nginx: make global redirect vhost option accept exceptions

By moving the return into a location directive, one can provide exceptions by adding locations. This is similar to what the forceSSL option does.
2022-12-03 18:58:33 +01:00 · 2022-12-03 18:58:33 +01:00 · fc39b5ecc8
commit fc39b5ecc8
parent 04f574a1c0
6 changed files with 39 additions and 2 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@ -268,6 +268,14 @@
          dynamically.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          Enabling global redirect in
+          <literal>services.nginx.virtualHosts</literal> now allows one
+          to add exceptions with the <literal>locations</literal>
+          option.
+        </para>
+      </listitem>
      <listitem>
        <para>
          Resilio sync secret keys can now be provided using a secrets
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@ -78,6 +78,8 @@ In addition to numerous new and upgraded packages, this release has the followin

 - The new option `users.motdFile` allows configuring a Message Of The Day that can be updated dynamically.

+- Enabling global redirect in `services.nginx.virtualHosts` now allows one to add exceptions with the `locations` option.
+
 - Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.

 - The `services.fwupd` module now allows arbitrary daemon settings to be configured in a structured manner ([`services.fwupd.daemonSettings`](#opt-services.fwupd.daemonSettings)).
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@ -318,7 +318,9 @@ let
          ${acmeLocation}
          ${optionalString (vhost.root != null) "root ${vhost.root};"}
          ${optionalString (vhost.globalRedirect != null) ''
-            return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri;
+            location / {
+              return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri;
+            }
          ''}
          ${optionalString hasSSL ''
            ssl_certificate ${vhost.sslCertificate};
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -435,6 +435,7 @@ in {
  nginx = handleTest ./nginx.nix {};
  nginx-auth = handleTest ./nginx-auth.nix {};
  nginx-etag = handleTest ./nginx-etag.nix {};
+  nginx-globalredirect = handleTest ./nginx-globalredirect.nix {};
  nginx-http3 = handleTest ./nginx-http3.nix {};
  nginx-modsecurity = handleTest ./nginx-modsecurity.nix {};
  nginx-njs = handleTest ./nginx-njs.nix {};
--- a/nixos/tests/nginx-globalredirect.nix
+++ b/nixos/tests/nginx-globalredirect.nix
@ -0,0 +1,24 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+  name = "nginx-globalredirect";
+
+  nodes = {
+    webserver = { pkgs, lib, ... }: {
+      services.nginx = {
+        enable = true;
+        virtualHosts.localhost = {
+          globalRedirect = "other.example.com";
+          # Add an exception
+          locations."/noredirect".return = "200 'foo'";
+        };
+      };
+    };
+  };
+
+  testScript = ''
+    webserver.wait_for_unit("nginx")
+    webserver.wait_for_open_port(80)
+
+    webserver.succeed("curl --fail -si http://localhost/alf | grep '^Location:.*/alf'")
+    webserver.fail("curl --fail -si http://localhost/noredirect | grep '^Location:'")
+  '';
+})
--- a/pkgs/servers/http/nginx/generic.nix
+++ b/pkgs/servers/http/nginx/generic.nix
@ -176,7 +176,7 @@ stdenv.mkDerivation {
  passthru = {
    modules = modules;
    tests = {
-      inherit (nixosTests) nginx nginx-auth nginx-etag nginx-http3 nginx-pubhtml nginx-sandbox nginx-sso;
+      inherit (nixosTests) nginx nginx-auth nginx-etag nginx-globalredirect nginx-http3 nginx-pubhtml nginx-sandbox nginx-sso;
      variants = lib.recurseIntoAttrs nixosTests.nginx-variants;
      acme-integration = nixosTests.acme;
    } // passthru.tests;