pyrox.dev / nixpkgs
lol
fork atom

nixos/nginx: first-class PROXY protocol support

PROXY protocol is a convenient way to carry information about the
originating address/port of a TCP connection across multiple layers of
proxies/NAT, etc.

Currently, it is possible to make use of it in NGINX's NixOS module, but
is painful when we want to enable it "globally".
Technically, this is achieved by reworking the defaultListen options and
the objective is to have a coherent way to specify default listeners in
the current API design.
See `mkDefaultListenVhost` and `defaultListen` for the details.

It adds a safeguard against running a NGINX with no HTTP listeners (e.g.
only PROXY listeners) while asking for ACME certificates over HTTP-01.

An interesting usecase of PROXY protocol is to enable seamless IPv4 to
IPv6 proxy with origin IPv4 address for IPv6-only NGINX servers, it is
demonstrated how to achieve this in the tests, using sniproxy.

Finally, the tests covers:

- NGINX `defaultListen` mechanisms are not broken by these changes;
- NGINX PROXY protocol listeners are working in a final usecase
(sniproxy);
- uses snakeoil TLS certs from ACME setup with wildcard certificates;

In the future, it is desirable to spoof-attack NGINX in this scenario to
ascertain that `set_real_ip_from` and all the layers are working as
intended and preventing any user from setting their origin IP address to
any arbitrary, opening up the NixOS module to bad™ vulnerabilities.

For now, it is quite hard to achieve while being minimalistic about the
tests dependencies.

Raito Bezarius 69bb0f94 bbdb8416

options
unified split
Changed files
+410 -14
nixos
doc
manual
release-notes
rl-2311.section.md
modules
services
web-servers
nginx
default.nix
vhost-options.nix
tests
all-tests.nix
nginx-proxyprotocol
_.test.nix.cert.pem
_.test.nix.key.pem
ca.cert.pem
ca.key.pem
default.nix
generate-certs.nix
snakeoil-certs.nix
pkgs
servers
http
nginx
generic.nix
+2
nixos/doc/manual/release-notes/rl-2311.section.md 
···

       
17

       
17

       
 

       
## Other Notable Changes {#sec-release-23.11-notable-changes}


     

       
18

       
18

       
 

       



     

       
19

       
19

       
 

       
- A new option was added to the virtualisation module that enables specifying explicitly named network interfaces in QEMU VMs. The existing `virtualisation.vlans` is still supported for cases where the name of the network interface is irrelevant.


     

       

       
20

       
+

       



     

       

       
21

       
+

       
- `services.nginx` gained a `defaultListen` option at server-level with support for PROXY protocol listeners, also `proxyProtocol` is now exposed in `services.nginx.virtualHosts.<name>.listen` option. It is now possible to run PROXY listeners and non-PROXY listeners at a server-level, see [#213510](https://github.com/NixOS/nixpkgs/pull/213510/) for more details.
+94 -6
nixos/modules/services/web-servers/nginx/default.nix 
···

       
309

       
309

       
 

       
        onlySSL = vhost.onlySSL || vhost.enableSSL;


     

       
310

       
310

       
 

       
        hasSSL = onlySSL || vhost.addSSL || vhost.forceSSL;


     

       
311

       
311

       
 

       



     

       

       
312

       
+

       
        # First evaluation of defaultListen based on a set of listen lines.


     

       

       
313

       
+

       
        mkDefaultListenVhost = listenLines:


     

       

       
314

       
+

       
          # If this vhost has SSL or is a SSL rejection host.


     

       

       
315

       
+

       
          # We enable a TLS variant for lines without explicit ssl or ssl = true.


     

       

       
316

       
+

       
          optionals (hasSSL || vhost.rejectSSL)


     

       

       
317

       
+

       
            (map (listen: { port = cfg.defaultSSLListenPort; ssl = true; } // listen)


     

       

       
318

       
+

       
            (filter (listen: !(listen ? ssl) || listen.ssl) listenLines))


     

       

       
319

       
+

       
          # If this vhost is supposed to serve HTTP


     

       

       
320

       
+

       
          # We provide listen lines for those without explicit ssl or ssl = false.


     

       

       
321

       
+

       
          ++ optionals (!onlySSL)


     

       

       
322

       
+

       
            (map (listen: { port = cfg.defaultHTTPListenPort; ssl = false; } // listen)


     

       

       
323

       
+

       
            (filter (listen: !(listen ? ssl) || !listen.ssl) listenLines));


     

       

       
324

       
+

       



     

       
312

       
325

       
 

       
        defaultListen =


     

       
313

       
326

       
 

       
          if vhost.listen != [] then vhost.listen


     

       
314

       
327

       
 

       
          else


     

       

       
328

       
+

       
          if cfg.defaultListen != [] then mkDefaultListenVhost


     

       

       
329

       
+

       
            # Cleanup nulls which will mess up with //.


     

       

       
330

       
+

       
            # TODO: is there a better way to achieve this? i.e. mergeButIgnoreNullPlease?


     

       

       
331

       
+

       
            (map (listenLine: filterAttrs (_: v: (v != null)) listenLine) cfg.defaultListen)


     

       

       
332

       
+

       
          else


     

       
315

       
333

       
 

       
            let addrs = if vhost.listenAddresses != [] then vhost.listenAddresses else cfg.defaultListenAddresses;


     

       
316

       

       
-

       
            in optionals (hasSSL || vhost.rejectSSL) (map (addr: { inherit addr; port = cfg.defaultSSLListenPort; ssl = true; }) addrs)


     

       
317

       

       
-

       
              ++ optionals (!onlySSL) (map (addr: { inherit addr; port = cfg.defaultHTTPListenPort; ssl = false; }) addrs);


     

       

       
334

       
+

       
            in mkDefaultListenVhost (map (addr: { inherit addr; }) addrs);


     

       

       
335

       
+

       



     

       
318

       
336

       
 

       



     

       
319

       
337

       
 

       
        hostListen =


     

       
320

       
338

       
 

       
          if vhost.forceSSL


     

       
321

       
339

       
 

       
            then filter (x: x.ssl) defaultListen


     

       
322

       
340

       
 

       
            else defaultListen;


     

       
323

       
341

       
 

       



     

       
324

       

       
-

       
        listenString = { addr, port, ssl, extraParameters ? [], ... }:


     

       

       
342

       
+

       
        listenString = { addr, port, ssl, proxyProtocol ? false, extraParameters ? [], ... }:


