mirror of
https://github.com/nginx-proxy/nginx-proxy
synced 2024-11-08 15:59:17 +01:00
feat: variable ACME_HTTP_CHALLENGE_LOCATION (#2468)
Values: * `legacy` (default): generate location blocks for ACME HTP Challenge excepted when `HTTPS_METHOD=noredirect` or there is no certificate for the domain * `true`: generate location blocks for ACME HTP Challenge in all cases * `false`: do not generate location blocks for ACME HTP Challenge This feature is currently needed because acme-companion may generate the HTTP Challenge configuration while it was done already by nginx-proxy (see #2465#issuecomment-2136361373). Also sometimes a hardcoded ACME challenge location is not wanted because the challenge validation is not done with acme-companion / Let's Encrypt, and with a challenge location setup differently.
This commit is contained in:
parent
e904471cd3
commit
9cf736f1f8
@ -421,6 +421,11 @@ If you are running the container in a virtualized environment (Hyper-V, VirtualB
|
||||
|
||||
[acme-companion](https://github.com/nginx-proxy/acme-companion) is a lightweight companion container for the nginx-proxy. It allows the automated creation/renewal of SSL certificates using the ACME protocol.
|
||||
|
||||
By default nginx-proxy generates location blocks to handle ACME HTTP Challenge, excepted when `HTTPS_METHOD=noredirect` or there is no certificate for the domain. Ths behavior can be changed with environment variable `ACME_HTTP_CHALLENGE_LOCATION`. It accepts these values:
|
||||
* `legacy`: default value; current default behavior
|
||||
* `true`: handle ACME HTTP Challenge in all cases
|
||||
* `false`: do not handle ACME HTTP Chalenge at all.
|
||||
|
||||
### Diffie-Hellman Groups
|
||||
|
||||
[RFC7919 groups](https://datatracker.ietf.org/doc/html/rfc7919#appendix-A) with key lengths of 2048, 3072, and 4096 bits are [provided by `nginx-proxy`](https://github.com/nginx-proxy/nginx-proxy/dhparam). The ENV `DHPARAM_BITS` can be set to `2048` or `3072` to change from the default 4096-bit key. The DH key file will be located in the container at `/etc/nginx/dhparam/dhparam.pem`. Mounting a different `dhparam.pem` file at that location will override the RFC7919 key.
|
||||
|
12
nginx.tmpl
12
nginx.tmpl
@ -596,6 +596,12 @@ proxy_set_header Proxy "";
|
||||
{{- end }}
|
||||
{{- $http2_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable"))) $globals.Env.ENABLE_HTTP2 "true")}}
|
||||
{{- $http3_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}}
|
||||
{{- $acme_http_challenge := or (first (groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION")) $globals.Env.ACME_HTTP_CHALLENGE_LOCATION "legacy" }}
|
||||
{{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }}
|
||||
{{- $acme_http_challenge_enabled := false }}
|
||||
{{- if (not $acme_http_challenge_legacy) }}
