From 4bd542de99e05de3195b652be06f3854ea19262f Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Wed, 5 Jun 2024 08:23:55 +0200 Subject: [PATCH 1/3] feat: handle acme challenge location by default --- docs/README.md | 9 +++++---- nginx.tmpl | 2 +- ...> test_acme_challenge_location_enabled_is_default.py} | 0 ... test_acme_challenge_location_enabled_is_default.yml} | 2 -- ...default.py => test_acme_challenge_location_legacy.py} | 0 ...fault.yml => test_acme_challenge_location_legacy.yml} | 2 ++ test/test_ssl/test_noredirect.py | 4 ++-- 7 files changed, 10 insertions(+), 9 deletions(-) rename test/test_acme_http_challenge_location/{test_acme_challenge_location_enabled.py => test_acme_challenge_location_enabled_is_default.py} (100%) rename test/test_acme_http_challenge_location/{test_acme_challenge_location_enabled.yml => test_acme_challenge_location_enabled_is_default.yml} (93%) rename test/test_acme_http_challenge_location/{test_acme_challenge_location_legacy_is_default.py => test_acme_challenge_location_legacy.py} (100%) rename test/test_acme_http_challenge_location/{test_acme_challenge_location_legacy_is_default.yml => test_acme_challenge_location_legacy.yml} (89%) diff --git a/docs/README.md b/docs/README.md index d1aa75b..33a33ae 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -421,10 +421,11 @@ If you are running the container in a virtualized environment (Hyper-V, VirtualB [acme-companion](https://github.com/nginx-proxy/acme-companion) is a lightweight companion container for the nginx-proxy. It allows the automated creation/renewal of SSL certificates using the ACME protocol. -By default nginx-proxy generates location blocks to handle ACME HTTP Challenge, excepted when `HTTPS_METHOD=noredirect` or there is no certificate for the domain. Ths behavior can be changed with environment variable `ACME_HTTP_CHALLENGE_LOCATION`. It accepts these values: -* `legacy`: default value; current default behavior -* `true`: handle ACME HTTP Challenge in all cases -* `false`: do not handle ACME HTTP Challenge at all. +By default nginx-proxy generates location blocks to handle ACME HTTP Challenge. Ths behavior can be changed with environment variable `ACME_HTTP_CHALLENGE_LOCATION`. It accepts these values: + +- `true`: default behavior, handle ACME HTTP Challenge in all cases. +- `false`: do not handle ACME HTTP Challenge at all. +- `legacy`: legacy behavior for compatibility with older (<= `2.3`) versions of acme-companion, only handle ACME HTTP challenge when there is a certificate for the domain and `HTTPS_METHOD=redirect`. ### Diffie-Hellman Groups diff --git a/nginx.tmpl b/nginx.tmpl index 4fd6110..8512379 100644 --- a/nginx.tmpl +++ b/nginx.tmpl 
@@ -596,7 +596,7 @@ proxy_set_header Proxy "";
 {{- end }}
 {{- $http2_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable"))) $globals.Env.ENABLE_HTTP2 "true")}}
 {{- $http3_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}}
- {{- $acme_http_challenge := or (first (groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION")) $globals.Env.ACME_HTTP_CHALLENGE_LOCATION "legacy" }}
+ {{- $acme_http_challenge := or (first (groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION")) $globals.Env.ACME_HTTP_CHALLENGE_LOCATION "true" }}
 {{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }}
 {{- $acme_http_challenge_enabled := false }}
 {{- if (not $acme_http_challenge_legacy) }}
diff --git a/test/test_acme_http_challenge_location/test_acme_challenge_location_enabled.py b/test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.py
similarity index 100%
rename from test/test_acme_http_challenge_location/test_acme_challenge_location_enabled.py
rename to test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.py
diff --git a/test/test_acme_http_challenge_location/test_acme_challenge_location_enabled.yml b/test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.yml
similarity index 93%
rename from test/test_acme_http_challenge_location/test_acme_challenge_location_enabled.yml
rename to test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.yml
index 4d211fc..41439e3 100644
--- a/test/test_acme_http_challenge_location/test_acme_challenge_location_enabled.yml
+++ b/test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.yml
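Review bot: The value of `$acme_http_challenge` is never validated in this hunk — the only comparison is `eq $acme_http_challenge "legacy"`, so with the new `"true"` default any other string (a typo such as `"ture"`, or `"yes"`) falls into the `not $acme_http_challenge_legacy` branch, and whether that branch then enables or disables the challenge location depends on code below the hunk that is not visible here. Since this commit makes the location active for every vhost by default, including those without a certificate and with `HTTPS_METHOD=noredirect`, an unrecognised value silently picking one side is worth guarding against, e.g. by documenting and enforcing the three accepted values at this assignment. At minimum a template comment above the line would record the contract that currently lives only in the README: `{{- /* ACME_HTTP_CHALLENGE_LOCATION: "true" (default) always emits the ACME HTTP challenge location, "false" never does, "legacy" only when a certificate exists and HTTPS_METHOD=redirect (acme-companion <= 2.3) */ -}}`. The per-container `Env.ACME_HTTP_CHALLENGE_LOCATION` wins over the global one via `or`, which is also undocumented at this point. The enclosing range/if block starts and ends outside the hunk.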
@@ -39,8 +39,6 @@ services: sut: image: nginxproxy/nginx-proxy:test - environment: - ACME_HTTP_CHALLENGE_LOCATION: "true" volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./certs:/etc/nginx/certs:ro diff --git a/test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.py b/test/test_acme_http_challenge_location/test_acme_challenge_location_legacy.py similarity index 100% rename from test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.py rename to test/test_acme_http_challenge_location/test_acme_challenge_location_legacy.py diff --git a/test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.yml b/test/test_acme_http_challenge_location/test_acme_challenge_location_legacy.yml similarity index 89% rename from test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.yml rename to test/test_acme_http_challenge_location/test_acme_challenge_location_legacy.yml index d29efbd..693f9e0 100644 --- a/test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.yml +++ b/test/test_acme_http_challenge_location/test_acme_challenge_location_legacy.yml @@ -20,6 +20,8 @@ services: sut: image: nginxproxy/nginx-proxy:test + environment: + ACME_HTTP_CHALLENGE_LOCATION: "legacy" volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./certs:/etc/nginx/certs:ro diff --git a/test/test_ssl/test_noredirect.py b/test/test_ssl/test_noredirect.py index 0f50063..1d956d1 100644 --- a/test/test_ssl/test_noredirect.py +++ b/test/test_ssl/test_noredirect.py 
@@ -19,9 +19,9 @@ def test_web2_HSTS_policy_is_inactive(docker_compose, nginxproxy): assert "Strict-Transport-Security" not in r.headers -def test_web3_acme_challenge_does_not_work(docker_compose, nginxproxy, acme_challenge_path): +def test_web3_acme_challenge_does_work(docker_compose, nginxproxy, acme_challenge_path): r = nginxproxy.get( f"http://web3.nginx-proxy.tld/{acme_challenge_path}", allow_redirects=False ) - assert r.status_code == 404 + assert r.status_code == 200 From 714fa25704a680e9e6aabb54d867a47f9f717a40 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Wed, 5 Jun 2024 08:47:39 +0200 Subject: [PATCH 2/3] style: docs linting --- docs/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/README.md b/docs/README.md index 33a33ae..eb27d77 100644 --- a/docs/README.md +++ b/docs/README.md @@ -579,8 +579,9 @@ _WARNING_: HSTS will force your users to visit the HTTPS version of your site fo ### Missing Certificate If no matching certificate is found for a given virtual host, nginx-proxy will: -* configure nginx to use the default certificate (`default.crt` with `default.key`) and return a 500 error for HTTPS, -* force enable HTTP; i.e. `HTTPS_METHOD` will switch to `noredirect` if it was set to `nohttp` or `redirect`. + +- configure nginx to use the default certificate (`default.crt` with `default.key`) and return a 500 error for HTTPS, +- force enable HTTP; i.e. `HTTPS_METHOD` will switch to `noredirect` if it was set to `nohttp` or `redirect`. If the default certificate is also missing, nginx-proxy will configure nginx to accept HTTPS connections but fail the TLS negotiation. Client browsers will render a TLS error page. As of March 2023, web browsers display the following error messages: From cea905ff884d5b51294cc4fce48ee120c7f6d129 Mon Sep 17 00:00:00 2001 
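Review bot: The renamed test asserts only `r.status_code == 200` for `web3.nginx-proxy.tld/{acme_challenge_path}` over plain HTTP, which does not distinguish the ACME challenge location answering from the proxied web3 backend answering 200 for the same path; if the fixture returns a known body for the challenge path, asserting on the body as well would pin the intended behaviour. The new name `test_web3_acme_challenge_does_work` also drops the reason the old 404 expectation was valid, so a docstring would help the next reader: `"""With HTTPS_METHOD=noredirect the ACME HTTP challenge location is still served, because ACME_HTTP_CHALLENGE_LOCATION now defaults to true."""`. Whether a `legacy`/`false` counterpart under noredirect exists elsewhere in the suite is not visible from this patch.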
From: Nicolas Duchon Date: Wed, 5 Jun 2024 15:55:49 +0200 Subject: [PATCH 3/3] docs: typo Co-authored-by: Niek <100143256+SchoNie@users.noreply.github.com> --- docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/README.md b/docs/README.md index eb27d77..218f650 100644 --- a/docs/README.md +++ b/docs/README.md @@ -421,7 +421,7 @@ If you are running the container in a virtualized environment (Hyper-V, VirtualB [acme-companion](https://github.com/nginx-proxy/acme-companion) is a lightweight companion container for the nginx-proxy. It allows the automated creation/renewal of SSL certificates using the ACME protocol. -By default nginx-proxy generates location blocks to handle ACME HTTP Challenge. Ths behavior can be changed with environment variable `ACME_HTTP_CHALLENGE_LOCATION`. It accepts these values: +By default nginx-proxy generates location blocks to handle ACME HTTP Challenge. This behavior can be changed with environment variable `ACME_HTTP_CHALLENGE_LOCATION`. It accepts these values: - `true`: default behavior, handle ACME HTTP Challenge in all cases. - `false`: do not handle ACME HTTP Challenge at all.