diff --git a/docs/README.md b/docs/README.md index 218f650..6dea7c8 100644 --- a/docs/README.md +++ b/docs/README.md @@ -582,6 +582,7 @@ If no matching certificate is found for a given virtual host, nginx-proxy will: - configure nginx to use the default certificate (`default.crt` with `default.key`) and return a 500 error for HTTPS, - force enable HTTP; i.e. `HTTPS_METHOD` will switch to `noredirect` if it was set to `nohttp` or `redirect`. + If this switch to HTTP is not wanted set `ENABLE_HTTP_ON_MISSING_CERT=false` (default is `true`). If the default certificate is also missing, nginx-proxy will configure nginx to accept HTTPS connections but fail the TLS negotiation. Client browsers will render a TLS error page. As of March 2023, web browsers display the following error messages: diff --git a/nginx.tmpl b/nginx.tmpl index 8512379..a7f4a0c 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -590,8 +590,9 @@ proxy_set_header Proxy ""; {{- $default := eq $globals.Env.DEFAULT_HOST $hostname }} {{- $https_method := or (first (groupByKeys $vhost_containers "Env.HTTPS_METHOD")) $globals.Env.HTTPS_METHOD "redirect" }} + {{- $enable_http_on_missing_cert := parseBool (or (first (groupByKeys $vhost_containers "Env.ENABLE_HTTP_ON_MISSING_CERT")) $globals.Env.ENABLE_HTTP_ON_MISSING_CERT "true") }} {{- /* When the certificate is missing we want to ensure that HTTP is enabled; hence switching from 'nohttp' or 'redirect' to 'noredirect' */}} - {{- if (and (not $cert_ok) (or (eq $https_method "nohttp") (eq $https_method "redirect"))) }} + {{- if (and $enable_http_on_missing_cert (not $cert_ok) (or (eq $https_method "nohttp") (eq $https_method "redirect"))) }} {{- $https_method = "noredirect" }} {{- end }} {{- $http2_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable"))) $globals.Env.ENABLE_HTTP2 "true")}} diff --git a/test/test_enable_http_on_missing_cert.py b/test/test_enable_http_on_missing_cert.py new file mode 100644 index 0000000..cdedc8a --- /dev/null +++ b/test/test_enable_http_on_missing_cert.py @@ -0,0 +1,18 @@ +import pytest + + +def test_nohttp_missing_cert_disabled(docker_compose, nginxproxy): + r = nginxproxy.get("http://nohttp-missing-cert-disabled.nginx-proxy.tld/", allow_redirects=False) + assert r.status_code == 503 + +def test_nohttp_missing_cert_enabled(docker_compose, nginxproxy): + r = nginxproxy.get("http://nohttp-missing-cert-enabled.nginx-proxy.tld/", allow_redirects=False) + assert r.status_code == 200 + +def test_redirect_missing_cert_disabled(docker_compose, nginxproxy): + r = nginxproxy.get("http://redirect-missing-cert-disabled.nginx-proxy.tld/", allow_redirects=False) + assert r.status_code == 301 + +def test_redirect_missing_cert_enabled(docker_compose, nginxproxy): + r = nginxproxy.get("http://redirect-missing-cert-enabled.nginx-proxy.tld/", allow_redirects=False) + assert r.status_code == 200 diff --git a/test/test_enable_http_on_missing_cert.yml b/test/test_enable_http_on_missing_cert.yml new file mode 100644 index 0000000..1149ef7 --- /dev/null +++ b/test/test_enable_http_on_missing_cert.yml @@ -0,0 +1,46 @@ +version: "2" + +services: + sut: + image: nginxproxy/nginx-proxy:test + volumes: + - /var/run/docker.sock:/tmp/docker.sock:ro + - ./withdefault.certs:/etc/nginx/certs:ro + environment: + ENABLE_HTTP_ON_MISSING_CERT: "false" + + nohttp-missing-cert-disabled: + image: web + expose: + - "81" + environment: + WEB_PORTS: "81" + VIRTUAL_HOST: nohttp-missing-cert-disabled.nginx-proxy.tld + HTTPS_METHOD: nohttp + + nohttp-missing-cert-enabled: + image: web + expose: + - "82" + environment: + WEB_PORTS: "82" + VIRTUAL_HOST: nohttp-missing-cert-enabled.nginx-proxy.tld + HTTPS_METHOD: nohttp + ENABLE_HTTP_ON_MISSING_CERT: "true" + + redirect-missing-cert-disabled: + image: web + expose: + - "83" + environment: + WEB_PORTS: "83" + VIRTUAL_HOST: redirect-missing-cert-disabled.nginx-proxy.tld + + redirect-missing-cert-enabled: + image: web + expose: + - "84" + environment: + WEB_PORTS: "84" + VIRTUAL_HOST: redirect-missing-cert-enabled.nginx-proxy.tld + ENABLE_HTTP_ON_MISSING_CERT: "true"