diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md new file mode 100644 index 0000000..cfaa367 --- /dev/null +++ b/.github/ISSUE_TEMPLATE.md @@ -0,0 +1,14 @@ +# !!!PLEASE READ!!! + +## Questions + +If you have a question, DO NOT SUBMIT a new issue. Please ask the question on the Q&A Group: https://groups.google.com/forum/#!forum/nginx-proxy + +## Bugs or Features + +If you are logging a bug or feature request, please search the current open issues to see if there is already a bug or feature opened. + +For bugs, the easier you make it to reproduce the issue you see, the easier and faster it can get fixed. If you can provide a script or docker-compose file that reproduces the problems, that is very helpful. + +Thanks, +Jason diff --git a/.travis.yml b/.travis.yml index 268e275..7a1c66f 100644 --- a/.travis.yml +++ b/.travis.yml @@ -7,7 +7,8 @@ env: - TEST_TARGET: test-alpine before_install: - - sudo apt-get remove docker docker-engine + - sudo apt-get -y remove docker docker-engine docker-ce + - sudo rm /etc/apt/sources.list.d/docker.list - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - - sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" - sudo apt-get update diff --git a/Dockerfile b/Dockerfile index 149fb90..45a09e3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.13 +FROM nginx:1.14.1 LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates @@ -18,7 +18,7 @@ RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego RUN chmod u+x /usr/local/bin/forego -ENV DOCKER_GEN_VERSION 0.7.3 +ENV DOCKER_GEN_VERSION 0.7.4 RUN wget https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ && tar -C /usr/local/bin -xvzf docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ diff --git a/Dockerfile.alpine b/Dockerfile.alpine index fce6aae..23459a3 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM nginx:1.13-alpine +FROM nginx:1.14.1-alpine LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates @@ -15,12 +15,14 @@ RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego RUN chmod u+x /usr/local/bin/forego -ENV DOCKER_GEN_VERSION 0.7.3 +ENV DOCKER_GEN_VERSION 0.7.4 RUN wget --quiet https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ && tar -C /usr/local/bin -xvzf docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \ && rm /docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz +COPY network_internal.conf /etc/nginx/ + COPY . /app/ WORKDIR /app/ diff --git a/README.md b/README.md index c5c2463..79b6c2c 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,5 @@ -![nginx 1.13](https://img.shields.io/badge/nginx-1.13-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![latest 0.7.0](https://img.shields.io/badge/latest-0.7.0-green.svg?style=flat) +![nginx 1.14.1](https://img.shields.io/badge/nginx-1.14-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. @@ -196,8 +197,12 @@ Finally, start your containers with `VIRTUAL_HOST` environment variables. $ docker run -e VIRTUAL_HOST=foo.bar.com ... ### SSL Support using letsencrypt -[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically. +[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically. +Set `DHPARAM_GENERATION` environment variable to `false` to disabled Diffie-Hellman parameters completely. This will also ignore auto-generation made by `nginx-proxy`. +The default value is `true` + + $ docker run -e DHPARAM_GENERATION=false .... ### SSL Support SSL is supported using single host, wildcard and SNI certificates using naming conventions for @@ -229,7 +234,7 @@ at startup. Since it can take minutes to generate a new `dhparam.pem`, it is do background. Once generation is complete, the `dhparam.pem` is saved on a persistent volume and nginx is reloaded. This generation process only occurs the first time you start `nginx-proxy`. -> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 2048 bits for A+ security. Some +> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 2048 bits for A+ security. Some > older clients (like Java 6 and 7) do not support DH keys with over 1024 bits. In order to support these > clients, you must either provide your own `dhparam.pem`, or tell `nginx-proxy` to generate a 1024-bit > key on startup by passing `-e DHPARAM_BITS=1024`. @@ -252,6 +257,15 @@ to identify the certificate to be used. For example, a certificate for `*.foo.c could be named `shared.crt` and `shared.key`. A container running with `VIRTUAL_HOST=foo.bar.com` and `CERT_NAME=shared` will then use this shared cert. +#### OCSP Stapling +To enable OCSP Stapling for a domain, `nginx-proxy` looks for a PEM certificate containing