3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

151 commits

Author SHA1 Message Date
Maciej Krüger 9530794548
nginx: add vhost.http3
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
2021-04-18 20:20:24 +02:00
Sandro 0139874db9
nixos/nginx: add upstreams examples (#118447)
* nixos/nginx: add upstreams examples

I am not fully sure if they are fully correct but they deployed the right syntax.

* nixos/nginx: use literal example

* Update nixos/modules/services/web-servers/nginx/default.nix

* Update nixos/modules/services/web-servers/nginx/default.nix
2021-04-17 00:25:03 +02:00
talyz 06dee38345
Revert "nixos/nginx: fix eval for tengine"
This reverts commit 2d3200e010.
2021-04-14 16:34:10 +02:00
Sandro 39060b241c
Merge pull request #118445 from SuperSandro2000/SuperSandro2000-patch-3 2021-04-12 17:18:50 +02:00
Kim Lindberger 5a1bd5ff66
Merge pull request #116074 from talyz/discourse
discourse: Add package and NixOS module
2021-04-08 14:19:49 +02:00
Sandro fb9a2414dc nixos/nginx: use http 1.1 in "recommended" proxySettings
This allows http keep-alive by default which requires http 1.1.
2021-04-05 05:30:18 +02:00
talyz 46d935a4ce
nixos/nginx: Add an option to specify additional third-party modules 2021-04-04 13:44:36 +02:00
Sandro db5a15676c
nixos/nginx: set "recommended" proxy timeouts to 60s
According to the nginx documentation [1] those values  cannot usually exceed 75 seconds.
The defaults are 60s and should probably be lowered to something reasonable like 20 or 30 seconds.

[1] https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout
2021-04-04 07:47:45 +02:00
ajs124 2d3200e010 nixos/nginx: fix eval for tengine 2021-03-10 01:23:11 +01:00
Aaron Andersen 9798ed1a3d
Merge pull request #111011 from waldheinz/nginx-mem-write-exec
nixos/nginx: fix MemoryDenyWriteExecute not being disabled when needed
2021-03-03 07:19:35 -05:00
Martin Weinelt 47901b544c
Merge pull request #111302 from fooker/pr/nginx-default-type
nixos/nginx: serve unknown MIME-Types as binary
2021-02-09 01:44:47 +01:00
Fritz Otlinghaus a55d0b80ff
nixos/nginx: add logError type 2021-01-31 11:37:38 +01:00
Dustin Frisch 891d1aa885
nixos/nginx: serve unknown MIME-Types as binary
The built-in default for unknown MIME-Types is `text/plain` whereas the
upstream default config changes it to `application/octet-stream`. By
changing the default tpye, unknown files will be downloaded by browsers
instead of being displayed.
2021-01-30 12:52:02 +01:00
Matthias Treydte 7d2829c0a0 nixos/nginx: fix MemoryDenyWriteExecute not being disabled when needed
The expression should check if the actually used nginx package
needes write+execute rights, not the default pkgs.nginx (which
has no modules unless overridden in an overlay).

Having MemoryDenyWriteExecute always true causes e.g. the Lua
module to fail (because JIT compilation).
2021-01-28 13:13:31 +01:00
Kevin Cox 8455fa3bca
Merge pull request #105347 from Mic92/nginx
nixos/nginx: add streamConfig option
2021-01-07 08:46:29 -05:00
Alyssa Ross 178ec8974f nixos/nginx: allow overriding fastcgi params
By default in Nginx, if you want to override a single fastcgi_param,
you have to override all of them.  This is less of a big deal if
you're editing the Nginx configuration directly, but when you're
generating the Nginx configuration with Nix it can be very annoying to
bloat your configuration repeating the default values of FastCGI
parameters every time.

This patch adds a fastcgiParams option to Nginx locations.  If any
parameters are set through this, all the default values will be
included as well, so only the ones that are changing need to be
supplied.  There's no way to use fastcgiParams to actually override
all parameters if that's what you want, but I think that's a niche use
case and it's still possible using extraConfig, which up until now was
the only option

Nginx allows the fastcgi_param directive in http and server scopes as
well as location, but here I only support location.  It would be
possible to support the others, but I don't think it's worth it.  It
would be a possible future enhancement if somebody has a need for it.
2021-01-05 03:36:18 +00:00
Maximilian Bosch 55ef9612a2
nixos/nginx: improve documentation for config
Unfortunately, I had a use-case where `services.nginx.config` was
necessary quite recently. While working on that config I had to look up
the module's code to understand which options can be used and which
don't.

