unofficial mirror of help-guix@gnu.org 
* Running Substitute Server over https
From: Phil @ 2021-02-06 10:18 UTC (permalink / raw)
  To: help-guix

Hi all,

I have a substitute server running trivially using http, but there
doesn't seem to be anything in the manual about how/where to configure
my certificate file, etc, to run a server over https.

Can anyone advise on https setup for 'guix publish'?

Thanks,
Phil.



* Re: Running Substitute Server over https
From: Tobias Geerinckx-Rice @ 2021-02-06 10:52 UTC (permalink / raw)
  To: Phil; +Cc: help-guix


Phil,

Phil wrote:
> I have a substitute server running trivially using http,

That's all ‘guix publish’ does; it doesn't speak HTTPS.

That's by design (at least I hope it is): TLS should be handled by 
a separate, well-audited proxy layer.  Ideally one written in C.

> but there doesn't seem to be anything in the manual about how/where
> to configure my certificate file, etc, to run a server over https.

I use nginx to proxy my local ‘guix publish’ server[0].  I think 
that's what everyone[1][2][3] does.

Basically:

  server {
    server_name guix.tobias.gr;
    listen [::]:443 ssl http2;
    listen      443 ssl http2;
    listen [::]:80;
    listen      80;
    ssl_certificate         /etc/tls/tobias.gr/fullchain.pem;
    ssl_certificate_key     /etc/tls/tobias.gr/privkey.pem;
    ssl_trusted_certificate /etc/tls/tobias.gr/chain.pem;

    set $upstream athena.tobias.gr; # hack to respect TTL

    location = /nix-cache-info {
      proxy_pass http://$upstream:3000;
    }

    location ~ /(file|log|nar) {
      proxy_pass http://$upstream:3000;
    }

    location / { # /*.narinfo
      proxy_pass http://$upstream:3000;
    }

    [...several pages of caching, APIs, &c. snipped...]
  }

You'd probably use ‘localhost’ since your publisher is probably 
not running on a separate node.

Kind regards,

T G-R

[0]: https://guix.tobias.gr
[1]: https://ci.guix.gnu.org
[2]: https://bayfront.guix.gnu.org
[3]: https://guix.cbaines.net


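A small smoke test for the setup Tobias describes, added here as an example (it is not code from the thread, from nginx or from Guix): it assumes the reverse proxy terminates TLS on 443, forwards /nix-cache-info and /*.narinfo to ‘guix publish’, and redirects plain HTTP to HTTPS; the base URL you pass is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or from Guix: smoke-test a
# `guix publish` instance sitting behind a TLS-terminating reverse
# proxy such as the nginx server block above.  Assumptions: the proxy
# forwards /nix-cache-info and /*.narinfo to guix publish and answers
# plain HTTP with a redirect; BASE_URL is a placeholder you supply.
set -eu

# cache_info_ok BODY STOREDIR: succeed when a /nix-cache-info body
# names the expected store directory (guix publish emits
# "StoreDir: /gnu/store" on a stock system).
cache_info_ok() {
    printf '%s\n' "$1" | grep -qx "StoreDir: *$2"
}

# narinfo_signed BODY: succeed when a narinfo carries a Signature:
# line.  Substitute integrity rests on that signature (the key the
# client authorized with `guix archive --authorize`); TLS on top of it
# only adds transport confidentiality and server authentication.
narinfo_signed() {
    printf '%s\n' "$1" | grep -q '^Signature: '
}

# https_only URL: succeed when fetching the same path over plain HTTP
# yields a redirect rather than cache content in the clear.
# (Network helper; not exercised by the offline checks.)
https_only() {
    plain=$(printf '%s' "$1" | sed 's#^https://#http://#')
    code=$(curl -sS -o /dev/null -w '%{http_code}' "$plain")
    case "$code" in 30[1278]) return 0 ;; *) return 1 ;; esac
}

# check_substitute_server BASE_URL: run the checks against a live
# server.  curl validates the certificate chain here; never add -k.
check_substitute_server() {
    base="$1"
    body=$(curl -fsS --proto '=https' "$base/nix-cache-info") || return 1
    cache_info_ok "$body" /gnu/store \
        || { echo "unexpected /nix-cache-info from $base"; return 1; }
    https_only "$base/nix-cache-info" \
        || { echo "plain HTTP serves the cache in the clear"; return 1; }
    echo "ok: $base terminates TLS and proxies guix publish"
}
```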

* Re: Running Substitute Server over https
From: Edouard Klein @ 2021-02-06 10:58 UTC (permalink / raw)
  To: help-guix

Hi phil,

Not answering your question directly, but last time I wanted to secure
the connection between a client and a substitute I used an ssh tunnel:


# On the server
guix archive --generate-key
ssh root@client guix archive --authorize < /etc/guix/signing-key.pub
guix publish&
ssh -N -R 8081:localhost:8080 root@client&

# On the client
guix build --substitute-urls=http://localhost:8081 whatever

This may or may not be amenable to your situation, and may or may not
lend itself to tlstunnel instead of ssh.

Good luck :)


Phil writes:

> Hi all,
>
> I have a substitute server running trivially using http, but there
> doesn't seem to be anything in the manual about how/where to configure
> my certificate file, etc, to run a server over https.
>
> Can anyone advise on https setup for 'guix publish'?
>
> Thanks,
> Phil.




* Re: Running Substitute Server over https
From: Phil @ 2021-02-06 12:32 UTC (permalink / raw)
  To: Tobias Geerinckx-Rice; +Cc: help-guix


> That's all ‘guix publish’ does; it doesn't speak HTTPS.

Ahh got it, so I just need to stick it behind a reverse proxy - thanks
for clarifying.

