* Running Substitute Server over https
@ 2021-02-06 10:18 Phil
From: Phil @ 2021-02-06 10:18 UTC (permalink / raw)
To: help-guix
Hi all,
I have a substitute server running trivially using http, but there
doesn't seem to be anything in the manual about how/where to configure
my certificate file, etc, to run a server over https.
Can anyone advise on https setup for 'guix publish'?
Thanks,
Phil.
* Re: Running Substitute Server over https
From: Tobias Geerinckx-Rice @ 2021-02-06 10:52 UTC (permalink / raw)
To: Phil; +Cc: help-guix
Phil,
Phil wrote:
> I have a substitute server running trivially using http,
That's all ‘guix publish’ does; it doesn't speak HTTPS.
That's by design (at least I hope it is): TLS should be handled by
a separate, well-audited proxy layer. Ideally one written in C.
> but there doesn't seem to be anything in the manual about
> how/where
> to configure my certificate file, etc, to run a server over
> https.
I use nginx to proxy my local ‘guix publish’ server[0]. I think
that's what everyone[1][2][3] does.
Basically:
server {
    server_name guix.tobias.gr;
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    listen [::]:80;
    listen 80;
    ssl_certificate /etc/tls/tobias.gr/fullchain.pem;
    ssl_certificate_key /etc/tls/tobias.gr/privkey.pem;
    ssl_trusted_certificate /etc/tls/tobias.gr/chain.pem;
    set $upstream athena.tobias.gr; # hack to respect TTL
    location = /nix-cache-info {
        proxy_pass http://$upstream:3000;
    }
    location ~ /(file|log|nar) {
        proxy_pass http://$upstream:3000;
    }
    location / { # /*.narinfo
        proxy_pass http://$upstream:3000;
    }
    [...several pages of caching, APIs, &c. snipped...]
}
You'd probably use ‘localhost’ since your publisher is probably
not running on a separate node.
Kind regards,
T G-R
[0]: https://guix.tobias.gr
[1]: https://ci.guix.gnu.org
[2]: https://bayfront.guix.gnu.org
[3]: https://guix.cbaines.net
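Added example (not part of the thread, and not the nginx configuration of any of the servers linked above): a small lint pass over the kind of TLS-terminating nginx server block described above. It parses a constructed "weak" block and a constructed "hardened" block (placeholder hostname substitutes.example.org and placeholder certificate paths are assumptions, chosen for the example) and reports the checks a reviewer would make before putting ‘guix publish’ behind the proxy: a 443 listener that lacks ssl, a missing ssl_certificate_key, legacy ssl_protocols, no HSTS header, and a plaintext listener that still proxies the substitutes instead of redirecting to https.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (check code, detail)

# Constructed sample: one server block with several weaknesses.
WEAK_CONF = """
server {
    server_name substitutes.example.org;   # placeholder host (assumption)
    listen 443;                            # 443 but no 'ssl' parameter
    listen 80;
    ssl_certificate /etc/tls/example.org/fullchain.pem;   # key is missing
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # legacy protocol versions
    location / {
        proxy_pass http://localhost:3000;  # guix publish on loopback
    }
}
"""

# Constructed sample: the same proxy with TLS done properly.
HARDENED_CONF = """
server {
    server_name substitutes.example.org;
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    ssl_certificate /etc/tls/example.org/fullchain.pem;
    ssl_certificate_key /etc/tls/example.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=63072000" always;
    location / {
        proxy_pass http://localhost:3000;
    }
}
server {
    server_name substitutes.example.org;
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}
"""

COMMENT_RE = re.compile(r"#[^\n]*")
# A simple directive: name, arguments, terminating ';' (blocks like
# 'location / {' have no ';' before '{' and are skipped on purpose).
DIRECTIVE_RE = re.compile(r"(?<![\w$])([a-z_][a-z0-9_]*)\s+([^;{}]*?)\s*;")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def server_blocks(conf: str) -> List[str]:
    """Return the body of every top-level 'server { ... }' block."""
    text = COMMENT_RE.sub("", conf)
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        blocks.append(text[m.end():i - 1])
    return blocks


def directives(block: str) -> List[Tuple[str, List[str]]]:
    """Flatten a block (including nested locations) into (name, args) pairs."""
    return [(m.group(1), m.group(2).split()) for m in DIRECTIVE_RE.finditer(block)]


def listen_port(args: List[str]) -> str:
    addr = args[0]
    return addr.rsplit(":", 1)[-1] if ":" in addr else addr


def lint_server(block: str) -> List[Finding]:
    ds = directives(block)
    names = {name for name, _ in ds}
    listens = [args for name, args in ds if name == "listen" and args]
    findings: List[Finding] = []

    # 1. Port 443 must carry the 'ssl' parameter, otherwise nginx serves plain HTTP there.
    for args in listens:
        if listen_port(args) == "443" and "ssl" not in args:
            findings.append(("LISTEN_443_NO_SSL", "listen " + " ".join(args)))
    wants_tls = any("ssl" in args or listen_port(args) == "443" for args in listens)

    # 2. A TLS listener needs both certificate chain and private key.
    if wants_tls:
        for required in ("ssl_certificate", "ssl_certificate_key"):
            if required not in names:
                findings.append(("MISSING_" + required.upper(), required + " not set"))

    # 3. Legacy protocol versions should not be enabled explicitly.
    for name, args in ds:
        if name == "ssl_protocols":
            legacy = [p for p in args if p in LEGACY_PROTOCOLS]
            if legacy:
                findings.append(("LEGACY_TLS_PROTOCOL", " ".join(legacy)))

    # 4. HSTS keeps clients that have seen the https endpoint from going back to http.
    hsts = any(name == "add_header" and args and args[0].lower() == "strict-transport-security"
               for name, args in ds)
    if wants_tls and not hsts:
        findings.append(("NO_HSTS", "add_header Strict-Transport-Security missing"))

    # 5. A plaintext listener in a block that proxies substitutes serves them unencrypted;
    #    the usual pattern is a separate :80 block that only redirects.
    if any("ssl" not in args for args in listens) and "proxy_pass" in names:
        findings.append(("PLAINTEXT_PROXY", "plaintext listener proxies substitutes"))
    return findings


def lint_nginx(conf: str) -> List[Finding]:
    return [f for block in server_blocks(conf) for f in lint_server(block)]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_nginx(conf))
```

Signed substitutes are integrity-protected by the ‘guix archive’ key regardless of the transport, so what the proxy adds is confidentiality of which store items a client fetches and protection against a man-in-the-middle downgrading or blocking responses; the lint only covers the TLS-termination half of the setup, not the caching or upstream directives that were snipped above.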
* Re: Running Substitute Server over https
From: Edouard Klein @ 2021-02-06 10:58 UTC (permalink / raw)
To: help-guix
Hi phil,
Not answering your question directly, but last time I wanted to secure
the connection between a client and a substitute I used an ssh tunnel:
# On the server
guix archive --generate-key
ssh root@client guix archive --authorize < /etc/guix/signing-key.pub
guix publish&
ssh -N -R 8081:localhost:8080 root@client&
# On the client
guix build --substitute-urls=http://localhost:8081 whatever
This may or may not be amendable to your situation, and may or may not
lend itself to tlstunnel instead of ssh.
Good luck :)
Phil writes:
> Hi all,
>
> I have a substitute server running trivially using http, but there
> doesn't seem to be anything in the manual about how/where to configure
> my certificate file, etc, to run a server over https.
>
> Can anyone advise on https setup for 'guix publish'?
>
> Thanks,
> Phil.
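Added example (not part of the thread): a check for the client side of either approach. A ‘--substitute-urls’ list is sound when every entry is either https (the reverse-proxy setup) or plain http that only reaches the loopback interface (the ‘ssh -R 8081:localhost:8080’ tunnel above, whose listening end is bound to the client's localhost). Plain http to a remote host is still integrity-protected by the signing key, but leaks which store items are fetched and lets a network attacker block or replace responses; this helper flags exactly those entries. The URLs in the test are constructed, except the public ci.guix.gnu.org mirror named earlier in the thread.

```python
import ipaddress
from typing import List
from urllib.parse import urlsplit

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def transport_class(url: str) -> str:
    """Classify how a substitute URL protects the network path.

    'tls'         https://, terminated by the reverse proxy
    'loopback'    http:// that never leaves the host (ssh -R tunnel endpoint)
    'plaintext'   http:// to a remote host: signed, but observable and blockable
    'unsupported' any other scheme
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme == "https":
        return "tls"
    if scheme != "http":
        return "unsupported"
    host = parts.hostname or ""          # already lower-cased, brackets stripped for IPv6
    if host in LOOPBACK_NAMES:
        return "loopback"
    try:
        if ipaddress.ip_address(host).is_loopback:   # 127.0.0.0/8 and ::1
            return "loopback"
    except ValueError:
        pass                                          # a DNS name, not a literal address
    return "plaintext"


def audit_substitute_urls(substitute_urls: str) -> List[str]:
    """Return the entries of a space-separated --substitute-urls value that
    send substitute traffic unencrypted across the network (or use an
    unsupported scheme)."""
    return [u for u in substitute_urls.split()
            if transport_class(u) in ("plaintext", "unsupported")]


if __name__ == "__main__":
    # Constructed input; only ci.guix.gnu.org is a real public mirror.
    print(audit_substitute_urls(
        "https://ci.guix.gnu.org http://localhost:8081 http://mirror.example.org:8080"))
```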
* Re: Running Substitute Server over https
From: Phil @ 2021-02-06 12:32 UTC (permalink / raw)
To: Tobias Geerinckx-Rice; +Cc: help-guix
> That's all ‘guix publish’ does; it doesn't speak HTTPS.
Ahh got it, so I just need to stick it behind a reverse proxy - thanks
for clarifying.