Merge pull request #462 from kamermans/master
Disable HSTS when HTTPS_METHOD=noredirect
This commit is contained in:
commit
c36b42933d
3 changed files with 37 additions and 1 deletions
|
@ -164,7 +164,12 @@ a 503.
|
|||
|
||||
To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the
|
||||
environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also
|
||||
disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`.
|
||||
disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. `HTTPS_METHOD` must be specified
|
||||
on each container for which you want to override the default behavior. If `HTTPS_METHOD=noredirect` is
|
||||
used, Strict Transport Security (HSTS) is disabled to prevent HTTPS users from being redirected by the
|
||||
client. If you cannot get to the HTTP site after changing this setting, your browser has probably cached
|
||||
the HSTS policy and is automatically redirecting you back to HTTPS. You will need to clear your browser's
|
||||
HSTS cache or use an incognito window / different browser.
|
||||
|
||||
### Basic Authentication Support
|
||||
|
||||
|
|
|
@ -155,7 +155,9 @@ server {
|
|||
ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
|
||||
{{ end }}
|
||||
|
||||
{{ if (ne $https_method "noredirect") }}
|
||||
add_header Strict-Transport-Security "max-age=31536000";
|
||||
{{ end }}
|
||||
|
||||
{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
|
||||
include {{ printf "/etc/nginx/vhost.d/%s" $host }};
|
||||
|
|
|
@ -56,6 +56,35 @@ function setup {
|
|||
assert_200_https test.nginx-proxy.bats
|
||||
}
|
||||
|
||||
@test "[$TEST_FILE] test SSL Strict-Transport-Security" {
|
||||
# WHEN
|
||||
prepare_web_container bats-ssl-hosts-4 "80 443" \
|
||||
-e VIRTUAL_HOST=*.nginx-proxy.bats \
|
||||
-e CERT_NAME=nginx-proxy.bats
|
||||
dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1
|
||||
sleep 1
|
||||
|
||||
# THEN
|
||||
assert_301 test.nginx-proxy.bats
|
||||
assert_200_https test.nginx-proxy.bats
|
||||
assert_output -p "Strict-Transport-Security: max-age=31536000"
|
||||
}
|
||||
|
||||
@test "[$TEST_FILE] test HTTPS_METHOD=noredirect disables Strict-Transport-Security" {
|
||||
# WHEN
|
||||
prepare_web_container bats-ssl-hosts-5 "80 443" \
|
||||
-e VIRTUAL_HOST=*.nginx-proxy.bats \
|
||||
-e CERT_NAME=nginx-proxy.bats \
|
||||
-e HTTPS_METHOD=noredirect
|
||||
dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-3
|
||||
sleep 1
|
||||
|
||||
# THEN
|
||||
assert_200 test.nginx-proxy.bats
|
||||
assert_200_https test.nginx-proxy.bats
|
||||
refute_output -p "Strict-Transport-Security: max-age=31536000"
|
||||
}
|
||||
|
||||
|
||||
@test "[$TEST_FILE] stop all bats containers" {
|
||||
stop_bats_containers
|
||||
|
|
Reference in a new issue