-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: enforce HTTPS_METHOD on missing cert as well #2452
base: main
Are you sure you want to change the base?
Conversation
e08994a
to
24930f0
Compare
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
ef6d8c3
to
7137335
Compare
@pini-gh If we're updating a behaviour of nginx-proxy, shouldn't we update the test assertions rather than the test setups ? |
I don't think so. The related tests use HTTP URLs, while default To explicitly enable HTTP mode we need to set The other way around would be to configure valid certificates for all these tests, which seems cumbersome to me. |
Okay, got it. I'd prefer |
To me But I won't object setting |
Because this PR may change the behavior of existing setups I could add an environment variable |
7137335
to
267dea7
Compare
After carefully re-reading and testing this PR I'm afraid we're going in the wrong direction, we actually do want to silently switch to
As you remarked in your previous message, changing this to make the proxy enforce To get a better view of the proxy behaviour and see if things need to be fixed, I tried to test it a bit more exhaustively and in an easier to understand way than in the Unknown vhosts
Known vhostsThe only "issue" I see here is
Let me know if you see other behaviours that seem incorrect or if I forgot some cases. |
That's where I'd want a different behavior. A certificate going missing could be a bug or a mistake. For my sites I don't want HTTP silently enabled on such cases. Then I need a way to enforce There are several ways to achieve this. If we don't want to change the current default behavior I see two ways:
Would you agree on one of these? EDIT: Fixed typo |
I've created PR #2465 to make the current behavior explicit and documented. |
Ok I totally get this use case 👍 Ideally I'd prefer if we did not introduce an entirely new environment variable (to avoid adding one dimension to the previous behaviour tables), so |
May I insist on a using a new variable? Say The new variable doesn't add a full new dimension. In both cases we just need a couple of tests where we check that HTTP is not enabled on missing cert when |
267dea7
to
2ed3521
Compare
I guess I really liked my tables above ^^ Let's roll with |
2ed3521
to
8bb72ba
Compare
This PR should be ready then :) |
8bb72ba
to
ffb3808
Compare
docs/README.md
Outdated
* force enable HTTP; i.e. `HTTPS_METHOD` will switch to `noredirect` if it was set to `nohttp` or `redirect`. | ||
* if `ENABLE_HTTP_ON_MISSING_CERT=true` (default) force enable HTTP; i.e. `HTTPS_METHOD` will switch to `noredirect` if it was set to `nohttp` or `redirect`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not certain formulating it this way really highlight the use case for the new environment variable.
If you're not in a hurry I can try to come up with something.
47ab172
to
1d7a3ca
Compare
Default: true
1d7a3ca
to
0b3f138
Compare
There is no reason to silently switch to noredirect on missing cert.
The default being
HTTPS_METHOD=redirect
most of the test cases need to setHTTPS_METHOD=nohttps
orHTTPS_METHOD=noredirect
.