diff options
| author | makefu <github@syntax-fehler.de> | 2016-07-21 16:19:07 +0200 |
|---|---|---|
| committer | makefu <github@syntax-fehler.de> | 2016-07-21 21:03:36 +0200 |
| commit | 864e711114b048e875f0d73eeefdca436eebea00 (patch) | |
| tree | 949551dcd2a00674db67341e68440ec03bfd181b /krebs | |
| parent | bfc2aa3b236813945ca4f2b5d683d51c82e983b7 (diff) | |
k 3 nginx: add ssl.force_encryption
Diffstat (limited to 'krebs')
| -rw-r--r-- | krebs/3modules/nginx.nix | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix index fc7fcca6..25dfb5d6 100644 --- a/krebs/3modules/nginx.nix +++ b/krebs/3modules/nginx.nix @@ -73,6 +73,14 @@ let type = bool; default = true; }; + force_encryption = mkOption { + type = bool; + default = false; + description = '' + redirect all `http` traffic to the same domain but with ssl + protocol. + ''; + }; protocols = mkOption { type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]); default = [ "TLSv1.1" "TLSv1.2" ]; @@ -122,6 +130,11 @@ let server_name ${toString (unique server-names)}; ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen} ${optionalString ssl.enable (indent '' + ${optionalString ssl.force_encryption '' + if ($scheme = http){ + return 301 https://$server_name$request_uri; + } + ''} listen 443 ssl; ssl_certificate ${ssl.certificate}; ssl_certificate_key ${ssl.certificate_key}; |