{ inputs, pkgs, lib, config, host, ... }: let inherit (lib) types; inherit (config) networking; inherit (config.services) nginx; in { options = { services.nginx = { configs = lib.mkOption { type = types.attrsOf types.lines; default = {}; description = '' Make some configs available to all virtual hosts. Useful to workaround the reset of add_header: https://blog.g3rt.nl/nginx-add_header-pitfall.html ''; #apply = lib.mapAttrs (name: pkgs.writeText "${name}.conf"); }; }; }; config = { systemd.tmpfiles.rules = [ "d '/dev/shm/nginx' '750' '${nginx.user}' '${nginx.group}' - -" ]; systemd.services.nginx = { requires = [ "systemd-tmpfiles-setup-dev.service" ]; serviceConfig = { # FIXME: remove all the mkForce in LogsDirectory # whenever upstream uses a list instead of a string. LogsDirectory = lib.mkForce ["nginx"]; StateDirectory = ["nginx"]; StateDirectoryMode = "2770"; #BindPaths = ["/dev/shm/nginx:/var/cache/nginx"]; }; }; services.nginx = { eventsConfig = '' multi_accept on; use epoll; worker_connections 1024; ''; clientMaxBodySize = "20m"; recommendedGzipSettings = true; recommendedOptimisation = false; recommendedProxySettings = true; recommendedTlsSettings = true; resolver = { ipv6 = lib.mkDefault (networking.defaultGateway6 != null); }; serverTokens = false; # Only allow PFS-enabled ciphers with AES256 #sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; #sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL"; #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL"; sslDhparam = inputs.secrets + "/openssl/dh.pem"; sslProtocols = "TLSv1.3 TLSv1.2"; configs = rec { http_add_headers = '' # Enable CSP #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; # Enable XSS protection of the browser. # May be unnecessary when CSP is configured properly (see above) add_header X-XSS-Protection "1; mode=block"; # Minimize information leaked to other domains add_header 'Referrer-Policy' 'origin-when-cross-origin'; # Restrict embedding as a frame #add_header X-Frame-Options SAMEORIGIN; # Prevent injection of code in other mime types (XSS Attacks) add_header X-Content-Type-Options nosniff; ''; https_add_headers = '' ${http_add_headers} # Add HSTS header with preloading to HTTPS requests. # Adding this header to HTTP requests is discouraged, # as doing so makes the connection vulnerable to SSL stripping attacks # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server add_header Strict-Transport-Security $hsts_header; ''; }; commonHttpConfig = '' log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; log_format json escape=json '{' '"time_local":"$time_local",' '"host":"$host",' '"request":"$request",' '"status":"$status",' '"http_referrer":"$http_referer",' '"remote_addr":"$remote_addr",' '"remote_user":"$remote_user",' '"msec":"$msec",' '"body_bytes_sent":"$body_bytes_sent",' '"bytes_sent":"$bytes_sent",' '"http_user_agent":"$http_user_agent",' '"request_length":"$request_length",' '"request_method":"$request_method",' '"request_time":"$request_time",' '"request_uri":"$request_uri",' '"server_protocol":"$server_protocol",' '"ssl_protocol":"$ssl_protocol",' '"upstream_addr":"$upstream_addr",' '"upstream_connect_time":"$upstream_connect_time",' '"upstream_response_time":"$upstream_response_time"' '}'; charset UTF-8; types { text/html html5; text/plain dump; } '' + lib.concatStringsSep "\n" (lib.attrValues { default = '' #default_type application/octet-stream; root /var/lib/nginx; ''; security = '' #error_page 403 = 404; ${nginx.configs.http_add_headers} # This might create errors #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; ''; log = '' access_log /var/log/nginx/access.json json buffer=32k; error_log /var/log/nginx/error.log warn; open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m; ''; proxy = '' proxy_cache_use_stale updating; proxy_temp_path /var/cache/nginx/proxy_temp 1 2; ''; fastcgi = '' # DOC: http://wiki.nginx.org/HttpFastcgiModule fastcgi_buffer_size 128k; fastcgi_buffers 256 4k; fastcgi_busy_buffers_size 256k; fastcgi_cache_key "$request_method $scheme://$http_host$request_uri"; fastcgi_connect_timeout 60; fastcgi_ignore_client_abort off; fastcgi_intercept_errors on; fastcgi_max_temp_file_size 2M; #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $request_filename; fastcgi_temp_path /var/cache/nginx/fastcgi_temp 1 2; ''; connection = '' sendfile on; # If the client stops reading data, # free up the stale client connection after this much time. send_timeout 60; # Causes nginx to attempt to send its HTTP response head # in one packet, instead of using partial frames. # This is useful for prepending headers before calling sendfile, # or for throughput optimization. tcp_nopush on; # Don't buffer data-sends (disable Nagle algorithm). # Good for sending frequent small bursts of data in real time. tcp_nodelay on; keepalive_timeout 20; reset_timedout_connection on; types_hash_max_size 4096; server_names_hash_bucket_size 128; ''; map = '' map $time_iso8601 $date { default 'date-not-found'; '~^(?\d{4})-(?\d{2})-(?\d{2})' $year-$month-$day; } map $scheme $hsts_header { https "max-age=31536000; includeSubdomains; preload"; } # User agents that are to be blocked. #map $http_user_agent $bad_bot { # default 0; # libwww-perl 1; # ~(?i)(httrack|htmlparser|libwww) 1; #} # Referrers that are to be blocked. #map $http_referer $bad_referer { # default 0; # ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1; #} #geo $not_local { # default 1; # 127.0.0.1 0; #} ''; cache = '' client_body_buffer_size 4K; # getconf PAGESIZE # 4096 client_body_temp_path /var/cache/nginx/client_body_temp 1 2; client_body_timeout 60; client_header_buffer_size 1k; client_header_timeout 60; large_client_header_buffers 4 8k; open_file_cache max=200000 inactive=20s; open_file_cache_errors on; open_file_cache_min_uses 2; open_file_cache_valid 30s; ''; }); appendConfig = '' worker_processes ${toString host.CPUs}; ''; }; }; }