Browse Source

Merge pull request #768 from thomasleveil/wildcard_cert_nohttps

TESTS: add test for wildcard cert + nohttps + default.crt
Jason Wilder 8 years ago
parent
commit
fed6df3756

+ 6 - 0
test/test_ssl/wildcard_cert_and_nohttps/README.md

@@ -0,0 +1,6 @@
+In this scenario, we have a wildcard certificate for `*.web.nginx-proxy.tld` and 3 web containers:
+- 1.web.nginx-proxy.tld
+- 2.web.nginx-proxy.tld
+- 3.web.nginx-proxy.tld
+
+We want web containers 1 and 2 to support SSL, but 3 should not (using `HTTPS_METHOD=nohttps`)

+ 70 - 0
test/test_ssl/wildcard_cert_and_nohttps/certs/default.crt

@@ -0,0 +1,70 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4096 (0x1000)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: O=nginx-proxy test suite, CN=www.nginx-proxy.tld
+        Validity
+            Not Before: Mar 15 00:17:52 2017 GMT
+            Not After : Jul 31 00:17:52 2044 GMT
+        Subject: CN=nginx-proxy.tld
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:f2:fd:79:70:99:0c:da:63:5c:81:28:72:31:01:
+                    62:e9:68:d7:cb:8d:c6:95:f9:ec:26:34:1c:08:c6:
+                    6d:de:ad:d8:b0:c0:ae:48:03:73:76:6b:3f:c5:35:
+                    86:c6:42:91:53:3c:aa:85:89:84:92:67:92:ef:a9:
+                    5b:f2:d4:04:73:34:02:35:d4:6a:fa:c2:da:91:4a:
+                    a9:70:87:25:38:84:1d:93:99:3c:d7:03:61:a6:6d:
+                    33:6f:83:45:04:af:4f:96:62:1e:c1:79:87:c9:d5:
+                    4c:e9:8f:85:e2:c8:1b:5b:fc:b8:02:ff:7b:6d:34:
+                    4c:5d:40:73:44:9e:c5:1f:5f:e0:0f:89:88:c4:35:
+                    2b:04:53:8c:8e:a0:7c:7c:97:16:20:c2:4f:a1:c0:
+                    dd:bf:d5:13:2d:64:25:03:f2:d8:d5:27:01:70:c9:
+                    f4:37:33:36:7e:7b:48:54:ec:37:2b:81:3d:50:3c:
+                    d4:5f:05:19:e2:0b:ba:76:f6:2c:3b:23:4b:82:78:
+                    5f:e9:e3:57:fc:39:4a:5c:42:82:72:c8:a3:af:b7:
+                    b3:91:e4:01:9c:2c:47:5e:ff:aa:ad:63:1c:e7:9c:
+                    2e:a2:ac:5d:51:30:83:67:6e:f8:5a:ed:0b:70:e4:
+                    68:d4:e9:5e:a7:f5:5e:87:3b:e8:31:ad:00:04:f8:
