From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: [bug#59621] [PATCH] services: nginx: Add support for ssl-stapling in server blocks.
To: mirai@makinata.eu
Cc: 59621@debbugs.gnu.org
References: <9a18d0c03940cfe0d8ab01964f12d08fcc972e30.1669507155.git.mirai@makinata.eu>
From: Christopher Baines
Date: Sat, 07 Jan 2023 17:21:08 +0000
In-reply-to: <9a18d0c03940cfe0d8ab01964f12d08fcc972e30.1669507155.git.mirai@makinata.eu>
Message-ID: <87o7ramay8.fsf@cbaines.net>

mirai@makinata.eu writes:

> From: Bruno Victal
>
> * gnu/services/web.scm (): Add
> ssl-stapling? and ssl-stapling-verify?.
> * doc/guix.texi (NGINX): Document this.
> ---
> doc/guix.texi | 7 +++++
> gnu/services/web.scm | 69 +++++++++++++++++++++++++-------------------
> 2 files changed, 46 insertions(+), 30 deletions(-)

Hi Bruno,

Thanks for the patch, and sorry it's taken so long to reply.

> @@ -647,6 +654,8 @@ (define-syntax-rule (and/l x tail ...) > " server_name " (config-domain-strings server-name) ";\n" > (and/l ssl-certificate " ssl_certificate " <> ";\n") > (and/l ssl-certificate-key " ssl_certificate_key " <> ";\n") > + " ssl_stapling " (if ssl-stapling? "on" "off") ";\n" > + " ssl_stapling_verify " (if ssl-stapling-verify? "on" "off") ";\n" > (if (not (equal? "" root)) > (list " root " root ";\n") > "") > > base-commit: 68925b5ee7e0d96b0c84ae98a633eea5097bf511

Generally this looks good to me. There's some unnecessary indentation changes that should probably go in another commit if they're made, but I did spot something in the above diff.

I'm no expert in NGinx configs, but I do wonder if this change will break using nginx if it's built without the ngx_http_ssl_module?

With the other module specific configuration (e.g. ssl_certificate), it's possible to specify a value in the that means the line won't be included in the configuration. I think it would be good to continue that here.

I'm not sure how to enable not including these config lines. Maybe a symbol value like 'noval could be used (this should also be the default, rather than #f), or maybe 'on and 'off could be used as the values with #f meaning the line isn't included.

Does that make sense?

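Review bot: the two added lines emit `ssl_stapling` and `ssl_stapling_verify` unconditionally, unlike the `ssl_certificate` and `ssl_certificate_key` lines directly above them, which are wrapped in `and/l`. As written, every generated server block, including one with no certificate configured, gets an explicit `ssl_stapling off;` and `ssl_stapling_verify off;`, and an explicit server-level value also overrides whatever would otherwise be inherited from the enclosing http context. Suggest giving both fields a "not set" default and emitting each line only when a value was given, in the same style as the neighbouring `and/l` lines. Separately, nothing in the visible hunk emits `ssl_trusted_certificate`, which nginx needs for `ssl_stapling_verify on` to succeed; the doc/guix.texi text should say how the issuer chain is supplied when `ssl-stapling-verify?` is enabled.
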
Thanks,

Chris