k 3 nginx: add ssl.force_encryption
parent
bfc2aa3b23
commit
864e711114
@ -73,6 +73,14 @@ let
|
||||
type = bool;
|
||||
default = true;
|
||||
};
|
||||
force_encryption = mkOption {
|
||||
type = bool;
|
||||
default = false;
|
||||
description = ''
|
||||
redirect all `http` traffic to the same domain but with ssl
|
||||
protocol.
|
||||
'';
|
||||
};
|
||||
protocols = mkOption {
|
||||
type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
|
||||
default = [ "TLSv1.1" "TLSv1.2" ];
|
||||
@ -122,6 +130,11 @@ let
|
||||
server_name ${toString (unique server-names)};
|
||||
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
|
||||
${optionalString ssl.enable (indent ''
|
||||
${optionalString ssl.force_encryption ''
|
||||
if ($scheme = http){
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
''}
|
||||
listen 443 ssl;
|
||||
ssl_certificate ${ssl.certificate};
|
||||
ssl_certificate_key ${ssl.certificate_key};
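Review bot: The redirect `return 301 https://$server_name$request_uri;` uses `$server_name`, which nginx sets to the primary (first) name of the server block, while the `server_name` directive just above is rendered from the whole `unique server-names` list; a request for any other name is therefore redirected to the first one, not to "the same domain" as the option description says. Either state that in the description, or use `return 301 https://$host$request_uri;`, keeping in mind that `$host` follows the client's Host header and is only appropriate where this vhost is not the catch-all default server. The block is also nested inside `optionalString ssl.enable`, so `force_encryption = true` with `ssl.enable = false` silently emits nothing; the description should mention that dependency. The enclosing `let` bindings and the server template start and end outside these hunks.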
|
||||
|
@ -45,6 +45,7 @@ in {
|
||||
#certificate = "${sec}/wildcard.krebsco.de.crt";
|
||||
#certificate_key = "${sec}/wildcard.krebsco.de.key";
|
||||
ciphers = "RC4:HIGH:!aNULL:!MD5" ;
|
||||
force_encryption = true;
|
||||
};
|
||||
locations = singleton ( nameValuePair "/.well-known/acme-challenge" ''
|
||||
root ${acmechall}/${ext-dom}/;
|
||||
@ -54,10 +55,7 @@ in {
|
||||
ssl_session_timeout 10m;
|
||||
ssl_verify_client off;
|
||||
proxy_ssl_session_reuse off;
|
||||
|
||||
if ($scheme = http){
|
||||
return 301 https://$server_name$request_uri;
|
||||
}'';
|
||||
'';
|
||||
};
|
||||
defaultPermissions = "read";
|
||||
secretKey = secKey;
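Review bot: `force_encryption = true;` now sends every plain-HTTP visitor of this vhost to the TLS listener, yet the `ciphers` line directly above it still lists RC4 first, so the forced connection can be negotiated with a cipher that RFC 7465 prohibits. Consider `ciphers = "HIGH:!aNULL:!MD5:!RC4";` as part of the same change. Whether RC4 is actually preferred depends on `ssl_prefer_server_ciphers` and the configured protocol list, neither of which is set in the visible lines. The redirect on its own also leaves each client's first plain-HTTP request unprotected; a `Strict-Transport-Security` header in the extra config would cover returning clients.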
|
||||
|