-rw-r--r--nixops/modules/websites/apache/httpd_inte.nix21
-rw-r--r--nixops/modules/websites/apache/httpd_prod.nix21
-rw-r--r--nixops/modules/websites/apache/httpd_tools.nix21
3 files changed, 54 insertions, 9 deletions
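diff --git a/nixops/modules/websites/apache/httpd_inte.nix b/nixops/modules/websites/apache/httpd_inte.nix
index 0417281..ee7d15e 100644
--- a/nixops/modules/websites/apache/httpd_inte.nix
+++ b/nixops/modules/websites/apache/httpd_inte.nix
@@ -187,8 +187,8 @@ let
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 
-SSLProtocol All -SSLv2 -SSLv3
-SSLCipherSuite HIGH:!aNULL:!MD5:!EXP
+SSLProtocol ${mainCfg.sslProtocols}
+SSLCipherSuite ${mainCfg.sslCiphers}
 SSLHonorCipherOrder on
 '';
 
@@ -217,7 +217,7 @@ let
 ) null ([ cfg ] ++ subservices);
 
 documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else
-pkgs.runCommand "empty" {} "mkdir -p $out";
+pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out";
 
 documentRootConf = ''
 DocumentRoot "${documentRoot}"
@@ -376,6 +376,8 @@ let
 Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf
 Include ${httpd}/conf/extra/httpd-languages.conf
 
+TraceEnable off
+
 ${if enableSSL then sslConf else ""}
 
 # Fascist default - deny access to everything.
@@ -623,6 +625,19 @@ in
 description =
 "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited";
 };
+
+sslCiphers = mkOption {
+type = types.str;
+default = "HIGH:!aNULL:!MD5:!EXP";
+description = "Cipher Suite available for negotiation in SSL proxy handshake.";
+};
+
+sslProtocols = mkOption {
+type = types.str;
+default = "All -SSLv2 -SSLv3 -TLSv1";
+example = "All -SSLv2 -SSLv3";
+description = "Allowed SSL/TLS protocol versions.";
+};
 }
 
 # Include the options shared between the main server and virtual hosts.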
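Review bot: The `example` given for `sslProtocols` (`"All -SSLv2 -SSLv3"`) is weaker than the new default (`"All -SSLv2 -SSLv3 -TLSv1"`), so the option documentation nudges an operator toward re-enabling TLS 1.0; either drop the `example` or make it at least as strict as the default. The default also silently tightens the previously hard-coded `SSLProtocol All -SSLv2 -SSLv3` by removing TLSv1, which deserves a sentence in the description so that clients limited to TLS 1.0 failing to connect after this deploy is not a surprise. The `sslCiphers` description says "SSL proxy handshake", but the value is substituted into `SSLCipherSuite` in the first hunk, which governs the server's own handshake rather than `SSLProxyCipherSuite`; suggest `description = "Cipher suites offered by the server for TLS negotiation (SSLCipherSuite).";`. The same four hunks are repeated verbatim in httpd_prod.nix and httpd_tools.nix, where the same remarks apply; with the defaults now copied into three modules, consider hoisting the shared `sslCiphers`/`sslProtocols` definitions into a common module so the three environments cannot drift.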
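diff --git a/nixops/modules/websites/apache/httpd_prod.nix b/nixops/modules/websites/apache/httpd_prod.nix
index 5aee602..31904e0 100644
--- a/nixops/modules/websites/apache/httpd_prod.nix
+++ b/nixops/modules/websites/apache/httpd_prod.nix
@@ -187,8 +187,8 @@ let
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 
-SSLProtocol All -SSLv2 -SSLv3
-SSLCipherSuite HIGH:!aNULL:!MD5:!EXP
+SSLProtocol ${mainCfg.sslProtocols}
+SSLCipherSuite ${mainCfg.sslCiphers}
 SSLHonorCipherOrder on
 '';
 
@@ -217,7 +217,7 @@ let
 ) null ([ cfg ] ++ subservices);
 
 documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else
-pkgs.runCommand "empty" {} "mkdir -p $out";
+pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out";
 
 documentRootConf = ''
 DocumentRoot "${documentRoot}"
@@ -376,6 +376,8 @@ let
 Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf
 Include ${httpd}/conf/extra/httpd-languages.conf
 
+TraceEnable off
+
 ${if enableSSL then sslConf else ""}
 
 # Fascist default - deny access to everything.
@@ -623,6 +625,19 @@ in
 description =
 "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited";
 };
+
+sslCiphers = mkOption {
+type = types.str;
+default = "HIGH:!aNULL:!MD5:!EXP";
+description = "Cipher Suite available for negotiation in SSL proxy handshake.";
+};
+
+sslProtocols = mkOption {
+type = types.str;
+default = "All -SSLv2 -SSLv3 -TLSv1";
+example = "All -SSLv2 -SSLv3";
+description = "Allowed SSL/TLS protocol versions.";
+};
 }
 
 # Include the options shared between the main server and virtual hosts.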
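diff --git a/nixops/modules/websites/apache/httpd_tools.nix b/nixops/modules/websites/apache/httpd_tools.nix
index c0b779b..1b9d1e3 100644
--- a/nixops/modules/websites/apache/httpd_tools.nix
+++ b/nixops/modules/websites/apache/httpd_tools.nix
@@ -187,8 +187,8 @@ let
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 
-SSLProtocol All -SSLv2 -SSLv3
-SSLCipherSuite HIGH:!aNULL:!MD5:!EXP
+SSLProtocol ${mainCfg.sslProtocols}
+SSLCipherSuite ${mainCfg.sslCiphers}
 SSLHonorCipherOrder on
 '';
 
@@ -217,7 +217,7 @@ let
 ) null ([ cfg ] ++ subservices);
 
 documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else
-pkgs.runCommand "empty" {} "mkdir -p $out";
+pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out";
 
 documentRootConf = ''
 DocumentRoot "${documentRoot}"
@@ -376,6 +376,8 @@ let
 Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf
 Include ${httpd}/conf/extra/httpd-languages.conf
 
+TraceEnable off
+
 ${if enableSSL then sslConf else ""}
 
 # Fascist default - deny access to everything.
@@ -623,6 +625,19 @@ in
 description =
 "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited";
 };
+
+sslCiphers = mkOption {
+type = types.str;
+default = "HIGH:!aNULL:!MD5:!EXP";
+description = "Cipher Suite available for negotiation in SSL proxy handshake.";
+};
+
+sslProtocols = mkOption {
+type = types.str;
+default = "All -SSLv2 -SSLv3 -TLSv1";
+example = "All -SSLv2 -SSLv3";
+description = "Allowed SSL/TLS protocol versions.";
+};
 }
 
 # Include the options shared between the main server and virtual hosts.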