Subject: [bug#59621] [PATCH] services: nginx: Add support for ssl-stapling in server blocks.
Resent-From: mirai@makinata.eu
To: 59621@debbugs.gnu.org
Cc: Bruno Victal
Resent-Date: Sun, 27 Nov 2022 00:01:02 +0000
From: mirai@makinata.eu
Date: Sat, 26 Nov 2022 23:59:50 +0000
Message-Id: <9a18d0c03940cfe0d8ab01964f12d08fcc972e30.1669507155.git.mirai@makinata.eu>

From: Bruno Victal

* gnu/services/web.scm (): Add ssl-stapling? and ssl-stapling-verify?.
* doc/guix.texi (NGINX): Document this.
---
doc/guix.texi | 7 +++++
gnu/services/web.scm | 69 +++++++++++++++++++++++++-------------------
2 files changed, 46 insertions(+), 30 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index e547d469f4..f116798dba 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -29339,6 +29339,13 @@ you don't have a certificate or you don't want to use HTTPS. Where to find the private key for secure connections. Set it to @code{#f} if you don't have a key or you don't want to use HTTPS. +@item @code{ssl-stapling?} (default: @code{#f}) +Whether the server should @uref{https://datatracker.ietf.org/doc/html/rfc6066#section-8,staple OCSP responses}. +Requires at least one @samp{resolver} directive in @code{raw-content}. + +@item @code{ssl-stapling-verify?} (default: @code{#f}) +Whether the server should verify the OCSP responses. + @item @code{server-tokens?} (default: @code{#f}) Whether the server should add its configuration to response. diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 83aa97055f..8ab4050d47 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm 
@@ -510,48 +510,52 @@ (define httpd-service-type (define-record-type* nginx-server-configuration make-nginx-server-configuration nginx-server-configuration? - (listen nginx-server-configuration-listen - (default '("80" "443 ssl"))) - (server-name nginx-server-configuration-server-name - (default (list 'default))) - (root nginx-server-configuration-root - (default "/srv/http")) - (locations nginx-server-configuration-locations - (default '())) - (index nginx-server-configuration-index - (default (list "index.html"))) - (try-files nginx-server-configuration-try-files - (default '())) - (ssl-certificate nginx-server-configuration-ssl-certificate - (default #f)) - (ssl-certificate-key nginx-server-configuration-ssl-certificate-key - (default #f)) - (server-tokens? nginx-server-configuration-server-tokens? - (default #f)) - (raw-content nginx-server-configuration-raw-content - (default '()))) + (listen nginx-server-configuration-listen + (default '("80" "443 ssl"))) + (server-name nginx-server-configuration-server-name + (default (list 'default))) + (root nginx-server-configuration-root + (default "/srv/http")) + (locations nginx-server-configuration-locations + (default '())) + (index nginx-server-configuration-index + (default (list "index.html"))) + (try-files nginx-server-configuration-try-files + (default '())) + (ssl-certificate nginx-server-configuration-ssl-certificate + (default #f)) + (ssl-certificate-key nginx-server-configuration-ssl-certificate-key + (default #f)) + (ssl-stapling? nginx-server-configuration-ssl-stapling? + (default #f)) + (ssl-stapling-verify? nginx-server-configuration-ssl-stapling-verify? + (default #f)) + (server-tokens? nginx-server-configuration-server-tokens? + (default #f)) + (raw-content nginx-server-configuration-raw-content + (default '()))) (define-record-type* nginx-upstream-configuration make-nginx-upstream-configuration nginx-upstream-configuration? 
- (name nginx-upstream-configuration-name) - (servers nginx-upstream-configuration-servers) - (extra-content nginx-upstream-configuration-extra-content - (default '()))) + (name nginx-upstream-configuration-name) + (servers nginx-upstream-configuration-servers) + (extra-content nginx-upstream-configuration-extra-content + (default '()))) (define-record-type* nginx-location-configuration make-nginx-location-configuration nginx-location-configuration? - (uri nginx-location-configuration-uri - (default #f)) - (body nginx-location-configuration-body)) + (uri nginx-location-configuration-uri + (default #f)) + (body nginx-location-configuration-body)) (define-record-type* nginx-named-location-configuration make-nginx-named-location-configuration nginx-named-location-configuration? - (name nginx-named-location-configuration-name - (default #f)) - (body nginx-named-location-configuration-body)) + (name nginx-named-location-configuration-name + (default #f)) + (body nginx-named-location-configuration-body)) (define-record-type* nginx-configuration make-nginx-configuration @@ -628,6 +632,9 @@ (define (emit-nginx-server-config server) (ssl-certificate (nginx-server-configuration-ssl-certificate server)) (ssl-certificate-key (nginx-server-configuration-ssl-certificate-key server)) + (ssl-stapling? (nginx-server-configuration-ssl-stapling? server)) + (ssl-stapling-verify? + (nginx-server-configuration-ssl-stapling-verify? server)) (root (nginx-server-configuration-root server)) (index (nginx-server-configuration-index server)) (try-files (nginx-server-configuration-try-files server)) 
@@ -647,6 +654,8 @@ (define-syntax-rule (and/l x tail ...) " server_name " (config-domain-strings server-name) ";\n" (and/l ssl-certificate " ssl_certificate " <> ";\n") (and/l ssl-certificate-key " ssl_certificate_key " <> ";\n") + " ssl_stapling " (if ssl-stapling? "on" "off") ";\n" + " ssl_stapling_verify " (if ssl-stapling-verify? "on" "off") ";\n" (if (not (equal? "" root)) (list " root " root ";\n") "")

base-commit: 68925b5ee7e0d96b0c84ae98a633eea5097bf511
-- 
2.38.1
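Review bot: in the doc/guix.texi hunk, the @code{ssl-stapling-verify?} entry should state its precondition: nginx only verifies stapled OCSP responses when the issuer chain (intermediates and root) is configured as trusted through an ssl_trusted_certificate directive, and the record in the @@ -510 hunk has no field for that, so the text should say the chain must be supplied via @code{raw-content} alongside the @samp{resolver} the previous entry already mentions; it should also note that the option does nothing unless @code{ssl-stapling?} is enabled. Suggested wording: "Whether the server should verify the OCSP responses. Requires the issuer chain to be trusted via an @samp{ssl_trusted_certificate} directive in @code{raw-content}."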
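Review bot: the @@ -510 hunk of gnu/services/web.scm re-indents every existing field of nginx-server-configuration and also rewrites nginx-upstream-configuration, nginx-location-configuration and nginx-named-location-configuration, none of which gain anything, so the two real additions (ssl-stapling? and ssl-stapling-verify?) are buried among 30 removed lines that come back with different indentation. Restrict this hunk to the two new fields, i.e. only `+ (ssl-stapling? nginx-server-configuration-ssl-stapling? (default #f))` and the matching ssl-stapling-verify? lines; if the re-indentation is wanted, put it in a separate whitespace-only commit so this one reviews cleanly.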
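Review bot: the two lines added in the @@ -647 hunk are emitted unconditionally, whereas the ssl_certificate and ssl_certificate_key lines right above them go through and/l so that a #f field produces no directive at all. With both defaults at #f, every server block now gains `ssl_stapling off;` and `ssl_stapling_verify off;`, which rewrites the generated config for all existing users and is an unknown directive on an nginx built without ngx_http_ssl_module, the module that defines both. Follow the existing convention and emit only when enabled, mirroring the root emission later in the same hunk: `(if ssl-stapling? (list " ssl_stapling on;\n") "")` and likewise for ssl_stapling_verify; consider also ignoring ssl-stapling-verify? while ssl-stapling? is off, since verification without stapling has no effect.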
From: Christopher Baines
Date: Sat, 07 Jan 2023 17:21:08 +0000
Message-ID: <87o7ramay8.fsf@cbaines.net>
In-reply-to: <9a18d0c03940cfe0d8ab01964f12d08fcc972e30.1669507155.git.mirai@makinata.eu>

mirai@makinata.eu writes:

> From: Bruno Victal
>
> * gnu/services/web.scm (): Add
> ssl-stapling? and ssl-stapling-verify?.
> * doc/guix.texi (NGINX): Document this.
> ---
> doc/guix.texi | 7 +++++
> gnu/services/web.scm | 69 +++++++++++++++++++++++++-------------------
> 2 files changed, 46 insertions(+), 30 deletions(-)

Hi Bruno,

Thanks for the patch, and sorry it's taken so long to reply.
> @@ -647,6 +654,8 @@ (define-syntax-rule (and/l x tail ...)
> " server_name " (config-domain-strings server-name) ";\n"
> (and/l ssl-certificate " ssl_certificate " <> ";\n")
> (and/l ssl-certificate-key " ssl_certificate_key " <> ";\n")
> + " ssl_stapling " (if ssl-stapling? "on" "off") ";\n"
> + " ssl_stapling_verify " (if ssl-stapling-verify? "on" "off") ";\n"
> (if (not (equal? "" root))
> (list " root " root ";\n")
> "")
>
> base-commit: 68925b5ee7e0d96b0c84ae98a633eea5097bf511

Generally this looks good to me. There's some unnecessary indentation
changes that should probably go in another commit if they're made, but I
did spot something in the above diff.

I'm no expert in NGinx configs, but I do wonder if this change will
break using nginx if it's built without the ngx_http_ssl_module? With
the other module specific configuration (e.g. ssl_certificate), it's
possible to specify a value in the that
means the line won't be included in the configuration. I think it would
be good to continue that here.

I'm not sure how to enable not including these config lines. Maybe a
symbol value like 'noval could be used (this should also be the default,
rather than #f), or maybe 'on and 'off could be used as the values with
#f meaning the line isn't included.

Does that make sense?
Thanks,

Chris
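The vanishing-line convention Chris describes above, as an added Guile example that is not code from the patch or from Guix's gnu/services/web.scm: `directive`, `flag->string`, the `emit-*` procedures, the certificate paths and the resolver address are illustrative stand-ins, and the real `and/l` macro is not reproduced.

```scheme
;; Added example; not code from the patch or from gnu/services/web.scm.
;; A tri-state field (#f / 'on / 'off) whose #f value drops the
;; directive, so a plain-HTTP server block, or an nginx built without
;; ngx_http_ssl_module, never sees an ssl_stapling line.
(use-modules (ice-9 match))

;; Stand-in for the and/l idiom that ssl_certificate uses: VALUE #f
;; renders nothing, anything else renders "    NAME VALUE;".
(define (directive name value)
  (if value
      (string-append "    " name " " value ";\n")
      ""))

;; Validate the tri-state field; an unexpected value is an error when the
;; config is built rather than a silently broken nginx.conf.
(define (flag->string field flag)
  (match flag
    (#f #f)
    ('on "on")
    ('off "off")
    (_ (error "expected #f, 'on or 'off for field" field flag))))

;; What the posted patch does: the boolean is always rendered, so every
;; server block, TLS or not, gets "ssl_stapling off;".
(define (emit-stapling/always ssl-stapling? ssl-stapling-verify?)
  (string-append
   (directive "ssl_stapling" (if ssl-stapling? "on" "off"))
   (directive "ssl_stapling_verify" (if ssl-stapling-verify? "on" "off"))))

;; The reviewed form: #f omits the line, as ssl_certificate already does.
(define (emit-stapling/optional ssl-stapling ssl-stapling-verify)
  (string-append
   (directive "ssl_stapling"
              (flag->string 'ssl-stapling ssl-stapling))
   (directive "ssl_stapling_verify"
              (flag->string 'ssl-stapling-verify ssl-stapling-verify))))

;; Minimal server block (hypothetical, much smaller than the real record).
;; The resolver that stapling needs is passed in RAW-CONTENT, as the
;; manual text in the patch requires; the trusted chain is what lets
;; ssl_stapling_verify actually validate the OCSP responses.
(define* (emit-server #:key (server-name "localhost")
                      (ssl-certificate #f) (ssl-certificate-key #f)
                      (ssl-trusted-certificate #f)
                      (ssl-stapling #f) (ssl-stapling-verify #f)
                      (raw-content '()))
  (string-append
   "server {\n"
   "    server_name " server-name ";\n"
   (directive "ssl_certificate" ssl-certificate)
   (directive "ssl_certificate_key" ssl-certificate-key)
   (directive "ssl_trusted_certificate" ssl-trusted-certificate)
   (emit-stapling/optional ssl-stapling ssl-stapling-verify)
   (string-concatenate
    (map (lambda (line) (string-append "    " line "\n")) raw-content))
   "}\n"))

;; Plain HTTP server: no ssl_* directive at all.
(display (emit-server))
;; The same block under the posted patch would also carry these two lines.
(display (emit-stapling/always #f #f))
;; TLS server with verified stapling (paths and resolver are placeholders).
(display (emit-server #:server-name "www.example.org"
                      #:ssl-certificate "/etc/certs/example.org/fullchain.pem"
                      #:ssl-certificate-key "/etc/certs/example.org/privkey.pem"
                      #:ssl-trusted-certificate "/etc/certs/example.org/chain.pem"
                      #:ssl-stapling 'on
                      #:ssl-stapling-verify 'on
                      #:raw-content '("resolver 192.0.2.53 valid=300s;")))
```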
From: Bruno Victal
Date: Sat, 7 Jan 2023 20:07:11 +0000
In-Reply-To: <87o7ramay8.fsf@cbaines.net>

Hi

On 2023-01-07 17:21, Christopher Baines wrote:
>
> mirai@makinata.eu writes:
>
>> From: Bruno Victal
>>
>> * gnu/services/web.scm (): Add
>> ssl-stapling? and ssl-stapling-verify?.
>> * doc/guix.texi (NGINX): Document this.
>> ---
>> doc/guix.texi | 7 +++++
>> gnu/services/web.scm | 69 +++++++++++++++++++++++++-------------------
>> 2 files changed, 46 insertions(+), 30 deletions(-)
>
> Hi Bruno,
>
> Thanks for the patch, and sorry it's taken so long to reply.
>
>> @@ -647,6 +654,8 @@ (define-syntax-rule (and/l x tail ...)
>> " server_name " (config-domain-strings server-name) ";\n"
>> (and/l ssl-certificate " ssl_certificate " <> ";\n")
>> (and/l ssl-certificate-key " ssl_certificate_key " <> ";\n")
>> + " ssl_stapling " (if ssl-stapling? "on" "off") ";\n"
>> + " ssl_stapling_verify " (if ssl-stapling-verify? "on" "off") ";\n"
>> (if (not (equal? "" root))
>> (list " root " root ";\n")
>> "")
>>
>> base-commit: 68925b5ee7e0d96b0c84ae98a633eea5097bf511
>
> Generally this looks good to me. There's some unnecessary indentation
> changes that should probably go in another commit if they're made, but I
> did spot something in the above diff.

I was afraid that doing it in a separate commit would have
made it less clear, as it would have looked like a trivial cosmetic
change without any purpose.

>
> I'm no expert in NGinx configs, but I do wonder if this change will
> break using nginx if it's built without the ngx_http_ssl_module? With
> the other module specific configuration (e.g. ssl_certificate), it's
> possible to specify a value in the that
> means the line won't be included in the configuration. I think it would
> be good to continue that here.

I haven't tested this with a nginx that is built without ngx_http_ssl_module;
it would be a rather esoteric nginx build, as TLS support presence is a
common expectation of web servers.

> I'm not sure how to enable not including these config lines. Maybe a
> symbol value like 'noval could be used (this should also be the default,
> rather than #f), or maybe 'on and 'off could be used as the values with
> #f meaning the line isn't included.
>
> Does that make sense?
I'm not a fan of this approach, as there are define-configuration and define-maybe value types that should be used here rather than making up a custom value, though I'm afraid reworking nginx-configuration and writing the serialize- procedures to use the gnu/services/configuration.scm facilities is a much bigger effort than what's done in this patch.

Before such an effort is to be considered, a plan to solve [1] is required, as I don't think define-configuration is enough to represent the structure of nginx.conf (nested locations, if branches, configuration for custom modules, etc.).

[1]: https://issues.guix.gnu.org/37388

Cheers,
Bruno
From: Maxim Cournoyer
Date: Tue, 21 Mar 2023 09:20:49 -0400
In-Reply-To: (Bruno Victal's message of "Sat, 7 Jan 2023 20:07:11 +0000")
Message-ID: <87y1nqqlzi.fsf_-_@gmail.com>

Hi Bruno, Chris,

Bruno Victal writes:

> Hi
>
> On 2023-01-07 17:21, Christopher Baines wrote:
>>
>> mirai@makinata.eu writes:
>>
>>> From: Bruno Victal
>>>
>>> * gnu/services/web.scm (): Add
>>> ssl-stapling? and ssl-stapling-verify?.
>>> * doc/guix.texi (NGINX): Document this.
>>> ---
>>> doc/guix.texi | 7 +++++
>>> gnu/services/web.scm | 69 +++++++++++++++++++++++++-------------------
>>> 2 files changed, 46 insertions(+), 30 deletions(-)
>>
>> Hi Bruno,
>>
>> Thanks for the patch, and sorry it's taken so long to reply.
>>
>>> @@ -647,6 +654,8 @@ (define-syntax-rule (and/l x tail ...)
>>> " server_name " (config-domain-strings server-name) ";\n"
>>> (and/l ssl-certificate " ssl_certificate " <> ";\n")
>>> (and/l ssl-certificate-key " ssl_certificate_key " <> ";\n")
>>> + " ssl_stapling " (if ssl-stapling? "on" "off") ";\n"
>>> + " ssl_stapling_verify " (if ssl-stapling-verify? "on" "off") ";\n"
>>> (if (not (equal? "" root))
>>> (list " root " root ";\n")
>>> "")
>>>
>>> base-commit: 68925b5ee7e0d96b0c84ae98a633eea5097bf511
>>
>> Generally this looks good to me. There's some unnecessary indentation
>> changes that should probably go in another commit if they're made, but I
>> did spot something in the above diff.
>
> I was afraid that doing it in a separate commit would have
> made it less clearer as it would have looked like a trivial cosmetic
> change without any purpose.
>
>>
>> I'm no expert in NGinx configs, but I do wonder if this change will
>> break using nginx if it's built without the ngx_http_ssl_module? With
>> the other module specific configuration (e.g. ssl_certificate), it's
>> possible to specify a value in the that
>> means the line won't be included in the configuration. I think it would
>> be good to continue that here.
>
> I haven't tested this with a nginx that is built without ngx_http_ssl_module,
> it would be a rather esoteric nginx build as TLS support presence is a
> common expectation of web servers.

The only nginx package in Guix has TLS support; I wouldn't expect people will go out of the way to define TLS-less variants just to run a local HTTP-only web server; perhaps it's OK to not give too much importance to that for now?

-- 
Thanks,
Maxim