
Merged conflict in BATS SSL test

Steve Kamerman 8 年之前
父節點
當前提交
d320b43476
共有 3 個文件被更改,包括 36 次插入12 次删除
  1. 7 6
      README.md
  2. 1 1
      nginx.tmpl
  3. 28 5
      test/ssl.bats

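--- a/README.md
+++ b/README.md
@@ -197,12 +197,13 @@ a 503.
 
 To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the
 environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`).  You can also
-disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. `HTTPS_METHOD` must be specified
-on each container for which you want to override the default behavior.  If `HTTPS_METHOD=noredirect` is
-used, Strict Transport Security (HSTS) is disabled to prevent HTTPS users from being redirected by the
-client.  If you cannot get to the HTTP site after changing this setting, your browser has probably cached
-the HSTS policy and is automatically redirecting you back to HTTPS.  You will need to clear your browser's
-HSTS cache or use an incognito window / different browser.
+disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with 
+`HTTPS_METHOD=nohttps`. `HTTPS_METHOD` must be specified on each container for which you want to 
+override the default behavior.  If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS) 
+is disabled to prevent HTTPS users from being redirected by the client.  If you cannot get to the HTTP 
+site after changing this setting, your browser has probably cached the HSTS policy and is automatically 
+redirecting you back to HTTPS.  You will need to clear your browser's HSTS cache or use an incognito 
+window / different browser.
 
 ### Basic Authentication Support
 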

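--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -147,7 +147,7 @@ upstream {{ $upstream_name }} {
 {{/* Use the cert specified on the container or fallback to the best vhost match */}}
 {{ $cert := (coalesce $certName $vhostCert) }}
 
-{{ $is_https := (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
+{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
 
 {{ if $is_https }}
 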
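Review bot: The new `(ne $https_method "nohttps")` term in the `$is_https` assignment turns a host that has a valid cert/key pair into a plaintext-only host, and nothing at that line says so. I would put a template comment directly above it, for example `{{/* HTTPS_METHOD=nohttps: serve this vhost over plain HTTP only, even when a matching cert/key pair exists */}}`. Where `$https_method` is assigned is outside this hunk; if it is resolved once per vhost rather than per container, a single container setting `nohttps` would presumably drop TLS for every container behind that name, which is worth confirming. Clients that cached an HSTS policy from an earlier HTTPS deployment of the same host will keep forcing HTTPS and then fail, a case the README text explains only for `noredirect`. The `{{ if $is_https }}` block continues outside the hunk.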

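--- a/test/ssl.bats
+++ b/test/ssl.bats
@@ -17,7 +17,7 @@ function setup {
 
 @test "[$TEST_FILE] test SSL for VIRTUAL_HOST=*.nginx-proxy.bats" {
 	# WHEN
-	prepare_web_container bats-ssl-hosts-1 "80 443" \
+	prepare_web_container bats-ssl-hosts-1 "80" \
 		-e VIRTUAL_HOST=*.nginx-proxy.bats \
 		-e CERT_NAME=nginx-proxy.bats
 	dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1
@@ -30,7 +30,7 @@ function setup {
 
 @test "[$TEST_FILE] test HTTPS_METHOD=nohttp" {
 	# WHEN
-	prepare_web_container bats-ssl-hosts-2 "80 443" \
+	prepare_web_container bats-ssl-hosts-2 "80" \
 		-e VIRTUAL_HOST=*.nginx-proxy.bats \
 		-e CERT_NAME=nginx-proxy.bats \
 		-e HTTPS_METHOD=nohttp
@@ -44,7 +44,7 @@ function setup {
 
 @test "[$TEST_FILE] test HTTPS_METHOD=noredirect" {
 	# WHEN
-	prepare_web_container bats-ssl-hosts-3 "80 443" \
+	prepare_web_container bats-ssl-hosts-3 "80" \
 		-e VIRTUAL_HOST=*.nginx-proxy.bats \
 		-e CERT_NAME=nginx-proxy.bats \
 		-e HTTPS_METHOD=noredirect
@@ -58,7 +58,7 @@ function setup {
 
 @test "[$TEST_FILE] test SSL Strict-Transport-Security" {
 	# WHEN
-	prepare_web_container bats-ssl-hosts-4 "80 443" \
+	prepare_web_container bats-ssl-hosts-4 "80" \
 		-e VIRTUAL_HOST=*.nginx-proxy.bats \
 		-e CERT_NAME=nginx-proxy.bats
 	dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-4
@@ -72,7 +72,7 @@ function setup {
 
 @test "[$TEST_FILE] test HTTPS_METHOD=noredirect disables Strict-Transport-Security" {
 	# WHEN
-	prepare_web_container bats-ssl-hosts-5 "80 443" \
+	prepare_web_container bats-ssl-hosts-5 "80" \
 		-e VIRTUAL_HOST=*.nginx-proxy.bats \
 		-e CERT_NAME=nginx-proxy.bats \
 		-e HTTPS_METHOD=noredirect
@@ -85,6 +85,20 @@ function setup {
 	refute_output -p "Strict-Transport-Security: max-age=31536000"
 }
 
+@test "[$TEST_FILE] test HTTPS_METHOD=nohttps" {
+	# WHEN
+	prepare_web_container bats-ssl-hosts-6 "80" \
+		-e VIRTUAL_HOST=*.nginx-proxy.bats \
+		-e CERT_NAME=nginx-proxy.bats \
+		-e HTTPS_METHOD=nohttps
+	dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-6
+	sleep 1
+
+	# THEN
+	assert_down_https test.nginx-proxy.bats
+	assert_200 test.nginx-proxy.bats
+}
+
 @test "[$TEST_FILE] stop all bats containers" {
 	stop_bats_containers
 }
@@ -117,6 +131,15 @@ function assert_301 {
 	assert_output -l 0 $'HTTP/1.1 301 Moved Permanently\r'
 }
 
+# assert that querying nginx-proxy with the given Host header fails because the host is down
+# $1 Host HTTP header to use when querying nginx-proxy
+function assert_down_https {
+	local -r host=$1
+
+	run curl_container_https $SUT_CONTAINER / --head --header "Host: $host"
+	assert_failure
+}
+
 # assert that querying nginx-proxy with the given Host header produces a `HTTP 200` response
 # $1 Host HTTP header to use when querying nginx-proxy
 function assert_200_https {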
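Review bot: `assert_down_https` passes on any non-zero exit from `curl_container_https`, so the `HTTPS_METHOD=nohttps` test cannot tell "no HTTPS vhost was generated" apart from an unrelated failure such as a broken helper or a timeout. Checking `$status` against the one curl exit code expected for this setup, or asserting on what port 443 actually returns for that Host, would make it a real regression test for the plaintext-only mode; which code applies depends on whether nginx still listens on 443, which the hunk does not show. The header comment also says the host "is down" although the `assert_200` that follows in the test proves it is up; `# assert that an HTTPS query to nginx-proxy with the given Host header fails (no HTTPS vhost is served)` would be accurate. `assert_200_https` begins on the last line of the hunk and its body is outside it.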