     

       
325

       
343

       
 

       
          # UDP listener for QUIC transport protocol.


     

       
326

       
344

       
 

       
          (optionalString (ssl && vhost.quic) ("


     

       
327

       
345

       
 

       
            listen ${addr}:${toString port} quic "


     

       
328

       
346

       
 

       
          + optionalString vhost.default "default_server "


     

       
329

       
347

       
 

       
          + optionalString vhost.reuseport "reuseport "


     

       
330

       

       
-

       
          + optionalString (extraParameters != []) (concatStringsSep " " (


     

       
331

       

       
-

       
            let inCompatibleParameters = [ "ssl" "proxy_protocol" "http2" ];


     

       

       
348

       
+

       
          + optionalString (extraParameters != []) (concatStringsSep " "


     

       

       
349

       
+

       
            (let inCompatibleParameters = [ "ssl" "proxy_protocol" "http2" ];


     

       
332

       
350

       
 

       
                isCompatibleParameter = param: !(any (p: p == param) inCompatibleParameters);


     

       
333

       
351

       
 

       
            in filter isCompatibleParameter extraParameters))


     

       
334

       
352

       
 

       
          + ";"))


     

       
335

       
353

       
 

       
          + "


     

       
336

       

       
-

       



     

       
337

       
354

       
 

       
            listen ${addr}:${toString port} "


     

       
338

       
355

       
 

       
          + optionalString (ssl && vhost.http2) "http2 "


     

       
339

       
356

       
 

       
          + optionalString ssl "ssl "


     

       
340

       
357

       
 

       
          + optionalString vhost.default "default_server "


     

       
341

       
358

       
 

       
          + optionalString vhost.reuseport "reuseport "


     

       

       
359

       
+

       
          + optionalString proxyProtocol "proxy_protocol "


     

       
342

       
360

       
 

       
          + optionalString (extraParameters != []) (concatStringsSep " " extraParameters)


     

       
343

       
361

       
 

       
          + ";";


     

       
344

       
362

       
 

       



     
···

       
539

       
557

       
 

       
        '';


     

       
540

       
558

       
 

       
      };


     

       
541

       
559

       
 

       



     

       

       
560

       
+

       
      defaultListen = mkOption {


     

       

       
561

       
+

       
        type = with types; listOf (submodule {


     

       

       
562

       
+

       
          options = {


     

       

       
563

       
+

       
            addr = mkOption {


     

       

       
564

       
+

       
              type = str;


     

       

       
565

       
+

       
              description = lib.mdDoc "IP address.";


     

       

       
566

       
+

       
            };


     

       

       
567

       
+

       
            port = mkOption {


     

       

       
568

       
+

       
              type = nullOr port;


     

       

       
569

       
+

       
              description = lib.mdDoc "Port number.";


     

       

       
570

       
+

       
              default = null;


     

       

       
571

       
+

       
            };


     

       

       
572

       
+

       
            ssl  = mkOption {


     

       

       
573

       
+

       
              type = nullOr bool;


     

       

       
574

       
+

       
              default = null;


     

       

       
575

       
+

       
              description = lib.mdDoc "Enable SSL.";


     

       

       
576

       
+

       
            };


     

       

       
577

       
+

       
            proxyProtocol = mkOption {


     

       

       
578

       
+

       
              type = bool;


     

       

       
579

       
+

       
              description = lib.mdDoc "Enable PROXY protocol.";


     

       

       
580

       
+

       
              default = false;


     

       

       
581

       
+

       
            };


     

       

       
582

       
+

       
            extraParameters = mkOption {


     

       

       
583

       
+

       
              type = listOf str;


     

       

       
584

       
+

       
              description = lib.mdDoc "Extra parameters of this listen directive.";


     

       

       
585

       
+

       
              default = [ ];


     

       

       
586

       
+

       
              example = [ "backlog=1024" "deferred" ];


     

       

       
587

       
+

       
            };


     

       

       
588

       
+

       
          };


     

       

       
589

       
+

       
        });


     

       

       
590

       
+

       
        default = [];


     

       

       
591

       
+

       
        example = literalExpression ''[


     

       

       
592

       
+

       
          { addr = "10.0.0.12"; proxyProtocol = true; ssl = true; }


     

       

       
593

       
+

       
          { addr = "0.0.0.0"; }


     

       

       
594

       
+

       
          { addr = "[::0]"; }


     

       

       
595

       
+

       
        ]'';


     

       

       
596

       
+

       
        description = lib.mdDoc ''


     

       

       
597

       
+

       
          If vhosts do not specify listen, use these addresses by default.


     

       

       
598

       
+

       
          This option takes precedence over {option}`defaultListenAddresses` and


     

       

       
599

       
+

       
          other listen-related defaults options.


     

       

       
600

       
+

       
        '';


     

       

       
601

       
+

       
      };


     

       

       
602

       
+

       



     

       
542

       
603

       
 

       
      defaultListenAddresses = mkOption {


     

       
543

       
604

       
 

       
        type = types.listOf types.str;


     

       
544

       
605

       
 

       
        default = [ "0.0.0.0" ] ++ optional enableIPv6 "[::0]";


     
···

       
546

       
607

       
 

       
        example = literalExpression ''[ "10.0.0.12" "[2002:a00:1::]" ]'';


     

       
547

       
608

       
 

       
        description = lib.mdDoc ''


     

       
548

       
609

       
 

       
          If vhosts do not specify listenAddresses, use these addresses by default.


     

       

       
610

       
+

       
          This is akin to writing `defaultListen = [ { addr = "0.0.0.0" } ]`.


     

       
549

       
611

       
 

       
        '';


     

       
550

       
612

       
 

       
      };


     

       
551

       
613

       
 

       



     
···

       
1076

       
1138

       
 

       
        message = ''


     

       
1077

       
1139

       
 

       
          services.nginx.service.virtualHosts.<name>.quic requires using nginxQuic package,


     

       
1078

       
1140

       
 

       
          which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`.


