X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fwebsites%2Fapache%2Fhttpd_inte.nix;h=ee7d15e8102423b6fa87e9c824bacc1463f4191d;hb=62366a393e343b70571c6cf98ca74e94432b4f10;hp=0417281c0bb1e4d9181056cc3799b0dd14cf99b8;hpb=01f21083a897b86bf148f1d2bb9c8edca4d3786a;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/nixops/modules/websites/apache/httpd_inte.nix b/nixops/modules/websites/apache/httpd_inte.nix
index 0417281..ee7d15e 100644
--- a/nixops/modules/websites/apache/httpd_inte.nix
+++ b/nixops/modules/websites/apache/httpd_inte.nix
@@ -187,8 +187,8 @@ let SSLRandomSeed startup builtin SSLRandomSeed connect builtin - SSLProtocol All -SSLv2 -SSLv3 - SSLCipherSuite HIGH:!aNULL:!MD5:!EXP + SSLProtocol ${mainCfg.sslProtocols} + SSLCipherSuite ${mainCfg.sslCiphers} SSLHonorCipherOrder on '';
@@ -217,7 +217,7 @@ let ) null ([ cfg ] ++ subservices); documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else - pkgs.runCommand "empty" {} "mkdir -p $out"; + pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out"; documentRootConf = '' DocumentRoot "${documentRoot}"
@@ -376,6 +376,8 @@ let Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf Include ${httpd}/conf/extra/httpd-languages.conf + TraceEnable off + ${if enableSSL then sslConf else ""} # Fascist default - deny access to everything.
@@ -623,6 +625,19 @@ in description = "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited"; }; + + sslCiphers = mkOption { + type = types.str; + default = "HIGH:!aNULL:!MD5:!EXP"; + description = "Cipher Suite available for negotiation in SSL proxy handshake."; + }; + + sslProtocols = mkOption { + type = types.str; + default = "All -SSLv2 -SSLv3 -TLSv1"; + example = "All -SSLv2 -SSLv3"; + description = "Allowed SSL/TLS protocol versions."; + }; } # Include the options shared between the main server and virtual hosts.
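Review bot: The interpolations `SSLProtocol ${mainCfg.sslProtocols}` and `SSLCipherSuite ${mainCfg.sslCiphers}` in the first hunk (-187,8) now put free-form strings into the generated httpd configuration. The options added in the last hunk are declared as plain `types.str`, so an empty value or one containing a line break would change the shape of the config, not just the protocol or cipher list. The values come from the deployment's own Nix expressions, so this is a robustness point, not an injection risk, but a single-line constraint would catch mistakes at evaluation time. If the nixpkgs revision in use provides it, `type = types.strMatching "[^\n]+";` on both options would do that. The definition of sslConf starts outside this hunk, so a comment such as `# Server-wide TLS policy, set via the sslProtocols / sslCiphers options` above the two lines would help the reader.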
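Review bot: The new default `"All -SSLv2 -SSLv3 -TLSv1"` in the last hunk (-623,6) drops TLS 1.0 but still leaves TLS 1.1 enabled, which RFC 8996 deprecates together with 1.0; `default = "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1";` would set the floor at TLS 1.2. The `example` value turns TLS 1.0 back on, so it reads as an invitation to weaken the default; an example that tightens it, such as `example = "-All +TLSv1.2";`, is safer to copy. The `sslCiphers` description says "SSL proxy handshake", which is the wording for SSLProxyCipherSuite, while the option feeds `SSLCipherSuite` in the first hunk; `description = "Cipher suites offered to clients in the TLS handshake (SSLCipherSuite).";` matches what it does. The option set these declarations belong to begins and ends outside the hunk.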