Merge pull request #1008 from lmars/fix-nginx-multiple-ssl-vhosts

Support multiple domains using a wildcard TLS certificate

plugins/nginx-vhosts/commands

@@ -45,49 +45,54 @@ EOF
         SSL_DIRECTIVES=""
       fi
 
-      NGINX_CONF="$PLUGIN_PATH/nginx-vhosts/templates/nginx.conf"
+      NGINX_CONF=$(mktemp -t "nginx.conf.XXXXXX")
       SCHEME="http"
       if [[ -n "$SSL_INUSE" ]]; then
-        NGINX_CONF="$PLUGIN_PATH/nginx-vhosts/templates/nginx.ssl.conf"
         SCHEME="https"
 
         SSL_HOSTNAME=$(openssl x509 -in $SSL_INUSE/server.crt -noout -subject | tr '/' '\n' | grep CN= | cut -c4-)
         if [[ -n "$SSL_HOSTNAME" ]]; then
-          SSL_HOSTNAME_REGEX=$(echo "$SSL_HOSTNAME" | sed 's|\.|\\.|g' | sed 's/\*/\.\*/g')
+          SSL_HOSTNAME_REGEX=$(echo "$SSL_HOSTNAME" | sed 's|\.|\\.|g' | sed 's/\*/\[^\.\]\*/g')
           [[ -z "$(egrep "^${SSL_HOSTNAME_REGEX}$" $VHOST_PATH)" ]] && echo "$SSL_HOSTNAME" >> $VHOST_PATH
         fi
 
         SSL_HOSTNAME_ALT=$(openssl x509 -in $SSL_INUSE/server.crt -noout -text | grep --after-context=1 '509v3 Subject Alternative Name:' | tail -n 1 | sed -e "s/[[:space:]]*DNS://g"  | tr ',' '\n' || true)
         if [[ -n "$SSL_HOSTNAME_ALT" ]]; then
-          SSL_HOSTNAME_ALT_REGEX=$(echo "$SSL_HOSTNAME_ALT" | sed 's|\.|\\.|g' | sed 's/\*/\.\*/g')
+          SSL_HOSTNAME_ALT_REGEX=$(echo "$SSL_HOSTNAME_ALT" | sed 's|\.|\\.|g' | sed 's/\*/\[^\.\]\*/g')
           [[ -z "$(egrep "^${SSL_HOSTNAME_ALT_REGEX}$" $VHOST_PATH)" ]] && echo "$SSL_HOSTNAME_ALT" >> $VHOST_PATH
         fi
 
         SSL_VHOSTS=$(egrep "^${SSL_HOSTNAME_REGEX}$|^${SSL_HOSTNAME_ALT_REGEX}$" $VHOST_PATH || exit 0)
         NONSSL_VHOSTS=$(egrep -v "^${SSL_HOSTNAME}$|^${SSL_HOSTNAME_ALT}$" $VHOST_PATH || exit 0)
 
+        NGINX_TEMPLATE="$PLUGIN_PATH/nginx-vhosts/templates/nginx.ssl.conf"
         while read line; do
           dokku_log_info1 "Configuring SSL for $line..."
           SSL_SERVER_NAME=$line
-          eval "cat <<< \"$(< $NGINX_CONF)\" >> $DOKKU_ROOT/$APP/nginx.conf"
+          NOSSL_SERVER_NAME=$line
+          eval "cat <<< \"$(< $NGINX_TEMPLATE)\" >> $NGINX_CONF"
         done <<< "$SSL_VHOSTS"
       fi
 
