fix: nohttp(s) shouldn't disable fallback server

nginx.tmpl

@@ -650,8 +650,8 @@ proxy_set_header Proxy "";
         {{- $default_https_exists = or $default_https_exists (and $https $vhost.default) }}
         {{- $http3_enabled = or $http3_enabled $vhost.http3_enabled }}
     {{- end }}
-    {{- $fallback_http := and $http_exists (not $default_http_exists) }}
-    {{- $fallback_https := and $https_exists (not $default_https_exists) }}
+    {{- $fallback_http := not $default_http_exists }}
+    {{- $fallback_https := not $default_https_exists }}
     {{- /*
          * If there are no vhosts at all, create fallbacks for both plain http
          * and https so that clients get something more useful than a connection

test/test_fallback.py

@@ -33,7 +33,6 @@ def _get(url):
 
 
 INTERNAL_ERR_RE = re.compile("TLSV1_ALERT_INTERNAL_ERROR")
-CONNECTION_REFUSED_RE = re.compile("Connection refused")
 
 
 @pytest.mark.parametrize("compose_file,url,want_code,want_err_re", [
@@ -60,33 +59,33 @@ def _get(url):
     ("nodefault.yml", "http://unknown.nginx-proxy.test/", 503, None),
     ("nodefault.yml", "https://unknown.nginx-proxy.test/", None, INTERNAL_ERR_RE),
     # HTTPS_METHOD=nohttp on nginx-proxy, HTTPS_METHOD unset on the app container.
-    ("nohttp.yml", "http://https-only.nginx-proxy.test/", None, CONNECTION_REFUSED_RE),
+    ("nohttp.yml", "http://https-only.nginx-proxy.test/", 503, None),
     ("nohttp.yml", "https://https-only.nginx-proxy.test/", 200, None),
-    ("nohttp.yml", "http://unknown.nginx-proxy.test/", None, CONNECTION_REFUSED_RE),
+    ("nohttp.yml", "http://unknown.nginx-proxy.test/", 503, None),
     ("nohttp.yml", "https://unknown.nginx-proxy.test/", 503, None),
     # HTTPS_METHOD=redirect on nginx-proxy, HTTPS_METHOD=nohttp on the app container.
-    ("nohttp-on-app.yml", "http://https-only.nginx-proxy.test/", None, CONNECTION_REFUSED_RE),
+    ("nohttp-on-app.yml", "http://https-only.nginx-proxy.test/", 503, None),
     ("nohttp-on-app.yml", "https://https-only.nginx-proxy.test/", 200, None),
-    ("nohttp-on-app.yml", "http://unknown.nginx-proxy.test/", None, CONNECTION_REFUSED_RE),
+    ("nohttp-on-app.yml", "http://unknown.nginx-proxy.test/", 503, None),
     ("nohttp-on-app.yml", "https://unknown.nginx-proxy.test/", 503, None),
     # Same as nohttp.yml, except there is a vhost with a missing cert.
     # nohttp should be enforced in this case as well.
-    ("nohttp-with-missing-cert.yml", "http://https-only.nginx-proxy.test/", None, CONNECTION_REFUSED_RE),
+    ("nohttp-with-missing-cert.yml", "http://https-only.nginx-proxy.test/", 503, None),
     ("nohttp-with-missing-cert.yml", "https://https-only.nginx-proxy.test/", 200, None),
-    ("nohttp-with-missing-cert.yml", "http://missing-cert.nginx-proxy.test/", None, CONNECTION_REFUSED_RE),
+    ("nohttp-with-missing-cert.yml", "http://missing-cert.nginx-proxy.test/", 503, None),
     ("nohttp-with-missing-cert.yml", "https://missing-cert.nginx-proxy.test/", 500, None),
-    ("nohttp-with-missing-cert.yml", "http://unknown.nginx-proxy.test/", None, CONNECTION_REFUSED_RE),
+    ("nohttp-with-missing-cert.yml", "http://unknown.nginx-proxy.test/", 503, None),
     ("nohttp-with-missing-cert.yml", "https://unknown.nginx-proxy.test/", 503, None),
     # HTTPS_METHOD=nohttps on nginx-proxy, HTTPS_METHOD unset on the app container.
     ("nohttps.yml", "http://http-only.nginx-proxy.test/", 200, None),
-    ("nohttps.yml", "https://http-only.nginx-proxy.test/", None, CONNECTION_REFUSED_RE),
+    ("nohttps.yml", "https://http-only.nginx-proxy.test/", None, INTERNAL_ERR_RE),
     ("nohttps.yml", "http://unknown.nginx-proxy.test/", 503, None),
-    ("nohttps.yml", "https://unknown.nginx-proxy.test/", None, CONNECTION_REFUSED_RE),
+    ("nohttps.yml", "https://unknown.nginx-proxy.test/", None, INTERNAL_ERR_RE),
     # HTTPS_METHOD=redirect on nginx-proxy, HTTPS_METHOD=nohttps on the app container.
     ("nohttps-on-app.yml", "http://http-only.nginx-proxy.test/", 200, None),
-    ("nohttps-on-app.yml", "https://http-only.nginx-proxy.test/", None, CONNECTION_REFUSED_RE),
+    ("nohttps-on-app.yml", "https://http-only.nginx-proxy.test/", None, INTERNAL_ERR_RE),
     ("nohttps-on-app.yml", "http://unknown.nginx-proxy.test/", 503, None),
-    ("nohttps-on-app.yml", "https://unknown.nginx-proxy.test/", None, CONNECTION_REFUSED_RE),
+    ("nohttps-on-app.yml", "https://unknown.nginx-proxy.test/", None, INTERNAL_ERR_RE),
     # Custom nginx config that has a `server` directive that uses `default_server` and simply
     # returns 418.  Nginx should successfully start (in particular, the `default_server` in the
     # custom config should not conflict with the fallback server generated by nginx-proxy) and nginx

test/test_ssl/test_nohttp.py

@@ -3,15 +3,15 @@
 
 
 def test_web2_http_is_connection_refused(docker_compose, nginxproxy):
-    with pytest.raises(requests.exceptions.RequestException, match="Connection refused"):
-        nginxproxy.get("http://web2.nginx-proxy.tld/")
+    r = nginxproxy.get("http://web2.nginx-proxy.tld/", allow_redirects=False)
+    assert r.status_code == 503
 
 
 def test_web2_http_is_connection_refused_for_acme_challenge(
     docker_compose, nginxproxy, acme_challenge_path
 ):
-    with pytest.raises(requests.exceptions.RequestException, match="Connection refused"):
-        nginxproxy.get(f"http://web2.nginx-proxy.tld/{acme_challenge_path}")
+    r = nginxproxy.get(f"http://web2.nginx-proxy.tld/{acme_challenge_path}", allow_redirects=False)
+    assert r.status_code == 503
 
 
 def test_web2_https_is_forwarded(docker_compose, nginxproxy):