mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-10-30 22:21:26 +00:00
Revert "nixos/nginx: validate syntax of config file at build time"
This reverts commit a768871934
.
This is too fragile, it breaks at least on:
* ssl dh params
* hostnames in proxypass and upstreams are resolved in the sandbox
This commit is contained in:
parent
aa4780077a
commit
cb73862665
@ -288,7 +288,7 @@ let
|
||||
|
||||
configPath = if cfg.enableReload
|
||||
then "/etc/nginx/nginx.conf"
|
||||
else finalConfigFile;
|
||||
else configFile;
|
||||
|
||||
execCommand = "${cfg.package}/bin/nginx -c '${configPath}'";
|
||||
|
||||
@ -440,38 +440,6 @@ let
|
||||
);
|
||||
|
||||
mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix;
|
||||
|
||||
snakeOilCert = pkgs.runCommand "nginx-config-validate-cert" { nativeBuildInputs = [ pkgs.openssl.bin ]; } ''
|
||||
mkdir $out
|
||||
openssl genrsa -des3 -passout pass:xxxxx -out server.pass.key 2048
|
||||
openssl rsa -passin pass:xxxxx -in server.pass.key -out $out/server.key
|
||||
openssl req -new -key $out/server.key -out server.csr \
|
||||
-subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com"
|
||||
openssl x509 -req -days 1 -in server.csr -signkey $out/server.key -out $out/server.crt
|
||||
'';
|
||||
validatedConfigFile = pkgs.runCommand "validated-nginx.conf" { nativeBuildInputs = [ cfg.package ]; } ''
|
||||
# nginx absolutely wants to read the certificates even when told to only validate config, so let's provide fake certs
|
||||
sed ${configFile} \
|
||||
-e "s|ssl_certificate .*;|ssl_certificate ${snakeOilCert}/server.crt;|g" \
|
||||
-e "s|ssl_trusted_certificate .*;|ssl_trusted_certificate ${snakeOilCert}/server.crt;|g" \
|
||||
-e "s|ssl_certificate_key .*;|ssl_certificate_key ${snakeOilCert}/server.key;|g" \
|
||||
> conf
|
||||
|
||||
LD_PRELOAD=${pkgs.libredirect}/lib/libredirect.so \
|
||||
NIX_REDIRECTS="/etc/resolv.conf=/dev/null" \
|
||||
nginx -t -c $(readlink -f ./conf) > out 2>&1 || true
|
||||
if ! grep -q "syntax is ok" out; then
|
||||
echo nginx config validation failed.
|
||||
echo config was ${configFile}.
|
||||
echo 'in case of false positive, set `services.nginx.validateConfig` to false.'
|
||||
echo nginx output:
|
||||
cat out
|
||||
exit 1
|
||||
fi
|
||||
cp ${configFile} $out
|
||||
'';
|
||||
|
||||
finalConfigFile = if cfg.validateConfig then validatedConfigFile else configFile;
|
||||
in
|
||||
|
||||
{
|
||||
@ -580,15 +548,6 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
validateConfig = mkOption {
|
||||
default = pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform;
|
||||
defaultText = literalExpression "pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform";
|
||||
type = types.bool;
|
||||
description = lib.mdDoc ''
|
||||
Validate the generated nginx config at build time. The check is not very robust and can be disabled in case of false positives. This is notably the case when cross-compiling or when using `include` with files outside of the store.
|
||||
'';
|
||||
};
|
||||
|
||||
additionalModules = mkOption {
|
||||
default = [];
|
||||
type = types.listOf (types.attrsOf types.anything);
|
||||
@ -1126,7 +1085,7 @@ in
|
||||
};
|
||||
|
||||
environment.etc."nginx/nginx.conf" = mkIf cfg.enableReload {
|
||||
source = finalConfigFile;
|
||||
source = configFile;
|
||||
};
|
||||
|
||||
# This service waits for all certificates to be available
|
||||
@ -1145,7 +1104,7 @@ in
|
||||
# certs are updated _after_ config has been reloaded.
|
||||
before = sslTargets;
|
||||
after = sslServices;
|
||||
restartTriggers = optionals cfg.enableReload [ finalConfigFile ];
|
||||
restartTriggers = optionals cfg.enableReload [ configFile ];
|
||||
# Block reloading if not all certs exist yet.
|
||||
# Happens when config changes add new vhosts/certs.
|
||||
unitConfig.ConditionPathExists = optionals (sslServices != []) (map (certName: certs.${certName}.directory + "/fullchain.pem") dependentCertNames);
|
||||
|
@ -61,7 +61,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
|
||||
|
||||
specialisation.reloadWithErrorsSystem.configuration = {
|
||||
services.nginx.package = pkgs.nginxMainline;
|
||||
services.nginx.virtualHosts."hello".extraConfig = "access_log /does/not/exist.log;";
|
||||
services.nginx.virtualHosts."!@$$(#*%".locations."~@#*$*!)".proxyPass = ";;;";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
Loading…
Reference in New Issue
Block a user