Merge pull request #85043 from aanderse/httpd-2020

nixos/httpd: modernize module standards
Aaron Andersen 2020-04-25 20:04:05 -04:00 committed by GitHub
commit 16ab83760f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 44 additions and 20 deletions


@ -266,6 +266,25 @@ environment.systemPackages = [
</programlisting>
</para>
</listitem>
<listitem>
<para>
The httpd web server previously started its main process as root
privileged, then ran worker processes as a less privileged identity user.
This was changed to start all of httpd as a less privileged user (defined by
<xref linkend="opt-services.httpd.user"/> and
<xref linkend="opt-services.httpd.group"/>). As a consequence, all files that
are needed for httpd to run (included configuration fragments, SSL
certificates and keys, etc.) must now be readable by this less privileged
user/group.
</para>
<para>
The default value for <xref linkend="opt-services.httpd.mpm"/>
has been changed from <literal>prefork</literal> to <literal>event</literal>. Along with
this change the default value for
<link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;.http2</link>
has been set to <literal>true</literal>.
</para>
</listitem>
</itemizedlist>
</section>


@ -41,9 +41,9 @@ let
"mime" "autoindex" "negotiation" "dir"
"alias" "rewrite"
"unixd" "slotmem_shm" "socache_shmcb"
"mpm_${cfg.multiProcessingModule}"
"mpm_${cfg.mpm}"
]
++ (if cfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
++ (if cfg.mpm == "prefork" then [ "cgi" ] else [ "cgid" ])
++ optional enableHttp2 "http2"
++ optional enableSSL "ssl"
++ optional enableUserDir "userdir"
@ -264,7 +264,7 @@ let
PidFile ${runtimeDir}/httpd.pid
${optionalString (cfg.multiProcessingModule != "prefork") ''
${optionalString (cfg.mpm != "prefork") ''
# mod_cgid requires this.
ScriptSock ${runtimeDir}/cgisock
''}
@ -350,6 +350,7 @@ in
imports = [
(mkRemovedOptionModule [ "services" "httpd" "extraSubservices" ] "Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.")
(mkRemovedOptionModule [ "services" "httpd" "stateDir" ] "The httpd module now uses /run/httpd as a runtime directory.")
(mkRenamedOptionModule [ "services" "httpd" "multiProcessingModule" ] [ "services" "httpd" "mpm" ])
# virtualHosts options
(mkRemovedOptionModule [ "services" "httpd" "documentRoot" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
@ -454,7 +455,13 @@ in
type = types.str;
default = "wwwrun";
description = ''
User account under which httpd runs.
User account under which httpd children processes run.
If you require the main httpd process to run as
<literal>root</literal> add the following configuration:
<programlisting>
systemd.services.httpd.serviceConfig.User = lib.mkForce "root";
</programlisting>
'';
};
@ -462,7 +469,7 @@ in
type = types.str;
default = "wwwrun";
description = ''
Group under which httpd runs.
Group under which httpd children processes run.
'';
};
@ -539,20 +546,19 @@ in
'';
};
multiProcessingModule = mkOption {
mpm = mkOption {
type = types.enum [ "event" "prefork" "worker" ];
default = "prefork";
default = "event";
example = "worker";
description =
''
Multi-processing module to be used by Apache. Available
modules are <literal>prefork</literal> (the default;
handles each request in a separate child process),
<literal>worker</literal> (hybrid approach that starts a
number of child processes each running a number of
threads) and <literal>event</literal> (a recent variant of
<literal>worker</literal> that handles persistent
connections more efficiently).
modules are <literal>prefork</literal> (handles each
request in a separate child process), <literal>worker</literal>
(hybrid approach that starts a number of child processes
each running a number of threads) and <literal>event</literal>
(the default; a recent variant of <literal>worker</literal>
that handles persistent connections more efficiently).
'';
};
@ -652,7 +658,7 @@ in
services.httpd.phpOptions =
''
; Needed for PHP's mail() function.
sendmail_path = sendmail -t -i
sendmail_path = ${pkgs.system-sendmail}/bin/sendmail -t -i
; Don't advertise PHP
expose_php = off
@ -703,9 +709,7 @@ in
wants = concatLists (map (hostOpts: [ "acme-${hostOpts.hostName}.service" "acme-selfsigned-${hostOpts.hostName}.service" ]) vhostsACME);
after = [ "network.target" "fs.target" ] ++ map (hostOpts: "acme-selfsigned-${hostOpts.hostName}.service") vhostsACME;
path =
[ pkg pkgs.coreutils pkgs.gnugrep ]
++ optional cfg.enablePHP pkgs.system-sendmail; # Needed for PHP's mail() function.
path = [ pkg pkgs.coreutils pkgs.gnugrep ];
environment =
optionalAttrs cfg.enablePHP { PHPRC = phpIni; }
@ -725,7 +729,7 @@ in
ExecStart = "@${pkg}/bin/httpd httpd -f ${httpdConf}";
ExecStop = "${pkg}/bin/httpd -f ${httpdConf} -k graceful-stop";
ExecReload = "${pkg}/bin/httpd -f ${httpdConf} -k graceful";
User = "root";
User = cfg.user;
Group = cfg.group;
Type = "forking";
PIDFile = "${runtimeDir}/httpd.pid";
@ -733,6 +737,7 @@ in
RestartSec = "5s";
RuntimeDirectory = "httpd httpd/runtime";
RuntimeDirectoryMode = "0750";
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
};
};
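Review bot: `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]` in the last hunk lands in the process's ambient capability set, which is preserved across execve of ordinary binaries, so with `User = cfg.user` every program httpd spawns — CGI scripts through the cgi/cgid module selected near the top of this file, or the sendmail now wired into `sendmail_path` for PHP's mail() — would presumably keep that capability unless httpd clears its ambient set before exec, which nothing here shows. A bounding line next to the new one, `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];`, limits the damage, and the new line deserves a why-comment such as `# httpd no longer starts as root, so it needs this to bind ports below 1024`. Relatedly, the reworded `user` and `group` descriptions in the earlier hunks still say the account is for "children processes", although after this change the main process runs as it too; `User account under which httpd runs (the main process and its children).` would match the release note. The enclosing serviceConfig and systemd.services.httpd attribute sets begin outside the hunk.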


@ -137,7 +137,7 @@ in
http2 = mkOption {
type = types.bool;
default = false;
default = true;
description = ''
Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. <emphasis>However, if you use the prefork mpm, there will
be severe restrictions.</emphasis> Refer to <link xlink:href="https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config"/> for details.
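Review bot: Changing `default = true` for http2 couples this default to a setting this file cannot see: the description on the two lines below it warns that HTTP/2 with the prefork MPM has severe restrictions, and prefork remains selectable through `services.httpd.mpm`. If the top-level httpd config is reachable from this options module, a default of `cfg.mpm != "prefork"` (with a matching `defaultText`) would keep the two consistent; otherwise an assertion in default.nix that rejects http2 = true together with mpm = "prefork" would surface the mismatch at evaluation time rather than at runtime. The option's closing `'';` and `};` lie outside the hunk.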