From 4bd542de99e05de3195b652be06f3854ea19262f Mon Sep 17 00:00:00 2001
From: Nicolas Duchon
Date: Wed, 5 Jun 2024 08:23:55 +0200
Subject: [PATCH] feat: handle acme challenge location by default
---
 docs/README.md | 9 +++++----
 nginx.tmpl | 2 +-
 ...> test_acme_challenge_location_enabled_is_default.py} | 0
 ... test_acme_challenge_location_enabled_is_default.yml} | 2 --
 ...default.py => test_acme_challenge_location_legacy.py} | 0
 ...fault.yml => test_acme_challenge_location_legacy.yml} | 2 ++
 test/test_ssl/test_noredirect.py | 4 ++--
 7 files changed, 10 insertions(+), 9 deletions(-)
 rename test/test_acme_http_challenge_location/{test_acme_challenge_location_enabled.py => test_acme_challenge_location_enabled_is_default.py} (100%)
 rename test/test_acme_http_challenge_location/{test_acme_challenge_location_enabled.yml => test_acme_challenge_location_enabled_is_default.yml} (93%)
 rename test/test_acme_http_challenge_location/{test_acme_challenge_location_legacy_is_default.py => test_acme_challenge_location_legacy.py} (100%)
 rename test/test_acme_http_challenge_location/{test_acme_challenge_location_legacy_is_default.yml => test_acme_challenge_location_legacy.yml} (89%)
diff --git a/docs/README.md b/docs/README.md
index d1aa75b..33a33ae 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -421,10 +421,11 @@ If you are running the container in a virtualized environment (Hyper-V, VirtualB
 [acme-companion](https://github.com/nginx-proxy/acme-companion) is a lightweight companion container for the nginx-proxy. It allows the automated creation/renewal of SSL certificates using the ACME protocol.
-By default nginx-proxy generates location blocks to handle ACME HTTP Challenge, excepted when `HTTPS_METHOD=noredirect` or there is no certificate for the domain. Ths behavior can be changed with environment variable `ACME_HTTP_CHALLENGE_LOCATION`. It accepts these values:
-* `legacy`: default value; current default behavior
-* `true`: handle ACME HTTP Challenge in all cases
-* `false`: do not handle ACME HTTP Challenge at all.
+By default nginx-proxy generates location blocks to handle ACME HTTP Challenge. Ths behavior can be changed with environment variable `ACME_HTTP_CHALLENGE_LOCATION`. It accepts these values:
+
+- `true`: default behavior, handle ACME HTTP Challenge in all cases.
+- `false`: do not handle ACME HTTP Challenge at all.
+- `legacy`: legacy behavior for compatibility with older (<= `2.3`) versions of acme-companion, only handle ACME HTTP challenge when there is a certificate for the domain and `HTTPS_METHOD=redirect`.
 ### Diffie-Hellman Groups
diff --git a/nginx.tmpl b/nginx.tmpl
index 4fd6110..8512379 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -596,7 +596,7 @@ proxy_set_header Proxy "";
 {{- end }}
 {{- $http2_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable"))) $globals.Env.ENABLE_HTTP2 "true")}}
 {{- $http3_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}}
- {{- $acme_http_challenge := or (first (groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION")) $globals.Env.ACME_HTTP_CHALLENGE_LOCATION "legacy" }}
+ {{- $acme_http_challenge := or (first (groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION")) $globals.Env.ACME_HTTP_CHALLENGE_LOCATION "true" }}
 {{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }}
 {{- $acme_http_challenge_enabled := false }}
 {{- if (not $acme_http_challenge_legacy) }}
diff --git a/test/test_acme_http_challenge_location/test_acme_challenge_location_enabled.py b/test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.py
similarity index 100%
rename from test/test_acme_http_challenge_location/test_acme_challenge_location_enabled.py
rename to test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.py
diff --git a/test/test_acme_http_challenge_location/test_acme_challenge_location_enabled.yml b/test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.yml
similarity index 93%
rename from test/test_acme_http_challenge_location/test_acme_challenge_location_enabled.yml
rename to test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.yml
index 4d211fc..41439e3 100644
--- a/test/test_acme_http_challenge_location/test_acme_challenge_location_enabled.yml
+++ b/test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.yml
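Review bot: The new default `"true"` on the `$acme_http_challenge` assignment changes what every vhost emits — per the README hunk in this same commit, the ACME HTTP challenge location block is now generated even for hosts with no certificate or with `HTTPS_METHOD=noredirect` — yet nothing in the template records that intent or the meaning of the three accepted values. A template comment directly above the assignment would keep that knowledge next to the code: `{{/* ACME_HTTP_CHALLENGE_LOCATION: "true" (default) always emits the ACME challenge location; "false" never does; "legacy" only when the vhost has a certificate and HTTPS_METHOD=redirect */}}`. Note also that Go-template `or` treats an empty string as false, so an explicitly empty `ACME_HTTP_CHALLENGE_LOCATION=` now resolves to `true` where it previously resolved to `legacy`; that is presumably intended but is worth a sentence in the docs. The `$acme_http_challenge_enabled` logic that consumes this value continues past the end of the hunk.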
@@ -39,8 +39,6 @@ services:
 sut:
 image: nginxproxy/nginx-proxy:test
- environment:
- ACME_HTTP_CHALLENGE_LOCATION: "true"
 volumes:
 - /var/run/docker.sock:/tmp/docker.sock:ro
 - ./certs:/etc/nginx/certs:ro
diff --git a/test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.py b/test/test_acme_http_challenge_location/test_acme_challenge_location_legacy.py
similarity index 100%
rename from test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.py
rename to test/test_acme_http_challenge_location/test_acme_challenge_location_legacy.py
diff --git a/test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.yml b/test/test_acme_http_challenge_location/test_acme_challenge_location_legacy.yml
similarity index 89%
rename from test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.yml
rename to test/test_acme_http_challenge_location/test_acme_challenge_location_legacy.yml
index d29efbd..693f9e0 100644
--- a/test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.yml
+++ b/test/test_acme_http_challenge_location/test_acme_challenge_location_legacy.yml
@@ -20,6 +20,8 @@ services:
 sut:
 image: nginxproxy/nginx-proxy:test
+ environment:
+ ACME_HTTP_CHALLENGE_LOCATION: "legacy"
 volumes:
 - /var/run/docker.sock:/tmp/docker.sock:ro
 - ./certs:/etc/nginx/certs:ro
diff --git a/test/test_ssl/test_noredirect.py b/test/test_ssl/test_noredirect.py
index 0f50063..1d956d1 100644
--- a/test/test_ssl/test_noredirect.py
+++ b/test/test_ssl/test_noredirect.py
@@ -19,9 +19,9 @@ def test_web2_HSTS_policy_is_inactive(docker_compose, nginxproxy):
 assert "Strict-Transport-Security" not in r.headers
-def test_web3_acme_challenge_does_not_work(docker_compose, nginxproxy, acme_challenge_path):
+def test_web3_acme_challenge_does_work(docker_compose, nginxproxy, acme_challenge_path):
 r = nginxproxy.get(
 f"http://web3.nginx-proxy.tld/{acme_challenge_path}", allow_redirects=False
 )
- assert r.status_code == 404
+ assert r.status_code == 200
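Review bot: `assert r.status_code == 200` on its own does not establish that the request was answered by the generated ACME challenge location rather than proxied through to the web3 backend, which may well return 200 for an arbitrary path; the previous `404` assertion at least told the two apart. If the `acme_challenge_path` fixture also exposes the expected challenge content, pin the body as well, e.g. `assert r.text == <expected challenge content from the fixture>` (placeholder), or otherwise assert on something that identifies the challenge handler rather than the upstream. Without that, a regression that drops the location block but keeps the vhost proxied would still pass this test. The renamed test ends with the hunk's last line, so whether anything follows it is outside the visible range.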