mirror of
https://github.com/thib8956/nginx-proxy
synced 2024-11-22 03:46:29 +00:00
Merge branch 'master' into ssl-modern
This commit is contained in:
commit
ea80027525
@ -1,5 +1,5 @@
|
|||||||
FROM nginx:1.13
|
FROM nginx:1.13
|
||||||
MAINTAINER Jason Wilder mail@jasonwilder.com
|
LABEL maintainer="Jason Wilder mail@jasonwilder.com"
|
||||||
|
|
||||||
# Install wget and install/updates certificates
|
# Install wget and install/updates certificates
|
||||||
RUN apt-get update \
|
RUN apt-get update \
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
FROM nginx:1.13-alpine
|
FROM nginx:1.13-alpine
|
||||||
MAINTAINER Jason Wilder mail@jasonwilder.com
|
LABEL maintainer="Jason Wilder mail@jasonwilder.com"
|
||||||
|
|
||||||
# Install wget and install/updates certificates
|
# Install wget and install/updates certificates
|
||||||
RUN apk add --no-cache --virtual .run-deps \
|
RUN apk add --no-cache --virtual .run-deps \
|
||||||
|
@ -272,6 +272,13 @@ site after changing this setting, your browser has probably cached the HSTS poli
|
|||||||
redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito
|
redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito
|
||||||
window / different browser.
|
window / different browser.
|
||||||
|
|
||||||
|
By default, [HTTP Strict Transport Security (HSTS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)
|
||||||
|
is enabled with `max-age=31536000` for HTTPS sites. You can disable HSTS with the environment variable
|
||||||
|
`HSTS=off` or use a custom HSTS configuration like `HSTS=max-age=31536000; includeSubDomains; preload`.
|
||||||
|
*WARNING*: HSTS will force your users to visit the HTTPS version of your site for the `max-age` time -
|
||||||
|
even if they type in `http://` manually. The only way to get to an HTTP site after receiving an HSTS
|
||||||
|
response is to clear your browser's HSTS cache.
|
||||||
|
|
||||||
### Basic Authentication Support
|
### Basic Authentication Support
|
||||||
|
|
||||||
In order to be able to secure your virtual host, you have to create a file named as its equivalent VIRTUAL_HOST variable on directory
|
In order to be able to secure your virtual host, you have to create a file named as its equivalent VIRTUAL_HOST variable on directory
|
||||||
|
@ -161,6 +161,9 @@ upstream {{ $upstream_name }} {
|
|||||||
{{/* Get the MODERN_SSL defined by containers w/ the same vhost, falling back to "false" */}}
|
{{/* Get the MODERN_SSL defined by containers w/ the same vhost, falling back to "false" */}}
|
||||||
{{ $modern_ssl := or (first (groupByKeys $containers "Env.MODERN_SSL")) "false" }}
|
{{ $modern_ssl := or (first (groupByKeys $containers "Env.MODERN_SSL")) "false" }}
|
||||||
|
|
||||||
|
{{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}}
|
||||||
|
{{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }}
|
||||||
|
|
||||||
{{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
|
{{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
|
||||||
{{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
|
{{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
|
||||||
|
|
||||||
@ -233,8 +236,8 @@ server {
|
|||||||
ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.crt" $cert }};
|
ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.crt" $cert }};
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
{{ if (ne $https_method "noredirect") }}
|
{{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }}
|
||||||
add_header Strict-Transport-Security "max-age=31536000";
|
add_header Strict-Transport-Security "{{ trim $hsts }}";
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
|
{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
|
||||||
|
@ -89,5 +89,5 @@ def test_web5_dhparam_is_used(docker_compose):
|
|||||||
|
|
||||||
host = "%s:443" % sut_container.attrs["NetworkSettings"]["IPAddress"]