+                    7b:d9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:nginx-proxy.tld
+    Signature Algorithm: sha256WithRSAEncryption
+         39:d4:cc:78:a3:5e:64:e9:ab:9d:a9:89:3b:9e:18:01:98:cb:
+         e2:0c:ef:e9:2b:50:34:ed:63:ed:e6:0e:53:59:30:80:e0:3b:
+         5e:08:ca:09:55:da:e3:3e:c2:01:d8:d6:ca:92:2a:0b:ee:2c:
+         a1:93:18:7b:15:28:8d:2a:17:25:76:eb:ef:70:e0:d7:02:d3:
+         ad:81:33:47:9b:fb:d8:52:87:69:a4:3a:20:a4:9a:2d:3f:40:
+         5f:52:bf:0b:96:e3:52:c3:59:55:dc:5a:37:f3:e6:d6:16:46:
+         64:e4:20:32:5d:cd:4b:da:2b:ef:e9:85:af:00:a1:ca:a1:08:
+         ed:0f:f4:65:dc:2a:c9:b3:4e:cc:f3:82:d7:69:3a:4d:fc:8e:
+         db:10:95:28:20:07:55:f0:d1:11:1f:c5:00:74:88:c6:c9:94:
+         15:90:93:3a:de:90:85:fb:72:9c:d8:57:58:05:7d:bb:6a:36:
+         eb:d8:12:22:41:0e:fc:c9:24:79:c0:28:4f:4f:1b:4b:59:f9:
+         e4:c6:97:be:b1:94:74:de:a7:65:d3:cb:0a:56:3b:d3:63:fc:
+         b2:05:fc:e7:ec:bb:45:04:91:9f:21:f9:05:3b:5d:4c:af:8e:
+         84:04:f5:25:fb:4d:ab:db:23:56:74:7e:4f:b3:da:bb:27:e7:
+         ea:fb:bd:00
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwPzEfMB0GA1UECgwWbmdp
+bngtcHJveHkgdGVzdCBzdWl0ZTEcMBoGA1UEAwwTd3d3Lm5naW54LXByb3h5LnRs
+ZDAeFw0xNzAzMTUwMDE3NTJaFw00NDA3MzEwMDE3NTJaMBoxGDAWBgNVBAMMD25n
+aW54LXByb3h5LnRsZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPL9
+eXCZDNpjXIEocjEBYulo18uNxpX57CY0HAjGbd6t2LDArkgDc3ZrP8U1hsZCkVM8
+qoWJhJJnku+pW/LUBHM0AjXUavrC2pFKqXCHJTiEHZOZPNcDYaZtM2+DRQSvT5Zi
+HsF5h8nVTOmPheLIG1v8uAL/e200TF1Ac0SexR9f4A+JiMQ1KwRTjI6gfHyXFiDC
+T6HA3b/VEy1kJQPy2NUnAXDJ9DczNn57SFTsNyuBPVA81F8FGeILunb2LDsjS4J4
+X+njV/w5SlxCgnLIo6+3s5HkAZwsR17/qq1jHOecLqKsXVEwg2du+FrtC3DkaNTp
+Xqf1Xoc76DGtAAT4e9kCAwEAAaMeMBwwGgYDVR0RBBMwEYIPbmdpbngtcHJveHku
+dGxkMA0GCSqGSIb3DQEBCwUAA4IBAQA51Mx4o15k6audqYk7nhgBmMviDO/pK1A0
+7WPt5g5TWTCA4DteCMoJVdrjPsIB2NbKkioL7iyhkxh7FSiNKhclduvvcODXAtOt
+gTNHm/vYUodppDogpJotP0BfUr8LluNSw1lV3Fo38+bWFkZk5CAyXc1L2ivv6YWv
+AKHKoQjtD/Rl3CrJs07M84LXaTpN/I7bEJUoIAdV8NERH8UAdIjGyZQVkJM63pCF
++3Kc2FdYBX27ajbr2BIiQQ78ySR5wChPTxtLWfnkxpe+sZR03qdl08sKVjvTY/yy
+Bfzn7LtFBJGfIfkFO11Mr46EBPUl+02r2yNWdH5Ps9q7J+fq+70A
+-----END CERTIFICATE-----

