mirror of
https://github.com/nginx-proxy/nginx-proxy
synced 2024-11-08 15:59:17 +01:00
Merge pull request #2473 from nginx-proxy/enable-acme-challenge
feat: enable acme challenge location handling by default
This commit is contained in:
commit
9506e60f43
@ -421,10 +421,11 @@ If you are running the container in a virtualized environment (Hyper-V, VirtualB
|
|||||||
|
|
||||||
[acme-companion](https://github.com/nginx-proxy/acme-companion) is a lightweight companion container for the nginx-proxy. It allows the automated creation/renewal of SSL certificates using the ACME protocol.
|
[acme-companion](https://github.com/nginx-proxy/acme-companion) is a lightweight companion container for the nginx-proxy. It allows the automated creation/renewal of SSL certificates using the ACME protocol.
|
||||||
|
|
||||||
By default nginx-proxy generates location blocks to handle ACME HTTP Challenge, excepted when `HTTPS_METHOD=noredirect` or there is no certificate for the domain. Ths behavior can be changed with environment variable `ACME_HTTP_CHALLENGE_LOCATION`. It accepts these values:
|
By default nginx-proxy generates location blocks to handle ACME HTTP Challenge. This behavior can be changed with environment variable `ACME_HTTP_CHALLENGE_LOCATION`. It accepts these values:
|
||||||
* `legacy`: default value; current default behavior
|
|
||||||
* `true`: handle ACME HTTP Challenge in all cases
|
- `true`: default behavior, handle ACME HTTP Challenge in all cases.
|
||||||
* `false`: do not handle ACME HTTP Challenge at all.
|
- `false`: do not handle ACME HTTP Challenge at all.
|
||||||
|
- `legacy`: legacy behavior for compatibility with older (<= `2.3`) versions of acme-companion, only handle ACME HTTP challenge when there is a certificate for the domain and `HTTPS_METHOD=redirect`.
|
||||||
|
|
||||||
### Diffie-Hellman Groups
|
### Diffie-Hellman Groups
|
||||||
|
|
||||||
@ -578,8 +579,9 @@ _WARNING_: HSTS will force your users to visit the HTTPS version of your site fo
|
|||||||
### Missing Certificate
|
### Missing Certificate
|
||||||
|
|
||||||
If no matching certificate is found for a given virtual host, nginx-proxy will:
|
If no matching certificate is found for a given virtual host, nginx-proxy will:
|
||||||
* configure nginx to use the default certificate (`default.crt` with `default.key`) and return a 500 error for HTTPS,
|
|
||||||
* force enable HTTP; i.e. `HTTPS_METHOD` will switch to `noredirect` if it was set to `nohttp` or `redirect`.
|
- configure nginx to use the default certificate (`default.crt` with `default.key`) and return a 500 error for HTTPS,
|
||||||
|
- force enable HTTP; i.e. `HTTPS_METHOD` will switch to `noredirect` if it was set to `nohttp` or `redirect`.
|
||||||
|
|
||||||
If the default certificate is also missing, nginx-proxy will configure nginx to accept HTTPS connections but fail the TLS negotiation. Client browsers will render a TLS error page. As of March 2023, web browsers display the following error messages:
|
If the default certificate is also missing, nginx-proxy will configure nginx to accept HTTPS connections but fail the TLS negotiation. Client browsers will render a TLS error page. As of March 2023, web browsers display the following error messages:
|
||||||
|
|
||||||
|
@ -596,7 +596,7 @@ proxy_set_header Proxy "";
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
{{- $http2_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable"))) $globals.Env.ENABLE_HTTP2 "true")}}
|
{{- $http2_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable"))) $globals.Env.ENABLE_HTTP2 "true")}}
|
||||||
{{- $http3_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}}
|
{{- $http3_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}}
|
||||||
{{- $acme_http_challenge := or (first (groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION")) $globals.Env.ACME_HTTP_CHALLENGE_LOCATION "legacy" }}
|
{{- $acme_http_challenge := or (first (groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION")) $globals.Env.ACME_HTTP_CHALLENGE_LOCATION "true" }}
|
||||||
{{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }}
|
{{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }}
|
||||||
{{- $acme_http_challenge_enabled := false }}
|
{{- $acme_http_challenge_enabled := false }}
|
||||||
{{- if (not $acme_http_challenge_legacy) }}
|
{{- if (not $acme_http_challenge_legacy) }}
|
||||||
|
@ -39,8 +39,6 @@ services:
|
|||||||
|
|
||||||
sut:
|
sut:
|
||||||
image: nginxproxy/nginx-proxy:test
|
image: nginxproxy/nginx-proxy:test
|
||||||
environment:
|
|
||||||
ACME_HTTP_CHALLENGE_LOCATION: "true"
|
|
||||||
volumes:
|
volumes:
|
||||||
- /var/run/docker.sock:/tmp/docker.sock:ro
|
- /var/run/docker.sock:/tmp/docker.sock:ro
|
||||||
- ./certs:/etc/nginx/certs:ro
|
- ./certs:/etc/nginx/certs:ro
|
@ -20,6 +20,8 @@ services:
|
|||||||
|
|
||||||
sut:
|
sut:
|
||||||
image: nginxproxy/nginx-proxy:test
|
image: nginxproxy/nginx-proxy:test
|
||||||
|
environment:
|
||||||
|
ACME_HTTP_CHALLENGE_LOCATION: "legacy"
|
||||||
volumes:
|
volumes:
|
||||||
- /var/run/docker.sock:/tmp/docker.sock:ro
|
- /var/run/docker.sock:/tmp/docker.sock:ro
|
||||||
- ./certs:/etc/nginx/certs:ro
|
- ./certs:/etc/nginx/certs:ro
|
@ -19,9 +19,9 @@ def test_web2_HSTS_policy_is_inactive(docker_compose, nginxproxy):
|
|||||||
assert "Strict-Transport-Security" not in r.headers
|
assert "Strict-Transport-Security" not in r.headers
|
||||||
|
|
||||||
|
|
||||||
def test_web3_acme_challenge_does_not_work(docker_compose, nginxproxy, acme_challenge_path):
|
def test_web3_acme_challenge_does_work(docker_compose, nginxproxy, acme_challenge_path):
|
||||||
r = nginxproxy.get(
|
r = nginxproxy.get(
|
||||||
f"http://web3.nginx-proxy.tld/{acme_challenge_path}",
|
f"http://web3.nginx-proxy.tld/{acme_challenge_path}",
|
||||||
allow_redirects=False
|
allow_redirects=False
|
||||||
)
|
)
|
||||||
assert r.status_code == 404
|
assert r.status_code == 200
|
||||||
|
Loading…
Reference in New Issue
Block a user