|
||||
{{- $acme_http_challenge_enabled = parseBool $acme_http_challenge }}
|
||||
{{- end }}
|
||||
|
||||
{{- /* Get the SERVER_TOKENS defined by containers w/ the same vhost, falling back to "". */}}
|
||||
{{- $server_tokens := trim (or (first (groupByKeys $vhost_containers "Env.SERVER_TOKENS")) "") }}
|
||||
@ -617,6 +623,8 @@ proxy_set_header Proxy "";
|
||||
"https_method" $https_method
|
||||
"http2_enabled" $http2_enabled
|
||||
"http3_enabled" $http3_enabled
|
||||
"acme_http_challenge_legacy" $acme_http_challenge_legacy
|
||||
"acme_http_challenge_enabled" $acme_http_challenge_enabled
|
||||
"server_tokens" $server_tokens
|
||||
"ssl_policy" $ssl_policy
|
||||
"vhost_root" $vhost_root
|
||||
@ -741,6 +749,7 @@ server {
|
||||
listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
|
||||
{{- end }}
|
||||
|
||||
{{- if (or $vhost.acme_http_challenge_legacy $vhost.acme_http_challenge_enabled) }}
|
||||
# Do not HTTPS redirect Let's Encrypt ACME challenge
|
||||
location ^~ /.well-known/acme-challenge/ {
|
||||
auth_basic off;
|
||||
@ -750,6 +759,7 @@ server {
|
||||
try_files $uri =404;
|
||||
break;
|
||||
}
|
||||
{{- end }}
|
||||
|
||||
location / {
|
||||
{{- if eq $globals.external_https_port "443" }}
|
||||
@ -776,7 +786,7 @@ server {
|
||||
listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
|
||||
{{- end }}
|
||||
|
||||
{{- if (eq $vhost.https_method "noredirect") }}
|
||||
{{- if (and (eq $vhost.https_method "noredirect") $vhost.acme_http_challenge_enabled) }}
|
||||
location /.well-known/acme-challenge/ {
|
||||
auth_basic off;
|
||||
allow all;
|
||||
|
1
test/test_acme_http_challenge_location/acme_root/.well-known/acme-challenge/test-filename
Normal file
1
test/test_acme_http_challenge_location/acme_root/.well-known/acme-challenge/test-filename
Normal file
@ -0,0 +1 @@
|
||||
challenge-teststring
|
@ -0,0 +1,70 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 4096 (0x1000)
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
Issuer: O=nginx-proxy test suite, CN=www.nginx-proxy.tld
|
||||
Validity
|
||||
Not Before: Jan 10 00:08:52 2017 GMT
|
||||
Not After : May 28 00:08:52 2044 GMT
|
||||
Subject: CN=*.nginx-proxy.tld
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
Public-Key: (2048 bit)
|
||||
Modulus:
|
||||
00:cb:45:f4:14:9b:fe:64:85:79:4a:36:8d:3d:d1:
|
||||
27:d0:7c:36:28:30:e6:73:80:6f:7c:49:23:d0:6c:
|
||||
17:e4:44:c0:77:4d:9a:c2:bc:24:84:e3:a5:4d:ba:
|
||||
d2:da:51:7b:a1:2a:12:d4:c0:19:55:69:2c:22:27:
|
||||
2d:1a:f6:fc:4b:7f:e9:cb:a8:3c:e8:69:b8:d2:4f:
|
||||
de:4e:50:e2:d0:74:30:7c:42:5a:ae:aa:85:a5:b1:
|
||||
71:4d:c9:7e:86:8b:62:8c:3e:0d:e3:3b:c3:f5:81:
|
||||
0b:8c:68:79:fe:bf:10:fb:ae:ec:11:49:6d:64:5e:
|
||||
1a:7d:b3:92:93:4e:96:19:3a:98:04:a7:66:b2:74:
|
||||
