Merge pull request #147027 from Izorkin/update-nginx-ktls

nginxMainline: enable ktls support
2021-12-24 10:23:17 +00:00 · 2021-12-24 10:23:17 +00:00 · b0f154fd44
commit b0f154fd44
parent 3d91acc39a 2f66ac01e9
5 changed files with 29 additions and 2 deletions
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@ -317,9 +317,12 @@ let
          ${optionalString (hasSSL && vhost.sslTrustedCertificate != null) ''
            ssl_trusted_certificate ${vhost.sslTrustedCertificate};
          ''}
-          ${optionalString vhost.rejectSSL ''
+          ${optionalString (hasSSL && vhost.rejectSSL) ''
            ssl_reject_handshake on;
          ''}
+          ${optionalString (hasSSL && vhost.kTLS) ''
+            ssl_conf_command Options KTLS;
+          ''}

          ${mkBasicAuth vhostName vhost}

@ -824,6 +827,14 @@ in
        '';
      }

+      {
+        assertion = any (host: host.kTLS) (attrValues virtualHosts) -> versionAtLeast cfg.package.version "1.21.4";
+        message = ''
+          services.nginx.virtualHosts.<name>.kTLS requires nginx version
+          1.21.4 or above; see the documentation for services.nginx.package.
+        '';
+      }
+
      {
        assertion = all (host: !(host.enableACME && host.useACMEHost != null)) (attrValues virtualHosts);
        message = ''
@ -900,7 +911,7 @@ in
        PrivateMounts = true;
        # System Call Filtering
        SystemCallArchitectures = "native";
-        SystemCallFilter = "~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid @mincore";
+        SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid @mincore" ] ++ optionals (cfg.package != pkgs.tengine) [ "~@ipc" ];
      };
    };

--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
@ -147,6 +147,17 @@ with lib;
      '';
    };

+    kTLS = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to enable kTLS support.
+        Implementing TLS in the kernel (kTLS) improves performance by significantly
+        reducing the need for copying operations between user space and the kernel.
+        Required Nginx version 1.21.4 or later.
+      '';
+    };
+
    sslCertificate = mkOption {
      type = types.path;
      example = "/var/host.cert";
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@ -108,6 +108,7 @@ let
      "-DUSE_CRYPTODEV_DIGESTS"
    ] ++ lib.optional enableSSL2 "enable-ssl2"
      ++ lib.optional enableSSL3 "enable-ssl3"
+      ++ lib.optional (versionAtLeast version "3.0.0") "enable-ktls"
      ++ lib.optional (versionAtLeast version "1.1.0" && stdenv.hostPlatform.isAarch64) "no-afalgeng"
      # OpenSSL needs a specific `no-shared` configure flag.
      # See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options
--- a/pkgs/servers/http/nginx/generic.nix
+++ b/pkgs/servers/http/nginx/generic.nix
@ -3,6 +3,7 @@
 , nixosTests
 , substituteAll, gd, geoip, perl
 , withDebug ? false
+, withKTLS ? false
 , withStream ? true
 , withMail ? false
 , withPerl ? true
@ -80,6 +81,8 @@ stdenv.mkDerivation {
    "--http-scgi-temp-path=/var/cache/nginx/scgi"
  ] ++ optionals withDebug [
    "--with-debug"
+  ] ++ optionals withKTLS [
+    "--with-openssl-opt=enable-ktls"
  ] ++ optionals withStream [
    "--with-stream"
    "--with-stream_realip_module"
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -21177,6 +21177,7 @@ with pkgs;

  nginxMainline = callPackage ../servers/http/nginx/mainline.nix {
    zlib = zlib-ng.override { withZlibCompat = true; };
+    withKTLS = true;
    withPerl = false;
    # We don't use `with` statement here on purpose!
    # See https://github.com/NixOS/nixpkgs/pull/10474#discussion_r42369334