nginx module: make recommended settings optional

This commit is contained in:
Robin Gloster 2016-07-25 16:07:53 +00:00
parent 186a8400ed
commit a294ad01b3


@ -16,61 +16,65 @@ let
error_log stderr;
daemon off;
${cfg.config}
http {
include ${cfg.package}/conf/mime.types;
include ${cfg.package}/conf/fastcgi.conf;
# optimisation
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
${optionalString (cfg.recommendedOptimisation) ''
# optimisation
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
''}
# use secure TLS defaults
ssl_protocols ${cfg.sslProtocols};
ssl_session_cache shared:SSL:42m;
ssl_session_timeout 23m;
ssl_ciphers ${cfg.sslCiphers};
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
${optionalString (cfg.sslDhparam != null) "ssl_dhparam ${cfg.sslDhparam};"}
ssl_stapling on;
ssl_stapling_verify on;
${optionalString (cfg.recommendedTlsSettings) ''
ssl_session_cache shared:SSL:42m;
ssl_session_timeout 23m;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
''}
gzip on;
gzip_disable "msie6";
gzip_proxied any;
gzip_comp_level 9;
gzip_buffers 16 8k;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
${optionalString (cfg.recommendedGzipSettings) ''
gzip on;
gzip_disable "msie6";
gzip_proxied any;
gzip_comp_level 9;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
''}
# sane proxy settings/headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header Accept-Encoding "";
${optionalString (cfg.recommendedProxySettings) ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header Accept-Encoding "";
proxy_redirect off;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_http_version 1.0;
''}
proxy_redirect off;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
proxy_buffer_size 8k;
proxy_http_version 1.0;
server_tokens ${if cfg.serverTokens then "on" else "off"};
${vhosts}
}
${cfg.config}
# Keep this seperate to allow overriding previous settings
${optionalString (cfg.httpConfig != "") ''
http {
include ${cfg.package}/conf/mime.types;
@ -157,11 +161,37 @@ in
{
options = {
services.nginx = {
enable = mkOption {
enable = mkEnableOption "Nginx Web Server";
recommendedTlsSettings = mkOption {
default = false;
type = types.bool;
description = "
Enable the nginx Web Server.
Enable recommended TLS settings.
";
};
recommendedOptimisation = mkOption {
default = false;
type = types.bool;
description = "
Enable recommended optimisation settings.
";
};
recommendedGzipSettings = mkOption {
default = false;
type = types.bool;
description = "
Enable recommended gzip settings.
";
};
recommendedProxySettings = mkOption {
default = false;
type = types.bool;
description = "
Enable recommended proxy settings.
";
};