mirror of
https://github.com/nginx-proxy/nginx-proxy
synced 2024-05-26 17:36:14 +02:00
Merge branch 'master' into feature_ssl_improvement
This commit is contained in:
Jason Wilder
commit
c41186a3a4
|
|
@ -1,4 +1,4 @@
|
|||
FROM nginx:1.11.10
|
||||
FROM nginx:1.13.0
|
||||
MAINTAINER Jason Wilder mail@jasonwilder.com
|
||||
|
||||
# Install wget and install/updates certificates
|
||||
|
|
@ -9,8 +9,11 @@ RUN apt-get update \
|
|||
&& apt-get clean \
|
||||
&& rm -r /var/lib/apt/lists/*
|
||||
|
||||
# Configure nginx
|
||||
RUN echo "daemon off;" >> /etc/nginx/nginx.conf
|
||||
|
||||
# Configure Nginx and apply fix for very long server names
|
||||
RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
|
||||
&& sed -i 's/^http {/&\n server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf \
|
||||
&& sed -i 's/worker_processes 1/worker_processes auto/' /etc/nginx/nginx.conf
|
||||
|
||||
# Install Forego
|
||||
ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
FROM nginx:1.11.10-alpine
|
||||
FROM nginx:1.13.0-alpine
|
||||
MAINTAINER Jason Wilder mail@jasonwilder.com
|
||||
|
||||
# Install wget and install/updates certificates
|
||||
|
|
@ -6,8 +6,11 @@ RUN apk add --no-cache --virtual .run-deps \
|
|||
ca-certificates bash wget openssl \
|
||||
&& update-ca-certificates
|
||||
|
||||
# Configure Nginx
|
||||
RUN echo "daemon off;" >> /etc/nginx/nginx.conf
|
||||
|
||||
# Configure Nginx and apply fix for very long server names
|
||||
RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
|
||||
&& sed -i 's/^http {/&\n server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf \
|
||||
&& sed -i 's/worker_processes 1/worker_processes auto/' /etc/nginx/nginx.conf
|
||||
|
||||
# Install Forego
|
||||
ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego
|
||||
|
|
|
|||
10
README.md
10
README.md
|
|
@ -1,4 +1,4 @@
|
|||
  [](https://travis-ci.org/jwilder/nginx-proxy) [](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub')
|
||||
  [](https://travis-ci.org/jwilder/nginx-proxy) [](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub')
|
||||
|
||||
|
||||
nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped.
|
||||
|
|
@ -17,7 +17,7 @@ Then start any containers you want proxied with an env var `VIRTUAL_HOST=subdoma
|
|||
|
||||
The containers being proxied must [expose](https://docs.docker.com/engine/reference/run/#expose-incoming-ports) the port to be proxied, either by using the `EXPOSE` directive in their `Dockerfile` or by using the `--expose` flag to `docker run` or `docker create`.
|
||||
|
||||
Provided your DNS is setup to forward foo.bar.com to the a host running nginx-proxy, the request will be routed to a container with the VIRTUAL_HOST env var set.
|
||||
Provided your DNS is setup to forward foo.bar.com to the host running nginx-proxy, the request will be routed to a container with the VIRTUAL_HOST env var set.
|
||||
|
||||
### Image variants
|
||||
|
||||
|
|
@ -31,7 +31,7 @@ This image uses the debian:jessie based nginx image.
|
|||
|
||||
#### jwilder/nginx-proxy:alpine
|
||||
|
||||
This image is based on the nginx:alpine image.
|
||||
This image is based on the nginx:alpine image. Use this image to fully support HTTP/2 (including ALPN required by recent Chrome versions). A valid certificate is required as well (see eg. below "SSL Support using letsencrypt" for more info).
|
||||
|
||||
$ docker pull jwilder/nginx-proxy:alpine
|
||||
|
||||
|
|
@ -105,7 +105,7 @@ If you would like the reverse proxy to connect to your backend using HTTPS inste
|
|||
### uWSGI Backends
|
||||
|
||||
If you would like to connect to uWSGI backend, set `VIRTUAL_PROTO=uwsgi` on the
|
||||
backend container. Your backend container should than listen on a port rather
|
||||
backend container. Your backend container should then listen on a port rather
|
||||
than a socket and expose that port.
|
||||
|
||||
### Default Host
|
||||
|
|
@ -215,7 +215,7 @@ is always preferred when available.