+ 27 - 0
test/test_ssl/wildcard_cert_and_nohttps/certs/default.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA8v15cJkM2mNcgShyMQFi6WjXy43GlfnsJjQcCMZt3q3YsMCu
+SANzdms/xTWGxkKRUzyqhYmEkmeS76lb8tQEczQCNdRq+sLakUqpcIclOIQdk5k8
+1wNhpm0zb4NFBK9PlmIewXmHydVM6Y+F4sgbW/y4Av97bTRMXUBzRJ7FH1/gD4mI
+xDUrBFOMjqB8fJcWIMJPocDdv9UTLWQlA/LY1ScBcMn0NzM2fntIVOw3K4E9UDzU
+XwUZ4gu6dvYsOyNLgnhf6eNX/DlKXEKCcsijr7ezkeQBnCxHXv+qrWMc55wuoqxd
+UTCDZ274Wu0LcORo1Olep/VehzvoMa0ABPh72QIDAQABAoIBAQDqcaW5/fFoxHV8
+KIoEvlGw4ndS7nesPHacZaqmzM01DIcGAuIkmS/OEax1mi9vGsschGwCa6x9lXEv
+yzfsEqQ4gvWe+lQ9ncNEa8UPzVUcMlxXDIKm8ZxF9xapgP4Whw9DCWijQ57AHg0X
+TGLhbDD5j9v7CIUN2GfVkVml24pVuUoeXqv7ZLzTJKZ+Q/eqxyeIikjFheXzaQxb
+bUHbEHIXJtHMYULXmfc5WCxuobHqal3z0ymCijoZVXV8hp8dtDP34tRV9MID9wck
+lRUVqboFCIXxmLLRTZgyCbiFLkCIu2nmgNobWCNfkHN7QQhToPEecSFMZzYtmo6/
+T1fHE3ABAoGBAP1J1Izfc4CF9t2iPGzXyn8oNkXHLMPKtFQ2Rb8XwBryUOOrAHqT
+FIZ2FsDJr0VvS1ihFs1kbO+WAY5W5GytwiiVXvztHz3/f5JnGgvMCeUcEmaj90vq
+sTyfHc2OKFjumIjGe87uav3bgac7nOWLO+RIJ/ua6UO7/8psqwryxY4FAoGBAPWX
+a502kT56VwI3Gf8hb37PZ/PD+gOzgzVcMn13yLZ4gC9xoP4TKUBHSz4wO8asjKk5
+1RD/DITXYKelyRXynOtMW+2j2s5bVBpOshN/n9jRC1haoGJZYb2JVP6+8WoZKQOF
+NwgNlI4he32kSFw59fjkdG64iw7KY8ZYUatkrgrFAoGBAPozTjUCHfRdYOi6c/oI
+h81oCYSQJVYbDFsLaYZEjc2Qg/sBVm2+kE3qpLs3/10VfVZFemLVyw44Hb1fdDEu
+y1aPhs9N5Mi3dGtIUWBJ45RgUIT3fzeM1BtQCn6c6JpAxoiFmJNmzGWLyd1Kc8gD
+69uqs2RFOBtiwGBTS/p6qk+JAoGBAM1QkpnzFYf69SSX9jbRuAl20Xv8GdbgS0/f
+zSIRcw4BPYDsaOAgGrtvHttVrZORi2KqQ5Ma9ldUS6y8L5kWo9MemjfYZUNhHLWF
+luAwMO0tDmQGF9FA0jKHTjROYzsE38Heq7wixk/wc/H81rWrixRRwXkS9MYfszwN
+d/FmkQ3VAoGAXHZrDEygUmf4q0LwjLVF0TPzElh530qVmyhPa0OBs/hVh9Mwv/i6
+fj3+k7uYWgKDzcaVXSMOFGt515F8qy0AUEY9r+IjAn01KTLKO4ZuPiSpxliqDbCs
+gzsX9CWVSVgTN+TY15QCoJNpzLiyrXe3uldAP5JEBQSnjt9OfSJQ5IU=
+-----END RSA PRIVATE KEY-----

