cafkafk/nixpkgs
cafkafk/nixpkgs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

nixos/nginx: update quic configuration

Browse source
This commit is contained in:
Izorkin 2023-03-27 11:27:49 +03:00
parent 9f2a1d98aa
commit 77d6fd36cf
No known key found for this signature in database
GPG key ID: 1436C1B3F3679F09
3 changed files with 59 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
nixos/doc/manual/release-notes/rl-2305.section.md
View file

@ -187,6 +187,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- [services.xserver.videoDrivers](options.html#opt-services.xserver.videoDrivers) now defaults to the `modesetting` driver over device-specific ones. The `radeon`, `amdgpu` and `nouveau` drivers are still available, but effectively unmaintained and not recommended for use.
- To enable the HTTP3 (QUIC) protocol for a nginx virtual host, set the `quic` attribute on it to true, e.g. `services.nginx.virtualHosts.<name>.quic = true;`.
- conntrack helper autodetection has been removed from kernels 6.0 and up upstream, and an assertion was added to ensure things don't silently stop working. Migrate your configuration to assign helpers explicitly or use an older LTS kernel branch as a temporary workaround.
- The `services.pipewire.config` options have been removed, as they have basically never worked correctly. All behavior defined by the default configuration can be overridden with drop-in files as necessary - see [below](#sec-release-23.05-migration-pipewire) for details.

28
nixos/modules/services/web-servers/nginx/default.nix
View file

@ -311,12 +311,15 @@ let
else defaultListen;
listenString = { addr, port, ssl, extraParameters ? [], ... }:
(if ssl && vhost.http3 then "
# UDP listener for **QUIC+HTTP/3
listen ${addr}:${toString port} http3 "
# UDP listener for QUIC transport protocol.
(if ssl && vhost.quic then "
listen ${addr}:${toString port} quic "
+ optionalString vhost.default "default_server "
+ optionalString vhost.reuseport "reuseport "
+ optionalString (extraParameters != []) (concatStringsSep " " extraParameters)
+ optionalString (extraParameters != []) (concatStringsSep " " (
let inCompatibleParameters = [ "ssl" "proxy_protocol" "http2" ];
isCompatibleParameter = param: !(any (p: p == param) inCompatibleParameters);
in filter isCompatibleParameter extraParameters))
+ ";" else "")
+ "
@ -363,6 +366,10 @@ let
server {
${concatMapStringsSep "\n" listenString hostListen}
server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases};
${optionalString (hasSSL && vhost.quic) ''
http3 ${if vhost.http3 then "on" else "off"};
http3_hq ${if vhost.http3_hq then "on" else "off"};
''}
${acmeLocation}
${optionalString (vhost.root != null) "root ${vhost.root};"}
${optionalString (vhost.globalRedirect != null) ''
@ -384,9 +391,10 @@ let
ssl_conf_command Options KTLS;
''}
${optionalString (hasSSL && vhost.http3) ''
${optionalString (hasSSL && vhost.quic && vhost.http3)
# Advertise that HTTP/3 is available
add_header Alt-Svc 'h3=":443"; ma=86400' always;
''
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
''}
${mkBasicAuth vhostName vhost}
@ -1027,6 +1035,14 @@ in
services.nginx.virtualHosts.<name>.useACMEHost are mutually exclusive.
'';
}
{
assertion = cfg.package.pname != "nginxQuic" -> all (host: !host.quic) (attrValues virtualHosts);
message = ''
services.nginx.service.virtualHosts.<name>.quic requires using nginxQuic package,
which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`.
'';
}
] ++ map (name: mkCertOwnershipAssertion {
inherit (cfg) group user;
cert = config.security.acme.certs.${name};

40
nixos/modules/services/web-servers/nginx/vhost-options.nix
View file

@ -188,24 +188,54 @@ with lib;
type = types.bool;
default = true;
description = lib.mdDoc ''
Whether to enable HTTP 2.
Whether to enable the HTTP/2 protocol.
Note that (as of writing) due to nginx's implementation, to disable
HTTP 2 you have to disable it on all vhosts that use a given
HTTP/2 you have to disable it on all vhosts that use a given
IP address / port.
If there is one server block configured to enable http2,then it is
If there is one server block configured to enable http2, then it is
enabled for all server blocks on this IP.
See https://stackoverflow.com/a/39466948/263061.
'';
};
http3 = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc ''
Whether to enable the HTTP/3 protocol.
This requires using `pkgs.nginxQuic` package
which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`
and activate the QUIC transport protocol
`services.nginx.virtualHosts.<name>.quic = true;`.
Note that HTTP/3 support is experimental and
*not* yet recommended for production.
Read more at https://quic.nginx.org/
'';
};
http3_hq = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether to enable HTTP 3.
Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests.
This requires using `pkgs.nginxQuic` package
which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`
and activate the QUIC transport protocol
`services.nginx.virtualHosts.<name>.quic = true;`.
Note that special application protocol support is experimental and
*not* yet recommended for production.
Read more at https://quic.nginx.org/
'';
};
quic = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether to enable the QUIC transport protocol.
This requires using `pkgs.nginxQuic` package
which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`.
Note that HTTP 3 support is experimental and
Note that QUIC support is experimental and
*not* yet recommended for production.
Read more at https://quic.nginx.org/
'';