From: julien lepiller <julien@lepiller.eu>
To: 29467@debbugs.gnu.org
Subject: [bug#29467] [PATCH] web: Don't error about missing ssl related files.
Date: Tue, 05 Dec 2017 12:23:39 +0100 [thread overview]
Message-ID: <f71e915584d672abef213ed082e52745@lepiller.eu> (raw)
In-Reply-To: <87vahlctq3.fsf@gnu.org>
Le 2017-12-05 12:14, ludo@gnu.org a écrit :
> Hi,
>
> julien lepiller <julien@lepiller.eu> skribis:
>
>> Le 2017-11-27 09:26, Christopher Baines a écrit :
>>> Erroring here prevents doing things like building a system using
>>> nginx on a
>>> different machine from where it's intended to be deployed, or
>>> creating
>>> containers and VMs that use the ssl-certificate parts of the nginx
>>> configuration, without also getting these files to exist.
>>>
>>> * gnu/services/web.scm (emit-nginx-server-config): Don't error on
>>> missing ssl
>>> related files.
>>> ---
>>> gnu/services/web.scm | 10 ----------
>>> 1 file changed, 10 deletions(-)
>>>
>>> diff --git a/gnu/services/web.scm b/gnu/services/web.scm
>>> index 9d713003c..1af32278c 100644
>>> --- a/gnu/services/web.scm
>>> +++ b/gnu/services/web.scm
>>> @@ -191,16 +191,6 @@ of index files."
>>> (syntax-parameterize ((<> (identifier-syntax x*)))
>>> (list tail ...))
>>> '())))
>>> - (for-each
>>> - (match-lambda
>>> - ((record-key . file)
>>> - (if (and file (not (file-exists? file)))
>
> There’s another problem: ‘file-exists?’ checks the current machine,
> under the current root file system. That check doesn’t work if you do
> “guix system init config.scm /some/other/root”, or if you create a
> container, or with the envisioned “guix system reconfigure --remote”.
>
>> Hi, when configuring nginx for the first time, users will probably
>> forget to
>> configure ssl properly. The default is to enable ssl and find
>> certificates in
>> /etc/nginx. When these files don't exist, nginx will fail to start and
>> at least
>> one user complained it was hard to debug. This code was introduced to
>> prevent
>> such a mistake.
>
> Yes, I agree that it’s nice to have early error reports.
>
>> Maybe we should set the default to #f (but then users would have to
>> configure
>> more fields to enable https). Maybe we should add a configuration
>> option like
>> warn-only? (default to #f) to only warn about missing files. Or maybe
>> there's
>> a way to show nginx that another service is providing that file?
>
> Good questions.
>
> We cannot check for file existence at configuration time for the
> reasons
> above.
>
> We cannot check for file existence at build time because certificates
> may be part of the machine’s state; they are typically managed in a
> stateful fashion, outside of GuixSD.
>
> So the only option we’re left with is checking at run time, when we
> start the service. But that’s something nginx already does, I think?
>
> As for the default, I would be in favor of setting it to #f, because I
> can’t really think of a default that would work for everyone.
>
> WDYT?
Having it default to #f is fine with me. Nginx does this check at
runtime
and will refuse to start if these files are missing. Keeping https-port
to 443 and certificates to #f means it will not be able to establish a
connection to the client, but the http website will be available. So
just
setting the key and the certificate to #f by default should be OK.
>
> Ludo’.
next prev parent reply other threads:[~2017-12-05 11:24 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-27 8:26 [bug#29467] [PATCH] web: Don't error about missing ssl related files Christopher Baines
2017-11-27 9:22 ` julien lepiller
2017-12-05 11:14 ` Ludovic Courtès
2017-12-05 11:23 ` julien lepiller [this message]
2017-12-08 9:41 ` Ludovic Courtès
2017-12-09 9:31 ` [bug#29467] [PATCH 1/2] " Christopher Baines
2017-12-09 9:31 ` [bug#29467] [PATCH 2/2] services: web: Remove default certificate and key files for nginx Christopher Baines
2017-12-11 13:26 ` Ludovic Courtès
2017-12-11 20:41 ` bug#29467: " Christopher Baines
2017-12-11 13:26 ` [bug#29467] [PATCH 1/2] web: Don't error about missing ssl related files Ludovic Courtès
2017-12-09 9:37 ` [bug#29467] [PATCH] " Christopher Baines
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f71e915584d672abef213ed082e52745@lepiller.eu \
--to=julien@lepiller.eu \
--cc=29467@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).