Revert "reverse_proxy module: helper to run nginx as reverse proxy"

This reverts commit e6f0cd336dd286232136503c02598372162f1b8d.

These modifications are too specific to particular use cases and shouldn't be part of
the nginx module.

+2 -263
-1
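--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -393,7 +393,6 @@
 ./services/web-servers/lighttpd/default.nix
 ./services/web-servers/lighttpd/gitweb.nix
 ./services/web-servers/nginx/default.nix
-./services/web-servers/nginx/reverse_proxy.nix
 ./services/web-servers/phpfpm.nix
 ./services/web-servers/shellinabox.nix
 ./services/web-servers/tomcat.nix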
+2 -29
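--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -11,9 +11,7 @@
 ${cfg.config}
 ${optionalString (cfg.httpConfig != "") ''
 http {
-${cfg.httpConfig}
-${cfg.httpServers}
-${cfg.httpDefaultServer}
+${cfg.httpConfig}
 }
 ''}
 ${cfg.appendConfig}
@@ -62,32 +60,7 @@
 httpConfig = mkOption {
 type = types.lines;
 default = "";
-description = ''
-Configuration lines to be placed at the top inside of
-the http {} block. The option is intended to be used for
-the default configuration of the servers.
-'';
-};
-
-httpServers = mkOption {
-type = types.lines;
-default = "";
-description = ''
-Configuration lines to be placed inside of the http {}
-block. The option is intended to be used for defining
-individual servers.
-'';
-};
-
-httpDefaultServer = mkOption {
-type = types.lines;
-default = "";
-description = ''
-Configuration lines to be placed at the bottom inside of
-the http {} block. The option is intended to be used for
-setting up the default servers. The default server is used
-if no previously specified server matches a request.
-'';
+description = "Configuration lines to be appended inside of the http {} block.";
 };
 
 stateDir = mkOption {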
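Review bot: The second hunk drops the httpServers and httpDefaultServer options outright, so any configuration that set them while the reverted commit was in tree will presumably now fail evaluation with an undefined-option error instead of a pointer to what replaced them. If this tree's lib already provides mkRemovedOptionModule, an entry such as `imports = [ (mkRemovedOptionModule [ "services" "nginx" "httpServers" ] "Use services.nginx.httpConfig instead.") ];` (and the same for httpDefaultServer) would turn that into an actionable message; otherwise a sentence in the restored httpConfig description saying that server blocks also go there would help. The enclosing module attribute set starts and ends outside the hunk.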
-233
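--- a/nixos/modules/services/web-servers/nginx/reverse_proxy.nix
+++ b/nixos/modules/services/web-servers/nginx/reverse_proxy.nix
@@ -1,233 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
-cfg = config.services.nginx;
-
-defaultSSL = cfg.httpDefaultKey != null || cfg.httpDefaultCertificate != null;
-
-validSSL = key: cert: cert != null && key != null || cert == null && key == null;
-
-in
-
-{
-options = {
-
-services.nginx = {
-
-reverseProxies = mkOption {
-type = types.attrsOf (types.submodule (
-{
-options = {
-proxy = mkOption {
-type = types.str;
-default = [];
-description = ''
-Exclude files and directories matching these patterns.
-'';
-};
-
-key = mkOption {
-type = types.nullOr types.path;
-default = null;
-description = ''
-Exclude files and directories matching these patterns.
-'';
-};
-
-certificate = mkOption {
-type = types.nullOr types.path;
-default = null;
-description = ''
-Exclude files and directories matching these patterns.
-'';
-};
-};
-}
-));
-
-default = {};
-
-example = literalExample ''
-{
-"hydra.yourdomain.org" =
-{ proxy = "localhost:3000";
-key = "/etc/nixos/certs/hydra_key.key";
-certificate = "/etc/nixos/certs/hydra_cert.crt";
-};
-}
-'';
-
-description = ''
-A reverse proxy server configuration is created for every attribute.
-The attribute name corresponds to the name the server is listening to,
-and the proxy option defines the target to forward the requests to.
-If a key and certificate are given, then the server is secured through
-a SSL connection. Non-SSL requests on port 80 are automatically
-re-directed to the SSL server on port 443.
-'';
-};
-
-httpDefaultKey = mkOption {
-type = types.nullOr types.path;
-default = null;
-example = "/etc/nixos/certs/defaut_key.key";
-description = ''
-Key of SSL certificate for default server.
-The default certificate is presented by the default server during
-the SSL handshake when no specialized server configuration matches
-a request.
-A default SSL certificate is also helpful if browsers do not
-support the TLS Server Name Indication extension (SNI, RFC 6066).
-'';
-};
-
-httpDefaultCertificate = mkOption {
-type = types.nullOr types.path;
-default = null;
-example = "/etc/nixos/certs/defaut_key.crt";
-description = ''
-SSL certificate for default server.
-The default certificate is presented by the default server during
-the SSL handshake when no specialized server configuration matches
-a request.
-A default SSL certificate is also helpful if browsers do not
-support the TLS Server Name Indication extension (SNI, RFC 6066).
-'';
-};
-
-};
-
-};
-
-
-config = mkIf (cfg.reverseProxies != {}) {
-
-assertions = [
-{ assertion = all id (mapAttrsToList (n: v: validSSL v.certificate v.key) cfg.reverseProxies);
-message = ''
-One (or more) reverse proxy configurations specify only either
-the key option or the certificate option. Both certificate
-with associated key have to be configured to enable SSL for a
-server configuration.
-
-services.nginx.reverseProxies: ${toString cfg.reverseProxies}
-'';
-}
-{ assertion = validSSL cfg.httpDefaultCertificate cfg.httpDefaultKey;
-message = ''
-The default server configuration specifies only either the key
-option or the certificate option. Both httpDefaultCertificate
-with associated httpDefaultKey have to be configured to enable
-SSL for the default server configuration.
-
-services.nginx.httpDefaultCertificate: ${toString cfg.httpDefaultCertificate}
-
-services.nginx.httpDefaultKey : ${toString cfg.httpDefaultKey}
-'';
-}
-];
-
-services.nginx.config = mkBefore ''
-worker_processes 1;
-error_log logs/error.log debug;
-pid logs/nginx.pid;
-events {
-worker_connections 1024;
-}
-'';
-
-services.nginx.httpConfig = mkBefore ''
-log_format main '$remote_addr - $remote_user [$time_local] "$request" '
-'$status $body_bytes_sent "$http_referer" '
-'"$http_user_agent" "$http_x_forwarded_for"';
-access_log logs/access.log main;
-sendfile on;
-tcp_nopush on;
-keepalive_timeout 10;
-gzip on;
-
-${lib.optionalString defaultSSL ''
-ssl_session_cache shared:SSL:10m;
-ssl_session_timeout 10m;
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers HIGH:!aNULL:!MD5;
-ssl_certificate ${cfg.httpDefaultCertificate};
-ssl_certificate_key ${cfg.httpDefaultKey};
-''}
-'';
-
-services.nginx.httpDefaultServer = mkBefore ''
-# reject as default policy
-server {
-listen 80 default_server;
-listen [::]:80 default_server;
-${lib.optionalString defaultSSL "listen 443 default_server ssl;"}
-return 444;
-}
-'';
-
-services.nginx.httpServers =
-let
-useSSL = certificate: key: certificate != null && key != null;
-
-server = servername: proxy: certificate: key: useSSL: ''
-server {
-server_name ${servername};
-keepalive_timeout 70;
-
-${if !useSSL then ''
-listen 80;
-listen [::]:80;
-'' else ''
-listen 443 ssl;
-ssl_session_cache shared:SSL:10m;
-ssl_session_timeout 10m;
-ssl_certificate ${certificate};
-ssl_certificate_key ${key};
-''}
-
-location / {
-proxy_pass ${proxy};
-
-### force timeouts if one of backend is dead ##
-proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
-
-### Set headers ####
-proxy_set_header Accept-Encoding "";
-proxy_set_header Host $host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-${lib.optionalString useSSL ''
-### Most PHP, Python, Rails, Java App can use this header ###
-#proxy_set_header X-Forwarded-Proto https;##
-#This is better##
-proxy_set_header X-Forwarded-Proto $scheme;
-add_header Front-End-Https on;
-''}
-
-### By default we don't want to redirect it ####
-proxy_redirect off;
-proxy_buffering off;
-}
-}
-
-${lib.optionalString useSSL ''
-# redirect http to https
-server {
-listen 80;
-listen [::]:80;
-server_name ${servername};
-return 301 https://$server_name$request_uri;
-}
-''}
-'';
-in
-concatStrings (mapAttrsToList (n: v: server n v.proxy v.certificate v.key (useSSL v.proxy v.certificate)) cfg.reverseProxies);
-
-};
-
-}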