mirror/nginx-proxy
1
0
Fork 0
mirror of https://github.com/nginx-proxy/nginx-proxy synced 2024-11-08 07:49:22 +01:00
Code Issues

feat: handle acme challenge location by default

Browse Source
This commit is contained in:
Nicolas Duchon 2024-06-05 08:23:55 +02:00
parent 8de923fd33
commit 4bd542de99
No known key found for this signature in database
GPG Key ID: EA3151C66A4D79E7
7 changed files with 10 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
docs/README.md
View File

@ -421,10 +421,11 @@ If you are running the container in a virtualized environment (Hyper-V, VirtualB
[acme-companion](https://github.com/nginx-proxy/acme-companion) is a lightweight companion container for the nginx-proxy. It allows the automated creation/renewal of SSL certificates using the ACME protocol. [acme-companion](https://github.com/nginx-proxy/acme-companion) is a lightweight companion container for the nginx-proxy. It allows the automated creation/renewal of SSL certificates using the ACME protocol.
By default nginx-proxy generates location blocks to handle ACME HTTP Challenge, excepted when `HTTPS_METHOD=noredirect` or there is no certificate for the domain. Ths behavior can be changed with environment variable `ACME_HTTP_CHALLENGE_LOCATION`. It accepts these values: By default nginx-proxy generates location blocks to handle ACME HTTP Challenge. Ths behavior can be changed with environment variable `ACME_HTTP_CHALLENGE_LOCATION`. It accepts these values:
* `legacy`: default value; current default behavior
* `true`: handle ACME HTTP Challenge in all cases - `true`: default behavior, handle ACME HTTP Challenge in all cases.
* `false`: do not handle ACME HTTP Challenge at all. - `false`: do not handle ACME HTTP Challenge at all.
- `legacy`: legacy behavior for compatibility with older (<= `2.3`) versions of acme-companion, only handle ACME HTTP challenge when there is a certificate for the domain and `HTTPS_METHOD=redirect`.
### Diffie-Hellman Groups ### Diffie-Hellman Groups

2
nginx.tmpl
View File

@ -596,7 +596,7 @@ proxy_set_header Proxy "";
{{- end }} {{- end }}
{{- $http2_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable"))) $globals.Env.ENABLE_HTTP2 "true")}} {{- $http2_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable"))) $globals.Env.ENABLE_HTTP2 "true")}}
{{- $http3_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}} {{- $http3_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}}
{{- $acme_http_challenge := or (first (groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION")) $globals.Env.ACME_HTTP_CHALLENGE_LOCATION "legacy" }} {{- $acme_http_challenge := or (first (groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION")) $globals.Env.ACME_HTTP_CHALLENGE_LOCATION "true" }}
{{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }} {{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }}
{{- $acme_http_challenge_enabled := false }} {{- $acme_http_challenge_enabled := false }}
{{- if (not $acme_http_challenge_legacy) }} {{- if (not $acme_http_challenge_legacy) }}

0
test/test_acme_http_challenge_location/test_acme_challenge_location_enabled.py → test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.py
View File

2
test/test_acme_http_challenge_location/test_acme_challenge_location_enabled.yml → test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.yml
View File

@ -39,8 +39,6 @@ services:
sut: sut:
image: nginxproxy/nginx-proxy:test image: nginxproxy/nginx-proxy:test
environment:
ACME_HTTP_CHALLENGE_LOCATION: "true"
volumes: volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro - /var/run/docker.sock:/tmp/docker.sock:ro
- ./certs:/etc/nginx/certs:ro - ./certs:/etc/nginx/certs:ro

0
test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.py → test/test_acme_http_challenge_location/test_acme_challenge_location_legacy.py
View File

2
test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.yml → test/test_acme_http_challenge_location/test_acme_challenge_location_legacy.yml
View File

@ -20,6 +20,8 @@ services:
sut: sut:
image: nginxproxy/nginx-proxy:test image: nginxproxy/nginx-proxy:test
environment:
ACME_HTTP_CHALLENGE_LOCATION: "legacy"
volumes: volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro - /var/run/docker.sock:/tmp/docker.sock:ro
- ./certs:/etc/nginx/certs:ro - ./certs:/etc/nginx/certs:ro

4
test/test_ssl/test_noredirect.py
View File

@ -19,9 +19,9 @@ def test_web2_HSTS_policy_is_inactive(docker_compose, nginxproxy):
assert "Strict-Transport-Security" not in r.headers assert "Strict-Transport-Security" not in r.headers
def test_web3_acme_challenge_does_not_work(docker_compose, nginxproxy, acme_challenge_path): def test_web3_acme_challenge_does_work(docker_compose, nginxproxy, acme_challenge_path):
r = nginxproxy.get( r = nginxproxy.get(
f"http://web3.nginx-proxy.tld/{acme_challenge_path}", f"http://web3.nginx-proxy.tld/{acme_challenge_path}",
allow_redirects=False allow_redirects=False
) )
assert r.status_code == 404 assert r.status_code == 200