From: Tobias Geerinckx-Rice
To: Phil
Cc: help-guix@gnu.org
Subject: Re: Running Substitute Server over https
Date: Sat, 06 Feb 2021 11:52:23 +0100
Message-ID: <874kipxyc8.fsf@nckx>
In-Reply-To: <85o8gxebyh.fsf@beadling.co.uk>
References: <85o8gxebyh.fsf@beadling.co.uk>

Phil,

Phil wrote:
> I have a substitute server running trivially using http,

That's all ‘guix publish’ does; it doesn't speak HTTPS. That's by design (at least I hope it is): TLS should be handled by a separate, well-audited proxy layer. Ideally one written in C.

> but there doesn't seem to be anything in the manual about how/where
> to configure my certificate file, etc, to run a server over https.

I use nginx to proxy my local ‘guix publish’ server[0]. I think that's what everyone[1][2][3] does. Basically:

  server {
    server_name guix.tobias.gr;
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    listen [::]:80;
    listen 80;

    ssl_certificate /etc/tls/tobias.gr/fullchain.pem;
    ssl_certificate_key /etc/tls/tobias.gr/privkey.pem;
    ssl_trusted_certificate /etc/tls/tobias.gr/chain.pem;

    set $upstream athena.tobias.gr; # hack to respect TTL

    location = /nix-cache-info {
      proxy_pass http://$upstream:3000;
    }
    location ~ /(file|log|nar) {
      proxy_pass http://$upstream:3000;
    }
    location / { # /*.narinfo
      proxy_pass http://$upstream:3000;
    }

    [...several pages of caching, APIs, &c. snipped...]
  }

You'd probably use ‘localhost’ since your publisher is probably not running on a separate node.

Kind regards,

T G-R

[0]: https://guix.tobias.gr
[1]: https://ci.guix.gnu.org
[2]: https://bayfront.guix.gnu.org
[3]: https://guix.cbaines.net
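A complete, stand-alone version of the proxy layer the reply describes, added here as an example; it is not the configuration from the message above nor that of any of the linked servers. It keeps the same three location blocks and, as the reply suggests for a publisher on the same node, points the upstream at a local ‘guix publish’. The hostname, the certificate paths under /etc/tls/ and the upstream port are placeholders; the default ‘guix publish’ port is 8080, and 3000 is only kept to match the thread.

```nginx
# Added example: TLS termination in front of a local ‘guix publish’.
# substitutes.example.org and the /etc/tls/example.org/ paths are placeholders.
server {
    server_name substitutes.example.org;

    # Plain HTTP stays available, as in the reply: substitutes are signed
    # by the publish key and clients verify that signature regardless of
    # transport. TLS adds confidentiality and protects the transport.
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl http2;
    listen 443 ssl http2;

    ssl_certificate         /etc/tls/example.org/fullchain.pem;
    ssl_certificate_key     /etc/tls/example.org/privkey.pem;
    # The issuing chain is what ssl_stapling_verify checks OCSP responses against.
    ssl_trusted_certificate /etc/tls/example.org/chain.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Publisher on the same host (assumption). A literal address avoids the
    # ‘resolver’ directive that a hostname in a variable would require.
    set $upstream 127.0.0.1:3000;

    # Cache metadata consulted first by ‘guix substitute’.
    location = /nix-cache-info {
        proxy_pass http://$upstream;
    }

    # Nars, files and build logs.
    location ~ ^/(file|log|nar)/ {
        proxy_pass http://$upstream;
    }

    # Everything else, i.e. /<hash>.narinfo.
    location / {
        proxy_pass http://$upstream;
    }
}
```

Check the file with `nginx -t` before reloading, then confirm from a client that both `http://` and `https://` forms of `/nix-cache-info` answer. The proxy only moves bytes: the client still decides which substitutes to trust through the publish key it has authorized with `guix archive --authorize`, so a certificate problem on the proxy degrades availability and confidentiality, not the integrity check.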