|
|||
Note that in the latter case, a browser may get an connection error as no certificate is available
|
||||
to establish a connection. A self-signed or generic cert named `default.crt` and `default.key`
|
||||
will allow a client browser to make a SSL connection (likely w/ a warning) and subsequently receive
|
||||
a 503.
|
||||
a 500.
|
||||
|
||||
To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the
|
||||
environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also
|
||||
|
|
|
|||
|
|
@ -105,10 +105,14 @@ server {
|
|||
{{ end }}
|
||||
|
||||
{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
|
||||
|
||||
{{ $host := trim $host }}
|
||||
{{ $is_regexp := hasPrefix "~" $host }}
|
||||
{{ $upstream_name := when $is_regexp (sha1 $host) $host }}
|
||||
|
||||
# {{ $host }}
|
||||
upstream {{ $upstream_name }} {
|
||||
|
||||
{{ range $container := $containers }}
|
||||
{{ $addrLen := len $container.Addresses }}
|
||||
|
||||
|
|
@ -137,7 +141,7 @@ upstream {{ $upstream_name }} {
|
|||
{{ $default_server := index (dict $host "" $default_host "default_server") $host }}
|
||||
|
||||
{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}}
|
||||
{{ $proto := or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http" }}
|
||||
{{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
|
||||
|
||||
{{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}}
|
||||
{{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }}
|
||||
|
|
@ -211,6 +215,7 @@ server {
|
|||
{{ else }}
|
||||
proxy_pass {{ trim $proto }}://{{ trim $upstream_name }};
|
||||
{{ end }}
|
||||
|
||||
{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
|
||||
auth_basic "Restricted {{ $host }}";
|
||||
auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }};
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ if [[ "$#" -eq 0 ]]; then
|
|||
|
||||
You can also create certificates for wildcard domains:
|
||||
$(basename $0) '*.my-domain.tdl'
|
||||
|
||||
|
||||
EOF
|
||||
exit 0
|
||||
else
|
||||
|
|
@ -24,8 +24,8 @@ fi
|
|||
# Create a nginx container (which conveniently provides the `openssl` command)
|
||||
###############################################################################
|
||||
|
||||
CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.11.8)
|
||||
# Configure openssl
|
||||
CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.13.0)
|
||||
# Configure openssl
|
||||
docker exec $CONTAINER bash -c '
|
||||
mkdir -p /ca/{certs,crl,private,newcerts} 2>/dev/null
|
||||
echo 1000 > /ca/serial
|
||||
|
|
@ -117,7 +117,7 @@ function openssl {
|
|||
}
|
||||
|
||||
function exitfail {