     

       

       
1141

       
+

       
        '';


     

       

       
1142

       
+

       
      }


     

       

       
1143

       
+

       



     

       

       
1144

       
+

       
      {


     

       

       
1145

       
+

       
        # The idea is to understand whether there is a virtual host with a listen configuration


     

       

       
1146

       
+

       
        # that requires ACME configuration but has no HTTP listener which will make deterministically fail


     

       

       
1147

       
+

       
        # this operation.


     

       

       
1148

       
+

       
        # Options' priorities are the following at the moment:


     

       

       
1149

       
+

       
        # listen (vhost) > defaultListen (server) > listenAddresses (vhost) > defaultListenAddresses (server)


     

       

       
1150

       
+

       
        assertion =


     

       

       
1151

       
+

       
        let


     

       

       
1152

       
+

       
          hasAtLeastHttpListener = listenOptions: any (listenLine: if listenLine ? proxyProtocol then !listenLine.proxyProtocol else true) listenOptions;


     

       

       
1153

       
+

       
          hasAtLeastDefaultHttpListener = if cfg.defaultListen != [] then hasAtLeastHttpListener cfg.defaultListen else (cfg.defaultListenAddresses != []);


     

       

       
1154

       
+

       
        in


     

       

       
1155

       
+

       
          all (host:


     

       

       
1156

       
+

       
            let


     

       

       
1157

       
+

       
              hasAtLeastVhostHttpListener = if host.listen != [] then hasAtLeastHttpListener host.listen else (host.listenAddresses != []);


     

       

       
1158

       
+

       
              vhostAuthority = host.listen != [] || (cfg.defaultListen == [] && host.listenAddresses != []);


     

       

       
1159

       
+

       
            in


     

       

       
1160

       
+

       
              # Either vhost has precedence and we need a vhost specific http listener


     

       

       
1161

       
+

       
              # Either vhost set nothing and inherit from server settings


     

       

       
1162

       
+

       
              host.enableACME -> ((vhostAuthority && hasAtLeastVhostHttpListener) || (!vhostAuthority && hasAtLeastDefaultHttpListener))


     

       

       
1163

       
+

       
          ) (attrValues virtualHosts);


     

       

       
1164

       
+

       
        message = ''


     

       

       
1165

       
+

       
          services.nginx.virtualHosts.<name>.enableACME requires a HTTP listener


     

       

       
1166

       
+

       
          to answer to ACME requests.


     

       
1079

       
1167

       
 

       
        '';


     

       
1080

       
1168

       
 

       
      }


     

       
1081

       
1169

       
 

       
    ] ++ map (name: mkCertOwnershipAssertion {
+30 -7
nixos/modules/services/web-servers/nginx/vhost-options.nix 
···

       
27

       
27

       
 

       
    };


     

       
28

       
28

       
 

       



     

       
29

       
29

       
 

       
    listen = mkOption {


     

       
30

       

       
-

       
      type = with types; listOf (submodule { options = {


     

       
31

       

       
-

       
        addr = mkOption { type = str;  description = lib.mdDoc "IP address.";  };


     

       
32

       

       
-

       
        port = mkOption { type = port;  description = lib.mdDoc "Port number."; default = 80; };


     

       
33

       

       
-

       
        ssl  = mkOption { type = bool; description = lib.mdDoc "Enable SSL.";  default = false; };


     

       
34

       

       
-

       
        extraParameters = mkOption { type = listOf str; description = lib.mdDoc "Extra parameters of this listen directive."; default = []; example = [ "backlog=1024" "deferred" ]; };


     

       
35

       

       
-

       
      }; });


     

       

       
30

       
+

       
      type = with types; listOf (submodule {


     

       

       
31

       
+

       
        options = {


     

       

       
32

       
+

       
          addr = mkOption {


     

       

       
33

       
+

       
            type = str;


     

       

       
34

       
+

       
            description = lib.mdDoc "IP address.";


     

       

       
35

       
+

       
          };


     

       

       
36

       
+

       
          port = mkOption {


     

       

       
37

       
+

       
            type = port;


     

       

       
38

       
+

       
            description = lib.mdDoc "Port number.";


     

       

       
39

       
+

       
            default = 80;


     

       

       
40

       
+

       
          };


     

       

       
41

       
+

       
          ssl = mkOption {


     

       

       
42

       
+

       
            type = bool;


     

       

       
43

       
+

       
            description = lib.mdDoc "Enable SSL.";


     

       

       
44

       
+

       
            default = false;


     

       

       
45

       
+

       
          };


     

       

       
46

       
+

       
          proxyProtocol = mkOption {


     

       

       
47

       
+

       
            type = bool;


     

       

       
48

       
+

       
            description = lib.mdDoc "Enable PROXY protocol.";


     

       

       
49

       
+

       
            default = false;


     

       

       
50

       
+

       
          };


     

       

       
51

       
+

       
          extraParameters = mkOption {


     

       

       
52

       
+

       
            type = listOf str;


     

       

       
53

       
+

       
            description = lib.mdDoc "Extra parameters of this listen directive.";


     

       

       
54

       
+

       
            default = [ ];


     

       

       
55

       
+

       
            example = [ "backlog=1024" "deferred" ];


     

       

       
56

       
+

       
          };


     

       

       
57

       
+

       
        };


     

       

       
58

       
+

       
      });


     

       
36

       
59

       
 

       
      default = [];


     

       
37

       
60

       
 

       
      example = [


     

       
38

       
61

       
 

       
        { addr = "195.154.1.1"; port = 443; ssl = true; }


     
···

       
45

       
68

       
 

       
        and `onlySSL`.


     

       
46

       
69

       
 

       



     

       
47

       
70

       
 

       
        If you only want to set the addresses manually and not


     

       
48

       

       
-

       
        the ports, take a look at `listenAddresses`


     

       

       
71

       
+

       
        the ports, take a look at `listenAddresses`.


