mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-22 21:50:55 +00:00
nixos/httpd: allow user to specify a minimal list of apache modules
This commit is contained in:
parent
9c28599bfe
commit
5c3715379d
|
@ -29,41 +29,26 @@ let
|
|||
|
||||
listenToString = l: "${l.ip}:${toString l.port}";
|
||||
|
||||
extraModules = attrByPath ["extraModules"] [] mainCfg;
|
||||
extraForeignModules = filter isAttrs extraModules;
|
||||
extraApacheModules = filter isString extraModules;
|
||||
|
||||
allHosts = [mainCfg] ++ mainCfg.virtualHosts;
|
||||
|
||||
enableSSL = any (vhost: vhost.enableSSL) allHosts;
|
||||
|
||||
|
||||
# Names of modules from ${httpd}/modules that we want to load.
|
||||
apacheModules =
|
||||
[ # HTTP authentication mechanisms: basic and digest.
|
||||
"auth_basic" "auth_digest"
|
||||
|
||||
# Authentication: is the user who he claims to be?
|
||||
"authn_file" "authn_dbm" "authn_anon" "authn_core"
|
||||
|
||||
# Authorization: is the user allowed access?
|
||||
"authz_user" "authz_groupfile" "authz_host" "authz_core"
|
||||
|
||||
# Other modules.
|
||||
"ext_filter" "include" "log_config" "env" "mime_magic"
|
||||
"cern_meta" "expires" "headers" "usertrack" /* "unique_id" */ "setenvif"
|
||||
"mime" "dav" "status" "autoindex" "asis" "info" "dav_fs"
|
||||
"vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling"
|
||||
"userdir" "alias" "rewrite" "proxy" "proxy_http"
|
||||
"unixd" "cache" "cache_disk" "slotmem_shm" "socache_shmcb"
|
||||
# NOTE: generally speaking order of modules is very important
|
||||
modules =
|
||||
[ # required apache modules our httpd service cannot run without
|
||||
"authn_core" "authz_core"
|
||||
"log_config"
|
||||
"mime" "autoindex" "negotiation" "dir"
|
||||
"alias" "rewrite"
|
||||
"unixd" "slotmem_shm" "socache_shmcb"
|
||||
"mpm_${mainCfg.multiProcessingModule}"
|
||||
|
||||
# For compatibility with old configurations, the new module mod_access_compat is provided.
|
||||
"access_compat"
|
||||
]
|
||||
++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
|
||||
++ optional enableSSL "ssl"
|
||||
++ extraApacheModules;
|
||||
++ optional mainCfg.enableMellon { name = "auth_mellon"; path = "${pkgs.apacheHttpdPackages.mod_auth_mellon}/modules/mod_auth_mellon.so"; }
|
||||
++ optional mainCfg.enablePHP { name = "php${phpMajorVersion}"; path = "${php}/modules/libphp${phpMajorVersion}.so"; }
|
||||
++ optional mainCfg.enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; }
|
||||
++ mainCfg.extraModules;
|
||||
|
||||
|
||||
allDenied = "Require all denied";
|
||||
|
@ -87,6 +72,7 @@ let
|
|||
|
||||
|
||||
browserHacks = ''
|
||||
<IfModule mod_setenvif.c>
|
||||
BrowserMatch "Mozilla/2" nokeepalive
|
||||
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
|
||||
BrowserMatch "RealPlayer 4\.0" force-response-1.0
|
||||
|
@ -96,6 +82,7 @@ let
|
|||
BrowserMatch "^WebDrive" redirect-carefully
|
||||
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
|
||||
BrowserMatch "^gnome-vfs" redirect-carefully
|
||||
</IfModule>
|
||||
'';
|
||||
|
||||
|
||||
|
@ -266,13 +253,12 @@ let
|
|||
Group ${mainCfg.group}
|
||||
|
||||
${let
|
||||
load = {name, path}: "LoadModule ${name}_module ${path}\n";
|
||||
allModules = map (name: {inherit name; path = "${httpd}/modules/mod_${name}.so";}) apacheModules
|
||||
++ optional mainCfg.enableMellon { name = "auth_mellon"; path = "${pkgs.apacheHttpdPackages.mod_auth_mellon}/modules/mod_auth_mellon.so"; }
|
||||
++ optional mainCfg.enablePHP { name = "php${phpMajorVersion}"; path = "${php}/modules/libphp${phpMajorVersion}.so"; }
|
||||
++ optional mainCfg.enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; }
|
||||
++ extraForeignModules;
|
||||
in concatMapStrings load (unique allModules)
|
||||
mkModule = module:
|
||||
if isString module then { name = module; path = "${httpd}/modules/mod_${module}.so"; }
|
||||
else if isAttrs module then { inherit (module) name path; }
|
||||
else throw "Expecting either a string or attribute set including a name and path.";
|
||||
in
|
||||
concatMapStringsSep "\n" (module: "LoadModule ${module.name}_module ${module.path}") (unique (map mkModule modules))
|
||||
}
|
||||
|
||||
AddHandler type-map var
|
||||
|
@ -387,7 +373,12 @@ in
|
|||
extraModules = mkOption {
|
||||
type = types.listOf types.unspecified;
|
||||
default = [];
|
||||
example = literalExample ''[ "proxy_connect" { name = "php5"; path = "''${pkgs.php}/modules/libphp5.so"; } ]'';
|
||||
example = literalExample ''
|
||||
[
|
||||
"proxy_connect"
|
||||
{ name = "jk"; path = "''${pkgs.tomcat_connectors}/modules/mod_jk.so"; }
|
||||
]
|
||||
'';
|
||||
description = ''
|
||||
Additional Apache modules to be used. These can be
|
||||
specified as a string in the case of modules distributed
|
||||
|
@ -588,6 +579,28 @@ in
|
|||
date.timezone = "${config.time.timeZone}"
|
||||
'';
|
||||
|
||||
services.httpd.extraModules = mkBefore [
|
||||
# HTTP authentication mechanisms: basic and digest.
|
||||
"auth_basic" "auth_digest"
|
||||
|
||||
# Authentication: is the user who he claims to be?
|
||||
"authn_file" "authn_dbm" "authn_anon"
|
||||
|
||||
# Authorization: is the user allowed access?
|
||||
"authz_user" "authz_groupfile" "authz_host"
|
||||
|
||||
# Other modules.
|
||||
"ext_filter" "include" "env" "mime_magic"
|
||||
"cern_meta" "expires" "headers" "usertrack" "setenvif"
|
||||
"dav" "status" "asis" "info" "dav_fs"
|
||||
"vhost_alias" "imagemap" "actions" "speling"
|
||||
"proxy" "proxy_http"
|
||||
"cache" "cache_disk"
|
||||
|
||||
# For compatibility with old configurations, the new module mod_access_compat is provided.
|
||||
"access_compat"
|
||||
];
|
||||
|
||||
systemd.services.httpd =
|
||||
{ description = "Apache HTTPD";
|
||||
|
||||
|
|
Loading…
Reference in a new issue