From 4606b15309e69ecf80a406638d0c18609ab7256a Mon Sep 17 00:00:00 2001
From: Gilles Filippini
Date: Thu, 6 Jun 2024 21:44:45 +0200
Subject: [PATCH] fix: nohttp(s) shouldn't disable fallback server Say we have two containers: - `app1` with `HTTPS_METHOD=redirect` - `app2` with `HTTPS_METHOD=nohttps` Without this change the fallback answer on an HTTPS request to an unknown server would change depending on whether `app1` is up (503) or not (connection refused). This is not wanted. In case someone doesn't want HTTPS at all, they just have to not bind port 443.
---
 nginx.tmpl | 2 +-
 test/test_fallback.py | 9 ++++-----
 2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/nginx.tmpl b/nginx.tmpl
index a7f4a0c..07e1314 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -664,7 +664,7 @@ proxy_set_header Proxy "";
 {{- $http3_enabled = or $http3_enabled $vhost.http3_enabled }}
 {{- end }}
 {{- $fallback_http := not $default_http_exists }}
- {{- $fallback_https := and $https_exists (not $default_https_exists) }}
+ {{- $fallback_https := not $default_https_exists }}
 {{- /*
 * If there are no vhosts at all, create fallbacks for both plain http
 * and https so that clients get something more useful than a connection
diff --git a/test/test_fallback.py b/test/test_fallback.py
index 16da3d7..ed11fc0 100644
--- a/test/test_fallback.py
+++ b/test/test_fallback.py
@@ -33,7 +33,6 @@ def get(docker_compose, nginxproxy, want_err_re):
 INTERNAL_ERR_RE = re.compile("TLSV1_ALERT_INTERNAL_ERROR")
-CONNECTION_REFUSED_RE = re.compile("Connection refused")
 @pytest.mark.parametrize("compose_file,url,want_code,want_err_re", [
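Review bot: In nginx.tmpl, `$fallback_https` no longer depends on `$https_exists`, so the HTTPS fallback appears to be generated even when every container sets `HTTPS_METHOD=nohttps`; the updated test rows confirm that port 443 then accepts the connection and fails at the TLS handshake where it used to refuse it. Deployments that relied on `nohttps` to keep 443 closed gain a listener on upgrade, which only the commit message mentions, so it should be recorded in the user-facing docs and next to the assignment, e.g. `{{- /* HTTPS fallback is generated even with no HTTPS vhost; to expose no TLS listener, do not publish port 443. */}}`. The block comment that follows ("If there are no vhosts at all, create fallbacks for both plain http and https") continues outside the hunk, and its https half may now be redundant and need rewording.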
@@ -79,14 +78,14 @@ CONNECTION_REFUSED_RE = re.compile("Connection refused")
 ("nohttp-with-missing-cert.yml", "https://unknown.nginx-proxy.test/", 503, None),
 # HTTPS_METHOD=nohttps on nginx-proxy, HTTPS_METHOD unset on the app container.
 ("nohttps.yml", "http://http-only.nginx-proxy.test/", 200, None),
- ("nohttps.yml", "https://http-only.nginx-proxy.test/", None, CONNECTION_REFUSED_RE),
+ ("nohttps.yml", "https://http-only.nginx-proxy.test/", None, INTERNAL_ERR_RE),
 ("nohttps.yml", "http://unknown.nginx-proxy.test/", 503, None),
- ("nohttps.yml", "https://unknown.nginx-proxy.test/", None, CONNECTION_REFUSED_RE),
+ ("nohttps.yml", "https://unknown.nginx-proxy.test/", None, INTERNAL_ERR_RE),
 # HTTPS_METHOD=redirect on nginx-proxy, HTTPS_METHOD=nohttps on the app container.
 ("nohttps-on-app.yml", "http://http-only.nginx-proxy.test/", 200, None),
- ("nohttps-on-app.yml", "https://http-only.nginx-proxy.test/", None, CONNECTION_REFUSED_RE),
+ ("nohttps-on-app.yml", "https://http-only.nginx-proxy.test/", None, INTERNAL_ERR_RE),
 ("nohttps-on-app.yml", "http://unknown.nginx-proxy.test/", 503, None),
- ("nohttps-on-app.yml", "https://unknown.nginx-proxy.test/", None, CONNECTION_REFUSED_RE),
+ ("nohttps-on-app.yml", "https://unknown.nginx-proxy.test/", None, INTERNAL_ERR_RE),
 # Custom nginx config that has a `server` directive that uses `default_server` and simply
 # returns 418. Nginx should successfully start (in particular, the `default_server` in the
 # custom config should not conflict with the fallback server generated by nginx-proxy) and nginx
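Review bot: The four `https://` rows for `nohttps.yml` and `nohttps-on-app.yml` now expect `INTERNAL_ERR_RE`, but the group comments above them do not say why a handshake failure is the intended outcome. A one-line comment per group, e.g. `# 443 is answered by the fallback server even with nohttps; the TLS handshake must fail rather than reach the http-only app.`, would record that these rows guard against an http-only backend becoming reachable over TLS. The parametrize list starts before this hunk and continues after it.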