nginx: make enabling SSL port-specific #27426
Conversation
|
LGTM, but would it not be better to remain backwards-compatible by making enableSSL an alias for onlySSL? You can use |
|
Ok, a deprecation warning could be useful too. Is there a way? edit: I have found about |
(mkRenamedOptionModule [ "services" "nginx" "virtualHosts" "<name>" "enableSSL" ] [ "services" "nginx" "virtualHosts" "<name>" "onySSL" ])gives this error: |
|
I don't think it's possible, but you could just keep enableSSL a hidden setting that you logically OR with forceSSL to decide to force… |
|
@globin @rnhmjoj To make it work within a submodule you would have to make a new option named https://github.com/NixOS/nixpkgs/blob/master/lib/modules.nix#L669 |
|
Sorry but I don't understand. Can you show me an example? |
|
👌 LGTM, let's merge? |
|
Currently |
|
Can you make it OR together with .sslOnly? That way there's no breakage in
17.09 and we can remove it in the release after that…
…On Wed, Jul 26, 2017, 5:35 PM Michele Guerini Rocco < ***@***.***> wrote:
Currently .enableSSL = true; doesn't do anything besides triggering the
warning. Is it ok?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#27426 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AADWln2tajWZ-84Rhd39U9VbK8qAA3vGks5sR1y9gaJpZM4OZWMq>
.
|
|
Done. |
| + ";"; | ||
|
|
||
| redirectListen = filter (x: !x.ssl) defaultListen; |
There was a problem hiding this comment.
I think we need another assertion that there is a listen statement with and without ssl enabled. Otherwise there won't be any listen directives in either the redirect or host server block.
There was a problem hiding this comment.
I'm not sure I understand. forceSSL implies addSSL so at least hostListen should have an entry. How can they be both empty?
There was a problem hiding this comment.
@rnhmjoj Hmm, you can set forceSSL but not addSSL right? That would be wrong of course, but why not make addSSL be true if forceSSL is true? Or assert it at least?
There was a problem hiding this comment.
There is an assert:
assertion = all (conf: with conf; forceSSL -> addSSL) (attrValues virtualHosts);
message = ''
Option services.nginx.virtualHosts.<name>.forceSSL requires
services.nginx.virtualHosts.<name>.addSSL set to true.
'';
| @@ -70,12 +66,24 @@ with lib; | |||
| ''; | |||
| }; | |||
|
|
|||
| enableSSL = mkOption { | |||
| addSSL = mkOption { | |||
| type = types.bool; | |||
| default = false; | |||
| description = "Whether to enable SSL (https) support."; | |||
There was a problem hiding this comment.
Description proposal:
Whether to enable HTTPS in addition to plain HTTP. This will set defaults
for <literal>listen</literal> to listen on all interfaces on the
respective default ports (80, 443).
| visible = false; | ||
| default = false; | ||
| }; | ||
|
|
||
| forceSSL = mkOption { | ||
| type = types.bool; | ||
| default = false; |
There was a problem hiding this comment.
Description proposal:
Whether to add a separate nginx server block that permanently redirects (301) all
plain HTTP traffic to HTTPS. This option needs <literal>addSSL</literal> to be
set to true.
| onlySSL = mkOption { | ||
| type = types.bool; | ||
| default = false; | ||
| description = "Whether to enable SSL (https) support and reject plain (http) connections."; |
There was a problem hiding this comment.
Description proposal:
Whether to add a separate nginx server block that permanently redirects (301)
all plain HTTP traffic to HTTPS. This will set defaults for <literal>listen</literal>
to listen on all interfaces on port 443.
There was a problem hiding this comment.
I think you mixed up this one.
|
Missed that :) ok, 👍 👍 👍 from me!
…On Tue, Aug 1, 2017, 7:26 PM Michele Guerini Rocco ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In nixos/modules/services/web-servers/nginx/default.nix
<#27426 (comment)>:
> + ";";
+ redirectListen = filter (x: !x.ssl) defaultListen;
There is an assert:
assertion = all (conf: with conf; forceSSL -> addSSL) (attrValues virtualHosts);
message = ''
Option services.nginx.virtualHosts.<name>.forceSSL requires
services.nginx.virtualHosts.<name>.addSSL set to true.
'';
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#27426 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AADWlvsu2EqAAkYf6_wCJMO9umVtp38Aks5sT1_TgaJpZM4OZWMq>
.
|
|
Merged since no further comments, thanks! |
instead of redeclaring part of the options. Backward-compatible change. This gives the same flexibility to the user as nginx itself. This also resolves the piwik module break from nginx' enableSSL introduction from NixOS#27426.
Motivation for this change
Fix issues #27338, #27442, #25533 and possibly #23711
This PR implements @globin's suggestion about SSL:
addSSL: add a listen port on *:443 keeping *:80 and every other address/portonlySSL: listen only on *:443forceSSL: redirects *:80 (and every other non-ssl port) to *:443addSSLandonlySSLare mutually exclusive whileforceSSLneedsaddSSL.Moreover one can freely configure the virtual host using the
listenoption directly.Things done
addSSL,onlySSLandforceSSLenableACMEI had to move out the default value for
config.nginx.virtualHost.<name>.listenbecause I don't know how to access the configuration inside a submodule. Is there a way? I would like to see what's the default fromman configuration.nixwhen possible.cc @globin @fpletz