To slightly improve the situation, I changed the documentation like
this:

* Added `types.str` as type since `config` is not mergeable on purpose.
  It must be a string as it's rendered verbatim into `nginx.conf` and if
  the type is `unspecified`, it can be confused with RFC42-like options.

* Mention which config options that don't generate config in
  `nginx.conf` are NOT mutually exclusive.
2020-12-06 17:26:13 +01:00
Jörg Thalheim 6f330ccedf
nixos/nginx: add streamConfig option 2020-11-29 10:55:01 +01:00
Graham Christensen c7bf3828f0
nginx: add basic auth support for locations 2020-11-02 08:16:00 -05:00
Graham Christensen 33cf4f0e8e
nginx: factor out the generation of basic auth generation 2020-11-02 08:16:00 -05:00
lf- b37bbca521 nixos/modules: fix systemd start rate-limits
These were broken since 2016:
f0367da7d1
since StartLimitIntervalSec got moved into [Unit] from [Service].
StartLimitBurst has also been moved accordingly, so let's fix that one
too.

NixOS systems have been producing logs such as:
/nix/store/wf98r55aszi1bkmln1lvdbp7znsfr70i-unit-caddy.service/caddy.service:31:
Unknown key name 'StartLimitIntervalSec' in section 'Service', ignoring.

I have also removed some unnecessary duplication in units disabling
rate limiting since setting either interval or burst to zero disables it
(ad16158c10/src/basic/ratelimit.c (L16))
2020-10-31 01:35:56 -07:00
Aneesh Agrawal 924035bb97 nixos/nginx: Allow unsetting ssl_ciphers
When using the Modern config from the Mozilla SSL config generator,
the `ssl_ciphers` parameter does not need to be set
as only TLSv1.3 is permitted and all of its ciphers are reasonable.
2020-10-26 00:35:29 -04:00
Dustin Frisch 762ca640c4
nixos/nginx: Do not remove headers while proxying
Removing the `Accept-Encoding` header breaks applications which may
produce already compressed content.

Removing this header is staded in the nginx docs but is ment as an
example, not as an recomendation.
2020-10-16 12:50:52 +02:00
Izorkin 535896671b
nixos/nginx: remove option enableSandbox 2020-09-10 08:19:20 +03:00
Lucas Savva 982c5a1f0e
nixos/acme: Restructure module
- Use an acme user and group, allow group override only
- Use hashes to determine when certs actually need to regenerate
- Avoid running lego more than necessary
- Harden permissions
- Support "systemctl clean" for cert regeneration
- Support reuse of keys between some configuration changes
- Permissions fix services solves for previously root owned certs
- Add a note about multiple account creation and emails
- Migrate extraDomains to a list
- Deprecate user option
- Use minica for self-signed certs
- Rewrite all tests

I thought of a few more cases where things may go wrong,
and added tests to cover them. In particular, the web server
reload services were depending on the target - which stays alive,
meaning that the renewal timer wouldn't be triggering a reload
and old certs would stay on the web servers.

I encountered some problems ensuring that the reload took place
without accidently triggering it as part of the test. The sync
commands I added ended up being essential and I'm not sure why,
it seems like either node.succeed ends too early or there's an
oddity of the vm's filesystem I'm not aware of.

- Fix duplicate systemd rules on reload services

Since useACMEHost is not unique to every vhost, if one cert
was reused many times it would create duplicate entries in
${server}-config-reload.service for wants, before and
ConditionPathExists
2020-09-02 19:22:43 +01:00
Florian Klink 300049ca51 nixos/nginx: move configuration testing script into reload command
nginx -t not only verifies configuration, but also creates (and chowns)
files. When the `nginx-config-reload` service is used, this can cause
directories to be chowned to `root`, causing nginx to fail.

