k 3 nginx: add ssl.force_encryption

This commit is contained in:
makefu 2016-07-21 16:19:07 +02:00
parent bfc2aa3b23
commit 864e711114
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
2 changed files with 15 additions and 4 deletions


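--- a/(file-1 path not shown on page)
+++ b/(file-1 path not shown on page)
@@ -73,6 +73,14 @@ let
 type = bool;
 default = true;
 };
+force_encryption = mkOption {
+type = bool;
+default = false;
+description = ''
+redirect all `http` traffic to the same domain but with ssl
+protocol.
+'';
+};
 protocols = mkOption {
 type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
 default = [ "TLSv1.1" "TLSv1.2" ];
@@ -122,6 +130,11 @@ let
 server_name ${toString (unique server-names)};
 ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
 ${optionalString ssl.enable (indent ''
+${optionalString ssl.force_encryption ''
+if ($scheme = http){
+return 301 https://$server_name$request_uri;
+}
+''}
 listen 443 ssl;
 ssl_certificate ${ssl.certificate};
 ssl_certificate_key ${ssl.certificate_key};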
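Review bot: The redirect emitted in the second hunk targets `https://$server_name$request_uri`, but in nginx `$server_name` is the first name of the server block, while the `server_name` directive three lines above is filled from every entry of `unique server-names`, so a request for any other configured name is bounced to the first one instead of the host it asked for. `return 301 https://$host$request_uri;` preserves the requested host; `$host` is client-supplied, so this is only appropriate in a block selected by an explicit server_name (as here) and not in a default catch-all server. The redirect is also nested inside `optionalString ssl.enable`, so `force_encryption = true` with `ssl.enable = false` is silently ignored, and it only fires if one of the configured `listen` entries accepts plain http; the option description could state `only takes effect when ssl.enable is true and a plain-http listen entry exists`. The same `$server_name` target is what the consumer in the second changed file now relies on. The enclosing `let` expression and the server-block string both start outside this hunk.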


@ -45,6 +45,7 @@ in {
#certificate = "${sec}/wildcard.krebsco.de.crt"; #certificate = "${sec}/wildcard.krebsco.de.crt";
#certificate_key = "${sec}/wildcard.krebsco.de.key"; #certificate_key = "${sec}/wildcard.krebsco.de.key";
ciphers = "RC4:HIGH:!aNULL:!MD5" ; ciphers = "RC4:HIGH:!aNULL:!MD5" ;
force_encryption = true;
}; };
locations = singleton ( nameValuePair "/.well-known/acme-challenge" '' locations = singleton ( nameValuePair "/.well-known/acme-challenge" ''
root ${acmechall}/${ext-dom}/; root ${acmechall}/${ext-dom}/;
@ -54,10 +55,7 @@ in {
ssl_session_timeout 10m; ssl_session_timeout 10m;
ssl_verify_client off; ssl_verify_client off;
proxy_ssl_session_reuse off; proxy_ssl_session_reuse off;
'';
if ($scheme = http){
return 301 https://$server_name$request_uri;
}'';
}; };
defaultPermissions = "read"; defaultPermissions = "read";
secretKey = secKey; secretKey = secKey;
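Review bot: The inline `if ($scheme = http)` redirect that the second hunk drops from the `extraConfig` string was unconditional, whereas the `force_encryption = true;` added in the first hunk is only honoured while `ssl.enable` is true in the module, and `enable` is not set in the visible lines of this `ssl` block; if it is ever set to false here the http-to-https redirect disappears without any error. A one-line comment next to the new option, `# redirect relies on ssl.enable staying true`, would make that coupling explicit. Separately, the `ciphers` line the addition sits beside still offers `RC4`, which is unchanged by this commit but sits oddly next to an option whose purpose is to force encryption; a follow-up to drop it from that string is worth filing. The `ssl` attribute set and the `extraConfig` string both begin outside these hunks.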