61:2d:41:13:0c:a4:54:0d:2c:78:fd:b4:a3:e8:37:
|
||||
78:9a:de:fa:bc:2e:a8:0f:67:14:58:ce:c3:87:d5:
|
||||
14:0e:8b:29:7d:48:19:b2:a9:f5:b4:e8:af:32:21:
|
||||
67:15:7e:43:52:8b:20:cf:9f:38:43:bf:fd:c8:24:
|
||||
7f:52:a3:88:f2:f1:4a:14:91:2a:6e:91:6f:fb:7d:
|
||||
6a:78:c6:6d:2e:dd:1e:4c:2b:63:bb:3a:43:9c:91:
|
||||
f9:df:d3:08:13:63:86:7d:ce:e8:46:cf:f1:6c:1f:
|
||||
ca:f7:4c:de:d8:4b:e0:da:bc:06:d9:87:0f:ff:96:
|
||||
45:85
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Subject Alternative Name:
|
||||
DNS:*.nginx-proxy.tld
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
6e:a5:0e:e4:d3:cc:d5:b7:fc:34:75:89:4e:98:8c:e7:08:06:
|
||||
a8:5b:ec:13:7d:83:99:a2:61:b8:d5:12:6e:c5:b4:53:4e:9a:
|
||||
22:cd:ad:14:30:6a:7d:58:d7:23:d9:a4:2a:96:a0:40:9e:50:
|
||||
9f:ce:f2:fe:8c:dd:9a:ac:99:39:5b:89:2d:ca:e5:3e:c3:bc:
|
||||
03:04:1c:12:d9:6e:b8:9f:f0:3a:be:12:44:7e:a4:21:86:73:
|
||||
af:d5:00:51:3f:2c:56:70:34:8f:26:b0:7f:b0:cf:cf:7f:f9:
|
||||
40:6f:00:29:c4:cf:c3:b7:c2:49:3d:3f:b0:26:78:87:b9:c7:
|
||||
6c:1b:aa:6a:1a:dd:c5:eb:f2:69:ba:6d:46:0b:92:49:b5:11:
|
||||
3c:eb:48:c7:2f:fb:33:a6:6a:82:a2:ab:f8:1e:5f:7d:e3:b7:
|
||||
f2:fd:f5:88:a5:09:4d:a0:bc:f4:3b:cd:d2:8b:d7:57:1f:86:
|
||||
3b:d2:3e:a4:92:21:b0:02:0b:e9:e0:c4:1c:f1:78:e2:58:a7:
|
||||
26:5f:4c:29:c8:23:f0:6e:12:3f:bd:ad:44:7b:0b:bd:db:ba:
|
||||
63:8d:07:c6:9d:dc:46:cc:63:40:ba:5e:45:82:dd:9a:e5:50:
|
||||
e8:e7:d7:27:88:fc:6f:1d:8a:e7:5c:49:28:aa:10:29:75:28:
|
||||
c7:52:de:f9
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIC9zCCAd+gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwPzEfMB0GA1UECgwWbmdp
|
||||
bngtcHJveHkgdGVzdCBzdWl0ZTEcMBoGA1UEAwwTd3d3Lm5naW54LXByb3h5LnRs
|
||||
ZDAeFw0xNzAxMTAwMDA4NTJaFw00NDA1MjgwMDA4NTJaMBwxGjAYBgNVBAMMESou
|
||||
bmdpbngtcHJveHkudGxkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
|
||||
y0X0FJv+ZIV5SjaNPdEn0Hw2KDDmc4BvfEkj0GwX5ETAd02awrwkhOOlTbrS2lF7
|
||||
oSoS1MAZVWksIictGvb8S3/py6g86Gm40k/eTlDi0HQwfEJarqqFpbFxTcl+hoti
|
||||
jD4N4zvD9YELjGh5/r8Q+67sEUltZF4afbOSk06WGTqYBKdmsnRhLUETDKRUDSx4
|
||||
/bSj6Dd4mt76vC6oD2cUWM7Dh9UUDospfUgZsqn1tOivMiFnFX5DUosgz584Q7/9
|
||||
yCR/UqOI8vFKFJEqbpFv+31qeMZtLt0eTCtjuzpDnJH539MIE2OGfc7oRs/xbB/K
|
||||
90ze2Evg2rwG2YcP/5ZFhQIDAQABoyAwHjAcBgNVHREEFTATghEqLm5naW54LXBy
|
||||
b3h5LnRsZDANBgkqhkiG9w0BAQsFAAOCAQEAbqUO5NPM1bf8NHWJTpiM5wgGqFvs
|
||||
E32DmaJhuNUSbsW0U06aIs2tFDBqfVjXI9mkKpagQJ5Qn87y/ozdmqyZOVuJLcrl
|
||||
PsO8AwQcEtluuJ/wOr4SRH6kIYZzr9UAUT8sVnA0jyawf7DPz3/5QG8AKcTPw7fC
|
||||
ST0/sCZ4h7nHbBuqahrdxevyabptRguSSbURPOtIxy/7M6ZqgqKr+B5ffeO38v31
|
||||
iKUJTaC89DvN0ovXVx+GO9I+pJIhsAIL6eDEHPF44linJl9MKcgj8G4SP72tRHsL
|
||||
vdu6Y40Hxp3cRsxjQLpeRYLdmuVQ6OfXJ4j8bx2K51xJKKoQKXUox1Le+Q==
|
||||
-----END CERTIFICATE-----
|
@ -0,0 +1,27 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEowIBAAKCAQEAy0X0FJv+ZIV5SjaNPdEn0Hw2KDDmc4BvfEkj0GwX5ETAd02a
