hitch: init at 1.4.8 + service + test (#39358)
Add the Hitch TLS reverse proxy as an option for TLS termination.
This commit is contained in:
parent
164b580b36
commit
519b64592d
9 changed files with 227 additions and 0 deletions
@ -1760,6 +1760,11 @@
github = "tftio";
name = "James Felix Black";
};
jflanglois = {
email = "yourstruly@julienlanglois.me";
github = "jflanglois";
name = "Julien Langlois";
};
jfrankenau = {
email = "johannes@frankenau.net";
github = "jfrankenau";
@ -651,6 +651,7 @@
./services/web-servers/apache-httpd/default.nix
./services/web-servers/caddy.nix
./services/web-servers/fcgiwrap.nix
./services/web-servers/hitch/default.nix
./services/web-servers/jboss/default.nix
./services/web-servers/lighttpd/cgit.nix
./services/web-servers/lighttpd/collectd.nix
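--- /dev/null
+++ b/nixos/modules/services/web-servers/hitch/default.nix
@@ -0,0 +1,108 @@
+{ config, lib, pkgs, ...}:
+let
+cfg = config.services.hitch;
+ocspDir = lib.optionalString cfg.ocsp-stapling.enabled "/var/cache/hitch/ocsp";
+hitchConfig = with lib; pkgs.writeText "hitch.conf" (concatStringsSep "\n" [
+("backend = \"${cfg.backend}\"")
+(concatMapStrings (s: "frontend = \"${s}\"\n") cfg.frontend)
+(concatMapStrings (s: "pem-file = \"${s}\"\n") cfg.pem-files)
+("ciphers = \"${cfg.ciphers}\"")
+("ocsp-dir = \"${ocspDir}\"")
+"user = \"${cfg.user}\""
+"group = \"${cfg.group}\""
+cfg.extraConfig
+]);
+in
+with lib;
+{
+options = {
+services.hitch = {
+enable = mkEnableOption "Hitch Server";
+
+backend = mkOption {
+type = types.str;
+description = ''
+The host and port Hitch connects to when receiving
+a connection in the form [HOST]:PORT
+'';
+};
+
+ciphers = mkOption {
+type = types.str;
+default = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+description = "The list of ciphers to use";
+};
+
+frontend = mkOption {
+type = types.either types.str (types.listOf types.str);
+default = "[127.0.0.1]:443";
+description = ''
+The port and interface of the listen endpoint in the
+form [HOST]:PORT[+CERT].
+'';
+apply = toList;
+};
+
+pem-files = mkOption {
+type = types.listOf types.path;
+default = [];
+description = "PEM files to use";
+};
+
+ocsp-stapling = {
+enabled = mkOption {
+type = types.bool;
+default = true;
+description = "Whether to enable OCSP Stapling";
+};
+};
+
+user = mkOption {
+type = types.str;
+default = "hitch";
+description = "The user to run as";
+};
+
+group = mkOption {
+type = types.str;
+default = "hitch";
+description = "The group to run as";
+};
+
+extraConfig = mkOption {
+type = types.lines;
+default = "";
+description = "Additional configuration lines";
+};
+};
+
+};
+
+config = mkIf cfg.enable {
+
+systemd.services.hitch = {
+description = "Hitch";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+preStart = ''
+${pkgs.hitch}/sbin/hitch -t --config ${hitchConfig}
+'' + (optionalString cfg.ocsp-stapling.enabled ''
+mkdir -p ${ocspDir}
+chown -R hitch:hitch ${ocspDir}
+'');
+serviceConfig = {
+Type = "forking";
+ExecStart = "${pkgs.hitch}/sbin/hitch --daemon --config ${hitchConfig}";
+ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+Restart = "always";
+RestartSec = "5s";
+LimitNOFILE = 131072;
+};
+};
+
+environment.systemPackages = [ pkgs.hitch ];
+
+users.extraUsers.hitch.group = "hitch";
+users.extraGroups.hitch = {};
+};
+}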
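Review bot: The `chown -R hitch:hitch ${ocspDir}` in preStart and the `users.extraUsers.hitch` / `users.extraGroups.hitch` declarations hardcode the account, while `user` and `group` are user-settable options that are written into hitch.conf; with a non-default `services.hitch.user` the OCSP cache stays owned by `hitch` and the account Hitch is told to drop privileges to may not exist at all. Use `chown -R ${cfg.user}:${cfg.group} ${ocspDir}` and tie account creation to the option, e.g. `users.extraUsers = mkIf (cfg.user == "hitch") { hitch.group = cfg.group; };` with the matching `mkIf` for the group. Separately, `pem-files` is `types.listOf types.path`, so a Nix path literal such as `./cert.pem` is copied into the world-readable Nix store together with the private key it contains; say so in the option: `description = "PEM files (certificate plus key) to use. Give absolute paths as strings, not Nix path literals, or the private key is copied into the world-readable /nix/store.";`.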
@ -297,6 +297,7 @@ in rec {
tests.graphite = callTest tests/graphite.nix {};
tests.hardened = callTest tests/hardened.nix { };
tests.hibernate = callTest tests/hibernate.nix {};
tests.hitch = callTest tests/hitch {};
tests.home-assistant = callTest tests/home-assistant.nix { };
tests.hound = callTest tests/hound.nix {};
tests.hocker-fetchdocker = callTest tests/hocker-fetchdocker {};
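--- /dev/null
+++ b/nixos/tests/hitch/default.nix
@@ -0,0 +1,33 @@
+import ../make-test.nix ({ pkgs, ... }:
+{
+name = "hitch";
+meta = with pkgs.stdenv.lib.maintainers; {
+maintainers = [ jflanglois ];
+};
+machine = { config, pkgs, ... }: {
+environment.systemPackages = [ pkgs.curl ];
+services.hitch = {
+enable = true;
+backend = "[127.0.0.1]:80";
+pem-files = [
+./example.pem
+];
+};
+
+services.httpd = {
+enable = true;
+documentRoot = ./example;
+adminAddr = "noone@testing.nowhere";
+};
+};
+
+testScript =
+''
+startAll;
+
+$machine->waitForUnit('multi-user.target');
+$machine->waitForUnit('hitch.service');
+$machine->waitForOpenPort(443);
+$machine->succeed('curl -k https://localhost:443/index.txt | grep "We are all good!"');
+'';
+})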
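Review bot: `curl -k` on the last line of testScript disables certificate verification, so the test only proves that something speaks TLS on port 443, not that Hitch is serving the configured `example.pem`. Pin the fixture instead: `curl --cacert ${./example.pem} --resolve testing.nowhere:443:127.0.0.1 https://testing.nowhere/index.txt | grep "We are all good!"` (the subject CN in the PEM decodes to `testing.nowhere`). The committed certificate's validity window appears to decode to 2018-04-23 through 2019-04-23, so a pinned check would start failing once it expires; generating the self-signed pair at build time with `pkgs.runCommand` and openssl would avoid both the expiry and keeping a private key in the tree.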
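--- /dev/null
+++ b/nixos/tests/hitch/example.pem
@@ -0,0 +1,53 @@
+-----BEGIN CERTIFICATE-----
+MIIEKTCCAxGgAwIBAgIJAIFAWQXSZ7lIMA0GCSqGSIb3DQEBCwUAMIGqMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMUmVkd29vZCBD
+aXR5MRkwFwYDVQQKDBBUZXN0aW5nIDEyMyBJbmMuMRQwEgYDVQQLDAtJVCBTZXJ2
+aWNlczEYMBYGA1UEAwwPdGVzdGluZy5ub3doZXJlMSQwIgYJKoZIhvcNAQkBFhVu
+b29uZUB0ZXN0aW5nLm5vd2hlcmUwHhcNMTgwNDIzMDcxMTI5WhcNMTkwNDIzMDcx
+MTI5WjCBqjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNV
+BAcMDFJlZHdvb2QgQ2l0eTEZMBcGA1UECgwQVGVzdGluZyAxMjMgSW5jLjEUMBIG
+A1UECwwLSVQgU2VydmljZXMxGDAWBgNVBAMMD3Rlc3Rpbmcubm93aGVyZTEkMCIG
+CSqGSIb3DQEJARYVbm9vbmVAdGVzdGluZy5ub3doZXJlMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAxQq6AA9o/QErMbQwfgDF4mqXcvglRTwPr2zPE6Rv
+1g0ncRBSMM8iKbPapHM6qHNfg2e1fU2SFqzD6HkyZqHHLCgLzkdzswEcEjsMqiUP
+OR++5g4CWoQrdTi31itzYzCjnQ45BrAMrLEhBQgDTNwrEE+Tit0gpOGggtj/ktLk
+OD8BKa640lkmWEUGF18fd3rYTUC4hwM5qhAVXTe21vj9ZWsgprpQKdN61v0dCUap
+C5eAgvZ8Re+Cd0Id674hK4cJ4SekqfHKv/jLyIg3Vsdc9nkhmiC4O6KH5f1Zzq2i
+E4Kd5mnJDFxfSzIErKWmbhriLWsj3KEJ983AGLJ9hxQTAwIDAQABo1AwTjAdBgNV
+HQ4EFgQU76Mm6DP/BePJRQUNrJ9z038zjocwHwYDVR0jBBgwFoAU76Mm6DP/BePJ
+RQUNrJ9z038zjocwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAAZzt
+VdPaUqrvDAh5rMYqzYMJ3tj6daNYoX6CbTFoevK5J5D4FESM0D/FMKgpNiVz39kB
+8Cjaw5rPHMHY61rHz7JRDK1sWXsonwzCF21BK7Tx0G1CIfLpYHWYb/FfdWGROx+O
+hPgKuoMRWQB+txozkZp5BqWJmk5MOyFCDEXhMOmrfsJq0IYU6QaH3Lsf1oJRy4yU
+afFrT9o3DLOyYLG/j/HXijCu8DVjZVa4aboum79ecYzPjjGF1posrFUnvQiuAeYy
+t7cuHNUB8gW9lWR5J7tP8fzFWtIcyT2oRL8u3H+fXf0i4bW73wtOBOoeULBzBNE7
+6rphcSrQunSZQIc+hg==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFCroAD2j9ASsx
+tDB+AMXiapdy+CVFPA+vbM8TpG/WDSdxEFIwzyIps9qkczqoc1+DZ7V9TZIWrMPo
+eTJmoccsKAvOR3OzARwSOwyqJQ85H77mDgJahCt1OLfWK3NjMKOdDjkGsAyssSEF
+CANM3CsQT5OK3SCk4aCC2P+S0uQ4PwEprrjSWSZYRQYXXx93ethNQLiHAzmqEBVd
+N7bW+P1layCmulAp03rW/R0JRqkLl4CC9nxF74J3Qh3rviErhwnhJ6Sp8cq/+MvI
+iDdWx1z2eSGaILg7oofl/VnOraITgp3mackMXF9LMgSspaZuGuItayPcoQn3zcAY
+sn2HFBMDAgMBAAECggEAcaR8HijFHpab+PC5vxJnDuz3KEHiDQpU6ZJR5DxEnCm+
+A8GsBaaRR4gJpCspO5o/DiS0Ue55QUanPt8XqIXJv7fhBznCiw0qyYDxDviMzR94
+FGskBFySS+tIa+dnh1+4HY7kaO0Egl0udB5o+N1KoP+kUsSyXSYcUxsgW+fx5FW9
+22Ya3HNWnWxMCSfSGGlTFXGj2whf25SkL25dM9iblO4ZOx4MX8kaXij7TaYy8hMM
+Vf6/OMnXqtPKho+ctZZVKZkE9PxdS4f/pnp5EsdoOZwNBtfQ1WqVLWd3DlGWhnsH
+7L8ZSP2HkoI4Pd1wtkpOKZc+yM2bFXWa8WY4TcmpUQKBgQD33HxGdtmtZehrexSA
+/ZwWJlMslUsNz4Ivv6s7J4WCRhdh94+r9TWQP/yHdT9Ry5bvn84I5ZLUdp+aA962
+mvjz+GIglkCGpA7HU/hqurB1O63pj2cIDB8qhV21zjVIoqXcQ7IBJ+tqD79nF8vm
+h3KfuHUhuu1rayGepbtIyNhLdwKBgQDLgw4TJBg/QB8RzYECk78QnfZpCExsQA/z
+YJpc+dF2/nsid5R2u9jWzfmgHM2Jjo2/+ofRUaTqcFYU0K57CqmQkOLIzsbNQoYt
+e2NOANNVHiZLuzTZC2r3BrrkNbo3YvQzhAesUA5lS6LfrxBLUKiwo2LU9NlmJs3b
+UPVFYI0/1QKBgCswxIcS1sOcam+wNtZzWuuRKhUuvrFdY3YmlBPuwxj8Vb7AgMya
+IgdM3xhLmgkKzPZchm6OcpOLSCxyWDDBuHfq5E6BYCUWGW0qeLNAbNdA2wFD99Qz
+KIskSjwP/sD1dql3MmF5L1CABf5U6zb0i0jBv8ds50o8lNMsVgJM3UPpAoGBAL1+
+nzllb4pdi1CJWKnspoizfQCZsIdPM0r71V/jYY36MO+MBtpz2NlSWzAiAaQm74gl
+oBdgfT2qMg0Zro11BSRONEykdOolGkj5TiMQk7b65s+3VeMPRZ8UTis2d9kgs5/Q
+PVDODkl1nwfGu1ZVmW04BUujXVZHpYCkJm1eFMetAoGAImE7gWj+qRMhpbtCCGCg
+z06gDKvMrF6S+GJsvUoSyM8oUtfdPodI6gWAC65NfYkIiqbpCaEVNzfui73f5Lnz
+p5X1IbzhuH5UZs/k5A3OR2PPDbPs3lqEw7YJdBdLVRmO1o824uaXaJJwkL/1C+lq
+8dh1wV3CnynNmZApkz4vpzQ=
+-----END PRIVATE KEY-----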
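--- /dev/null
+++ b/nixos/tests/hitch/example/index.txt
@@ -0,0 +1 @@
+We are all good!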
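--- /dev/null
+++ b/pkgs/servers/hitch/default.nix
@@ -0,0 +1,23 @@
+{ stdenv, fetchurl, docutils, libev, openssl, pkgconfig }:
+stdenv.mkDerivation rec {
+version = "1.4.8";
+name = "hitch-${version}";
+
+src = fetchurl {
+url = "https://hitch-tls.org/source/${name}.tar.gz";
+sha256 = "1hqs5p69gr1lb3xldbrgq7d6d0vk4za0wpizlzybn98cv68acaym";
+};
+
+nativeBuildInputs = [ pkgconfig ];
+buildInputs = [ docutils libev openssl ];
+
+outputs = [ "out" "doc" "man" ];
+
+meta = with stdenv.lib; {
+description = "Hitch is a libev-based high performance SSL/TLS proxy by Varnish Software";
+homepage = https://hitch-tls.org/;
+license = licenses.bsd2;
+maintainers = [ maintainers.jflanglois ];
+platforms = platforms.linux;
+};
+}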
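Review bot: `homepage = https://hitch-tls.org/;` uses the unquoted URL literal and `description` starts with the package name, both of which nixpkgs style discourages; use `homepage = "https://hitch-tls.org/";` and `description = "libev-based high performance SSL/TLS proxy by Varnish Software";`. The tarball is pinned by `sha256` and fetched over HTTPS, which is the right integrity check for an init; a one-line comment next to `sha256` recording how the hash was obtained (e.g. `nix-prefetch-url` against the upstream tarball) would help whoever bumps it next.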
@ -5611,6 +5611,8 @@ with pkgs;
varnishPackages = varnish5Packages;
varnish = varnishPackages.varnish;
|
hitch = callPackage ../servers/hitch { };
|
venus = callPackage ../tools/misc/venus {
python = python27;
};