From: mirai@makinata.eu
To: 59621@debbugs.gnu.org
Cc: Bruno Victal <mirai@makinata.eu>
Subject: [bug#59621] [PATCH] services: nginx: Add support for ssl-stapling in server blocks.
Date: Sat, 26 Nov 2022 23:59:50 +0000 [thread overview]
Message-ID: <9a18d0c03940cfe0d8ab01964f12d08fcc972e30.1669507155.git.mirai@makinata.eu> (raw)
From: Bruno Victal <mirai@makinata.eu>
* gnu/services/web.scm (<nginx-server-configuration>): Add
ssl-stapling? and ssl-stapling-verify?.
* doc/guix.texi (NGINX): Document this.
---
doc/guix.texi | 7 +++++
gnu/services/web.scm | 69 +++++++++++++++++++++++++-------------------
2 files changed, 46 insertions(+), 30 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index e547d469f4..f116798dba 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -29339,6 +29339,13 @@ you don't have a certificate or you don't want to use HTTPS.
Where to find the private key for secure connections. Set it to @code{#f} if
you don't have a key or you don't want to use HTTPS.
+@item @code{ssl-stapling?} (default: @code{#f})
+Whether the server should @uref{https://datatracker.ietf.org/doc/html/rfc6066#section-8,staple OCSP responses}.
+Requires at least one @samp{resolver} directive in @code{raw-content}.
+
+@item @code{ssl-stapling-verify?} (default: @code{#f})
+Whether the server should verify the OCSP responses.
+
@item @code{server-tokens?} (default: @code{#f})
Whether the server should add its configuration to response.
diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index 83aa97055f..8ab4050d47 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -510,48 +510,52 @@ (define httpd-service-type
(define-record-type* <nginx-server-configuration>
nginx-server-configuration make-nginx-server-configuration
nginx-server-configuration?
- (listen nginx-server-configuration-listen
- (default '("80" "443 ssl")))
- (server-name nginx-server-configuration-server-name
- (default (list 'default)))
- (root nginx-server-configuration-root
- (default "/srv/http"))
- (locations nginx-server-configuration-locations
- (default '()))
- (index nginx-server-configuration-index
- (default (list "index.html")))
- (try-files nginx-server-configuration-try-files
- (default '()))
- (ssl-certificate nginx-server-configuration-ssl-certificate
- (default #f))
- (ssl-certificate-key nginx-server-configuration-ssl-certificate-key
- (default #f))
- (server-tokens? nginx-server-configuration-server-tokens?
- (default #f))
- (raw-content nginx-server-configuration-raw-content
- (default '())))
+ (listen nginx-server-configuration-listen
+ (default '("80" "443 ssl")))
+ (server-name nginx-server-configuration-server-name
+ (default (list 'default)))
+ (root nginx-server-configuration-root
+ (default "/srv/http"))
+ (locations nginx-server-configuration-locations
+ (default '()))
+ (index nginx-server-configuration-index
+ (default (list "index.html")))
+ (try-files nginx-server-configuration-try-files
+ (default '()))
+ (ssl-certificate nginx-server-configuration-ssl-certificate
+ (default #f))
+ (ssl-certificate-key nginx-server-configuration-ssl-certificate-key
+ (default #f))
+ (ssl-stapling? nginx-server-configuration-ssl-stapling?
+ (default #f))
+ (ssl-stapling-verify? nginx-server-configuration-ssl-stapling-verify?
+ (default #f))
+ (server-tokens? nginx-server-configuration-server-tokens?
+ (default #f))
+ (raw-content nginx-server-configuration-raw-content
+ (default '())))
(define-record-type* <nginx-upstream-configuration>
nginx-upstream-configuration make-nginx-upstream-configuration
nginx-upstream-configuration?
- (name nginx-upstream-configuration-name)
- (servers nginx-upstream-configuration-servers)
- (extra-content nginx-upstream-configuration-extra-content
- (default '())))
+ (name nginx-upstream-configuration-name)
+ (servers nginx-upstream-configuration-servers)
+ (extra-content nginx-upstream-configuration-extra-content
+ (default '())))
(define-record-type* <nginx-location-configuration>
nginx-location-configuration make-nginx-location-configuration
nginx-location-configuration?
- (uri nginx-location-configuration-uri
- (default #f))
- (body nginx-location-configuration-body))
+ (uri nginx-location-configuration-uri
+ (default #f))
+ (body nginx-location-configuration-body))
(define-record-type* <nginx-named-location-configuration>
nginx-named-location-configuration make-nginx-named-location-configuration
nginx-named-location-configuration?
- (name nginx-named-location-configuration-name
- (default #f))
- (body nginx-named-location-configuration-body))
+ (name nginx-named-location-configuration-name
+ (default #f))
+ (body nginx-named-location-configuration-body))
(define-record-type* <nginx-configuration>
nginx-configuration make-nginx-configuration
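Review bot: The new `ssl-stapling-verify?` field has nothing to pair with: nginx validates a stapled OCSP response against the issuer chain supplied by `ssl_trusted_certificate`, and this record gives no way to set that directive other than `raw-content`, so a user who turns verification on without it will presumably get a verification failure rather than a verified staple. Consider adding `(ssl-trusted-certificate nginx-server-configuration-ssl-trusted-certificate (default #f))` next to `ssl-certificate-key`, emitted with the same `and/l` form, or at minimum state the requirement in the manual entry for `ssl-stapling-verify?`. Separately, the hunk re-indents all of `<nginx-upstream-configuration>`, `<nginx-location-configuration>` and `<nginx-named-location-configuration>` while adding two fields to one record; carrying the whitespace change in its own commit would let the functional change be reviewed at a glance. The `<nginx-configuration>` record type continues past the end of the hunk.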
@@ -628,6 +632,9 @@ (define (emit-nginx-server-config server)
(ssl-certificate (nginx-server-configuration-ssl-certificate server))
(ssl-certificate-key
(nginx-server-configuration-ssl-certificate-key server))
+ (ssl-stapling? (nginx-server-configuration-ssl-stapling? server))
+ (ssl-stapling-verify?
+ (nginx-server-configuration-ssl-stapling-verify? server))
(root (nginx-server-configuration-root server))
(index (nginx-server-configuration-index server))
(try-files (nginx-server-configuration-try-files server))
@@ -647,6 +654,8 @@ (define-syntax-rule (and/l x tail ...)
" server_name " (config-domain-strings server-name) ";\n"
(and/l ssl-certificate " ssl_certificate " <> ";\n")
(and/l ssl-certificate-key " ssl_certificate_key " <> ";\n")
+ " ssl_stapling " (if ssl-stapling? "on" "off") ";\n"
+ " ssl_stapling_verify " (if ssl-stapling-verify? "on" "off") ";\n"
(if (not (equal? "" root))
(list " root " root ";\n")
"")
base-commit: 68925b5ee7e0d96b0c84ae98a633eea5097bf511
--
2.38.1