thib8956/nginx-proxy
1
0
Fork 0
mirror of https://github.com/thib8956/nginx-proxy synced 2024-11-22 03:46:29 +00:00
Code Issues Releases Wiki Activity

Merge pull request #1073 from b1f6c1c4/b1f6c1c4-patch-1

Browse Source 
Add HSTS header regardless of status code
This commit is contained in:
Jason Wilder 2018-03-30 17:34:02 -04:00 committed by GitHub
commit ccbbbeb928
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 30 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nginx.tmpl
View File

@ -263,7 +263,7 @@ server {
{{ end }} {{ end }}
{{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }} {{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }}
add_header Strict-Transport-Security "{{ trim $hsts }}"; add_header Strict-Transport-Security "{{ trim $hsts }}" always;
{{ end }} {{ end }}
{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}

37
test/requirements/web/webserver.py
View File

@ -1,28 +1,35 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
import os, sys import os, sys, re
import http.server import http.server
import socketserver import socketserver
class Handler(http.server.SimpleHTTPRequestHandler): class Handler(http.server.SimpleHTTPRequestHandler):
def do_GET(self): def do_GET(self):
self.send_response(200) response_body = ""
response_code = 200
if self.path == "/headers":
response_body += self.headers.as_string()
elif self.path == "/port":
response_body += "answer from port %s\n" % PORT
elif re.match("/status/(\d+)", self.path):
result = re.match("/status/(\d+)", self.path)
response_code = int(result.group(1))
response_body += "answer with response code %s\n" % response_code
elif self.path == "/":
response_body += "I'm %s\n" % os.environ['HOSTNAME']
else:
response_body += "No route for this path!\n"
response_code = 404
self.send_response(response_code)
self.send_header("Content-Type", "text/plain") self.send_header("Content-Type", "text/plain")
self.end_headers() self.end_headers()
if self.path == "/headers": if (len(response_body)):
self.wfile.write(self.headers.as_string().encode()) self.wfile.write(response_body.encode())
elif self.path == "/port":
response = "answer from port %s\n" % PORT
self.wfile.write(response.encode())
elif self.path == "/":
response = "I'm %s\n" % os.environ['HOSTNAME']
self.wfile.write(response.encode())
else:
self.wfile.write("No route for this path!\n".encode())
if __name__ == '__main__': if __name__ == '__main__':
PORT = int(sys.argv[1]) PORT = int(sys.argv[1])

7
test/test_ssl/test_hsts.py
View File

@ -7,6 +7,13 @@ def test_web1_HSTS_default(docker_compose, nginxproxy):
assert "Strict-Transport-Security" in r.headers assert "Strict-Transport-Security" in r.headers
assert "max-age=31536000" == r.headers["Strict-Transport-Security"] assert "max-age=31536000" == r.headers["Strict-Transport-Security"]
# Regression test to ensure HSTS is enabled even when the upstream sends an error in response
# Issue #1073 https://github.com/jwilder/nginx-proxy/pull/1073
def test_web1_HSTS_error(docker_compose, nginxproxy):
r = nginxproxy.get("https://web1.nginx-proxy.tld/status/500", allow_redirects=False)
assert "Strict-Transport-Security" in r.headers
assert "max-age=31536000" == r.headers["Strict-Transport-Security"]
def test_web2_HSTS_off(docker_compose, nginxproxy): def test_web2_HSTS_off(docker_compose, nginxproxy):
r = nginxproxy.get("https://web2.nginx-proxy.tld/port", allow_redirects=False) r = nginxproxy.get("https://web2.nginx-proxy.tld/port", allow_redirects=False)
assert "answer from port 81\n" in r.text assert "answer from port 81\n" in r.text