nginx module: clean up SSL/listen handling

This commit is contained in:
Robin Gloster 2017-08-08 20:48:41 +02:00
parent 56c1c527aa
commit 0371f2b5cc
GPG Key ID: D5C458DF6DD97EDF
2 changed files with 28 additions and 32 deletions


@ -130,22 +130,23 @@ let
vhosts = concatStringsSep "\n" (mapAttrsToList (vhostName: vhost: vhosts = concatStringsSep "\n" (mapAttrsToList (vhostName: vhost:
let let
ssl = with vhost; addSSL || onlySSL || enableSSL; onlySSL = vhost.onlySSL || vhost.enableSSL;
hasSSL = onlySSL || vhost.addSSL || vhost.forceSSL;
defaultListen = with vhost; defaultListen =
if listen != [] then listen if vhost.listen != [] then vhost.listen
else if onlySSL || enableSSL then else ((optionals hasSSL (
singleton { addr = "0.0.0.0"; port = 443; ssl = true; } singleton { addr = "0.0.0.0"; port = 443; ssl = true; }
++ optional enableIPv6 { addr = "[::]"; port = 443; ssl = true; } ++ optional enableIPv6 { addr = "[::]"; port = 443; ssl = true; }
else singleton { addr = "0.0.0.0"; port = 80; ssl = false; } )) ++ optionals (!onlySSL) (
++ optional enableIPv6 { addr = "[::]"; port = 80; ssl = false; } singleton { addr = "0.0.0.0"; port = 80; ssl = false; }
++ optional addSSL { addr = "0.0.0.0"; port = 443; ssl = true; } ++ optional enableIPv6 { addr = "[::]"; port = 80; ssl = false; }
++ optional (enableIPv6 && addSSL) { addr = "[::]"; port = 443; ssl = true; }; ));
hostListen = hostListen =
if !vhost.forceSSL if vhost.forceSSL
then defaultListen then filter (x: x.ssl) defaultListen
else filter (x: x.ssl) defaultListen; else defaultListen;
listenString = { addr, port, ssl, ... }: listenString = { addr, port, ssl, ... }:
"listen ${addr}:${toString port} " "listen ${addr}:${toString port} "
@ -155,9 +156,6 @@ let
redirectListen = filter (x: !x.ssl) defaultListen; redirectListen = filter (x: !x.ssl) defaultListen;
redirectListenString = { addr, ... }:
"listen ${addr}:80 ${optionalString vhost.default "default_server"};";
acmeLocation = '' acmeLocation = ''
location /.well-known/acme-challenge { location /.well-known/acme-challenge {
${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"} ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
@ -175,7 +173,7 @@ let
in '' in ''
${optionalString vhost.forceSSL '' ${optionalString vhost.forceSSL ''
server { server {
${concatMapStringsSep "\n" redirectListenString redirectListen} ${concatMapStringsSep "\n" listenString redirectListen}
server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases}; server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases};
${optionalString vhost.enableACME acmeLocation} ${optionalString vhost.enableACME acmeLocation}
@ -191,9 +189,9 @@ let
${optionalString vhost.enableACME acmeLocation} ${optionalString vhost.enableACME acmeLocation}
${optionalString (vhost.root != null) "root ${vhost.root};"} ${optionalString (vhost.root != null) "root ${vhost.root};"}
${optionalString (vhost.globalRedirect != null) '' ${optionalString (vhost.globalRedirect != null) ''
return 301 http${optionalString ssl "s"}://${vhost.globalRedirect}$request_uri; return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri;
''} ''}
${optionalString ssl '' ${optionalString hasSSL ''
ssl_certificate ${vhost.sslCertificate}; ssl_certificate ${vhost.sslCertificate};
ssl_certificate_key ${vhost.sslCertificateKey}; ssl_certificate_key ${vhost.sslCertificateKey};
''} ''}
@ -478,18 +476,15 @@ in
} }
{ {
assertion = all (conf: with conf; !(addSSL && (onlySSL || enableSSL))) (attrValues virtualHosts); assertion = all (conf: with conf;
!(addSSL && (onlySSL || enableSSL)) &&
!(forceSSL && (onlySSL || enableSSL)) &&
!(addSSL && forceSSL)
) (attrValues virtualHosts);
message = '' message = ''
Options services.nginx.service.virtualHosts.<name>.addSSL and Options services.nginx.service.virtualHosts.<name>.addSSL,
services.nginx.virtualHosts.<name>.onlySSL are mutually esclusive services.nginx.virtualHosts.<name>.onlySSL and services.nginx.virtualHosts.<name>.forceSSL
''; are mutually exclusive.
}
{
assertion = all (conf: with conf; forceSSL -> addSSL) (attrValues virtualHosts);
message = ''
Option services.nginx.virtualHosts.<name>.forceSSL requires
services.nginx.virtualHosts.<name>.addSSL set to true.
''; '';
} }
]; ];
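Review bot: With the new `hostListen = if vhost.forceSSL then filter (x: x.ssl) defaultListen else defaultListen`, a vhost that sets `forceSSL = true` together with a user-supplied `listen` containing only `ssl = false` entries ends up with an empty `hostListen`, so the main `server { … }` block is emitted with `ssl_certificate` directives but no `listen` directive at all; as far as I know nginx then falls back to its built-in default listen address, which would serve that vhost in plaintext rather than fail the build. The same silent outcome applies to `onlySSL`/`enableSSL` with a plain-only `listen`, and the mirror case (forceSSL with an ssl-only `listen`) leaves the redirect server without a listen. The assertion list rewritten in this hunk is the natural place to reject that configuration explicitly; note the `optionals hasSSL` / `optionals (!onlySSL)` defaults are only applied when `listen == []`, so the check is only needed for an explicit `listen`. Something like the entry below, appended next to the mutual-exclusion assertion, would turn the misconfiguration into an evaluation error.
```nix
{
  assertion = all (conf: with conf;
    (forceSSL || onlySSL || enableSSL) -> (listen == [] || any (x: x.ssl) listen)
  ) (attrValues virtualHosts);
  message = ''
    services.nginx.virtualHosts.<name>.listen must contain at least one entry with
    ssl = true when forceSSL, onlySSL or enableSSL is set.
  '';
}
```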


@ -96,8 +96,9 @@ with lib;
default = false; default = false;
description = '' description = ''
Whether to add a separate nginx server block that permanently redirects (301) Whether to add a separate nginx server block that permanently redirects (301)
all plain HTTP traffic to HTTPS. This option needs <literal>addSSL</literal> all plain HTTP traffic to HTTPS. This will set defaults for
to be set to true. <literal>listen</literal> to listen on all interfaces on the respective default
ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
''; '';
}; };