Home Explore Help
Sign In
mirrors
/
nginx-proxy
mirror of https://github.com/nginx-proxy/nginx-proxy.git
2
0
Fork 0
Files
Browse Source

Merge pull request #2473 from nginx-proxy/enable-acme-challenge

feat: enable acme challenge location handling by default
Nicolas Duchon 1 year ago
parent
8de923fd33 cea905ff88
commit
9506e60f43
7 changed files with 13 additions and 11 deletions
Split View Show Diff Stats
  1. 8 6
      docs/README.md
  2. 1 1
      nginx.tmpl
  3. 0 0
      test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.py
  4. 0 2
      test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.yml
  5. 0 0
      test/test_acme_http_challenge_location/test_acme_challenge_location_legacy.py
  6. 2 0
      test/test_acme_http_challenge_location/test_acme_challenge_location_legacy.yml
  7. 2 2
      test/test_ssl/test_noredirect.py

+ 8 - 6
docs/README.md
View File 

@@ -421,10 +421,11 @@ If you are running the container in a virtualized environment (Hyper-V, VirtualB
 
 
 [acme-companion](https://github.com/nginx-proxy/acme-companion) is a lightweight companion container for the nginx-proxy. It allows the automated creation/renewal of SSL certificates using the ACME protocol.
 
 
-By default nginx-proxy generates location blocks to handle ACME HTTP Challenge, excepted when `HTTPS_METHOD=noredirect` or there is no certificate for the domain. Ths behavior can be changed with environment variable `ACME_HTTP_CHALLENGE_LOCATION`. It accepts these values:
 
-* `legacy`: default value; current default behavior
 
-* `true`: handle ACME HTTP Challenge in all cases
 
-* `false`: do not handle ACME HTTP Challenge at all.
 
+By default nginx-proxy generates location blocks to handle ACME HTTP Challenge. This behavior can be changed with environment variable `ACME_HTTP_CHALLENGE_LOCATION`. It accepts these values:
 
+
 
+- `true`: default behavior, handle ACME HTTP Challenge in all cases.
 
+- `false`: do not handle ACME HTTP Challenge at all.
 
+- `legacy`: legacy behavior for compatibility with older (<= `2.3`) versions of acme-companion, only handle ACME HTTP challenge when there is a certificate for the domain and `HTTPS_METHOD=redirect`.
 
 
 ### Diffie-Hellman Groups
 
 
@@ -578,8 +579,9 @@ _WARNING_: HSTS will force your users to visit the HTTPS version of your site fo
 
 ### Missing Certificate
 
 
 If no matching certificate is found for a given virtual host, nginx-proxy will:
 
-* configure nginx to use the default certificate (`default.crt` with `default.key`) and return a 500 error for HTTPS,
 
-* force enable HTTP; i.e. `HTTPS_METHOD` will switch to `noredirect` if it was set to `nohttp` or `redirect`.
 
+
 
+- configure nginx to use the default certificate (`default.crt` with `default.key`) and return a 500 error for HTTPS,
 
+- force enable HTTP; i.e. `HTTPS_METHOD` will switch to `noredirect` if it was set to `nohttp` or `redirect`.
 
 
 If the default certificate is also missing, nginx-proxy will configure nginx to accept HTTPS connections but fail the TLS negotiation. Client browsers will render a TLS error page. As of March 2023, web browsers display the following error messages:

+ 1 - 1
nginx.tmpl
View File 

@@ -596,7 +596,7 @@ proxy_set_header Proxy "";
 
     {{- end }}
 
     {{- $http2_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable"))) $globals.Env.ENABLE_HTTP2 "true")}}
 
     {{- $http3_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}}
 
-    {{- $acme_http_challenge := or (first (groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION")) $globals.Env.ACME_HTTP_CHALLENGE_LOCATION "legacy" }}
 
+    {{- $acme_http_challenge := or (first (groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION")) $globals.Env.ACME_HTTP_CHALLENGE_LOCATION "true" }}
 
     {{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }}
 
     {{- $acme_http_challenge_enabled := false }}
 
     {{- if (not $acme_http_challenge_legacy) }}

+ 0 - 0
test/test_acme_http_challenge_location/test_acme_challenge_location_enabled.py → test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.py
View File


+ 0 - 2
test/test_acme_http_challenge_location/test_acme_challenge_location_enabled.yml → test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.yml
View File 

@@ -39,8 +39,6 @@ services:
 
 
   sut:
 
     image: nginxproxy/nginx-proxy:test
 
-    environment:
 
-      ACME_HTTP_CHALLENGE_LOCATION: "true"
 
     volumes:
 
       - /var/run/docker.sock:/tmp/docker.sock:ro
 
       - ./certs:/etc/nginx/certs:ro

+ 0 - 0
test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.py → test/test_acme_http_challenge_location/test_acme_challenge_location_legacy.py
View File


+ 2 - 0
test/test_acme_http_challenge_location/test_acme_challenge_location_legacy_is_default.yml → test/test_acme_http_challenge_location/test_acme_challenge_location_legacy.yml
View File 

@@ -20,6 +20,8 @@ services:
 
 
   sut:
 
     image: nginxproxy/nginx-proxy:test
 
+    environment:
 
+      ACME_HTTP_CHALLENGE_LOCATION: "legacy"
 
     volumes:
 
       - /var/run/docker.sock:/tmp/docker.sock:ro
 
       - ./certs:/etc/nginx/certs:ro

+ 2 - 2
test/test_ssl/test_noredirect.py
View File 

@@ -19,9 +19,9 @@ def test_web2_HSTS_policy_is_inactive(docker_compose, nginxproxy):
 
     assert "Strict-Transport-Security" not in r.headers
 
 
 
-def test_web3_acme_challenge_does_not_work(docker_compose, nginxproxy, acme_challenge_path):
 
+def test_web3_acme_challenge_does_work(docker_compose, nginxproxy, acme_challenge_path):
 
     r = nginxproxy.get(
 
         f"http://web3.nginx-proxy.tld/{acme_challenge_path}",
 
         allow_redirects=False
 
     )
 
-    assert r.status_code == 404
 
+    assert r.status_code == 200