[PATCH] services: nginx: Add ssl-protocols option.

  • Open
  • quality assurance status badge
Details
3 participants
  • Jonathan Brielmaier
  • Tobias Geerinckx-Rice
  • mirai
Owner
unassigned
Submitted by
Jonathan Brielmaier
Severity
normal
J
J
Jonathan Brielmaier wrote on 23 Jan 2021 11:00
(address . guix-patches@gnu.org)(name . Jonathan Brielmaier)(address . jonathan.brielmaier@web.de)
20210123100049.22389-1-jonathan.brielmaier@web.de
* gnu/services/web.scm (<nginx-server-configuration>)[ssl-protocols]:
New entry defaulting to "secure" versions of TLS.
(emit-nginx-server-config): Add it.
* doc/guix.texi (Web Services): Document it.
---
doc/guix.texi | 3 +++
gnu/services/web.scm | 5 +++++
2 files changed, 8 insertions(+)

Toggle diff (51 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index 4a20b3b902..4c187d4383 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -23616,6 +23616,9 @@ you don't have a certificate or you don't want to use HTTPS.
Where to find the private key for secure connections. Set it to @code{#f} if
you don't have a key or you don't want to use HTTPS.

+@item @code{ssl-protocols} (default: @code{"TLSv1.2 TLSv1.3"})
+The versions of TLS used.
+
@item @code{server-tokens?} (default: @code{#f})
Whether the server should add its configuration to response.

diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index ff7b262b6a..93e1e802dc 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -113,6 +113,7 @@
nginx-server-configuration-index
nginx-server-configuration-ssl-certificate
nginx-server-configuration-ssl-certificate-key
+ nginx-server-configuration-ssl-protocols
nginx-server-configuration-server-tokens?
nginx-server-configuration-raw-content

@@ -489,6 +490,8 @@
(default #f))
(ssl-certificate-key nginx-server-configuration-ssl-certificate-key
(default #f))
+ (ssl-protocols nginx-server-configuration-ssl-protocols
+ (default "TLSv1.2 TLSv1.3"))
(server-tokens? nginx-server-configuration-server-tokens?
(default #f))
(raw-content nginx-server-configuration-raw-content
@@ -587,6 +590,7 @@ of index files."
(ssl-certificate (nginx-server-configuration-ssl-certificate server))
(ssl-certificate-key
(nginx-server-configuration-ssl-certificate-key server))
+ (ssl-protocols (nginx-server-configuration-ssl-protocols server))
(root (nginx-server-configuration-root server))
(index (nginx-server-configuration-index server))
(try-files (nginx-server-configuration-try-files server))
@@ -606,6 +610,7 @@ of index files."
" server_name " (config-domain-strings server-name) ";\n"
(and/l ssl-certificate " ssl_certificate " <> ";\n")
(and/l ssl-certificate-key " ssl_certificate_key " <> ";\n")
+ " ssl_protocols " ssl-protocols ";\n"
" root " root ";\n"
" index " (config-index-strings index) ";\n"
(if (not (nil? try-files))
--
2.30.0
J
J
Jonathan Brielmaier wrote on 23 Jan 2021 11:07
(address . 46049@debbugs.gnu.org)
5d511a10-e589-7de9-35ed-8294298dee7a@web.de
I tested this change in multiple setups on my production server and I
could not find any grave issues, apart from maybe warnings about
duplication if you self setted this option via `raw-content`.

The default settings is accordingly to Mozillas "Intermediate"
configuration for nginx: https://ssl-config.mozilla.org

I would also like to implement an option with good defaults for
`ssl_ciphers` if you have ideas how to do that in a nice way speak up :)
T
T
Tobias Geerinckx-Rice wrote on 24 Jan 2021 01:45
(name . Jonathan Brielmaier)(address . jonathan.brielmaier@web.de)
878s8jqi0t.fsf@nckx
Jonathan,

Jonathan Brielmaier ???
Toggle quote (4 lines)
> * gnu/services/web.scm
> (<nginx-server-configuration>)[ssl-protocols]:
> New entry defaulting to "secure" versions of TLS.

Thanks!

