Merge branch 'master' into feature/VIRTUAL_IP

2019-02-17 15:47:59 +01:00 · 2019-02-17 15:47:59 +01:00 · 5c7ccf75af
commit 5c7ccf75af
parent b6ae740dc2 15d2817384
6 changed files with 23 additions and 3 deletions
--- a/generate-dhparam.sh
+++ b/generate-dhparam.sh
@ -37,7 +37,8 @@ touch $GEN_LOCKFILE
 # Generate a new dhparam in the background in a low priority and reload nginx when finished (grep removes the progress indicator).
 (
    (
-        nice -n +5 openssl dhparam -out $DHPARAM_FILE $DHPARAM_BITS 2>&1 \
+        nice -n +5 openssl dhparam -out $DHPARAM_FILE.tmp $DHPARAM_BITS 2>&1 \
+        && mv $DHPARAM_FILE.tmp $DHPARAM_FILE \
        && echo "dhparam generation complete, reloading nginx" \
        && nginx -s reload
    ) | grep -vE '^[\.+]+'
--- a/nginx.tmpl
+++ b/nginx.tmpl
@ -270,7 +270,7 @@ server {
 	ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};
 	{{ end }}

-	{{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }}
+	{{ if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }}
 	add_header Strict-Transport-Security "{{ trim $hsts }}" always;
 	{{ end }}

--- a/test/test_ssl/test_hsts.py
+++ b/test/test_ssl/test_hsts.py
@ -24,3 +24,10 @@ def test_web3_HSTS_custom(docker_compose, nginxproxy):
    assert "answer from port 81\n" in r.text
    assert "Strict-Transport-Security" in r.headers
    assert "max-age=86400; includeSubDomains; preload" == r.headers["Strict-Transport-Security"]
+
+# Regression test for issue 1080
+# https://github.com/jwilder/nginx-proxy/issues/1080
+def test_web4_HSTS_off_noredirect(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://web4.nginx-proxy.tld/port", allow_redirects=False)
+    assert "answer from port 81\n" in r.text
+    assert "Strict-Transport-Security" not in r.headers
--- a/test/test_ssl/test_hsts.yml
+++ b/test/test_ssl/test_hsts.yml
@ -24,6 +24,16 @@ web3:
    VIRTUAL_HOST: "web3.nginx-proxy.tld"
    HSTS: "max-age=86400; includeSubDomains; preload"

+web4:
+  image: web
+  expose:
+    - "81"
+  environment:
+    WEB_PORTS: "81"
+    VIRTUAL_HOST: "web4.nginx-proxy.tld"
+    HSTS: "off"
+    HTTPS_METHOD: "noredirect"
+
 sut:
  image: jwilder/nginx-proxy:test
  volumes:
--- a/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml
+++ b/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml
@ -7,6 +7,7 @@ services:
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./certs:/etc/nginx/certs:ro
+      - ../../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro

  web1:
    image: web
--- a/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py
+++ b/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py
@ -11,6 +11,7 @@ from requests.exceptions import SSLError
 def test_http_redirects_to_https(docker_compose, nginxproxy, subdomain, should_redirect_to_https):
    r = nginxproxy.get("http://%s.web.nginx-proxy.tld/port" % subdomain)
    if should_redirect_to_https:
+        assert len(r.history) > 0
        assert r.history[0].is_redirect
        assert r.history[0].headers.get("Location") == "https://%s.web.nginx-proxy.tld/port" % subdomain
    assert "answer from port 8%s\n" % subdomain == r.text