This moves the nginx -t command into a second ExecReload command, which
runs as nginx's user. While fixing above issue, this will also cause the
configuration to be verified when running `systemctl reload nginx`, not
only when restarting the dummy `nginx-config-reload` unit. The latter is
mostly a workaround for missing features in our activation script
anyways.
2020-08-12 18:13:29 +02:00
Arian van Putten 681cc105ce nixos/acme: Make sure nginx is running before certs are requested
This fixes https://github.com/NixOS/nixpkgs/issues/81842

We should probably also fix this for Apache, which recently also learned
to use ACME.
2020-06-15 11:04:59 +02:00
Florian Klink a3678ed347 nixos/nginx: always run systemctl of the currently running systemd
Also, make the postRun script refer to that systemctl, and not just rely
on $PATH for consistency.
2020-05-21 10:31:47 +02:00
Izorkin 94391fce1d nixos/nginx: add option enableSandbox 2020-05-12 20:03:29 +03:00
Izorkin aa12fb8adb nginxModules: add option allowMemoryWriteExecute
The allowMemoryWriteExecute option is required to checking enabled nginxModules
and disable the nginx sandbox mode MemoryDenyWriteExecute.
2020-05-12 20:03:29 +03:00
Izorkin 628354c686 nixos/nginx: enable sandboxing 2020-05-12 20:03:27 +03:00
Izorkin 4d988ff0d0 nixos/nginx: change log and cache directories 2020-05-04 16:36:37 +03:00
Jan Tojnar 3c4ab13243
nixos/nginx: fix eval
Fixes a typo introduced in https://github.com/NixOS/nixpkgs/pull/83611
2020-03-29 00:20:07 +01:00
Vincent Bernat 7c451c3b6b
nginx: increase types_hash_max_size to 4096 (#83609)
After upgrading to NixOS 20.03, I've got the following warning:

    nginx: [warn] could not build optimal types_hash, you should increase either types_hash_max_size: 2048 or types_hash_bucket_size: 64; ignoring types_hash_bucket_size

The documentation states that "if nginx emits the message requesting
to increase either hash max size or hash bucket size then the first
parameter should first be increased" (aka types_hash_max_size).

In 19.03, the size of mime.types was around 100 entries. In 20.03, we
are around 900 entries. This is due to ff0148d868 which makes nginx
use mailcap mime.types.
2020-03-28 20:40:44 +01:00
Vincent Bernat 8f8cbec985
nixos/nginx: use mailcap mimetypes in all cases (#83611)
In ff0148d868, nginx configuration was modified to use mime.types
from mailcap package as it is more complete. However, there are two
places where mime.types is included in configuration. When the user
was setting `cfg.httpConfig`, the mime.types from nginx was still
used. This commit fix that by moving the common snippet in a variable
of its own and ensure it is used at both places.
2020-03-28 20:29:09 +01:00
Emily 4ed98d69ed nixos/nginx: use Mozilla Intermediate TLS configuration
The configuration at https://ssl-config.mozilla.org/#server=nginx&config=intermediate
is reliably kept up-to-date in terms of security and compatible with a
wide range of clients. They've probably had more care and thought put
into them than our defaults, and will be easier to keep updated in
the future.

The only removed (rather than changed) configuration option here is
ssl_ecdh_curve, per https://github.com/mozilla/server-side-tls/issues/189.

Resolves #80952.
2020-03-06 13:08:56 +00:00
rnhmjoj 1d61efb7f1 treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
Danylo Hlynskyi cef68c4580
nixos/nginx: don't hide nginx config errors on nixos-rebuild --switch with reload enabled (#76179)
nixos/nginx: don't hide nginx config errors on nixos-rebuild --switch
with reload enabled

Closes https://github.com/NixOS/nixpkgs/issues/73455
2020-01-05 00:39:23 +02:00
danbst 50d6e93dc8 nixos/nginx: fixup permissions for Nginx state dir
The commit b0bbacb521 was a bit too fast
It did set executable bit for log files.

Also, it didn't account for other directories in state dir:
```
 # ls -la /var/spool/nginx/
total 32
drwxr-x--- 8 nginx nginx 4096 Dec 26 12:00 .
drwxr-xr-x 4 root  root  4096 Oct 10 20:24 ..
drwx------ 2 root  root  4096 Oct 10 20:24 client_body_temp
drwx------ 2 root  root  4096 Oct 10 20:24 fastcgi_temp
drwxr-x--- 2 nginx nginx 4096 Dec 26 12:00 logs
drwx------ 2 root  root  4096 Oct 10 20:24 proxy_temp
drwx------ 2 root  root  4096 Oct 10 20:24 scgi_temp
drwx------ 2 root  root  4096 Oct 10 20:24 uwsgi_temp
```

