
nixos/nginx: add option rejectSSL exposing ssl_reject_handshake

This commit is contained in:
Naïm Favier 2021-04-11 19:43:39 +02:00
parent 4f51b501fe
commit 821ca7d4cc
No known key found for this signature in database
GPG key ID: 49B07322580B7EE2
2 changed files with 36 additions and 14 deletions


@ -230,13 +230,13 @@ let
defaultListen = defaultListen =
if vhost.listen != [] then vhost.listen if vhost.listen != [] then vhost.listen
else ((optionals hasSSL ( else optionals (hasSSL || vhost.rejectSSL) (
singleton { addr = "0.0.0.0"; port = 443; ssl = true; } singleton { addr = "0.0.0.0"; port = 443; ssl = true; }
++ optional enableIPv6 { addr = "[::]"; port = 443; ssl = true; } ++ optional enableIPv6 { addr = "[::]"; port = 443; ssl = true; }
)) ++ optionals (!onlySSL) ( ) ++ optionals (!onlySSL) (
singleton { addr = "0.0.0.0"; port = 80; ssl = false; } singleton { addr = "0.0.0.0"; port = 80; ssl = false; }
++ optional enableIPv6 { addr = "[::]"; port = 80; ssl = false; } ++ optional enableIPv6 { addr = "[::]"; port = 80; ssl = false; }
)); );
hostListen = hostListen =
if vhost.forceSSL if vhost.forceSSL
@ -303,6 +303,9 @@ let
${optionalString (hasSSL && vhost.sslTrustedCertificate != null) '' ${optionalString (hasSSL && vhost.sslTrustedCertificate != null) ''
ssl_trusted_certificate ${vhost.sslTrustedCertificate}; ssl_trusted_certificate ${vhost.sslTrustedCertificate};
''} ''}
${optionalString vhost.rejectSSL ''
ssl_reject_handshake on;
''}
${mkBasicAuth vhostName vhost} ${mkBasicAuth vhostName vhost}
@ -771,20 +774,27 @@ in
} }
{ {
assertion = all (conf: with conf; assertion = all (host: with host;
!(addSSL && (onlySSL || enableSSL)) && count id [ addSSL (onlySSL || enableSSL) forceSSL rejectSSL ] <= 1
!(forceSSL && (onlySSL || enableSSL)) &&
!(addSSL && forceSSL)
) (attrValues virtualHosts); ) (attrValues virtualHosts);
message = '' message = ''
Options services.nginx.service.virtualHosts.<name>.addSSL, Options services.nginx.service.virtualHosts.<name>.addSSL,
services.nginx.virtualHosts.<name>.onlySSL and services.nginx.virtualHosts.<name>.forceSSL services.nginx.virtualHosts.<name>.onlySSL,
are mutually exclusive. services.nginx.virtualHosts.<name>.forceSSL and
services.nginx.virtualHosts.<name>.rejectSSL are mutually exclusive.
''; '';
} }
{ {
assertion = all (conf: !(conf.enableACME && conf.useACMEHost != null)) (attrValues virtualHosts); assertion = any (host: host.rejectSSL) (attrValues virtualHosts) -> versionAtLeast cfg.package.version "1.19.4";
message = ''
services.nginx.virtualHosts.<name>.rejectSSL requires nginx version
1.19.4 or above; see the documentation for services.nginx.package.
'';
}
{
assertion = all (host: !(host.enableACME && host.useACMEHost != null)) (attrValues virtualHosts);
message = '' message = ''
Options services.nginx.service.virtualHosts.<name>.enableACME and Options services.nginx.service.virtualHosts.<name>.enableACME and
services.nginx.virtualHosts.<name>.useACMEHost are mutually exclusive. services.nginx.virtualHosts.<name>.useACMEHost are mutually exclusive.
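Review bot: In the `ssl_reject_handshake on;` hunk the directive is emitted whenever `vhost.rejectSSL` is set, independent of whether the server block actually has an `ssl = true` listener — the defaultListen change only kicks in when `vhost.listen == []`, so a vhost with an explicit plain-HTTP `listen` gets the directive in a block where it is never exercised and keeps serving as before. The option's stated purpose is to stop a catch-all block from presenting another vhost's certificate, but nginx applies the rejecting block to an unmatched SNI name only when it is the block selected for that socket (the one marked default, otherwise the first declared), so a rejectSSL vhost without `default = true` does not change which certificate is offered. Worth either an assertion that rejectSSL implies an ssl listener, or a comment at the directive such as `# only effective on an ssl listener; pair with default = true so unmatched SNI names land here`. The definition of hasSSL is outside these hunks, so whether rejectSSL alone correctly leaves the certificate directives out is inferred from the `optionals (hasSSL || vhost.rejectSSL)` listen change rather than verified.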


@ -118,6 +118,18 @@ with lib;
''; '';
}; };
rejectSSL = mkOption {
type = types.bool;
default = false;
description = ''
Whether to listen for and reject all HTTPS connections to this vhost. Useful in
<link linkend="opt-services.nginx.virtualHosts._name_.default">default</link>
server blocks to avoid serving the certificate for another vhost. Uses the
<literal>ssl_reject_handshake</literal> directive available in nginx versions
1.19.4 and above.
'';
};
sslCertificate = mkOption { sslCertificate = mkOption {
type = types.path; type = types.path;
example = "/var/host.cert"; example = "/var/host.cert";