From a294ad01b38d9108e02d18aa9788143c15d1e151 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Mon, 25 Jul 2016 16:07:53 +0000
Subject: [PATCH] nginx module: make recommended settings optional
---
 .../services/web-servers/nginx/default.nix | 110 +++++++++++-------
 1 file changed, 70 insertions(+), 40 deletions(-)
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 6b6ad0d9b985..c8486d3bfcd0 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -16,61 +16,65 @@ let
 error_log stderr;
 daemon off;
- ${cfg.config}
-
 http {
 include ${cfg.package}/conf/mime.types;
 include ${cfg.package}/conf/fastcgi.conf;
- # optimisation
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 2048;
+ ${optionalString (cfg.recommendedOptimisation) ''
+ # optimisation
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ ''}
- # use secure TLS defaults
 ssl_protocols ${cfg.sslProtocols};
- ssl_session_cache shared:SSL:42m;
- ssl_session_timeout 23m;
- ssl_ciphers ${cfg.sslCiphers};
- ssl_ecdh_curve secp384r1;
- ssl_prefer_server_ciphers on;
 ${optionalString (cfg.sslDhparam != null) "ssl_dhparam ${cfg.sslDhparam};"}
- ssl_stapling on;
- ssl_stapling_verify on;
+ ${optionalString (cfg.recommendedTlsSettings) ''
+ ssl_session_cache shared:SSL:42m;
+ ssl_session_timeout 23m;
+ ssl_ecdh_curve secp384r1;
+ ssl_prefer_server_ciphers on;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ''}
- gzip on;
- gzip_disable "msie6";
- gzip_proxied any;
- gzip_comp_level 9;
- gzip_buffers 16 8k;
- gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+ ${optionalString (cfg.recommendedGzipSettings) ''
+ gzip on;
+ gzip_disable "msie6";
+ gzip_proxied any;
+ gzip_comp_level 9;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+ ''}
- # sane proxy settings/headers
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server $host;
- proxy_set_header Accept-Encoding "";
+ ${optionalString (cfg.recommendedProxySettings) ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header Accept-Encoding "";
+
+ proxy_redirect off;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 90;
+ proxy_read_timeout 90;
+ proxy_http_version 1.0;
+ ''}
- proxy_redirect off;
 client_max_body_size 10m;
- client_body_buffer_size 128k;
- proxy_connect_timeout 90;
- proxy_send_timeout 90;
- proxy_read_timeout 90;
- proxy_buffers 32 4k;
- proxy_buffer_size 8k;
- proxy_http_version 1.0;
 server_tokens ${if cfg.serverTokens then "on" else "off"};
 ${vhosts}
 }
+
+ ${cfg.config}
+
+ # Keep this seperate to allow overriding previous settings
 ${optionalString (cfg.httpConfig != "") ''
 http {
 include ${cfg.package}/conf/mime.types;
@@ -157,11 +161,37 @@ in {
 options = {
 services.nginx = {
- enable = mkOption {
+ enable = mkEnableOption "Nginx Web Server";
+
+ recommendedTlsSettings = mkOption {
 default = false;
 type = types.bool;
 description = "
- Enable the nginx Web Server.
+ Enable recommended TLS settings.
+ ";
+ };
+
+ recommendedOptimisation = mkOption {
+ default = false;
+ type = types.bool;
+ description = "
+ Enable recommended optimisation settings.
+ ";
+ };
+
+ recommendedGzipSettings = mkOption {
+ default = false;
+ type = types.bool;
+ description = "
+ Enable recommended gzip settings.
+ ";
+ };
+
+ recommendedProxySettings = mkOption {
+ default = false;
+ type = types.bool;
+ description = "
+ Enable recommended proxy settings.
 ";
 };
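Review bot: `ssl_ciphers ${cfg.sslCiphers};` is removed from the http block but never re-added, neither unconditionally next to `ssl_protocols ${cfg.sslProtocols};` nor inside the `recommendedTlsSettings` block, so the configured cipher list silently stops reaching nginx and the server falls back to its built-in default cipher suite; keep it as an unconditional line directly after `ssl_protocols`, i.e. `ssl_ciphers ${cfg.sslCiphers};`. The same hunk also drops `gzip_buffers 16 8k;`, `client_body_buffer_size 128k;`, `proxy_buffers 32 4k;` and `proxy_buffer_size 8k;` without re-adding them under any of the new options, which goes beyond what the commit message describes and should either be restored or called out as intentional. The added comment should read `# Keep this separate to allow overriding previous settings` ("seperate" is misspelled). The configFile string this hunk belongs to starts and ends outside the hunk.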