k 3 nginx: add ssl.force_encryption

author: makefu <github@syntax-fehler.de> 2016-07-21 16:19:07 +0200
committer: makefu <github@syntax-fehler.de> 2016-07-21 21:03:36 +0200
commit: 864e711114b048e875f0d73eeefdca436eebea00 (patch)
tree: 949551dcd2a00674db67341e68440ec03bfd181b
parent: bfc2aa3b236813945ca4f2b5d683d51c82e983b7 (diff)
2 files changed, 15 insertions, 4 deletions
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index fc7fcca6f..25dfb5d6a 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -73,6 +73,14 @@ let
                   type = bool;
                   default = true;
                 };
+                force_encryption = mkOption {
+                  type = bool;
+                  default = false;
+                  description = ''
+                    redirect all `http` traffic to the same domain but with ssl
+                    protocol.
+                  '';
+                };
                 protocols = mkOption {
                   type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
                   default = [ "TLSv1.1" "TLSv1.2" ];
@@ -122,6 +130,11 @@ let
       server_name ${toString (unique server-names)};
       ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
       ${optionalString ssl.enable (indent ''
+        ${optionalString ssl.force_encryption ''
+          if ($scheme = http){
+            return 301 https://$server_name$request_uri;
+          }
+        ''}
         listen 443 ssl;
         ssl_certificate ${ssl.certificate};
         ssl_certificate_key ${ssl.certificate_key};
diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix
index f675c4ac8..4b5389c32 100644
--- a/makefu/2configs/bepasty-dual.nix
+++ b/makefu/2configs/bepasty-dual.nix
@@ -45,6 +45,7 @@ in {
             #certificate =   "${sec}/wildcard.krebsco.de.crt";
             #certificate_key = "${sec}/wildcard.krebsco.de.key";
             ciphers = "RC4:HIGH:!aNULL:!MD5" ;
+            force_encryption = true;
           };
           locations = singleton ( nameValuePair  "/.well-known/acme-challenge" ''
             root ${acmechall}/${ext-dom}/;
@@ -54,10 +55,7 @@ in {
           ssl_session_timeout  10m;
           ssl_verify_client off;
           proxy_ssl_session_reuse off;
-
-          if ($scheme = http){
-            return 301 https://$server_name$request_uri;
-          }'';
+          '';
         };
         defaultPermissions = "read";
         secretKey = secKey;
author	makefu <github@syntax-fehler.de>	2016-07-21 16:19:07 +0200
committer	makefu <github@syntax-fehler.de>	2016-07-21 21:03:36 +0200
commit	864e711114b048e875f0d73eeefdca436eebea00 (patch)
tree	949551dcd2a00674db67341e68440ec03bfd181b
parent	bfc2aa3b236813945ca4f2b5d683d51c82e983b7 (diff)