|
||||
echo
|
||||
echo
|
||||
echo ERROR: "$@"
|
||||
docker rm -f $CONTAINER
|
||||
exit 1
|
||||
|
|
@ -129,15 +129,15 @@ function exitfail {
|
|||
###############################################################################
|
||||
|
||||
if ! [[ -f "$DIR/ca-root.key" ]]; then
|
||||
echo
|
||||
echo
|
||||
echo "> Create a Certificate Authority root key: $DIR/ca-root.key"
|
||||
openssl genrsa -out ca-root.key 2048
|
||||
[[ $? -eq 0 ]] || exitfail failed to generate CA root key
|
||||
fi
|
||||
|
||||
# Create a CA root certificate
|
||||
# Create a CA root certificate
|
||||
if ! [[ -f "$DIR/ca-root.crt" ]]; then
|
||||
echo
|
||||
echo
|
||||
echo "> Create a CA root certificate: $DIR/ca-root.crt"
|
||||
openssl req -config /ca/openssl.cnf \
|
||||
-key ca-root.key \
|
||||
|
|
@ -154,30 +154,30 @@ fi
|
|||
# create server key and certificate signed by the certificate authority
|
||||
###############################################################################
|
||||
|
||||
echo
|
||||
echo
|
||||
echo "> Create a host key: $DIR/$DOMAIN.key"
|
||||
openssl genrsa -out "$DOMAIN.key" 2048
|
||||
|
||||
echo
|
||||
echo
|
||||
echo "> Create a host certificate signing request"
|
||||
|
||||
SAN="$ALTERNATE_DOMAINS" openssl req -config /ca/openssl.cnf \
|
||||
-key "$DOMAIN.key" \
|
||||
-new -out "/ca/$DOMAIN.csr" -days 1000 -extensions san_env -subj "/CN=$DOMAIN"
|
||||
-new -out "/ca/$DOMAIN.csr" -days 1000 -extensions san_env -subj "/CN=$DOMAIN"
|
||||
[[ $? -eq 0 ]] || exitfail failed to generate server certificate signing request
|
||||
|
||||
echo
|
||||
echo
|
||||
echo "> Create server certificate: $DIR/$DOMAIN.crt"
|
||||
SAN="$ALTERNATE_DOMAINS" openssl ca -config /ca/openssl.cnf -batch \
|
||||
-extensions server_cert \
|
||||
-extensions san_env \
|
||||
-in "/ca/$DOMAIN.csr" \
|
||||
-out "$DOMAIN.crt"
|
||||
-out "$DOMAIN.crt"
|
||||
[[ $? -eq 0 ]] || exitfail failed to generate server certificate
|
||||
|
||||
|
||||
# Verify host certificate
|
||||
#openssl x509 -noout -text -in "$DOMAIN.crt"
|
||||
#openssl x509 -noout -text -in "$DOMAIN.crt"
|
||||
|
||||
|
||||
docker rm -f $CONTAINER >/dev/null
|
||||
|
|
|
|||
|
|
@ -0,0 +1,6 @@
|
|||
In this scenario, we have a wildcard certificate for `*.web.nginx-proxy.tld` and 3 web containers:
|
||||
- 1.web.nginx-proxy.tld
|
||||
- 2.web.nginx-proxy.tld
|
||||
- 3.web.nginx-proxy.tld
|
||||
|
||||
We want web containers 1 and 2 to support SSL, but 3 should not (using `HTTPS_METHOD=nohttps`)
|
||||
|
|
@ -0,0 +1,70 @@
|
|||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 4096 (0x1000)
