alioth/nixpkgs
3
0
Fork 0
forked from mirrors/nixpkgs
Code Releases Activity

nixos/nginx: ensure TLS OCSP stapling works out of the box with LE

Browse source 
The recommended TLS configuration comes with `ssl_stapling on` and
`ssl_stapling_verify on`. However, this last directive also requires
the use of `ssl_trusted_certificate` to verify the received answer.
When using `enableACME` or similar, we can help the user by providing
the correct value for the directive.

The result can be tested with:

    openssl s_client -connect web.example.com:443 -status 2> /dev/null

Without OCSP stapling, we get:

    OCSP response: no response sent

After this change, we get:

    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Produced At: Aug 30 20:46:00 2018 GMT
This commit is contained in:
Vincent Bernat 2018-08-30 22:33:56 +02:00
parent 2a606200bc
commit 1251b34b5b
2 changed files with 12 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
nixos/modules/services/web-servers/nginx/default.nix
View file

@ -16,9 +16,11 @@ let
} // (optionalAttrs vhostConfig.enableACME { } // (optionalAttrs vhostConfig.enableACME {
sslCertificate = "${acmeDirectory}/${serverName}/fullchain.pem"; sslCertificate = "${acmeDirectory}/${serverName}/fullchain.pem";
sslCertificateKey = "${acmeDirectory}/${serverName}/key.pem"; sslCertificateKey = "${acmeDirectory}/${serverName}/key.pem";
sslTrustedCertificate = "${acmeDirectory}/${serverName}/full.pem";
}) // (optionalAttrs (vhostConfig.useACMEHost != null) { }) // (optionalAttrs (vhostConfig.useACMEHost != null) {
sslCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem"; sslCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem";
sslCertificateKey = "${acmeDirectory}/${vhostConfig.useACMEHost}/key.pem"; sslCertificateKey = "${acmeDirectory}/${vhostConfig.useACMEHost}/key.pem";
sslTrustedCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/full.pem";
}) })
) cfg.virtualHosts; ) cfg.virtualHosts;
enableIPv6 = config.networking.enableIPv6; enableIPv6 = config.networking.enableIPv6;
@ -228,6 +230,9 @@ let
ssl_certificate ${vhost.sslCertificate}; ssl_certificate ${vhost.sslCertificate};
ssl_certificate_key ${vhost.sslCertificateKey}; ssl_certificate_key ${vhost.sslCertificateKey};
''} ''}
${optionalString (hasSSL && vhost.sslTrustedCertificate != null) ''
ssl_trusted_certificate ${vhost.sslTrustedCertificate};
''}
${optionalString (vhost.basicAuthFile != null || vhost.basicAuth != {}) '' ${optionalString (vhost.basicAuthFile != null || vhost.basicAuth != {}) ''
auth_basic secured; auth_basic secured;

7
nixos/modules/services/web-servers/nginx/vhost-options.nix
View file

@ -129,6 +129,13 @@ with lib;
description = "Path to server SSL certificate key."; description = "Path to server SSL certificate key.";
}; };
sslTrustedCertificate = mkOption {
type = types.path;
default = null;
example = "/var/root.cert";
description = "Path to root SSL certificate for stapling and client certificates.";
};
http2 = mkOption { http2 = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;