+      NOSSL_SERVER_NAME=$(echo $NONSSL_VHOSTS | tr '\n' ' ')
       APP_NGINX_TEMPLATE="$DOKKU_ROOT/$APP/nginx.conf.template"
       if [[ -f $APP_NGINX_TEMPLATE ]]; then
         dokku_log_info1 "Overriding default nginx.conf with detected nginx.conf.template"
-        NGINX_CONF=$APP_NGINX_TEMPLATE
+        eval "cat <<< \"$(< $APP_NGINX_TEMPLATE)\" > $NGINX_CONF"
+      elif [[ -n "$NONSSL_VHOSTS" ]]; then
+        xargs -i echo "-----> Configuring {}..." <<< "$NONSSL_VHOSTS"
+        NGINX_TEMPLATE="$PLUGIN_PATH/nginx-vhosts/templates/nginx.conf"
+        eval "cat <<< \"$(< $NGINX_TEMPLATE)\" >> $NGINX_CONF"
       fi
 
-      xargs -i echo "-----> Configuring {}..." < $VHOST_PATH
-      # Include SSL_VHOSTS so we can redirect http to https on that hostname as well
-      NOSSL_SERVER_NAME=$(echo $NONSSL_VHOSTS $SSL_VHOSTS| tr '\n' ' ')
+      if [[ -n "$DOKKU_APP_LISTEN_PORT" ]] && [[ -n "$DOKKU_APP_LISTEN_IP" ]]; then
+        echo "upstream $APP { server $DOKKU_APP_LISTEN_IP:$DOKKU_APP_LISTEN_PORT; }" >> $NGINX_CONF
+      fi
+
+      dokku_log_info1 "Creating $SCHEME nginx.conf"
+      mv $NGINX_CONF "$DOKKU_ROOT/$APP/nginx.conf"
 
       if [[ -n "$DOKKU_APP_LISTEN_PORT" ]] && [[ -n "$DOKKU_APP_LISTEN_IP" ]]; then
-        dokku_log_info1 "Creating $SCHEME nginx.conf"
-        echo "upstream $APP { server $DOKKU_APP_LISTEN_IP:$DOKKU_APP_LISTEN_PORT; }" > $DOKKU_ROOT/$APP/nginx.conf
-        eval "cat <<< \"$(< $NGINX_CONF)\" >> $DOKKU_ROOT/$APP/nginx.conf"
-
         dokku_log_info1 "Running nginx-pre-reload"
         pluginhook nginx-pre-reload $APP $DOKKU_APP_LISTEN_PORT $DOKKU_APP_LISTEN_IP
 

tests/unit/nginx-vhosts.bats

@@ -15,6 +15,44 @@ teardown() {
   disable_tls_wildcard
 }
 
+assert_ssl_domain() {
+  local domain=$1
+  assert_app_domain "${domain}"
+  assert_http_redirect "http://${domain}" "https://${domain}/"
+  assert_http_success "https://${domain}"
+}
+
+assert_nonssl_domain() {
+  local domain=$1
+  assert_app_domain "${domain}"
+  assert_http_success "http://${domain}"
+}
+
+assert_app_domain() {
+  local domain=$1
+  run /bin/bash -c "dokku domains $TEST_APP | grep -xF ${domain}"
+  echo "output: "$output
+  echo "status: "$status
+  assert_output "${domain}"
+}
+
+assert_http_redirect() {
+  local from=$1
+  local to=$2
+  run curl -kSso /dev/null -w "%{redirect_url}" "${from}"
+  echo "output: "$output
+  echo "status: "$status
+  assert_output "${to}"
+}
+
+assert_http_success() {
+  local url=$1
+  run curl -kSso /dev/null -w "%{http_code}" "${url}"
+  echo "output: "$output
+  echo "status: "$status
+  assert_output "200"
+}
+
 @test "nginx (no server tokens)" {
   deploy_app
   run /bin/bash -c "curl -s -D - $(dokku url $TEST_APP) -o /dev/null | egrep '^Server' | egrep '[0-9]+'"
@@ -24,70 +62,35 @@ teardown() {
 }
 