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
Issuer: O=nginx-proxy test suite, CN=www.nginx-proxy.tld
|
||||
Validity
|
||||
Not Before: Mar 15 00:17:52 2017 GMT
|
||||
Not After : Jul 31 00:17:52 2044 GMT
|
||||
Subject: CN=nginx-proxy.tld
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
Public-Key: (2048 bit)
|
||||
Modulus:
|
||||
00:f2:fd:79:70:99:0c:da:63:5c:81:28:72:31:01:
|
||||
62:e9:68:d7:cb:8d:c6:95:f9:ec:26:34:1c:08:c6:
|
||||
6d:de:ad:d8:b0:c0:ae:48:03:73:76:6b:3f:c5:35:
|
||||
86:c6:42:91:53:3c:aa:85:89:84:92:67:92:ef:a9:
|
||||
5b:f2:d4:04:73:34:02:35:d4:6a:fa:c2:da:91:4a:
|
||||
a9:70:87:25:38:84:1d:93:99:3c:d7:03:61:a6:6d:
|
||||
33:6f:83:45:04:af:4f:96:62:1e:c1:79:87:c9:d5:
|
||||
4c:e9:8f:85:e2:c8:1b:5b:fc:b8:02:ff:7b:6d:34:
|
||||
4c:5d:40:73:44:9e:c5:1f:5f:e0:0f:89:88:c4:35:
|
||||
2b:04:53:8c:8e:a0:7c:7c:97:16:20:c2:4f:a1:c0:
|
||||
dd:bf:d5:13:2d:64:25:03:f2:d8:d5:27:01:70:c9:
|
||||
f4:37:33:36:7e:7b:48:54:ec:37:2b:81:3d:50:3c:
|
||||
d4:5f:05:19:e2:0b:ba:76:f6:2c:3b:23:4b:82:78:
|
||||
5f:e9:e3:57:fc:39:4a:5c:42:82:72:c8:a3:af:b7:
|
||||
b3:91:e4:01:9c:2c:47:5e:ff:aa:ad:63:1c:e7:9c:
|
||||
2e:a2:ac:5d:51:30:83:67:6e:f8:5a:ed:0b:70:e4:
|
||||
68:d4:e9:5e:a7:f5:5e:87:3b:e8:31:ad:00:04:f8:
|
||||
7b:d9
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Subject Alternative Name:
|
||||
DNS:nginx-proxy.tld
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
39:d4:cc:78:a3:5e:64:e9:ab:9d:a9:89:3b:9e:18:01:98:cb:
|
||||
e2:0c:ef:e9:2b:50:34:ed:63:ed:e6:0e:53:59:30:80:e0:3b:
|
||||
5e:08:ca:09:55:da:e3:3e:c2:01:d8:d6:ca:92:2a:0b:ee:2c:
|
||||
a1:93:18:7b:15:28:8d:2a:17:25:76:eb:ef:70:e0:d7:02:d3:
|
||||
ad:81:33:47:9b:fb:d8:52:87:69:a4:3a:20:a4:9a:2d:3f:40:
|
||||
5f:52:bf:0b:96:e3:52:c3:59:55:dc:5a:37:f3:e6:d6:16:46:
|
||||
64:e4:20:32:5d:cd:4b:da:2b:ef:e9:85:af:00:a1:ca:a1:08:
|
||||
ed:0f:f4:65:dc:2a:c9:b3:4e:cc:f3:82:d7:69:3a:4d:fc:8e:
|
||||
db:10:95:28:20:07:55:f0:d1:11:1f:c5:00:74:88:c6:c9:94:
|
||||
15:90:93:3a:de:90:85:fb:72:9c:d8:57:58:05:7d:bb:6a:36:
|
||||
eb:d8:12:22:41:0e:fc:c9:24:79:c0:28:4f:4f:1b:4b:59:f9:
|
||||
e4:c6:97:be:b1:94:74:de:a7:65:d3:cb:0a:56:3b:d3:63:fc:
|
||||
b2:05:fc:e7:ec:bb:45:04:91:9f:21:f9:05:3b:5d:4c:af:8e:
|
||||
84:04:f5:25:fb:4d:ab:db:23:56:74:7e:4f:b3:da:bb:27:e7:
|
||||
ea:fb:bd:00
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIC8zCCAdugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwPzEfMB0GA1UECgwWbmdp
|
||||
bngtcHJveHkgdGVzdCBzdWl0ZTEcMBoGA1UEAwwTd3d3Lm5naW54LXByb3h5LnRs
|
||||
ZDAeFw0xNzAzMTUwMDE3NTJaFw00NDA3MzEwMDE3NTJaMBoxGDAWBgNVBAMMD25n
|
||||
aW54LXByb3h5LnRsZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPL9
