[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#59621] [PATCH] services: nginx: Add support for ssl-stapling in ser
|
From: |
Bruno Victal |
|
Subject: |
[bug#59621] [PATCH] services: nginx: Add support for ssl-stapling in server blocks. |
|
Date: |
Sat, 7 Jan 2023 20:07:11 +0000 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.6.1 |
Hi
On 2023-01-07 17:21, Christopher Baines wrote:
>
> mirai@makinata.eu writes:
>
>> From: Bruno Victal <mirai@makinata.eu>
>>
>> * gnu/services/web.scm (<nginx-server-configuration>): Add
>> ssl-stapling? and ssl-stapling-verify?.
>> * doc/guix.texi (NGINX): Document this.
>> ---
>> doc/guix.texi | 7 +++++
>> gnu/services/web.scm | 69 +++++++++++++++++++++++++-------------------
>> 2 files changed, 46 insertions(+), 30 deletions(-)
>
> Hi Bruno,
>
> Thanks for the patch, and sorry it's taken so long to reply.
>
>> @@ -647,6 +654,8 @@ (define-syntax-rule (and/l x tail ...)
>> " server_name " (config-domain-strings server-name) ";\n"
>> (and/l ssl-certificate " ssl_certificate " <> ";\n")
>> (and/l ssl-certificate-key " ssl_certificate_key " <> ";\n")
>> + " ssl_stapling " (if ssl-stapling? "on" "off") ";\n"
>> + " ssl_stapling_verify " (if ssl-stapling-verify? "on" "off") ";\n"
>> (if (not (equal? "" root))
>> (list " root " root ";\n")
>> "")
>>
>> base-commit: 68925b5ee7e0d96b0c84ae98a633eea5097bf511
>
> Generally this looks good to me. There's some unnecessary indentation
> changes that should probably go in another commit if they're made, but I
> did spot something in the above diff.
I was afraid that doing it in a separate commit would have
made it less clearer as it would have looked like a trivial cosmetic
change without any purpose.
>
> I'm no expert in NGinx configs, but I do wonder if this change will
> break using nginx if it's built without the ngx_http_ssl_module? With
> the other module specific configuration (e.g. ssl_certificate), it's
> possible to specify a value in the <nginx-server-configuration> that
> means the line won't be included in the configuration. I think it would
> be good to continue that here.
I haven't tested this with a nginx that is built without ngx_http_ssl_module,
it would be a rather esoteric nginx build as TLS support presence is a
common expectation of web servers.
> I'm not sure how to enable not including these config lines. Maybe a
> symbol value like 'noval could be used (this should also be the default,
> rather than #f), or maybe 'on and 'off could be used as the values with
> #f meaning the line isn't included.
>
> Does that make sense?
I'm not a fan of this approach as there's define-configuration
and define-maybe value types that should be used here rather than
making up a custom value, though I'm afraid reworking nginx-configuration
and writing the serialize- procedures to use the gnu/services/configuration.scm
facilities is a much bigger effort than what's done in this patch.
Before such effort is to be considered, a plan to solve [1] is required as I
don't
think define-configuration is enough to represent the structure of nginx.conf
(nested locations, if branches, configuration for custom modules, etc.)
[1]: https://issues.guix.gnu.org/37388
Cheers,
Bruno