     

       
49

       
72

       
 

       
      '';


     

       
50

       
73

       
 

       
    };


     

       
51

       
74
+1
nixos/tests/all-tests.nix 
···

       
521

       
521

       
 

       
  nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};


     

       
522

       
522

       
 

       
  nginx-sso = handleTest ./nginx-sso.nix {};


     

       
523

       
523

       
 

       
  nginx-variants = handleTest ./nginx-variants.nix {};


     

       

       
524

       
+

       
  nginx-proxyprotocol = handleTest ./nginx-proxyprotocol {};


     

       
524

       
525

       
 

       
  nifi = handleTestOn ["x86_64-linux"] ./web-apps/nifi.nix {};


     

       
525

       
526

       
 

       
  nitter = handleTest ./nitter.nix {};


     

       
526

       
527

       
 

       
  nix-ld = handleTest ./nix-ld.nix {};
+20
nixos/tests/nginx-proxyprotocol/_.test.nix.cert.pem 
···

       

       
1

       
+

       
-----BEGIN CERTIFICATE-----


     

       

       
2

       
+

       
MIIDLjCCAhagAwIBAgIIP2+4GFxOYMgwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE


     

       

       
3

       
+

       
AxMVbWluaWNhIHJvb3QgY2EgNGU3NTJiMB4XDTIzMDEzMDAzNDExOFoXDTQzMDEz


     

       

       
4

       
+

       
MDAzNDExOFowFTETMBEGA1UEAwwKKi50ZXN0Lm5peDCCASIwDQYJKoZIhvcNAQEB


     

       

       
5

       
+

       
BQADggEPADCCAQoCggEBAMarJSCzelnzTMT5GMoIKA/MXBNk5j277uI2Gq2MCky/


     

       

       
6

       
+

       
DlBpx+tjSsKsz6QLBduKMF8OH5AgjrVAKQAtsVPDseY0Qcyx/5dgJjkdO4on+DFb


     

       

       
7

       
+

       
V0SJ3ZhYPKACrqQ1SaoG+Xup37puw7sVR13J7oNvP6fAYRcjYqCiFC7VMjJNG4dR


     

       

       
8

       
+

       
251jvWWidSc7v5CYw2AxrngtBgHeQuyG9QCJ1DRH8h6ioV7IeonwReN7noYtTWh8


     

       

       
9

       
+

       
NDjGnw9HH2nYMcL91E+DWCxWVmbC9/orvYOT7u0Orho0t1w9BB0/zzcdojwQpMCv


     

       

       
10

       
+

       
HahEmFQmdGbWTuI4caBeaDBJVsSwKlTcxLSS4MAZ0c8CAwEAAaN3MHUwDgYDVR0P


     

       

       
11

       
+

       
AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB


     

       

       
12

       
+

       
Af8EAjAAMB8GA1UdIwQYMBaAFGyXySYI3gL88d7GHnGMU6wpiBf2MBUGA1UdEQQO


     

       

       
13

       
+

       
MAyCCioudGVzdC5uaXgwDQYJKoZIhvcNAQELBQADggEBAJ/DpwiLVBgWyozsn++f


     

       

       
14

       
+

       
kR4m0dUjnuCgpHo2EMoMZh+9og+OC0vq6WITXHaJytB3aBMxFOUTim3vwxPyWPXX


     

       

       
15

       
+

       
/vy+q6jJ6QMLx1J3VIWZdmXsT+qLGbVzL/4gNoaRsLPGO06p3yVjhas+OBFx1Fee


     

       

       
16

       
+

       
6kTHb82S/dzBojOJLRRo18CU9yw0FUXOPqN7HF7k2y+Twe6+iwCuCKGSFcvmRjxe


     

       

       
17

       
+

       
bWy11C921bTienW0Rmq6ppFWDaUNYP8kKpMN2ViAvc0tyF6wwk5lyOiqCR+pQHJR


     

       

       
18

       
+

       
H/J4qSeKDchYLKECuzd6SySz8FW/xPKogQ28zba+DBD86hpqiEJOBzxbrcN3cjUn


     

       

       
19

       
+

       
7N4=


     

       

       
20

       
+

       
-----END CERTIFICATE-----
+27
nixos/tests/nginx-proxyprotocol/_.test.nix.key.pem 
···

       

       
1

       
+

       
-----BEGIN RSA PRIVATE KEY-----


     

       

       
2

       
+

       
MIIEpAIBAAKCAQEAxqslILN6WfNMxPkYyggoD8xcE2TmPbvu4jYarYwKTL8OUGnH


     

       

       
3

       
+

       
62NKwqzPpAsF24owXw4fkCCOtUApAC2xU8Ox5jRBzLH/l2AmOR07iif4MVtXRInd


     

       

       
4

       
+

       
mFg8oAKupDVJqgb5e6nfum7DuxVHXcnug28/p8BhFyNioKIULtUyMk0bh1HbnWO9


     

       

       
5

       
+

       
ZaJ1Jzu/kJjDYDGueC0GAd5C7Ib1AInUNEfyHqKhXsh6ifBF43uehi1NaHw0OMaf


     

       

       
6

       
+

       
D0cfadgxwv3UT4NYLFZWZsL3+iu9g5Pu7Q6uGjS3XD0EHT/PNx2iPBCkwK8dqESY


     

       

       
7

       
+

       
VCZ0ZtZO4jhxoF5oMElWxLAqVNzEtJLgwBnRzwIDAQABAoIBAFuNGOH184cqKJGI


     

       

       
8

       
+

       
3RSVJ6kIGtJRKA0A4vfZyPd61nBBhx4lcRyXOCd4LYPCFKP0DZBwWLk5V6pM89gC


     

       

       
9

       
+

       
NnqMbxnPsRbcXBVtGJAvWXW0L5rHJfMOuVBwMRfnxIUljVnONv/264PlcUtwZd/h


     

       

       
10

       
+

       
o4lsJeBvNg7MnrG5nyVp1+T4RZxYm1P86HLp5zyT+fdj4Cr82b9j6QpxGXEfm1jV


     

       

       
11

       
+

       
QA1xr1ZkrV8fgETyaE0TBIKcdt6xNfv1mpI1RE5gaP/YzcCs/mL+G0kMar4l7pO/


     

       

       
12

       
+

       
6OHXTvHz+W3G6Xlha7Wq1ADoqYz2K7VoL/OgSQhIxRNujyWR6lir7eladVrKkCzu


     

       

       
13

       
+

       
uzFi/HECgYEA0vSNCIK3useSypMPHhYUVNbZ4hbK0WgqSAxfJQtL3nC7KviVMAXj


     

       

       
14

       
+

       
IKVR90xuzJB+ih88KCJpH84JH90paMpW0Gq1yEae90bnWa8Nj7ULLS/Zuj0WrelU


     

       

       
15

       
+

       
+DEGbx47IUPOtiLBxooxFKyIVhX3hWRwZ0pokSQzbgb5zYnlM6tqZ3cCgYEA8Rb2


     

       

       
16

       
+

       
wtt0XmqEQedFacs4fobJoVWMcETjpuxYp0m5Kje/4QkptZIbspXGBgNtPBBRGg51


     

       

       
17

       
+

       
AYSu8wYkGEueI77KiFDgY8AAkpOk2MrMVPszjOhUiO1oEfbT6ynOY5RDOuXcY6jo


     

