Declarative nginx module with ACME support #15862
Conversation
|
By analyzing the blame information on this pull request, we identified @shlevy, @domenkozar and @roconnor to be potential reviewers |
fpletz
added
6.topic: nixos
|
I'm not a maintainer or anything, but I reviewed the whole PR and it looks great 👍 |
| daemon off; | ||
|
|
||
| ${cfg.config} | ||
|
|
||
| ${optionalString (cfg.httpConfig != "") '' |
There was a problem hiding this comment.
This changes the semantics of cfg.httpConfig significantly. Do we need that?
|
Any chance you can separate out the declarative bits from the ACME bits? It's a lot to look at currently. |
| gzip_disable "msie6"; | ||
| gzip_proxied any; | ||
| gzip_comp_level 9; | ||
| gzip_buffers 16 8k; |
There was a problem hiding this comment.
On platforms with 8k memory pages this equals the default and on platforms with 4k memory pages this is most probably inferior to the default (32 4k on such platforms). I recommend removing this.
|
It's actually separated quite nicely in the commits, why I left them separate for now? |
| proxy_connect_timeout 90; | ||
| proxy_send_timeout 90; | ||
| proxy_read_timeout 90; | ||
| proxy_buffers 32 4k; |
There was a problem hiding this comment.
Are 32 buffers needed? Settings this forces 4k buffers on systems with 8k memory pages. Below: proxy_buffer_size defaults to two proxy_buffers.
|
Eh, so I'm a bit skeptical that we need all these defaults hard-coded in. This is less flexible than before and could be easily replicated by saving the common snippet in some "recommended config" string. This is not policy everywhere, but IMO unless a setting needs to affect multiple components (e.g. set something in the config file and change the port that systemd socket activates on) we should just let users set config file contents themselves. |
| type = types.str; | ||
| default = "0.0.0.0"; | ||
| description = '' | ||
| Host which to proxy requests to if acme challenge is not found. Useful |
There was a problem hiding this comment.
Nitpick: I'm not a native speaker but this reads wrong.
Maybe: "Host to which the request is forwarded if ACME challenge is not found." ?
|
I'm happy to finally see these updates to the nginx module. Also: Does this work when the user wants no SSL and does not set And last thing for now: I dislike the mixup of |
|
I'm very 👎 on changing nginx defaults this way. I've already reverted a similar change #9693 and you can see how already these two PRs really differ a lot. There are a lot of assumptions in here, for example that you'll be serving everything through HTTPS and redirect HTTP to it. Or that you'll always gzip all plaintext. I agree this should be the default, but it may also break lots of stuff. For example some applications (even Hydra has a bug report) don't handle reverse proxy url rewriting with HTTPS. I think nginx composes nicely at the moment, so including this somehow to be an external module would be optimal. I'm +1 adding nginx modules under optional switch that follow some upstream very well documented convention (for example hardened TLS based on mozilla recommendations), but I think if we all start pulling in our defaults, we'll be all very angry in a year. Note: this is my very opinionated view, I'm open for a discussion :) |
|
I agree that we should remove those defaults. Will rebase the whole PR and/or remove commits soon. However, what about the other improvements like options for virtual hosts and the acme support? |
|
@fpletz I think those should be fine since they're optional and all "typed". |
| proxy_http_version 1.0; | ||
|
|
||
| server_tokens ${if cfg.serverTokens then "on" else "off"}; | ||
| ${vhosts} | ||
| ${cfg.httpConfig} |
There was a problem hiding this comment.
This should be appendHttpConfig to be in line with appendConfig. The original httpConfig should (I think) override all of this http { ... } configuration to be backwards compatible with its old functionality and have an option to override all of this.
|
Wow, this is something I've wanted for Nginx for a while now. Thanks for sharing! This opens up a whole range of possibilities. Do you have some example of system configuration that illustrates how it'll look? Would be nice for documentation and possibly tests. |
|
My two cents as someone who runs a small NixOS VPS and isn't an expert at server admin: Some kind of way to enable good defaults like are in this PR would be very welcome since I'm not sure what to enable otherwise. Also wrappers of config file languages like the vhosts generator are something I really like since it limits the amount of config languages and documentation sites I have to learn to set up a NixOS VPS to just one, unlike the 10+ I need to set up a VPS with any other distro. Inline config strings are great for experts, not as nice for newbies, which is why having both is probably best. I agree that it's probably best to maintain the existing semantics of the nginx module options though to avoid breaking things unnecessarily. I'd also be totally fine with this being a separate module, as long as it is in nikpkgs and has a searchable name including the substring "nginx" it is just as easy to find and use. |
|
@trishume I agree, the old configuration was very minimal. However, with such defaults it becomes a bit trickier to maintain backwards compatibility in the future. Like, we might want to add Other distros do not have this problem, since you just take their initial configuration and keep using it. It'll never change. We could play things safe and never change the configuration, but that won't help people using better defaults and prevents moving forward. The only way I can think of to make this reliable is adding tests. Maybe even include templated tests (functions that result in tests) or example tests so that server admins can implement their own tests to check whether all critical URLs actually work. Outside the scope of this PR though. |
|
Yah I did mean that the "defaults" would be more like a starter pack option that enabled a bunch of recommended nginx settings. Maybe options that are off by default but you can enable like |
|
@trishume Ah, that would be nice as well. But it'll still trigger errors when such options are enabled. This PR in itself has the potential to cause configuration errors when using an existing |
I think this buys little versus nginx language: and restricts many location specific options and overrides (I have some rewrites, if's, content_by_lua and so on in locations). EDIT: didn't notice
Can we support two styles for location configs (via Also big +1 for allowing custom location matching strategies, you can now do nice hacks like |
Revert httpConfig its old behaviour and make it mutually exclusive to the new structured configuration. Adds appendHttpConfig to have the ability to write custom config in the generated http block.
Adds ::1 as allowed host and turns of access_log for the status page.
|
@garbas: bump, I'd be happy if I don't need to merge this myself |
|
@globin sry, weekend was extremely busy and couldn't find any time to test this. i'm just deploying this to my server for a test and lets see if something is broken afterwards. |
|
@globin it works for me, without doing any changes to my config which is nice and ppl wont be surprised. merging it and if it does not work for somebody we can fix it or in the worse case revert this PR. also we need to add this to changelog and to documentation. especially mentioning all those "recommended" options. you think you would have time to write it? nothing big just so people are aware of this features. |
Motivation for this change
Make the nginx config declaritive and therefore to easily generate locations/vhosts e.g. for many domains on a reverse proxy.
Things done