+ 71 - 0
test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.crt

@@ -0,0 +1,71 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4096 (0x1000)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: O=nginx-proxy test suite, CN=www.nginx-proxy.tld
+        Validity
+            Not Before: Mar 14 23:19:36 2017 GMT
+            Not After : Jul 30 23:19:36 2044 GMT
+        Subject: CN=*.web.nginx-proxy.tld
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ce:2b:74:13:b2:1a:d5:72:5c:3e:10:f7:63:01:
+                    22:df:e8:d9:cf:0b:8a:3f:40:75:62:58:78:27:9e:
+                    af:33:d2:a1:19:6a:e1:b7:57:db:d9:8f:05:70:c2:
+                    35:5d:f1:44:0d:51:62:74:73:e5:77:d9:bb:c6:d0:
+                    33:7a:43:88:e9:e6:3c:2d:d4:39:9d:61:34:5a:19:
+                    f3:c1:96:e0:bd:26:5b:69:18:a6:4c:8c:21:04:d8:
+                    fa:56:22:ec:55:0d:ba:49:4d:8e:27:69:7f:82:e9:
+                    e7:e9:c4:b7:87:70:d7:d7:4b:49:d1:c1:8c:b0:5a:
+                    13:62:db:de:c1:94:31:d1:c9:74:c4:63:01:50:10:
+                    70:42:73:67:c4:76:32:fb:d2:b7:91:2f:e8:cf:3a:
+                    96:4a:ee:8e:0d:13:74:73:1b:e4:74:83:e7:66:d6:
+                    8d:81:19:54:5b:d8:47:3e:3b:b5:fd:35:a2:df:f3:
+                    7d:1c:9e:67:ee:50:da:28:9c:02:0a:ad:75:8d:04:
+                    f7:28:1f:04:89:13:ac:ed:a9:34:26:dc:f7:f9:1f:
+                    72:21:d5:72:fb:09:d9:cb:40:c0:0d:36:3c:c0:77:
+                    0e:9a:f7:41:f1:3b:dd:b6:05:ab:13:60:c5:fd:c6:
+                    5f:f5:05:c4:42:00:ba:b5:ef:fb:dc:64:98:d9:4d:
+                    2b:07
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:*.web.nginx-proxy.tld
+    Signature Algorithm: sha256WithRSAEncryption
+         9b:78:39:b3:90:8f:31:8c:7d:02:aa:6f:46:3d:8c:f5:93:86:
+         03:e2:d8:9b:73:d1:e7:70:f1:d6:e6:3c:41:41:8c:76:c9:29:
+         a4:83:47:c7:10:fd:d0:8b:fa:60:26:a8:36:41:a4:69:89:81:
+         ec:bf:fd:33:72:bb:83:ea:42:e4:59:3f:10:df:d1:de:e2:bb:
+         eb:fa:97:44:fe:f4:55:29:69:ca:a5:88:b2:94:60:58:5a:1a:
+         19:16:fb:9f:42:4c:7c:d3:6b:21:45:22:56:5c:76:07:97:35:
+         27:8f:46:d2:77:5b:65:1b:94:99:cb:73:37:ae:cf:61:6c:7a:
+         5c:b3:3b:19:f2:9f:99:8f:89:eb:98:0b:74:0d:30:f5:49:19:
+         d6:41:32:4e:c9:fc:59:2a:4a:53:2c:83:89:3d:e8:89:ed:37:
+         d0:b4:f1:09:49:b5:0b:76:fd:a5:75:23:fb:01:c8:bb:59:02:
+         5c:e4:8e:9c:f9:5b:85:5f:67:fb:04:40:de:bc:e8:c3:15:2f:
+         ba:00:5c:36:57:47:e3:1a:95:44:5f:f4:10:55:b0:c4:af:12:
+         dc:0e:6c:18:4a:70:9e:73:90:8d:55:37:73:a5:1a:41:7f:00:
+         79:96:34:01:6b:10:2d:e9:61:3d:8f:8a:9a:c8:b6:bc:0f:57:
+         91:84:7c:26
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwPzEfMB0GA1UECgwWbmdp
+bngtcHJveHkgdGVzdCBzdWl0ZTEcMBoGA1UEAwwTd3d3Lm5naW54LXByb3h5LnRs
+ZDAeFw0xNzAzMTQyMzE5MzZaFw00NDA3MzAyMzE5MzZaMCAxHjAcBgNVBAMMFSou
+d2ViLm5naW54LXByb3h5LnRsZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAM4rdBOyGtVyXD4Q92MBIt/o2c8Lij9AdWJYeCeerzPSoRlq4bdX29mPBXDC
+NV3xRA1RYnRz5XfZu8bQM3pDiOnmPC3UOZ1hNFoZ88GW4L0mW2kYpkyMIQTY+lYi
+7FUNuklNjidpf4Lp5+nEt4dw19dLSdHBjLBaE2Lb3sGUMdHJdMRjAVAQcEJzZ8R2
+MvvSt5Ev6M86lkrujg0TdHMb5HSD52bWjYEZVFvYRz47tf01ot/zfRyeZ+5Q2iic
+AgqtdY0E9ygfBIkTrO2pNCbc9/kfciHVcvsJ2ctAwA02PMB3Dpr3QfE73bYFqxNg
+xf3GX/UFxEIAurXv+9xkmNlNKwcCAwEAAaMkMCIwIAYDVR0RBBkwF4IVKi53ZWIu
+bmdpbngtcHJveHkudGxkMA0GCSqGSIb3DQEBCwUAA4IBAQCbeDmzkI8xjH0Cqm9G
+PYz1k4YD4tibc9HncPHW5jxBQYx2ySmkg0fHEP3Qi/pgJqg2QaRpiYHsv/0zcruD
+6kLkWT8Q39He4rvr+pdE/vRVKWnKpYiylGBYWhoZFvufQkx802shRSJWXHYHlzUn
+j0bSd1tlG5SZy3M3rs9hbHpcszsZ8p+Zj4nrmAt0DTD1SRnWQTJOyfxZKkpTLIOJ
+PeiJ7TfQtPEJSbULdv2ldSP7Aci7WQJc5I6c+VuFX2f7BEDevOjDFS+6AFw2V0fj
+GpVEX/QQVbDErxLcDmwYSnCec5CNVTdzpRpBfwB5ljQBaxAt6WE9j4qayLa8D1eR
+hHwm
+-----END CERTIFICATE-----