       

       
18

       
+

       
8RpSk46VkfVxt6LVmappqcVFtVWcAjdGfXeSLmkCgYAWP7SgMSkvidzxgJEXmzyJ


     

       

       
19

       
+

       
th9EuSKq81GCR8vBHG/kBf+3iIAzkGtkBgufCXCmIpc1+hVeJkLwF8rekXTMmIqP


     

       

       
20

       
+

       
cLG7bbdWXSQJUW0cuvtyyJkuC0NZFELh6knDbmzOFVi33PKS/gAvLgMzER4J843n


     

       

       
21

       
+

       
VvGwXSEPeazfAKwrxuhyAQKBgQCOm5TPYlyNVNhy20h18d2zCivOoPn3luhKXtd5


     

       

       
22

       
+

       
7OP4kw2PIYpoesqjcnC2MeS1eLlgfli70y5hVqqXLHOYlUzcIWr51iMAkREbo6oG


     

       

       
23

       
+

       
QqkVmoAWlsfOiICGRC5vPM4f0sPwt4NCyt05p0fWFKd1hn5u7Ryfba90OfWUYfny


     

       

       
24

       
+

       
UX5IsQKBgQCswer4Qc3UepkiYxGwSTxgIh4kYlmamU2I00Kar4uFAr9JsCbk98f0


     

       

       
25

       
+

       
kaCUNZjrrvTwgRmdhwcpMDiMW/F4QkNk0I2unHcoAvzNop6c22VhHJU2XJhrQ57h


     

       

       
26

       
+

       
n1iPiw0NLXiA4RQwMUMjtt3nqlpLOTXGtsF8TmpWPcAN2QcTxOutzw==


     

       

       
27

       
+

       
-----END RSA PRIVATE KEY-----
+20
nixos/tests/nginx-proxyprotocol/ca.cert.pem 
···

       

       
1

       
+

       
-----BEGIN CERTIFICATE-----


     

       

       
2

       
+

       
MIIDSzCCAjOgAwIBAgIITnUr3xFw4oEwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE


     

       

       
3

       
+

       
AxMVbWluaWNhIHJvb3QgY2EgNGU3NTJiMCAXDTIzMDEzMDAzNDExOFoYDzIxMjMw


     

       

       
4

       
+

       
MTMwMDM0MTE4WjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSA0ZTc1MmIwggEi


     

       

       
5

       
+

       
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1SrJT9k3zXIXApEyL5UDlw7F6


     

       

       
6

       
+

       
MMOqE5d+8ZwMccHbEKLu0ssNRY+j31tnNYQ/r5iCNeNgUZccKBgzdU0ysyw5n4tw


     

       

       
7

       
+

       
0y+MTD9fCfUXYcc8pJRPRolo6zxYO9W7WJr0nfJZ+p7zFRAjRCmzXdnZjKz0EGcg


     

       

       
8

       
+

       
x9mHwn//3SuLt1ItK1n3aZ6im9NlcVtunDe3lCSL0tRgy7wDGNvWDZMO49jk4AFU


     

       

       
9

       
+

       
BlMqScuiNpUzYgCxNaaGMuH3M0f0YyRAxSs6FWewLtqTIaVql7HL+3PcGAhvlKEZ


     

       

       
10

       
+

       
fvfaf80F9aWI88sbEddTA0s5837zEoDwGpZl3K5sPU/O3MVEHIhAY5ICG0IBAgMB


     

       

       
11

       
+

       
AAGjgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr


     

       

       
12

       
+

       
BgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBRsl8kmCN4C/PHe


     

       

       
13

       
+

       
xh5xjFOsKYgX9jAfBgNVHSMEGDAWgBRsl8kmCN4C/PHexh5xjFOsKYgX9jANBgkq


     

       

       
14

       
+

       
hkiG9w0BAQsFAAOCAQEAmvgpU+q+TBbz+9Y2rdiIeTfeDXtMNPf+nKI3zxYztRGC


     

       

       
15

       
+

       
MoKP6jCQaFSQra4BVumFLV38DoqR1pOV1ojkiyO5c/9Iym/1Wmm8LeqgsHNqSgyS


     

       

       
16

       
+

       
C7wvBcb/N9PzIBQFq/RiboDoC7bqK/0zQguCmBtGceH+AVpQyfXM+P78B1EkHozu


     

       

       
17

       
+

       
67igP8GfouPp2s4Vd5P2XGkA6vMgYCtFEnCbtmmo7C8B+ymhD/D9axpMKQ1OaBg9


     

       

       
18

       
+

       
jfqLOlk+Rc2nYZuaDjnUmlTkYjC6EwCNe9weYkSJgQ9QzoGJLIRARsdQdsp3C2fZ


     

       

       
19

       
+

       
l2UZKkDJ2GPrrc+TdaGXZTYi0uMmvQsEKZXtqAzorQ==


     

       

       
20

       
+

       
-----END CERTIFICATE-----
+27
nixos/tests/nginx-proxyprotocol/ca.key.pem 
···

       

       
1

       
+

       
-----BEGIN RSA PRIVATE KEY-----


     

       

       
2

       
+

       
MIIEpQIBAAKCAQEAtUqyU/ZN81yFwKRMi+VA5cOxejDDqhOXfvGcDHHB2xCi7tLL


     

       

       
3

       
+

       
DUWPo99bZzWEP6+YgjXjYFGXHCgYM3VNMrMsOZ+LcNMvjEw/Xwn1F2HHPKSUT0aJ


     

       

       
4

       
+

       
aOs8WDvVu1ia9J3yWfqe8xUQI0Qps13Z2Yys9BBnIMfZh8J//90ri7dSLStZ92me


     

       

       
5

       
+

       
opvTZXFbbpw3t5Qki9LUYMu8Axjb1g2TDuPY5OABVAZTKknLojaVM2IAsTWmhjLh


     

       

       
6

       
+

       
9zNH9GMkQMUrOhVnsC7akyGlapexy/tz3BgIb5ShGX732n/NBfWliPPLGxHXUwNL


     

       

       
7

       
+

       
OfN+8xKA8BqWZdyubD1PztzFRByIQGOSAhtCAQIDAQABAoIBAQCLeAWs1kWtvTYg


     

       

       
8

       
+

       
t8UzspC0slItAKrmgt//hvxYDoPmdewC8yPG+AbDOSfmRKOTIxGeyro79UjdHnNP


     