Toggle quote (3 lines)
> + (ssl-protocols nginx-server-configuration-ssl-protocols
> + (default "TLSv1.2 TLSv1.3"))

This should be

(default "TLSv1 TLSv1.1 TLSv1.2")

instead, see [0]. Otherwise LGTM!

Kind regards,

T G-R

[0]:
-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCYAzDQg0cbWVAdG9iaWFz
LmdyAAoJEA2w/4hPVW15HHIA/iileMqUdOEIjDm3NEawC1uPslmtQRd6/8gz0c82
oMe5AQDnDj1w/iHRBhFvlQhsxCKuscH66xrhf2JBB9vrgoTQAA==
=8BZ2
-----END PGP SIGNATURE-----

T
T
Tobias Geerinckx-Rice wrote on 24 Jan 2021 02:36
(name . Jonathan Brielmaier)(address . jonathan.brielmaier@web.de)
874kj7qfo5.fsf@nckx
Jonathan Brielmaier ???
Toggle quote (3 lines)
> The default settings is accordingly to Mozillas "Intermediate"
> configuration for nginx: https://ssl-config.mozilla.org

Oh, I see! Hiding subjective tweaks to upstream defaults in Guix
services is a bad idea.

Imagine debugging this at 2 a.m., staring at the official nginx
documentation through your tears.

Toggle quote (4 lines)
> I would also like to implement an option with good defaults for
> `ssl_ciphers` if you have ideas how to do that in a nice way
> speak up :)

How about writing ‘mozilla-recommended’ nginx configuration
presets that users can inherit from? This would imply keeping
them up to date, including the specific versions of nginx and *ssl
in Guix.

I don't know whether this belongs in Guix or not, but then we
already ship someone's Facebook blocklist, so... :-)

Kind regards,

T G-R
-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCYAzPKw0cbWVAdG9iaWFz
LmdyAAoJEA2w/4hPVW15GfUA/2NB4n/iQZTkT7C3N2EvtPsw3/cqYBfD25hRS/b1
eY9SAQCL8bF60pqyUPug9Lef+xgTYFQ0xgnKmw4GIbEnGjUzDQ==
=nXwD
-----END PGP SIGNATURE-----

J
J
Jonathan Brielmaier wrote on 24 Jan 2021 14:25
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
01fc7a42-eba3-aaf6-783c-778cddf69b51@web.de
On 24.01.21 02:36, Tobias Geerinckx-Rice wrote:
Toggle quote (10 lines)
> Jonathan Brielmaier ???
>> The default settings is accordingly to Mozillas "Intermediate"
>> configuration for nginx: https://ssl-config.mozilla.org
>
> Oh, I see!  Hiding subjective tweaks to upstream defaults in Guix
> services is a bad idea.
>
> Imagine debugging this at 2 a.m., staring at the official nginx
> documentation through your tears.

I see your point, but I usually start with the Guix service
documentation and it clearly would state "TLSv1.2 TLSv1.3". If your
client doesn't support TLSv1.2 (thats 12 years old), it's maybe a better
idea to fallback to HTTP...

I think in general its a good idea to follow upstreams default, but it
should not hinder us to make more secure defaults

Toggle quote (7 lines)
>> I would also like to implement an option with good defaults for
>> `ssl_ciphers` if you have ideas how to do that in a nice way speak up :)
>
> How about writing ‘mozilla-recommended’ nginx configuration presets that
> users can inherit from?  This would imply keeping them up to date,
> including the specific versions of nginx and *ssl in Guix.

Hm, I try to keep stuff simple and to be honest all those service
"matroska" stuff grows over my head. If theres an error I can not debug
them at 2am or at any other time...

A compromise would maybe something like :
(ssl-protocols %upstream-default OR %mozilla-default OR "Your custom
string")
M
M
mirai wrote on 22 Nov 2022 16:26
[PATCH] services: nginx: Add ssl-protocols option.
(address . 46049@debbugs.gnu.org)
1d3856f6-8adb-7b1a-57c5-bb22533c202e@makinata.eu
How about leaving it empty by default and writing the directive to file only if a value is present?
This way the defaults are automatically chosen by nginx. (as they can drift due to automatic protocol
support detection or as newer protocols roll out)

About making recommendations in the docs, I'd suggest linking it directly to Mozilla's website
rather than duplicating it and risk ending up with outdated advice.
?