summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authormakefu <github@syntax-fehler.de>2016-07-21 16:19:07 +0200
committermakefu <github@syntax-fehler.de>2016-07-21 21:03:36 +0200
commit864e711114b048e875f0d73eeefdca436eebea00 (patch)
tree949551dcd2a00674db67341e68440ec03bfd181b
parentbfc2aa3b236813945ca4f2b5d683d51c82e983b7 (diff)
k 3 nginx: add ssl.force_encryption
-rw-r--r--krebs/3modules/nginx.nix13
-rw-r--r--makefu/2configs/bepasty-dual.nix6
2 files changed, 15 insertions, 4 deletions
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index fc7fcca6f..25dfb5d6a 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -73,6 +73,14 @@ let
type = bool;
default = true;
};
+ force_encryption = mkOption {
+ type = bool;
+ default = false;
+ description = ''
+ redirect all `http` traffic to the same domain but with ssl
+ protocol.
+ '';
+ };
protocols = mkOption {
type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
default = [ "TLSv1.1" "TLSv1.2" ];
@@ -122,6 +130,11 @@ let
server_name ${toString (unique server-names)};
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
${optionalString ssl.enable (indent ''
+ ${optionalString ssl.force_encryption ''
+ if ($scheme = http){
+ return 301 https://$server_name$request_uri;
+ }
+ ''}
listen 443 ssl;
ssl_certificate ${ssl.certificate};
ssl_certificate_key ${ssl.certificate_key};
diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix
index f675c4ac8..4b5389c32 100644
--- a/makefu/2configs/bepasty-dual.nix
+++ b/makefu/2configs/bepasty-dual.nix
@@ -45,6 +45,7 @@ in {
#certificate = "${sec}/wildcard.krebsco.de.crt";
#certificate_key = "${sec}/wildcard.krebsco.de.key";
ciphers = "RC4:HIGH:!aNULL:!MD5" ;
+ force_encryption = true;
};
locations = singleton ( nameValuePair "/.well-known/acme-challenge" ''
root ${acmechall}/${ext-dom}/;
@@ -54,10 +55,7 @@ in {
ssl_session_timeout 10m;
ssl_verify_client off;
proxy_ssl_session_reuse off;
-
- if ($scheme = http){
- return 301 https://$server_name$request_uri;
- }'';
+ '';
};
defaultPermissions = "read";
secretKey = secKey;