thib8956/nginx-proxy
1
0
Fork 0
mirror of https://github.com/thib8956/nginx-proxy synced 2024-11-22 11:56:31 +00:00
Code Issues Releases Wiki Activity

Merged conflict in BATS SSL test

Browse Source
This commit is contained in:
Steve Kamerman 2017-01-26 13:46:11 -05:00
commit d320b43476
3 changed files with 36 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
README.md
View File

@ -197,12 +197,13 @@ a 503.
To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the
environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also
disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. `HTTPS_METHOD` must be specified disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with
on each container for which you want to override the default behavior. If `HTTPS_METHOD=noredirect` is `HTTPS_METHOD=nohttps`. `HTTPS_METHOD` must be specified on each container for which you want to
used, Strict Transport Security (HSTS) is disabled to prevent HTTPS users from being redirected by the override the default behavior. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS)
client. If you cannot get to the HTTP site after changing this setting, your browser has probably cached is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP
the HSTS policy and is automatically redirecting you back to HTTPS. You will need to clear your browser's site after changing this setting, your browser has probably cached the HSTS policy and is automatically
HSTS cache or use an incognito window / different browser. redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito
window / different browser.
### Basic Authentication Support ### Basic Authentication Support

2
nginx.tmpl
View File

@ -147,7 +147,7 @@ upstream {{ $upstream_name }} {
{{/* Use the cert specified on the container or fallback to the best vhost match */}} {{/* Use the cert specified on the container or fallback to the best vhost match */}}
{{ $cert := (coalesce $certName $vhostCert) }} {{ $cert := (coalesce $certName $vhostCert) }}
{{ $is_https := (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }} {{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
{{ if $is_https }} {{ if $is_https }}

33
test/ssl.bats
View File

@ -17,7 +17,7 @@ function setup {
@test "[$TEST_FILE] test SSL for VIRTUAL_HOST=*.nginx-proxy.bats" { @test "[$TEST_FILE] test SSL for VIRTUAL_HOST=*.nginx-proxy.bats" {
# WHEN # WHEN
prepare_web_container bats-ssl-hosts-1 "80 443" \ prepare_web_container bats-ssl-hosts-1 "80" \
-e VIRTUAL_HOST=*.nginx-proxy.bats \ -e VIRTUAL_HOST=*.nginx-proxy.bats \
-e CERT_NAME=nginx-proxy.bats -e CERT_NAME=nginx-proxy.bats
dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1 dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1
@ -30,7 +30,7 @@ function setup {
@test "[$TEST_FILE] test HTTPS_METHOD=nohttp" { @test "[$TEST_FILE] test HTTPS_METHOD=nohttp" {
# WHEN # WHEN
prepare_web_container bats-ssl-hosts-2 "80 443" \ prepare_web_container bats-ssl-hosts-2 "80" \
-e VIRTUAL_HOST=*.nginx-proxy.bats \ -e VIRTUAL_HOST=*.nginx-proxy.bats \
-e CERT_NAME=nginx-proxy.bats \ -e CERT_NAME=nginx-proxy.bats \
-e HTTPS_METHOD=nohttp -e HTTPS_METHOD=nohttp
@ -44,7 +44,7 @@ function setup {
@test "[$TEST_FILE] test HTTPS_METHOD=noredirect" { @test "[$TEST_FILE] test HTTPS_METHOD=noredirect" {
# WHEN # WHEN
prepare_web_container bats-ssl-hosts-3 "80 443" \ prepare_web_container bats-ssl-hosts-3 "80" \
-e VIRTUAL_HOST=*.nginx-proxy.bats \ -e VIRTUAL_HOST=*.nginx-proxy.bats \
-e CERT_NAME=nginx-proxy.bats \ -e CERT_NAME=nginx-proxy.bats \
-e HTTPS_METHOD=noredirect -e HTTPS_METHOD=noredirect
@ -58,7 +58,7 @@ function setup {
@test "[$TEST_FILE] test SSL Strict-Transport-Security" { @test "[$TEST_FILE] test SSL Strict-Transport-Security" {
# WHEN # WHEN
prepare_web_container bats-ssl-hosts-4 "80 443" \ prepare_web_container bats-ssl-hosts-4 "80" \
-e VIRTUAL_HOST=*.nginx-proxy.bats \ -e VIRTUAL_HOST=*.nginx-proxy.bats \
-e CERT_NAME=nginx-proxy.bats -e CERT_NAME=nginx-proxy.bats
dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-4 dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-4
@ -72,7 +72,7 @@ function setup {
@test "[$TEST_FILE] test HTTPS_METHOD=noredirect disables Strict-Transport-Security" { @test "[$TEST_FILE] test HTTPS_METHOD=noredirect disables Strict-Transport-Security" {
# WHEN # WHEN
prepare_web_container bats-ssl-hosts-5 "80 443" \ prepare_web_container bats-ssl-hosts-5 "80" \
-e VIRTUAL_HOST=*.nginx-proxy.bats \ -e VIRTUAL_HOST=*.nginx-proxy.bats \
-e CERT_NAME=nginx-proxy.bats \ -e CERT_NAME=nginx-proxy.bats \
-e HTTPS_METHOD=noredirect -e HTTPS_METHOD=noredirect
@ -85,6 +85,20 @@ function setup {
refute_output -p "Strict-Transport-Security: max-age=31536000" refute_output -p "Strict-Transport-Security: max-age=31536000"
} }
@test "[$TEST_FILE] test HTTPS_METHOD=nohttps" {
# WHEN
prepare_web_container bats-ssl-hosts-6 "80" \
-e VIRTUAL_HOST=*.nginx-proxy.bats \
-e CERT_NAME=nginx-proxy.bats \
-e HTTPS_METHOD=nohttps
dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-6
sleep 1
# THEN
assert_down_https test.nginx-proxy.bats
assert_200 test.nginx-proxy.bats
}
@test "[$TEST_FILE] stop all bats containers" { @test "[$TEST_FILE] stop all bats containers" {
stop_bats_containers stop_bats_containers
} }
@ -117,6 +131,15 @@ function assert_301 {
assert_output -l 0 $'HTTP/1.1 301 Moved Permanently\r' assert_output -l 0 $'HTTP/1.1 301 Moved Permanently\r'
} }
# assert that querying nginx-proxy with the given Host header fails because the host is down
# $1 Host HTTP header to use when querying nginx-proxy
function assert_down_https {
local -r host=$1
run curl_container_https $SUT_CONTAINER / --head --header "Host: $host"
assert_failure
}
# assert that querying nginx-proxy with the given Host header produces a `HTTP 200` response # assert that querying nginx-proxy with the given Host header produces a `HTTP 200` response
# $1 Host HTTP header to use when querying nginx-proxy # $1 Host HTTP header to use when querying nginx-proxy
function assert_200_https { function assert_200_https {