diff --git a/README.md b/README.md
index 2312b25..1043737 100644
--- a/README.md
+++ b/README.md
@@ -97,7 +97,7 @@ session caches.
 The behavior for the proxy when port 80 and 443 are exposed is as follows:
-* If a container has a usable cert, port 80 will redirect to 443 for that container so that HTTPS
+* If a container has a usable cert and not SSL_REDIRECT=no is set, port 80 will redirect to 443 for that container so that HTTPS
 is always preferred when available.
 * If the container does not have a usable cert, a 503 will be returned.
diff --git a/nginx.tmpl b/nginx.tmpl
index 446ec31..a53b780 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -71,6 +71,9 @@ upstream {{ $host }} {
 {{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}}
 {{ $proto := or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http" }}
+{{/* Get redirect behaviour defined by containers w/ the same vhost, falling back to redirecting to https */}}
+{{ $sslRedirect := or (first (groupByKeys $containers "Env.SSL_REDIRECT")) "yes" }}
+
 {{/* Get the first cert name defined by containers w/ the same vhost */}}
 {{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
@@ -84,15 +87,20 @@ upstream {{ $host }} {
 {{/* Use the cert specifid on the container or fallback to the best vhost match */}}
 {{ $cert := (coalesce $certName $vhostCert) }}
-{{ if (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
+{{ $enabledSSL := (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
+{{ if (and $enabledSSL (eq $sslRedirect "yes")) }}
 server {
 	server_name {{ $host }};
 	return 301 https://$host$request_uri;
 }
+{{ end }}
 server {
 	server_name {{ $host }};
+	{{ if (ne $sslRedirect "yes") }} listen 80; {{ end }}
+
+	{{ if $enabledSSL }}
 	listen 443 ssl;
 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
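Review bot: `$sslRedirect` is taken from `first (groupByKeys $containers "Env.SSL_REDIRECT")`, so when several containers share a vhost and disagree, whichever value comes first wins and a single container setting `SSL_REDIRECT=no` switches the whole vhost to plain HTTP; the ordering that groupByKeys/first produce is not visible from this hunk. The same pattern is already used for VIRTUAL_PROTO, so at least make the per-vhost scope explicit in the comment, e.g. `{{/* SSL_REDIRECT is per vhost: the first container's value applies to every container behind it */}}`.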
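Review bot: The opt-out is tested the wrong way round: `eq $sslRedirect "yes"` on the redirect server (and `ne $sslRedirect "yes"` on the listen line) means any value other than exactly `yes` — `no`, but also `YES`, `true` or a typo — drops the 301 and serves the vhost in the clear on port 80, so a misconfiguration fails open. Since the README change documents `SSL_REDIRECT=no` as the switch, test for the explicit opt-out instead: `{{ if (and $enabledSSL (ne $sslRedirect "no")) }}` for the redirect server and `{{ if (or (not $enabledSSL) (eq $sslRedirect "no")) }}` around `listen 80;`. The second form also writes `listen 80;` out when there is no usable cert; as written, that server block has no listen directive at all in the default case and appears to rely on nginx's implicit listener, as the removed else-branch did. The `{{ if $enabledSSL }}` opened at the end of this hunk is closed in the next one.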
@@ -106,6 +114,7 @@ server {
 	ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
 	add_header Strict-Transport-Security "max-age=31536000";
+	{{ end }}
 	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
 	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
@@ -118,26 +127,10 @@ server {
 		auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }};
 		{{ end }}
 	}
-}
-{{ else }}
-server {
-	server_name {{ $host }};
-
-	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
-	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
-	{{ end }}
-
-	location / {
-		proxy_pass {{ $proto }}://{{ $host }};
-		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
-		auth_basic "Restricted {{ $host }}";
-		auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }};
-		{{ end }}
-	}
 }
-{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
+{{ if (and (not $enabledSSL) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
 server {
 	server_name {{ $host }};
 	listen 443 ssl;
@@ -149,4 +142,3 @@ server {
 	{{ end }}
 {{ end }}
-{{ end }}
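Review bot: `add_header Strict-Transport-Security "max-age=31536000"` now sits inside `{{ if $enabledSSL }}` but is not conditioned on `$sslRedirect`, so a vhost with `SSL_REDIRECT=no` still tells every browser that has once reached it over HTTPS to use HTTPS for a year; the option then only changes behaviour for clients that have never hit port 443, and the same server also emits the header on its plain-HTTP responses, where browsers are required to ignore it. If the intent is to keep port 80 genuinely usable for browsers, guard the header with the same check, e.g. `{{ if (eq $sslRedirect "yes") }}` / `{{ end }}` around the `add_header` line, or describe this interaction next to the SSL_REDIRECT option in the README. The server block this `{{ end }}` belongs to starts outside the hunk.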