+ 27 - 0
test/test_ssl/wildcard_cert_and_nohttps/certs/web.nginx-proxy.tld.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAzit0E7Ia1XJcPhD3YwEi3+jZzwuKP0B1Ylh4J56vM9KhGWrh
+t1fb2Y8FcMI1XfFEDVFidHPld9m7xtAzekOI6eY8LdQ5nWE0WhnzwZbgvSZbaRim
+TIwhBNj6ViLsVQ26SU2OJ2l/gunn6cS3h3DX10tJ0cGMsFoTYtvewZQx0cl0xGMB
+UBBwQnNnxHYy+9K3kS/ozzqWSu6ODRN0cxvkdIPnZtaNgRlUW9hHPju1/TWi3/N9
+HJ5n7lDaKJwCCq11jQT3KB8EiROs7ak0Jtz3+R9yIdVy+wnZy0DADTY8wHcOmvdB
+8TvdtgWrE2DF/cZf9QXEQgC6te/73GSY2U0rBwIDAQABAoIBAGVkDVPaVUP/V8nW
+QjNYTbRcKTGfdT+iDZht9blWWsdboIqFe7fU53PY2E4Z1HD8xADgs1Cd5o3IcIZX
+wdkw+VY+Of43zpXNRhfBh5T/BEtBX9cRnkcq6todcw+FYUB63dBK6cwMH/9b1Qes
+DK35GszwY79aNjxMMBiAFM6SeOW4EElPsV8wd9ldX/ndiZuwkZ6k9PfyWrfeeaF+
+EwVf/HaT0bV7cHQ73tYqzKjMpdbzIyaMzuAMGZDwPfLK+O1rEsWvLvK0ypl2Omzw
+ndon8U3z0JPNmBGoq+SFS2qtCeOezNX3lPz+TWxG05R5iiFtuK83zJ5qGqCgCNZ6
+qzpZsOECgYEA/NvWqT5MdZS1fdL2wROzFMTH4OBdUGr1Gh/DsNZj4qFVSFl969mA
+7Vntm+koNLFsJt2EB67kC3ZWjozLXomHJ55/uKNnJ5LrLxczQ9x4l52CsTzrlvFq
+crYjQZDmeN3B4Z+8RSi2icq6j1PeaCZRTvcz6eBjNYj/v/O0SmiXIp8CgYEA0Lsh
+fZWuw23a8UXS2YUrXXqfIEdisVMnLRu3Zi0Y1R4lIpuwn5+2n+TxnuWcY1q+ZTMw
+dcmGPi6aRj81kEN/Kw5raKoVb6YywTNB4/Dwz7PRQH386FrjfivGXGEEINgbPQ09
+2u0QV2Cr9yMGZ5qNXut70RYewkxjF7+s6L8+RpkCgYB9ikBHgtC/R/fb4pP0RG2T
+ECgUtBBgTtomAENOVwL8kBEhfJ0SLcjfDtjzoYz+rF//49cbYW+DaVuMJscJxso9
+l2neJ/KdKUpu9NvVA280B1XN3WsyY+Xv0hIrCWAD/kW2WXJF+/K08twxMPipSOzx
+gbZalbdr6vrfOIX4s3jmDQKBgDiXA3Vw53jEh99x9sBSgndNj2bI89DvomdwZECn
+aVweWCMR4sjkHDctcvSJe+TT7VqyjijhAixJpjn1WShLpGaf+i7eLgGfJZOLugl6
+gU9OiSTbA35bZeIHLDhPdTcSYBAlTufT7eJCq1zNeicMl9dsMJ13Sc+TtinyJYbU
+kqXBAoGBAL9gRa1PkNkpCJ5F9aYSohCAXB7DaAgYvVyvOTQ8Bw2uACPgdnpHmxQd
+/sT7qJ1h8ZCtn89Ug/4yx79eUcOImugoCRIUVtq1xhyXUdVl55Tuy5bKBSSAe/Vh
+T7sAmryCkzn9ihRziY2j84vK0mdMkCU5AoatPg5l0g1adn5zcY6q
+-----END RSA PRIVATE KEY-----

