From 936e57a6de5a3e12043ab51492bf795537afe4f2 Mon Sep 17 00:00:00 2001
From: Steve Kamerman <stevekamerman@gmail.com>
Date: Mon, 26 Mar 2018 13:27:30 -0400
Subject: [PATCH 1/3] Fixed #1080, can't disable HSTS with noredirect

---
 nginx.tmpl                  |  4 ++--
 test/test_ssl/test_hsts.py  |  7 +++++++
 test/test_ssl/test_hsts.yml | 10 ++++++++++
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/nginx.tmpl b/nginx.tmpl
index d861050..a9fc479 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -19,7 +19,7 @@
 			server 127.0.0.1 down;
 		{{ end }}
 	{{ end }}
-	
+
 {{ end }}
 
 # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
@@ -262,7 +262,7 @@ server {
 	ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};
 	{{ end }}
 
-	{{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }}
+	{{ if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }}
 	add_header Strict-Transport-Security "{{ trim $hsts }}" always;
 	{{ end }}
 
diff --git a/test/test_ssl/test_hsts.py b/test/test_ssl/test_hsts.py
index 554d79a..12bbcc4 100644
--- a/test/test_ssl/test_hsts.py
+++ b/test/test_ssl/test_hsts.py
@@ -24,3 +24,10 @@ def test_web3_HSTS_custom(docker_compose, nginxproxy):
     assert "answer from port 81\n" in r.text
     assert "Strict-Transport-Security" in r.headers
     assert "max-age=86400; includeSubDomains; preload" == r.headers["Strict-Transport-Security"]
+
+# Regression test for issue 1080
+# https://github.com/jwilder/nginx-proxy/issues/1080
+def test_web4_HSTS_off_noredirect(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://web4.nginx-proxy.tld/port", allow_redirects=False)
+    assert "answer from port 81\n" in r.text
+    assert "Strict-Transport-Security" not in r.headers
diff --git a/test/test_ssl/test_hsts.yml b/test/test_ssl/test_hsts.yml
index 5c04cf0..f6f39a7 100644
--- a/test/test_ssl/test_hsts.yml
+++ b/test/test_ssl/test_hsts.yml
@@ -24,6 +24,16 @@ web3:
     VIRTUAL_HOST: "web3.nginx-proxy.tld"
     HSTS: "max-age=86400; includeSubDomains; preload"
 
+web4:
+  image: web
+  expose:
+    - "81"
+  environment:
+    WEB_PORTS: "81"
+    VIRTUAL_HOST: "web4.nginx-proxy.tld"
+    HSTS: "off"
+    HTTPS_METHOD: "noredirect"
+
 sut:
   image: jwilder/nginx-proxy:test
   volumes:

From 6a1a518fec5507ba1115468e1e70dc410ed53b2f Mon Sep 17 00:00:00 2001
From: Kenichi HIROSE <seroron@outlook.com>
Date: Tue, 18 Dec 2018 14:05:17 +0000
Subject: [PATCH 2/3] Fix empty dhparam.pem

---
 generate-dhparam.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/generate-dhparam.sh b/generate-dhparam.sh
index 3fdc77c..27b6432 100755
--- a/generate-dhparam.sh
+++ b/generate-dhparam.sh
@@ -37,7 +37,8 @@ touch $GEN_LOCKFILE
 # Generate a new dhparam in the background in a low priority and reload nginx when finished (grep removes the progress indicator).
 (
     (
-        nice -n +5 openssl dhparam -out $DHPARAM_FILE $DHPARAM_BITS 2>&1 \
+        nice -n +5 openssl dhparam -out $DHPARAM_FILE.tmp $DHPARAM_BITS 2>&1 \
+        && mv $DHPARAM_FILE.tmp $DHPARAM_FILE \
         && echo "dhparam generation complete, reloading nginx" \
         && nginx -s reload
     ) | grep -vE '^[\.+]+'

From ad4117803690042e446aa7f7b25d25bebecf843a Mon Sep 17 00:00:00 2001
From: Steve Kamerman <stevekamerman@gmail.com>
Date: Mon, 4 Feb 2019 15:15:04 -0500
Subject: [PATCH 3/3] Fixed tests that are now failing due to the dhparam
 clearing command beating the nginx startup.  This is fixed permanently in
 #1213, but this PR fixes the test so as not to rely on the dhparam autogen,
 which is tested elsewhere.

---
 test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml     | 3 ++-
 .../wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py    | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml b/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml
index bffffc1..20cd1b2 100644
--- a/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml
+++ b/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml
@@ -7,6 +7,7 @@ services:
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
       - ./certs:/etc/nginx/certs:ro
+      - ../../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
 
   web1:
     image: web
@@ -30,4 +31,4 @@ services:
     environment:
       WEB_PORTS: "83"
       VIRTUAL_HOST: "3.web.nginx-proxy.tld"
-      HTTPS_METHOD: nohttps
\ No newline at end of file
+      HTTPS_METHOD: nohttps
diff --git a/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py b/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py
index de4b298..2808dee 100644
--- a/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py
+++ b/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py
@@ -11,6 +11,7 @@ from requests.exceptions import SSLError
 def test_http_redirects_to_https(docker_compose, nginxproxy, subdomain, should_redirect_to_https):
     r = nginxproxy.get("http://%s.web.nginx-proxy.tld/port" % subdomain)
     if should_redirect_to_https:
+        assert len(r.history) > 0
         assert r.history[0].is_redirect
         assert r.history[0].headers.get("Location") == "https://%s.web.nginx-proxy.tld/port" % subdomain
     assert "answer from port 8%s\n" % subdomain == r.text