|
||||
eXCZDNpjXIEocjEBYulo18uNxpX57CY0HAjGbd6t2LDArkgDc3ZrP8U1hsZCkVM8
|
||||
qoWJhJJnku+pW/LUBHM0AjXUavrC2pFKqXCHJTiEHZOZPNcDYaZtM2+DRQSvT5Zi
|
||||
HsF5h8nVTOmPheLIG1v8uAL/e200TF1Ac0SexR9f4A+JiMQ1KwRTjI6gfHyXFiDC
|
||||
T6HA3b/VEy1kJQPy2NUnAXDJ9DczNn57SFTsNyuBPVA81F8FGeILunb2LDsjS4J4
|
||||
X+njV/w5SlxCgnLIo6+3s5HkAZwsR17/qq1jHOecLqKsXVEwg2du+FrtC3DkaNTp
|
||||
Xqf1Xoc76DGtAAT4e9kCAwEAAaMeMBwwGgYDVR0RBBMwEYIPbmdpbngtcHJveHku
|
||||
dGxkMA0GCSqGSIb3DQEBCwUAA4IBAQA51Mx4o15k6audqYk7nhgBmMviDO/pK1A0
|
||||
7WPt5g5TWTCA4DteCMoJVdrjPsIB2NbKkioL7iyhkxh7FSiNKhclduvvcODXAtOt
|
||||
gTNHm/vYUodppDogpJotP0BfUr8LluNSw1lV3Fo38+bWFkZk5CAyXc1L2ivv6YWv
|
||||
AKHKoQjtD/Rl3CrJs07M84LXaTpN/I7bEJUoIAdV8NERH8UAdIjGyZQVkJM63pCF
|
||||
+3Kc2FdYBX27ajbr2BIiQQ78ySR5wChPTxtLWfnkxpe+sZR03qdl08sKVjvTY/yy
|
||||
Bfzn7LtFBJGfIfkFO11Mr46EBPUl+02r2yNWdH5Ps9q7J+fq+70A
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpQIBAAKCAQEA8v15cJkM2mNcgShyMQFi6WjXy43GlfnsJjQcCMZt3q3YsMCu
|
||||
SANzdms/xTWGxkKRUzyqhYmEkmeS76lb8tQEczQCNdRq+sLakUqpcIclOIQdk5k8
|
||||
1wNhpm0zb4NFBK9PlmIewXmHydVM6Y+F4sgbW/y4Av97bTRMXUBzRJ7FH1/gD4mI
|
||||
xDUrBFOMjqB8fJcWIMJPocDdv9UTLWQlA/LY1ScBcMn0NzM2fntIVOw3K4E9UDzU
|
||||
XwUZ4gu6dvYsOyNLgnhf6eNX/DlKXEKCcsijr7ezkeQBnCxHXv+qrWMc55wuoqxd
|
||||
UTCDZ274Wu0LcORo1Olep/VehzvoMa0ABPh72QIDAQABAoIBAQDqcaW5/fFoxHV8
|
||||
KIoEvlGw4ndS7nesPHacZaqmzM01DIcGAuIkmS/OEax1mi9vGsschGwCa6x9lXEv
|
||||
yzfsEqQ4gvWe+lQ9ncNEa8UPzVUcMlxXDIKm8ZxF9xapgP4Whw9DCWijQ57AHg0X
|
||||
TGLhbDD5j9v7CIUN2GfVkVml24pVuUoeXqv7ZLzTJKZ+Q/eqxyeIikjFheXzaQxb
|
||||
bUHbEHIXJtHMYULXmfc5WCxuobHqal3z0ymCijoZVXV8hp8dtDP34tRV9MID9wck
|
||||
lRUVqboFCIXxmLLRTZgyCbiFLkCIu2nmgNobWCNfkHN7QQhToPEecSFMZzYtmo6/
|
||||
T1fHE3ABAoGBAP1J1Izfc4CF9t2iPGzXyn8oNkXHLMPKtFQ2Rb8XwBryUOOrAHqT
|
||||
FIZ2FsDJr0VvS1ihFs1kbO+WAY5W5GytwiiVXvztHz3/f5JnGgvMCeUcEmaj90vq
|
||||
sTyfHc2OKFjumIjGe87uav3bgac7nOWLO+RIJ/ua6UO7/8psqwryxY4FAoGBAPWX
|
||||
a502kT56VwI3Gf8hb37PZ/PD+gOzgzVcMn13yLZ4gC9xoP4TKUBHSz4wO8asjKk5
|
||||
1RD/DITXYKelyRXynOtMW+2j2s5bVBpOshN/n9jRC1haoGJZYb2JVP6+8WoZKQOF
|
||||
NwgNlI4he32kSFw59fjkdG64iw7KY8ZYUatkrgrFAoGBAPozTjUCHfRdYOi6c/oI
|
||||
h81oCYSQJVYbDFsLaYZEjc2Qg/sBVm2+kE3qpLs3/10VfVZFemLVyw44Hb1fdDEu
|
||||
y1aPhs9N5Mi3dGtIUWBJ45RgUIT3fzeM1BtQCn6c6JpAxoiFmJNmzGWLyd1Kc8gD
|
||||
69uqs2RFOBtiwGBTS/p6qk+JAoGBAM1QkpnzFYf69SSX9jbRuAl20Xv8GdbgS0/f
|
||||
zSIRcw4BPYDsaOAgGrtvHttVrZORi2KqQ5Ma9ldUS6y8L5kWo9MemjfYZUNhHLWF
|
||||
luAwMO0tDmQGF9FA0jKHTjROYzsE38Heq7wixk/wc/H81rWrixRRwXkS9MYfszwN
|
||||
d/FmkQ3VAoGAXHZrDEygUmf4q0LwjLVF0TPzElh530qVmyhPa0OBs/hVh9Mwv/i6
|
||||
fj3+k7uYWgKDzcaVXSMOFGt515F8qy0AUEY9r+IjAn01KTLKO4ZuPiSpxliqDbCs
