{ inputs, pkgs, lib, config, ... }:
let
inherit (lib) types;
inherit (config) networking;
inherit (config.services) nginx;
in
{
options = {
services.nginx = {
configs = lib.mkOption {
type = types.attrsOf types.lines;
default = {};
description = ''
Make some configs available to all virtual hosts.
Useful to workaround the reset of add_header:
https://blog.g3rt.nl/nginx-add_header-pitfall.html
'';
#apply = lib.mapAttrs (name: pkgs.writeText "${name}.conf");
};
};
};
config = {
systemd.tmpfiles.rules = [
"d '/dev/shm/nginx' '750' '${nginx.user}' '${nginx.group}' - -"
];
systemd.services.nginx = {
serviceConfig = {
# FIXME: remove all the mkForce in LogsDirectory
# whenever upstream uses a list instead of a string.
LogsDirectory = lib.mkForce ["nginx"];
StateDirectory = ["nginx"];
StateDirectoryMode = "2770";
BindPaths = ["/dev/shm/nginx:/var/cache/nginx"];
};
};
services.nginx = {
eventsConfig = ''
multi_accept on;
use epoll;
worker_connections 1024;
'';
clientMaxBodySize = "20m";
recommendedGzipSettings = true;
recommendedOptimisation = false;
recommendedProxySettings = true;
recommendedTlsSettings = true;
resolver = {
ipv6 = lib.mkDefault (networking.defaultGateway6 != null);
};
serverTokens = false;
# Only allow PFS-enabled ciphers with AES256
#sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
#sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
#sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
sslDhparam = inputs.secrets + "/openssl/dh.pem";
sslProtocols = "TLSv1.3 TLSv1.2";
configs = rec {
http_add_headers = ''
# Enable CSP
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Restrict embedding as a frame
#add_header X-Frame-Options SAMEORIGIN;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
'';
https_add_headers = ''
${http_add_headers}
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged,
# as doing so makes the connection vulnerable to SSL stripping attacks
# DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
add_header Strict-Transport-Security $hsts_header;
'';
};
commonHttpConfig = ''
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format json escape=json
'{'
'"time_local":"$time_local",'
'"remote_addr":"$remote_addr",'
'"status": "$status",'
'"request":"$request",'
'"body_bytes_sent":"$body_bytes_sent",'
'"http_referrer":"$http_referer",'
'"http_user_agent":"$http_user_agent",'
'"remote_user":"$remote_user",'
'"request_time":"$request_time"'
'}';
charset UTF-8;
types {
text/html html5;
text/plain md;
text/plain dump;
}
'' +
lib.concatStringsSep "\n" (lib.attrValues {
default = ''
default_type application/octet-stream;
root /var/lib/nginx;
'';
security = ''
#error_page 403 = 404;
${nginx.configs.http_add_headers}
# This might create errors
#proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
log = ''
access_log /var/log/nginx/access.log main buffer=32k;
error_log /var/log/nginx/error.log warn;
open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
'';
proxy = ''
proxy_cache_use_stale updating;
proxy_temp_path /var/cache/nginx/proxy_temp 1 2;
'';
fastcgi = ''
# DOC: http://wiki.nginx.org/HttpFastcgiModule
fastcgi_buffer_size 128k;
fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
fastcgi_connect_timeout 60;
fastcgi_ignore_client_abort off;
fastcgi_intercept_errors on;
fastcgi_max_temp_file_size 2M;
#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_temp_path /var/cache/nginx/fastcgi_temp 1 2;
'';
connection = ''
sendfile on;
# If the client stops reading data,
# free up the stale client connection after this much time.
send_timeout 60;
# Causes nginx to attempt to send its HTTP response head
# in one packet, instead of using partial frames.
# This is useful for prepending headers before calling sendfile,
# or for throughput optimization.
tcp_nopush on;
# Don't buffer data-sends (disable Nagle algorithm).
# Good for sending frequent small bursts of data in real time.
tcp_nodelay on;
keepalive_timeout 20;
reset_timedout_connection on;
types_hash_max_size 4096;
server_names_hash_bucket_size 128;
'';
map = ''
map $time_iso8601 $date {
default 'date-not-found';
'~^(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})' $year-$month-$day;
}
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
# User agents that are to be blocked.
#map $http_user_agent $bad_bot {
# default 0;
# libwww-perl 1;
# ~(?i)(httrack|htmlparser|libwww) 1;
#}
# Referrers that are to be blocked.
#map $http_referer $bad_referer {
# default 0;
# ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
#}
#geo $not_local {
# default 1;
# 127.0.0.1 0;
#}
'';
cache = ''
client_body_buffer_size 4K;
# getconf PAGESIZE
# 4096
client_body_temp_path /var/cache/nginx/client_body_temp 1 2;
client_body_timeout 60;
client_header_buffer_size 1k;
client_header_timeout 60;
large_client_header_buffers 4 8k;
open_file_cache max=200000 inactive=20s;
open_file_cache_errors on;
open_file_cache_min_uses 2;
open_file_cache_valid 30s;
'';
});
appendConfig = ''
worker_processes ${toString config.nix.maxJobs};
'';
};
};
}