Merge branch 'master' into upstream_name

.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,14 @@
+# !!!PLEASE READ!!!
+
+## Questions
+
+If you have a question, DO NOT SUBMIT a new issue.  Please ask the question on the Q&A Group: https://groups.google.com/forum/#!forum/nginx-proxy
+
+## Bugs or Features
+
+If you are logging a bug or feature request, please search the current open issues to see if there is already a bug or feature opened.
+
+For bugs, the easier you make it to reproduce the issue you see, the easier and faster it can get fixed.  If you can provide a script or docker-compose file that reproduces the problems, that is very helpful.
+
+Thanks,
+Jason

.travis.yml

@@ -7,7 +7,8 @@ env:
   - TEST_TARGET: test-alpine
 
 before_install:
-  - sudo apt-get remove docker docker-engine
+  - sudo apt-get -y remove docker docker-engine docker-ce
+  - sudo rm /etc/apt/sources.list.d/docker.list
   - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
   - sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
   - sudo apt-get update

Dockerfile

@@ -1,4 +1,4 @@
-FROM nginx:1.13
+FROM nginx:1.14.1
 LABEL maintainer="Jason Wilder mail@jasonwilder.com"
 
 # Install wget and install/updates certificates
@@ -18,7 +18,7 @@ RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
 ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego
 RUN chmod u+x /usr/local/bin/forego
 
-ENV DOCKER_GEN_VERSION 0.7.3
+ENV DOCKER_GEN_VERSION 0.7.4
 
 RUN wget https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \
  && tar -C /usr/local/bin -xvzf docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \

Dockerfile.alpine

@@ -1,4 +1,4 @@
-FROM nginx:1.13-alpine
+FROM nginx:1.14.1-alpine
 LABEL maintainer="Jason Wilder mail@jasonwilder.com"
 
 # Install wget and install/updates certificates
@@ -15,12 +15,14 @@ RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
 ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego
 RUN chmod u+x /usr/local/bin/forego
 
-ENV DOCKER_GEN_VERSION 0.7.3
+ENV DOCKER_GEN_VERSION 0.7.4
 
 RUN wget --quiet https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \
  && tar -C /usr/local/bin -xvzf docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \
  && rm /docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz
 
+COPY network_internal.conf /etc/nginx/
+
 COPY . /app/
 WORKDIR /app/
 

README.md

@@ -1,4 +1,5 @@
-![nginx 1.13](https://img.shields.io/badge/nginx-1.13-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub')
+![latest 0.7.0](https://img.shields.io/badge/latest-0.7.0-green.svg?style=flat)
+![nginx 1.14.1](https://img.shields.io/badge/nginx-1.14-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub')
 
 
 nginx-proxy sets up a container running nginx and [docker-gen][1].  docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped.
@@ -196,8 +197,12 @@ Finally, start your containers with `VIRTUAL_HOST` environment variables.
     $ docker run -e VIRTUAL_HOST=foo.bar.com  ...
 ### SSL Support using letsencrypt
 
-[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically. 
+[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically.
 
+Set `DHPARAM_GENERATION` environment variable to `false` to disabled Diffie-Hellman parameters completely. This will also ignore auto-generation made by `nginx-proxy`.
+The default value is `true`
+
+     $ docker run -e DHPARAM_GENERATION=false ....
 ### SSL Support
 
 SSL is supported using single host, wildcard and SNI certificates using naming conventions for
@@ -229,7 +234,7 @@ at startup.  Since it can take minutes to generate a new `dhparam.pem`, it is do
 background.  Once generation is complete, the `dhparam.pem` is saved on a persistent volume and nginx
 is reloaded.  This generation process only occurs the first time you start `nginx-proxy`.
 
-> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 2048 bits for A+ security.  Some 
+> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 2048 bits for A+ security.  Some
 > older clients (like Java 6 and 7) do not support DH keys with over 1024 bits.  In order to support these
 > clients, you must either provide your own `dhparam.pem`, or tell `nginx-proxy` to generate a 1024-bit
 > key on startup by passing `-e DHPARAM_BITS=1024`.
@@ -252,6 +257,15 @@ to identify the certificate to be used.  For example, a certificate for `*.foo.c
 could be named `shared.crt` and `shared.key`.  A container running with `VIRTUAL_HOST=foo.bar.com`
 and `CERT_NAME=shared` will then use this shared cert.
 
