diff --git a/upstart-jobs/apache-httpd/default.nix b/upstart-jobs/apache-httpd/default.nix index 78a6d085f88b..acb6c2654cbe 100644 --- a/upstart-jobs/apache-httpd/default.nix +++ b/upstart-jobs/apache-httpd/default.nix @@ -118,8 +118,6 @@ let # !!! integrate with virtual hosting below sslConf = '' - Listen ${toString cfg.httpsPort} - SSLSessionCache dbm:${cfg.stateDir}/ssl_scache SSLMutex file:${cfg.stateDir}/ssl_mutex @@ -127,6 +125,8 @@ let SSLRandomSeed startup builtin SSLRandomSeed connect builtin + NameVirtualHost *:${toString cfg.httpsPort} + SSLEngine on @@ -246,7 +246,20 @@ let MaxRequestsPerChild 0 - Listen ${toString cfg.httpPort} + ${let + ports = pkgs.lib.uniqList { + inputList=(concatMap (localCfg: + (pkgs.lib.optional localCfg.enableHttp localCfg.httpPort) + ++ + (pkgs.lib.optional localCfg.enableHttps localCfg.httpsPort) + ) vhosts) + ++ + (pkgs.lib.optional cfg.enableSSL cfg.httpsPort) + ++ + [cfg.httpPort]; + }; + in concatMapStrings (port: "Listen ${toString port}\n") ports + } User ${cfg.user} Group ${cfg.group} @@ -318,14 +331,23 @@ let ${perServerConf true cfg} # Always enable virtual hosts; it doesn't seem to hurt. - NameVirtualHost *:* + NameVirtualHost *:${toString cfg.httpPort} ${let - makeVirtualHost = cfg: '' - - ${perServerConf false cfg} + makeVirtualHost = localCfg: (if localCfg.enableHttp then '' + + ${perServerConf false localCfg} - ''; + '' else "") + ( if localCfg.enableHttps then '' + + SSLEngine on + + SSLCertificateFile ${sslServerCert} + SSLCertificateKeyFile ${sslServerKey} + + ${perServerConf false localCfg} + + '' else ""); in concatMapStrings makeVirtualHost vhosts} ''; diff --git a/upstart-jobs/apache-httpd/per-server-options.nix b/upstart-jobs/apache-httpd/per-server-options.nix index dbc422ec0cd5..91516196f1f6 100644 --- a/upstart-jobs/apache-httpd/per-server-options.nix +++ b/upstart-jobs/apache-httpd/per-server-options.nix 
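Review bot: The port list built for the `Listen` directives appends `[cfg.httpPort]` unconditionally, so the plain-HTTP listener stays open even when an operator sets `enableHttp = false` on the main server. If the per-server options also apply to the main `cfg` (the `perServerConf true cfg` call in the next hunk suggests they do), guard it like the vhost ports: `(pkgs.lib.optional cfg.enableHttp cfg.httpPort)`. The main server's HTTPS port is gated by `cfg.enableSSL` while vhosts use `enableHttps`; a one-line comment above the list saying how the two switches relate would prevent a setup where only one of them is set.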
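Review bot: Every HTTPS branch of `makeVirtualHost` emits the same `SSLCertificateFile ${sslServerCert}` and `SSLCertificateKeyFile ${sslServerKey}`, so all name-based TLS vhosts present one server-wide certificate and clients get a hostname mismatch unless it covers every vhost name. Either add a per-vhost certificate and key setting that falls back to the global pair, or record the constraint next to the two lines, e.g. `# all HTTPS vhosts share the server-wide certificate; it must list every vhost hostname`. `sslServerCert` and `sslServerKey` are defined outside this hunk. It is also not visible here whether mod_ssl and `sslConf` are loaded when a vhost sets `enableHttps` but `cfg.enableSSL` is false; if they are not, `SSLEngine on` would fail at config parse, so an assertion tying the two together looks worthwhile.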
@@ -29,6 +29,27 @@ "; }; + httpsPort = mkOption { + default = 443; + description = " + Port for encrypted HTTPS requests. + "; + }; + + enableHttp = mkOption { + default = true; + description = " + Whether to listen on unencrypted HTTP. + "; + }; + + enableHttps = mkOption { + default = false; + description = " + Whether to listen on encrypted HTTPS. + "; + }; + adminAddr = mkOption ({ example = "admin@example.org"; description = "
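Review bot: The `enableHttps` description does not say that HTTP stays on unless `enableHttp` is also set to false, nor which certificate the host will serve, so a reader can take `enableHttps = true` to mean an HTTPS-only host. I would extend it to something like `Whether to listen on encrypted HTTPS. This does not disable HTTP; set enableHttp = false for an HTTPS-only host. The server-wide certificate and key are used.` The last sentence of that text follows from the `makeVirtualHost` change in default.nix, so confirm it against the final behaviour before merging.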