dfd4f54c61
Before, if a site's certificate was not found, the site was served
over http rather than https. Failing open like this is problematic
for sites where security is important. Presumably the user set
`HTTPS_METHOD` to a non-`noredirect` value (or left it unset) for a
good reason; we should honor it even if it means serving error
messages.
WARNING: This change breaks compatibility. Any vhost where all of the
following are true will fail after this change:
* `HTTPS_METHOD` is either unset or set to a value other than
`nohttps`.
* The vhost does not have its own certificate (`default.crt` doesn't
count).
* Clients expect to be able to access the vhost by using plain http
to nginx-proxy.
To get the previous behavior, set `HTTPS_METHOD` to `nohttps` for the
vhost.
|
||
|---|---|---|
| .. | ||
| certs | ||
| requirements | ||
| stress_tests | ||
| test_custom | ||
| test_dockergen | ||
| test_fallback.data | ||
| test_headers | ||
| test_internal | ||
| test_location-override.vhost.d | ||
| test_multiple-ports | ||
| test_server-down | ||
| test_ssl | ||
| test_trust-downstream-proxy | ||
| test_upstream-name | ||
| test_virtual-path | ||
| README.md | ||
| conftest.py | ||
| pytest.ini | ||
| pytest.sh | ||
| test_DOCKER_HOST_unix_socket.py | ||
| test_DOCKER_HOST_unix_socket.yml | ||
| test_composev2.py | ||
| test_composev2.yml | ||
| test_default-host.py | ||
| test_default-host.yml | ||
| test_default-root-none.py | ||
| test_default-root-none.yml | ||
| test_events.py | ||
| test_events.yml | ||
| test_fallback.py | ||
| test_http_port.py | ||
| test_http_port.yml | ||
| test_ipv6.py | ||
| test_ipv6.yml | ||
| test_keepalive.py | ||
| test_keepalive.yml | ||
| test_loadbalancing.py | ||
| test_loadbalancing.yml | ||
| test_location-override.py | ||
| test_location-override.yml | ||
| test_log_format.py | ||
| test_log_format.yml | ||
| test_multiple-hosts.py | ||
| test_multiple-hosts.yml | ||
| test_multiple-networks.py | ||
| test_multiple-networks.yml | ||
| test_nominal.py | ||
| test_nominal.yml | ||
| test_raw-ip-vhost.py | ||
| test_raw-ip-vhost.yml | ||
| test_vhost-empty-string.py | ||
| test_vhost-empty-string.yml | ||
| test_vhost-in-multiple-networks.py | ||
| test_vhost-in-multiple-networks.yml | ||
| test_wildcard_host.py | ||
| test_wildcard_host.yml | ||
Nginx proxy test suite
Install requirements
You need python 3.9 and pip installed. Then run the commands:
pip install -r requirements/python-requirements.txt
Prepare the nginx-proxy test image
make build-nginx-proxy-test-debian
or if you want to test the alpine flavor:
make build-nginx-proxy-test-alpine
Run the test suite
pytest
need more verbosity ?
pytest -s
Run one single test module
pytest test_nominal.py
Write a test module
This test suite uses pytest. The conftest.py file will be automatically loaded by pytest and will provide you with two useful pytest fixtures:
- docker_compose
- nginxproxy
docker_compose fixture
When using the docker_compose fixture in a test, pytest will try to find a yml file named after your test module filename. For instance, if your test module is test_example.py, then the docker_compose fixture will try to load a test_example.yml docker compose file.
Once the docker compose file found, the fixture will remove all containers, run docker-compose up, and finally your test will be executed.
The fixture will run the docker-compose command with the -f option to load the given compose file. So you can test your docker compose file syntax by running it yourself with:
docker-compose -f test_example.yml up -d
In the case you are running pytest from within a docker container, the docker_compose fixture will make sure the container running pytest is attached to all docker networks. That way, your test will be able to reach any of them.
In your tests, you can use the docker_compose variable to query and command the docker daemon as it provides you with a client from the docker python module.
Also this fixture alters the way the python interpreter resolves domain names to IP addresses in the following ways:
Any domain name containing the substring nginx-proxy will resolve to the IP address of the container that was created from the nginxproxy/nginx-proxy:test image. So all the following domain names will resolve to the nginx-proxy container in tests:
nginx-proxynginx-proxy.comwww.nginx-proxy.comwww.nginx-proxy.testwww.nginx-proxywhatever.nginx-proxyooooooo- ...
Any domain name ending with XXX.container.docker will resolve to the IP address of the XXX container.
web1.container.dockerwill resolve to the IP address of theweb1containerf00.web1.container.dockerwill resolve to the IP address of theweb1containeranything.whatever.web2.container.dockerwill resolve to the IP address of theweb2container
Otherwise, domain names are resoved as usual using your system DNS resolver.
nginxproxy fixture
The nginxproxy fixture will provide you with a replacement for the python requests module. This replacement will just repeat up to 30 times a requests if it receives the HTTP error 404 or 502. This error occurs when you try to send queries to nginx-proxy too early after the container creation.
Also this requests replacement is preconfigured to use the Certificate Authority root certificate certs/ca-root.crt to validate https connections.
Furthermore, the nginxproxy methods accept an additional keyword parameter: ipv6 which forces requests made against containers to use the containers IPv6 address when set to True. If IPv6 is not supported by the system or docker, that particular test will be skipped.
def test_forwards_to_web1_ipv6(docker_compose, nginxproxy):
r = nginxproxy.get("http://web1.nginx-proxy.tld/port", ipv6=True)
assert r.status_code == 200
assert r.text == "answer from port 81\n"
The web docker image
When you run the make build-webserver command, you built a web docker image which is convenient for running a small web server in a container. This image can produce containers that listens on multiple ports at the same time.
Testing TLS
If you need to create server certificates, use the certs/create_server_certificate.sh script. Pytest will be able to validate any certificate issued from this script.