New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/nginx: use Mozilla Intermediate TLS configuration #81891
Conversation
1c4d541
to
08c75f3
Compare
The configuration at https://ssl-config.mozilla.org/#server=nginx&config=intermediate is reliably kept up-to-date in terms of security and compatible with a wide range of clients. They've probably had more care and thought put into them than our defaults, and will be easier to keep updated in the future. The only removed (rather than changed) configuration option here is ssl_ecdh_curve, per mozilla/server-side-tls#189. Resolves NixOS#80952.
08c75f3
to
4ed98d6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I also had a similar commit in the pipeline: Mic92@3b698d9
Chosen options looks good to me.
@GrahamcOfBorg test nginx |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good!
backport pr #81902 |
thanks, forgot about the backport! |
Motivation for this change
The configuration at https://ssl-config.mozilla.org/#server=nginx&config=intermediate
is reliably kept up-to-date in terms of security and compatible with a
wide range of clients. They've probably had more care and thought put
into them than our defaults, and will be easier to keep updated in
the future.
The only removed (rather than changed) configuration option here is
ssl_ecdh_curve, per mozilla/server-side-tls#189.
Resolves #80952.
cc @infinisil @fpletz
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)