|
||||
gzsX9CWVSVgTN+TY15QCoJNpzLiyrXe3uldAP5JEBQSnjt9OfSJQ5IU=
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
|
@ -0,0 +1,71 @@
|
|||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 4096 (0x1000)
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
Issuer: O=nginx-proxy test suite, CN=www.nginx-proxy.tld
|
||||
Validity
|
||||
Not Before: Mar 14 23:19:36 2017 GMT
|
||||
Not After : Jul 30 23:19:36 2044 GMT
|
||||
Subject: CN=*.web.nginx-proxy.tld
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
Public-Key: (2048 bit)
|
||||
Modulus:
|
||||
00:ce:2b:74:13:b2:1a:d5:72:5c:3e:10:f7:63:01:
|
||||
22:df:e8:d9:cf:0b:8a:3f:40:75:62:58:78:27:9e:
|
||||
af:33:d2:a1:19:6a:e1:b7:57:db:d9:8f:05:70:c2:
|
||||
35:5d:f1:44:0d:51:62:74:73:e5:77:d9:bb:c6:d0:
|
||||
33:7a:43:88:e9:e6:3c:2d:d4:39:9d:61:34:5a:19:
|
||||
f3:c1:96:e0:bd:26:5b:69:18:a6:4c:8c:21:04:d8:
|
||||
fa:56:22:ec:55:0d:ba:49:4d:8e:27:69:7f:82:e9:
|
||||
e7:e9:c4:b7:87:70:d7:d7:4b:49:d1:c1:8c:b0:5a:
|
||||
13:62:db:de:c1:94:31:d1:c9:74:c4:63:01:50:10:
|
||||
70:42:73:67:c4:76:32:fb:d2:b7:91:2f:e8:cf:3a:
|
||||
96:4a:ee:8e:0d:13:74:73:1b:e4:74:83:e7:66:d6:
|
||||
8d:81:19:54:5b:d8:47:3e:3b:b5:fd:35:a2:df:f3:
|
||||
7d:1c:9e:67:ee:50:da:28:9c:02:0a:ad:75:8d:04:
|
||||
f7:28:1f:04:89:13:ac:ed:a9:34:26:dc:f7:f9:1f:
|
||||
72:21:d5:72:fb:09:d9:cb:40:c0:0d:36:3c:c0:77:
|
||||
0e:9a:f7:41:f1:3b:dd:b6:05:ab:13:60:c5:fd:c6:
|
||||
5f:f5:05:c4:42:00:ba:b5:ef:fb:dc:64:98:d9:4d:
|
||||
2b:07
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Subject Alternative Name:
|
||||
DNS:*.web.nginx-proxy.tld
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
9b:78:39:b3:90:8f:31:8c:7d:02:aa:6f:46:3d:8c:f5:93:86:
|
||||
03:e2:d8:9b:73:d1:e7:70:f1:d6:e6:3c:41:41:8c:76:c9:29:
|
||||
a4:83:47:c7:10:fd:d0:8b:fa:60:26:a8:36:41:a4:69:89:81:
|
||||
ec:bf:fd:33:72:bb:83:ea:42:e4:59:3f:10:df:d1:de:e2:bb:
|
||||
eb:fa:97:44:fe:f4:55:29:69:ca:a5:88:b2:94:60:58:5a:1a:
|
||||
19:16:fb:9f:42:4c:7c:d3:6b:21:45:22:56:5c:76:07:97:35:
|
||||
27:8f:46:d2:77:5b:65:1b:94:99:cb:73:37:ae:cf:61:6c:7a:
|
||||
5c:b3:3b:19:f2:9f:99:8f:89:eb:98:0b:74:0d:30:f5:49:19:
|
||||
d6:41:32:4e:c9:fc:59:2a:4a:53:2c:83:89:3d:e8:89:ed:37:
|
||||
d0:b4:f1:09:49:b5:0b:76:fd:a5:75:23:fb:01:c8:bb:59:02:
|
||||
5c:e4:8e:9c:f9:5b:85:5f:67:fb:04:40:de:bc:e8:c3:15:2f:
|
||||
ba:00:5c:36:57:47:e3:1a:95:44:5f:f4:10:55:b0:c4:af:12:
|
||||
dc:0e:6c:18:4a:70:9e:73:90:8d:55:37:73:a5:1a:41:7f:00:
|
||||
79:96:34:01:6b:10:2d:e9:61:3d:8f:8a:9a:c8:b6:bc:0f:57:
|
||||
91:84:7c:26
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIC/zCCAeegAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwPzEfMB0GA1UECgwWbmdp
