X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fwebsites%2Fapache%2Fhttpd_tools.nix;h=c48d0d2f45348772be29162ea35a60b97fa9cb21;hb=9129f327844ca58af61a20582b04e35762c63e35;hp=c0b779bdf9fcd971b759c8ad6a231ad3f843f7f5;hpb=01f21083a897b86bf148f1d2bb9c8edca4d3786a;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/nixops/modules/websites/apache/httpd_tools.nix b/nixops/modules/websites/apache/httpd_tools.nix
index c0b779b..c48d0d2 100644
--- a/nixops/modules/websites/apache/httpd_tools.nix
+++ b/nixops/modules/websites/apache/httpd_tools.nix
@@ -151,7 +151,7 @@ let
loggingConf = (if mainCfg.logFormat != "none" then ''
- ErrorLog ${mainCfg.logDir}/error_log
+ ErrorLog ${mainCfg.logDir}/error.log
LogLevel notice
@@ -160,7 +160,7 @@ let
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
- CustomLog ${mainCfg.logDir}/access_log ${mainCfg.logFormat}
+ CustomLog ${mainCfg.logDir}/access.log ${mainCfg.logFormat}
'' else ''
ErrorLog /dev/null
'');
@@ -187,8 +187,8 @@ let
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
- SSLProtocol All -SSLv2 -SSLv3
- SSLCipherSuite HIGH:!aNULL:!MD5:!EXP
+ SSLProtocol ${mainCfg.sslProtocols}
+ SSLCipherSuite ${mainCfg.sslCiphers}
SSLHonorCipherOrder on
'';
@@ -217,7 +217,7 @@ let
) null ([ cfg ] ++ subservices);
documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else
- pkgs.runCommand "empty" {} "mkdir -p $out";
+ pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out";
documentRootConf = ''
DocumentRoot "${documentRoot}"
@@ -261,8 +261,8 @@ let
'' else ""}
${if !isMainServer && mainCfg.logPerVirtualHost then ''
- ErrorLog ${mainCfg.logDir}/error_log-${cfg.hostName}
- CustomLog ${mainCfg.logDir}/access_log-${cfg.hostName} ${cfg.logFormat}
+ ErrorLog ${mainCfg.logDir}/error-${cfg.hostName}.log
+ CustomLog ${mainCfg.logDir}/access-${cfg.hostName}.log ${cfg.logFormat}
'' else ""}
${optionalString (robotsTxt != "") ''
@@ -376,6 +376,8 @@ let
Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf
Include ${httpd}/conf/extra/httpd-languages.conf
+ TraceEnable off
+
${if enableSSL then sslConf else ""}
# Fascist default - deny access to everything.
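Review bot: `TraceEnable off` is dropped in between the `Include` lines and the SSL block with no comment saying why it is there, which is exactly the kind of unexplained hardening directive a later cleanup tends to remove. A one-line comment above it, `# TraceEnable off: the TRACE method only echoes the request back and is not used here`, keeps the intent visible next to the directive. The string that assembles this httpd.conf fragment starts and ends outside the hunk.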
@@ -417,6 +419,7 @@ let
phpIni = pkgs.runCommand "php.ini"
{ options = concatStringsSep "\n"
([ mainCfg.phpOptions ] ++ (map (svc: svc.phpOptions) allSubservices));
+ preferLocalBuild = true;
}
''
cat ${php}/etc/php.ini > $out
@@ -488,8 +491,8 @@ in
default = false;
description = ''
If enabled, each virtual host gets its own
- access_log and
- error_log, namely suffixed by the
+ access.log and
+ error.log, namely suffixed by the
of the virtual host.
'';
};
@@ -532,7 +535,7 @@ in
virtualHosts = mkOption {
type = types.listOf (types.submodule (
- { options = import ./per-server-options.nix {
+ { options = import {
inherit lib;
forMainServer = false;
};
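Review bot: As printed, the new line `{ options = import {` hands the following attribute set straight to `import`, which expects a path, so the line cannot evaluate in this form; most likely the real argument is an angle-bracket lookup such as `<nixpkgs/…/per-server-options.nix>` that the rendering stripped. If that is the case, the per-server option set is now resolved through `NIX_PATH` at evaluation time instead of the repository-relative `./per-server-options.nix` it replaces, so the options (and the httpd configuration derived from them) are no longer pinned by this repository and can differ between machines or checkouts. Consider keeping a path inside the repo, or pinning the source the lookup resolves to and saying so in a comment. The `mkOption` call for `virtualHosts` continues past the hunk.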
@@ -623,6 +626,19 @@ in
description =
"Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited";
};
+
+ sslCiphers = mkOption {
+ type = types.str;
+ default = "HIGH:!aNULL:!MD5:!EXP";
+ description = "Cipher Suite available for negotiation in SSL proxy handshake.";
+ };
+
+ sslProtocols = mkOption {
+ type = types.str;
+ default = "All -SSLv2 -SSLv3 -TLSv1";
+ example = "All -SSLv2 -SSLv3";
+ description = "Allowed SSL/TLS protocol versions.";
+ };
}
# Include the options shared between the main server and virtual hosts.
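Review bot: The `sslCiphers` description says the value is used "in SSL proxy handshake", but the hunk in the `sslConf` block substitutes it into the server-side `SSLCipherSuite` directive next to `SSLProtocol ${mainCfg.sslProtocols}`, so the text misdescribes what the option controls. The `sslProtocols` default `All -SSLv2 -SSLv3 -TLSv1` also differs from the hard-coded `All -SSLv2 -SSLv3` it replaces, so every host using the default silently stops accepting TLSv1 after this commit; that is a reasonable tightening, but it should be stated rather than left for operators to discover. Suggested wording: `description = "Cipher suite list passed verbatim to the server's SSLCipherSuite directive.";` and `description = "Allowed SSL/TLS protocol versions, passed verbatim to SSLProtocol. The default also disables TLSv1, which the previous hard-coded value allowed.";`. Both options are `types.str` interpolated unchecked into httpd.conf, so a typo in either only surfaces when httpd fails to start.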
@@ -664,6 +680,9 @@ in
''
; Needed for PHP's mail() function.
sendmail_path = sendmail -t -i
+
+ ; Don't advertise PHP
+ expose_php = off
'' + optionalString (!isNull config.time.timeZone) ''
; Apparently PHP doesn't use $TZ.
@@ -679,10 +698,7 @@ in
path =
[ httpd pkgs.coreutils pkgs.gnugrep ]
- ++ # Needed for PHP's mail() function. !!! Probably the
- # ssmtp module should export the path to sendmail in
- # some way.
- optional config.networking.defaultMailServer.directDelivery pkgs.ssmtp
+ ++ optional enablePHP pkgs.system-sendmail # Needed for PHP's mail() function.
++ concatMap (svc: svc.extraServerPath) allSubservices;
environment =