GNU bug report logs - #59621
[PATCH] services: nginx: Add support for ssl-stapling in server blocks.

Previous Next

Package: guix-patches;

Reported by: mirai <at> makinata.eu

Date: Sun, 27 Nov 2022 00:01:02 UTC

Severity: normal

Tags: patch

Full log

Message #8 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Christopher Baines <mail <at> cbaines.net>
To: mirai <at> makinata.eu
Cc: 59621 <at> debbugs.gnu.org, guix-patches <at> gnu.org
Subject: Re: [bug#59621] [PATCH] services: nginx: Add support for
 ssl-stapling in server blocks.
Date: Sat, 07 Jan 2023 17:21:08 +0000

[Message part 1 (text/plain, inline)]
mirai <at> makinata.eu writes:

> From: Bruno Victal <mirai <at> makinata.eu>
>
> * gnu/services/web.scm (<nginx-server-configuration>): Add
> ssl-stapling? and ssl-stapling-verify?.
> * doc/guix.texi (NGINX): Document this.
> ---
>  doc/guix.texi        |  7 +++++
>  gnu/services/web.scm | 69 +++++++++++++++++++++++++-------------------
>  2 files changed, 46 insertions(+), 30 deletions(-)

Hi Bruno,

Thanks for the patch, and sorry it's taken so long to reply.

> @@ -647,6 +654,8 @@ (define-syntax-rule (and/l x tail ...)
>       "      server_name " (config-domain-strings server-name) ";\n"
>       (and/l ssl-certificate     "      ssl_certificate " <> ";\n")
>       (and/l ssl-certificate-key "      ssl_certificate_key " <> ";\n")
> +     "      ssl_stapling " (if ssl-stapling? "on" "off") ";\n"
> +     "      ssl_stapling_verify " (if ssl-stapling-verify? "on" "off") ";\n"
>       (if (not (equal? "" root))
>           (list "      root " root ";\n")
>           "")
>
> base-commit: 68925b5ee7e0d96b0c84ae98a633eea5097bf511

Generally this looks good to me. There's some unnecessary indentation
changes that should probably go in another commit if they're made, but I
did spot something in the above diff.

I'm no expert in NGinx configs, but I do wonder if this change will
break using nginx if it's built without the ngx_http_ssl_module? With
the other module specific configuration (e.g. ssl_certificate), it's
possible to specify a value in the <nginx-server-configuration> that
means the line won't be included in the configuration. I think it would
be good to continue that here.

I'm not sure how to enable not including these config lines. Maybe a
symbol value like 'noval could be used (this should also be the default,
rather than #f), or maybe 'on and 'off could be used as the values with
#f meaning the line isn't included.

Does that make sense?

Thanks,

Chris

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 2 years and 87 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.