Message ID | 20210123100049.22389-1-jonathan.brielmaier@web.de |
---|---|
State | New |
Headers | show |
Series | [bug#46049] services: nginx: Add ssl-protocols option. | expand |
Context | Check | Description |
---|---|---|
cbaines/submitting builds | success | |
cbaines/comparison | success | View comparision |
cbaines/git branch | success | View Git branch |
cbaines/applying patch | success | View Laminar job |
cbaines/issue | success | View issue |
I tested this change in multiple setups on my production server and I could not find any grave issues, apart from maybe warnings about duplication if you self setted this option via `raw-content`. The default settings is accordingly to Mozillas "Intermediate" configuration for nginx: https://ssl-config.mozilla.org I would also like to implement an option with good defaults for `ssl_ciphers` if you have ideas how to do that in a nice way speak up :)
Jonathan, Jonathan Brielmaier 写道: > * gnu/services/web.scm > (<nginx-server-configuration>)[ssl-protocols]: > New entry defaulting to "secure" versions of TLS. Thanks! > + (ssl-protocols nginx-server-configuration-ssl-protocols > + (default "TLSv1.2 TLSv1.3")) This should be (default "TLSv1 TLSv1.1 TLSv1.2") instead, see [0]. Otherwise LGTM! Kind regards, T G-R [0]: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
Jonathan Brielmaier 写道: > The default settings is accordingly to Mozillas "Intermediate" > configuration for nginx: https://ssl-config.mozilla.org Oh, I see! Hiding subjective tweaks to upstream defaults in Guix services is a bad idea. Imagine debugging this at 2 a.m., staring at the official nginx documentation through your tears. > I would also like to implement an option with good defaults for > `ssl_ciphers` if you have ideas how to do that in a nice way > speak up :) How about writing ‘mozilla-recommended’ nginx configuration presets that users can inherit from? This would imply keeping them up to date, including the specific versions of nginx and *ssl in Guix. I don't know whether this belongs in Guix or not, but then we already ship someone's Facebook blocklist, so... :-) Kind regards, T G-R
On 24.01.21 02:36, Tobias Geerinckx-Rice wrote: > Jonathan Brielmaier 写道: >> The default settings is accordingly to Mozillas "Intermediate" >> configuration for nginx: https://ssl-config.mozilla.org > > Oh, I see! Hiding subjective tweaks to upstream defaults in Guix > services is a bad idea. > > Imagine debugging this at 2 a.m., staring at the official nginx > documentation through your tears. I see your point, but I usually start with the Guix service documentation and it clearly would state "TLSv1.2 TLSv1.3". If your client doesn't support TLSv1.2 (thats 12 years old), it's maybe a better idea to fallback to HTTP... I think in general its a good idea to follow upstreams default, but it should not hinder us to make more secure defaults >> I would also like to implement an option with good defaults for >> `ssl_ciphers` if you have ideas how to do that in a nice way speak up :) > > How about writing ‘mozilla-recommended’ nginx configuration presets that > users can inherit from? This would imply keeping them up to date, > including the specific versions of nginx and *ssl in Guix. Hm, I try to keep stuff simple and to be honest all those service "matroska" stuff grows over my head. If theres an error I can not debug them at 2am or at any other time... A compromise would maybe something like : (ssl-protocols %upstream-default OR %mozilla-default OR "Your custom string")
How about leaving it empty by default and writing the directive to file only if a value is present? This way the defaults are automatically chosen by nginx. (as they can drift due to automatic protocol support detection or as newer protocols roll out) About making recommendations in the docs, I'd suggest linking it directly to Mozilla's website rather than duplicating it and risk ending up with outdated advice.
diff --git a/doc/guix.texi b/doc/guix.texi index 4a20b3b902..4c187d4383 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -23616,6 +23616,9 @@ you don't have a certificate or you don't want to use HTTPS. Where to find the private key for secure connections. Set it to @code{#f} if you don't have a key or you don't want to use HTTPS. +@item @code{ssl-protocols} (default: @code{"TLSv1.2 TLSv1.3"}) +The versions of TLS used. + @item @code{server-tokens?} (default: @code{#f}) Whether the server should add its configuration to response. diff --git a/gnu/services/web.scm b/gnu/services/web.scm index ff7b262b6a..93e1e802dc 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -113,6 +113,7 @@ nginx-server-configuration-index nginx-server-configuration-ssl-certificate nginx-server-configuration-ssl-certificate-key + nginx-server-configuration-ssl-protocols nginx-server-configuration-server-tokens? nginx-server-configuration-raw-content @@ -489,6 +490,8 @@ (default #f)) (ssl-certificate-key nginx-server-configuration-ssl-certificate-key (default #f)) + (ssl-protocols nginx-server-configuration-ssl-protocols + (default "TLSv1.2 TLSv1.3")) (server-tokens? nginx-server-configuration-server-tokens? (default #f)) (raw-content nginx-server-configuration-raw-content @@ -587,6 +590,7 @@ of index files." (ssl-certificate (nginx-server-configuration-ssl-certificate server)) (ssl-certificate-key (nginx-server-configuration-ssl-certificate-key server)) + (ssl-protocols (nginx-server-configuration-ssl-protocols server)) (root (nginx-server-configuration-root server)) (index (nginx-server-configuration-index server)) (try-files (nginx-server-configuration-try-files server)) @@ -606,6 +610,7 @@ of index files." " server_name " (config-domain-strings server-name) ";\n" (and/l ssl-certificate " ssl_certificate " <> ";\n") (and/l ssl-certificate-key " ssl_certificate_key " <> ";\n") + " ssl_protocols " ssl-protocols ";\n" " root " root ";\n" " index " (config-index-strings index) ";\n" (if (not (nil? try-files))