
test: default cert optional trust

Nicolas Duchon 7 月之前
父節點
當前提交
40c153e8b0

+ 1 - 1
test/test_fallback.data/nohttp-on-app.yml

@@ -5,7 +5,7 @@ services:
     image: nginxproxy/nginx-proxy:test
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ./nodefault.certs:/etc/nginx/certs:ro
+      - ./withdefault.certs:/etc/nginx/certs:ro
     environment:
       HTTPS_METHOD: redirect
 
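Review bot: Switching the certs mount to `./withdefault.certs` here appears to drop coverage of `HTTPS_METHOD=nohttp` combined with an absent default certificate; the same swap is made in nohttp.yml and nohttp-with-missing-cert.yml. In test_fallback.py the matching `https://unknown.nginx-proxy.test/` expectations move from a rejected handshake to 503, so the no-default-cert behaviour under nohttp is no longer pinned by any case visible in this commit. Consider keeping a separate fixture that still mounts `./nodefault.certs:/etc/nginx/certs:ro`, so a regression that starts presenting a certificate for unknown names would be caught.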

+ 11 - 1
test/test_fallback.data/nohttp-with-missing-cert.yml

@@ -5,7 +5,7 @@ services:
     image: nginxproxy/nginx-proxy:test
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ./nodefault.certs:/etc/nginx/certs:ro
+      - ./withdefault.certs:/etc/nginx/certs:ro
     environment:
       HTTPS_METHOD: nohttp
 
@@ -24,3 +24,13 @@ services:
     environment:
       WEB_PORTS: "84"
       VIRTUAL_HOST: missing-cert.nginx-proxy.test
+
+  missing-cert-default-untrusted:
+    image: web
+    expose:
+      - "85"
+    environment:
+      WEB_PORTS: "85"
+      VIRTUAL_HOST: missing-cert.default-untrusted.nginx-proxy.test
+    labels:
+      com.github.nginx-proxy.nginx-proxy.trust-default-cert: "false"
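Review bot: The new `missing-cert-default-untrusted` service has no comment explaining what `trust-default-cert: "false"` is meant to change, so the fixture cannot be read without test_fallback.py. Judging from the expectations there (HTTP 200, HTTPS handshake rejected), a comment above `labels:` would help, e.g. `# No cert for this vhost and the default cert is not trusted: HTTPS must be refused, HTTP is served.` The identical block is added to withdefault.yml and would take the same comment.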

+ 1 - 1
test/test_fallback.data/nohttp.yml

@@ -5,7 +5,7 @@ services:
     image: nginxproxy/nginx-proxy:test
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ./nodefault.certs:/etc/nginx/certs:ro
+      - ./withdefault.certs:/etc/nginx/certs:ro
     environment:
       HTTPS_METHOD: nohttp
 

+ 10 - 0
test/test_fallback.data/withdefault.yml

@@ -40,3 +40,13 @@ services:
     environment:
       WEB_PORTS: "84"
       VIRTUAL_HOST: missing-cert.nginx-proxy.test
+  
+  missing-cert-default-untrusted:
+    image: web
+    expose:
+      - "85"
+    environment:
+      WEB_PORTS: "85"
+      VIRTUAL_HOST: missing-cert.default-untrusted.nginx-proxy.test
+    labels:
+      com.github.nginx-proxy.nginx-proxy.trust-default-cert: "false"
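Review bot: The blank separator added before `missing-cert-default-untrusted` appears to carry two trailing spaces after the `+` marker, while the same addition in nohttp-with-missing-cert.yml is a truly empty line. yamllint's `trailing-spaces` rule flags this, and it makes the two otherwise identical blocks differ for no reason. The separator line should be empty.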

+ 13 - 8
test/test_fallback.py

@@ -45,6 +45,8 @@ INTERNAL_ERR_RE = re.compile("TLSV1_UNRECOGNIZED_NAME")
     ("withdefault.yml", "https://http-only.nginx-proxy.test/", 503, None),
     ("withdefault.yml", "http://missing-cert.nginx-proxy.test/", 301, None),
     ("withdefault.yml", "https://missing-cert.nginx-proxy.test/", 200, None),
+    ("withdefault.yml", "http://missing-cert.default-untrusted.nginx-proxy.test/", 200, None),
+    ("withdefault.yml", "https://missing-cert.default-untrusted.nginx-proxy.test/", None, INTERNAL_ERR_RE),
     ("withdefault.yml", "http://unknown.nginx-proxy.test/", 503, None),
     ("withdefault.yml", "https://unknown.nginx-proxy.test/", 503, None),
     # Same as withdefault.yml, except there is no default.crt.
@@ -58,24 +60,27 @@ INTERNAL_ERR_RE = re.compile("TLSV1_UNRECOGNIZED_NAME")
     ("nodefault.yml", "https://missing-cert.nginx-proxy.test/", None, INTERNAL_ERR_RE),
     ("nodefault.yml", "http://unknown.nginx-proxy.test/", 503, None),
     ("nodefault.yml", "https://unknown.nginx-proxy.test/", None, INTERNAL_ERR_RE),
-    # HTTPS_METHOD=nohttp on nginx-proxy, no default.crt, HTTPS_METHOD unset on the app container.
+    # HTTPS_METHOD=nohttp on nginx-proxy, HTTPS_METHOD unset on the app container.
     ("nohttp.yml", "http://https-only.nginx-proxy.test/", 503, None),
     ("nohttp.yml", "https://https-only.nginx-proxy.test/", 200, None),
     ("nohttp.yml", "http://unknown.nginx-proxy.test/", 503, None),
-    ("nohttp.yml", "https://unknown.nginx-proxy.test/", None, INTERNAL_ERR_RE),
-    # HTTPS_METHOD=redirect on nginx-proxy, no default.crt, HTTPS_METHOD=nohttp on the app container.
+    ("nohttp.yml", "https://unknown.nginx-proxy.test/", 503, None),
+    # HTTPS_METHOD=redirect on nginx-proxy, HTTPS_METHOD=nohttp on the app container.
     ("nohttp-on-app.yml", "http://https-only.nginx-proxy.test/", 503, None),
     ("nohttp-on-app.yml", "https://https-only.nginx-proxy.test/", 200, None),
     ("nohttp-on-app.yml", "http://unknown.nginx-proxy.test/", 503, None),
-    ("nohttp-on-app.yml", "https://unknown.nginx-proxy.test/", None, INTERNAL_ERR_RE),
-    # Same as nohttp.yml, except there is a vhost with a missing cert. This causes its
+    ("nohttp-on-app.yml", "https://unknown.nginx-proxy.test/", 503, None),
+    # Same as nohttp.yml, except there are two vhosts with a missing cert, the second
+    # one being configured not to trust the default certificate. This causes its
     # HTTPS_METHOD=nohttp setting to effectively become HTTPS_METHOD=noredirect.
     ("nohttp-with-missing-cert.yml", "http://https-only.nginx-proxy.test/", 503, None),
     ("nohttp-with-missing-cert.yml", "https://https-only.nginx-proxy.test/", 200, None),
-    ("nohttp-with-missing-cert.yml", "http://missing-cert.nginx-proxy.test/", 200, None),
-    ("nohttp-with-missing-cert.yml", "https://missing-cert.nginx-proxy.test/", None, INTERNAL_ERR_RE),
+    ("nohttp-with-missing-cert.yml", "http://missing-cert.nginx-proxy.test/", 503, None),
+    ("nohttp-with-missing-cert.yml", "https://missing-cert.nginx-proxy.test/", 200, None),
+    ("nohttp-with-missing-cert.yml", "http://missing-cert.default-untrusted.nginx-proxy.test/", 200, None),
+    ("nohttp-with-missing-cert.yml", "https://missing-cert.default-untrusted.nginx-proxy.test/", None, INTERNAL_ERR_RE),
     ("nohttp-with-missing-cert.yml", "http://unknown.nginx-proxy.test/", 503, None),
-    ("nohttp-with-missing-cert.yml", "https://unknown.nginx-proxy.test/", None, INTERNAL_ERR_RE),
+    ("nohttp-with-missing-cert.yml", "https://unknown.nginx-proxy.test/", 503, None),
     # HTTPS_METHOD=nohttps on nginx-proxy, HTTPS_METHOD unset on the app container.
     ("nohttps.yml", "http://http-only.nginx-proxy.test/", 200, None),
     ("nohttps.yml", "https://http-only.nginx-proxy.test/", None, INTERNAL_ERR_RE),
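Review bot: The rewritten comment above the `nohttp-with-missing-cert.yml` cases does not state that the untrusted vhost ends up answering over cleartext HTTP (expected 200) even though the proxy is set to `HTTPS_METHOD=nohttp`, and "its" is ambiguous now that two vhosts lack a certificate. Since these cases pin a fallback from HTTPS-only to plain HTTP as intended behaviour, the comment should say so explicitly, for example `# Only the second vhost falls back to noredirect: plain HTTP is served and the TLS handshake is refused.` followed by `# The first keeps nohttp and is served over HTTPS, presumably with the default certificate.` The parametrize list starts and ends outside this hunk, so whether other cases cover the same path cannot be seen here.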