
nixos/nginx: add option rejectSSL exposing ssl_reject_handshake #119186

Merged
merged 1 commit into from May 24, 2021

Conversation

@ncfavier (Member) commented Apr 11, 2021

Motivation for this change

Alternative to #119039 as suggested in this comment.

Exposes nginx 1.19.4's ssl_reject_handshake directive. This is useful in default server blocks, to avoid serving the certificate for another vhost. For example, assuming I have a wildcard DNS record for *.example.com:

{ pkgs, ... }: {
  services.nginx = {
    enable = true;
    package = pkgs.nginxMainline;
    recommendedTlsSettings = true;
    virtualHosts = {
      "foo.example.com" = {
        forceSSL = true;
        # ...
      };

      default = {
        default = true;
        rejectSSL = true;
        extraConfig = "return 444;";
      };
    };
  };
}

Now accessing http://unknown.example.com results in a connection reset, and https://unknown.example.com results in a TLS error.

See https://trac.nginx.org/nginx/ticket/195 for additional context.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested this on my own server
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
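A way to check that a default server block configured as above really stops leaking the wildcard certificate, as an added example that is not part of this PR, of nixpkgs or of nginx. The option maps to nginx's `ssl_reject_handshake on;` in the default server; nginx then answers the ClientHello with a fatal unrecognized_name alert, which OpenSSL (and hence Python's `ssl` module) reports as `TLSV1_UNRECOGNIZED_NAME`. The script below opens a TLS connection with a chosen SNI (or no SNI at all, which is what scanners hitting the bare IP send), classifies the outcome, and flags any probe where a certificate was served for a name it does not cover. The host names `foo.example.com` and `unknown.example.com` are assumptions taken from the description; `python probe.py HOST [NAME|- ...]` probes a real host, with `-` meaning "send no SNI".

```python
"""Probe an nginx host for certificate leakage on unknown or missing SNI.

Added example; not code from the nixpkgs PR or the nginx project.
"""
import socket
import ssl
from typing import Optional

# ssl.SSLError.reason values as OpenSSL names them. nginx aborts a handshake
# in a block with `ssl_reject_handshake on` using the unrecognized_name alert.
OUTCOME_BY_REASON = {
    "TLSV1_UNRECOGNIZED_NAME": "rejected",            # ssl_reject_handshake on
    "SSLV3_ALERT_HANDSHAKE_FAILURE": "rejected",      # other fatal rejections
    "CERTIFICATE_VERIFY_FAILED": "served-untrusted",  # a cert was sent, just not trusted here
}


def classify_handshake_error(reason: Optional[str]) -> str:
    """Map an ssl.SSLError.reason (None for a bare TCP reset) to a coarse outcome."""
    if reason is None:
        return "reset"
    return OUTCOME_BY_REASON.get(reason, "tls-error:" + reason)


def san_names(cert: dict) -> list:
    """DNS names from the subjectAltName of a validated getpeercert() dict."""
    return sorted(v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS")


def name_covered(name: str, sans: list) -> bool:
    """True if name matches a SAN exactly or via a single-label wildcard (*.example.com)."""
    name = name.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san == name:
            return True
        if san.startswith("*.") and "." in name and name.split(".", 1)[1] == san[2:]:
            return True
    return False


def probe_sni(host: str, port: int = 443, server_name: Optional[str] = None,
              timeout: float = 5.0) -> dict:
    """Connect to host:port sending server_name as SNI (no SNI when None).

    Returns {"sni", "outcome", "names"}; names are the DNS SANs of the served
    certificate when the handshake completed against the system trust store.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED with the system CA bundle
    ctx.check_hostname = False          # we want the cert even if it does not match the SNI
    result = {"sni": server_name, "outcome": None, "names": []}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                result["outcome"] = "served"
                result["names"] = san_names(tls.getpeercert())
    except ssl.SSLError as exc:            # alert from the server, or verification failure
        result["outcome"] = classify_handshake_error(exc.reason)
    except ConnectionResetError:           # e.g. the `return 444` path on a plain port
        result["outcome"] = classify_handshake_error(None)
    except OSError as exc:                 # refused, timed out, unroutable
        result["outcome"] = "unreachable:" + str(exc)
    return result


def certificate_leaks(results: list) -> list:
    """Probes where a certificate was served for a name it does not cover,
    or to a client that sent no SNI at all."""
    return [r for r in results
            if r["outcome"] == "served"
            and (r["sni"] is None or not name_covered(r["sni"], r["names"]))]


if __name__ == "__main__":
    import sys
    # Host and names are assumptions for illustration; "-" means "send no SNI".
    host = sys.argv[1] if len(sys.argv) > 1 else "foo.example.com"
    names = [None if n == "-" else n for n in sys.argv[2:]] or \
        ["foo.example.com", "unknown.example.com", None]
    results = [probe_sni(host, 443, n) for n in names]
    for r in results:
        print(f"{str(r['sni']):<28} {r['outcome']:<18} {' '.join(r['names'])}")
    print("certificate leaks:", [r["sni"] for r in certificate_leaks(results)] or "none")
```

With the configuration from the description, the expected report is `served` with `*.example.com` for `foo.example.com`, and `rejected` for both `unknown.example.com` and the no-SNI probe; a `served` line for either of the latter two means the default block is still handing out the wildcard certificate. Note that a self-signed or otherwise untrusted certificate shows up as `served-untrusted` rather than `served`, since the SANs are only available from `getpeercert()` after validation.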

@ncfavier (Member, Author) commented:

@aanderse @lukegb any opinion on this?

@lukegb (Contributor) commented May 24, 2021

My opinion is:

ship it

@lukegb lukegb merged commit 709785f into NixOS:master May 24, 2021
@ncfavier ncfavier deleted the nginx-reject-ssl branch May 24, 2021 14:38