commit b3f93d7292a29fbcf135278172f28d58cd2d2d85 · pyrox.dev/nixpkgs

+46

nixos/modules/services/web-servers/h2o/common.nix

···

       1
       1
       +
       { lib }:

     

       2
       2
       +
       {

     

       3
       3
       +
         tlsRecommendationsOption = lib.mkOption {

     

       4
       4
       +
           type = lib.types.nullOr (

     

       5
       5
       +
             lib.types.enum [

     

       6
       6
       +
               "modern"

     

       7
       7
       +
               "intermediate"

     

       8
       8
       +
               "old"

     

       9
       9
       +
             ]

     

       10
       10
       +
           );

     

       11
       11
       +
           default = null;

     

       12
       12
       +
           example = "intermediate";

     

       13
       13
       +
           description = ''

     

       14
       14
       +
             By default, H2O, without prejudice, will use as many TLS versions &

     

       15
       15
       +
             cipher suites as it & the TLS library (OpenSSL) can support. The user is

     

       16
       16
       +
             expected to hone settings for the security of their server. Setting some

     

       17
       17
       +
             constraints is recommended, & if unsure about what TLS settings to use,

     

       18
       18
       +
             this option gives curated TLS settings recommendations from Mozilla’s

     

       19
       19
       +
             ‘SSL Configuration Generator’ project (see

     

       20
       20
       +
             <https://ssl-config.mozilla.org>) or read more at Mozilla’s Wiki (see

     

       21
       21
       +
             <https://wiki.mozilla.org/Security/Server_Side_TLS>).

     

       22
       22
       +
       

     

       23
       23
       +
             modern

     

       24
       24
       +
             : Services with clients that support TLS 1.3 & don’t need backward

     

       25
       25
       +
               compatibility

     

       26
       26
       +
       

     

       27
       27
       +
             intermediate

     

       28
       28
       +
             : General-purpose servers with a variety of clients, recommended for

     

       29
       29
       +
               almost all systems

     

       30
       30
       +
       

     

       31
       31
       +
             old

     

       32
       32
       +
             : Compatible with a number of very old clients, & should be used only as

     

       33
       33
       +
               a last resort

     

       34
       34
       +
       

     

       35
       35
       +
             The default for all virtual hosts can be set with

     

       36
       36
       +
             services.h2o.defaultTLSRecommendations, but this value can be overridden

     

       37
       37
       +
             on a per-host basis using services.h2o.hosts.<name>.tls.recommmendations.

     

       38
       38
       +
             The settings will also be overidden by manual values set with

     

       39
       39
       +
             services.settings.h2o.hosts.<name>.tls.extraSettings.

     

       40
       40
       +
       

     

       41
       41
       +
             NOTE: older/weaker ciphers might require overriding the OpenSSL version

     

       42
       42
       +
             of H2O (such as `openssl_legacy`). This can be done with

     

       43
       43
       +
             sevices.settings.h2o.package.

     

       44
       44
       +
           '';

     

       45
       45
       +
         };

     

       46
       46
       +
       }

+111 -28

nixos/modules/services/web-servers/h2o/default.nix

···

       6
       6
        
       }:

     

       7
       7
        
       

     

       8
       8
        
       # TODO: Gems includes for Mruby

     

       9
       9
       -
       # TODO: Recommended options

     

       10
       9
        
       let

     

       11
       10
        
         cfg = config.services.h2o;

     

       12
       11
        
         inherit (config.security.acme) certs;

     
···

       21
       20
        
           ;

     

       22
       21
        
       

     

       23
       22
        
         mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix lib;

     

       23
       23
       +
       

     

       24
       24
       +
         inherit (import ./common.nix { inherit lib; }) tlsRecommendationsOption;

     

       24
       25
        
       

     

       25
       26
        
         settingsFormat = pkgs.formats.yaml { };

     

       26
       27
        
       

     
···

       76
       77
        
             all = certNames'.dependent ++ certNames'.independent;

     

       77
       78
        
           };

     

       78
       79
        
       

     

       80
       80
       +
         mozTLSRecs =

     

       81
       81
       +
           if cfg.defaultTLSRecommendations != null then

     

       82
       82
       +
             let

     

       83
       83
       +
               # NOTE: if updating, *do* verify the changes then adjust ciphers &

     

       84
       84
       +
               # other settings with the tests @

     

       85
       85
       +
               # `nixos/tests/web-servers/h2o/tls-recommendations.nix`

     

       86
       86
       +
               # & run with `nix-build -A nixosTests.h2o.tls-recommendations`

     

       87
       87
       +
               version = "5.7";

     

       88
       88
       +
               git_tag = "v5.7.1";

     

       89
       89
       +
               guidelinesJSON =

     

       90
       90
       +
                 lib.pipe

     

       91
       91
       +
                   {

     

       92
       92
       +
                     urls = [

     

       93
       93
       +
                       "https://ssl-config.mozilla.org/guidelines/${version}.json"

     

       94
       94
       +
                       "https://raw.githubusercontent.com/mozilla/ssl-config-generator/refs/tags/${git_tag}/src/static/guidelines/${version}.json"

     

       95
       95
       +
                     ];

     

       96
       96
       +
                     sha256 = "sha256:1mj2pcb1hg7q2wpgdq3ac8pc2q64wvwvwlkb9xjmdd9jm4hiyny7";

     

       97
       97
       +
                   }

     

       98
       98
       +
                   [

     

       99
       99
       +
                     pkgs.fetchurl

     

       100
       100
       +
                     builtins.readFile

     

       101
       101
       +
                     builtins.fromJSON

     

       102
       102
       +
                   ];

     

       103
       103
       +
             in

     

       104
       104
       +
             guidelinesJSON.configurations

     

       105
       105
       +
           else

     

       106
       106
       +
             null;

     

       107
       107
       +
       

     

       79
       108
        
         hostsConfig = lib.concatMapAttrs (

     

       80
       109
        
           name: value:

     

       81
       110
        
           let

     
···

       130
       159
        
                   ]

     

       131
       160
        
                 )

     

       132
       161
        
                 {

     

       133
       133
       -
                   "${names.server}:${builtins.toString port.TLS}" = value.settings // {

     

       134
       134
       -
                     listen =

     

       135
       135
       -
                       let

     

       136
       136
       -
                         identity =

     

       137
       137
       -
                           value.tls.identity

     

       138
       138
       -
                           ++ lib.optional (builtins.elem names.cert certNames.all) {

     

       139
       139
       -
                             key-file = "${certs.${names.cert}.directory}/key.pem";

     

       140
       140
       -
                             certificate-file = "${certs.${names.cert}.directory}/fullchain.pem";

     

       162
       162
       +
                   "${names.server}:${builtins.toString port.TLS}" =

     

       163
       163
       +
                     let

     

       164
       164
       +
                       tlsRecommendations = lib.attrByPath [ "tls" "recommendations" ] cfg.defaultTLSRecommendations value;

     

       165
       165
       +
       

     

       166
       166
       +
                       hasTLSRecommendations = tlsRecommendations != null && mozTLSRecs != null;

     

       167
       167
       +
       

     

       168
       168
       +
                       # NOTE: Let’s Encrypt has sunset OCSP stapling. Mozilla’s

     

       169
       169
       +
                       # ssl-config-generator is at present still recommending this setting, but

     

       170
       170
       +
                       # this module will skip setting a stapling value as Let’s Encrypt +

     

       171
       171
       +
                       # ACME is the most likely use case.

     

       172
       172
       +
                       #

     

       173
       173
       +
                       # See: https://github.com/mozilla/ssl-config-generator/issues/323

     

       174
       174
       +
                       tlsRecAttrs = lib.optionalAttrs hasTLSRecommendations (

     

       175
       175
       +
                         let

     

       176
       176
       +
                           recs = mozTLSRecs.${tlsRecommendations};

     

       177
       177
       +
                         in

     

       178
       178
       +
                         {

     

       179
       179
       +
                           min-version = builtins.head recs.tls_versions;

     

       180
       180
       +
                           cipher-preference = "server";

     

       181
       181
       +
                           "cipher-suite-tls1.3" = recs.ciphersuites;

     

       182
       182
       +
                         }

     

       183
       183
       +
                         // lib.optionalAttrs (recs.ciphers.openssl != [ ]) {

     

       184
       184
       +
                           cipher-suite = lib.concatStringsSep ":" recs.ciphers.openssl;

     

       185
       185
       +
                         }

     

       186
       186
       +
                       );

     

       187
       187
       +
       

     

       188
       188
       +
                       headerRecAttrs =

     

       189
       189
       +
                         lib.optionalAttrs

     

       190
       190
       +
                           (

     

       191
       191
       +
                             hasTLSRecommendations

     

       192
       192
       +
                             && value.tls != null

     

       193
       193
       +
                             && builtins.elem value.tls.policy [

     

       194
       194
       +
                               "force"

     

       195
       195
       +
                               "only"

     

       196
       196
       +
                             ]

     

       197
       197
       +
                           )

     

       198
       198
       +
                           (

     

       199
       199
       +
                             let

     

       200
       200
       +
                               headerSet = value.settings."header.set" or [ ];

     

       201
       201
       +
                               recs = mozTLSRecs.${tlsRecommendations};

     

       202
       202
       +
                               hsts = "Strict-Transport-Security: max-age=${builtins.toString recs.hsts_min_age}; includeSubDomains; preload";

     

       203
       203
       +
                             in

     

       204
       204
       +
                             {

     

       205
       205
       +
                               "header.set" =

     

       206
       206
       +
                                 if builtins.isString headerSet then

     

       207
       207
       +
                                   [

     

       208
       208
       +
                                     headerSet

     

       209
       209
       +
                                     hsts

     

       210
       210
       +
                                   ]

     

       211
       211
       +
                                 else

     

       212
       212
       +
                                   headerSet ++ [ hsts ];

     

       213
       213
       +
                             }

     

       214
       214
       +
                           );

     

       215
       215
       +
                     in

     

       216
       216
       +
                     value.settings

     

       217
       217
       +
                     // headerRecAttrs

     

       218
       218
       +
                     // {

     

       219
       219
       +
                       listen =

     

       220
       220
       +
                         let

     

       221
       221
       +
                           identity =

     

       222
       222
       +
                             value.tls.identity

     

       223
       223
       +
                             ++ lib.optional (builtins.elem names.cert certNames.all) {

     

       224
       224
       +
                               key-file = "${certs.${names.cert}.directory}/key.pem";

     

       225
       225
       +
                               certificate-file = "${certs.${names.cert}.directory}/fullchain.pem";

     

       226
       226
       +
                             };

     

       227
       227
       +
                         in

     

       228
       228
       +
                         {

     

       229
       229
       +
                           port = port.TLS;

     

       230
       230
       +
                           ssl = (lib.recursiveUpdate tlsRecAttrs value.tls.extraSettings) // {

     

       231
       231
       +
                             inherit identity;

     

       141
       232
        
                           };

     

       142
       142
       -
                       in

     

       143
       143
       -
                       {

     

       144
       144
       -
                         port = port.TLS;

     

       145
       145
       -
                         ssl = value.tls.extraSettings // {

     

       146
       146
       -
                           inherit identity;

     

       147
       233
        
                         };

     

       148
       148
       -
                       };

     

       149
       149
       -
                   };

     

       234
       234
       +
                     };

     

       150
       235
        
                 };

     

       151
       236
        
           in

     

       152
       237
        
           # With a high likelihood of HTTP & ACME challenges being on the same port,

     
···

       184
       269
        
             };

     

       185
       270
        
       

     

       186
       271
        
             package = lib.mkPackageOption pkgs "h2o" {

     

       187
       187
       -
               example = ''

     

       188
       188
       -
                 pkgs.h2o.override {

     

       189
       189
       -
                   withMruby = false;

     

       190
       190
       -
                 };

     

       191
       191
       -
               '';

     

       272
       272
       +
               example = # nix

     

       273
       273
       +
                 ''

     

       274
       274
       +
                   pkgs.h2o.override {

     

       275
       275
       +
                     withMruby = false;

     

       276
       276
       +
                     openssl = pkgs.openssl_legacy;

     

       277
       277
       +
                   }

     

       278
       278
       +
                 '';

     

       192
       279
        
             };

     

       193
       280
        
       

     

       194
       281
        
             defaultHTTPListenPort = mkOption {

     
···

       209
       296
        
               example = 8443;

     

       210
       297
        
             };

     

       211
       298
        
       

     

       299
       299
       +
             defaultTLSRecommendations = tlsRecommendationsOption;

     

       300
       300
       +
       

     

       212
       301
        
             settings = mkOption {

     

       213
       302
        
               type = settingsFormat.type;

     

       214
       303
        
               default = { };

     
···

       216
       305
        
             };

     

       217
       306
        
       

     

       218
       307
        
             hosts = mkOption {

     

       219
       219
       -
               type = types.attrsOf (

     

       220
       220
       -
                 types.submodule (

     

       221
       221
       -
                   import ./vhost-options.nix {

     

       222
       222
       -
                     inherit config lib;

     

       223
       223
       -
                   }

     

       224
       224
       -
                 )

     

       225
       225
       -
               );

     

       308
       308
       +
               type = types.attrsOf (types.submodule (import ./vhost-options.nix { inherit config lib; }));

     

       226
       309
        
               default = { };

     

       227
       310
        
               description = ''

     

       228
       311
        
                 The `hosts` config to be merged with the settings.

