[bug#59621] services: nginx: Add support for ssl-stapling in server blocks.

From: Bruno Victal <mirai@makinata.eu>

* gnu/services/web.scm (<nginx-server-configuration>): Add
ssl-stapling? and ssl-stapling-verify?.
* doc/guix.texi (NGINX): Document this.
---
 doc/guix.texi        |  7 +++++
 gnu/services/web.scm | 69 +++++++++++++++++++++++++-------------------
 2 files changed, 46 insertions(+), 30 deletions(-)


base-commit: 68925b5ee7e0d96b0c84ae98a633eea5097bf511

mirai@makinata.eu writes:

> From: Bruno Victal <mirai@makinata.eu>
>
> * gnu/services/web.scm (<nginx-server-configuration>): Add
> ssl-stapling? and ssl-stapling-verify?.
> * doc/guix.texi (NGINX): Document this.
> ---
>  doc/guix.texi        |  7 +++++
>  gnu/services/web.scm | 69 +++++++++++++++++++++++++-------------------
>  2 files changed, 46 insertions(+), 30 deletions(-)

Hi Bruno,

Thanks for the patch, and sorry it's taken so long to reply.

> @@ -647,6 +654,8 @@ (define-syntax-rule (and/l x tail ...)
>       "      server_name " (config-domain-strings server-name) ";\n"
>       (and/l ssl-certificate     "      ssl_certificate " <> ";\n")
>       (and/l ssl-certificate-key "      ssl_certificate_key " <> ";\n")
> +     "      ssl_stapling " (if ssl-stapling? "on" "off") ";\n"
> +     "      ssl_stapling_verify " (if ssl-stapling-verify? "on" "off") ";\n"
>       (if (not (equal? "" root))
>           (list "      root " root ";\n")
>           "")
>
> base-commit: 68925b5ee7e0d96b0c84ae98a633eea5097bf511

Generally this looks good to me. There's some unnecessary indentation
changes that should probably go in another commit if they're made, but I
did spot something in the above diff.

I'm no expert in NGinx configs, but I do wonder if this change will
break using nginx if it's built without the ngx_http_ssl_module? With
the other module specific configuration (e.g. ssl_certificate), it's
possible to specify a value in the <nginx-server-configuration> that
means the line won't be included in the configuration. I think it would
be good to continue that here.

I'm not sure how to enable not including these config lines. Maybe a
symbol value like 'noval could be used (this should also be the default,
rather than #f), or maybe 'on and 'off could be used as the values with
#f meaning the line isn't included.

Does that make sense?

Thanks,

Chris

Hi

On 2023-01-07 17:21, Christopher Baines wrote:
> 
> mirai@makinata.eu writes:
> 
>> From: Bruno Victal <mirai@makinata.eu>
>>
>> * gnu/services/web.scm (<nginx-server-configuration>): Add
>> ssl-stapling? and ssl-stapling-verify?.
>> * doc/guix.texi (NGINX): Document this.
>> ---
>>  doc/guix.texi        |  7 +++++
>>  gnu/services/web.scm | 69 +++++++++++++++++++++++++-------------------
>>  2 files changed, 46 insertions(+), 30 deletions(-)
> 
> Hi Bruno,
> 
> Thanks for the patch, and sorry it's taken so long to reply.
> 
>> @@ -647,6 +654,8 @@ (define-syntax-rule (and/l x tail ...)
>>       "      server_name " (config-domain-strings server-name) ";\n"
>>       (and/l ssl-certificate     "      ssl_certificate " <> ";\n")
>>       (and/l ssl-certificate-key "      ssl_certificate_key " <> ";\n")
>> +     "      ssl_stapling " (if ssl-stapling? "on" "off") ";\n"
>> +     "      ssl_stapling_verify " (if ssl-stapling-verify? "on" "off") ";\n"
>>       (if (not (equal? "" root))
>>           (list "      root " root ";\n")
>>           "")
>>
>> base-commit: 68925b5ee7e0d96b0c84ae98a633eea5097bf511
> 
> Generally this looks good to me. There's some unnecessary indentation
> changes that should probably go in another commit if they're made, but I
> did spot something in the above diff.

