movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-25 18:46:32 +03:00
Code Activity
nixpkgs/nixos/modules/services/web-servers/h2o/common.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

47 lines
1.7 KiB
Nix
Raw Normal View History

nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project
2025-02-23 17:35:25 +07:00
{ lib }:
{
tlsRecommendationsOption = lib.mkOption {
type = lib.types.nullOr (
lib.types.enum [
"modern"
"intermediate"
"old"
]
);
default = null;
example = "intermediate";
description = ''
By default, H2O, without prejudice, will use as many TLS versions &
cipher suites as it & the TLS library (OpenSSL) can support. The user is
expected to hone settings for the security of their server. Setting some
constraints is recommended, & if unsure about what TLS settings to use,
this option gives curated TLS settings recommendations from Mozillas
SSL Configuration Generator project (see
<https://ssl-config.mozilla.org>) or read more at Mozillas Wiki (see
<https://wiki.mozilla.org/Security/Server_Side_TLS>).
modern
: Services with clients that support TLS 1.3 & dont need backward
compatibility
intermediate
: General-purpose servers with a variety of clients, recommended for
almost all systems
old
: Compatible with a number of very old clients, & should be used only as
a last resort
The default for all virtual hosts can be set with
services.h2o.defaultTLSRecommendations, but this value can be overridden
on a per-host basis using services.h2o.hosts.<name>.tls.recommmendations.
The settings will also be overidden by manual values set with
services.settings.h2o.hosts.<name>.tls.extraSettings.
NOTE: older/weaker ciphers might require overriding the OpenSSL version
of H2O (such as `openssl_legacy`). This can be done with
sevices.settings.h2o.package.
'';
};
}
Copy permalink