From 78546bbbc55e99120dd745768bdb90c4f0b9d428 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Tue, 23 Nov 2021 01:22:11 +0300
Subject: nixos/nginx: add kTLS option
---
nixos/modules/services/web-servers/nginx/default.nix | 11 +++++++++++
nixos/modules/services/web-servers/nginx/vhost-options.nix | 11 +++++++++++
2 files changed, 22 insertions(+)
(limited to 'nixos')
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 5717b86b3bea6..7f5c3841f1ac2 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -316,6 +316,9 @@ let ${optionalString vhost.rejectSSL '' ssl_reject_handshake on; ''}
+ ${optionalString (hasSSL && vhost.kTLS) '' ssl_conf_command Options KTLS; ''} ${mkBasicAuth vhostName vhost}
@@ -820,6 +823,14 @@ in ''; }
+ { assertion = any (host: host.kTLS) (attrValues virtualHosts) -> versionAtLeast cfg.package.version "1.21.4"; message = '' services.nginx.virtualHosts..kTLS requires nginx version 1.21.4 or above; see the documentation for services.nginx.package. ''; }
+ { assertion = all (host: !(host.enableACME && host.useACMEHost != null)) (attrValues virtualHosts); message = ''
diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
index 7ee041d372113..7f49ce9586cac 100644
--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
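Review bot: `ssl_conf_command Options KTLS;` is emitted purely from the per-vhost flag, but the directive only does anything when the nginx binary is linked against an OpenSSL built with kTLS support and the kernel `tls` module is loaded; as far as I know OpenSSL falls back to user-space TLS without an error when the kernel side is missing, so a user who sets `kTLS = true` can end up with no offload and no signal (please confirm that fallback for the OpenSSL the package uses). Nothing in this commit loads the module; consider adding, outside this hunk, `boot.kernelModules = optional (any (h: h.kTLS) (attrValues virtualHosts)) "tls";` in the module's config section. A why-comment on the directive line would also help the next maintainer: `# kTLS needs nginx >= 1.21.4, an OpenSSL with kTLS support and the "tls" kernel module; with any piece missing OpenSSL appears to fall back to user-space TLS silently`. The vhost config string this line lives in starts and ends outside the hunk.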
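Review bot: `versionAtLeast cfg.package.version "1.21.4"` only models the mainline nginx numbering, so a fork with its own version scheme — tengine, which this module special-cases in the syscall-filter hunk of the next commit — would pass the check regardless of whether it implements `ssl_conf_command Options KTLS`, assuming its version string does not follow nginx's. Consider scoping the version test to packages that are actually nginx and deciding explicitly what happens for forks, e.g. `assertion = any (host: host.kTLS) (attrValues virtualHosts) -> (cfg.package.pname == "nginx" && versionAtLeast cfg.package.version "1.21.4");` with a message that says forks are unsupported (check the `pname` the relevant packages set). The stronger requirement is the TLS library: an OpenSSL that does not know the `KTLS` option should make `SSL_CONF_cmd` fail and nginx refuse the configuration at load time, which this assertion does not anticipate — worth a second assertion or at least a sentence in the message, after confirming the exact OpenSSL behaviour. The message text reads `services.nginx.virtualHosts..kTLS`; if the double dot is not a rendering artefact, the `<name>` placeholder is missing. The enclosing `assertions` list starts and ends outside the hunk.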
@@ -147,6 +147,17 @@ with lib; ''; };
+ kTLS = mkOption { type = types.bool; default = false; description = '' Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later. ''; };
+ sslCertificate = mkOption { type = types.path; example = "/var/host.cert";
-- cgit 1.4.1
From 7376f4e34f85cd2ad9bb0c0c1caf75c1afb78fd0 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Tue, 23 Nov 2021 01:28:43 +0300
Subject: nixos/nginx: tengine requires allowing @ipc calls
---
nixos/modules/services/web-servers/nginx/default.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'nixos')
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 7f5c3841f1ac2..459cee34132cc 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -907,7 +907,7 @@ in
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
- SystemCallFilter = "~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid @mincore";
+ SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid @mincore" ] ++ optionals (cfg.package != pkgs.tengine) [ "~@ipc" ];
}; };
-- cgit 1.4.1
From 2f66ac01e91d70837377c4356e5c99843b71f105 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Tue, 23 Nov 2021 15:20:30 +0300
Subject: nixos/nginx: disable rejectSSL activation when https is disabled
---
nixos/modules/services/web-servers/nginx/default.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'nixos')
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 459cee34132cc..4aeca17543261 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
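Review bot: The description's last sentence, `Required Nginx version 1.21.4 or later.`, is ungrammatical and understates what the feature needs: a reader of this option alone does not learn that nginx must also be linked against an OpenSSL with kTLS support and that the kernel `tls` module must be loaded, nor that the option may silently have no effect when those are absent. Suggested wording, keeping the first two sentences and replacing the last: `Requires nginx 1.21.4 or later built against an OpenSSL with kTLS support, plus the "tls" kernel module (for example via boot.kernelModules); if any of these is missing the option may silently have no effect.` The nginx version requirement is already enforced by an assertion in default.nix in this same series, so the description could point at that rather than restate the number. The surrounding option set starts and ends outside the hunk.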
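Review bot: `cfg.package != pkgs.tengine` compares derivations by identity, so any customised tengine — `pkgs.tengine.override { modules = [ ... ]; }` or an `overrideAttrs` variant, which is how this package is commonly deployed — fails the test and is still sandboxed with `~@ipc`, reproducing the crash this commit works around; comparing a stable attribute such as `cfg.package.pname != "tengine"` (check the attribute the package actually sets) avoids that. Separately, dropping the whole `@ipc` group for tengine widens the sandbox more than the commit message suggests: per systemd's group definition it also covers POSIX message queues, `memfd_create` and `process_vm_readv`/`process_vm_writev`, not only the SysV shared-memory and semaphore calls a web-server fork is likely to need (`systemd-analyze syscall-filter @ipc` lists them). Once the needed calls are identified (the seccomp audit line from the kill names them), a narrower shape is to keep `~@ipc` for everyone and append a positive entry that re-allows just those calls, e.g. `] ++ optionals (cfg.package.pname == "tengine") [ "shmget shmat shmdt shmctl" ]` — systemd documents that a positive list after a deny list removes those calls from it, but verify the merged filter before relying on it. Whatever the final shape, the line deserves a comment such as `# tengine needs calls from systemd's @ipc group (it is killed at startup otherwise); nginx itself does not`. The `serviceConfig` attrset starts outside the hunk.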
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -313,7 +313,7 @@ let ${optionalString (hasSSL && vhost.sslTrustedCertificate != null) '' ssl_trusted_certificate ${vhost.sslTrustedCertificate}; ''}
- ${optionalString vhost.rejectSSL ''
+ ${optionalString (hasSSL && vhost.rejectSSL) ''
ssl_reject_handshake on; ''} ${optionalString (hasSSL && vhost.kTLS) ''
-- cgit 1.4.1
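Review bot: Gating `ssl_reject_handshake` on `hasSSL` looks like it disables it for the one case the option exists for: a catch-all default server that sets `rejectSSL = true`, deliberately has no certificate, and therefore enables none of addSSL/forceSSL/onlySSL. `hasSSL` is defined outside this hunk; if it is derived only from those SSL-enabling flags, such a vhost now gets its TLS listener without `ssl_reject_handshake on`, which either makes nginx refuse the configuration (an ssl listener needs `ssl_certificate` unless the handshake is rejected) or, where a certificate is configured at http level, answers the SNI-less probes the admin wanted refused — the certificate exposure rejectSSL is meant to prevent. Please confirm `hasSSL`'s definition; if it does not include `vhost.rejectSSL`, the condition should be `(hasSSL || vhost.rejectSSL)` or simply the previous `vhost.rejectSSL`, and the "https disabled" case this commit targets is better handled by an assertion that `rejectSSL` is not combined with the SSL flags than by silently dropping the directive. The enclosing vhost config string begins and ends outside the hunk.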