From 374b1256cd3fbc9a7d131023b052b45c105e1bb4 Mon Sep 17 00:00:00 2001
From: Steve Kamerman
Date: Sat, 1 Oct 2016 11:22:48 -0400
Subject: [PATCH 1/2] Add HTTPS_METHOD=https to disable SSL site

---
 nginx.tmpl    |  2 +-
 test/ssl.bats | 32 +++++++++++++++++++++++++++-----
 2 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/nginx.tmpl b/nginx.tmpl
index 9eb9520..3d2c1b8 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -125,7 +125,7 @@ upstream {{ $host }} {
 {{/* Use the cert specified on the container or fallback to the best vhost match */}}
 {{ $cert := (coalesce $certName $vhostCert) }}
 
-{{ $is_https := (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
+{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
 
 {{ if $is_https }}
 
diff --git a/test/ssl.bats b/test/ssl.bats
index e7e0eae..b832a0a 100644
--- a/test/ssl.bats
+++ b/test/ssl.bats
@@ -17,7 +17,7 @@ function setup {
 
 @test "[$TEST_FILE] test SSL for VIRTUAL_HOST=*.nginx-proxy.bats" {
   # WHEN
-  prepare_web_container bats-ssl-hosts-1 "80 443" \
+  prepare_web_container bats-ssl-hosts-1 "80" \
     -e VIRTUAL_HOST=*.nginx-proxy.bats \
     -e CERT_NAME=nginx-proxy.bats
   dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1
@@ -30,7 +30,7 @@ function setup {
 
 @test "[$TEST_FILE] test HTTPS_METHOD=nohttp" {
   # WHEN
-  prepare_web_container bats-ssl-hosts-2 "80 443" \
+  prepare_web_container bats-ssl-hosts-2 "80" \
     -e VIRTUAL_HOST=*.nginx-proxy.bats \
     -e CERT_NAME=nginx-proxy.bats \
     -e HTTPS_METHOD=nohttp
@@ -44,7 +44,7 @@ function setup {
 
 @test "[$TEST_FILE] test HTTPS_METHOD=noredirect" {
   # WHEN
-  prepare_web_container bats-ssl-hosts-3 "80 443" \
+  prepare_web_container bats-ssl-hosts-3 "80" \
     -e VIRTUAL_HOST=*.nginx-proxy.bats \
     -e CERT_NAME=nginx-proxy.bats \
     -e HTTPS_METHOD=noredirect
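Review bot: The new `nohttps` value consulted on the `$is_https` line differs from the existing `nohttp` by one trailing character while having the opposite effect (HTTP-only versus, per the README context, no non-SSL site), so a mis-typed value silently moves a host between the two modes without any error. A template comment above the assignment would make that explicit, e.g. `{{/* HTTPS_METHOD=nohttps serves this vhost over plain HTTP only, even when a matching cert exists; not to be confused with nohttp */}}`. The hunk assumes `$https_method` is already defined earlier in the template; that definition is outside the hunk, so its default could not be confirmed here, and what port 443 answers for such a host afterwards also depends on template code outside the hunk. Separately, the patch subject says `HTTPS_METHOD=https` where the template and README use `nohttps`.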
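Review bot: Dropping `443` from the port list passed to `prepare_web_container` changes what every SSL test backend exposes, yet neither the subject nor the test names mention it; it reads as unrelated cleanup (presumably the proxy rather than the backend terminates TLS in these tests, which the hunk does not show) and would be clearer as its own commit or as a line in the commit message. The same edit appears in the hunks at -30, -44, -58 and -72.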
@@ -58,7 +58,7 @@ function setup {
 
 @test "[$TEST_FILE] test SSL Strict-Transport-Security" {
   # WHEN
-  prepare_web_container bats-ssl-hosts-4 "80 443" \
+  prepare_web_container bats-ssl-hosts-4 "80" \
     -e VIRTUAL_HOST=*.nginx-proxy.bats \
     -e CERT_NAME=nginx-proxy.bats
   dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1
@@ -72,7 +72,7 @@ function setup {
 
 @test "[$TEST_FILE] test HTTPS_METHOD=noredirect disables Strict-Transport-Security" {
   # WHEN
-  prepare_web_container bats-ssl-hosts-5 "80 443" \
+  prepare_web_container bats-ssl-hosts-5 "80" \
     -e VIRTUAL_HOST=*.nginx-proxy.bats \
     -e CERT_NAME=nginx-proxy.bats \
     -e HTTPS_METHOD=noredirect
@@ -85,6 +85,19 @@ function setup {
   refute_output -p "Strict-Transport-Security: max-age=31536000"
 }
 
+@test "[$TEST_FILE] test HTTPS_METHOD=nohttps" {
+  # WHEN
+  prepare_web_container bats-ssl-hosts-6 "80" \
+    -e VIRTUAL_HOST=*.nginx-proxy.bats \
+    -e CERT_NAME=nginx-proxy.bats \
+    -e HTTPS_METHOD=nohttps
+  dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-6
+  sleep 1
+
+  # THEN
+  assert_down_https test.nginx-proxy.bats
+  assert_200 test.nginx-proxy.bats
+}
 
 @test "[$TEST_FILE] stop all bats containers" {
   stop_bats_containers
@@ -118,6 +131,15 @@ function assert_301 {
   assert_output -l 0 $'HTTP/1.1 301 Moved Permanently\r'
 }
 
+# assert that querying nginx-proxy with the given Host header fails because the host is down
+# $1 Host HTTP header to use when querying nginx-proxy
+function assert_down_https {
+  local -r host=$1
+
+  run curl_container_https $SUT_CONTAINER / --head --header "Host: $host"
+  assert_failure
+}
+
 # assert that querying nginx-proxy with the given Host header produces a `HTTP 200` response
 # $1 Host HTTP header to use when querying nginx-proxy
 function assert_200_https {

From 8cf0b75d80a0f119801c6a88b854e0f08ae180c1 Mon Sep 17 00:00:00 2001
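Review bot: `assert_failure` with no argument accepts any non-zero exit from `curl_container_https`, so `assert_down_https` also passes when the proxy container is unreachable or name resolution fails, not only when the HTTPS vhost is absent; pinning the expected status (`assert_failure <curl exit code observed for a missing vhost>`) or additionally asserting on the error output would tie the check to the behaviour under test. The header comment says the host "is down", which overstates what is verified; suggest `# assert that an HTTPS request to nginx-proxy with the given Host header fails (no HTTPS vhost answers for it)`. The new `HTTPS_METHOD=nohttps` test in the hunk at -85 is the only caller and inherits this looseness.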
From: Steve Kamerman
Date: Sat, 1 Oct 2016 11:25:11 -0400
Subject: [PATCH 2/2] Updated README with HTTPS_METHOD=nohttps

---
 README.md | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 52ab6e4..b93078a 100644
--- a/README.md
+++ b/README.md
@@ -178,12 +178,13 @@ a 503.
 
 To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the
 environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also
-disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. `HTTPS_METHOD` must be specified
-on each container for which you want to override the default behavior. If `HTTPS_METHOD=noredirect` is
-used, Strict Transport Security (HSTS) is disabled to prevent HTTPS users from being redirected by the
-client. If you cannot get to the HTTP site after changing this setting, your browser has probably cached
-the HSTS policy and is automatically redirecting you back to HTTPS. You will need to clear your browser's
-HSTS cache or use an incognito window / different browser.
+disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with
+`HTTPS_METHOD=nohttps`. `HTTPS_METHOD` must be specified on each container for which you want to
+override the default behavior. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS)
+is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP
+site after changing this setting, your browser has probably cached the HSTS policy and is automatically
+redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito
+window / different browser.
 
 ### Basic Authentication Support
 