+8 -1

nixos/modules/services/web-servers/h2o/vhost-options.nix

···

       1
       1
       -
       { config, lib, ... }:

     

       1
       1
       +
       {

     

       2
       2
       +
         config,

     

       3
       3
       +
         lib,

     

       4
       4
       +
         ...

     

       5
       5
       +
       }:

     

       2
       6
        
       

     

       3
       7
        
       let

     

       4
       8
        
         inherit (lib)

     
···

       6
       10
        
           mkOption

     

       7
       11
        
           types

     

       8
       12
        
           ;

     

       13
       13
       +
       

     

       14
       14
       +
         inherit (import ./common.nix { inherit lib; }) tlsRecommendationsOption;

     

       9
       15
        
       in

     

       10
       16
        
       {

     

       11
       17
        
         options = {

     
···

       128
       134
        
                           ]

     

       129
       135
        
                         '';

     

       130
       136
        
                   };

     

       137
       137
       +
                   recommendations = tlsRecommendationsOption;

     

       131
       138
        
                   extraSettings = mkOption {

     

       132
       139
        
                     type = types.attrs;

     

       133
       140
        
                     default = { };

nixos/tests/web-servers/h2o/default.nix

···

       13
       13
        
       {

     

       14
       14
        
         basic = handleTestOn supportedSystems ./basic.nix { inherit system; };

     

       15
       15
        
         mruby = handleTestOn supportedSystems ./mruby.nix { inherit system; };

     

       16
       16
       +
         tls-recommendations = handleTestOn supportedSystems ./tls-recommendations.nix { inherit system; };

     

       16
       17
        
       }

+115

nixos/tests/web-servers/h2o/tls-recommendations.nix

···

       1
       1
       +
       import ../../make-test-python.nix (

     

       2
       2
       +
         { lib, pkgs, ... }:

     

       3
       3
       +
       

     

       4
       4
       +
         let

     

       5
       5
       +
           domain = "acme.test";

     

       6
       6
       +
           port = 8443;

     

       7
       7
       +
       

     

       8
       8
       +
           hello_txt =

     

       9
       9
       +
             name:

     

       10
       10
       +
             pkgs.writeTextFile {

     

       11
       11
       +
               name = "/hello_${name}.txt";

     

       12
       12
       +
               text = "Hello, ${name}!";

     

       13
       13
       +
             };

     

       14
       14
       +
       

     

       15
       15
       +
           mkH2OServer =

     

       16
       16
       +
             recommendations:

     

       17
       17
       +
             { pkgs, lib, ... }:

     

       18
       18
       +
             {

     

       19
       19
       +
               services.h2o = {

     

       20
       20
       +
                 enable = true;

     

       21
       21
       +
                 package = pkgs.h2o.override (

     

       22
       22
       +
                   lib.optionalAttrs

     

       23
       23
       +
                     (builtins.elem recommendations [

     

       24
       24
       +
                       "intermediate"

     

       25
       25
       +
                       "old"

     

       26
       26
       +
                     ])

     

       27
       27
       +
                     {

     

       28
       28
       +
                       openssl = pkgs.openssl_legacy;

     

       29
       29
       +
                     }

     

       30
       30
       +
                 );

     

       31
       31
       +
                 defaultTLSRecommendations = "modern"; # prove overridden

     

       32
       32
       +
                 hosts = {

     

       33
       33
       +
                   "${domain}" = {

     

       34
       34
       +
                     tls = {

     

       35
       35
       +
                       inherit port recommendations;

     

       36
       36
       +
                       policy = "force";

     

       37
       37
       +
                       identity = [

     

       38
       38
       +
                         {

     

       39
       39
       +
                           key-file = ../../common/acme/server/acme.test.key.pem;

     

       40
       40
       +
                           certificate-file = ../../common/acme/server/acme.test.cert.pem;

     

       41
       41
       +
                         }

     

       42
       42
       +
                       ];

     

       43
       43
       +
                     };

     

       44
       44
       +
                     settings = {

     

       45
       45
       +
                       paths."/"."file.file" = "${hello_txt recommendations}";

     

       46
       46
       +
                     };