|
||||
wrwkhOOlTbrS2lF7oSoS1MAZVWksIictGvb8S3/py6g86Gm40k/eTlDi0HQwfEJa
|
||||
rqqFpbFxTcl+hotijD4N4zvD9YELjGh5/r8Q+67sEUltZF4afbOSk06WGTqYBKdm
|
||||
snRhLUETDKRUDSx4/bSj6Dd4mt76vC6oD2cUWM7Dh9UUDospfUgZsqn1tOivMiFn
|
||||
FX5DUosgz584Q7/9yCR/UqOI8vFKFJEqbpFv+31qeMZtLt0eTCtjuzpDnJH539MI
|
||||
E2OGfc7oRs/xbB/K90ze2Evg2rwG2YcP/5ZFhQIDAQABAoIBAQCjAro2PNLJMfCO
|
||||
fyjNRgmzu6iCmpR0U68T8GN0JPsT576g7e8J828l0pkhuIyW33lRSThIvLSUNf9a
|
||||
dChL032H3lBTLduKVh4NKleQXnVFzaeEPoISSFVdButiAhAhPW4OIUVp0OfY3V+x
|
||||
fac3j2nDLAfL5SKAtqZv363Py9m66EBYm5BmGTQqT/frQWeCEBvlErQef5RIaU8p
|
||||
e2zMWgSNNojVai8U3nKNRvYHWeWXM6Ck7lCvkHhMF+RpbmCZuqhbEARVnehU/Jdn
|
||||
QHJ3nxeA2OWpoWKXvAHtSnno49yxq1UIstiQvY+ng5C5i56UlB60UiU2NJ6doZkB
|
||||
uQ7/1MaBAoGBAORdcFtgdgRALjXngFWhpCp0CseyUehn1KhxDCG+D1pJ142/ymcf
|
||||
oJOzKJPMRNDdDUBMnR1GBfy7rmwvYevI/SMNy2Qs7ofcXPbdtwwvTCToZ1V9/54k
|
||||
VfuPBFT+3QzWRvG1tjTV3E4L2VV3nrl2qNPhE5DlfIaU3nQq5Fl0HprJAoGBAOPf
|
||||
MWOTGev61CdODO5KN3pLAoamiPs5lEUlz3kM3L1Q52YLITxNDjRj9hWBUATJZOS2
|
||||
pLOoYRwmhD7vrnimMc41+NuuFX+4T7hWPc8uSuOxX0VijYtULyNRK57mncG1Fq9M
|
||||
RMLbOJ7FD+8jdXNsSMqpQ+pxLJRX/A10O2fOQnbdAoGAL5hV4YWSM0KZHvz332EI
|
||||
ER0MXiCJN7HkPZMKH0I4eu3m8hEmAyYxVndBnsQ1F37q0xrkqAQ/HTSUntGlS/og
|
||||
4Bxw5pkCwegoq/77tpto+ExDtSrEitYx4XMmSPyxX4qNULU5m3tzJgUML+b1etwD
|
||||
Rd2kMU/TC02dq4KBAy/TbRkCgYAl1xN5iJz+XenLGR/2liZ+TWR+/bqzlU006mF4
|
||||
pZUmbv/uJxz+yYD5XDwqOA4UrWjuvhG9r9FoflDprp2XdWnB556KxG7XhcDfSJr9
|
||||
A5/2DadXe1Ur9O/a+oi2228JEsxQkea9QPA3FVxfBtFjOHEiDlez39VaUP4PMeUH
|
||||
iO3qlQKBgFQhdTb7HeYnApYIDHLmd1PvjRvp8XKR1CpEN0nkw8HpHcT1q1MUjQCr
|
||||
iT6FQupULEvGmO3frQsgVeRIQDbEdZK3C5xCtn6qOw70sYATVf361BbTtidmU9yV
|
||||
THFxwDSVLiVZgFryoY/NtAc27sVdJnGsPRjjaeVgALAsLbmZ1K/H
|
||||
-----END RSA PRIVATE KEY-----
|
@ -0,0 +1,30 @@
|
||||
import pytest
|
||||
|
||||
|
||||
def test_redirect_acme_challenge_location_disabled(docker_compose, nginxproxy, acme_challenge_path):
|
||||
r = nginxproxy.get(
|
||||
f"http://web1.nginx-proxy.tld/{acme_challenge_path}",
|
||||
allow_redirects=False
|
||||
)
|
||||
assert r.status_code == 301
|
||||
|
||||
def test_redirect_acme_challenge_location_enabled(docker_compose, nginxproxy, acme_challenge_path):
|
||||
r = nginxproxy.get(
|
||||
f"http://web2.nginx-proxy.tld/{acme_challenge_path}",
|
||||
allow_redirects=False
|
||||
)
|
||||
assert r.status_code == 200
|
||||
|
||||
def test_noderirect_acme_challenge_location_disabled(docker_compose, nginxproxy, acme_challenge_path):
|
||||
r = nginxproxy.get(
|
||||
f"http://web3.nginx-proxy.tld/{acme_challenge_path}",
|
||||
allow_redirects=False
|
||||
)
|
||||
assert r.status_code == 404
|
||||
|
||||
def test_noderirect_acme_challenge_location_enabled(docker_compose, nginxproxy, acme_challenge_path):
|
||||
