loggingConf = (if mainCfg.logFormat != "none" then ''
- ErrorLog ${mainCfg.logDir}/error_log
+ ErrorLog ${mainCfg.logDir}/error.log
LogLevel notice
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
- CustomLog ${mainCfg.logDir}/access_log ${mainCfg.logFormat}
+ CustomLog ${mainCfg.logDir}/access.log ${mainCfg.logFormat}
'' else ''
ErrorLog /dev/null
'');
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
- SSLProtocol All -SSLv2 -SSLv3
- SSLCipherSuite HIGH:!aNULL:!MD5:!EXP
+ SSLProtocol ${mainCfg.sslProtocols}
+ SSLCipherSuite ${mainCfg.sslCiphers}
SSLHonorCipherOrder on
'';
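Review bot: `SSLProtocol` and `SSLCipherSuite` now take `mainCfg.sslProtocols` and `mainCfg.sslCiphers` verbatim, so an empty string or one containing a newline yields a directive with no argument or an extra configuration line, and that only surfaces when httpd parses the generated file. Both options are declared as plain `types.str` in the later options hunk; a single-line, non-empty constraint there (for instance `types.strMatching "[^\n]+"`) would reject such values at evaluation time. A short comment above the two lines would also help readers, e.g. `# Protocol floor and cipher list come from the sslProtocols / sslCiphers options.` The enclosing `sslConf` string starts outside the hunk.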
) null ([ cfg ] ++ subservices);
documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else
- pkgs.runCommand "empty" {} "mkdir -p $out";
+ pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out";
documentRootConf = ''
DocumentRoot "${documentRoot}"
'' else ""}
${if !isMainServer && mainCfg.logPerVirtualHost then ''
- ErrorLog ${mainCfg.logDir}/error_log-${cfg.hostName}
- CustomLog ${mainCfg.logDir}/access_log-${cfg.hostName} ${cfg.logFormat}
+ ErrorLog ${mainCfg.logDir}/error-${cfg.hostName}.log
+ CustomLog ${mainCfg.logDir}/access-${cfg.hostName}.log ${cfg.logFormat}
'' else ""}
${optionalString (robotsTxt != "") ''
Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf
Include ${httpd}/conf/extra/httpd-languages.conf
+ TraceEnable off
+
${if enableSSL then sslConf else ""}
# Fascist default - deny access to everything.
phpIni = pkgs.runCommand "php.ini"
{ options = concatStringsSep "\n"
([ mainCfg.phpOptions ] ++ (map (svc: svc.phpOptions) allSubservices));
+ preferLocalBuild = true;
}
''
cat ${php}/etc/php.ini > $out
default = false;
description = ''
If enabled, each virtual host gets its own
- <filename>access_log</filename> and
- <filename>error_log</filename>, namely suffixed by the
+ <filename>access.log</filename> and
+ <filename>error.log</filename>, namely suffixed by the
<option>hostName</option> of the virtual host.
'';
};
virtualHosts = mkOption {
type = types.listOf (types.submodule (
- { options = import ./per-server-options.nix {
+ { options = import <nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix> {
inherit lib;
forMainServer = false;
};
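Review bot: The new `import <nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix>` is resolved through the evaluator's search path, so the virtual-host option set can come from a different nixpkgs checkout than the one this module was loaded from. That makes the set of accepted per-host options depend on the environment of whoever evaluates the configuration, and it will not evaluate where search-path lookups are restricted. Unless this file is meant to live outside the nixpkgs tree (not visible from the hunk), keeping the relative form `import ./per-server-options.nix` pins the options to the same source as the module. The `virtualHosts` option continues past the end of the hunk.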
description =
"Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited";
};
+
+ sslCiphers = mkOption {
+ type = types.str;
+ default = "HIGH:!aNULL:!MD5:!EXP";
+ description = "Cipher Suite available for negotiation in SSL proxy handshake.";
+ };
+
+ sslProtocols = mkOption {
+ type = types.str;
+ default = "All -SSLv2 -SSLv3 -TLSv1";
+ example = "All -SSLv2 -SSLv3";
+ description = "Allowed SSL/TLS protocol versions.";
+ };
}
# Include the options shared between the main server and virtual hosts.
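Review bot: The `sslCiphers` description speaks of the "SSL proxy handshake", but the earlier hunk renders this option into `SSLCipherSuite`, which governs the connections clients make to this server rather than outbound proxy connections. Something like `description = "Cipher suites offered to clients, in OpenSSL cipher-list syntax (rendered into SSLCipherSuite).";` would match what the option does. In `sslProtocols` the `example` is weaker than the `default` because it drops `-TLSv1`; an example that tightens instead, such as `"All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"`, is a safer value for users to copy. The description could also state that the string follows httpd's `SSLProtocol` syntax.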
''
; Needed for PHP's mail() function.
sendmail_path = sendmail -t -i
+
+ ; Don't advertise PHP
+ expose_php = off
'' + optionalString (!isNull config.time.timeZone) ''
; Apparently PHP doesn't use $TZ.
path =
[ httpd pkgs.coreutils pkgs.gnugrep ]
- ++ # Needed for PHP's mail() function. !!! Probably the
- # ssmtp module should export the path to sendmail in
- # some way.
- optional config.networking.defaultMailServer.directDelivery pkgs.ssmtp
+ ++ optional enablePHP pkgs.system-sendmail # Needed for PHP's mail() function.
++ concatMap (svc: svc.extraServerPath) allSubservices;
environment =