the trusted +CA certificate chain at `/etc/nginx/certs/.chain.pem`, where `` is the domain name in +the `VIRTUAL_HOST` directive. The format of this file is a concatenation of the public PEM CA +certificates starting with the intermediate CA most near the SSL certificate, down to the root CA. This is +often referred to as the "SSL Certificate Chain". If found, this filename is passed to the NGINX +[`ssl_trusted_certificate` directive](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate) +and OCSP Stapling is enabled. + #### How SSL Support Works The default SSL cipher configuration is based on the [Mozilla intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29) which @@ -288,12 +302,12 @@ a 500. To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also -disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with -`HTTPS_METHOD=nohttps`. `HTTPS_METHOD` must be specified on each container for which you want to -override the default behavior. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS) -is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP -site after changing this setting, your browser has probably cached the HSTS policy and is automatically -redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito +disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with +`HTTPS_METHOD=nohttps`. `HTTPS_METHOD` must be specified on each container for which you want to +override the default behavior. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS) +is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP +site after changing this setting, your browser has probably cached the HSTS policy and is automatically +redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito window / different browser. By default, [HTTP Strict Transport Security (HSTS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) @@ -416,7 +430,7 @@ Before submitting pull requests or issues, please check github to make sure an e To run tests, you need to prepare the docker image to test which must be tagged `jwilder/nginx-proxy:test`: docker build -t jwilder/nginx-proxy:test . # build the Debian variant image - + and call the [test/pytest.sh](test/pytest.sh) script. Then build the Alpine variant of the image: @@ -429,6 +443,10 @@ and call the [test/pytest.sh](test/pytest.sh) script again. If your system has the `make` command, you can automate those tasks by calling: make test - + You can learn more about how the test suite works and how to write new tests in the [test/README.md](test/README.md) file. + +### Need help? + +If you have questions on how to use the image, please ask them on the [Q&A Group](https://groups.google.com/forum/#!forum/nginx-proxy) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 7e7a312..b425dfe 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -16,7 +16,8 @@ fi # Generate dhparam file if required # Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 2048 as a default -/app/generate-dhparam.sh $DHPARAM_BITS +# Note2: if $DHPARAM_GENERATION is set to false in environment variable, dh param generator will skip completely +/app/generate-dhparam.sh $DHPARAM_BITS $DHPARAM_GENERATION # Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in [] export RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g') diff --git a/generate-dhparam.sh b/generate-dhparam.sh index 3fdc77c..4099dde 100755 --- a/generate-dhparam.sh +++ b/generate-dhparam.sh @@ -2,6 +2,7 @@ # The first argument is the bit depth of the dhparam, or 2048 if unspecified DHPARAM_BITS=${1:-2048} +GENERATE_DHPARAM=${2:-true} # If a dhparam file is not available, use the pre-generated one and generate a new one in the background. # Note that /etc/nginx/dhparam is a volume, so this dhparam will persist restarts. @@ -25,6 +26,11 @@ if [[ -f $DHPARAM_FILE ]]; then fi fi +if [[ $GENERATE_DHPARAM =~ ^[Ff][Aa][Ll][Ss][Ee]$ ]]; then + echo "Skipping Diffie-Hellman parameters generation and Ignoring pre-generated dhparam.pem" + exit 0 +fi + cat >&2 <<-EOT WARNING: $DHPARAM_FILE was not found. A pre-generated dhparam.pem will be used for now while a new one is being generated in the background. Once the new dhparam.pem is in place, nginx will be reloaded. @@ -37,7 +43,8 @@ touch $GEN_LOCKFILE # Generate a new dhparam in the background in a low priority and reload nginx when finished (grep removes the progress indicator). ( ( - nice -n +5 openssl dhparam -out $DHPARAM_FILE $DHPARAM_BITS 2>&1 \ + nice -n +5 openssl dhparam -out $DHPARAM_FILE.tmp $DHPARAM_BITS 2>&1 \ + && mv $DHPARAM_FILE.tmp $DHPARAM_FILE \ && echo "dhparam generation complete, reloading nginx" \ && nginx -s reload ) | grep -vE '^[\.