       

       
9

       
+

       
0yQqpvCU/AqYJ7/inR37jXuCG3TdUHfQbSF1F9N6xb1tvYKoQYKaelYiB8g8eUnj


     

       

       
10

       
+

       
dYYM+U5tDNlpvJW6/YTfYFUJzWRo3i8jj5lhbkjcJDvdOhVxMXNXJgJAymu1KysE


     

       

       
11

       
+

       
N1da2l4fzmuoN82wFE9KMyYSn+LOLWBReQQmXHZPP+2LjRIVrWoFoV49k2Ylp9tH


     

       

       
12

       
+

       
yeaFx1Ya/wVx3PRnSW+zebWDcc0bAua9XU3Fi42yRq5iXOyoXHyefDfJoId7+GAO


     

       

       
13

       
+

       
IF2qRw9hAoGBAM1O1l4ceOEDsEBh7HWTvmfwVfkXgT6VHeI6LGEjb88FApXgT+wT


     

       

       
14

       
+

       
1s1IWVVOigLl9OKQbrjqlg9xgzrPDHYRwu5/Oz3X2WaH6wlF+d+okoqls6sCEAeo


     

       

       
15

       
+

       
GfzF3sKOHQyIYjttCXE5G38uhIgVFFFfK97AbUiY8egYBr0zjVXK7xINAoGBAOIN


     

       

       
16

       
+

       
1pDBFBQIoKj64opm/G9lJBLUpWLBFdWXhXS6q2jNsdY1mLMRmu/RBaKSfGz7W1a/


     

       

       
17

       
+

       
a2WBedjcnTWJ/84tBsn4Qj5tLl8xkcXiN/pslWzg724ZnVsbyxM9KvAdXAma3F0g


     

       

       
18

       
+

       
2EsYq8mhvbAEkpE+aoM6jwOJBnMhTRZrNMKN2lbFAoGAHmZWB4lfvLG3H1FgmehO


     

       

       
19

       
+

       
gUVs9X0tff7GdgD3IUsF+zlasKaOLv6hB7R2xdLjTJqQMBwCyQ6zOYYtUD/oMHNg


     

       

       
20

       
+

       
0b+1HesgHbZybuUVorBrQmxWtjOP/BJABtWlrlkso/Zt1S7H/yPdlm9k4GF+qK3W


     

       

       
21

       
+

       
6RzFEcLTzvH/zXQcsV9jFuECgYEAhaX+1KiC0XFkY2OpaoCHAOlAUa3NdjyIRzcF


     

       

       
22

       
+

       
XUU8MINkgCxB8qUXAHCJL1wCGoDluL0FpwbM3m1YuR200tYGLIUNzVDJ2Ng6wk8E


     

       

       
23

       
+

       
H5fxJGU8ydB1Gzescdx5NWt2Tet0G89ecc/NSTHKL3YUnbDUUm/dvA5YdNscc4PA


     

       

       
24

       
+

       
tsIdc60CgYEArvU1MwqGQUTDKUmaM2t3qm70fbwmOViHfyTWpn4aAQR3sK16iJMm


     

       

       
25

       
+

       
V+dka62L/VYs5CIbzXvCioyugUMZGJi/zIwrViRzqJQbNnPADAW4lG88UxXqHHAH


     

       

       
26

       
+

       
q33ivjgd9omGFb37saKOmR44KmjUIDvSIZF4W3EPwAMEyl5mM31Ryns=


     

       

       
27

       
+

       
-----END RSA PRIVATE KEY-----
+144
nixos/tests/nginx-proxyprotocol/default.nix 
···

       

       
1

       
+

       
let


     

       

       
2

       
+

       
  certs = import ./snakeoil-certs.nix;


     

       

       
3

       
+

       
in


     

       

       
4

       
+

       
import ../make-test-python.nix ({ pkgs, ... }: {


     

       

       
5

       
+

       
  name = "nginx-proxyprotocol";


     

       

       
6

       
+

       



     

       

       
7

       
+

       
  nodes = {


     

       

       
8

       
+

       
    webserver = { pkgs, lib, ... }: {


     

       

       
9

       
+

       
      environment.systemPackages = [ pkgs.netcat ];


     

       

       
10

       
+

       
      security.pki.certificateFiles = [


     

       

       
11

       
+

       
        certs.ca.cert


     

       

       
12

       
+

       
      ];


     

       

       
13

       
+

       



     

       

       
14

       
+

       
      networking.extraHosts = ''


     

       

       
15

       
+

       
        127.0.0.5 proxy.test.nix


     

       

       
16

       
+

       
        127.0.0.5 noproxy.test.nix


     

       

       
17

       
+

       
        127.0.0.3 direct-nossl.test.nix


     

       

       
18

       
+

       
        127.0.0.4 unsecure-nossl.test.nix


     

       

       
19

       
+

       
        127.0.0.2 direct-noproxy.test.nix


     

       

       
20

       
+

       
        127.0.0.1 direct-proxy.test.nix


     

       

       
21

       
+

       
      '';


     

       

       
22

       
+

       
      services.nginx = {


     

       

       
23

       
+

       
        enable = true;


     

       

       
24

       
+

       
        defaultListen = [


     

       

       
25

       
+

       
          { addr = "127.0.0.1"; proxyProtocol = true; ssl = true; }


     

       

       
26

       
+

       
          { addr = "127.0.0.2"; }


     

       

       
27

       
+

       
          { addr = "127.0.0.3"; ssl = false; }


     

       

       
28

       
+

       
          { addr = "127.0.0.4"; ssl = false; proxyProtocol = true; }


     

       

       
29

       
+

       
        ];


     

       

       
30

       
+

       
        commonHttpConfig = ''


     

       

       
31

       
+

       
          log_format pcombined '(proxy_protocol=$proxy_protocol_addr) - (remote_addr=$remote_addr) - (realip=$realip_remote_addr) - (upstream=) - (remote_user=$remote_user) [$time_local] '


     

       

       
32

       
+

       
                        '"$request" $status $body_bytes_sent '


     

       

       
33

       
+

       
                        '"$http_referer" "$http_user_agent"';


     

       

       
34

       
+

       
          access_log /var/log/nginx/access.log pcombined;


     

       

       
35

       
+

       
          error_log /var/log/nginx/error.log;


     

       

       
36

       
+

       
        '';


     

       