r = nginxproxy.get(
|
||||
f"http://web4.nginx-proxy.tld/{acme_challenge_path}",
|
||||
allow_redirects=False
|
||||
)
|
||||
assert r.status_code == 200
|
@ -0,0 +1,47 @@
|
||||
version: "2"
|
||||
|
||||
services:
|
||||
web1:
|
||||
image: web
|
||||
expose:
|
||||
- "81"
|
||||
environment:
|
||||
WEB_PORTS: "81"
|
||||
VIRTUAL_HOST: "web1.nginx-proxy.tld"
|
||||
|
||||
web2:
|
||||
image: web
|
||||
expose:
|
||||
- "82"
|
||||
environment:
|
||||
WEB_PORTS: "82"
|
||||
VIRTUAL_HOST: "web2.nginx-proxy.tld"
|
||||
ACME_HTTP_CHALLENGE_LOCATION: "true"
|
||||
|
||||
web3:
|
||||
image: web
|
||||
expose:
|
||||
- "83"
|
||||
environment:
|
||||
WEB_PORTS: "83"
|
||||
VIRTUAL_HOST: "web3.nginx-proxy.tld"
|
||||
HTTPS_METHOD: noredirect
|
||||
|
||||
web4:
|
||||
image: web
|
||||
expose:
|
||||
- "84"
|
||||
environment:
|
||||
WEB_PORTS: "84"
|
||||
VIRTUAL_HOST: "web4.nginx-proxy.tld"
|
||||
HTTPS_METHOD: noredirect
|
||||
ACME_HTTP_CHALLENGE_LOCATION: "true"
|
||||
|
||||
sut:
|
||||
image: nginxproxy/nginx-proxy:test
|
||||
environment:
|
||||
ACME_HTTP_CHALLENGE_LOCATION: "false"
|
||||
volumes:
|
||||
- /var/run/docker.sock:/tmp/docker.sock:ro
|
||||
- ./certs:/etc/nginx/certs:ro
|
||||
- ./acme_root:/usr/share/nginx/html:ro
|
@ -0,0 +1,30 @@
|
||||
import pytest
|
||||
|
||||
|
||||
def test_redirect_acme_challenge_location_enabled(docker_compose, nginxproxy, acme_challenge_path):
|
||||
r = nginxproxy.get(
|
||||
f"http://web1.nginx-proxy.tld/{acme_challenge_path}",
|
||||
allow_redirects=False
|
||||
)
|
||||
assert r.status_code == 200
|
||||
|
||||
def test_redirect_acme_challenge_location_disabled(docker_compose, nginxproxy, acme_challenge_path):
|
||||
r = nginxproxy.get(
|
||||
f"http://web2.nginx-proxy.tld/{acme_challenge_path}",
|
||||
allow_redirects=False
|
||||
)
|
||||
assert r.status_code == 301
|
||||
|
||||
def test_noderirect_acme_challenge_location_enabled(docker_compose, nginxproxy, acme_challenge_path):
|
||||
r = nginxproxy.get(
|
||||
f"http://web3.nginx-proxy.tld/{acme_challenge_path}",
|
||||
allow_redirects=False
|
||||
)
|
||||
assert r.status_code == 200
|
||||
|
||||
def test_noderirect_acme_challenge_location_disabled(docker_compose, nginxproxy, acme_challenge_path):
|
||||
r = nginxproxy.get(
|
||||
f"http://web4.nginx-proxy.tld/{acme_challenge_path}",
|
||||
allow_redirects=False
|
||||
)
|
||||
assert r.status_code == 404
|
@ -0,0 +1,47 @@
|
||||
version: "2"
|
||||
|
||||
services:
|
||||
web1:
|
||||
image: web
|
||||
expose:
|
||||
- "81"
|
||||
environment:
|
||||
WEB_PORTS: "81"
|
||||
VIRTUAL_HOST: "web1.nginx-proxy.tld"
|
||||
|
||||
web2:
|
||||
image: web
|
||||
expose:
|
||||
- "82"
|
||||
environment:
|
||||
WEB_PORTS: "82"
|
||||
VIRTUAL_HOST: "web2.nginx-proxy.tld"
|
||||
ACME_HTTP_CHALLENGE_LOCATION: "false"