|
host = "%s:443" % sut_container.attrs["NetworkSettings"]["IPAddress"]
|
||||||
r = subprocess.check_output(
|
r = subprocess.check_output(
|
||||||
"echo '' | openssl s_client -verify 0 -connect %s -cipher 'EDH' | grep 'Server Temp Key'" % host, shell=True)
|
"echo '' | openssl s_client -connect %s -cipher 'EDH' | grep 'Server Temp Key'" % host, shell=True)
|
||||||
assert "Server Temp Key: DH, 2048 bits\n" == r
|
assert "Server Temp Key: DH, 2048 bits\n" == r
|
||||||
|
19
test/test_ssl/test_hsts.py
Normal file
19
test/test_ssl/test_hsts.py
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
import pytest
|
||||||
|
|
||||||
|
|
||||||
|
def test_web1_HSTS_default(docker_compose, nginxproxy):
|
||||||
|
r = nginxproxy.get("https://web1.nginx-proxy.tld/port", allow_redirects=False)
|
||||||
|
assert "answer from port 81\n" in r.text
|
||||||
|
assert "Strict-Transport-Security" in r.headers
|
||||||
|
assert "max-age=31536000" == r.headers["Strict-Transport-Security"]
|
||||||
|
|
||||||
|
def test_web2_HSTS_off(docker_compose, nginxproxy):
|
||||||
|
r = nginxproxy.get("https://web2.nginx-proxy.tld/port", allow_redirects=False)
|
||||||
|
assert "answer from port 81\n" in r.text
|
||||||
|
assert "Strict-Transport-Security" not in r.headers
|
||||||
|
|
||||||
|
def test_web3_HSTS_custom(docker_compose, nginxproxy):
|
||||||
|
r = nginxproxy.get("https://web3.nginx-proxy.tld/port", allow_redirects=False)
|
||||||
|
assert "answer from port 81\n" in r.text
|
||||||
|
assert "Strict-Transport-Security" in r.headers
|
||||||
|
assert "max-age=86400; includeSubDomains; preload" == r.headers["Strict-Transport-Security"]
|
32
test/test_ssl/test_hsts.yml
Normal file
32
test/test_ssl/test_hsts.yml
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
web1:
|
||||||
|
image: web
|
||||||
|
expose:
|
||||||
|
- "81"
|
||||||
|
environment:
|
||||||
|
WEB_PORTS: "81"
|
||||||
|
VIRTUAL_HOST: "web1.nginx-proxy.tld"
|
||||||
|
|
||||||
|
web2:
|
||||||
|
image: web
|
||||||
|
expose:
|
||||||
|
- "81"
|
||||||
|
environment:
|
||||||
|
WEB_PORTS: "81"
|
||||||
|
VIRTUAL_HOST: "web2.nginx-proxy.tld"
|
||||||
|
HSTS: "off"
|
||||||
|
|
||||||
|
web3:
|
||||||
|
image: web
|
||||||
|
expose:
|
||||||
|
- "81"
|
||||||
|
environment:
|
||||||
|
WEB_PORTS: "81"
|
||||||
|
VIRTUAL_HOST: "web3.nginx-proxy.tld"
|
||||||
|
HSTS: "max-age=86400; includeSubDomains; preload"
|
||||||
|
|
||||||
|
sut:
|
||||||
|
image: jwilder/nginx-proxy:test
|
||||||
|
volumes:
|
||||||
|
- /var/run/docker.sock:/tmp/docker.sock:ro
|
||||||
|
- ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
|
||||||
|
- ./certs:/etc/nginx/certs:ro
|
@ -1,5 +1,6 @@
|
|||||||
import pytest
|
import pytest
|
||||||
from backports.ssl_match_hostname import CertificateError
|
from backports.ssl_match_hostname import CertificateError
|
||||||
|
from requests.exceptions import SSLError
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.parametrize("subdomain,should_redirect_to_https", [
|
@pytest.mark.parametrize("subdomain,should_redirect_to_https", [
|
||||||
@ -23,7 +24,7 @@ def test_https_get_served(docker_compose, nginxproxy, subdomain):
|
|||||||
|
|
||||||
|
|
||||||
def test_web3_https_is_500_and_SSL_validation_fails(docker_compose, nginxproxy):
|
def test_web3_https_is_500_and_SSL_validation_fails(docker_compose, nginxproxy):
|
||||||
with pytest.raises(CertificateError) as excinfo:
|
with pytest.raises( (CertificateError, SSLError) ) as excinfo:
|
||||||
nginxproxy.get("https://3.web.nginx-proxy.tld/port")
|
nginxproxy.get("https://3.web.nginx-proxy.tld/port")
|
||||||
assert """hostname '3.web.nginx-proxy.tld' doesn't match 'nginx-proxy.tld'""" in str(excinfo.value)
|
assert """hostname '3.web.nginx-proxy.tld' doesn't match 'nginx-proxy.tld'""" in str(excinfo.value)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user