Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/nginx: use Mozilla Intermediate TLS configuration #81891

Merged
merged 1 commit into from Mar 6, 2020

Conversation

emilazy
Copy link
Member

@emilazy emilazy commented Mar 6, 2020

Motivation for this change

The configuration at https://ssl-config.mozilla.org/#server=nginx&config=intermediate
is reliably kept up-to-date in terms of security and compatible with a
wide range of clients. They've probably had more care and thought put
into them than our defaults, and will be easier to keep updated in
the future.

The only removed (rather than changed) configuration option here is
ssl_ecdh_curve, per mozilla/server-side-tls#189.

Resolves #80952.

cc @infinisil @fpletz

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@emilazy emilazy force-pushed the nginx-use-mozilla-tls-config branch from 1c4d541 to 08c75f3 Compare March 6, 2020 13:03
The configuration at https://ssl-config.mozilla.org/#server=nginx&config=intermediate
is reliably kept up-to-date in terms of security and compatible with a
wide range of clients. They've probably had more care and thought put
into them than our defaults, and will be easier to keep updated in
the future.

The only removed (rather than changed) configuration option here is
ssl_ecdh_curve, per mozilla/server-side-tls#189.

Resolves NixOS#80952.
@emilazy emilazy force-pushed the nginx-use-mozilla-tls-config branch from 08c75f3 to 4ed98d6 Compare March 6, 2020 13:09
@emilazy emilazy changed the title nginx: use Mozilla Intermediate TLS configuration nixos/nginx: use Mozilla Intermediate TLS configuration Mar 6, 2020
Copy link
Member

@Mic92 Mic92 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also had a similar commit in the pipeline: Mic92@3b698d9

Chosen options looks good to me.

@Mic92
Copy link
Member

Mic92 commented Mar 6, 2020

@GrahamcOfBorg test nginx

Copy link
Member

@infinisil infinisil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good!

@infinisil infinisil added this to the 20.03 milestone Mar 6, 2020
@Mic92 Mic92 merged commit 391b7b3 into NixOS:master Mar 6, 2020
@Mic92
Copy link
Member

Mic92 commented Mar 6, 2020

backport pr #81902

@emilazy emilazy deleted the nginx-use-mozilla-tls-config branch March 6, 2020 14:36
@emilazy
Copy link
Member Author

emilazy commented Mar 6, 2020

thanks, forgot about the backport!

jluttine added a commit to jluttine/nixos-configuration that referenced this pull request Mar 15, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants