pyrox.dev / nixpkgs
lol
fork atom

nixos/nginx: make redirect status code configurable

Add an option to configure which code globalRedirect and forceSSL use.
It previously was always 301 with no easy way to override.

Gabriel Fontes a3c60d2d 72061433

options
unified split
Changed files
+51 -8
nixos
doc
manual
release-notes
rl-2405.section.md
modules
services
web-servers
nginx
default.nix
vhost-options.nix
tests
all-tests.nix
nginx-redirectcode.nix
+4
nixos/doc/manual/release-notes/rl-2405.section.md 
···

       
47

       
47

       
 

       
  existing process, but will need to start that process from gdb (so it is a


     

       
48

       
48

       
 

       
  child). Or you can set `boot.kernel.sysctl."kernel.yama.ptrace_scope"` to 0.


     

       
49

       
49

       
 

       



     

       

       
50

       
+

       
- [Nginx virtual hosts](#opt-services.nginx.virtualHosts) using `forceSSL` or


     

       

       
51

       
+

       
  `globalRedirect` can now have redirect codes other than 301 through


     

       

       
52

       
+

       
  `redirectCode`.


     

       

       
53

       
+

       



     

       
50

       
54

       
 

       
- Gitea 1.21 upgrade has several breaking changes, including:


     

       
51

       
55

       
 

       
  - Custom themes and other assets that were previously stored in `custom/public/*` now belong in `custom/public/assets/*`


     

       
52

       
56

       
 

       
  - New instances of Gitea using MySQL now ignore the `[database].CHARSET` config option and always use the `utf8mb4` charset, existing instances should migrate via the `gitea doctor convert` CLI command.
+2 -2
nixos/modules/services/web-servers/nginx/default.nix 
···

       
377

       
377

       
 

       
            server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases};


     

       
378

       
378

       
 

       
            ${acmeLocation}


     

       
379

       
379

       
 

       
            location / {


     

       
380

       

       
-

       
              return 301 https://$host$request_uri;


     

       

       
380

       
+

       
              return ${toString vhost.redirectCode} https://$host$request_uri;


     

       
381

       
381

       
 

       
            }


     

       
382

       
382

       
 

       
          }


     

       
383

       
383

       
 

       
        ''}


     
···

       
396

       
396

       
 

       
          ${optionalString (vhost.root != null) "root ${vhost.root};"}


     

       
397

       
397

       
 

       
          ${optionalString (vhost.globalRedirect != null) ''


     

       
398

       
398

       
 

       
            location / {


     

       
399

       

       
-

       
              return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri;


     

       

       
399

       
+

       
              return ${toString vhost.redirectCode} http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri;


     

       
400

       
400

       
 

       
            }


     

       
401

       
401

       
 

       
          ''}


     

       
402

       
402

       
 

       
          ${optionalString hasSSL ''
+19 -6
nixos/modules/services/web-servers/nginx/vhost-options.nix 
···

       
162

       
162

       
 

       
      type = types.bool;


     

       
163

       
163

       
 

       
      default = false;


     

       
164

       
164

       
 

       
      description = lib.mdDoc ''


     

       
165

       

       
-

       
        Whether to add a separate nginx server block that permanently redirects (301)


     

       
166

       

       
-

       
        all plain HTTP traffic to HTTPS. This will set defaults for


     

       
167

       

       
-

       
        `listen` to listen on all interfaces on the respective default


     

       
168

       

       
-

       
        ports (80, 443), where the non-SSL listens are used for the redirect vhosts.


     

       

       
165

       
+

       
        Whether to add a separate nginx server block that redirects (defaults


     

       

       
166

       
+

       
        to 301, configurable with `redirectCode`) all plain HTTP traffic to


     

       

       
167

       
+

       
        HTTPS. This will set defaults for `listen` to listen on all interfaces


     

       

       
168

       
+

       
        on the respective default ports (80, 443), where the non-SSL listens


     

       

       
169

       
+

       
        are used for the redirect vhosts.