       
37

       
+

       
        virtualHosts =


     

       

       
38

       
+

       
        let


     

       

       
39

       
+

       
          commonConfig = {


     

       

       
40

       
+

       
           locations."/".return = "200 '$remote_addr'";


     

       

       
41

       
+

       
           extraConfig = ''


     

       

       
42

       
+

       
            set_real_ip_from 127.0.0.5/32;


     

       

       
43

       
+

       
            real_ip_header proxy_protocol;


     

       

       
44

       
+

       
           '';


     

       

       
45

       
+

       
         };


     

       

       
46

       
+

       
        in


     

       

       
47

       
+

       
        {


     

       

       
48

       
+

       
          "*.test.nix" = commonConfig // {


     

       

       
49

       
+

       
            sslCertificate = certs."*.test.nix".cert;


     

       

       
50

       
+

       
            sslCertificateKey = certs."*.test.nix".key;


     

       

       
51

       
+

       
            forceSSL = true;


     

       

       
52

       
+

       
          };


     

       

       
53

       
+

       
          "direct-nossl.test.nix" = commonConfig;


     

       

       
54

       
+

       
          "unsecure-nossl.test.nix" = commonConfig // {


     

       

       
55

       
+

       
            extraConfig = ''


     

       

       
56

       
+

       
              real_ip_header proxy_protocol;


     

       

       
57

       
+

       
            '';


     

       

       
58

       
+

       
          };


     

       

       
59

       
+

       
        };


     

       

       
60

       
+

       
      };


     

       

       
61

       
+

       



     

       

       
62

       
+

       
      services.sniproxy = {


     

       

       
63

       
+

       
        enable = true;


     

       

       
64

       
+

       
        config = ''


     

       

       
65

       
+

       
          error_log {


     

       

       
66

       
+

       
            syslog daemon


     

       

       
67

       
+

       
          }


     

       

       
68

       
+

       
          access_log {


     

       

       
69

       
+

       
            syslog daemon


     

       

       
70

       
+

       
          }


     

       

       
71

       
+

       
          listener 127.0.0.5:443 {


     

       

       
72

       
+

       
            protocol tls


     

       

       
73

       
+

       
            source 127.0.0.5


     

       

       
74

       
+

       
          }


     

       

       
75

       
+

       
          table {


     

       

       
76

       
+

       
            ^proxy\.test\.nix$   127.0.0.1 proxy_protocol


     

       

       
77

       
+

       
            ^noproxy\.test\.nix$ 127.0.0.2


     

       

       
78

       
+

       
          }


     

       

       
79

       
+

       
        '';


     

       

       
80

       
+

       
      };


     

       

       
81

       
+

       
    };


     

       

       
82

       
+

       
  };


     

       

       
83

       
+

       



     

       

       
84

       
+

       
  testScript = ''


     

       

       
85

       
+

       
    def check_origin_ip(src_ip: str, dst_url: str, failure: bool = False, proxy_protocol: bool = False, expected_ip: str | None = None):


     

       

       
86

       
+

       
      check = webserver.fail if failure else webserver.succeed


     

       

       
87

       
+

       
      if expected_ip is None:


     

       

       
88

       
+

       
        expected_ip = src_ip


     

       

       
89

       
+

       



     

       

       
90

       
+

       
      return check(f"curl {'--haproxy-protocol' if proxy_protocol else '''} --interface {src_ip} --fail -L {dst_url} | grep '{expected_ip}'")


     

       

       
91

       
+

       



     

       

       
92

       
+

       
    webserver.wait_for_unit("nginx")


     

       

       
93

       
+

       
    webserver.wait_for_unit("sniproxy")


     

       

       
94

       
+

       
    # This should be closed by virtue of ssl = true;


     

       

       
95

       
+

       
    webserver.wait_for_closed_port(80, "127.0.0.1")


     

       

       
96

       
+

       
    # This should be open by virtue of no explicit ssl


     

       

       
97

       
+

       
    webserver.wait_for_open_port(80, "127.0.0.2")


     

       

       
98

       
+

       
    # This should be open by virtue of ssl = true;


     

       

       
99

       
+

       
    webserver.wait_for_open_port(443, "127.0.0.1")


     

       

       
100

       
+

       
    # This should be open by virtue of no explicit ssl


     

       

       
101

       
+

       
    webserver.wait_for_open_port(443, "127.0.0.2")


     

       

       
102

       
+

       
    # This should be open by sniproxy


     

       

       
103

       
+

       
    webserver.wait_for_open_port(443, "127.0.0.5")


     

       

       
104

       
+

       
    # This should be closed by sniproxy


     

       

       
105

       
+

       
    webserver.wait_for_closed_port(80, "127.0.0.5")


     

       

       
106

       
+

       



     

       

       
107

       
+

       
    # Sanity checks for the NGINX module


     

       

       
108

       
+

       
    # direct-HTTP connection to NGINX without TLS, this checks that ssl = false; works well.


     

       

       
109

       
+

       
    check_origin_ip("127.0.0.10", "http://direct-nossl.test.nix/")


     

       

       
110

       
+

       
    # webserver.execute("openssl s_client -showcerts -connect direct-noproxy.test.nix:443")


     

       

       
111

       
+

       
    # direct-HTTP connection to NGINX with TLS


     

       

       
112

       
+

       
    check_origin_ip("127.0.0.10", "http://direct-noproxy.test.nix/")


     

       

       
113

       
+

       
    check_origin_ip("127.0.0.10", "https://direct-noproxy.test.nix/")


     

       

       
114

       
+

       
    # Well, sniproxy is not listening on 80 and cannot redirect


     

       

       
115

       
+

       
    check_origin_ip("127.0.0.10", "http://proxy.test.nix/", failure=True)


     

       

       
116

       
+

       
    check_origin_ip("127.0.0.10", "http://noproxy.test.nix/", failure=True)


     

       

       
117

       
+

       



     

       

       
118

       
+

       
    # Actual PROXY protocol related tests


     

       

       
119

       
+

       
    # Connecting through sniproxy should passthrough the originating IP address.


     

       

       
120

       
+

       
    check_origin_ip("127.0.0.10", "https://proxy.test.nix/")


     

       

       
121

       
+

       
    # Connecting through sniproxy to a non-PROXY protocol enabled listener should not pass the originating IP address.


     

       

       
122

       
+

       
    check_origin_ip("127.0.0.10", "https://noproxy.test.nix/", expected_ip="127.0.0.5")


