Merge pull request #147027 from Izorkin/update-nginx-ktls

nginxMainline: enable ktls support
2025-07-14 06:00:33 +03:00 · 2021-12-24 10:23:17 +00:00 · 2021-12-24 10:23:17 +00:00 · b0f154fd44
commit b0f154fd44
parent 3d91acc39a 2f66ac01e9
5 changed files with 29 additions and 2 deletions
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@ -317,9 +317,12 @@ let
          ${optionalString (hasSSL && vhost.sslTrustedCertificate != null) ''
            ssl_trusted_certificate ${vhost.sslTrustedCertificate};
          ''}
-          ${optionalString vhost.rejectSSL ''
+          ${optionalString (hasSSL && vhost.rejectSSL) ''
            ssl_reject_handshake on;
          ''}
+          ${optionalString (hasSSL && vhost.kTLS) ''
+            ssl_conf_command Options KTLS;
+          ''}

          ${mkBasicAuth vhostName vhost}

@ -824,6 +827,14 @@ in
        '';
      }

+      {
+        assertion = any (host: host.kTLS) (attrValues virtualHosts) -> versionAtLeast cfg.package.version "1.21.4";
+        message = ''
+          services.nginx.virtualHosts.<name>.kTLS requires nginx version
+          1.21.4 or above; see the documentation for services.nginx.package.
+        '';
+      }
+
      {
        assertion = all (host: !(host.enableACME && host.useACMEHost != null)) (attrValues virtualHosts);
        message = ''
@ -900,7 +911,7 @@ in
        PrivateMounts = true;
        # System Call Filtering
        SystemCallArchitectures = "native";
-        SystemCallFilter = "~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid @mincore";
+        SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid @mincore" ] ++ optionals (cfg.package != pkgs.tengine) [ "~@ipc" ];
      };
    };

--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
@ -147,6 +147,17 @@ with lib;
      '';
    };

+    kTLS = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to enable kTLS support.
+        Implementing TLS in the kernel (kTLS) improves performance by significantly
+        reducing the need for copying operations between user space and the kernel.
+        Required Nginx version 1.21.4 or later.
+      '';
+    };
+
    sslCertificate = mkOption {
      type = types.path;
      example = "/var/host.cert";