Re: Running Substitute Server over https

[Tobias Geerinckx-Rice <me@tobias.gr>]

[-- Attachment #1: Type: text/plain, Size: 1529 bytes --]

Phil,

Phil 写道：
> I have a substitute server running trivially using http,

That's all ‘guix publish’ does; it doesn't speak HTTPS.

That's by design (at least I hope it is): TLS should be handled by 
a separate, well-audited proxy layer.  Ideally one written in C.

> but there doesn't seem to be anything in the manual about 
> how/where
> to configure my certificate file, etc, to run a server over 
> https.

I use nginx to proxy my local ‘guix publish’ server[0].  I think 
that's what everyone[1][2][3] does.

Basically:

  server {
    server_name guix.tobias.gr;
    listen [::]:443 ssl http2;
    listen      443 ssl http2;
    listen [::]:80;
    listen      80;
    ssl_certificate         /etc/tls/tobias.gr/fullchain.pem;
    ssl_certificate_key     /etc/tls/tobias.gr/privkey.pem;
    ssl_trusted_certificate /etc/tls/tobias.gr/chain.pem;

    set $upstream athena.tobias.gr; # hack to respect TTL

    location = /nix-cache-info {
      proxy_pass http://$upstream:3000;
    }

    location ~ /(file|log|nar) {
      proxy_pass http://$upstream:3000;
    }

    location / { # /*.narinfo
      proxy_pass http://$upstream:3000;
    }

    [...several pages of caching, APIs, &c. snipped...]
  }

You'd probably use ‘localhost’ since your publisher is probably 
not running on a separate node.

Kind regards,

T G-R

[0]: https://guix.tobias.gr
[1]: https://ci.guix.gnu.org
[2]: https://bayfront.guix.gnu.org
[3]: https://guix.cbaines.net

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]