     

       47
       47
       +
                   };

     

       48
       48
       +
                 };

     

       49
       49
       +
                 settings = {

     

       50
       50
       +
                   ssl-offload = "kernel";

     

       51
       51
       +
                 };

     

       52
       52
       +
               };

     

       53
       53
       +
       

     

       54
       54
       +
               security.pki.certificates = [

     

       55
       55
       +
                 (builtins.readFile ../../common/acme/server/ca.cert.pem)

     

       56
       56
       +
               ];

     

       57
       57
       +
       

     

       58
       58
       +
               networking = {

     

       59
       59
       +
                 firewall.allowedTCPPorts = [ port ];

     

       60
       60
       +
                 extraHosts = "127.0.0.1 ${domain}";

     

       61
       61
       +
               };

     

       62
       62
       +
             };

     

       63
       63
       +
         in

     

       64
       64
       +
         {

     

       65
       65
       +
           name = "h2o-tls-recommendations";

     

       66
       66
       +
       

     

       67
       67
       +
           meta = {

     

       68
       68
       +
             maintainers = with lib.maintainers; [ toastal ];

     

       69
       69
       +
           };

     

       70
       70
       +
       

     

       71
       71
       +
           nodes = {

     

       72
       72
       +
             server_modern = mkH2OServer "modern";

     

       73
       73
       +
             server_intermediate = mkH2OServer "intermediate";

     

       74
       74
       +
             server_old = mkH2OServer "old";

     

       75
       75
       +
           };

     

       76
       76
       +
       

     

       77
       77
       +
           testScript =

     

       78
       78
       +
             let

     

       79
       79
       +
               portStr = builtins.toString port;

     

       80
       80
       +
             in

     

       81
       81
       +
             # python

     

       82
       82
       +
             ''

     

       83
       83
       +
               curl_basic = "curl -v --tlsv1.3 --http2 'https://${domain}:${portStr}/'"

     

       84
       84
       +
               curl_head = "curl -v --head 'https://${domain}:${portStr}/'"

     

       85
       85
       +
               curl_max_tls1_2 ="curl -v --tlsv1.0 --tls-max 1.2 'https://${domain}:${portStr}/'"

     

       86
       86
       +
               curl_max_tls1_2_intermediate_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256' 'https://${domain}:${portStr}/'"

     

       87
       87
       +
               curl_max_tls1_2_old_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256' 'https://${domain}:${portStr}/'"

     

       88
       88
       +
       

     

       89
       89
       +
               server_modern.wait_for_unit("h2o.service")

     

       90
       90
       +
               modern_response = server_modern.succeed(curl_basic)

     

       91
       91
       +
               assert "Hello, modern!" in modern_response

     

       92
       92
       +
               modern_head = server_modern.succeed(curl_head)

     

       93
       93
       +
               assert "strict-transport-security" in modern_head

     

       94
       94
       +
               server_modern.fail(curl_max_tls1_2)

     

       95
       95
       +
       

     

       96
       96
       +
               server_intermediate.wait_for_unit("h2o.service")

     

       97
       97
       +
               intermediate_response = server_intermediate.succeed(curl_basic)

     

       98
       98
       +
               assert "Hello, intermediate!" in intermediate_response

     

       99
       99
       +
               intermediate_head = server_modern.succeed(curl_head)

     

       100
       100
       +
               assert "strict-transport-security" in intermediate_head

     

       101
       101
       +
               server_intermediate.succeed(curl_max_tls1_2)

     

       102
       102
       +
               server_intermediate.succeed(curl_max_tls1_2_intermediate_cipher)

     

       103
       103
       +
               server_intermediate.fail(curl_max_tls1_2_old_cipher)

     

       104
       104
       +
       

     

       105
       105
       +
               server_old.wait_for_unit("h2o.service")

     

       106
       106
       +
               old_response = server_old.succeed(curl_basic)

     

       107
       107
       +
               assert "Hello, old!" in old_response

     

       108
       108
       +
               old_head = server_modern.succeed(curl_head)

     

       109
       109
       +
               assert "strict-transport-security" in old_head

     

       110
       110
       +
               server_old.succeed(curl_max_tls1_2)

     

       111
       111
       +
               server_old.succeed(curl_max_tls1_2_intermediate_cipher)

     

       112
       112
       +
               server_old.succeed(curl_max_tls1_2_old_cipher)

     

       113
       113
       +
             '';

     

       114
       114
       +
         }

     

       115
       115
       +
       )