GNU bug report logs -
#46049
[PATCH] services: nginx: Add ssl-protocols option.
Previous Next
To reply to this bug, email your comments to 46049 AT debbugs.gnu.org.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#46049; Package
guix-patches.
(Sat, 23 Jan 2021 10:02:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Jonathan Brielmaier <jonathan.brielmaier <at> web.de>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Sat, 23 Jan 2021 10:02:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/services/web.scm (<nginx-server-configuration>)[ssl-protocols]:
New entry defaulting to "secure" versions of TLS.
(emit-nginx-server-config): Add it.
* doc/guix.texi (Web Services): Document it.
---
doc/guix.texi | 3 +++
gnu/services/web.scm | 5 +++++
2 files changed, 8 insertions(+)
diff --git a/doc/guix.texi b/doc/guix.texi
index 4a20b3b902..4c187d4383 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -23616,6 +23616,9 @@ you don't have a certificate or you don't want to use HTTPS.
Where to find the private key for secure connections. Set it to @code{#f} if
you don't have a key or you don't want to use HTTPS.
+@item @code{ssl-protocols} (default: @code{"TLSv1.2 TLSv1.3"})
+The versions of TLS used.
+
@item @code{server-tokens?} (default: @code{#f})
Whether the server should add its configuration to response.
diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index ff7b262b6a..93e1e802dc 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -113,6 +113,7 @@
nginx-server-configuration-index
nginx-server-configuration-ssl-certificate
nginx-server-configuration-ssl-certificate-key
+ nginx-server-configuration-ssl-protocols
nginx-server-configuration-server-tokens?
nginx-server-configuration-raw-content
@@ -489,6 +490,8 @@
(default #f))
(ssl-certificate-key nginx-server-configuration-ssl-certificate-key
(default #f))
+ (ssl-protocols nginx-server-configuration-ssl-protocols
+ (default "TLSv1.2 TLSv1.3"))
(server-tokens? nginx-server-configuration-server-tokens?
(default #f))
(raw-content nginx-server-configuration-raw-content
@@ -587,6 +590,7 @@ of index files."
(ssl-certificate (nginx-server-configuration-ssl-certificate server))
(ssl-certificate-key
(nginx-server-configuration-ssl-certificate-key server))
+ (ssl-protocols (nginx-server-configuration-ssl-protocols server))
(root (nginx-server-configuration-root server))
(index (nginx-server-configuration-index server))
(try-files (nginx-server-configuration-try-files server))
@@ -606,6 +610,7 @@ of index files."
" server_name " (config-domain-strings server-name) ";\n"
(and/l ssl-certificate " ssl_certificate " <> ";\n")
(and/l ssl-certificate-key " ssl_certificate_key " <> ";\n")
+ " ssl_protocols " ssl-protocols ";\n"
" root " root ";\n"
" index " (config-index-strings index) ";\n"
(if (not (nil? try-files))
--
2.30.0
Information forwarded
to
guix-patches <at> gnu.org:
bug#46049; Package
guix-patches.
(Sat, 23 Jan 2021 10:09:01 GMT)
Full text and
rfc822 format available.
Message #8 received at 46049 <at> debbugs.gnu.org (full text, mbox):
I tested this change in multiple setups on my production server and I
could not find any grave issues, apart from maybe warnings about
duplication if you self setted this option via `raw-content`.
The default settings is accordingly to Mozillas "Intermediate"
configuration for nginx: https://ssl-config.mozilla.org
I would also like to implement an option with good defaults for
`ssl_ciphers` if you have ideas how to do that in a nice way speak up :)
Information forwarded
to
guix-patches <at> gnu.org:
bug#46049; Package
guix-patches.
(Sun, 24 Jan 2021 00:47:01 GMT)
Full text and
rfc822 format available.
Message #11 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Jonathan,
Jonathan Brielmaier 写道:
> * gnu/services/web.scm
> (<nginx-server-configuration>)[ssl-protocols]:
> New entry defaulting to "secure" versions of TLS.
