summaryrefslogtreecommitdiffstats
path: root/krebs
diff options
context:
space:
mode:
authormakefu <github@syntax-fehler.de>2016-07-21 16:19:07 +0200
committermakefu <github@syntax-fehler.de>2016-07-21 21:03:36 +0200
commit864e711114b048e875f0d73eeefdca436eebea00 (patch)
tree949551dcd2a00674db67341e68440ec03bfd181b /krebs
parentbfc2aa3b236813945ca4f2b5d683d51c82e983b7 (diff)
k 3 nginx: add ssl.force_encryption
Diffstat (limited to 'krebs')
-rw-r--r--krebs/3modules/nginx.nix13
1 files changed, 13 insertions, 0 deletions
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index fc7fcca6f..25dfb5d6a 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -73,6 +73,14 @@ let
type = bool;
default = true;
};
+ force_encryption = mkOption {
+ type = bool;
+ default = false;
+ description = ''
+ redirect all `http` traffic to the same domain but with ssl
+ protocol.
+ '';
+ };
protocols = mkOption {
type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
default = [ "TLSv1.1" "TLSv1.2" ];
@@ -122,6 +130,11 @@ let
server_name ${toString (unique server-names)};
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
${optionalString ssl.enable (indent ''
+ ${optionalString ssl.force_encryption ''
+ if ($scheme = http){
+ return 301 https://$server_name$request_uri;
+ }
+ ''}
listen 443 ssl;
ssl_certificate ${ssl.certificate};
ssl_certificate_key ${ssl.certificate_key};