     

       
169

       
170

       
 

       
      '';


     

       
170

       
171

       
 

       
    };


     

       
171

       
172

       
 

       



     
···

       
307

       
308

       
 

       
      default = null;


     

       
308

       
309

       
 

       
      example = "newserver.example.org";


     

       
309

       
310

       
 

       
      description = lib.mdDoc ''


     

       
310

       

       
-

       
        If set, all requests for this host are redirected permanently to


     

       
311

       

       
-

       
        the given hostname.


     

       

       
311

       
+

       
        If set, all requests for this host are redirected (defaults to 301,


     

       

       
312

       
+

       
        configurable with `redirectCode`) to the given hostname.


     

       

       
313

       
+

       
      '';


     

       

       
314

       
+

       
    };


     

       

       
315

       
+

       



     

       

       
316

       
+

       
    redirectCode = mkOption {


     

       

       
317

       
+

       
      type = types.ints.between 300 399;


     

       

       
318

       
+

       
      default = 301;


     

       

       
319

       
+

       
      example = 308;


     

       

       
320

       
+

       
      description = lib.mdDoc ''


     

       

       
321

       
+

       
        HTTP status used by `globalRedirect` and `forceSSL`. Possible usecases


     

       

       
322

       
+

       
        include temporary (302, 307) redirects, keeping the request method and


     

       

       
323

       
+

       
        body (307, 308), or explicitly resetting the method to GET (303).


     

       

       
324

       
+

       
        See <https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections>.


     

       
312

       
325

       
 

       
      '';


     

       
313

       
326

       
 

       
    };


     

       
314

       
327
+1
nixos/tests/all-tests.nix 
···

       
583

       
583

       
 

       
  nginx-njs = handleTest ./nginx-njs.nix {};


     

       
584

       
584

       
 

       
  nginx-proxyprotocol = handleTest ./nginx-proxyprotocol {};


     

       
585

       
585

       
 

       
  nginx-pubhtml = handleTest ./nginx-pubhtml.nix {};


     

       

       
586

       
+

       
  nginx-redirectcode = handleTest ./nginx-redirectcode.nix {};


     

       
586

       
587

       
 

       
  nginx-sso = handleTest ./nginx-sso.nix {};


     

       
587

       
588

       
 

       
  nginx-status-page = handleTest ./nginx-status-page.nix {};


     

       
588

       
589

       
 

       
  nginx-tmpdir = handleTest ./nginx-tmpdir.nix {};
+25
nixos/tests/nginx-redirectcode.nix 
···

       

       
1

       
+

       
import ./make-test-python.nix ({ pkgs, lib, ... }: {


     

       

       
2

       
+

       
  name = "nginx-redirectcode";


     

       

       
3

       
+

       
  meta.maintainers = with lib.maintainers; [ misterio77 ];


     

       

       
4

       
+

       



     

       

       
5

       
+

       
  nodes = {


     

       

       
6

       
+

       
    webserver = { pkgs, lib, ... }: {


     

       

       
7

       
+

       
      services.nginx = {


     

       

       
8

       
+

       
        enable = true;


     

       

       
9

       
+

       
        virtualHosts.localhost = {


     

       

       
10

       
+

       
          globalRedirect = "example.com/foo";


     

       

       
11

       
+

       
          # With 308 (and 307), the method and body are to be kept when following it


     

       

       
12

       
+

       
          redirectCode = 308;


     

       

       
13

       
+

       
        };


     

       

       
14

       
+

       
      };


     

       

       
15

       
+

       
    };


     

       

       
16

       
+

       
  };


     

       

       
17

       
+

       



     

       

       
18

       
+

       
  testScript = ''


     

       

       
19

       
+

       
    webserver.wait_for_unit("nginx")


     

       

       
20

       
+

       
    webserver.wait_for_open_port(80)


     

       

       
21

       
+

       



     

       

       
22

       
+

       
    # Check the status code


     

       

       
23

       
+

       
    webserver.succeed("curl -si http://localhost | grep '^HTTP/[0-9.]\+ 308 Permanent Redirect'")


     

       

       
24

       
+

       
  '';


     

       

       
25

       
+

       
})