k 3 nginx: add ssl.force_encryption
This commit is contained in:
parent
bfc2aa3b23
commit
864e711114
@ -73,6 +73,14 @@ let
|
|||||||
type = bool;
|
type = bool;
|
||||||
default = true;
|
default = true;
|
||||||
};
|
};
|
||||||
|
force_encryption = mkOption {
|
||||||
|
type = bool;
|
||||||
|
default = false;
|
||||||
|
description = ''
|
||||||
|
redirect all `http` traffic to the same domain but with ssl
|
||||||
|
protocol.
|
||||||
|
'';
|
||||||
|
};
|
||||||
protocols = mkOption {
|
protocols = mkOption {
|
||||||
type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
|
type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
|
||||||
default = [ "TLSv1.1" "TLSv1.2" ];
|
default = [ "TLSv1.1" "TLSv1.2" ];
|
||||||
@ -122,6 +130,11 @@ let
|
|||||||
server_name ${toString (unique server-names)};
|
server_name ${toString (unique server-names)};
|
||||||
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
|
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
|
||||||
${optionalString ssl.enable (indent ''
|
${optionalString ssl.enable (indent ''
|
||||||
|
${optionalString ssl.force_encryption ''
|
||||||
|
if ($scheme = http){
|
||||||
|
return 301 https://$server_name$request_uri;
|
||||||
|
}
|
||||||
|
''}
|
||||||
listen 443 ssl;
|
listen 443 ssl;
|
||||||
ssl_certificate ${ssl.certificate};
|
ssl_certificate ${ssl.certificate};
|
||||||
ssl_certificate_key ${ssl.certificate_key};
|
ssl_certificate_key ${ssl.certificate_key};
|
||||||
|
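Review bot: The redirect added in the second hunk targets `https://$server_name$request_uri`, and in nginx `$server_name` is the first entry of the `server_name` directive rather than the name the client requested, so a vhost whose `server_name ${toString (unique server-names)}` lists several names will bounce requests for the other names onto the first one. `$host` would follow the client's Host header, but it is attacker-controlled whenever this block can act as the default server and would then turn the 301 into an open redirect, so the choice deserves a comment beside the `return 301` line, e.g. `# $server_name is the first server_name entry, not the requested host; multi-name vhosts redirect to the first name`. The option description in the first hunk should also say that the redirect is only emitted when `ssl.enable` is true, since the snippet sits inside `optionalString ssl.enable`. Once plain http is always redirected, a `Strict-Transport-Security` header on the https side would be the usual companion, but that can be a follow-up. The enclosing `let` bindings and the server-block template begin and end outside these hunks.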
@ -45,6 +45,7 @@ in {
|
|||||||
#certificate = "${sec}/wildcard.krebsco.de.crt";
|
#certificate = "${sec}/wildcard.krebsco.de.crt";
|
||||||
#certificate_key = "${sec}/wildcard.krebsco.de.key";
|
#certificate_key = "${sec}/wildcard.krebsco.de.key";
|
||||||
ciphers = "RC4:HIGH:!aNULL:!MD5" ;
|
ciphers = "RC4:HIGH:!aNULL:!MD5" ;
|
||||||
|
force_encryption = true;
|
||||||
};
|
};
|
||||||
locations = singleton ( nameValuePair "/.well-known/acme-challenge" ''
|
locations = singleton ( nameValuePair "/.well-known/acme-challenge" ''
|
||||||
root ${acmechall}/${ext-dom}/;
|
root ${acmechall}/${ext-dom}/;
|
||||||
@ -54,10 +55,7 @@ in {
|
|||||||
ssl_session_timeout 10m;
|
ssl_session_timeout 10m;
|
||||||
ssl_verify_client off;
|
ssl_verify_client off;
|
||||||
proxy_ssl_session_reuse off;
|
proxy_ssl_session_reuse off;
|
||||||
|
'';
|
||||||
if ($scheme = http){
|
|
||||||
return 301 https://$server_name$request_uri;
|
|
||||||
}'';
|
|
||||||
};
|
};
|
||||||
defaultPermissions = "read";
|
defaultPermissions = "read";
|
||||||
secretKey = secKey;
|
secretKey = secKey;
|
||||||
|
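Review bot: Setting `force_encryption = true` in the first hunk only produces the redirect if `ssl.enable` is true, and that attribute is not visible in either hunk; if it is unset in this file, the commit silently drops the redirect that the removed `if ($scheme = http)` lines in `extraConfig` used to provide, so please confirm `enable = true` is set above the hunk or add it next to `force_encryption`. Note also that the `/.well-known/acme-challenge` location on the context line will now be redirected to https as well; ACME HTTP-01 validators follow that redirect, but if the certificate on 443 is expired or missing renewal can stall, so consider an `if ($scheme = http)` exemption for that path or a comment such as `# acme-challenge is redirected to https too; renewal depends on 443 serving a usable cert`. Unrelated to this commit but on the adjacent context line, `ciphers = "RC4:HIGH:!aNULL:!MD5"` still permits RC4, which is prohibited for TLS by RFC 7465 and is worth fixing separately. The `ssl = { … }` attribute set and the surrounding `in {` block start outside these hunks.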