nixos/profiles/services/nginx.nix

   1 { inputs, pkgs, lib, config, ... }:
   2 let
   3   inherit (lib) types;
   4   inherit (config) networking;
   5   inherit (config.services) nginx;
   6 in
   7 {
   8 options = {
   9   services.nginx = {
  10     configs = lib.mkOption {
  11       type = types.attrsOf types.lines;
  12       default = {};
  13       description = ''
  14         Make some configs available to all virtual hosts.
  15         Useful to workaround the reset of add_header:
  16         https://blog.g3rt.nl/nginx-add_header-pitfall.html
  17       '';
  18       #apply = lib.mapAttrs (name: pkgs.writeText "${name}.conf");
  19     };
  20   };
  21 };
  22 config = {
  23 systemd.tmpfiles.rules = [
  24   "d '/dev/shm/nginx' '750' '${nginx.user}' '${nginx.group}' - -"
  25 ];
  26 systemd.services.nginx = {
  27   serviceConfig = {
  28     # FIXME: remove all the mkForce in LogsDirectory
  29     # whenever upstream uses a list instead of a string.
  30     LogsDirectory = lib.mkForce ["nginx"];
  31     StateDirectory = ["nginx"];
  32     StateDirectoryMode = "2770";
  33     BindPaths = ["/dev/shm/nginx:/var/cache/nginx"];
  34   };
  35 };
  36 services.nginx = {
  37   eventsConfig = ''
  38     multi_accept on;
  39     use epoll;
  40     worker_connections 1024;
  41   '';
  42   clientMaxBodySize = "20m";
  43   recommendedGzipSettings = true;
  44   recommendedOptimisation = false;
  45   recommendedProxySettings = true;
  46   recommendedTlsSettings = true;
  47   resolver = {
  48     ipv6 = lib.mkDefault (networking.defaultGateway6 != null);
  49   };
  50   serverTokens = false;
  51   # Only allow PFS-enabled ciphers with AES256
  52   #sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
  53   #sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
  54   #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
  55   sslDhparam = inputs.secrets + "/openssl/dh.pem";
  56   sslProtocols = "TLSv1.3 TLSv1.2";
  57   configs = rec {
  58     http_add_headers = ''
  59       # Enable CSP
  60       #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
  61
  62       # Enable XSS protection of the browser.
  63       # May be unnecessary when CSP is configured properly (see above)
  64       add_header X-XSS-Protection "1; mode=block";
  65
  66       # Minimize information leaked to other domains
  67       add_header 'Referrer-Policy' 'origin-when-cross-origin';
  68
  69       # Restrict embedding as a frame
  70       #add_header X-Frame-Options SAMEORIGIN;
  71
  72       # Prevent injection of code in other mime types (XSS Attacks)
  73       add_header X-Content-Type-Options nosniff;
  74     '';
  75     https_add_headers = ''
  76       ${http_add_headers}
  77       # Add HSTS header with preloading to HTTPS requests.
  78       # Adding this header to HTTP requests is discouraged,
  79       # as doing so makes the connection vulnerable to SSL stripping attacks
  80       # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
  81       add_header Strict-Transport-Security $hsts_header;
  82     '';
  83   };
  84   commonHttpConfig = ''
  85     log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  86                     '$status $body_bytes_sent "$http_referer" '
  87                     '"$http_user_agent" "$http_x_forwarded_for"';
  88
  89     log_format json escape=json
  90       '{'
  91         '"time_local":"$time_local",'
  92         '"remote_addr":"$remote_addr",'
  93         '"status": "$status",'
  94         '"request":"$request",'
  95         '"body_bytes_sent":"$body_bytes_sent",'
  96         '"http_referrer":"$http_referer",'
  97         '"http_user_agent":"$http_user_agent",'
  98         '"remote_user":"$remote_user",'
  99         '"request_time":"$request_time"'
 100       '}';
 101     charset UTF-8;
 102     types {
 103       text/html html5;
 104       text/plain md;
 105       text/plain dump;
 106     }
 107     '' +
 108     lib.concatStringsSep "\n" (lib.attrValues {
 109       default = ''
 110         default_type application/octet-stream;
 111         root /var/lib/nginx;
 112       '';
 113       security = ''
 114         #error_page 403 = 404;
 115
 116         ${nginx.configs.http_add_headers}
 117
 118         # This might create errors
 119         #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
 120       '';
 121       log = ''
 122         access_log /var/log/nginx/access.log main buffer=32k;
 123         error_log  /var/log/nginx/error.log warn;
 124         open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
 125       '';
 126       proxy = ''
 127         proxy_cache_use_stale updating;
 128         proxy_temp_path /var/cache/nginx/proxy_temp 1 2;
 129       '';
 130       fastcgi = ''
 131         # DOC: http://wiki.nginx.org/HttpFastcgiModule
 132         fastcgi_buffer_size 128k;
 133         fastcgi_buffers 256 4k;
 134         fastcgi_busy_buffers_size 256k;
 135         fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
 136         fastcgi_connect_timeout 60;
 137         fastcgi_ignore_client_abort off;
 138         fastcgi_intercept_errors on;
 139         fastcgi_max_temp_file_size 2M;
 140         #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 141         fastcgi_param SCRIPT_FILENAME $request_filename;
 142         fastcgi_temp_path /var/cache/nginx/fastcgi_temp 1 2;
 143       '';
 144       connection = ''
 145         sendfile on;
 146         # If the client stops reading data,
 147         # free up the stale client connection after this much time.
 148         send_timeout 60;
 149         # Causes nginx to attempt to send its HTTP response head
 150         # in one packet, instead of using partial frames.
 151         # This is useful for prepending headers before calling sendfile,
 152         # or for throughput optimization.
 153         tcp_nopush on;
 154         # Don't buffer data-sends (disable Nagle algorithm).
 155         # Good for sending frequent small bursts of data in real time.
 156         tcp_nodelay on;
 157         keepalive_timeout 20;
 158         reset_timedout_connection on;
 159         types_hash_max_size 4096;
 160         server_names_hash_bucket_size 128;
 161       '';
 162       map = ''
 163         map $time_iso8601 $date {
 164           default 'date-not-found';
 165           '~^(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})' $year-$month-$day;
 166         }
 167
 168         map $scheme $hsts_header {
 169           https  "max-age=31536000; includeSubdomains; preload";
 170         }
 171
 172         # User agents that are to be blocked.
 173         #map $http_user_agent $bad_bot {
 174         #  default 0;
 175         #  libwww-perl 1;
 176         #  ~(?i)(httrack|htmlparser|libwww) 1;
 177         #}
 178         # Referrers that are to be blocked.
 179         #map $http_referer $bad_referer {
 180         #  default 0;
 181         #  ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
 182         #}
 183         #geo $not_local {
 184         #  default 1;
 185         #  127.0.0.1 0;
 186         #}
 187       '';
 188       cache = ''
 189         client_body_buffer_size 4K;
 190           # getconf PAGESIZE
 191           # 4096
 192         client_body_temp_path /var/cache/nginx/client_body_temp 1 2;
 193         client_body_timeout 60;
 194         client_header_buffer_size 1k;
 195         client_header_timeout 60;
 196         large_client_header_buffers 4 8k;
 197
 198         open_file_cache max=200000 inactive=20s;
 199         open_file_cache_errors on;
 200         open_file_cache_min_uses 2;
 201         open_file_cache_valid 30s;
 202       '';
 203     });
 204   appendConfig = ''
 205     worker_processes ${toString config.nix.maxJobs};
 206   '';
 207 };
 208 };
 209 }