[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#59621] [PATCH] services: nginx: Add support for ssl-stapling in ser
|
From: |
Maxim Cournoyer |
|
Subject: |
[bug#59621] [PATCH] services: nginx: Add support for ssl-stapling in server blocks. |
|
Date: |
Tue, 21 Mar 2023 09:20:49 -0400 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) |
Hi Bruno, Chris,
Bruno Victal <mirai@makinata.eu> writes:
> Hi
>
> On 2023-01-07 17:21, Christopher Baines wrote:
>>
>> mirai@makinata.eu writes:
>>
>>> From: Bruno Victal <mirai@makinata.eu>
>>>
>>> * gnu/services/web.scm (<nginx-server-configuration>): Add
>>> ssl-stapling? and ssl-stapling-verify?.
>>> * doc/guix.texi (NGINX): Document this.
>>> ---
>>> doc/guix.texi | 7 +++++
>>> gnu/services/web.scm | 69 +++++++++++++++++++++++++-------------------
>>> 2 files changed, 46 insertions(+), 30 deletions(-)
>>
>> Hi Bruno,
>>
>> Thanks for the patch, and sorry it's taken so long to reply.
>>
>>> @@ -647,6 +654,8 @@ (define-syntax-rule (and/l x tail ...)
>>> " server_name " (config-domain-strings server-name) ";\n"
>>> (and/l ssl-certificate " ssl_certificate " <> ";\n")
>>> (and/l ssl-certificate-key " ssl_certificate_key " <> ";\n")
>>> + " ssl_stapling " (if ssl-stapling? "on" "off") ";\n"
>>> + " ssl_stapling_verify " (if ssl-stapling-verify? "on" "off")
>>> ";\n"
>>> (if (not (equal? "" root))
>>> (list " root " root ";\n")
>>> "")
>>>
>>> base-commit: 68925b5ee7e0d96b0c84ae98a633eea5097bf511
>>
>> Generally this looks good to me. There's some unnecessary indentation
>> changes that should probably go in another commit if they're made, but I
>> did spot something in the above diff.
>
> I was afraid that doing it in a separate commit would have
> made it less clearer as it would have looked like a trivial cosmetic
> change without any purpose.
>
>>
>> I'm no expert in NGinx configs, but I do wonder if this change will
>> break using nginx if it's built without the ngx_http_ssl_module? With
>> the other module specific configuration (e.g. ssl_certificate), it's
>> possible to specify a value in the <nginx-server-configuration> that
>> means the line won't be included in the configuration. I think it would
>> be good to continue that here.
>
> I haven't tested this with a nginx that is built without ngx_http_ssl_module,
> it would be a rather esoteric nginx build as TLS support presence is a
> common expectation of web servers.
The only nginx package in Guix has TLS support; I wouldn't expect people
will go out of the way to define TLS-less variants just to run a local
HTTP-only web server; perhaps it's OK to not give to much importance to
that for now?
--
Thanks,
Maxim
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [bug#59621] [PATCH] services: nginx: Add support for ssl-stapling in server blocks.,
Maxim Cournoyer <=