+]+' diff --git a/nginx.tmpl b/nginx.tmpl index 2223226..336c77c 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -25,7 +25,7 @@ server 127.0.0.1 down; {{ end }} {{ end }} - + {{ end }} # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the @@ -153,6 +153,9 @@ upstream {{ $upstream_name }} { {{ $address := where $container.Addresses "Port" $port | first }} {{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }} {{ end }} + {{ else }} + # Cannot connect to network of this container + server 127.0.0.1 down; {{ end }} {{ end }} {{ end }} @@ -224,31 +227,31 @@ server { {{ end }} {{ if eq $ssl_policy "Mozilla-Modern" }} - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; {{ else if eq $ssl_policy "Mozilla-Intermediate" }} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS'; {{ else if eq $ssl_policy "Mozilla-Old" }} - ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP'; {{ else if eq $ssl_policy "AWS-TLS-1-2-2017-01" }} - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256'; {{ else if eq $ssl_policy "AWS-TLS-1-1-2017-01" }} - ssl_protocols TLSv1.1 TLSv1.2; + ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA'; {{ else if eq $ssl_policy "AWS-2016-08" }} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA'; {{ else if eq $ssl_policy "AWS-2015-05" }} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA'; {{ else if eq $ssl_policy "AWS-2015-03" }} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA'; {{ else if eq $ssl_policy "AWS-2015-02" }} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA'; {{ end }} @@ -264,14 +267,14 @@ server { ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }}; {{ end }} - {{ if (exists (printf "/etc/nginx/certs/%s.chain.crt" $cert)) }} + {{ if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }} ssl_stapling on; ssl_stapling_verify on; - ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.crt" $cert }}; + ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }}; {{ end }} - {{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }} - add_header Strict-Transport-Security "{{ trim $hsts }}"; + {{ if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }} + add_header Strict-Transport-Security "{{ trim $hsts }}" always; {{ end }} {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} diff --git a/test/certs/create_server_certificate.sh b/test/certs/create_server_certificate.sh index bffc27e..ae51280 100755 --- a/test/certs/create_server_certificate.sh +++ b/test/certs/create_server_certificate.sh @@ -24,7 +24,7 @@ fi # Create a nginx container (which conveniently provides the `openssl` command) ############################################################################### -CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.13) +CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.14.1) # Configure openssl docker exec $CONTAINER bash -c ' mkdir -p /ca/{certs,crl,private,newcerts} 2>/dev/null diff --git a/test/conftest.py b/test/conftest.py index 43f83bb..6bd172a 100644 --- a/test/conftest.py +++ b/test/conftest.py @@ -257,7 +257,7 @@ def get_nginx_conf_from_container(container): strm, stat = container.get_archive('/etc/nginx/conf.d/default.conf') with tarfile.open(fileobj=StringIO(strm.read())) as tf: conffile = tf.extractfile('default.conf') - return conffile.read() + return conffile.read() def docker_compose_up(compose_file='docker-compose.yml'): @@ -469,5 +469,5 @@ try: except docker.errors.ImageNotFound: pytest.exit("The docker image 'jwilder/nginx-proxy:test' is missing") -if docker.__version__ != "2.0.2": - pytest.exit("This test suite is meant to work with the python docker module v2.0.2") +if docker.__version__ != "2.1.0": + pytest.exit("This test suite is meant to work with the python docker module v2.1.0") diff --git a/test/requirements/python-requirements.txt b/test/requirements/python-requirements.txt index e868e14..ba95455 100644 --- a/test/requirements/python-requirements.txt +++ b/test/requirements/python-requirements.txt @@ -1,5 +1,5 @@ backoff==1.3.2 -docker-compose==1.11.1 -docker==2.0.2 +docker-compose==1.11.2 +docker==2.1.0 pytest==3.0.5 -requests==2.11.1 \ No newline at end of file +requests==2.11.1 diff --git a/test/requirements/web/webserver.py b/test/requirements/web/webserver.py index 305c207..9334657 100755 --- a/test/requirements/web/webserver.py +++ b/test/requirements/web/webserver.py @@ -1,28 +1,35 @@ #!