
Commit 6aaa411

author
Matthew Fisher
committed
fix(router): include deis.conf if no match with an SSL cert
The idea behind not including deis.conf was so that custom domains which are different from the platform domain would not attach the platform SSL certificate when it was enabled. However, this has the side effect of not attaching domains which are subdomains of the platform domain, which is intentional.
1 parent 8e960ca commit 6aaa411

1 file changed

Lines changed: 12 additions & 5 deletions


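--- a/router/image/templates/nginx.conf
+++ b/router/image/templates/nginx.conf
@@ -142,6 +142,7 @@ http {
 {{ $affinityArg := .deis_router_affinityArg }}
 {{ $certs := .deis_certs }}
 {{ $domains := .deis_domains }}
+{{ $root := . }}
 {{ range $service := .deis_services }}{{ if $service.Nodes }}
 upstream {{ Base $service.Key }} {
 {{ if $affinityArg }}hash $arg_{{ $affinityArg }} consistent;
@@ -155,18 +156,24 @@ http {
 {{ range $domain := $domains }}{{ if eq (Base $service.Key) $domain.Value }}
 server {
 server_name {{ Base $domain.Key }};
-server_name_in_redirect off;
-port_in_redirect off;
-listen 80;
 {{/* if a SSL certificate is installed for this domain, use SSL */}}
 {{/* Note (bacongobbler): domains are separate from the default platform domain, */}}
 {{/* so we can't rely on deis.conf as each domain is an island */}}
-{{ range $cert := $certs }}{{ if eq (Base $domain.Key) (Base $cert.Key) }}
+{{ if index $root (printf "deis_certs_%s_cert" (Base $domain.Key)) }}
+server_name_in_redirect off;
+port_in_redirect off;
+listen 80;
 listen 443 ssl spdy;
 ssl_certificate /etc/ssl/deis/certs/{{ Base $domain.Key }}.cert;
 ssl_certificate_key /etc/ssl/deis/keys/{{ Base $domain.Key }}.key;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-{{ end }}{{ end }}
+{{/* if there's no app SSL cert but we have a router SSL cert, enable that instead */}}
+{{/* TODO (bacongobbler): wait for https://github.com/kelseyhightower/confd/issues/270 */}}
+{{/* so we can apply this config to just subdomains of the platform domain. */}}
+{{/* ref: https://github.com/deis/deis/pull/3519 */}}
+{{ else }}
+include deis.conf;
+{{ end }}
 
 {{ if $service.Nodes }}
 location / {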
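Review bot: The retained comment on new lines 160–161 ("so we can't rely on deis.conf as each domain is an island") now contradicts the `{{ else }}` branch at new lines 174–176, which includes deis.conf for every domain that has no certificate of its own. Per the commit description and the TODO, that covers custom domains outside the platform domain as well, so when the platform certificate is enabled those hosts will presumably present a certificate that does not match their name until the confd issue is resolved. I would reword the comment to say so, e.g. `{{/* domains with their own cert are configured standalone; every other domain falls back to deis.conf, including custom domains the platform cert does not cover */}}`. The `listen 80` and redirect directives also now exist only in the certificate branch, so the fallback relies on deis.conf (not shown here) to supply them. The server block continues past the end of the hunk.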
