all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* [bug#46049] [PATCH] services: nginx: Add ssl-protocols option.
@ 2021-01-23 10:00 Jonathan Brielmaier
  2021-01-23 10:07 ` Jonathan Brielmaier
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Jonathan Brielmaier @ 2021-01-23 10:00 UTC (permalink / raw)
  To: 46049

* gnu/services/web.scm (<nginx-server-configuration>)[ssl-protocols]:
New entry defaulting to "secure" versions of TLS.
(emit-nginx-server-config): Add it.
* doc/guix.texi (Web Services): Document it.
---
 doc/guix.texi        | 3 +++
 gnu/services/web.scm | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 4a20b3b902..4c187d4383 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -23616,6 +23616,9 @@ you don't have a certificate or you don't want to use HTTPS.
 Where to find the private key for secure connections.  Set it to @code{#f} if
 you don't have a key or you don't want to use HTTPS.

+@item @code{ssl-protocols} (default: @code{"TLSv1.2 TLSv1.3"})
+The versions of TLS used.
+
 @item @code{server-tokens?} (default: @code{#f})
 Whether the server should add its configuration to response.

diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index ff7b262b6a..93e1e802dc 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -113,6 +113,7 @@
             nginx-server-configuration-index
             nginx-server-configuration-ssl-certificate
             nginx-server-configuration-ssl-certificate-key
+            nginx-server-configuration-ssl-protocols
             nginx-server-configuration-server-tokens?
             nginx-server-configuration-raw-content

@@ -489,6 +490,8 @@
                        (default #f))
   (ssl-certificate-key nginx-server-configuration-ssl-certificate-key
                        (default #f))
+  (ssl-protocols       nginx-server-configuration-ssl-protocols
+                       (default "TLSv1.2 TLSv1.3"))
   (server-tokens?      nginx-server-configuration-server-tokens?
                        (default #f))
   (raw-content         nginx-server-configuration-raw-content
@@ -587,6 +590,7 @@ of index files."
         (ssl-certificate (nginx-server-configuration-ssl-certificate server))
         (ssl-certificate-key
          (nginx-server-configuration-ssl-certificate-key server))
+        (ssl-protocols (nginx-server-configuration-ssl-protocols server))
         (root (nginx-server-configuration-root server))
         (index (nginx-server-configuration-index server))
         (try-files (nginx-server-configuration-try-files server))
@@ -606,6 +610,7 @@ of index files."
      "      server_name " (config-domain-strings server-name) ";\n"
      (and/l ssl-certificate     "      ssl_certificate " <> ";\n")
      (and/l ssl-certificate-key "      ssl_certificate_key " <> ";\n")
+     "      ssl_protocols " ssl-protocols ";\n"
      "      root " root ";\n"
      "      index " (config-index-strings index) ";\n"
      (if (not (nil? try-files))
--
2.30.0





^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [bug#46049] [PATCH] services: nginx: Add ssl-protocols option.
  2021-01-23 10:00 [bug#46049] [PATCH] services: nginx: Add ssl-protocols option Jonathan Brielmaier
@ 2021-01-23 10:07 ` Jonathan Brielmaier
  2021-01-24  1:36   ` guix-patches--- via
  2021-01-24  0:45 ` guix-patches--- via
  2022-11-22 15:26 ` mirai
  2 siblings, 1 reply; 6+ messages in thread
From: Jonathan Brielmaier @ 2021-01-23 10:07 UTC (permalink / raw)
  To: 46049

I tested this change in multiple setups on my production server and I
could not find any grave issues, apart from maybe warnings about
duplication if you self setted this option via `raw-content`.

The default settings is accordingly to Mozillas "Intermediate"
configuration for nginx: https://ssl-config.mozilla.org

I would also like to implement an option with good defaults for
`ssl_ciphers` if you have ideas how to do that in a nice way speak up :)




^ permalink raw reply	[flat|nested] 6+ messages in thread

* [bug#46049] [PATCH] services: nginx: Add ssl-protocols option.
  2021-01-23 10:00 [bug#46049] [PATCH] services: nginx: Add ssl-protocols option Jonathan Brielmaier
  2021-01-23 10:07 ` Jonathan Brielmaier
@ 2021-01-24  0:45 ` guix-patches--- via
  2022-11-22 15:26 ` mirai
  2 siblings, 0 replies; 6+ messages in thread
From: guix-patches--- via @ 2021-01-24  0:45 UTC (permalink / raw)
  To: Jonathan Brielmaier; +Cc: 46049

[-- Attachment #1: Type: text/plain, Size: 512 bytes --]

Jonathan,

Jonathan Brielmaier 写道:
> * gnu/services/web.scm 
> (<nginx-server-configuration>)[ssl-protocols]:
> New entry defaulting to "secure" versions of TLS.

Thanks!