/usr/bin/env python3 -import os, sys +import os, sys, re import http.server import socketserver - class Handler(http.server.SimpleHTTPRequestHandler): def do_GET(self): - - self.send_response(200) + + response_body = "" + response_code = 200 + + if self.path == "/headers": + response_body += self.headers.as_string() + elif self.path == "/port": + response_body += "answer from port %s\n" % PORT + elif re.match("/status/(\d+)", self.path): + result = re.match("/status/(\d+)", self.path) + response_code = int(result.group(1)) + response_body += "answer with response code %s\n" % response_code + elif self.path == "/": + response_body += "I'm %s\n" % os.environ['HOSTNAME'] + else: + response_body += "No route for this path!\n" + response_code = 404 + + self.send_response(response_code) self.send_header("Content-Type", "text/plain") self.end_headers() - if self.path == "/headers": - self.wfile.write(self.headers.as_string().encode()) - elif self.path == "/port": - response = "answer from port %s\n" % PORT - self.wfile.write(response.encode()) - elif self.path == "/": - response = "I'm %s\n" % os.environ['HOSTNAME'] - self.wfile.write(response.encode()) - else: - self.wfile.write("No route for this path!\n".encode()) - + if (len(response_body)): + self.wfile.write(response_body.encode()) if __name__ == '__main__': PORT = int(sys.argv[1]) diff --git a/test/test_ssl/test_hsts.py b/test/test_ssl/test_hsts.py index 180f274..12bbcc4 100644 --- a/test/test_ssl/test_hsts.py +++ b/test/test_ssl/test_hsts.py @@ -7,6 +7,13 @@ def test_web1_HSTS_default(docker_compose, nginxproxy): assert "Strict-Transport-Security" in r.headers assert "max-age=31536000" == r.headers["Strict-Transport-Security"] +# Regression test to ensure HSTS is enabled even when the upstream sends an error in response +# Issue #1073 https://github.com/jwilder/nginx-proxy/pull/1073 +def test_web1_HSTS_error(docker_compose, nginxproxy): + r = nginxproxy.get("https://web1.nginx-proxy.tld/status/500", allow_redirects=False) + assert "Strict-Transport-Security" in r.headers + assert "max-age=31536000" == r.headers["Strict-Transport-Security"] + def test_web2_HSTS_off(docker_compose, nginxproxy): r = nginxproxy.get("https://web2.nginx-proxy.tld/port", allow_redirects=False) assert "answer from port 81\n" in r.text @@ -17,3 +24,10 @@ def test_web3_HSTS_custom(docker_compose, nginxproxy): assert "answer from port 81\n" in r.text assert "Strict-Transport-Security" in r.headers assert "max-age=86400; includeSubDomains; preload" == r.headers["Strict-Transport-Security"] + +# Regression test for issue 1080 +# https://github.com/jwilder/nginx-proxy/issues/1080 +def test_web4_HSTS_off_noredirect(docker_compose, nginxproxy): + r = nginxproxy.get("https://web4.nginx-proxy.tld/port", allow_redirects=False) + assert "answer from port 81\n" in r.text + assert "Strict-Transport-Security" not in r.headers diff --git a/test/test_ssl/test_hsts.yml b/test/test_ssl/test_hsts.yml index 5c04cf0..f6f39a7 100644 --- a/test/test_ssl/test_hsts.yml +++ b/test/test_ssl/test_hsts.yml @@ -24,6 +24,16 @@ web3: VIRTUAL_HOST: "web3.nginx-proxy.tld" HSTS: "max-age=86400; includeSubDomains; preload" +web4: + image: web + expose: + - "81" + environment: + WEB_PORTS: "81" + VIRTUAL_HOST: "web4.nginx-proxy.tld" + HSTS: "off" + HTTPS_METHOD: "noredirect" + sut: image: jwilder/nginx-proxy:test volumes: diff --git a/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml b/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml index bffffc1..20cd1b2 100644 --- a/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml +++ b/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml @@ -7,6 +7,7 @@ services: volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./certs:/etc/nginx/certs:ro + - ../../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro web1: image: web @@ -30,4 +31,4 @@ services: environment: WEB_PORTS: "83" VIRTUAL_HOST: "3.web.nginx-proxy.tld" - HTTPS_METHOD: nohttps \ No newline at end of file + HTTPS_METHOD: nohttps diff --git a/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py b/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py index de4b298..2808dee 100644 --- a/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py +++ b/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py @@ -11,6 +11,7 @@ from requests.exceptions import SSLError def test_http_redirects_to_https(docker_compose, nginxproxy, subdomain, should_redirect_to_https): r = nginxproxy.get("http://%s.web.nginx-proxy.tld/port" % subdomain) if should_redirect_to_https: + assert len(r.history) > 0 assert r.history[0].is_redirect assert r.history[0].headers.get("Location") == "https://%s.web.nginx-proxy.tld/port" % subdomain assert "answer from port 8%s\n" % subdomain == r.text