author | Franz Pletz <fpletz@fnordicwalking.de> | 2016-02-17 04:01:50 +0100 |
---|---|---|
committer | Robin Gloster <mail@glob.in> | 2016-07-28 11:59:13 +0000 |
commit | 4e5c7913e9db6906b031bb8310ba811f533854d3 (patch) | |
tree | c596ad5e6aedb95495e017305cff12e3d2901ded /nixos | |
parent | 811f243ce6f1ce82cf93bc5b45e5879513a2a305 (diff) | |
nginx module: Add acmeFallbackHost vhost option
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 13 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/nginx/vhost-options.nix | 9 |
2 files changed, 20 insertions, 2 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 62348d48f5dc..e48e9b6cfd8f 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -78,6 +78,15 @@ let
 ssl = vhost.enableSSL || vhost.forceSSL;
 port = if vhost.port != null then vhost.port else (if ssl then 443 else 80);
 listenString = toString port + optionalString ssl " ssl spdy";
+ acmeLocation = optionalString vhost.enableACME ''
+ location /.well-known/acme-challenge {
+ try_files $uri @acme-fallback;
+ root ${vhost.acmeRoot};
+ }
+ location @acme-fallback {
+ proxy_pass http://${vhost.acmeFallbackHost};
+ }
+ '';
 in ''
 ${optionalString vhost.forceSSL ''
 server {
@@ -85,7 +94,7 @@ let
 listen [::]:80;
 server_name ${serverName} ${concatStringsSep " " vhost.serverAliases};
- ${optionalString vhost.enableACME "location /.well-known/acme-challenge { root ${vhost.acmeRoot}; }"}
+ ${acmeLocation}
 location / {
 return 301 https://$host${optionalString (port != 443) ":${port}"}$request_uri;
 }
@@ -97,7 +106,7 @@ let
 listen [::]:${listenString};
 server_name ${serverName} ${concatStringsSep " " vhost.serverAliases};
- ${optionalString vhost.enableACME "location /.well-known/acme-challenge { root ${vhost.acmeRoot}; }"}
+ ${acmeLocation}
 ${optionalString (vhost.root != null) "root ${vhost.root};"}
 ${optionalString (vhost.globalRedirect != null) ''
 return 301 https://${vhost.globalRedirect}$request_uri;
diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
index 5fa3b18c24f0..61868d8890d4 100644
--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
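Review bot: The `@acme-fallback` location in the new `acmeLocation` is generated for every vhost with `enableACME`, whether or not a fallback was configured, so `proxy_pass http://${vhost.acmeFallbackHost}` falls back to the option's default of `"0.0.0.0"` declared in vhost-options.nix. On Linux a connect to 0.0.0.0 normally reaches the local machine, so a request for any missing file under `/.well-known/acme-challenge` is presumably proxied back into the same nginx on port 80, where it can match the same location again; any unauthenticated client could then tie up extra worker connections per request. I would declare the option as `type = types.nullOr types.str; default = null;`, emit `try_files $uri @acme-fallback;` only under `optionalString (vhost.acmeFallbackHost != null)`, and wrap the `location @acme-fallback { … }` block in the same guard, so the default stays the previous `root`-only behaviour. The enclosing `let` binding list starts and ends outside this hunk.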
@@ -38,6 +38,15 @@ with lib;
 description = "Directory to store certificates and keys managed by the ACME service.";
 };
+ acmeFallbackHost = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = ''
+ Host which to proxy requests to if acme challenge is not found. Useful
+ if you want multiple hosts to be able to verify the same domain name.
+ '';
+ };
+
 enableSSL = mkOption {
 type = types.bool;
 default = false; |
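Review bot: The `description` of `acmeFallbackHost` does not tell the operator that the named host becomes trusted to answer ACME challenges for this vhost's names, or that the request is forwarded over plain HTTP. Whoever controls that host, or the network path to it, can complete HTTP-01 validation for the domain and so obtain certificates for it, which is worth knowing before setting the option. I would add a sentence such as `The fallback host is contacted over plain HTTP and can answer ACME challenges for this virtual host's domains, so only point it at a machine you control.` It would also help to state that the value is placed verbatim after `http://` in `proxy_pass`, so it should be a bare `host` or `host:port`.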