With proposed change, only ownership is changed for state files, and mode is left as is
except that statedir/logs is now group accessible.
2019-12-26 14:16:29 +02:00
Yurii Izorkin b0bbacb521 nixos/nginx: recursively change logs directory owner/group (#76174)
This change brings pre-existing installations (where the logfiles
are owned by root) in line with the new permssions (where logfiles
are owned by the nginx user)
2019-12-26 13:51:10 +02:00
Izorkin 2a413da57e nixos/nginx: do not run anything as root 2019-12-15 11:21:08 +03:00
Robin Gloster 8e1fdad7c6
Merge pull request #70858 from manveru/nginx-map-hash-sizes
nginx: add map_hash_*_size options
2019-10-09 17:32:40 +02:00
Milan Pässler ff0148d868 nixos/nginx: use mailcap mime.types
The mime type definitions included with nginx are very incomplete, so
we use a list of mime types from the mailcap package, which is also
used by most other Linux distributions by default.
2019-10-09 14:20:40 +00:00
Michael Fellinger 2d0b34aa1c
nginx: add map_hash_*_size options 2019-10-09 15:59:03 +02:00
Vincent Bernat cf3e491cef nginx: remove gzip_disable directive
IE6 is long gone and this directive is not useful anymore. We can
spare a few CPU cycles (and maybe skip some bugs) by not trying to
disable gzip for MSIE6.
2019-09-12 11:55:32 -05:00
Silvan Mosberger 478e7184f8
nixos/modules: Remove all usages of types.string
And replace them with a more appropriate type

Also fix up some minor module problems along the way
2019-08-31 18:19:00 +02:00
Arian van Putten 604b7c139f Fix letsencrypt (#60219)
* nixos/acme: Fix ordering of cert requests

When subsequent certificates would be added, they would
not wake up nginx correctly due to target units only being triggered
once. We now added more fine-grained systemd dependencies to make sure
nginx always is aware of new certificates and doesn't restart too early
resulting in a crash.

Furthermore, the acme module has been refactored. Mostly to get
rid of the deprecated PermissionStartOnly systemd options which were
deprecated. Below is a summary of changes made.

* Use SERVICE_RESULT to determine status
This was added in systemd v232. we don't have to keep track
of the EXITCODE ourselves anymore.

* Add regression test for requesting mutliple domains

* Deprecate 'directory' option
We now use systemd's StateDirectory option to manage
create and permissions of the acme state directory.

* The webroot is created using a systemd.tmpfiles.rules rule
instead of the preStart script.

* Depend on certs directly

By getting rid of the target units, we make sure ordering
is correct in the case that you add new certs after already
having deployed some.

Reason it broke before:  acme-certificates.target would
be in active state, and if you then add a new cert, it
would still be active and hence nginx would restart
without even requesting a new cert. Not good!  We
make the dependencies more fine-grained now. this should fix that

* Remove activationDelay option

It complicated the code a lot, and is rather arbitrary. What if
your activation script takes more than activationDelay seconds?

Instead, one should use systemd dependencies to make sure some
action happens before setting the certificate live.

e.g. If you want to wait until your cert is published in DNS DANE /
TLSA, you could create a unit that blocks until it appears in DNS:

```
RequiredBy=acme-${cert}.service
After=acme-${cert}.service
ExecStart=publish-wait-for-dns-script
```
2019-08-29 16:32:59 +02:00
Danylo Hlynskyi 855be67358
nginx: expose generated config and allow nginx reloads (#57429)
* nginx: expose generated config and allow nginx reloads

Fixes: https://github.com/NixOS/nixpkgs/issues/15906
Another try was done, but not yet merged in https://github.com/NixOS/nixpkgs/pull/24476

This add 2 new features: ability to review generated Nginx config
(and NixOS has sophisticated generation!) and reloading
of nginx on config changes. This preserves nginx restart on package
updates.

I've modified nginx test to use this new feature and check reload/restart
behavior.

* rename to enableReload

* add sleep(1) in ETag test (race condition) and rewrite rebuild-switch using `nesting.clone`
2019-08-21 16:52:46 +03:00
volth f3282c8d1e treewide: remove unused variables (#63177)
* treewide: remove unused variables

* making ofborg happy
2019-06-16 19:59:05 +00:00
Izorkin 5612650767 nixos/nginx: add ipv6 options to resolver 2019-06-02 19:29:30 +00:00