|
||||
bngtcHJveHkgdGVzdCBzdWl0ZTEcMBoGA1UEAwwTd3d3Lm5naW54LXByb3h5LnRs
|
||||
ZDAeFw0xNzAzMTQyMzE5MzZaFw00NDA3MzAyMzE5MzZaMCAxHjAcBgNVBAMMFSou
|
||||
d2ViLm5naW54LXByb3h5LnRsZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
|
||||
ggEBAM4rdBOyGtVyXD4Q92MBIt/o2c8Lij9AdWJYeCeerzPSoRlq4bdX29mPBXDC
|
||||
NV3xRA1RYnRz5XfZu8bQM3pDiOnmPC3UOZ1hNFoZ88GW4L0mW2kYpkyMIQTY+lYi
|
||||
7FUNuklNjidpf4Lp5+nEt4dw19dLSdHBjLBaE2Lb3sGUMdHJdMRjAVAQcEJzZ8R2
|
||||
MvvSt5Ev6M86lkrujg0TdHMb5HSD52bWjYEZVFvYRz47tf01ot/zfRyeZ+5Q2iic
|
||||
AgqtdY0E9ygfBIkTrO2pNCbc9/kfciHVcvsJ2ctAwA02PMB3Dpr3QfE73bYFqxNg
|
||||
xf3GX/UFxEIAurXv+9xkmNlNKwcCAwEAAaMkMCIwIAYDVR0RBBkwF4IVKi53ZWIu
|
||||
bmdpbngtcHJveHkudGxkMA0GCSqGSIb3DQEBCwUAA4IBAQCbeDmzkI8xjH0Cqm9G
|
||||
PYz1k4YD4tibc9HncPHW5jxBQYx2ySmkg0fHEP3Qi/pgJqg2QaRpiYHsv/0zcruD
|
||||
6kLkWT8Q39He4rvr+pdE/vRVKWnKpYiylGBYWhoZFvufQkx802shRSJWXHYHlzUn
|
||||
j0bSd1tlG5SZy3M3rs9hbHpcszsZ8p+Zj4nrmAt0DTD1SRnWQTJOyfxZKkpTLIOJ
|
||||
PeiJ7TfQtPEJSbULdv2ldSP7Aci7WQJc5I6c+VuFX2f7BEDevOjDFS+6AFw2V0fj
|
||||
GpVEX/QQVbDErxLcDmwYSnCec5CNVTdzpRpBfwB5ljQBaxAt6WE9j4qayLa8D1eR
|
||||
hHwm
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEowIBAAKCAQEAzit0E7Ia1XJcPhD3YwEi3+jZzwuKP0B1Ylh4J56vM9KhGWrh
|
||||
t1fb2Y8FcMI1XfFEDVFidHPld9m7xtAzekOI6eY8LdQ5nWE0WhnzwZbgvSZbaRim
|
||||
TIwhBNj6ViLsVQ26SU2OJ2l/gunn6cS3h3DX10tJ0cGMsFoTYtvewZQx0cl0xGMB
|
||||
UBBwQnNnxHYy+9K3kS/ozzqWSu6ODRN0cxvkdIPnZtaNgRlUW9hHPju1/TWi3/N9
|
||||
HJ5n7lDaKJwCCq11jQT3KB8EiROs7ak0Jtz3+R9yIdVy+wnZy0DADTY8wHcOmvdB
|
||||
8TvdtgWrE2DF/cZf9QXEQgC6te/73GSY2U0rBwIDAQABAoIBAGVkDVPaVUP/V8nW
|
||||
QjNYTbRcKTGfdT+iDZht9blWWsdboIqFe7fU53PY2E4Z1HD8xADgs1Cd5o3IcIZX
|
||||
wdkw+VY+Of43zpXNRhfBh5T/BEtBX9cRnkcq6todcw+FYUB63dBK6cwMH/9b1Qes
|
||||
DK35GszwY79aNjxMMBiAFM6SeOW4EElPsV8wd9ldX/ndiZuwkZ6k9PfyWrfeeaF+
|
||||
EwVf/HaT0bV7cHQ73tYqzKjMpdbzIyaMzuAMGZDwPfLK+O1rEsWvLvK0ypl2Omzw
|
||||
ndon8U3z0JPNmBGoq+SFS2qtCeOezNX3lPz+TWxG05R5iiFtuK83zJ5qGqCgCNZ6
|
||||
qzpZsOECgYEA/NvWqT5MdZS1fdL2wROzFMTH4OBdUGr1Gh/DsNZj4qFVSFl969mA
|
||||
7Vntm+koNLFsJt2EB67kC3ZWjozLXomHJ55/uKNnJ5LrLxczQ9x4l52CsTzrlvFq
|
||||
crYjQZDmeN3B4Z+8RSi2icq6j1PeaCZRTvcz6eBjNYj/v/O0SmiXIp8CgYEA0Lsh
|
||||
fZWuw23a8UXS2YUrXXqfIEdisVMnLRu3Zi0Y1R4lIpuwn5+2n+TxnuWcY1q+ZTMw
|
||||
dcmGPi6aRj81kEN/Kw5raKoVb6YywTNB4/Dwz7PRQH386FrjfivGXGEEINgbPQ09
|
||||
2u0QV2Cr9yMGZ5qNXut70RYewkxjF7+s6L8+RpkCgYB9ikBHgtC/R/fb4pP0RG2T
|
||||
ECgUtBBgTtomAENOVwL8kBEhfJ0SLcjfDtjzoYz+rF//49cbYW+DaVuMJscJxso9
|
||||
l2neJ/KdKUpu9NvVA280B1XN3WsyY+Xv0hIrCWAD/kW2WXJF+/K08twxMPipSOzx
|
||||
gbZalbdr6vrfOIX4s3jmDQKBgDiXA3Vw53jEh99x9sBSgndNj2bI89DvomdwZECn
