (0x1000) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=nginx-proxy test suite, CN=www.nginx-proxy.tld + Validity + Not Before: Mar 14 23:19:36 2017 GMT + Not After : Jul 30 23:19:36 2044 GMT + Subject: CN=*.web.nginx-proxy.tld + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ce:2b:74:13:b2:1a:d5:72:5c:3e:10:f7:63:01: + 22:df:e8:d9:cf:0b:8a:3f:40:75:62:58:78:27:9e: + af:33:d2:a1:19:6a:e1:b7:57:db:d9:8f:05:70:c2: + 35:5d:f1:44:0d:51:62:74:73:e5:77:d9:bb:c6:d0: + 33:7a:43:88:e9:e6:3c:2d:d4:39:9d:61:34:5a:19: + f3:c1:96:e0:bd:26:5b:69:18:a6:4c:8c:21:04:d8: + fa:56:22:ec:55:0d:ba:49:4d:8e:27:69:7f:82:e9: + e7:e9:c4:b7:87:70:d7:d7:4b:49:d1:c1:8c:b0:5a: + 13:62:db:de:c1:94:31:d1:c9:74:c4:63:01:50:10: + 70:42:73:67:c4:76:32:fb:d2:b7:91:2f:e8:cf:3a: + 96:4a:ee:8e:0d:13:74:73:1b:e4:74:83:e7:66:d6: + 8d:81:19:54:5b:d8:47:3e:3b:b5:fd:35:a2:df:f3: + 7d:1c:9e:67:ee:50:da:28:9c:02:0a:ad:75:8d:04: + f7:28:1f:04:89:13:ac:ed:a9:34:26:dc:f7:f9:1f: + 72:21:d5:72:fb:09:d9:cb:40:c0:0d:36:3c:c0:77: + 0e:9a:f7:41:f1:3b:dd:b6:05:ab:13:60:c5:fd:c6: + 5f:f5:05:c4:42:00:ba:b5:ef:fb:dc:64:98:d9:4d: + 2b:07 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:*.web.nginx-proxy.tld + Signature Algorithm: sha256WithRSAEncryption + 9b:78:39:b3:90:8f:31:8c:7d:02:aa:6f:46:3d:8c:f5:93:86: + 03:e2:d8:9b:73:d1:e7:70:f1:d6:e6:3c:41:41:8c:76:c9:29: + a4:83:47:c7:10:fd:d0:8b:fa:60:26:a8:36:41:a4:69:89:81: + ec:bf:fd:33:72:bb:83:ea:42:e4:59:3f:10:df:d1:de:e2:bb: + eb:fa:97:44:fe:f4:55:29:69:ca:a5:88:b2:94:60:58:5a:1a: + 19:16:fb:9f:42:4c:7c:d3:6b:21:45:22:56:5c:76:07:97:35: + 27:8f:46:d2:77:5b:65:1b:94:99:cb:73:37:ae:cf:61:6c:7a: + 5c:b3:3b:19:f2:9f:99:8f:89:eb:98:0b:74:0d:30:f5:49:19: + d6:41:32:4e:c9:fc:59:2a:4a:53:2c:83:89:3d:e8:89:ed:37: + d0:b4:f1:09:49:b5:0b:76:fd:a5:75:23:fb:01:c8:bb:59:02: + 
5c:e4:8e:9c:f9:5b:85:5f:67:fb:04:40:de:bc:e8:c3:15:2f: + ba:00:5c:36:57:47:e3:1a:95:44:5f:f4:10:55:b0:c4:af:12: + dc:0e:6c:18:4a:70:9e:73:90:8d:55:37:73:a5:1a:41:7f:00: + 79:96:34:01:6b:10:2d:e9:61:3d:8f:8a:9a:c8:b6:bc:0f:57: + 91:84:7c:26 +-----BEGIN CERTIFICATE----- +MIIC/zCCAeegAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwPzEfMB0GA1UECgwWbmdp +bngtcHJveHkgdGVzdCBzdWl0ZTEcMBoGA1UEAwwTd3d3Lm5naW54LXByb3h5LnRs +ZDAeFw0xNzAzMTQyMzE5MzZaFw00NDA3MzAyMzE5MzZaMCAxHjAcBgNVBAMMFSou +d2ViLm5naW54LXByb3h5LnRsZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAM4rdBOyGtVyXD4Q92MBIt/o2c8Lij9AdWJYeCeerzPSoRlq4bdX29mPBXDC +NV3xRA1RYnRz5XfZu8bQM3pDiOnmPC3UOZ1hNFoZ88GW4L0mW2kYpkyMIQTY+lYi +7FUNuklNjidpf4Lp5+nEt4dw19dLSdHBjLBaE2Lb3sGUMdHJdMRjAVAQcEJzZ8R2 +MvvSt5Ev6M86lkrujg0TdHMb5HSD52bWjYEZVFvYRz47tf01ot/zfRyeZ+5Q2iic +AgqtdY0E9ygfBIkTrO2pNCbc9/kfciHVcvsJ2ctAwA02PMB3Dpr3QfE73bYFqxNg +xf3GX/UFxEIAurXv+9xkmNlNKwcCAwEAAaMkMCIwIAYDVR0RBBkwF4IVKi53ZWIu +bmdpbngtcHJveHkudGxkMA0GCSqGSIb3DQEBCwUAA4IBAQCbeDmzkI8xjH0Cqm9G +PYz1k4YD4tibc9HncPHW5jxBQYx2ySmkg0fHEP3Qi/pgJqg2QaRpiYHsv/0zcruD +6kLkWT8Q39He4rvr+pdE/vRVKWnKpYiylGBYWhoZFvufQkx802shRSJWXHYHlzUn +j0bSd1tlG5SZy3M3rs9hbHpcszsZ8p+Zj4nrmAt0DTD1SRnWQTJOyfxZKkpTLIOJ +PeiJ7TfQtPEJSbULdv2ldSP7Aci7WQJc5I6c+VuFX2f7BEDevOjDFS+6AFw2V0fj +GpVEX/QQVbDErxLcDmwYSnCec5CNVTdzpRpBfwB5ljQBaxAt6WE9j4qayLa8D1eR +hHwm +-----END CERTIFICATE----- diff --git a/test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.key b/test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.key new file mode 100644 index 0000000..358eb4b --- /dev/null +++ b/test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAzit0E7Ia1XJcPhD3YwEi3+jZzwuKP0B1Ylh4J56vM9KhGWrh +t1fb2Y8FcMI1XfFEDVFidHPld9m7xtAzekOI6eY8LdQ5nWE0WhnzwZbgvSZbaRim +TIwhBNj6ViLsVQ26SU2OJ2l/gunn6cS3h3DX10tJ0cGMsFoTYtvewZQx0cl0xGMB +UBBwQnNnxHYy+9K3kS/ozzqWSu6ODRN0cxvkdIPnZtaNgRlUW9hHPju1/TWi3/N9 +HJ5n7lDaKJwCCq11jQT3KB8EiROs7ak0Jtz3+R9yIdVy+wnZy0DADTY8wHcOmvdB +8TvdtgWrE2DF/cZf9QXEQgC6te/73GSY2U0rBwIDAQABAoIBAGVkDVPaVUP/V8nW +QjNYTbRcKTGfdT+iDZht9blWWsdboIqFe7fU53PY2E4Z1HD8xADgs1Cd5o3IcIZX +wdkw+VY+Of43zpXNRhfBh5T/BEtBX9cRnkcq6todcw+FYUB63dBK6cwMH/9b1Qes +DK35GszwY79aNjxMMBiAFM6SeOW4EElPsV8wd9ldX/ndiZuwkZ6k9PfyWrfeeaF+ +EwVf/HaT0bV7cHQ73tYqzKjMpdbzIyaMzuAMGZDwPfLK+O1rEsWvLvK0ypl2Omzw +ndon8U3z0JPNmBGoq+SFS2qtCeOezNX3lPz+TWxG05R5iiFtuK83zJ5qGqCgCNZ6 +qzpZsOECgYEA/NvWqT5MdZS1fdL2wROzFMTH4OBdUGr1Gh/DsNZj4qFVSFl969mA +7Vntm+koNLFsJt2EB67kC3ZWjozLXomHJ55/uKNnJ5LrLxczQ9x4l52CsTzrlvFq +crYjQZDmeN3B4Z+8RSi2icq6j1PeaCZRTvcz6eBjNYj/v/O0SmiXIp8CgYEA0Lsh +fZWuw23a8UXS2YUrXXqfIEdisVMnLRu3Zi0Y1R4lIpuwn5+2n+TxnuWcY1q+ZTMw +dcmGPi6aRj81kEN/Kw5raKoVb6YywTNB4/Dwz7PRQH386FrjfivGXGEEINgbPQ09 +2u0QV2Cr9yMGZ5qNXut70RYewkxjF7+s6L8+RpkCgYB9ikBHgtC/R/fb4pP0RG2T +ECgUtBBgTtomAENOVwL8kBEhfJ0SLcjfDtjzoYz+rF//49cbYW+DaVuMJscJxso9 +l2neJ/KdKUpu9NvVA280B1XN3WsyY+Xv0hIrCWAD/kW2WXJF+/K08twxMPipSOzx +gbZalbdr6vrfOIX4s3jmDQKBgDiXA3Vw53jEh99x9sBSgndNj2bI89DvomdwZECn +aVweWCMR4sjkHDctcvSJe+TT7VqyjijhAixJpjn1WShLpGaf+i7eLgGfJZOLugl6 +gU9OiSTbA35bZeIHLDhPdTcSYBAlTufT7eJCq1zNeicMl9dsMJ13Sc+TtinyJYbU +kqXBAoGBAL9gRa1PkNkpCJ5F9aYSohCAXB7DaAgYvVyvOTQ8Bw2uACPgdnpHmxQd +/sT7qJ1h8ZCtn89Ug/4yx79eUcOImugoCRIUVtq1xhyXUdVl55Tuy5bKBSSAe/Vh +T7sAmryCkzn9ihRziY2j84vK0mdMkCU5AoatPg5l0g1adn5zcY6q +-----END RSA PRIVATE KEY----- diff --git a/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml b/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml new file mode 100644 index 0000000..bffffc1 --- /dev/null +++ b/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml 
@@ -0,0 +1,33 @@ +version: "3" + +services: + + proxy: + image: jwilder/nginx-proxy:test + volumes: + - /var/run/docker.sock:/tmp/docker.sock:ro + - ./certs:/etc/nginx/certs:ro + + web1: + image: web + expose: + - "81" + environment: + WEB_PORTS: "81" + VIRTUAL_HOST: "1.web.nginx-proxy.tld" + web2: + image: web + expose: + - "82" + environment: + WEB_PORTS: "82" + VIRTUAL_HOST: "2.web.nginx-proxy.tld" + + web3_nohttps: + image: web + expose: + - "83" + environment: + WEB_PORTS: "83" + VIRTUAL_HOST: "3.web.nginx-proxy.tld" + HTTPS_METHOD: nohttps \ No newline at end of file diff --git a/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py b/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py new file mode 100644 index 0000000..db18809 --- /dev/null +++ b/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py 
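Review bot: Style: in the new `docker-compose.yml`, `HTTPS_METHOD: nohttps` is the only unquoted environment value while every `WEB_PORTS` and `VIRTUAL_HOST` value is quoted, `web2` is not separated from `web1` by a blank line as the other services are, and the file ends without a trailing newline (`\ No newline at end of file`). Writing it as `HTTPS_METHOD: "nohttps"`, adding the blank line before `web2` and a final newline would make the fixture consistent with itself and with the README in the same directory, which spells the option in backticks as `HTTPS_METHOD=nohttps`.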
@@ -0,0 +1,31 @@ +import pytest +from backports.ssl_match_hostname import CertificateError + + +@pytest.mark.parametrize("subdomain,should_redirect_to_https", [ + (1, True), + (2, True), + (3, False), +]) +def test_http_redirects_to_https(docker_compose, nginxproxy, subdomain, should_redirect_to_https): + r = nginxproxy.get("http://%s.web.nginx-proxy.tld/port" % subdomain) + if should_redirect_to_https: + assert r.history[0].is_redirect + assert r.history[0].headers.get("Location") == "https://%s.web.nginx-proxy.tld/port" % subdomain + assert "answer from port 8%s\n" % subdomain == r.text + + +@pytest.mark.parametrize("subdomain", [1, 2]) +def test_https_get_served(docker_compose, nginxproxy, subdomain): + r = nginxproxy.get("https://%s.web.nginx-proxy.tld/port" % subdomain, allow_redirects=False) + assert r.status_code == 200 + assert "answer from port 8%s\n" % subdomain == r.text + + +def test_web3_https_is_500_and_SSL_validation_fails(docker_compose, nginxproxy): + with pytest.raises(CertificateError) as excinfo: + nginxproxy.get("https://3.web.nginx-proxy.tld/port") + assert """hostname '3.web.nginx-proxy.tld' doesn't match 'nginx-proxy.tld'""" in str(excinfo.value) + + r = nginxproxy.get("https://3.web.nginx-proxy.tld/port", verify=False) + assert r.status_code == 500 From 6fd32b5a9b8675da016533c4dc026d1355a8ea78 Mon Sep 17 00:00:00 2001 From: sischnei Date: Sat, 18 Mar 2017 10:52:43 +0100 Subject: [PATCH 03/10] Updated README to include HTTP/2.0 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9700b1b..0b8191a 100644 --- a/README.md +++ b/README.md 
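Review bot: In `test_http_redirects_to_https` the `should_redirect_to_https=False` case (subdomain 3) never asserts that no redirect happened, so a regression that starts redirecting the `nohttps` container to HTTPS would still pass as long as the final body matches; add `else:` followed by `assert not r.history` after the existing redirect checks. In `test_web3_https_is_500_and_SSL_validation_fails` the `in str(excinfo.value)` check pins the exact wording of the `backports.ssl_match_hostname` message, which is brittle across library versions — checking that `'3.web.nginx-proxy.tld'` and `'nginx-proxy.tld'` each appear in the message keeps the intent (the default cert, not the wildcard one, was served) while tolerating rewording. A one-line docstring on that test saying that the hostname mismatch is the expected evidence that the wildcard cert was not applied to the `nohttps` container would also help the next reader, since the test name alone does not explain why a certificate error is the success condition.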
@@ -31,7 +31,7 @@ This image uses the debian:jessie based nginx image. #### jwilder/nginx-proxy:alpine -This image is based on the nginx:alpine image. +This image is based on the nginx:alpine image. Use this image to fully support HTTP/2 (including ALPN required by recent Chrome versions). A valid certificate is required as well (see eg. below "SSL Support using letsencrypt" for more info). $ docker pull jwilder/nginx-proxy:alpine From 172d79aff48a010c8bfbace70fc3bcd89727f384 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20D=C3=B6ring?= Date: Fri, 7 Apr 2017 12:58:49 +0200 Subject: [PATCH 04/10] Upgrade to nginx 1.11.13 --- Dockerfile | 2 +- Dockerfile.alpine | 2 +- README.md | 2 +- test/certs/create_server_certificate.sh | 26 ++++++++++++------------- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6da4b03..b0c3cf7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.11.10 +FROM nginx:1.11.13 MAINTAINER Jason Wilder mail@jasonwilder.com # Install wget and install/updates certificates diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 8715a2a..b92145c 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM nginx:1.11.10-alpine +FROM nginx:1.11.13-alpine MAINTAINER Jason Wilder mail@jasonwilder.com # Install wget and install/updates certificates diff --git a/README.md b/README.md index 0b8191a..af37350 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -![nginx 1.11.10](https://img.shields.io/badge/nginx-1.11.10-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.11.13](https://img.shields.io/badge/nginx-1.11.13-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. diff --git a/test/certs/create_server_certificate.sh b/test/certs/create_server_certificate.sh index 833b97c..52f728f 100755 --- a/test/certs/create_server_certificate.sh +++ b/test/certs/create_server_certificate.sh @@ -11,7 +11,7 @@ if [[ "$#" -eq 0 ]]; then You can also create certificates for wildcard domains: $(basename $0) '*.my-domain.tdl' - + EOF exit 0 else 
@@ -24,8 +24,8 @@ fi # Create a nginx container (which conveniently provides the `openssl` command) ############################################################################### -CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.11.8) -# Configure openssl +CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.11.13) +# Configure openssl docker exec $CONTAINER bash -c ' mkdir -p /ca/{certs,crl,private,newcerts} 2>/dev/null echo 1000 > /ca/serial @@ -117,7 +117,7 @@ function openssl { } function exitfail { - echo + echo echo ERROR: "$@" docker rm -f $CONTAINER exit 1 @@ -129,15 +129,15 @@ function exitfail { ############################################################################### if ! [[ -f "$DIR/ca-root.key" ]]; then - echo + echo echo "> Create a Certificate Authority root key: $DIR/ca-root.key" openssl genrsa -out ca-root.key 2048 [[ $? -eq 0 ]] || exitfail failed to generate CA root key fi -# Create a CA root certificate +# Create a CA root certificate if ! [[ -f "$DIR/ca-root.crt" ]]; then - echo + echo echo "> Create a CA root certificate: $DIR/ca-root.crt" openssl req -config /ca/openssl.cnf \ -key ca-root.key \ 
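Review bot: The rewritten `CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.11.13)` line in the `@@ -24,8 +24,8` hunk pins the nginx image tag a second time, independently of the two Dockerfiles, and the value it replaces (`1.11.8`, while the Dockerfiles were at `1.11.10`) shows this copy had already drifted; a comment on that line such as `# keep in sync with the FROM line in Dockerfile and Dockerfile.alpine`, or taking the tag from an environment variable with this value as the default, would make the next bump harder to miss. While touching the line, `$DIR` is unquoted in the volume argument whereas `$ALTERNATE_DOMAINS` is quoted; `-v "$DIR:/work"` keeps a directory path with spaces from splitting into separate arguments. The remaining hunks in this file only strip trailing whitespace.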
@@ -154,30 +154,30 @@ fi # create server key and certificate signed by the certificate authority ############################################################################### -echo +echo echo "> Create a host key: $DIR/$DOMAIN.key" openssl genrsa -out "$DOMAIN.key" 2048 -echo +echo echo "> Create a host certificate signing request" SAN="$ALTERNATE_DOMAINS" openssl req -config /ca/openssl.cnf \ -key "$DOMAIN.key" \ - -new -out "/ca/$DOMAIN.csr" -days 1000 -extensions san_env -subj "/CN=$DOMAIN" + -new -out "/ca/$DOMAIN.csr" -days 1000 -extensions san_env -subj "/CN=$DOMAIN" [[ $? -eq 0 ]] || exitfail failed to generate server certificate signing request -echo +echo echo "> Create server certificate: $DIR/$DOMAIN.crt" SAN="$ALTERNATE_DOMAINS" openssl ca -config /ca/openssl.cnf -batch \ -extensions server_cert \ -extensions san_env \ -in "/ca/$DOMAIN.csr" \ - -out "$DOMAIN.crt" + -out "$DOMAIN.crt" [[ $? -eq 0 ]] || exitfail failed to generate server certificate # Verify host certificate -#openssl x509 -noout -text -in "$DOMAIN.crt" +#openssl x509 -noout -text -in "$DOMAIN.crt" docker rm -f $CONTAINER >/dev/null From cf888173550e9459a9cd49799c7d1c90bc7ffa27 Mon Sep 17 00:00:00 2001 From: Naglis Jonaitis Date: Tue, 11 Apr 2017 11:43:47 +0300 Subject: [PATCH 05/10] DOC: fixed typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index af37350..c41c426 100644 --- a/README.md +++ b/README.md @@ -103,7 +103,7 @@ If you would like the reverse proxy to connect to your backend using HTTPS inste ### uWSGI Backends If you would like to connect to uWSGI backend, set `VIRTUAL_PROTO=uwsgi` on the -backend container. Your backend container should than listen on a port rather +backend container. Your backend container should then listen on a port rather than a socket and expose that port. ### Default Host From f2487741dc526ed979d1e0565f4cc8a976f710d1 Mon Sep 17 00:00:00 2001 
From: Roberto Alvarez Date: Wed, 3 May 2017 11:06:34 -0500 Subject: [PATCH 06/10] Fix README typo Fixed a small typo/error with "the a" host --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c41c426..0dc42f4 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ Then start any containers you want proxied with an env var `VIRTUAL_HOST=subdoma The containers being proxied must [expose](https://docs.docker.com/engine/reference/run/#expose-incoming-ports) the port to be proxied, either by using the `EXPOSE` directive in their `Dockerfile` or by using the `--expose` flag to `docker run` or `docker create`. -Provided your DNS is setup to forward foo.bar.com to the a host running nginx-proxy, the request will be routed to a container with the VIRTUAL_HOST env var set. +Provided your DNS is setup to forward foo.bar.com to the host running nginx-proxy, the request will be routed to a container with the VIRTUAL_HOST env var set. ### Image variants From 2c4102d39627b2fc539cec01b04c1027abbfb01e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20H=C3=BCske?= Date: Thu, 4 May 2017 18:57:00 +0200 Subject: [PATCH 07/10] Upgrade to 1.13.0 --- Dockerfile | 2 +- Dockerfile.alpine | 2 +- README.md | 2 +- test/certs/create_server_certificate.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index b0c3cf7..f8f76a1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.11.13 +FROM nginx:1.13.0 MAINTAINER Jason Wilder mail@jasonwilder.com # Install wget and install/updates certificates diff --git a/Dockerfile.alpine b/Dockerfile.alpine index b92145c..b7443f0 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM nginx:1.11.13-alpine +FROM nginx:1.13.0-alpine MAINTAINER Jason Wilder mail@jasonwilder.com # Install wget and install/updates certificates diff --git a/README.md b/README.md index 0dc42f4..34ef8fb 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -![nginx 1.11.13](https://img.shields.io/badge/nginx-1.11.13-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.13.0](https://img.shields.io/badge/nginx-1.13.0-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. diff --git a/test/certs/create_server_certificate.sh b/test/certs/create_server_certificate.sh index 52f728f..adacb5e 100755 --- a/test/certs/create_server_certificate.sh +++ b/test/certs/create_server_certificate.sh @@ -24,7 +24,7 @@ fi # Create a nginx container (which conveniently provides the `openssl` command) ############################################################################### -CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.11.13) +CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.13.0) # Configure openssl docker exec $CONTAINER bash -c ' mkdir -p /ca/{certs,crl,private,newcerts} 2>/dev/null From 4e4733f68e0fa44b0cb686d9046b7cf62c210d00 Mon Sep 17 00:00:00 2001 
From: Jason Wilder Date: Fri, 9 Jun 2017 12:55:39 -0600 Subject: [PATCH 08/10] Trim $host and $proto before they are used --- nginx.tmpl | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/nginx.tmpl b/nginx.tmpl index a5b1d32..b340473 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -99,10 +99,14 @@ server { {{ end }} {{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }} + +{{ $host := trim $host }} {{ $is_regexp := hasPrefix "~" $host }} {{ $upstream_name := when $is_regexp (sha1 $host) $host }} + # {{ $host }} upstream {{ $upstream_name }} { + {{ range $container := $containers }} {{ $addrLen := len $container.Addresses }} @@ -131,7 +135,7 @@ upstream {{ $upstream_name }} { {{ $default_server := index (dict $host "" $default_host "default_server") $host }} {{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}} -{{ $proto := or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http" }} +{{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }} {{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}} {{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }} @@ -205,6 +209,7 @@ server { {{ else }} proxy_pass {{ trim $proto }}://{{ trim $upstream_name }}; {{ end }} + {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} auth_basic "Restricted {{ $host }}"; auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; From 1867228ccee886090bd24061c06080618fa952d3 Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 12 Jun 2017 15:59:55 +0800 Subject: [PATCH 09/10] fix worker_processes to "auto" --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index f8f76a1..88a4c75 100644 --- a/Dockerfile +++ b/Dockerfile 
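Review bot: `$https_method`, defined on the line right after the newly trimmed `$proto` in the `@@ -131,7 +135,7` hunk, is still taken untrimmed from `Env.HTTPS_METHOD`, so a value carrying stray whitespace (for example `nohttps ` from a quoted compose entry) would presumably miss whatever equality checks the template applies to it further down, which is the class of problem the trimming of `$host` and `$proto` in this commit addresses; apply the same treatment: `{{ $https_method := trim (or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect") }}`. With `$proto` now trimmed where it is assigned, the `trim $proto` inside the `proxy_pass` line of the `@@ -205,6 +209,7` hunk is redundant and could be dropped so the template does not suggest two different sources of truth. The `range $host, $containers` block these hunks sit in begins and ends outside the hunks.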
@@ -11,7 +11,8 @@ RUN apt-get update \ # Configure Nginx and apply fix for very long server names RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ - && sed -i 's/^http {/&\n server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf + && sed -i 's/^http {/&\n server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf \ + && sed -i 's/worker_processes 1/worker_processes auto/' /etc/nginx/nginx.conf # Install Forego ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego From a3cd96ead45911b27c3f20ab6cb0c092b466b366 Mon Sep 17 00:00:00 2001 From: neil Date: Tue, 13 Jun 2017 09:11:27 +0800 Subject: [PATCH 10/10] alpine fix worker_processes to "auto" --- Dockerfile.alpine | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile.alpine b/Dockerfile.alpine index b7443f0..b70b8bb 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -8,7 +8,8 @@ RUN apk add --no-cache --virtual .run-deps \ # Configure Nginx and apply fix for very long server names RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ - && sed -i 's/^http {/&\n server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf + && sed -i 's/^http {/&\n server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf \ + && sed -i 's/worker_processes 1/worker_processes auto/' /etc/nginx/nginx.conf # Install Forego ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego
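Review bot: The added `sed -i 's/worker_processes 1/worker_processes auto/' /etc/nginx/nginx.conf` in this Dockerfile hunk and in the Dockerfile.alpine hunk of the next patch succeeds silently when the pattern is absent — if a later base image writes the directive with different spacing or already uses another value, the build passes and the setting is left unchanged with nothing to show for it. Anchoring on the directive rather than on its current value, `sed -i 's/^worker_processes .*;/worker_processes auto;/' /etc/nginx/nginx.conf \`, covers those layouts, and a following `&& grep -q '^worker_processes auto;' /etc/nginx/nginx.conf` turns a missed substitution into a build failure instead of a silent no-op. The `RUN` instruction starts on the `RUN echo "daemon off;"` line inside the hunk, so both additions fit in the same chained command.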