 @test "nginx:build-config (wildcard SSL)" {
-  destroy_app
   setup_test_tls_wildcard
-  create_app
-  run dokku domains:add $TEST_APP wildcard.dokku.me
-  echo "output: "$output
-  echo "status: "$status
-  assert_success
+  add_domain "wildcard1.dokku.me"
+  add_domain "wildcard2.dokku.me"
+  add_domain "www.test.dokku.me"
   deploy_app
-  run bash -c "response=\"$(curl -LkSs wildcard.dokku.me)\"; echo \$response; test \"\$response\" == \"nodejs/express\""
-  echo "output: "$output
-  echo "status: "$status
-  assert_success
+  assert_ssl_domain "wildcard1.dokku.me"
+  assert_ssl_domain "wildcard2.dokku.me"
+  assert_nonssl_domain "www.test.dokku.me"
 }
 
 @test "nginx:build-config (with SSL CN mismatch)" {
   setup_test_tls
   deploy_app
-  run /bin/bash -c "dokku domains $TEST_APP | egrep ^node-js-app\.dokku\.me$"
-  echo "output: "$output
-  echo "status: "$status
-  assert_output "node-js-app.dokku.me"
-  run bash -c "response=\"$(curl -LkSs node-js-app.dokku.me)\"; echo \$response; test \"\$response\" == \"nodejs/express\""
-  echo "output: "$output
-  echo "status: "$status
-  assert_success
+  assert_ssl_domain "node-js-app.dokku.me"
 }
 
 @test "nginx:build-config (with SSL and Multiple SANs)" {
   setup_test_tls_with_sans
   deploy_app
-  run /bin/bash -c "dokku domains $TEST_APP | egrep ^test\.dokku\.me$"
-  echo "output: "$output
-  echo "status: "$status
-  assert_output "test.dokku.me"
-  run /bin/bash -c "dokku domains $TEST_APP | grep ^www\.test\.dokku\.me$"
-  echo "output: "$output
-  echo "status: "$status
-  assert_output "www.test.dokku.me"
-  run bash -c "response=\"$(curl -LkSs test.dokku.me)\"; echo \$response; test \"\$response\" == \"nodejs/express\""
-  echo "output: "$output
-  echo "status: "$status
-  assert_success
-  run bash -c "response=\"$(curl -LkSs www.test.dokku.me)\"; echo \$response; test \"\$response\" == \"nodejs/express\""
-  echo "output: "$output
-  echo "status: "$status
-  assert_success
-  run bash -c "response=\"$(curl -LkSs www.test.app.dokku.me)\"; echo \$response; test \"\$response\" == \"nodejs/express\""
-  echo "output: "$output
-  echo "status: "$status
-  assert_success
+  assert_ssl_domain "test.dokku.me"
+  assert_ssl_domain "www.test.dokku.me"
+  assert_ssl_domain "www.test.app.dokku.me"
 }
 
 @test "nginx:build-config (no global VHOST and domains:add)" {
   destroy_app
   rm "$DOKKU_ROOT/VHOST"
   create_app
-  run dokku domains:add $TEST_APP www.test.app.dokku.me
-  echo "output: "$output
-  echo "status: "$status
-  assert_success
+  add_domain "www.test.app.dokku.me"
   deploy_app
-  sleep 5 # wait for nginx to reload
-  run bash -c "response=\"$(curl -s -S www.test.app.dokku.me)\"; echo \$response; test \"\$response\" == \"nodejs/express\""
-  echo "output: "$output
-  echo "status: "$status
-  assert_success
+  assert_nonssl_domain "www.test.app.dokku.me"
 }

tests/unit/test_helper.bash

@@ -92,6 +92,10 @@ destroy_app() {
   echo $TEST_APP | dokku apps:destroy $TEST_APP
 }
 
+add_domain() {
+  dokku domains:add $TEST_APP $1
+}
+
 deploy_app() {
   APP_TYPE="$1"; APP_TYPE=${APP_TYPE:="nodejs-express"}
   TMP=$(mktemp -d -t "$TARGET.XXXXX")