Commit Graph

19 Commits

Author SHA1 Message Date
Jappie Klooster
e576c3b385 doc: Fix insecure nginx docs (#51840) 2018-12-11 11:02:56 +00:00
Uli Baum
15e6e1ff6f nixos/nginx: fix type of sslTrustedCertificate option
The option was added in 1251b34b5b
with type `types.path` but default `null`, so eval failed with
the default setting. This broke the acme and certmgr tests.

cc: @vincentbernat @fpletz
2018-09-02 01:35:59 +02:00
Vincent Bernat
1251b34b5b nixos/nginx: ensure TLS OCSP stapling works out of the box with LE
The recommended TLS configuration comes with `ssl_stapling on` and
`ssl_stapling_verify on`. However, this last directive also requires
the use of `ssl_trusted_certificate` to verify the received answer.
When using `enableACME` or similar, we can help the user by providing
the correct value for the directive.

The result can be tested with:

    openssl s_client -connect web.example.com:443 -status 2> /dev/null

Without OCSP stapling, we get:

    OCSP response: no response sent

After this change, we get:

    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Produced At: Aug 30 20:46:00 2018 GMT
2018-08-30 22:47:41 +02:00
volth
2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
Jan Tojnar
bd648f321c
nixos/nginx: emphasize that useACMEHost does not create certs
It was not entirely clean that `services.nginx.virtualHosts.<name>.useACMEHost` does not create certificates, see https://github.com/NixOS/nixpkgs/issues/40593
2018-05-17 20:48:02 +02:00
Ben Wolsieffer
4d40adb86d nginx: allow basic auth passwords to be specified in a file 2018-04-25 15:37:09 +02:00
Jan Tojnar
41d252d7a4
nixos/nginx: allow using existing ACME certificate
When a domain has a lot of subdomains, it is quite easy to hit the rate limit:

https://letsencrypt.org/docs/rate-limits/

Instead you can define the certificate manually in `security.acme.certs` and list the subdomains in the `extraDomains` option.
2018-01-15 13:48:45 +01:00
Niklas Hambüchen
afa97cb981 nginx service: Make http2 an option.
HTTP 2 can break some things, for example due to this Chrome bug:

  https://bugs.chromium.org/p/chromium/issues/detail?id=796199

So the service hardcoding it to be enabled is not helpful.

This commit adds an option so you can turn it off.
2017-12-19 19:59:15 +01:00
Jan Tojnar
3c48a1e06d nixos/services.nginx: Fix globalRedirect example
Virtual host globalRedirect attribute accepts a hostname not a URL

09a9a472ee/nixos/modules/services/web-servers/nginx/default.nix (L167)
2017-10-22 15:38:08 +02:00
Robin Gloster
0371f2b5cc
nginx module: clean up SSL/listen handling 2017-08-30 21:01:52 +02:00
rnhmjoj
a912a6a291
nginx: make enabling SSL port-specific 2017-07-27 03:45:53 +02:00
rnhmjoj
e40f3bea3e
nginx: make listen addresses configurable 2017-07-14 21:26:54 +02:00
Bob van der Linden
d9987f360a nginx: added serverName option for virtualHosts
This allows overriding the `server_name` attribute of virtual
hosts. By doing so it is possible to have multiple virtualHost
definitions that share the same `server_name`. This is useful in
particular when you need a HTTP as well as a HTTPS virtualhost: same
server_name, different port.
2017-01-25 14:55:55 +01:00
Alexander Ried
e84b803300 security.acme: remove loop when no fallbackHost is given 2016-09-06 17:47:00 +02:00
Robin Gloster
5dd7cf964a nginx module: improve documentation 2016-07-28 11:59:13 +00:00
Robin Gloster
3830a890ab nginx module: add option to make vhost default 2016-07-28 11:59:13 +00:00
Franz Pletz
4e5c7913e9 nginx module: Add acmeFallbackHost vhost option 2016-07-28 11:59:13 +00:00
Tristan Helmich
4676983990 nginx module: Add ACME support for ssl sites 2016-07-28 11:59:13 +00:00
Robin Gloster
f298be9ef4 nginx module: declarative config 2016-07-28 11:58:37 +00:00