author | tv <tv@krebsco.de> | 2016-08-02 20:58:42 +0200 |
---|---|---|
committer | tv <tv@krebsco.de> | 2016-08-02 20:58:42 +0200 |
commit | e6aef09ad41cd55d716b8ee276ebd774b95d8ecb (patch) | |
tree | 6d8d5cce976f3843ab196367e82fec56f0798838 /krebs/3modules/nginx.nix | |
parent | 0928cc03a6191640c66c9122159994855527faef (diff) | |
parent | b197949ab83ee3ee87b5774e0fc7c8d0123a6708 (diff) |
Merge remote-tracking branch 'gum/master'
Diffstat (limited to 'krebs/3modules/nginx.nix')
-rw-r--r-- | krebs/3modules/nginx.nix | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index bc32da3b1..214f55018 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -71,6 +71,14 @@ let
 type = bool;
 default = true;
 };
+ force_encryption = mkOption {
+ type = bool;
+ default = false;
+ description = ''
+ redirect all `http` traffic to the same domain but with ssl
+ protocol.
+ '';
+ };
 protocols = mkOption {
 type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
 default = [ "TLSv1.1" "TLSv1.2" ];
@@ -120,6 +128,11 @@ let
 server_name ${toString (unique server-names)};
 ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
 ${optionalString ssl.enable (indent ''
+ ${optionalString ssl.force_encryption ''
+ if ($scheme = http){
+ return 301 https://$server_name$request_uri;
+ }
+ ''}
 listen 443 ssl;
 ssl_certificate ${ssl.certificate};
 ssl_certificate_key ${ssl.certificate_key};
|
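Review bot: The description of `force_encryption` does not say that the option only takes effect when `ssl.enable` is true; the second hunk nests the redirect inside `optionalString ssl.enable`, so setting `force_encryption` on its own is silently ignored. I would state that in the text, for example `redirect all http requests to https with a 301; only effective when ssl.enable is true.` Separately, the unchanged `protocols` enum in the context still accepts `SSLv2` and `SSLv3`, which is worth a follow-up now that the module advertises an option for enforcing encryption. The enclosing `let` block starts and ends outside the hunk.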
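Review bot: The redirect target uses `$server_name`, which nginx expands to the first name in the `server_name` directive, so with several entries in `server-names` a request for a secondary name is sent to the primary one rather than to "the same domain" as the option description says. If that is intended (it avoids reflecting a client-supplied Host header into the Location), the description should say so; otherwise `return 301 https://$host$request_uri;` keeps the requested name, provided this block is never the default server. A redirect alone also leaves the first plaintext request open to interception, so consider emitting a header such as `add_header Strict-Transport-Security "max-age=31536000" always;` in the ssl part when `force_encryption` is set. The surrounding server block begins and ends outside the hunk.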