k 3 nginx: add ssl.force_encryption

krebs/3modules/nginx.nix

@@ -73,6 +73,14 @@ let
                   type = bool;
                   default = true;
                 };
+                force_encryption = mkOption {
+                  type = bool;
+                  default = false;
+                  description = ''
+                    redirect all `http` traffic to the same domain but with ssl
+                    protocol.
+                  '';
+                };
                 protocols = mkOption {
                   type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
                   default = [ "TLSv1.1" "TLSv1.2" ];
@@ -122,6 +130,11 @@ let
       server_name ${toString (unique server-names)};
       ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
       ${optionalString ssl.enable (indent ''
+        ${optionalString ssl.force_encryption ''
+          if ($scheme = http){
+            return 301 https://$server_name$request_uri;
+          }
+        ''}
         listen 443 ssl;
         ssl_certificate ${ssl.certificate};
         ssl_certificate_key ${ssl.certificate_key};

makefu/2configs/bepasty-dual.nix

@@ -45,6 +45,7 @@ in {
             #certificate =   "${sec}/wildcard.krebsco.de.crt";
             #certificate_key = "${sec}/wildcard.krebsco.de.key";
             ciphers = "RC4:HIGH:!aNULL:!MD5" ;
+            force_encryption = true;
           };
           locations = singleton ( nameValuePair  "/.well-known/acme-challenge" ''
             root ${acmechall}/${ext-dom}/;
@@ -54,10 +55,7 @@ in {
           ssl_session_timeout  10m;
           ssl_verify_client off;
           proxy_ssl_session_reuse off;
-
-          if ($scheme = http){
-            return 301 https://$server_name$request_uri;
-          }'';
+          '';
         };
         defaultPermissions = "read";
         secretKey = secKey;