I was afraid that doing it in a separate commit would have
made it less clearer as it would have looked like a trivial cosmetic
change without any purpose.

> 
> I'm no expert in NGinx configs, but I do wonder if this change will
> break using nginx if it's built without the ngx_http_ssl_module? With
> the other module specific configuration (e.g. ssl_certificate), it's
> possible to specify a value in the <nginx-server-configuration> that
> means the line won't be included in the configuration. I think it would
> be good to continue that here.

I haven't tested this with a nginx that is built without ngx_http_ssl_module,
it would be a rather esoteric nginx build as TLS support presence is a
common expectation of web servers.
 
> I'm not sure how to enable not including these config lines. Maybe a
> symbol value like 'noval could be used (this should also be the default,
> rather than #f), or maybe 'on and 'off could be used as the values with
> #f meaning the line isn't included.
> 
> Does that make sense?

I'm not a fan of this approach as there's define-configuration
and define-maybe value types that should be used here rather than
making up a custom value, though I'm afraid reworking nginx-configuration
and writing the serialize- procedures to use the gnu/services/configuration.scm
facilities is a much bigger effort than what's done in this patch.

Before such effort is to be considered, a plan to solve [1] is required as I don't
think define-configuration is enough to represent the structure of nginx.conf
(nested locations, if branches, configuration for custom modules, etc.)

[1]: https://issues.guix.gnu.org/37388


Cheers,
Bruno

Hi Bruno, Chris,

Bruno Victal <mirai@makinata.eu> writes:

> Hi
>
> On 2023-01-07 17:21, Christopher Baines wrote:
>> 
>> mirai@makinata.eu writes:
>> 
>>> From: Bruno Victal <mirai@makinata.eu>
>>>
>>> * gnu/services/web.scm (<nginx-server-configuration>): Add
>>> ssl-stapling? and ssl-stapling-verify?.
>>> * doc/guix.texi (NGINX): Document this.
>>> ---
>>>  doc/guix.texi        |  7 +++++
>>>  gnu/services/web.scm | 69 +++++++++++++++++++++++++-------------------
>>>  2 files changed, 46 insertions(+), 30 deletions(-)
>> 
>> Hi Bruno,
>> 
>> Thanks for the patch, and sorry it's taken so long to reply.
>> 
>>> @@ -647,6 +654,8 @@ (define-syntax-rule (and/l x tail ...)
>>>       "      server_name " (config-domain-strings server-name) ";\n"
>>>       (and/l ssl-certificate     "      ssl_certificate " <> ";\n")
>>>       (and/l ssl-certificate-key "      ssl_certificate_key " <> ";\n")
>>> +     "      ssl_stapling " (if ssl-stapling? "on" "off") ";\n"
>>> +     "      ssl_stapling_verify " (if ssl-stapling-verify? "on" "off") ";\n"
>>>       (if (not (equal? "" root))
>>>           (list "      root " root ";\n")
>>>           "")
>>>
>>> base-commit: 68925b5ee7e0d96b0c84ae98a633eea5097bf511
>> 
>> Generally this looks good to me. There's some unnecessary indentation
>> changes that should probably go in another commit if they're made, but I
>> did spot something in the above diff.
>
> I was afraid that doing it in a separate commit would have
> made it less clearer as it would have looked like a trivial cosmetic
> change without any purpose.
>
>> 
>> I'm no expert in NGinx configs, but I do wonder if this change will
>> break using nginx if it's built without the ngx_http_ssl_module? With
>> the other module specific configuration (e.g. ssl_certificate), it's
>> possible to specify a value in the <nginx-server-configuration> that
>> means the line won't be included in the configuration. I think it would
>> be good to continue that here.
>
> I haven't tested this with a nginx that is built without ngx_http_ssl_module,
> it would be a rather esoteric nginx build as TLS support presence is a
> common expectation of web servers.

The only nginx package in Guix has TLS support; I wouldn't expect people
will go out of the way to define TLS-less variants just to run a local
HTTP-only web server; perhaps it's OK to not give to much importance to
that for now?