-
-
Notifications
You must be signed in to change notification settings - Fork 12.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nginx: make enabling SSL port-specific #27426
Conversation
LGTM, but would it not be better to remain backwards-compatible by making enableSSL an alias for onlySSL? You can use |
Ok, a deprecation warning could be useful too. Is there a way? edit: I have found about |
(mkRenamedOptionModule [ "services" "nginx" "virtualHosts" "<name>" "enableSSL" ] [ "services" "nginx" "virtualHosts" "<name>" "onySSL" ]) gives this error:
|
I don't think it's possible, but you could just keep enableSSL a hidden setting that you logically OR with forceSSL to decide to force… |
@globin @rnhmjoj To make it work within a submodule you would have to make a new option named https://github.com/NixOS/nixpkgs/blob/master/lib/modules.nix#L669 |
Sorry but I don't understand. Can you show me an example? |
👌 LGTM, let's merge? |
Currently |
Can you make it OR together with .sslOnly? That way there's no breakage in
17.09 and we can remove it in the release after that…
…On Wed, Jul 26, 2017, 5:35 PM Michele Guerini Rocco < ***@***.***> wrote:
Currently .enableSSL = true; doesn't do anything besides triggering the
warning. Is it ok?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#27426 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AADWln2tajWZ-84Rhd39U9VbK8qAA3vGks5sR1y9gaJpZM4OZWMq>
.
|
Done. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks a lot! LGTM overall but see my comments.
+ ";"; | ||
|
||
redirectListen = filter (x: !x.ssl) defaultListen; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we need another assertion that there is a listen statement with and without ssl enabled. Otherwise there won't be any listen directives in either the redirect or host server block.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure I understand. forceSSL
implies addSSL
so at least hostListen
should have an entry. How can they be both empty?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ping
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rnhmjoj Hmm, you can set forceSSL
but not addSSL
right? That would be wrong of course, but why not make addSSL
be true if forceSSL
is true? Or assert it at least?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is an assert:
assertion = all (conf: with conf; forceSSL -> addSSL) (attrValues virtualHosts);
message = ''
Option services.nginx.virtualHosts.<name>.forceSSL requires
services.nginx.virtualHosts.<name>.addSSL set to true.
'';
@@ -70,12 +66,24 @@ with lib; | |||
''; | |||
}; | |||
|
|||
enableSSL = mkOption { | |||
addSSL = mkOption { | |||
type = types.bool; | |||
default = false; | |||
description = "Whether to enable SSL (https) support."; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Description proposal:
Whether to enable HTTPS in addition to plain HTTP. This will set defaults
for <literal>listen</literal> to listen on all interfaces on the
respective default ports (80, 443).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you.
visible = false; | ||
default = false; | ||
}; | ||
|
||
forceSSL = mkOption { | ||
type = types.bool; | ||
default = false; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Description proposal:
Whether to add a separate nginx server block that permanently redirects (301) all
plain HTTP traffic to HTTPS. This option needs <literal>addSSL</literal> to be
set to true.
onlySSL = mkOption { | ||
type = types.bool; | ||
default = false; | ||
description = "Whether to enable SSL (https) support and reject plain (http) connections."; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Description proposal:
Whether to add a separate nginx server block that permanently redirects (301)
all plain HTTP traffic to HTTPS. This will set defaults for <literal>listen</literal>
to listen on all interfaces on port 443.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you mixed up this one.
Missed that :) ok, 👍 👍 👍 from me!
…On Tue, Aug 1, 2017, 7:26 PM Michele Guerini Rocco ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In nixos/modules/services/web-servers/nginx/default.nix
<#27426 (comment)>:
> + ";";
+ redirectListen = filter (x: !x.ssl) defaultListen;
There is an assert:
assertion = all (conf: with conf; forceSSL -> addSSL) (attrValues virtualHosts);
message = ''
Option services.nginx.virtualHosts.<name>.forceSSL requires
services.nginx.virtualHosts.<name>.addSSL set to true.
'';
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#27426 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AADWlvsu2EqAAkYf6_wCJMO9umVtp38Aks5sT1_TgaJpZM4OZWMq>
.
|
Merged since no further comments, thanks! |
instead of redeclaring part of the options. Backward-compatible change. This gives the same flexibility to the user as nginx itself. This also resolves the piwik module break from nginx' enableSSL introduction from NixOS#27426.
Motivation for this change
Fix issues #27338, #27442, #25533 and possibly #23711
This PR implements @globin's suggestion about SSL:
addSSL
: add a listen port on *:443 keeping *:80 and every other address/portonlySSL
: listen only on *:443forceSSL
: redirects *:80 (and every other non-ssl port) to *:443addSSL
andonlySSL
are mutually exclusive whileforceSSL
needsaddSSL
.Moreover one can freely configure the virtual host using the
listen
option directly.Things done
addSSL
,onlySSL
andforceSSL
enableACME
I had to move out the default value for
config.nginx.virtualHost.<name>.listen
because I don't know how to access the configuration inside a submodule. Is there a way? I would like to see what's the default fromman configuration.nix
when possible.cc @globin @fpletz