> +  (ssl-protocols       nginx-server-configuration-ssl-protocols
> +                       (default "TLSv1.2 TLSv1.3"))

This should be

  (default "TLSv1 TLSv1.1 TLSv1.2")

instead, see [0].  Otherwise LGTM!

Kind regards,

T G-R

[0]: 
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [bug#46049] [PATCH] services: nginx: Add ssl-protocols option.
  2021-01-23 10:07 ` Jonathan Brielmaier
@ 2021-01-24  1:36   ` guix-patches--- via
  2021-01-24 13:25     ` Jonathan Brielmaier
  0 siblings, 1 reply; 6+ messages in thread
From: guix-patches--- via @ 2021-01-24  1:36 UTC (permalink / raw)
  To: Jonathan Brielmaier; +Cc: 46049

[-- Attachment #1: Type: text/plain, Size: 861 bytes --]

Jonathan Brielmaier 写道:
> The default settings is accordingly to Mozillas "Intermediate"
> configuration for nginx: https://ssl-config.mozilla.org

Oh, I see!  Hiding subjective tweaks to upstream defaults in Guix 
services is a bad idea.

Imagine debugging this at 2 a.m., staring at the official nginx 
documentation through your tears.

> I would also like to implement an option with good defaults for
> `ssl_ciphers` if you have ideas how to do that in a nice way 
> speak up :)

How about writing ‘mozilla-recommended’ nginx configuration 
presets that users can inherit from?  This would imply keeping 
them up to date, including the specific versions of nginx and *ssl 
in Guix.

I don't know whether this belongs in Guix or not, but then we 
already ship someone's Facebook blocklist, so... :-)

Kind regards,

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [bug#46049] [PATCH] services: nginx: Add ssl-protocols option.
  2021-01-24  1:36   ` guix-patches--- via
@ 2021-01-24 13:25     ` Jonathan Brielmaier
  0 siblings, 0 replies; 6+ messages in thread
From: Jonathan Brielmaier @ 2021-01-24 13:25 UTC (permalink / raw)
  To: Tobias Geerinckx-Rice; +Cc: 46049

On 24.01.21 02:36, Tobias Geerinckx-Rice wrote:
> Jonathan Brielmaier 写道:
>> The default settings is accordingly to Mozillas "Intermediate"
>> configuration for nginx: https://ssl-config.mozilla.org
>
> Oh, I see!  Hiding subjective tweaks to upstream defaults in Guix
> services is a bad idea.
>
> Imagine debugging this at 2 a.m., staring at the official nginx
> documentation through your tears.

I see your point, but I usually start with the Guix service
documentation and it clearly would state "TLSv1.2 TLSv1.3". If your
client doesn't support TLSv1.2 (thats 12 years old), it's maybe a better
idea to fallback to HTTP...

I think in general its a good idea to follow upstreams default, but it
should not hinder us to make more secure defaults

>> I would also like to implement an option with good defaults for
>> `ssl_ciphers` if you have ideas how to do that in a nice way speak up :)
>
> How about writing ‘mozilla-recommended’ nginx configuration presets that
> users can inherit from?  This would imply keeping them up to date,
> including the specific versions of nginx and *ssl in Guix.

Hm, I try to keep stuff simple and to be honest all those service
"matroska" stuff grows over my head. If theres an error I can not debug
them at 2am or at any other time...

A compromise would maybe something like :
(ssl-protocols %upstream-default OR %mozilla-default OR "Your custom
string")




^ permalink raw reply	[flat|nested] 6+ messages in thread

* [bug#46049] [PATCH] services: nginx: Add ssl-protocols option.
  2021-01-23 10:00 [bug#46049] [PATCH] services: nginx: Add ssl-protocols option Jonathan Brielmaier
  2021-01-23 10:07 ` Jonathan Brielmaier
  2021-01-24  0:45 ` guix-patches--- via
@ 2022-11-22 15:26 ` mirai
  2 siblings, 0 replies; 6+ messages in thread
From: mirai @ 2022-11-22 15:26 UTC (permalink / raw)
  To: 46049

How about leaving it empty by default and writing the directive to file only if a value is present?
This way the defaults are automatically chosen by nginx. (as they can drift due to automatic protocol
support detection or as newer protocols roll out)

About making recommendations in the docs, I'd suggest linking it directly to Mozilla's website
rather than duplicating it and risk ending up with outdated advice.





^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2022-11-22 15:28 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-01-23 10:00 [bug#46049] [PATCH] services: nginx: Add ssl-protocols option Jonathan Brielmaier
2021-01-23 10:07 ` Jonathan Brielmaier
2021-01-24  1:36   ` guix-patches--- via
2021-01-24 13:25     ` Jonathan Brielmaier
2021-01-24  0:45 ` guix-patches--- via
2022-11-22 15:26 ` mirai

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.