+#### OCSP Stapling
+To enable OCSP Stapling for a domain, `nginx-proxy` looks for a PEM certificate containing the trusted
+CA certificate chain at `/etc/nginx/certs/<domain>.chain.pem`, where `<domain>` is the domain name in
+the `VIRTUAL_HOST` directive.  The format of this file is a concatenation of the public PEM CA
+certificates starting with the intermediate CA most near the SSL certificate, down to the root CA.  This is
+often referred to as the "SSL Certificate Chain".  If found, this filename is passed to the NGINX
+[`ssl_trusted_certificate` directive](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate)
+and OCSP Stapling is enabled.
+
 #### How SSL Support Works
 
 The default SSL cipher configuration is based on the [Mozilla intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29) which
@@ -288,12 +302,12 @@ a 500.
 
 To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the
 environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`).  You can also
-disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with 
+disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with
-`HTTPS_METHOD=nohttps`. `HTTPS_METHOD` must be specified on each container for which you want to 
+`HTTPS_METHOD=nohttps`. `HTTPS_METHOD` must be specified on each container for which you want to
-override the default behavior.  If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS) 
+override the default behavior.  If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS)
-is disabled to prevent HTTPS users from being redirected by the client.  If you cannot get to the HTTP 
+is disabled to prevent HTTPS users from being redirected by the client.  If you cannot get to the HTTP
-site after changing this setting, your browser has probably cached the HSTS policy and is automatically 
+site after changing this setting, your browser has probably cached the HSTS policy and is automatically
-redirecting you back to HTTPS.  You will need to clear your browser's HSTS cache or use an incognito 
+redirecting you back to HTTPS.  You will need to clear your browser's HSTS cache or use an incognito
 window / different browser.
 
 By default, [HTTP Strict Transport Security (HSTS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) 
@@ -416,7 +430,7 @@ Before submitting pull requests or issues, please check github to make sure an e
 To run tests, you need to prepare the docker image to test which must be tagged `jwilder/nginx-proxy:test`:
 
     docker build -t jwilder/nginx-proxy:test .  # build the Debian variant image
-    
+
 and call the [test/pytest.sh](test/pytest.sh) script.
 
 Then build the Alpine variant of the image:
@@ -429,6 +443,10 @@ and call the [test/pytest.sh](test/pytest.sh) script again.
 If your system has the `make` command, you can automate those tasks by calling:
 
     make test
-    
+
 
 You can learn more about how the test suite works and how to write new tests in the [test/README.md](test/README.md) file.
+
+### Need help?
+
+If you have questions on how to use the image, please ask them on the [Q&A Group](https://groups.google.com/forum/#!forum/nginx-proxy)

docker-entrypoint.sh

@@ -16,7 +16,8 @@ fi
 
 # Generate dhparam file if required
 # Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 2048 as a default
-/app/generate-dhparam.sh $DHPARAM_BITS
+# Note2: if $DHPARAM_GENERATION is set to false in environment variable, dh param generator will skip completely
+/app/generate-dhparam.sh $DHPARAM_BITS $DHPARAM_GENERATION
 
 # Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in []
 export RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g')

generate-dhparam.sh

@@ -2,6 +2,7 @@
 
 # The first argument is the bit depth of the dhparam, or 2048 if unspecified
 DHPARAM_BITS=${1:-2048}
+GENERATE_DHPARAM=${2:-true}
 
 # If a dhparam file is not available, use the pre-generated one and generate a new one in the background.
 # Note that /etc/nginx/dhparam is a volume, so this dhparam will persist restarts.
@@ -25,6 +26,11 @@ if [[ -f $DHPARAM_FILE ]]; then
     fi
 fi
 
+if [[ $GENERATE_DHPARAM =~ ^[Ff][Aa][Ll][Ss][Ee]$ ]]; then
+    echo "Skipping Diffie-Hellman parameters generation and Ignoring pre-generated dhparam.pem"
+    exit 0
+fi
+
 cat >&2 <<-EOT
 WARNING: $DHPARAM_FILE was not found. A pre-generated dhparam.pem will be used for now while a new one
 is being generated in the background.  Once the new dhparam.pem is in place, nginx will be reloaded.
@@ -37,7 +43,8 @@ touch $GEN_LOCKFILE
 # Generate a new dhparam in the background in a low priority and reload nginx when finished (grep removes the progress indicator).
 (
     (
-        nice -n +5 openssl dhparam -out $DHPARAM_FILE $DHPARAM_BITS 2>&1 \
+        nice -n +5 openssl dhparam -out $DHPARAM_FILE.tmp $DHPARAM_BITS 2>&1 \
+        && mv $DHPARAM_FILE.tmp $DHPARAM_FILE \
         && echo "dhparam generation complete, reloading nginx" \
         && nginx -s reload
     ) | grep -vE '^[\.+]+'

nginx.tmpl

@@ -25,7 +25,7 @@
 			server 127.0.0.1 down;
 		{{ end }}
 	{{ end }}
-	
+
 {{ end }}
 
 # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
@@ -153,6 +153,9 @@ upstream {{ $upstream_name }} {
 					{{ $address := where $container.Addresses "Port" $port | first }}
 					{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
 				{{ end }}
+			{{ else }}
+				# Cannot connect to network of this container
+				server 127.0.0.1 down;
 			{{ end }}
 		{{ end }}
 	{{ end }}
@@ -224,31 +227,31 @@ server {
 	{{ end }}
 
 	{{ if eq $ssl_policy "Mozilla-Modern" }}
-	ssl_protocols TLSv1.2;
+	ssl_protocols TLSv1.2 TLSv1.3;
 	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
 	{{ else if eq $ssl_policy "Mozilla-Intermediate" }}
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
 	{{ else if eq $ssl_policy "Mozilla-Old" }}
-	ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+	ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
 	{{ else if eq $ssl_policy "AWS-TLS-1-2-2017-01" }}
-	ssl_protocols TLSv1.2;
+	ssl_protocols TLSv1.2 TLSv1.3;
 	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';
 	{{ else if eq $ssl_policy "AWS-TLS-1-1-2017-01" }}
-	ssl_protocols TLSv1.1 TLSv1.2;
+	ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
 	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
 	{{ else if eq $ssl_policy "AWS-2016-08" }}
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
 	{{ else if eq $ssl_policy "AWS-2015-05" }}
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA';
 	{{ else if eq $ssl_policy "AWS-2015-03" }}
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA';
 	{{ else if eq $ssl_policy "AWS-2015-02" }}
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA';
 	{{ end }}
 
@@ -264,14 +267,14 @@ server {
 	ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
 	{{ end }}
 
-	{{ if (exists (printf "/etc/nginx/certs/%s.chain.crt" $cert)) }}
+	{{ if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }}
 	ssl_stapling on;
 	ssl_stapling_verify on;
-	ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.crt" $cert }};
+	ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};
 	{{ end }}
 
-	{{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }}
+	{{ if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }}
-	add_header Strict-Transport-Security "{{ trim $hsts }}";
+	add_header Strict-Transport-Security "{{ trim $hsts }}" always;
 	{{ end }}
 
 	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}

test/certs/create_server_certificate.sh

@@ -24,7 +24,7 @@ fi
 # Create a nginx container (which conveniently provides the `openssl` command)
 ###############################################################################
 
-CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.13)
+CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.14.1)
 # Configure openssl
 docker exec $CONTAINER bash -c '
 	mkdir -p /ca/{certs,crl,private,newcerts} 2>/dev/null

test/conftest.py

@@ -257,7 +257,7 @@ def get_nginx_conf_from_container(container):
     strm, stat = container.get_archive('/etc/nginx/conf.d/default.conf')
     with tarfile.open(fileobj=StringIO(strm.read())) as tf:
         conffile = tf.extractfile('default.conf')
-    return conffile.read()
+        return conffile.read()
 
 
 def docker_compose_up(compose_file='docker-compose.yml'):
@@ -469,5 +469,5 @@ try:
 except docker.errors.ImageNotFound:
     pytest.exit("The docker image 'jwilder/nginx-proxy:test' is missing")
 
-if docker.__version__ != "2.0.2":
+if docker.__version__ != "2.1.0":
-    pytest.exit("This test suite is meant to work with the python docker module v2.0.2")
+    pytest.exit("This test suite is meant to work with the python docker module v2.1.0")

test/requirements/python-requirements.txt

@@ -1,5 +1,5 @@
 backoff==1.3.2
-docker-compose==1.11.1
+docker-compose==1.11.2
-docker==2.0.2
+docker==2.1.0
 pytest==3.0.5
-requests==2.11.1
+requests==2.11.1

