X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fwebsites%2Fapache%2Fhttpd_tools.nix;h=1b9d1e3697aa3b20c96365d1b162784d785147b6;hb=62366a393e343b70571c6cf98ca74e94432b4f10;hp=c0b779bdf9fcd971b759c8ad6a231ad3f843f7f5;hpb=69475c58ebbb30ea72890133bf12aa0b2ccbd731;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/nixops/modules/websites/apache/httpd_tools.nix b/nixops/modules/websites/apache/httpd_tools.nix index c0b779b..1b9d1e3 100644 --- a/nixops/modules/websites/apache/httpd_tools.nix +++ b/nixops/modules/websites/apache/httpd_tools.nix @@ -187,8 +187,8 @@ let SSLRandomSeed startup builtin SSLRandomSeed connect builtin - SSLProtocol All -SSLv2 -SSLv3 - SSLCipherSuite HIGH:!aNULL:!MD5:!EXP + SSLProtocol ${mainCfg.sslProtocols} + SSLCipherSuite ${mainCfg.sslCiphers} SSLHonorCipherOrder on ''; @@ -217,7 +217,7 @@ let ) null ([ cfg ] ++ subservices); documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else - pkgs.runCommand "empty" {} "mkdir -p $out"; + pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out"; documentRootConf = '' DocumentRoot "${documentRoot}" @@ -376,6 +376,8 @@ let Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf Include ${httpd}/conf/extra/httpd-languages.conf + TraceEnable off + ${if enableSSL then sslConf else ""} # Fascist default - deny access to everything. @@ -623,6 +625,19 @@ in description = "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited"; }; + + sslCiphers = mkOption { + type = types.str; + default = "HIGH:!aNULL:!MD5:!EXP"; + description = "Cipher Suite available for negotiation in SSL proxy handshake."; + }; + + sslProtocols = mkOption { + type = types.str; + default = "All -SSLv2 -SSLv3 -TLSv1"; + example = "All -SSLv2 -SSLv3"; + description = "Allowed SSL/TLS protocol versions."; + }; } # Include the options shared between the main server and virtual hosts.
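Review bot: `${mainCfg.sslProtocols}` and `${mainCfg.sslCiphers}` are spliced verbatim into the `SSLProtocol` and `SSLCipherSuite` lines of `sslConf`, and nothing validates them before httpd parses the generated file. An empty value, or one containing a newline, produces a broken or extended directive block that only surfaces when the service starts, and this block sets the TLS policy for the whole server. If the pinned nixpkgs provides it, `type = types.strMatching "[^\n]+";` on both options would turn that into an evaluation-time error. The `sslConf` string begins above this hunk, so the rest of the block was not reviewed.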
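Review bot: `TraceEnable off` is added to the main server configuration without a comment, while the deny-all block right below it is annotated. A line such as `# Disable HTTP TRACE so request headers (cookies, credentials) are not echoed back to the client` would record why it is there. If site-specific or extra configuration is appended after this point, a later `TraceEnable on` would presumably still win, so it is worth confirming that none of the deployed sites sets it. The surrounding configuration string starts and ends outside this hunk.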
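Review bot: The new `sslProtocols` default `"All -SSLv2 -SSLv3 -TLSv1"` is stricter than the hard-coded line it replaces but still leaves TLSv1.1 enabled, and the `example` advertises the old value, which re-enables TLSv1. Unless a legacy client needs it, `default = "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1";` would be the safer baseline, with an example that does not loosen the default. The `sslCiphers` description says "SSL proxy handshake", yet the first hunk feeds the value to `SSLCipherSuite`, which governs the server's own handshakes; `description = "Cipher suites the server offers during the TLS handshake (SSLCipherSuite).";` would match what the option does. The option set continues outside this hunk.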