From 4b22ccdc81248969e007d295a4bf989bd5170065 Mon Sep 17 00:00:00 2001 From: Pan Teparak Date: Sun, 27 Aug 2017 04:40:35 +0700 Subject: [PATCH 1/9] Add ability to opt-out dh param auto generation --- docker-entrypoint.sh | 3 ++- generate-dhparam.sh | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 2afd5bf..ed0750f 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -16,7 +16,8 @@ fi # Generate dhparam file if required # Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 2048 as a default -/app/generate-dhparam.sh $DHPARAM_BITS +# Note2: if $GENERATE_DHPARAM is set to false in environment variable, dh param generator will skip completely +/app/generate-dhparam.sh $DHPARAM_BITS $GENERATE_DHPARAM # Compute the DNS resolvers for use in the templates export RESOLVERS=$(awk '$1 == "nameserver" {print $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g') diff --git a/generate-dhparam.sh b/generate-dhparam.sh index 3fdc77c..67319a4 100755 --- a/generate-dhparam.sh +++ b/generate-dhparam.sh @@ -2,6 +2,7 @@ # The first argument is the bit depth of the dhparam, or 2048 if unspecified DHPARAM_BITS=${1:-2048} +GENERATE_DHPARAM=${2:-true} # If a dhparam file is not available, use the pre-generated one and generate a new one in the background. # Note that /etc/nginx/dhparam is a volume, so this dhparam will persist restarts. @@ -25,6 +26,11 @@ if [[ -f $DHPARAM_FILE ]]; then fi fi +if [[ $GENERATE_DHPARAM =~ ^[Ff][Aa][Ll][Ss][Ee]$ ]]; then + echo "Skipping Diffie-Hellman parameters generation and Ignoring pre-generated dhparam.pem" + exit 0 +fi + cat >&2 <<-EOT WARNING: $DHPARAM_FILE was not found. A pre-generated dhparam.pem will be used for now while a new one is being generated in the background. Once the new dhparam.pem is in place, nginx will be reloaded. From 09271a333ae8be4f3bee6ddf54dc2c0876ab0e91 Mon Sep 17 00:00:00 2001 From: Pan Teparak Date: Sun, 27 Aug 2017 04:40:47 +0700 Subject: [PATCH 2/9] Update Readme --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 639289c..91229c4 100644 --- a/README.md +++ b/README.md @@ -152,6 +152,10 @@ Finally, start your containers with `VIRTUAL_HOST` environment variables. [letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically. +Set `GENERATE_DHPARAM` environment variable to `false` to disabled Diffie-Hellman parameters completely. This will also ignore auto-generation made by `nginx-proxy`. +The default value is `true` + + $ docker run -e GENERATE_DHPARAM=false .... ### SSL Support SSL is supported using single host, wildcard and SNI certificates using naming conventions for @@ -359,4 +363,4 @@ If your system has the `make` command, you can automate those tasks by calling: make test -You can learn more about how the test suite works and how to write new tests in the [test/README.md](test/README.md) file. +You can learn more about how the test suite works and how to write new tests in the [test/README.md](test/README.md) file. \ No newline at end of file From a3b1d5b7ab6788c4d1d4fc62a841cf1e0c9b2774 Mon Sep 17 00:00:00 2001 From: Pan Teparak Date: Sun, 27 Aug 2017 13:19:29 +0700 Subject: [PATCH 3/9] Trigger Build From 31d2ed172b2f306e0662b6d84caf486f10866089 Mon Sep 17 00:00:00 2001 From: Pan Teparak Date: Sun, 24 Sep 2017 15:13:24 +0700 Subject: [PATCH 4/9] Change ENV variable from GENERATE_DHPARAM to DHPARAM_GENERATION --- docker-entrypoint.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index ed0750f..ea10d4e 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -16,8 +16,8 @@ fi # Generate dhparam file if required # Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 2048 as a default -# Note2: if $GENERATE_DHPARAM is set to false in environment variable, dh param generator will skip completely -/app/generate-dhparam.sh $DHPARAM_BITS $GENERATE_DHPARAM +# Note2: if $DHPARAM_GENERATION is set to false in environment variable, dh param generator will skip completely +/app/generate-dhparam.sh $DHPARAM_BITS $DHPARAM_GENERATION # Compute the DNS resolvers for use in the templates export RESOLVERS=$(awk '$1 == "nameserver" {print $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g') From 92379d8131191fc2787df07a1d9938f4973fe753 Mon Sep 17 00:00:00 2001 From: Pan Teparak Date: Sun, 24 Sep 2017 15:15:00 +0700 Subject: [PATCH 5/9] Update Readme --- README.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 91229c4..fa90955 100644 --- a/README.md +++ b/README.md @@ -150,12 +150,12 @@ Finally, start your containers with `VIRTUAL_HOST` environment variables. $ docker run -e VIRTUAL_HOST=foo.bar.com ... ### SSL Support using letsencrypt -[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically. +[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allow the creation/renewal of Let's Encrypt certificates automatically. -Set `GENERATE_DHPARAM` environment variable to `false` to disabled Diffie-Hellman parameters completely. This will also ignore auto-generation made by `nginx-proxy`. +Set `DHPARAM_GENERATION` environment variable to `false` to disabled Diffie-Hellman parameters completely. This will also ignore auto-generation made by `nginx-proxy`. The