nixos/nginx: make redirect status code configurable

Add an option to configure which code globalRedirect and forceSSL use.
It previously was always 301 with no easy way to override.
This commit is contained in:
Gabriel Fontes 2023-12-01 15:42:46 -03:00
parent 72061433dd
commit a3c60d2ddc
No known key found for this signature in database
GPG Key ID: 2E54EA7BFE630916
5 changed files with 51 additions and 8 deletions

View File

@ -47,6 +47,10 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
existing process, but will need to start that process from gdb (so it is a
child). Or you can set `boot.kernel.sysctl."kernel.yama.ptrace_scope"` to 0.
- [Nginx virtual hosts](#opt-services.nginx.virtualHosts) using `forceSSL` or
`globalRedirect` can now have redirect codes other than 301 through
`redirectCode`.
- Gitea 1.21 upgrade has several breaking changes, including:
- Custom themes and other assets that were previously stored in `custom/public/*` now belong in `custom/public/assets/*`
- New instances of Gitea using MySQL now ignore the `[database].CHARSET` config option and always use the `utf8mb4` charset, existing instances should migrate via the `gitea doctor convert` CLI command.

View File

@ -377,7 +377,7 @@ let
server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases};
${acmeLocation}
location / {
return 301 https://$host$request_uri;
return ${toString vhost.redirectCode} https://$host$request_uri;
}
}
''}
@ -396,7 +396,7 @@ let
${optionalString (vhost.root != null) "root ${vhost.root};"}
${optionalString (vhost.globalRedirect != null) ''
location / {
return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri;
return ${toString vhost.redirectCode} http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri;
}
''}
${optionalString hasSSL ''

View File

@ -162,10 +162,11 @@ with lib;
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether to add a separate nginx server block that permanently redirects (301)
all plain HTTP traffic to HTTPS. This will set defaults for
`listen` to listen on all interfaces on the respective default
ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
Whether to add a separate nginx server block that redirects (defaults
to 301, configurable with `redirectCode`) all plain HTTP traffic to
HTTPS. This will set defaults for `listen` to listen on all interfaces
on the respective default ports (80, 443), where the non-SSL listens
are used for the redirect vhosts.
'';
};
@ -307,8 +308,20 @@ with lib;
default = null;
example = "newserver.example.org";
description = lib.mdDoc ''
If set, all requests for this host are redirected permanently to
the given hostname.
If set, all requests for this host are redirected (defaults to 301,
configurable with `redirectCode`) to the given hostname.
'';
};
redirectCode = mkOption {
type = types.ints.between 300 399;
default = 301;
example = 308;
description = lib.mdDoc ''
HTTP status used by `globalRedirect` and `forceSSL`. Possible usecases
include temporary (302, 307) redirects, keeping the request method and
body (307, 308), or explicitly resetting the method to GET (303).
See <https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections>.
'';
};

View File

@ -583,6 +583,7 @@ in {
nginx-njs = handleTest ./nginx-njs.nix {};
nginx-proxyprotocol = handleTest ./nginx-proxyprotocol {};
nginx-pubhtml = handleTest ./nginx-pubhtml.nix {};
nginx-redirectcode = handleTest ./nginx-redirectcode.nix {};
nginx-sso = handleTest ./nginx-sso.nix {};
nginx-status-page = handleTest ./nginx-status-page.nix {};
nginx-tmpdir = handleTest ./nginx-tmpdir.nix {};

View File

@ -0,0 +1,25 @@
import ./make-test-python.nix ({ pkgs, lib, ... }: {
name = "nginx-redirectcode";
meta.maintainers = with lib.maintainers; [ misterio77 ];
nodes = {
webserver = { pkgs, lib, ... }: {
services.nginx = {
enable = true;
virtualHosts.localhost = {
globalRedirect = "example.com/foo";
# With 308 (and 307), the method and body are to be kept when following it
redirectCode = 308;
};
};
};
};
testScript = ''
webserver.wait_for_unit("nginx")
webserver.wait_for_open_port(80)
# Check the status code
webserver.succeed("curl -si http://localhost | grep '^HTTP/[0-9.]\+ 308 Permanent Redirect'")
'';
})