From 7a769a6a22ac2ea28d084c11bb25b48881234b28 Mon Sep 17 00:00:00 2001 From: b1f6c1c4 Date: Tue, 20 Feb 2018 17:59:52 +0800 Subject: [PATCH 1/3] Add HSTS header regardless of status code See nginx [doc](http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header) and [blog](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/). --- nginx.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.tmpl b/nginx.tmpl index 726c74b..bbb9b37 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -260,7 +260,7 @@ server { {{ end }} {{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }} - add_header Strict-Transport-Security "{{ trim $hsts }}"; + add_header Strict-Transport-Security "{{ trim $hsts }}" always; {{ end }} {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} From c1ae91364c25a9722f19e66e5360eddf61642b8a Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Mon, 26 Mar 2018 14:57:50 -0400 Subject: [PATCH 2/3] Added endpoint to allow testing alternate response codes --- test/requirements/web/webserver.py | 37 ++++++++++++++++++------------ 1 file changed, 22 insertions(+), 15 deletions(-) diff --git a/test/requirements/web/webserver.py b/test/requirements/web/webserver.py index 305c207..9334657 100755 --- a/test/requirements/web/webserver.py +++ b/test/requirements/web/webserver.py @@ -1,28 +1,35 @@ #!/usr/bin/env python3 -import os, sys +import os, sys, re import http.server import socketserver - class Handler(http.server.SimpleHTTPRequestHandler): def do_GET(self): - - self.send_response(200) + + response_body = "" + response_code = 200 + + if self.path == "/headers": + response_body += self.headers.as_string() + elif self.path == "/port": + response_body += "answer from port %s\n" % PORT + elif re.match("/status/(\d+)", self.path): + result = re.match("/status/(\d+)", self.path) + response_code = int(result.group(1)) + response_body += "answer with response code %s\n" % response_code + elif self.path == "/": + response_body += "I'm %s\n" % os.environ['HOSTNAME'] + else: + response_body += "No route for this path!\n" + response_code = 404 + + self.send_response(response_code) self.send_header("Content-Type", "text/plain") self.end_headers() - if self.path == "/headers": - self.wfile.write(self.headers.as_string().encode()) - elif self.path == "/port": - response = "answer from port %s\n" % PORT - self.wfile.write(response.encode()) - elif self.path == "/": - response = "I'm %s\n" % os.environ['HOSTNAME'] - self.wfile.write(response.encode()) - else: - self.wfile.write("No route for this path!\n".encode()) - + if (len(response_body)): + self.wfile.write(response_body.encode()) if __name__ == '__main__': PORT = int(sys.argv[1]) From 3590c1bae00df9a00f0d258282668b36d0380eef Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Mon, 26 Mar 2018 14:58:06 -0400 Subject: [PATCH 3/3] Added regression test to ensure HSTS works for errors --- test/test_ssl/test_hsts.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/test/test_ssl/test_hsts.py b/test/test_ssl/test_hsts.py index 180f274..554d79a 100644 --- a/test/test_ssl/test_hsts.py +++ b/test/test_ssl/test_hsts.py @@ -7,6 +7,13 @@ def test_web1_HSTS_default(docker_compose, nginxproxy): assert "Strict-Transport-Security" in r.headers assert "max-age=31536000" == r.headers["Strict-Transport-Security"] +# Regression test to ensure HSTS is enabled even when the upstream sends an error in response +# Issue #1073 https://github.com/jwilder/nginx-proxy/pull/1073 +def test_web1_HSTS_error(docker_compose, nginxproxy): + r = nginxproxy.get("https://web1.nginx-proxy.tld/status/500", allow_redirects=False) + assert "Strict-Transport-Security" in r.headers + assert "max-age=31536000" == r.headers["Strict-Transport-Security"] + def test_web2_HSTS_off(docker_compose, nginxproxy): r = nginxproxy.get("https://web2.nginx-proxy.tld/port", allow_redirects=False) assert "answer from port 81\n" in r.text