|
||||
|
||||
web3:
|
||||
image: web
|
||||
expose:
|
||||
- "83"
|
||||
environment:
|
||||
WEB_PORTS: "83"
|
||||
VIRTUAL_HOST: "web3.nginx-proxy.tld"
|
||||
HTTPS_METHOD: noredirect
|
||||
|
||||
web4:
|
||||
image: web
|
||||
expose:
|
||||
- "84"
|
||||
environment:
|
||||
WEB_PORTS: "84"
|
||||
VIRTUAL_HOST: "web4.nginx-proxy.tld"
|
||||
HTTPS_METHOD: noredirect
|
||||
ACME_HTTP_CHALLENGE_LOCATION: "false"
|
||||
|
||||
sut:
|
||||
image: nginxproxy/nginx-proxy:test
|
||||
environment:
|
||||
ACME_HTTP_CHALLENGE_LOCATION: "true"
|
||||
volumes:
|
||||
- /var/run/docker.sock:/tmp/docker.sock:ro
|
||||
- ./certs:/etc/nginx/certs:ro
|
||||
- ./acme_root:/usr/share/nginx/html:ro
|
16
test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.py
Normal file
16
test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.py
Normal file
@ -0,0 +1,16 @@
|
||||
import pytest
|
||||
|
||||
|
||||
def test_redirect_acme_challenge_location_legacy(docker_compose, nginxproxy, acme_challenge_path):
|
||||
r = nginxproxy.get(
|
||||
f"http://web1.nginx-proxy.tld/{acme_challenge_path}",
|
||||
allow_redirects=False
|
||||
)
|
||||
assert r.status_code == 200
|
||||
|
||||
def test_noderirect_acme_challenge_location_legacy(docker_compose, nginxproxy, acme_challenge_path):
|
||||
r = nginxproxy.get(
|
||||
f"http://web2.nginx-proxy.tld/{acme_challenge_path}",
|
||||
allow_redirects=False
|
||||
)
|
||||
assert r.status_code == 404
|
26
test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.yml
Normal file
26
test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.yml
Normal file
@ -0,0 +1,26 @@
|
||||
version: "2"
|
||||
|
||||
services:
|
||||
web1:
|
||||
image: web
|
||||
expose:
|
||||
- "81"
|
||||
environment:
|
||||
WEB_PORTS: "81"
|
||||
VIRTUAL_HOST: "web1.nginx-proxy.tld"
|
||||
|
||||
web2:
|
||||
image: web
|
||||
expose:
|
||||
- "82"
|
||||
environment:
|
||||
WEB_PORTS: "82"
|
||||
VIRTUAL_HOST: "web2.nginx-proxy.tld"
|
||||
HTTPS_METHOD: noredirect
|
||||
|
||||
sut:
|
||||
image: nginxproxy/nginx-proxy:test
|
||||
volumes:
|
||||
- /var/run/docker.sock:/tmp/docker.sock:ro
|
||||
- ./certs:/etc/nginx/certs:ro
|
||||
- ./acme_root:/usr/share/nginx/html:ro
|
@ -19,9 +19,9 @@ def test_web2_HSTS_policy_is_inactive(docker_compose, nginxproxy):
|
||||
assert "Strict-Transport-Security" not in r.headers
|
||||
|
||||
|
||||
def test_web3_acme_challenge_does_work(docker_compose, nginxproxy, acme_challenge_path):
|
||||
def test_web3_acme_challenge_does_not_work(docker_compose, nginxproxy, acme_challenge_path):
|
||||
r = nginxproxy.get(
|
||||
f"http://web3.nginx-proxy.tld/{acme_challenge_path}",
|
||||
allow_redirects=False
|
||||
)
|
||||
assert r.status_code == 200
|
||||
assert r.status_code == 404
|
||||
|
Loading…
Reference in New Issue
Block a user