test/requirements/web/webserver.py

@@ -1,28 +1,35 @@
 #!/usr/bin/env python3
 
-import os, sys
+import os, sys, re
 import http.server
 import socketserver
 
-
 class Handler(http.server.SimpleHTTPRequestHandler):
     def do_GET(self):
-        
+
-        self.send_response(200)
+        response_body = ""
+        response_code = 200
+
+        if self.path == "/headers":
+            response_body += self.headers.as_string()
+        elif self.path == "/port":
+            response_body += "answer from port %s\n" % PORT
+        elif re.match("/status/(\d+)", self.path):
+            result = re.match("/status/(\d+)", self.path)
+            response_code = int(result.group(1))
+            response_body += "answer with response code %s\n" % response_code
+        elif self.path == "/":
+            response_body += "I'm %s\n" % os.environ['HOSTNAME']
+        else:
+            response_body += "No route for this path!\n"
+            response_code = 404
+
+        self.send_response(response_code)
         self.send_header("Content-Type", "text/plain")
         self.end_headers()
 
-        if self.path == "/headers":
+        if (len(response_body)):
-            self.wfile.write(self.headers.as_string().encode())
+            self.wfile.write(response_body.encode())
-        elif self.path == "/port":
-            response = "answer from port %s\n" % PORT
-            self.wfile.write(response.encode())
-        elif self.path == "/":
-            response = "I'm %s\n" % os.environ['HOSTNAME']
-            self.wfile.write(response.encode())
-        else:
-            self.wfile.write("No route for this path!\n".encode())
-
 
 if __name__ == '__main__':
     PORT = int(sys.argv[1])

test/test_ssl/test_hsts.py

@@ -7,6 +7,13 @@ def test_web1_HSTS_default(docker_compose, nginxproxy):
     assert "Strict-Transport-Security" in r.headers
     assert "max-age=31536000" == r.headers["Strict-Transport-Security"]
 
+# Regression test to ensure HSTS is enabled even when the upstream sends an error in response
+# Issue #1073 https://github.com/jwilder/nginx-proxy/pull/1073
+def test_web1_HSTS_error(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://web1.nginx-proxy.tld/status/500", allow_redirects=False)
+    assert "Strict-Transport-Security" in r.headers
+    assert "max-age=31536000" == r.headers["Strict-Transport-Security"]
+
 def test_web2_HSTS_off(docker_compose, nginxproxy):
     r = nginxproxy.get("https://web2.nginx-proxy.tld/port", allow_redirects=False)
     assert "answer from port 81\n" in r.text
@@ -17,3 +24,10 @@ def test_web3_HSTS_custom(docker_compose, nginxproxy):
     assert "answer from port 81\n" in r.text
     assert "Strict-Transport-Security" in r.headers
     assert "max-age=86400; includeSubDomains; preload" == r.headers["Strict-Transport-Security"]
+
+# Regression test for issue 1080
+# https://github.com/jwilder/nginx-proxy/issues/1080
+def test_web4_HSTS_off_noredirect(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://web4.nginx-proxy.tld/port", allow_redirects=False)
+    assert "answer from port 81\n" in r.text
+    assert "Strict-Transport-Security" not in r.headers

test/test_ssl/test_hsts.yml

@@ -24,6 +24,16 @@ web3:
     VIRTUAL_HOST: "web3.nginx-proxy.tld"
     HSTS: "max-age=86400; includeSubDomains; preload"
 
+web4:
+  image: web
+  expose:
+    - "81"
+  environment:
+    WEB_PORTS: "81"
+    VIRTUAL_HOST: "web4.nginx-proxy.tld"
+    HSTS: "off"
+    HTTPS_METHOD: "noredirect"
+
 sut:
   image: jwilder/nginx-proxy:test
   volumes:

test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml

@@ -7,6 +7,7 @@ services:
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
       - ./certs:/etc/nginx/certs:ro
+      - ../../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
 
   web1:
     image: web
@@ -30,4 +31,4 @@ services:
     environment:
       WEB_PORTS: "83"
       VIRTUAL_HOST: "3.web.nginx-proxy.tld"
-      HTTPS_METHOD: nohttps
+      HTTPS_METHOD: nohttps

test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py

@@ -11,6 +11,7 @@ from requests.exceptions import SSLError
 def test_http_redirects_to_https(docker_compose, nginxproxy, subdomain, should_redirect_to_https):
     r = nginxproxy.get("http://%s.web.nginx-proxy.tld/port" % subdomain)
     if should_redirect_to_https:
+        assert len(r.history) > 0
         assert r.history[0].is_redirect
         assert r.history[0].headers.get("Location") == "https://%s.web.nginx-proxy.tld/port" % subdomain
     assert "answer from port 8%s\n" % subdomain == r.text