Support multiple domains using a wildcard TLS certificate

Previous to this change, each TLS domain would be written to nginx.conf
using the nginx.ssl.conf template (lines 69-73) but with an empty
"server_name" directive (because NOSSL_SERVER_NAME was not set).

This would then become irrelevant because nginx.conf would get truncated
on line 88, and a single parsing of the template would then be written to
nginx.conf on line 89, meaning only the last TLS domain would be set up to
actually use TLS.

This patch changes this behaviour so that all TLS domains get added to
nginx.conf using the nginx.ssl.conf template (which includes redirecting
HTTP -> HTTPS), and all non-TLS domains get added using the nginx.conf
template, so do not get redirected to a TLS domain.

Signed-off-by: Lewis Marshall <lewis@lmars.net>

plugins/nginx-vhosts/commands

@@ -45,10 +45,9 @@ EOF
         SSL_DIRECTIVES=""
       fi
 
-      NGINX_CONF="$PLUGIN_PATH/nginx-vhosts/templates/nginx.conf"
+      NGINX_CONF=$(mktemp -t "nginx.conf.XXXXXX")
       SCHEME="http"
       if [[ -n "$SSL_INUSE" ]]; then
-        NGINX_CONF="$PLUGIN_PATH/nginx-vhosts/templates/nginx.ssl.conf"
         SCHEME="https"
 
         SSL_HOSTNAME=$(openssl x509 -in $SSL_INUSE/server.crt -noout -subject | tr '/' '\n' | grep CN= | cut -c4-)
@@ -66,28 +65,34 @@ EOF
         SSL_VHOSTS=$(egrep "^${SSL_HOSTNAME_REGEX}$|^${SSL_HOSTNAME_ALT_REGEX}$" $VHOST_PATH || exit 0)
         NONSSL_VHOSTS=$(egrep -v "^${SSL_HOSTNAME}$|^${SSL_HOSTNAME_ALT}$" $VHOST_PATH || exit 0)
 
+        NGINX_TEMPLATE="$PLUGIN_PATH/nginx-vhosts/templates/nginx.ssl.conf"
         while read line; do
           dokku_log_info1 "Configuring SSL for $line..."
           SSL_SERVER_NAME=$line
-          eval "cat <<< \"$(< $NGINX_CONF)\" >> $DOKKU_ROOT/$APP/nginx.conf"
+          NOSSL_SERVER_NAME=$line
+          eval "cat <<< \"$(< $NGINX_TEMPLATE)\" >> $NGINX_CONF"
         done <<< "$SSL_VHOSTS"
       fi
 
+      NOSSL_SERVER_NAME=$(echo $NONSSL_VHOSTS | tr '\n' ' ')
       APP_NGINX_TEMPLATE="$DOKKU_ROOT/$APP/nginx.conf.template"
       if [[ -f $APP_NGINX_TEMPLATE ]]; then
         dokku_log_info1 "Overriding default nginx.conf with detected nginx.conf.template"
-        NGINX_CONF=$APP_NGINX_TEMPLATE
+        eval "cat <<< \"$(< $APP_NGINX_TEMPLATE)\" > $NGINX_CONF"
+      elif [[ -n "$NONSSL_VHOSTS" ]]; then
+        xargs -i echo "-----> Configuring {}..." <<< "$NONSSL_VHOSTS"
+        NGINX_TEMPLATE="$PLUGIN_PATH/nginx-vhosts/templates/nginx.conf"
+        eval "cat <<< \"$(< $NGINX_TEMPLATE)\" >> $NGINX_CONF"
       fi
 
-      xargs -i echo "-----> Configuring {}..." < $VHOST_PATH
-      # Include SSL_VHOSTS so we can redirect http to https on that hostname as well
-      NOSSL_SERVER_NAME=$(echo $NONSSL_VHOSTS $SSL_VHOSTS| tr '\n' ' ')
+      if [[ -n "$DOKKU_APP_LISTEN_PORT" ]] && [[ -n "$DOKKU_APP_LISTEN_IP" ]]; then
+        echo "upstream $APP { server $DOKKU_APP_LISTEN_IP:$DOKKU_APP_LISTEN_PORT; }" >> $NGINX_CONF
+      fi
+
+      dokku_log_info1 "Creating $SCHEME nginx.conf"
+      mv $NGINX_CONF "$DOKKU_ROOT/$APP/nginx.conf"
 
       if [[ -n "$DOKKU_APP_LISTEN_PORT" ]] && [[ -n "$DOKKU_APP_LISTEN_IP" ]]; then
-        dokku_log_info1 "Creating $SCHEME nginx.conf"
-        echo "upstream $APP { server $DOKKU_APP_LISTEN_IP:$DOKKU_APP_LISTEN_PORT; }" > $DOKKU_ROOT/$APP/nginx.conf
-        eval "cat <<< \"$(< $NGINX_CONF)\" >> $DOKKU_ROOT/$APP/nginx.conf"
-
         dokku_log_info1 "Running nginx-pre-reload"
         pluginhook nginx-pre-reload $APP $DOKKU_APP_LISTEN_PORT $DOKKU_APP_LISTEN_IP
 

tests/unit/nginx-vhosts.bats

@@ -63,9 +63,11 @@ assert_http_success() {
 
 @test "nginx:build-config (wildcard SSL)" {
   setup_test_tls_wildcard
-  add_domain "wildcard.dokku.me"
+  add_domain "wildcard1.dokku.me"
+  add_domain "wildcard2.dokku.me"
   deploy_app
-  assert_ssl_domain "wildcard.dokku.me"
+  assert_ssl_domain "wildcard1.dokku.me"
+  assert_ssl_domain "wildcard2.dokku.me"
 }
 
 @test "nginx:build-config (with SSL CN mismatch)" {