pyrox.dev / nixpkgs
lol
fork atom

nixos/nginx: ensure TLS OCSP stapling works out of the box with LE

The recommended TLS configuration comes with `ssl_stapling on` and
`ssl_stapling_verify on`. However, this last directive also requires
the use of `ssl_trusted_certificate` to verify the received answer.
When using `enableACME` or similar, we can help the user by providing
the correct value for the directive.

The result can be tested with:

openssl s_client -connect web.example.com:443 -status 2> /dev/null

Without OCSP stapling, we get:

OCSP response: no response sent

After this change, we get:

OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Aug 30 20:46:00 2018 GMT

Vincent Bernat 1251b34b 2a606200

options
unified split
Changed files
+12
nixos
modules
services
web-servers
nginx
default.nix
vhost-options.nix
+5
nixos/modules/services/web-servers/nginx/default.nix 
···

       
16

       
16

       
 

       
    } // (optionalAttrs vhostConfig.enableACME {


     

       
17

       
17

       
 

       
      sslCertificate = "${acmeDirectory}/${serverName}/fullchain.pem";


     

       
18

       
18

       
 

       
      sslCertificateKey = "${acmeDirectory}/${serverName}/key.pem";


     

       

       
19

       
+

       
      sslTrustedCertificate = "${acmeDirectory}/${serverName}/full.pem";


     

       
19

       
20

       
 

       
    }) // (optionalAttrs (vhostConfig.useACMEHost != null) {


     

       
20

       
21

       
 

       
      sslCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem";


     

       
21

       
22

       
 

       
      sslCertificateKey = "${acmeDirectory}/${vhostConfig.useACMEHost}/key.pem";


     

       

       
23

       
+

       
      sslTrustedCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/full.pem";


     

       
22

       
24

       
 

       
    })


     

       
23

       
25

       
 

       
  ) cfg.virtualHosts;


     

       
24

       
26

       
 

       
  enableIPv6 = config.networking.enableIPv6;


     
···

       
227

       
229

       
 

       
          ${optionalString hasSSL ''


     

       
228

       
230

       
 

       
            ssl_certificate ${vhost.sslCertificate};


     

       
229

       
231

       
 

       
            ssl_certificate_key ${vhost.sslCertificateKey};


     

       

       
232

       
+

       
          ''}


     

       

       
233

       
+

       
          ${optionalString (hasSSL && vhost.sslTrustedCertificate != null) ''


     

       

       
234

       
+

       
            ssl_trusted_certificate ${vhost.sslTrustedCertificate};


     

       
230

       
235

       
 

       
          ''}


     

       
231

       
236

       
 

       



     

       
232

       
237

       
 

       
          ${optionalString (vhost.basicAuthFile != null || vhost.basicAuth != {}) ''
+7
nixos/modules/services/web-servers/nginx/vhost-options.nix 
···

       
129

       
129

       
 

       
      description = "Path to server SSL certificate key.";


     

       
130

       
130

       
 

       
    };


     

       
131

       
131

       
 

       



     

       

       
132

       
+

       
    sslTrustedCertificate = mkOption {


     

       

       
133

       
+

       
      type = types.path;


     

       

       
134

       
+

       
      default = null;


     

       

       
135

       
+

       
      example = "/var/root.cert";


     

       

       
136

       
+

       
      description = "Path to root SSL certificate for stapling and client certificates.";


     

       

       
137

       
+

       
    };


     

       

       
138

       
+

       



     

       
132

       
139

       
 

       
    http2 = mkOption {


     

       
133

       
140

       
 

       
      type = types.bool;


     

       
134

       
141

       
 

       
      default = true;