Thanks!
> + (ssl-protocols nginx-server-configuration-ssl-protocols
> + (default "TLSv1.2 TLSv1.3"))
This should be
(default "TLSv1 TLSv1.1 TLSv1.2")
instead, see [0]. Otherwise LGTM!
Kind regards,
T G-R
[0]:
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#46049; Package
guix-patches.
(Sun, 24 Jan 2021 00:47:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
guix-patches <at> gnu.org:
bug#46049; Package
guix-patches.
(Sun, 24 Jan 2021 01:37:01 GMT)
Full text and
rfc822 format available.
Message #17 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Jonathan Brielmaier 写道:
> The default settings is accordingly to Mozillas "Intermediate"
> configuration for nginx: https://ssl-config.mozilla.org
Oh, I see! Hiding subjective tweaks to upstream defaults in Guix
services is a bad idea.
Imagine debugging this at 2 a.m., staring at the official nginx
documentation through your tears.
> I would also like to implement an option with good defaults for
> `ssl_ciphers` if you have ideas how to do that in a nice way
> speak up :)
How about writing ‘mozilla-recommended’ nginx configuration
presets that users can inherit from? This would imply keeping
them up to date, including the specific versions of nginx and *ssl
in Guix.
I don't know whether this belongs in Guix or not, but then we
already ship someone's Facebook blocklist, so... :-)
Kind regards,
T G-R
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#46049; Package
guix-patches.
(Sun, 24 Jan 2021 01:37:01 GMT)
Full text and
rfc822 format available.
Information forwarded
to
guix-patches <at> gnu.org:
bug#46049; Package
guix-patches.
(Sun, 24 Jan 2021 13:26:01 GMT)
Full text and
rfc822 format available.
Message #23 received at submit <at> debbugs.gnu.org (full text, mbox):
On 24.01.21 02:36, Tobias Geerinckx-Rice wrote:
> Jonathan Brielmaier 写道:
>> The default settings is accordingly to Mozillas "Intermediate"
>> configuration for nginx: https://ssl-config.mozilla.org
>
> Oh, I see! Hiding subjective tweaks to upstream defaults in Guix
> services is a bad idea.
>
> Imagine debugging this at 2 a.m., staring at the official nginx
> documentation through your tears.
I see your point, but I usually start with the Guix service
documentation and it clearly would state "TLSv1.2 TLSv1.3". If your
client doesn't support TLSv1.2 (thats 12 years old), it's maybe a better
idea to fallback to HTTP...
I think in general its a good idea to follow upstreams default, but it
should not hinder us to make more secure defaults
>> I would also like to implement an option with good defaults for
>> `ssl_ciphers` if you have ideas how to do that in a nice way speak up :)
>
> How about writing ‘mozilla-recommended’ nginx configuration presets that
> users can inherit from? This would imply keeping them up to date,
> including the specific versions of nginx and *ssl in Guix.
Hm, I try to keep stuff simple and to be honest all those service
"matroska" stuff grows over my head. If theres an error I can not debug
them at 2am or at any other time...
A compromise would maybe something like :
(ssl-protocols %upstream-default OR %mozilla-default OR "Your custom
string")
Information forwarded
to
guix-patches <at> gnu.org:
bug#46049; Package
guix-patches.
(Sun, 24 Jan 2021 13:26:01 GMT)
Full text and
rfc822 format available.
Information forwarded
to
guix-patches <at> gnu.org:
bug#46049; Package
guix-patches.
(Tue, 22 Nov 2022 15:27:01 GMT)
Full text and
rfc822 format available.
Message #29 received at 46049 <at> debbugs.gnu.org (full text, mbox):
How about leaving it empty by default and writing the directive to file only if a value is present?
This way the defaults are automatically chosen by nginx. (as they can drift due to automatic protocol
support detection or as newer protocols roll out)
About making recommendations in the docs, I'd suggest linking it directly to Mozilla's website
rather than duplicating it and risk ending up with outdated advice.
This bug report was last modified 2 years and 70 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.