1
0
mirror of https://github.com/thib8956/nginx-proxy synced 2025-10-26 06:39:20 +00:00

Merge branch 'master' into ssl-modern

This commit is contained in:
Nicolas Duchon
2017-11-16 22:47:25 +01:00
committed by GitHub
8 changed files with 68 additions and 6 deletions

View File

@@ -1,5 +1,5 @@
FROM nginx:1.13 FROM nginx:1.13
MAINTAINER Jason Wilder mail@jasonwilder.com LABEL maintainer="Jason Wilder mail@jasonwilder.com"
# Install wget and install/updates certificates # Install wget and install/updates certificates
RUN apt-get update \ RUN apt-get update \

View File

@@ -1,5 +1,5 @@
FROM nginx:1.13-alpine FROM nginx:1.13-alpine
MAINTAINER Jason Wilder mail@jasonwilder.com LABEL maintainer="Jason Wilder mail@jasonwilder.com"
# Install wget and install/updates certificates # Install wget and install/updates certificates
RUN apk add --no-cache --virtual .run-deps \ RUN apk add --no-cache --virtual .run-deps \

View File

@@ -272,6 +272,13 @@ site after changing this setting, your browser has probably cached the HSTS poli
redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito
window / different browser. window / different browser.
By default, [HTTP Strict Transport Security (HSTS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)
is enabled with `max-age=31536000` for HTTPS sites. You can disable HSTS with the environment variable
`HSTS=off` or use a custom HSTS configuration like `HSTS=max-age=31536000; includeSubDomains; preload`.
*WARNING*: HSTS will force your users to visit the HTTPS version of your site for the `max-age` time -
even if they type in `http://` manually. The only way to get to an HTTP site after receiving an HSTS
response is to clear your browser's HSTS cache.
### Basic Authentication Support ### Basic Authentication Support
In order to be able to secure your virtual host, you have to create a file named as its equivalent VIRTUAL_HOST variable on directory In order to be able to secure your virtual host, you have to create a file named as its equivalent VIRTUAL_HOST variable on directory

View File

@@ -161,6 +161,9 @@ upstream {{ $upstream_name }} {
{{/* Get the MODERN_SSL defined by containers w/ the same vhost, falling back to "false" */}} {{/* Get the MODERN_SSL defined by containers w/ the same vhost, falling back to "false" */}}
{{ $modern_ssl := or (first (groupByKeys $containers "Env.MODERN_SSL")) "false" }} {{ $modern_ssl := or (first (groupByKeys $containers "Env.MODERN_SSL")) "false" }}
{{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}}
{{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }}
{{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}} {{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
{{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }} {{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
@@ -233,8 +236,8 @@ server {
ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.crt" $cert }}; ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.crt" $cert }};
{{ end }} {{ end }}
{{ if (ne $https_method "noredirect") }} {{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }}
add_header Strict-Transport-Security "max-age=31536000"; add_header Strict-Transport-Security "{{ trim $hsts }}";
{{ end }} {{ end }}
{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}

View File

@@ -89,5 +89,5 @@ def test_web5_dhparam_is_used(docker_compose):
host = "%s:443" % sut_container.attrs["NetworkSettings"]["IPAddress"] host = "%s:443" % sut_container.attrs["NetworkSettings"]["IPAddress"]
r = subprocess.check_output( r = subprocess.check_output(
"echo '' | openssl s_client -verify 0 -connect %s -cipher 'EDH' | grep 'Server Temp Key'" % host, shell=True) "echo '' | openssl s_client -connect %s -cipher 'EDH' | grep 'Server Temp Key'" % host, shell=True)
assert "Server Temp Key: DH, 2048 bits\n" == r assert "Server Temp Key: DH, 2048 bits\n" == r

View File

@@ -0,0 +1,19 @@
import pytest
def test_web1_HSTS_default(docker_compose, nginxproxy):
r = nginxproxy.get("https://web1.nginx-proxy.tld/port", allow_redirects=False)
assert "answer from port 81\n" in r.text
assert "Strict-Transport-Security" in r.headers
assert "max-age=31536000" == r.headers["Strict-Transport-Security"]
def test_web2_HSTS_off(docker_compose, nginxproxy):
r = nginxproxy.get("https://web2.nginx-proxy.tld/port", allow_redirects=False)
assert "answer from port 81\n" in r.text
assert "Strict-Transport-Security" not in r.headers
def test_web3_HSTS_custom(docker_compose, nginxproxy):
r = nginxproxy.get("https://web3.nginx-proxy.tld/port", allow_redirects=False)
assert "answer from port 81\n" in r.text
assert "Strict-Transport-Security" in r.headers
assert "max-age=86400; includeSubDomains; preload" == r.headers["Strict-Transport-Security"]

View File

@@ -0,0 +1,32 @@
web1:
image: web
expose:
- "81"
environment:
WEB_PORTS: "81"
VIRTUAL_HOST: "web1.nginx-proxy.tld"
web2:
image: web
expose:
- "81"
environment:
WEB_PORTS: "81"
VIRTUAL_HOST: "web2.nginx-proxy.tld"
HSTS: "off"
web3:
image: web
expose:
- "81"
environment:
WEB_PORTS: "81"
VIRTUAL_HOST: "web3.nginx-proxy.tld"
HSTS: "max-age=86400; includeSubDomains; preload"
sut:
image: jwilder/nginx-proxy:test
volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro
- ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
- ./certs:/etc/nginx/certs:ro

View File

@@ -1,5 +1,6 @@
import pytest import pytest
from backports.ssl_match_hostname import CertificateError from backports.ssl_match_hostname import CertificateError
from requests.exceptions import SSLError
@pytest.mark.parametrize("subdomain,should_redirect_to_https", [ @pytest.mark.parametrize("subdomain,should_redirect_to_https", [
@@ -23,7 +24,7 @@ def test_https_get_served(docker_compose, nginxproxy, subdomain):
def test_web3_https_is_500_and_SSL_validation_fails(docker_compose, nginxproxy): def test_web3_https_is_500_and_SSL_validation_fails(docker_compose, nginxproxy):
with pytest.raises(CertificateError) as excinfo: with pytest.raises( (CertificateError, SSLError) ) as excinfo:
nginxproxy.get("https://3.web.nginx-proxy.tld/port") nginxproxy.get("https://3.web.nginx-proxy.tld/port")
assert """hostname '3.web.nginx-proxy.tld' doesn't match 'nginx-proxy.tld'""" in str(excinfo.value) assert """hostname '3.web.nginx-proxy.tld' doesn't match 'nginx-proxy.tld'""" in str(excinfo.value)