
fix: prevent incorrect loading of wildcard domains in vhost configuration

Co-authored-by: Sjoerd de Wit <sjoerd@superlatief.nl>
Co-authored-by: Minjong Kim <make.dirty.code@gmail.com>
Sjoerd de Wit před 1 měsícem
rodič
revize
32743b04ac
1 změnil soubory, kde provedl 10 přidání a 10 odebrání
  1. 10 10
      nginx.tmpl

+ 10 - 10
nginx.tmpl

@@ -65,9 +65,9 @@
 #     (none)
     {{- end }}
 {{- else }}
-# /!\ WARNING: Failed to find the Docker container labeled "{{ $globals.config.nginx_container_label }}" or the one running docker-gen. 
+# /!\ WARNING: Failed to find the Docker container labeled "{{ $globals.config.nginx_container_label }}" or the one running docker-gen.
 #              All upstream (backend) application containers will appear to be unreachable.
-#              Try removing the -only-exposed and -only-published arguments to docker-gen if you pass either of those. 
+#              Try removing the -only-exposed and -only-published arguments to docker-gen if you pass either of those.
 #              See https://github.com/nginx-proxy/docker-gen/issues/458.
 {{- end }}
 
@@ -291,7 +291,7 @@
         {{- $override = printf "/etc/nginx/vhost.d/%s_location_override" .Host }}
     {{- end }}
     {{- if exists $override }}
-    include {{ $override }};
+    include {{  printf "%s" (replace $override "*" "\\*" -1) }};
     {{- else }}
         {{- $keepalive := $vpath.keepalive }}
     location {{ .Path }} {
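Review bot: The escaping on the new `include` line covers only `*`, but nginx treats the argument of `include` as a glob mask, where `?` and `[` are pattern characters as well. Whether those can reach `$override` is not visible here, since it is built from `.Host` above the hunk, so either escape them too or add a comment stating that `*` is the only mask character a non-regexp host can contain. The `printf "%s"` wrapper is redundant; `include {{ replace $override "*" "\\*" -1 }};` renders the same text. The same `*`-only escaping is used on the `include` lines in the hunks at -339 and -1067. The surrounding location template starts and ends outside this hunk.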
@@ -339,9 +339,9 @@
         {{- end }}
 
         {{- if (exists (printf "/etc/nginx/vhost.d/%s_%s_location" .Host (sha1 .Path) )) }}
-        include {{ printf "/etc/nginx/vhost.d/%s_%s_location" .Host (sha1 .Path) }};
+        include {{ printf "/etc/nginx/vhost.d/%s_%s_location" (replace .Host "*" "\\*" -1) (sha1 .Path) }};
         {{- else if (exists (printf "/etc/nginx/vhost.d/%s_location" .Host)) }}
-        include {{ printf "/etc/nginx/vhost.d/%s_location" .Host}};
+        include {{ printf "/etc/nginx/vhost.d/%s_location" (replace .Host "*" "\\*" -1) }};
         {{- else if (exists "/etc/nginx/vhost.d/default_location") }}
         include /etc/nginx/vhost.d/default_location;
         {{- end }}
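Review bot: Each `exists` test here checks the literal path while the matching `include` rebuilds the path with its own `printf` and `replace`, so a later edit to one can drift from the other and load a file other than the one that was checked. Assigning the escaped host once, for example `{{- $escapedHost := replace .Host "*" "\\*" -1 }}`, and reusing it in both `include` lines would keep the pairs in step. The reason for the escape is also undocumented; a template comment such as `{{- /* nginx include globs its argument; escape * so a wildcard vhost loads only its own file */}}` would stop the `replace` from being removed as noise later.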
@@ -788,7 +788,7 @@ proxy_set_header Proxy "";
     {{- $ssl_policy := groupByKeys $vhost_containers "Env.SSL_POLICY" | first | default "" }}
 
     {{- /* Get ssl_verify_client defined by containers w/ the same vhost, falling back to "on" */}}
-    {{- $ssl_verify_client := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.ssl_verify_client" | keys | first | default "on" }}																						   
+    {{- $ssl_verify_client := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.ssl_verify_client" | keys | first | default "on" }}
 
     {{- /* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000". */}}
     {{- $hsts := groupByKeys $vhost_containers "Env.HSTS" | first | default $globals.config.hsts }}
@@ -811,7 +811,7 @@ proxy_set_header Proxy "";
         "acme_http_challenge_enabled" $acme_http_challenge_enabled
         "server_tokens" $server_tokens
         "ssl_policy" $ssl_policy
-        "ssl_verify_client" $ssl_verify_client											  
+        "ssl_verify_client" $ssl_verify_client
         "trust_default_cert" $trust_default_cert
         "upstream_name" $upstream_name
         "vhost_root" $vhost_root
@@ -1067,7 +1067,7 @@ server {
     {{- $vhostFileName :=  $vhost.is_regexp | ternary (sha1 $hostname) $hostname }}
 
     {{- if (exists (printf "/etc/nginx/vhost.d/%s" $vhostFileName)) }}
-    include {{ printf "/etc/nginx/vhost.d/%s" $vhostFileName }};
+    include {{ printf "/etc/nginx/vhost.d/%s" (replace $vhostFileName "*" "\\*" -1) }};
     {{- else if (exists "/etc/nginx/vhost.d/default") }}
     include /etc/nginx/vhost.d/default;
     {{- end }}
@@ -1075,11 +1075,11 @@ server {
     {{/* SSL Client Certificate Validation */}}
     {{/* If vhost(hash).ca.crt exists, include CA */}}
     {{- if (exists (printf "/etc/nginx/certs/%s.ca.crt" $vhostFileName)) }}
-    ssl_client_certificate {{ printf "/etc/nginx/certs/%s.ca.crt" $vhostFileName }}; 
+    ssl_client_certificate {{ printf "/etc/nginx/certs/%s.ca.crt" $vhostFileName }};
     ssl_verify_client {{ $vhost.ssl_verify_client }};
         {{/* If vhost(hash).crl.pem exists, include CRL */}}
         {{- if (exists (printf "/etc/nginx/certs/%s.crl.pem" $vhostFileName)) }}
-    ssl_crl {{ printf "/etc/nginx/certs/%s.crl.pem" $vhostFileName }}; 
+    ssl_crl {{ printf "/etc/nginx/certs/%s.crl.pem" $vhostFileName }};
         {{ end }}
     {{/* Else if no vhost CA file exists, but a global ca.crt exists include it */}}
     {{ else if (exists "/etc/nginx/certs/ca.crt") }}