nixos/httpd: support overridable virtual hosts #73113
Example of current test configuration:
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/what-are-your-goals-for-20-03/4773/3
cc @vanyaklimenko in case they have interest in testing this PR.
@GrahamcOfBorg test haproxy proxy upnp
@GrahamcOfBorg test limesurvey mediawiki
I applied this to nixpkgs master, converted my configuration, and merged my http:// and https:// virtualhosts into a single virtualhost. That broke https:// because I had

```nix
listen = [
  { ip = "1.2.3.4"; port = 80; }
  { ip = "1.2.3.4"; port = 443; }
];
```

which caused Apache to run HTTP without SSL on port 443.

From the implementation in nginx, I correctly guessed that I could do this here too:

```nix
listen = [
  { ip = "1.2.3.4"; port = 80; }
  { ip = "1.2.3.4"; port = 443; ssl = true; }
];
```

but this is perplexingly undocumented in `apache-httpd/per-server-options.nix`. (Yes, it really does work, but I cannot figure out why.)

Sorry! I was looking at the wrong branch locally and see that it is documented.
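
A post-migration check for the failure described in the comment above (a listener on port 443 serving HTTP without SSL), added here as an example that is not part of the PR or of nixpkgs: it attempts a TLS handshake against each listener and, if that fails, tests whether the port answers plain HTTP. The function names and the `(host, port, expect_tls)` tuple format are assumptions made for this example.

```python
import socket
import ssl


def probe_listener(host, port, timeout=2.0):
    """Classify a TCP listener as 'tls', 'plaintext-http', 'unknown' or 'unreachable'."""
    # Certificate validation is off on purpose: the only question asked here is
    # whether the port speaks TLS at all, not whether its certificate is valid.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except OSError:
        pass  # ssl.SSLError, resets and timeouts are all OSError: handshake failed
    finally:
        raw.close()
    # No TLS. Send a plain HTTP request to see whether the port answers in cleartext.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            if s.recv(8).startswith(b"HTTP/"):
                return "plaintext-http"
    except OSError:
        pass
    return "unknown"


def audit_listeners(listeners, timeout=2.0):
    """Return (host, port, state) for each (host, port, expect_tls) whose state contradicts it."""
    findings = []
    for host, port, expect_tls in listeners:
        state = probe_listener(host, port, timeout)
        if (state == "tls") != expect_tls:
            findings.append((host, port, state))
    return findings


if __name__ == "__main__":
    # Constructed demo: a local plaintext HTTP server stands in for the misconfigured port 443.
    import http.server, threading
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), http.server.BaseHTTPRequestHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    print(audit_listeners([("127.0.0.1", srv.server_port, True)], timeout=1.0))
```

After a rebuild, pass the listeners from the configuration with `expect_tls` set to match each entry's `ssl` flag; an empty result means every port speaks the protocol it was declared with.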
Migrating my configuration wasn't very painful and the migrated configuration appears to behave correctly.
I think this should be merged once someone else looks over it, or confirms that those six Apache-using modules in nixpkgs still work.
@ivan I just need to test
…ualHosts option type from listOf to attrsOf, add ACME integration
@GrahamcOfBorg test limesurvey mediawiki
I've been running this on 3 machines for a while now, @ivan has given it a look over and migrated their configuration to use it, all outstanding issues/requirements addressed... so merging.
The rewritten httpd module (NixOS/nixpkgs#73113) puts `AllowOverride None` into <Directory> block of each virtual host. Since the virtual host blocks are located after top level `extraConfig`, it takes precedence over `AllowOverride` set there. In order for `.htaccess` to work, we need to move that to virtual hosts’ `extraConfig`.
@aanderse
part of a vhost, is there no more way to define a "private" vhost? (like one where we want authenticated users only) EDIT: seems like it’s not recent (I just never noticed it before) and it can be overridden by a subsequent Directory directive, so I guess it’s nothing new there..
@immae your edit sums up the situation nicely. Not something I put in place, and easily overridden if you read through That being said... the situation in this module is less than perfect. I have spent some time trying to work through a solution to this but unfortunately ran into some roadblocks. I'm hoping to come up with a solution to improve things at some point in the future.
I have split this PR into multiple commits to make it easier to review. Ignoring white space also helps in a few places. Before merging all commits should be squashed as the commits individually break various things.
Motivation for this change

- `virtualHosts` option is of type `listOf` instead of `attrsOf` which doesn't allow users to modify a `virtualHost` once created
- `virtualHost` defined is specific to either `http` or `https` which makes it extremely difficult to implement integration with `security.acme.certs`
- `httpd` module code is overly complex
- `httpd` module has fallen far behind the `nginx` module and as a result isn't used by many people on nixos

Things not yet done

- `awstats` module, with offer to do so generously provided by @aristaeus
- `services.httpd`, something which @samueldr may have some ideas on

Things done

- `sandbox` in `nix.conf` on non-NixOS linux)
- `nix-shell -p nix-review --run "nix-review wip"`
- `./result/bin/`)
- `nix path-info -S` before and after)

Notify maintainers

cc @