authorMichael Raskin <7c6f434c@mail.ru>2016-03-04 16:54:27 +0100
committerMichael Raskin <7c6f434c@mail.ru>2016-03-04 16:54:37 +0100
commit7b9684a5b578b8e1c4c0a928f3536129f8d9f849 (patch)
tree828ee4c8fb4e417bf10bcebeb575f441424f67ae /pkgs/servers
parentce9e2012af4c6198538aea1b14714dada6274b3e (diff)
nginx, nginxUnstable: enable hardening. Flags as recommended by @arno01 (Andrey Arapov) in #7190
Diffstat (limited to 'pkgs/servers')
-rw-r--r--pkgs/servers/http/nginx/default.nix10
-rw-r--r--pkgs/servers/http/nginx/unstable.nix10
2 files changed, 18 insertions, 2 deletions
diff --git a/pkgs/servers/http/nginx/default.nix b/pkgs/servers/http/nginx/default.nix
index 6944a89477ad..cc95c60c7c24 100644
--- a/pkgs/servers/http/nginx/default.nix
+++ b/pkgs/servers/http/nginx/default.nix
@@ -1,6 +1,7 @@
 { stdenv, fetchurl, fetchFromGitHub, openssl, zlib, pcre, libxml2, libxslt, expat
 , gd, geoip
 , modules ? []
+, hardening ? true
 }:
 
 with stdenv.lib;
@@ -53,7 +54,14 @@ stdenv.mkDerivation rec {
 
   NIX_CFLAGS_COMPILE = [ "-I${libxml2}/include/libxml2" ] ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations -Wno-error=conditional-uninitialized";
 
-  preConfigure = concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules;
+  preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules)
+    + optionalString hardening ''
+      configureFlagsArray=(
+        --with-cc-opt="-fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2"
+        --with-ld-opt="-pie -Wl,-z,relro,-z,now"
+      )
+    ''
+    ;
 
   meta = {
     description = "A reverse proxy and lightweight webserver";
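Review bot: The hardening block uses `configureFlagsArray=(` which assigns the array rather than appending to it, so any `configureFlagsArray` a module's preConfigure set up (concatenated immediately before this string) is silently overwritten whenever hardening is on; `configureFlagsArray+=(` would keep both sets of flags. The same assignment appears in the unstable.nix hunk below. The enclosing `stdenv.mkDerivation rec {` attribute set starts outside the hunk. It would also help consumers to document the new parameter, e.g. `# hardening: inject PIE, stack-protector, FORTIFY_SOURCE and RELRO/now flags via --with-cc-opt/--with-ld-opt` above `, hardening ? true`, so that disabling it is an informed choice.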
diff --git a/pkgs/servers/http/nginx/unstable.nix b/pkgs/servers/http/nginx/unstable.nix
index 5840dee0ba53..4ac1b0b268c1 100644
--- a/pkgs/servers/http/nginx/unstable.nix
+++ b/pkgs/servers/http/nginx/unstable.nix
@@ -2,6 +2,7 @@
 , gd, geoip
 , withStream ? false
 , modules ? []
+, hardening ? true
 }:
 
 with stdenv.lib;
@@ -51,7 +52,14 @@ stdenv.mkDerivation rec {
 
   NIX_CFLAGS_COMPILE = [ "-I${libxml2}/include/libxml2" ] ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations";
 
-  preConfigure = concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules;
+  preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules)
+    + optionalString hardening ''
+      configureFlagsArray=(
+        --with-cc-opt="-fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2"
+        --with-ld-opt="-pie -Wl,-z,relro,-z,now"
+      )
+    ''
+    ;
 
   postInstall = ''
     mv $out/sbin $out/bin