author | 7c6f434c <7c6f434c@mail.ru> | 2021-12-24 10:23:17 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-12-24 10:23:17 +0000 |
commit | b0f154fd440bdf43a483b8ca46020d7d6cec5fbf (patch) | |
tree | 11a7211089221f06d35de1d4a28a1cb3cb89e97e /nixos | |
parent | 3d91acc39a3ffa6049c99e1c3a2efc87e2f3ef73 (diff) | |
parent | 2f66ac01e91d70837377c4356e5c99843b71f105 (diff) |
Merge pull request #147027 from Izorkin/update-nginx-ktls
nginxMainline: enable ktls support
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 15 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/nginx/vhost-options.nix | 11 |
2 files changed, 24 insertions, 2 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 96e45cfc4f77d..ba8e874f2dede 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -317,9 +317,12 @@ let
 ${optionalString (hasSSL && vhost.sslTrustedCertificate != null) ''
 ssl_trusted_certificate ${vhost.sslTrustedCertificate};
 ''}
-${optionalString vhost.rejectSSL ''
+${optionalString (hasSSL && vhost.rejectSSL) ''
 ssl_reject_handshake on;
 ''}
+${optionalString (hasSSL && vhost.kTLS) ''
+ssl_conf_command Options KTLS;
+''}
 ${mkBasicAuth vhostName vhost}
@@ -825,6 +828,14 @@ in
 }
 {
+assertion = any (host: host.kTLS) (attrValues virtualHosts) -> versionAtLeast cfg.package.version "1.21.4";
+message = ''
+services.nginx.virtualHosts.<name>.kTLS requires nginx version
+1.21.4 or above; see the documentation for services.nginx.package.
+'';
+}
+
+{
 assertion = all (host: !(host.enableACME && host.useACMEHost != null)) (attrValues virtualHosts);
 message = ''
 Options services.nginx.service.virtualHosts.<name>.enableACME and
@@ -900,7 +911,7 @@ in
 PrivateMounts = true;
 # System Call Filtering
 SystemCallArchitectures = "native";
-SystemCallFilter = "~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid @mincore";
+SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid @mincore" ] ++ optionals (cfg.package != pkgs.tengine) [ "~@ipc" ];
 };
 };
diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
index 7ee041d372113..7f49ce9586cac 100644
--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
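Review bot: `ssl_conf_command Options KTLS;` is only honoured when the kernel `tls` module is loaded and nginx's OpenSSL was built with kTLS support; otherwise, as far as I know, OpenSSL quietly keeps doing record encryption in user space, so a vhost with `kTLS = true` can run without kTLS and nobody notices. The assertion added in the second hunk checks only `cfg.package.version`, and the package side is outside this diffstat (limited to nixos). Consider loading the module whenever any vhost asks for it, e.g. `boot.kernelModules = optional (any (host: host.kTLS) (attrValues virtualHosts)) "tls";` in the same config block, or at least stating the requirement in the option description.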
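Review bot: The new `SystemCallFilter` keeps `@ipc` denied for every package except tengine, which widens that package's seccomp sandbox without saying why; a why-comment next to the list would help, e.g. `# tengine needs @ipc (<note which IPC calls require it>); every other package keeps it denied`. Splitting the filter into a list should render as repeated `SystemCallFilter=` lines, which systemd merges, so the deny-list semantics look preserved, but this is worth confirming in the generated unit. The enclosing serviceConfig attribute set starts outside the hunk.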
@@ -147,6 +147,17 @@ with lib;
 '';
 };
+kTLS = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Whether to enable kTLS support.
+Implementing TLS in the kernel (kTLS) improves performance by significantly
+reducing the need for copying operations between user space and the kernel.
+Required Nginx version 1.21.4 or later.
+'';
+};
+
 sslCertificate = mkOption {
 type = types.path;
 example = "/var/host.cert";
|
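Review bot: `Required Nginx version 1.21.4 or later.` in the new option description reads as a fragment; `Requires nginx 1.21.4 or later.` Since the module's version assertion is the only check performed, the description is also the place to say that kTLS additionally needs the kernel `tls` module and an nginx built against an OpenSSL with kTLS support, so users understand why enabling the option may, as far as I know, have no visible effect on some systems.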