From: Tobias Geerinckx-Rice <me@tobias.gr>
To: Phil <phil@beadling.co.uk>
Cc: help-guix@gnu.org
Subject: Re: Running Substitute Server over https
Date: Sat, 06 Feb 2021 11:52:23 +0100 [thread overview]
Message-ID: <874kipxyc8.fsf@nckx> (raw)
In-Reply-To: <85o8gxebyh.fsf@beadling.co.uk>
[-- Attachment #1: Type: text/plain, Size: 1529 bytes --]
Phil,
Phil 写道:
> I have a substitute server running trivially using http,
That's all ‘guix publish’ does; it doesn't speak HTTPS.
That's by design (at least I hope it is): TLS should be handled by
a separate, well-audited proxy layer. Ideally one written in C.
> but there doesn't seem to be anything in the manual about
> how/where
> to configure my certificate file, etc, to run a server over
> https.
I use nginx to proxy my local ‘guix publish’ server[0]. I think
that's what everyone[1][2][3] does.
Basically:
server {
server_name guix.tobias.gr;
listen [::]:443 ssl http2;
listen 443 ssl http2;
listen [::]:80;
listen 80;
ssl_certificate /etc/tls/tobias.gr/fullchain.pem;
ssl_certificate_key /etc/tls/tobias.gr/privkey.pem;
ssl_trusted_certificate /etc/tls/tobias.gr/chain.pem;
set $upstream athena.tobias.gr; # hack to respect TTL
location = /nix-cache-info {
proxy_pass http://$upstream:3000;
}
location ~ /(file|log|nar) {
proxy_pass http://$upstream:3000;
}
location / { # /*.narinfo
proxy_pass http://$upstream:3000;
}
[...several pages of caching, APIs, &c. snipped...]
}
You'd probably use ‘localhost’ since your publisher is probably
not running on a separate node.
Kind regards,
T G-R
[0]: https://guix.tobias.gr
[1]: https://ci.guix.gnu.org
[2]: https://bayfront.guix.gnu.org
[3]: https://guix.cbaines.net
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]
next prev parent reply other threads:[~2021-02-06 10:52 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-06 10:18 Running Substitute Server over https Phil
2021-02-06 10:52 ` Tobias Geerinckx-Rice [this message]
2021-02-06 12:32 ` Phil
2021-02-06 10:58 ` Edouard Klein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874kipxyc8.fsf@nckx \
--to=me@tobias.gr \
--cc=help-guix@gnu.org \
--cc=phil@beadling.co.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).