diff options
| author | Vincent Bernat <vincent@bernat.ch> | 2018-08-30 22:33:56 +0200 |
|---|---|---|
| committer | Vincent Bernat <vincent@bernat.ch> | 2018-08-30 22:47:41 +0200 |
| commit | 1251b34b5bbcd11a7a2974df7bada5d6d47b985d (patch) | |
| tree | 329594bc20b6a23ba815d915f8e8b92c04b7bbb3 /nixos/modules/services/web-servers | |
| parent | 2a606200bca4f5552f7f28e0f11dfbfedc2aa81a (diff) | |
| download | nixlib-1251b34b5bbcd11a7a2974df7bada5d6d47b985d.tar nixlib-1251b34b5bbcd11a7a2974df7bada5d6d47b985d.tar.gz nixlib-1251b34b5bbcd11a7a2974df7bada5d6d47b985d.tar.bz2 nixlib-1251b34b5bbcd11a7a2974df7bada5d6d47b985d.tar.lz nixlib-1251b34b5bbcd11a7a2974df7bada5d6d47b985d.tar.xz nixlib-1251b34b5bbcd11a7a2974df7bada5d6d47b985d.tar.zst nixlib-1251b34b5bbcd11a7a2974df7bada5d6d47b985d.zip | |
nixos/nginx: ensure TLS OCSP stapling works out of the box with LE
The recommended TLS configuration comes with `ssl_stapling on` and
`ssl_stapling_verify on`. However, this last directive also requires
the use of `ssl_trusted_certificate` to verify the received answer.
When using `enableACME` or similar, we can help the user by providing
the correct value for the directive.
The result can be tested with:
openssl s_client -connect web.example.com:443 -status 2> /dev/null
Without OCSP stapling, we get:
OCSP response: no response sent
After this change, we get:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Aug 30 20:46:00 2018 GMT
Diffstat (limited to 'nixos/modules/services/web-servers')
| -rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 5 | ||||
| -rw-r--r-- | nixos/modules/services/web-servers/nginx/vhost-options.nix | 7 |
2 files changed, 12 insertions, 0 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 17b169f7c696..b231ee5a3f01 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -16,9 +16,11 @@ let } // (optionalAttrs vhostConfig.enableACME { sslCertificate = "${acmeDirectory}/${serverName}/fullchain.pem"; sslCertificateKey = "${acmeDirectory}/${serverName}/key.pem"; + sslTrustedCertificate = "${acmeDirectory}/${serverName}/full.pem"; }) // (optionalAttrs (vhostConfig.useACMEHost != null) { sslCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem"; sslCertificateKey = "${acmeDirectory}/${vhostConfig.useACMEHost}/key.pem"; + sslTrustedCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/full.pem"; }) ) cfg.virtualHosts; enableIPv6 = config.networking.enableIPv6; @@ -228,6 +230,9 @@ let ssl_certificate ${vhost.sslCertificate}; ssl_certificate_key ${vhost.sslCertificateKey}; ''} + ${optionalString (hasSSL && vhost.sslTrustedCertificate != null) '' + ssl_trusted_certificate ${vhost.sslTrustedCertificate}; + ''} ${optionalString (vhost.basicAuthFile != null || vhost.basicAuth != {}) '' auth_basic secured; diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index 1075b00768fd..6954d932eed4 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -129,6 +129,13 @@ with lib; description = "Path to server SSL certificate key."; }; + sslTrustedCertificate = mkOption { + type = types.path; + default = null; + example = "/var/root.cert"; + description = "Path to root SSL certificate for stapling and client certificates."; + }; + http2 = mkOption { type = types.bool; default = true; |