|
||||
aVweWCMR4sjkHDctcvSJe+TT7VqyjijhAixJpjn1WShLpGaf+i7eLgGfJZOLugl6
|
||||
gU9OiSTbA35bZeIHLDhPdTcSYBAlTufT7eJCq1zNeicMl9dsMJ13Sc+TtinyJYbU
|
||||
kqXBAoGBAL9gRa1PkNkpCJ5F9aYSohCAXB7DaAgYvVyvOTQ8Bw2uACPgdnpHmxQd
|
||||
/sT7qJ1h8ZCtn89Ug/4yx79eUcOImugoCRIUVtq1xhyXUdVl55Tuy5bKBSSAe/Vh
|
||||
T7sAmryCkzn9ihRziY2j84vK0mdMkCU5AoatPg5l0g1adn5zcY6q
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
version: "3"
|
||||
|
||||
services:
|
||||
|
||||
proxy:
|
||||
image: jwilder/nginx-proxy:test
|
||||
volumes:
|
||||
- /var/run/docker.sock:/tmp/docker.sock:ro
|
||||
- ./certs:/etc/nginx/certs:ro
|
||||
|
||||
web1:
|
||||
image: web
|
||||
expose:
|
||||
- "81"
|
||||
environment:
|
||||
WEB_PORTS: "81"
|
||||
VIRTUAL_HOST: "1.web.nginx-proxy.tld"
|
||||
web2:
|
||||
image: web
|
||||
expose:
|
||||
- "82"
|
||||
environment:
|
||||
WEB_PORTS: "82"
|
||||
VIRTUAL_HOST: "2.web.nginx-proxy.tld"
|
||||
|
||||
web3_nohttps:
|
||||
image: web
|
||||
expose:
|
||||
- "83"
|
||||
environment:
|
||||
WEB_PORTS: "83"
|
||||
VIRTUAL_HOST: "3.web.nginx-proxy.tld"
|
||||
HTTPS_METHOD: nohttps
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
import pytest
|
||||
from backports.ssl_match_hostname import CertificateError
|
||||
|
||||
|
||||
@pytest.mark.parametrize("subdomain,should_redirect_to_https", [
|
||||
(1, True),
|
||||
(2, True),
|
||||
(3, False),
|
||||
])
|
||||
def test_http_redirects_to_https(docker_compose, nginxproxy, subdomain, should_redirect_to_https):
|
||||
r = nginxproxy.get("http://%s.web.nginx-proxy.tld/port" % subdomain)
|
||||
if should_redirect_to_https:
|
||||
assert r.history[0].is_redirect
|
||||
assert r.history[0].headers.get("Location") == "https://%s.web.nginx-proxy.tld/port" % subdomain
|
||||
assert "answer from port 8%s\n" % subdomain == r.text
|
||||
|
||||
|
||||
@pytest.mark.parametrize("subdomain", [1, 2])
|
||||
def test_https_get_served(docker_compose, nginxproxy, subdomain):
|
||||
r = nginxproxy.get("https://%s.web.nginx-proxy.tld/port" % subdomain, allow_redirects=False)
|
||||
assert r.status_code == 200
|
||||
assert "answer from port 8%s\n" % subdomain == r.text
|
||||
|
||||
|
||||
def test_web3_https_is_500_and_SSL_validation_fails(docker_compose, nginxproxy):
|
||||
with pytest.raises(CertificateError) as excinfo:
|
||||
nginxproxy.get("https://3.web.nginx-proxy.tld/port")
|
||||
assert """hostname '3.web.nginx-proxy.tld' doesn't match 'nginx-proxy.tld'""" in str(excinfo.value)
|
||||
|
||||
r = nginxproxy.get("https://3.web.nginx-proxy.tld/port", verify=False)
|
||||
assert r.status_code == 500
|
||||
Loading…
Reference in New Issue