     

       

       
123

       
+

       



     

       

       
124

       
+

       
    # Attack tests against spoofing


     

       

       
125

       
+

       
    # Let's try to spoof our IP address by connecting direct-y to the PROXY protocol listener.


     

       

       
126

       
+

       
    # FIXME(RaitoBezarius): rewrite it using Python + (Scapy|something else) as this is too much broken unfortunately.


     

       

       
127

       
+

       
    # Or wait for upstream curl patch.


     

       

       
128

       
+

       
    # def generate_attacker_request(original_ip: str, target_ip: str, dst_url: str):


     

       

       
129

       
+

       
    #     return f"""PROXY TCP4 {original_ip} {target_ip} 80 80


     

       

       
130

       
+

       
    #     GET / HTTP/1.1


     

       

       
131

       
+

       
    #     Host: {dst_url}


     

       

       
132

       
+

       



     

       

       
133

       
+

       
    #     """


     

       

       
134

       
+

       
    # def spoof(original_ip: str, target_ip: str, dst_url: str, tls: bool = False, expect_failure: bool = True):


     

       

       
135

       
+

       
    #   method = webserver.fail if expect_failure else webserver.succeed


     

       

       
136

       
+

       
    #   port = 443 if tls else 80


     

       

       
137

       
+

       
    #   print(webserver.execute(f"cat <<EOF | nc {target_ip} {port}\n{generate_attacker_request(original_ip, target_ip, dst_url)}\nEOF"))


     

       

       
138

       
+

       
    #   return method(f"cat <<EOF | nc {target_ip} {port} | grep {original_ip}\n{generate_attacker_request(original_ip, target_ip, dst_url)}\nEOF")


     

       

       
139

       
+

       



     

       

       
140

       
+

       
    # check_origin_ip("127.0.0.10", "http://unsecure-nossl.test.nix", proxy_protocol=True)


     

       

       
141

       
+

       
    # spoof("1.1.1.1", "127.0.0.4", "direct-nossl.test.nix")


     

       

       
142

       
+

       
    # spoof("1.1.1.1", "127.0.0.4", "unsecure-nossl.test.nix", expect_failure=False)


     

       

       
143

       
+

       
  '';


     

       

       
144

       
+

       
})
+30
nixos/tests/nginx-proxyprotocol/generate-certs.nix 
···

       

       
1

       
+

       
# Minica can provide a CA key and cert, plus a key


     

       

       
2

       
+

       
# and cert for our fake CA server's Web Front End (WFE).


     

       

       
3

       
+

       
{


     

       

       
4

       
+

       
  pkgs ? import <nixpkgs> {},


     

       

       
5

       
+

       
  minica ? pkgs.minica,


     

       

       
6

       
+

       
  runCommandCC ? pkgs.runCommandCC,


     

       

       
7

       
+

       
}:


     

       

       
8

       
+

       
let


     

       

       
9

       
+

       
  conf = import ./snakeoil-certs.nix;


     

       

       
10

       
+

       
  domain = conf.domain;


     

       

       
11

       
+

       
  domainSanitized = pkgs.lib.replaceStrings ["*"] ["_"] domain;


     

       

       
12

       
+

       
in


     

       

       
13

       
+

       
  runCommandCC "generate-tests-certs" {


     

       

       
14

       
+

       
    buildInputs = [ (minica.overrideAttrs (old: {


     

       

       
15

       
+

       
    postPatch = ''


     

       

       
16

       
+

       
      sed -i 's_NotAfter: time.Now().AddDate(2, 0, 30),_NotAfter: time.Now().AddDate(20, 0, 0),_' main.go


     

       

       
17

       
+

       
    '';


     

       

       
18

       
+

       
  })) ];


     

       

       
19

       
+

       



     

       

       
20

       
+

       
  } ''


     

       

       
21

       
+

       
    minica \


     

       

       
22

       
+

       
      --ca-key ca.key.pem \


     

       

       
23

       
+

       
      --ca-cert ca.cert.pem \


     

       

       
24

       
+

       
      --domains "${domain}"


     

       

       
25

       
+

       



     

       

       
26

       
+

       
    mkdir -p $out


     

       

       
27

       
+

       
    mv ca.*.pem $out/


     

       

       
28

       
+

       
    mv ${domainSanitized}/key.pem $out/${domainSanitized}.key.pem


     

       

       
29

       
+

       
    mv ${domainSanitized}/cert.pem $out/${domainSanitized}.cert.pem


     

       

       
30

       
+

       
  ''
+14
nixos/tests/nginx-proxyprotocol/snakeoil-certs.nix 
···

       

       
1

       
+

       
let


     

       

       
2

       
+

       
  domain = "*.test.nix";


     

       

       
3

       
+

       
  domainSanitized = "_.test.nix";


     

       

       
4

       
+

       
in {


     

       

       
5

       
+

       
  inherit domain;


     

       

       
6

       
+

       
  ca = {


     

       

       
7

       
+

       
    cert = ./ca.cert.pem;


     

       

       
8

       
+

       
    key = ./ca.key.pem;


     

       

       
9

       
+

       
  };


     

       

       
10

       
+

       
  "${domain}" = {


     

       

       
11

       
+

       
    cert = ./. + "/${domainSanitized}.cert.pem";


     

       

       
12

       
+

       
    key = ./. + "/${domainSanitized}.key.pem";


     

       

       
13

       
+

       
  };


     

       

       
14

       
+

       
}
+1 -1
pkgs/servers/http/nginx/generic.nix 
···

       
178

       
178

       
 

       
  passthru = {


     

       
179

       
179

       
 

       
    inherit modules;


     

       
180

       
180

       
 

       
    tests = {


     

       
181

       

       
-

       
      inherit (nixosTests) nginx nginx-auth nginx-etag nginx-globalredirect nginx-http3 nginx-pubhtml nginx-sandbox nginx-sso;


     

       

       
181

       
+

       
      inherit (nixosTests) nginx nginx-auth nginx-etag nginx-globalredirect nginx-http3 nginx-pubhtml nginx-sandbox nginx-sso nginx-proxyprotocol;


     

       
182

       
182

       
 

       
      variants = lib.recurseIntoAttrs nixosTests.nginx-variants;


     

       
183

       
183

       
 

       
      acme-integration = nixosTests.acme;


     

       
184

       
184

       
 

       
    } // passthru.tests;