From 62366a393e343b70571c6cf98ca74e94432b4f10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Sun, 14 Apr 2019 19:24:39 +0200 Subject: Update http modules --- nixops/modules/websites/apache/httpd_inte.nix | 21 ++++++++++++++++++--- nixops/modules/websites/apache/httpd_prod.nix | 21 ++++++++++++++++++--- nixops/modules/websites/apache/httpd_tools.nix | 21 ++++++++++++++++++--- 3 files changed, 54 insertions(+), 9 deletions(-) (limited to 'nixops/modules/websites') diff --git a/nixops/modules/websites/apache/httpd_inte.nix b/nixops/modules/websites/apache/httpd_inte.nix index 0417281..ee7d15e 100644 --- a/nixops/modules/websites/apache/httpd_inte.nix +++ b/nixops/modules/websites/apache/httpd_inte.nix @@ -187,8 +187,8 @@ let SSLRandomSeed startup builtin SSLRandomSeed connect builtin - SSLProtocol All -SSLv2 -SSLv3 - SSLCipherSuite HIGH:!aNULL:!MD5:!EXP + SSLProtocol ${mainCfg.sslProtocols} + SSLCipherSuite ${mainCfg.sslCiphers} SSLHonorCipherOrder on ''; @@ -217,7 +217,7 @@ let ) null ([ cfg ] ++ subservices); documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else - pkgs.runCommand "empty" {} "mkdir -p $out"; + pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out"; documentRootConf = '' DocumentRoot "${documentRoot}" @@ -376,6 +376,8 @@ let Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf Include ${httpd}/conf/extra/httpd-languages.conf + TraceEnable off + ${if enableSSL then sslConf else ""} # Fascist default - deny access to everything. @@ -623,6 +625,19 @@ in description = "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited"; }; + + sslCiphers = mkOption { + type = types.str; + default = "HIGH:!aNULL:!MD5:!EXP"; + description = "Cipher Suite available for negotiation in SSL proxy handshake."; + }; + + sslProtocols = mkOption { + type = types.str; + default = "All -SSLv2 -SSLv3 -TLSv1"; + example = "All -SSLv2 -SSLv3"; + description = "Allowed SSL/TLS protocol versions."; + }; } # Include the options shared between the main server and virtual hosts. diff --git a/nixops/modules/websites/apache/httpd_prod.nix b/nixops/modules/websites/apache/httpd_prod.nix index 5aee602..31904e0 100644 --- a/nixops/modules/websites/apache/httpd_prod.nix +++ b/nixops/modules/websites/apache/httpd_prod.nix @@ -187,8 +187,8 @@ let SSLRandomSeed startup builtin SSLRandomSeed connect builtin - SSLProtocol All -SSLv2 -SSLv3 - SSLCipherSuite HIGH:!aNULL:!MD5:!EXP + SSLProtocol ${mainCfg.sslProtocols} + SSLCipherSuite ${mainCfg.sslCiphers} SSLHonorCipherOrder on ''; @@ -217,7 +217,7 @@ let ) null ([ cfg ] ++ subservices); documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else - pkgs.runCommand "empty" {} "mkdir -p $out"; + pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out"; documentRootConf = '' DocumentRoot "${documentRoot}" @@ -376,6 +376,8 @@ let Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf Include ${httpd}/conf/extra/httpd-languages.conf + TraceEnable off + ${if enableSSL then sslConf else ""} # Fascist default - deny access to everything. @@ -623,6 +625,19 @@ in description = "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited"; }; + + sslCiphers = mkOption { + type = types.str; + default = "HIGH:!aNULL:!MD5:!EXP"; + description = "Cipher Suite available for negotiation in SSL proxy handshake."; + }; + + sslProtocols = mkOption { + type = types.str; + default = "All -SSLv2 -SSLv3 -TLSv1"; + example = "All -SSLv2 -SSLv3"; + description = "Allowed SSL/TLS protocol versions."; + }; } # Include the options shared between the main server and virtual hosts. diff --git a/nixops/modules/websites/apache/httpd_tools.nix b/nixops/modules/websites/apache/httpd_tools.nix index c0b779b..1b9d1e3 100644 --- a/nixops/modules/websites/apache/httpd_tools.nix +++ b/nixops/modules/websites/apache/httpd_tools.nix @@ -187,8 +187,8 @@ let SSLRandomSeed startup builtin SSLRandomSeed connect builtin - SSLProtocol All -SSLv2 -SSLv3 - SSLCipherSuite HIGH:!aNULL:!MD5:!EXP + SSLProtocol ${mainCfg.sslProtocols} + SSLCipherSuite ${mainCfg.sslCiphers} SSLHonorCipherOrder on ''; @@ -217,7 +217,7 @@ let ) null ([ cfg ] ++ subservices); documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else - pkgs.runCommand "empty" {} "mkdir -p $out"; + pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out"; documentRootConf = '' DocumentRoot "${documentRoot}" @@ -376,6 +376,8 @@ let Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf Include ${httpd}/conf/extra/httpd-languages.conf + TraceEnable off + ${if enableSSL then sslConf else ""} # Fascist default - deny access to everything. @@ -623,6 +625,19 @@ in description = "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited"; }; + + sslCiphers = mkOption { + type = types.str; + default = "HIGH:!aNULL:!MD5:!EXP"; + description = "Cipher Suite available for negotiation in SSL proxy handshake."; + }; + + sslProtocols = mkOption { + type = types.str; + default = "All -SSLv2 -SSLv3 -TLSv1"; + example = "All -SSLv2 -SSLv3"; + description = "Allowed SSL/TLS protocol versions."; + }; } # Include the options shared between the main server and virtual hosts. -- cgit v1.2.3