Subject: [bug#59621] [PATCH] services: nginx: Add support for ssl-stapling in server blocks.
From: Maxim Cournoyer
To: Bruno Victal
Cc: Christopher Baines, 59621@debbugs.gnu.org
Date: Tue, 21 Mar 2023 09:20:49 -0400
Message-ID: <87y1nqqlzi.fsf_-_@gmail.com>
In-Reply-To: (Bruno Victal's message of "Sat, 7 Jan 2023 20:07:11 +0000")
References: <9a18d0c03940cfe0d8ab01964f12d08fcc972e30.1669507155.git.mirai@makinata.eu> <87o7ramay8.fsf@cbaines.net>
Hi Bruno, Chris,

Bruno Victal writes:

> Hi
>
> On 2023-01-07 17:21, Christopher Baines wrote:
>>
>> mirai@makinata.eu writes:
>>
>>> From: Bruno Victal
>>>
>>> * gnu/services/web.scm (): Add
>>> ssl-stapling? and ssl-stapling-verify?.
>>> * doc/guix.texi (NGINX): Document this.
>>> ---
>>>  doc/guix.texi        |  7 +++++
>>>  gnu/services/web.scm | 69 +++++++++++++++++++++++++-------------------
>>>  2 files changed, 46 insertions(+), 30 deletions(-)
>>
>> Hi Bruno,
>>
>> Thanks for the patch, and sorry it's taken so long to reply.
>>
>>> @@ -647,6 +654,8 @@ (define-syntax-rule (and/l x tail ...)
>>>  " server_name " (config-domain-strings server-name) ";\n"
>>>  (and/l ssl-certificate " ssl_certificate " <> ";\n")
>>>  (and/l ssl-certificate-key " ssl_certificate_key " <> ";\n")
>>> + " ssl_stapling " (if ssl-stapling? "on" "off") ";\n"
>>> + " ssl_stapling_verify " (if ssl-stapling-verify? "on" "off") ";\n"
>>>  (if (not (equal? "" root))
>>>  (list " root " root ";\n")
>>>  "")
>>>
>>> base-commit: 68925b5ee7e0d96b0c84ae98a633eea5097bf511
>>
>> Generally this looks good to me. There's some unnecessary indentation
>> changes that should probably go in another commit if they're made, but I
>> did spot something in the above diff.
>
> I was afraid that doing it in a separate commit would have
> made it less clear as it would have looked like a trivial cosmetic
> change without any purpose.
>
>>
>> I'm no expert in NGinx configs, but I do wonder if this change will
>> break using nginx if it's built without the ngx_http_ssl_module? With
>> the other module specific configuration (e.g. ssl_certificate), it's
>> possible to specify a value in the that
>> means the line won't be included in the configuration. I think it would
>> be good to continue that here.
>
> I haven't tested this with an nginx that is built without ngx_http_ssl_module,
> it would be a rather esoteric nginx build as TLS support presence is a
> common expectation of web servers.

The only nginx package in Guix has TLS support; I wouldn't expect people
will go out of the way to define TLS-less variants just to run a local
HTTP-only web server; perhaps it's OK to not give too much importance to
that for now?

-- 
Thanks,
Maxim
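Review bot: in the hunk at @@ -647,6 +654,8 @@, the two added lines emit `ssl_stapling` and `ssl_stapling_verify` unconditionally, while the neighbouring `ssl_certificate` and `ssl_certificate_key` lines are wrapped in `and/l` so that an unset field drops the directive from the block; as written, every server block, including plain-HTTP blocks with no certificate, now gets an `ssl_stapling off` and `ssl_stapling_verify off` line, which is exactly the breakage Chris raises for builds without ngx_http_ssl_module, and it also changes the generated output of every existing configuration that never set these fields. Suggest gating the new lines the same way as their neighbours, for example `(and/l ssl-certificate " ssl_stapling " (if ssl-stapling? "on" "off") ";\n")`, or giving the two fields an unset value that `and/l` can test, so a configuration that does not opt in renders as it did before the patch.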
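The "leave the line out when the field is unset" pattern Chris describes, written out as an added Guile example so the difference between an HTTPS block and a plain-HTTP block is visible in the rendered text. This is not code from gnu/services/web.scm or from the patch: the record type `<server-block>`, the helpers `maybe-directive` and `render-server-block`, and the sample certificate paths are all assumptions constructed for this illustration. The stapling directives are emitted only when the block actually carries a certificate, which is the property the review asks for.

```scheme
;; Added example, not Guix's own code.  Record and helper names below
;; (<server-block>, maybe-directive, render-server-block) are assumptions
;; made for this illustration, not names from gnu/services/web.scm.
(use-modules (srfi srfi-9))

;; Minimal stand-in for a server-block record.  #f in a string field means
;; "do not emit the corresponding directive at all".
(define-record-type <server-block>
  (make-server-block server-name listen ssl-certificate ssl-certificate-key
                     ssl-stapling? ssl-stapling-verify?)
  server-block?
  (server-name          server-block-server-name)
  (listen               server-block-listen)
  (ssl-certificate      server-block-ssl-certificate)
  (ssl-certificate-key  server-block-ssl-certificate-key)
  (ssl-stapling?        server-block-ssl-stapling?)
  (ssl-stapling-verify? server-block-ssl-stapling-verify?))

;; Render "      NAME VALUE;\n" when VALUE is set, or nothing when it is #f,
;; so an unset field disappears from the generated block instead of
;; producing a directive nginx may not understand.
(define (maybe-directive name value)
  (if value
      (string-append "      " name " " value ";\n")
      ""))

;; Boolean fields become the on/off words nginx expects.
(define (on/off flag)
  (if flag "on" "off"))

(define (render-server-block block)
  (let ((cert (server-block-ssl-certificate block)))
    (string-append
     "    server {\n"
     "      listen " (server-block-listen block) ";\n"
     "      server_name " (server-block-server-name block) ";\n"
     (maybe-directive "ssl_certificate" cert)
     (maybe-directive "ssl_certificate_key" (server-block-ssl-certificate-key block))
     ;; Stapling only makes sense for a TLS-serving block, so it is gated on
     ;; the certificate being present; a plain-HTTP block gets no ssl_*
     ;; lines whatsoever, which keeps it valid even on an nginx built
     ;; without ngx_http_ssl_module.
     (if cert
         (string-append
          (maybe-directive "ssl_stapling"
                           (on/off (server-block-ssl-stapling? block)))
          (maybe-directive "ssl_stapling_verify"
                           (on/off (server-block-ssl-stapling-verify? block))))
         "")
     "    }\n")))

;; Constructed sample blocks: an HTTPS block with stapling turned on, and a
;; local HTTP-only block with every TLS field left unset.
(define https-block
  (make-server-block "example.org" "443 ssl"
                     "/etc/certs/example.org/fullchain.pem"   ; constructed path
                     "/etc/certs/example.org/key.pem"         ; constructed path
                     #t #t))

(define http-block
  (make-server-block "localhost" "80" #f #f #f #f))

;; The first block renders ssl_certificate, ssl_certificate_key,
;; "ssl_stapling on" and "ssl_stapling_verify on"; the second renders only
;; listen and server_name.
(display (render-server-block https-block))
(display (render-server-block http-block))
```

One caveat for anyone who actually turns the verify flag on: nginx checks a stapled OCSP response against the issuer chain given with `ssl_trusted_certificate`, which neither the patch nor this example configures, so a deployment that enables `ssl_stapling_verify` needs that directive in the same block as well.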