From 04346a8ec28dccb1e2776cc38874662cf5e1f8ee Mon Sep 17 00:00:00 2001 From: Andreas Kohn Date: Tue, 27 Jun 2017 15:28:33 +0200 Subject: [PATCH] Apply the 'ssl-redirect' redirect per-location This is needed to avoid ingress definitions with different settings for SSL redirection conflicting with each other. NB: This was discussed in the review of #427, but ultimately not addressed. --- .../nginx/rootfs/etc/nginx/template/nginx.tmpl | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl index 04bd1ae6b..95ea4c98e 100644 --- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl +++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl @@ -313,13 +313,6 @@ http { ssl_verify_depth {{ $location.CertificateAuth.ValidationDepth }}; {{ end }} - {{ if (or $location.Redirect.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect)) }} - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$best_http_host$request_uri; - } - {{ end }} - {{ if not (empty $location.Redirect.AppRoot)}} if ($uri = /) { return 302 {{ $location.Redirect.AppRoot }}; @@ -353,6 +346,14 @@ http { location {{ $path }} { set $proxy_upstream_name "{{ buildUpstreamName $server.Hostname $backends $location }}"; + + {{ if (or $location.Redirect.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect)) }} + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$best_http_host$request_uri; + } + {{ end }} + {{ if isLocationAllowed $location }} {{ if gt (len $location.Whitelist.CIDR) 0 }} if ({{ buildDenyVariable (print $server.Hostname "_" $path) }}) {
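Review bot: With the check now inside `location {{ $path }}`, only the location blocks rendered at this point carry the HTTP-to-HTTPS redirect. Any other location the template emits for the same server (the rest of the template is outside this hunk) would answer over plain HTTP, where the old server-scope `if` covered every request, so this is worth confirming against a rendered nginx.conf for a TLS-enabled host. The `AppRoot` redirect left as context in the first hunk still sits at server scope, so it presumably keeps the same cross-ingress conflict this commit fixes for SSL, and a plain-HTTP request for `/` would get its 302 before the per-location 301 is reached. The emitted comment should describe the new scope, e.g. `# enforce ssl for this location only; other locations of this server may differ`. The location block continues past the end of the hunk.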