nginx: make global redirect vhost option accept exceptions

lol

By moving the return into a location directive, one can provide
exceptions by adding locations. This is similar to what the forceSSL
option does.

Vincent Bernat 3 years ago fc39b5ec 04f574a1

+39 -2

6 changed files

expand all

nixos

doc

manual

from_md

release-notes

rl-2305.section.xml

release-notes

rl-2305.section.md

modules

services

web-servers

nginx

default.nix

tests

all-tests.nix

nginx-globalredirect.nix

pkgs

servers

http

nginx

generic.nix

nixos/doc/manual/from_md/release-notes/rl-2305.section.xml

··· 270 270 </listitem> 271 271 <listitem> 272 272 <para> 273 + Enabling global redirect in 274 + <literal>services.nginx.virtualHosts</literal> now allows one 275 + to add exceptions with the <literal>locations</literal> 276 + option. 277 + </para> 278 + </listitem> 279 + <listitem> 280 + <para> 273 281 Resilio sync secret keys can now be provided using a secrets 274 282 file at runtime, preventing these secrets from ending up in 275 283 the Nix store.

nixos/doc/manual/release-notes/rl-2305.section.md

··· 78 78 79 79 - The new option `users.motdFile` allows configuring a Message Of The Day that can be updated dynamically. 80 80 81 + - Enabling global redirect in `services.nginx.virtualHosts` now allows one to add exceptions with the `locations` option. 82 + 81 83 - Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store. 82 84 83 85 - The `services.fwupd` module now allows arbitrary daemon settings to be configured in a structured manner ([`services.fwupd.daemonSettings`](#opt-services.fwupd.daemonSettings)).

+3 -1

nixos/modules/services/web-servers/nginx/default.nix

··· 318 318 ${acmeLocation} 319 319 ${optionalString (vhost.root != null) "root ${vhost.root};"} 320 320 ${optionalString (vhost.globalRedirect != null) '' 321 - return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri; 321 + location / { 322 + return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri; 323 + } 322 324 ''} 323 325 ${optionalString hasSSL '' 324 326 ssl_certificate ${vhost.sslCertificate};

nixos/tests/all-tests.nix

··· 435 435 nginx = handleTest ./nginx.nix {}; 436 436 nginx-auth = handleTest ./nginx-auth.nix {}; 437 437 nginx-etag = handleTest ./nginx-etag.nix {}; 438 + nginx-globalredirect = handleTest ./nginx-globalredirect.nix {}; 438 439 nginx-http3 = handleTest ./nginx-http3.nix {}; 439 440 nginx-modsecurity = handleTest ./nginx-modsecurity.nix {}; 440 441 nginx-njs = handleTest ./nginx-njs.nix {};

+24

nixos/tests/nginx-globalredirect.nix

··· 1 + import ./make-test-python.nix ({ pkgs, ... }: { 2 + name = "nginx-globalredirect"; 3 + 4 + nodes = { 5 + webserver = { pkgs, lib, ... }: { 6 + services.nginx = { 7 + enable = true; 8 + virtualHosts.localhost = { 9 + globalRedirect = "other.example.com"; 10 + # Add an exception 11 + locations."/noredirect".return = "200 'foo'"; 12 + }; 13 + }; 14 + }; 15 + }; 16 + 17 + testScript = '' 18 + webserver.wait_for_unit("nginx") 19 + webserver.wait_for_open_port(80) 20 + 21 + webserver.succeed("curl --fail -si http://localhost/alf | grep '^Location:.*/alf'") 22 + webserver.fail("curl --fail -si http://localhost/noredirect | grep '^Location:'") 23 + ''; 24 + })

+1 -1

pkgs/servers/http/nginx/generic.nix

··· 176 176 passthru = { 177 177 modules = modules; 178 178 tests = { 179 - inherit (nixosTests) nginx nginx-auth nginx-etag nginx-http3 nginx-pubhtml nginx-sandbox nginx-sso; 179 + inherit (nixosTests) nginx nginx-auth nginx-etag nginx-globalredirect nginx-http3 nginx-pubhtml nginx-sandbox nginx-sso; 180 180 variants = lib.recurseIntoAttrs nixosTests.nginx-variants; 181 181 acme-integration = nixosTests.acme; 182 182 } // passthru.tests;