From 3d77979efbaaf034d57944aafbb2616c5ec7eae9 Mon Sep 17 00:00:00 2001
From: Steve Kamerman
Date: Thu, 19 May 2016 23:15:25 -0400
Subject: [PATCH 1/2] Expanded documentation on HTTPS_METHOD

---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 2e217be..37affdc 100644
--- a/README.md
+++ b/README.md
@@ -143,7 +143,8 @@ a 503.
 
 To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the
 environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also
-disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`.
+disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. Note that `HTTPS_METHOD` must be specified
+on each container for which you want to override the default behavior.
 
 ### Basic Authentication Support
 

From da3e2578433566db034f54a251f1720bf2886c63 Mon Sep 17 00:00:00 2001
From: Steve Kamerman
Date: Thu, 19 May 2016 23:20:43 -0400
Subject: [PATCH 2/2] Removed HSTS when HTTPS_METHOD=noredirect, added tests, improved docs wrt HSTS

---
 README.md | 8 ++++++--
 nginx.tmpl | 2 ++
 test/ssl.bats | 29 +++++++++++++++++++++++++++++
 3 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 37affdc..c1a431c 100644
--- a/README.md
+++ b/README.md
@@ -143,8 +143,12 @@ a 503.
 
 To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the
 environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also
-disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. Note that `HTTPS_METHOD` must be specified
-on each container for which you want to override the default behavior.
+disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. `HTTPS_METHOD` must be specified
+on each container for which you want to override the default behavior. If `HTTPS_METHOD=noredirect` is
+used, Strict Transport Security (HSTS) is disabled to prevent HTTPS users from being redirected by the
+client. If you cannot get to the HTTP site after changing this setting, your browser has probably cached
+the HSTS policy and is automatically redirecting you back to HTTPS. You will need to clear your browser's
+HSTS cache or use an incognito window / different browser.
 
 ### Basic Authentication Support
 
diff --git a/nginx.tmpl b/nginx.tmpl
index 855e90d..a276000 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -153,7 +153,9 @@ server {
 	ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
 	{{ end }}
 
+	{{ if (ne $https_method "noredirect") }}
 	add_header Strict-Transport-Security "max-age=31536000";
+	{{ end }}
 
 	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
 	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
diff --git a/test/ssl.bats b/test/ssl.bats
index b0b525f..e7e0eae 100644
--- a/test/ssl.bats
+++ b/test/ssl.bats
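Review bot: nginx does not inherit a server-level `add_header` into any `location` block that declares an `add_header` of its own, so the HSTS header now guarded by `{{ if (ne $https_method "noredirect") }}` can still be silently dropped by headers set in the `vhost.d/{{ $host }}` file included a few lines below; that behaviour predates this change, but the new conditional is where the next maintainer will look for it. A comment above the guard, e.g. `# HSTS is skipped for HTTPS_METHOD=noredirect so the plain-HTTP site stays reachable; add_header is not inherited into locations that set their own headers`, would make both the intent and the caveat explicit. `$https_method` is assigned outside this hunk, so the value applied when `HTTPS_METHOD` is unset is presumably "redirect" as the README states; the first new bats test exercises that default only indirectly. The enclosing `server` block starts and ends outside the hunk.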
@@ -56,6 +56,35 @@ function setup {
 	assert_200_https test.nginx-proxy.bats
 }
 
+@test "[$TEST_FILE] test SSL Strict-Transport-Security" {
+	# WHEN
+	prepare_web_container bats-ssl-hosts-4 "80 443" \
+		-e VIRTUAL_HOST=*.nginx-proxy.bats \
+		-e CERT_NAME=nginx-proxy.bats
+	dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1
+	sleep 1
+
+	# THEN
+	assert_301 test.nginx-proxy.bats
+	assert_200_https test.nginx-proxy.bats
+	assert_output -p "Strict-Transport-Security: max-age=31536000"
+}
+
+@test "[$TEST_FILE] test HTTPS_METHOD=noredirect disables Strict-Transport-Security" {
+	# WHEN
+	prepare_web_container bats-ssl-hosts-5 "80 443" \
+		-e VIRTUAL_HOST=*.nginx-proxy.bats \
+		-e CERT_NAME=nginx-proxy.bats \
+		-e HTTPS_METHOD=noredirect
+	dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-3
+	sleep 1
+
+	# THEN
+	assert_200 test.nginx-proxy.bats
+	assert_200_https test.nginx-proxy.bats
+	refute_output -p "Strict-Transport-Security: max-age=31536000"
+}
+
 @test "[$TEST_FILE] stop all bats containers" {
 	stop_bats_containers