+ 33 - 0
test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml

@@ -0,0 +1,33 @@
+version: "3"
+
+services:
+
+  proxy:
+    image: jwilder/nginx-proxy:test
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - ./certs:/etc/nginx/certs:ro
+
+  web1:
+    image: web
+    expose:
+      - "81"
+    environment:
+      WEB_PORTS: "81"
+      VIRTUAL_HOST: "1.web.nginx-proxy.tld"
+  web2:
+    image: web
+    expose:
+      - "82"
+    environment:
+      WEB_PORTS: "82"
+      VIRTUAL_HOST: "2.web.nginx-proxy.tld"
+
+  web3_nohttps:
+    image: web
+    expose:
+      - "83"
+    environment:
+      WEB_PORTS: "83"
+      VIRTUAL_HOST: "3.web.nginx-proxy.tld"
+      HTTPS_METHOD: nohttps

+ 31 - 0
test/test_ssl/wildcard_cert_and_nohttps/test_wildcard_cert_nohttps.py

@@ -0,0 +1,31 @@
+import pytest
+from backports.ssl_match_hostname import CertificateError
+
+
+@pytest.mark.parametrize("subdomain,should_redirect_to_https", [
+    (1, True),
+    (2, True),
+    (3, False),
+])
+def test_http_redirects_to_https(docker_compose, nginxproxy, subdomain, should_redirect_to_https):
+    r = nginxproxy.get("http://%s.web.nginx-proxy.tld/port" % subdomain)
+    if should_redirect_to_https:
+        assert r.history[0].is_redirect
+        assert r.history[0].headers.get("Location") == "https://%s.web.nginx-proxy.tld/port" % subdomain
+    assert "answer from port 8%s\n" % subdomain == r.text
+
+
+@pytest.mark.parametrize("subdomain", [1, 2])
+def test_https_get_served(docker_compose, nginxproxy, subdomain):
+    r = nginxproxy.get("https://%s.web.nginx-proxy.tld/port" % subdomain, allow_redirects=False)
+    assert r.status_code == 200
+    assert "answer from port 8%s\n" % subdomain == r.text
+
+
+def test_web3_https_is_500_and_SSL_validation_fails(docker_compose, nginxproxy):
+    with pytest.raises(CertificateError) as excinfo:
+        nginxproxy.get("https://3.web.nginx-proxy.tld/port")
+    assert """hostname '3.web.nginx-proxy.tld' doesn't match 'nginx-proxy.tld'""" in str(excinfo.value)
+
+    r = nginxproxy.get("https://3.web.nginx-proxy.tld/port", verify=False)
+    assert r.status_code == 500