صفحهٔ اصلی گشت‌و‌گذار راهنما
ورود
mirrors
/
nginx-proxy
mirrorاز https://github.com/nginx-proxy/nginx-proxy.git
2
0
انشعاب 0
پرونده‌ها
فهرست منبع

Removed HSTS when HTTPS_METHOD=noredirect, added tests, improved docs wrt HSTS

Steve Kamerman 9 سال پیش
والد
3d77979efb
کامیت
da3e257843
3فایلهای تغییر یافته به همراه37 افزوده شده و 2 حذف شده
نمای یکپارچه نمایش آمار تفاوت ها
  1. 6 2
      README.md
  2. 2 0
      nginx.tmpl
  3. 29 0
      test/ssl.bats

+ 6 - 2
README.md
مشاهده فایل 

@@ -143,8 +143,12 @@ a 503.
 
 
 
 To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the
 
 To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the
 
 environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`).  You can also
 
 environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`).  You can also
 
-disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. Note that `HTTPS_METHOD` must be specified
 
-on each container for which you want to override the default behavior.
 
+disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. `HTTPS_METHOD` must be specified
 
+on each container for which you want to override the default behavior.  If `HTTPS_METHOD=noredirect` is
 
+used, Strict Transport Security (HSTS) is disabled to prevent HTTPS users from being redirected by the
 
+client.  If you cannot get to the HTTP site after changing this setting, your browser has probably cached
 
+the HSTS policy and is automatically redirecting you back to HTTPS.  You will need to clear your browser's
 
+HSTS cache or use an incognito window / different browser.
 
 
 
 ### Basic Authentication Support
 
 ### Basic Authentication Support

+ 2 - 0
nginx.tmpl
مشاهده فایل 

@@ -153,7 +153,9 @@ server {
 
 	ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
 
 	ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
 
 	{{ end }}
 
 	{{ end }}
 
 
 
+	{{ if (ne $https_method "noredirect") }}
 
 	add_header Strict-Transport-Security "max-age=31536000";
 
 	add_header Strict-Transport-Security "max-age=31536000";
 
+	{{ end }}
 
 
 
 	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
 
 	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
 
 	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
 
 	include {{ printf "/etc/nginx/vhost.d/%s" $host }};

+ 29 - 0
test/ssl.bats
مشاهده فایل 

@@ -56,6 +56,35 @@ function setup {
 
 	assert_200_https test.nginx-proxy.bats
 
 	assert_200_https test.nginx-proxy.bats
 
 }
 
 }
 
 
 
+@test "[$TEST_FILE] test SSL Strict-Transport-Security" {
 
+	# WHEN
 
+	prepare_web_container bats-ssl-hosts-4 "80 443" \
 
+		-e VIRTUAL_HOST=*.nginx-proxy.bats \
 
+		-e CERT_NAME=nginx-proxy.bats
 
+	dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1
 
+	sleep 1
 
+
 
+	# THEN
 
+	assert_301 test.nginx-proxy.bats
 
+	assert_200_https test.nginx-proxy.bats
 
+    assert_output -p "Strict-Transport-Security: max-age=31536000"
 
+}
 
+
 
+@test "[$TEST_FILE] test HTTPS_METHOD=noredirect disables Strict-Transport-Security" {
 
+	# WHEN
 
+	prepare_web_container bats-ssl-hosts-5 "80 443" \
 
+		-e VIRTUAL_HOST=*.nginx-proxy.bats \
 
+		-e CERT_NAME=nginx-proxy.bats \
 
+		-e HTTPS_METHOD=noredirect
 
+	dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-3
 
+	sleep 1
 
+
 
+	# THEN
 
+	assert_200 test.nginx-proxy.bats
 
+	assert_200_https test.nginx-proxy.bats
 
+    refute_output -p "Strict-Transport-Security: max-age=31536000"
 
+}
 
+
 
 
 
 @test "[$TEST_FILE] stop all bats containers" {
 
 @test "[$TEST_FILE] stop all bats containers" {
 
 	stop_bats_containers
 
 	stop_bats_containers