default value is `true` - $ docker run -e GENERATE_DHPARAM=false .... + $ docker run -e DHPARAM_GENERATION=false .... ### SSL Support SSL is supported using single host, wildcard and SNI certificates using naming conventions for @@ -187,7 +187,7 @@ at startup. Since it can take minutes to generate a new `dhparam.pem`, it is do background. Once generation is complete, the `dhparams.pem` is saved on a persistent volume and nginx is reloaded. This generation process only occurs the first time you start `nginx-proxy`. -> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 2048 bits for A+ security. Some +> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 2048 bits for A+ security. Some > older clients (like Java 6 and 7) do not support DH keys with over 1024 bits. In order to support these > clients, you must either provide your own `dhparam.pem`, or tell `nginx-proxy` to generate a 1024-bit > key on startup by passing `-e DHPARAM_BITS=1024`. @@ -210,7 +210,7 @@ The SSL cipher configuration is based on the [Mozilla nginx intermediate profile should provide compatibility with clients back to Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7. Note that the DES-based TLS ciphers were removed for security. The configuration also enables HSTS, PFS, OCSP stapling and SSL session caches. Currently TLS 1.0, 1.1 and 1.2 -are supported. TLS 1.0 is deprecated but its end of life is not until June 30, 2018. It is being +are supported. TLS 1.0 is deprecated but its end of life is not until June 30, 2018. It is being included because the following browsers will stop working when it is removed: Chrome < 22, Firefox < 27, IE < 11, Safari < 7, iOS < 5, Android Browser < 5. @@ -227,12 +227,12 @@ a 500. To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also -disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with -`HTTPS_METHOD=nohttps`. `HTTPS_METHOD` must be specified on each container for which you want to -override the default behavior. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS) -is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP -site after changing this setting, your browser has probably cached the HSTS policy and is automatically -redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito +disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with +`HTTPS_METHOD=nohttps`. `HTTPS_METHOD` must be specified on each container for which you want to +override the default behavior. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS) +is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP +site after changing this setting, your browser has probably cached the HSTS policy and is automatically +redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito window / different browser. ### Basic Authentication Support @@ -348,7 +348,7 @@ Before submitting pull requests or issues, please check github to make sure an e To run tests, you need to prepare the docker image to test which must be tagged `jwilder/nginx-proxy:test`: docker build -t jwilder/nginx-proxy:test . # build the Debian variant image - + and call the [test/pytest.sh](test/pytest.sh) script. Then build the Alpine variant of the image: @@ -361,6 +361,6 @@ and call the [test/pytest.sh](test/pytest.sh) script again. If your system has the `make` command, you can automate those tasks by calling: make test - -You can learn more about how the test suite works and how to write new tests in the [test/README.md](test/README.md) file. \ No newline at end of file + +You can learn more about how the test suite works and how to write new tests in the [test/README.md](test/README.md) file. From 936e57a6de5a3e12043ab51492bf795537afe4f2 Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Mon, 26 Mar 2018 13:27:30 -0400 Subject: [PATCH 6/9] Fixed #1080, can't disable HSTS with noredirect --- nginx.tmpl | 4 ++-- test/test_ssl/test_hsts.py | 7 +++++++ test/test_ssl/test_hsts.yml | 10 ++++++++++ 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/nginx.tmpl b/nginx.tmpl index d861050..a9fc479 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -19,7 +19,7 @@ server 127.0.0.1 down; {{ end }} {{ end }} - + {{ end }} # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the @@ -262,7 +262,7 @@ server { ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }}; {{ end }} - {{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }} + {{ if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }} add_header Strict-Transport-Security "{{ trim $hsts }}" always; {{ end }} diff --git a/test/test_ssl/test_hsts.py b/test/test_ssl/test_hsts.py index 554d79a..12bbcc4 100644 --- a/test/test_ssl/test_hsts.py +++ b/test/test_ssl/test_hsts.py @@ -24,3 +24,10 @@ def test_web3_HSTS_custom(docker_compose, nginxproxy): assert "answer from port 81\n" in r.text assert "Strict-Transport-Security" in r.headers assert "max-age=86400; includeSubDomains; preload" == r.headers["Strict-Transport-Security"] + +# Regression test for issue 1080 +# https://github.com/jwilder/nginx-proxy/issues/1080 +def test_web4_HSTS_off_noredirect(docker_compose, nginxproxy): + r = nginxproxy.get("https://web4.nginx-proxy.tld/port", allow_redirects=False) + assert "answer from port 81\n" in r.text + assert "Strict-Transport-Security" not in r.headers diff --git a/test/test_ssl/test_hsts.yml b/test/test_ssl/test_hsts.yml index 5c04cf0..f6f39a7 100644 --- a/test/test_ssl/test_hsts.yml +++ b/test/test_ssl/test_hsts.yml @@ -24,6 +24,16 @@ web3: VIRTUAL_HOST: "web3.nginx-proxy.tld" HSTS: "max-age=86400; includeSubDomains; preload" +web4: + image: web + expose: + - "81" + environment: + WEB_PORTS: "81" + VIRTUAL_HOST: "web4.nginx-proxy.tld" + HSTS: "off" + HTTPS_METHOD: "noredirect" + sut: image: jwilder/nginx-proxy:test volumes: From 58c1fe360687a3a005ff9eae23ac3b6c4c4c3123 Mon Sep 17 00:00:00 2001 From: Gpkfr Date: Fri, 9 Nov 2018 15:26:01 +0100 Subject: [PATCH 7/9] Upgrade to nginx 1.14.1 stable version --- Dockerfile | 2 +- Dockerfile.alpine | 2 +- README.md | 2 +- test/certs/create_server_certificate.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 295c06b..45a09e3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.14 +FROM nginx:1.14.1 LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates diff --git a/Dockerfile.alpine b/Dockerfile.alpine index ba93de7..23459a3 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM nginx:1.14-alpine +FROM nginx:1.14.1-alpine LABEL maintainer="Jason Wilder mail@jasonwilder.com" # Install wget and install/updates certificates diff --git a/README.md b/README.md index 5c83548..a6504cd 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ ![latest 0.7.0](https://img.shields.io/badge/latest-0.7.0-green.svg?style=flat) -![nginx 1.14](https://img.shields.io/badge/nginx-1.14-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') +![nginx 1.14.1](https://img.shields.io/badge/nginx-1.14-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped. diff --git a/test/certs/create_server_certificate.sh b/test/certs/create_server_certificate.sh index 7473552..ae51280 100755 --- a/test/certs/create_server_certificate.sh +++ b/test/certs/create_server_certificate.sh @@ -24,7 +24,7 @@ fi # Create a nginx container (which conveniently provides the `openssl` command) ############################################################################### -CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.14) +CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.14.1) # Configure openssl docker exec $CONTAINER bash -c ' mkdir -p /ca/{certs,crl,private,newcerts} 2>/dev/null From 6a1a518fec5507ba1115468e1e70dc410ed53b2f Mon Sep 17 00:00:00 2001 From: Kenichi HIROSE Date: Tue, 18 Dec 2018 14:05:17 +0000 Subject: [PATCH 8/9] Fix empty dhparam.pem --- generate-dhparam.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/generate-dhparam.sh b/generate-dhparam.sh index 3fdc77c..27b6432 100755 --- a/generate-dhparam.sh +++ b/generate-dhparam.sh @@ -37,7 +37,8 @@ touch $GEN_LOCKFILE # Generate a new dhparam in the background in a low priority and reload nginx when finished (grep removes the progress indicator). ( ( - nice -n +5 openssl dhparam -out $DHPARAM_FILE $DHPARAM_BITS 2>&1 \ + nice -n +5 openssl dhparam -out $DHPARAM_FILE.tmp $DHPARAM_BITS 2>&1 \ + && mv $DHPARAM_FILE.tmp $DHPARAM_FILE \ && echo "dhparam generation complete, reloading nginx" \ && nginx -s reload ) | grep -vE '^[\.+]+' From ad4117803690042e446aa7f7b25d25bebecf843a Mon Sep 17 00:00:00 2001 From: Steve Kamerman Date: Mon, 4 Feb 2019 15:15:04 -0500 Subject: [PATCH 9/9] Fixed tests that are now failing due to the dhparam clearing command beating the nginx startup. This is fixed permanently in #1213, but this PR fixes the test so as not to rely on the dhparam autogen, which is tested elsewhere. --- test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml | 3 ++- .../wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml b/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml index bffffc1..20cd1b2 100644 --- a/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml +++ b/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml @@ -7,6 +7,7 @@ services: volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./certs:/etc/nginx/certs:ro + - ../../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro web1: image: web @@ -30,4 +31,4 @@ services: environment: WEB_PORTS: "83" VIRTUAL_HOST: "3.web.nginx-proxy.tld" - HTTPS_METHOD: nohttps \ No newline at end of file + HTTPS_METHOD: nohttps diff --git a/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py b/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py index de4b298..2808dee 100644 --- a/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py +++ b/test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py @@ -11,6 +11,7 @@ from requests.exceptions import SSLError def test_http_redirects_to_https(docker_compose, nginxproxy, subdomain, should_redirect_to_https): r = nginxproxy.get("http://%s.web.nginx-proxy.tld/port" % subdomain) if should_redirect_to_https: + assert len(r.history) > 0 assert r.history[0].is_redirect assert r.history[0].headers.get("Location") == "https://%s.web.nginx-proxy.tld/port" % subdomain assert "answer from port 8%s\n" % subdomain == r.text