
docs: explicit policy on missing certificate (#2465)

* chore/doc: explicit policy on missing certificate

This doesn't change the current nginx-proxy behavior, but makes explicit
the current HTTPS_METHOD policy on missing certificate.

* fix: bad wording about missing certificate

Co-authored-by: Nicolas Duchon <nicolas.duchon@gmail.com>

* docs: typo in suggestion

---------

Co-authored-by: Nicolas Duchon <nicolas.duchon@gmail.com>
pini-gh 2024-05-27 20:50:13 +02:00 committed by GitHub
parent 0dfc8b7a50
commit 5f3ec18b28
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 10 additions and 4 deletions

@ -572,7 +572,9 @@ _WARNING_: HSTS will force your users to visit the HTTPS version of your site fo
### Missing Certificate ### Missing Certificate
If HTTPS is enabled for a virtual host but its certificate is missing, nginx-proxy will configure nginx to use the default certificate (`default.crt` with `default.key`) and return a 500 error. If no matching certificate is found for a given virtual host, nginx-proxy will:
* configure nginx to use the default certificate (`default.crt` with `default.key`) and return a 500 error for HTTPS,
* force enable HTTP; i.e. `HTTPS_METHOD` will switch to `noredirect` if it was set to `nohttp` or `redirect`.
If the default certificate is also missing, nginx-proxy will configure nginx to accept HTTPS connections but fail the TLS negotiation. Client browsers will render a TLS error page. As of March 2023, web browsers display the following error messages: If the default certificate is also missing, nginx-proxy will configure nginx to accept HTTPS connections but fail the TLS negotiation. Client browsers will render a TLS error page. As of March 2023, web browsers display the following error messages:

@ -590,6 +590,10 @@ proxy_set_header Proxy "";
{{- $default := eq $globals.Env.DEFAULT_HOST $hostname }} {{- $default := eq $globals.Env.DEFAULT_HOST $hostname }}
{{- $https_method := or (first (groupByKeys $vhost_containers "Env.HTTPS_METHOD")) $globals.Env.HTTPS_METHOD "redirect" }} {{- $https_method := or (first (groupByKeys $vhost_containers "Env.HTTPS_METHOD")) $globals.Env.HTTPS_METHOD "redirect" }}
{{- /* When the certificate is missing we want to ensure that HTTP is enabled; hence switching from 'nohttp' or 'redirect' to 'noredirect' */}}
{{- if (and (not $cert_ok) (or (eq $https_method "nohttp") (eq $https_method "redirect"))) }}
{{- $https_method = "noredirect" }}
{{- end }}
{{- $http2_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable"))) $globals.Env.ENABLE_HTTP2 "true")}} {{- $http2_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable"))) $globals.Env.ENABLE_HTTP2 "true")}}
{{- $http3_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}} {{- $http3_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}}
@ -642,7 +646,7 @@ proxy_set_header Proxy "";
{{- $default_https_exists := false }} {{- $default_https_exists := false }}
{{- $http3_enabled := false }} {{- $http3_enabled := false }}
{{- range $vhost := $globals.vhosts }} {{- range $vhost := $globals.vhosts }}
{{- $http := or (ne $vhost.https_method "nohttp") (not $vhost.cert_ok) }} {{- $http := ne $vhost.https_method "nohttp" }}
{{- $https := ne $vhost.https_method "nohttps" }} {{- $https := ne $vhost.https_method "nohttps" }}
{{- $http_exists = or $http_exists $http }} {{- $http_exists = or $http_exists $http }}
{{- $https_exists = or $https_exists $https }} {{- $https_exists = or $https_exists $https }}
@ -725,7 +729,7 @@ server {
{{ template "upstream" (dict "globals" $globals "Path" $path "VPath" $vpath) }} {{ template "upstream" (dict "globals" $globals "Path" $path "VPath" $vpath) }}
{{- end }} {{- end }}
{{- if and $vhost.cert_ok (eq $vhost.https_method "redirect") }} {{- if (eq $vhost.https_method "redirect") }}
server { server {
server_name {{ $hostname }}; server_name {{ $hostname }};
{{- if $vhost.server_tokens }} {{- if $vhost.server_tokens }}
@ -766,7 +770,7 @@ server {
{{- if $vhost.http2_enabled }} {{- if $vhost.http2_enabled }}
http2 on; http2 on;
{{- end }} {{- end }}
{{- if or (eq $vhost.https_method "nohttps") (not $vhost.cert_ok) (eq $vhost.https_method "noredirect") }} {{- if or (eq $vhost.https_method "nohttps") (eq $vhost.https_method "noredirect") }}
listen {{ $globals.external_http_port }} {{ $default_server }}; listen {{ $globals.external_http_port }} {{ $default_server }};
{{- if $globals.enable_ipv6 }} {{- if $globals.enable_ipv6 }}
listen [::]:{{ $globals.external_http_port }} {{ $default_server }}; listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
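Review bot: The reassignment added at lines 40-42 silently overrides an operator's explicit `HTTPS_METHOD=nohttp` (or `redirect`) with `noredirect` whenever `$cert_ok` is false, so a certificate that goes missing (a failed renewal, an unmounted volume) turns an HTTPS-only vhost into a plaintext one with no trace in the rendered config; the commit message says this matches prior behavior, and the old `$http := or (...) (not $vhost.cert_ok)` form at line 49 supports that, but the new code is now the single place where that fail-open decision is made and its comment only says HTTP is "ensured". I would make the trade-off explicit for the next maintainer with a template comment above the `if`, e.g. `{{- /* Fail-open: a missing certificate downgrades 'nohttp'/'redirect' to 'noredirect', i.e. plaintext HTTP is served instead of refused; clients that already cached HSTS will still refuse HTTP */ }}`, and consider emitting an nginx `#` comment in the vhost's server block so the override is visible in `nginx -T`. Where `$cert_ok` is computed is outside this hunk, as is the enclosing `range` over vhosts, so whether it already distinguishes "no cert at all" from "cert present but unreadable" cannot be confirmed from here.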