From 9419b653ba45e75b164237446bccecd9c34655d7 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Mon, 22 Nov 2021 19:51:52 +0300
Subject: [PATCH 1/5] openssl 3.0.0: enable ktls support
---
 pkgs/development/libraries/openssl/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index ca2e240dd869..b8cd042cb301 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -108,6 +108,7 @@ let
 "-DUSE_CRYPTODEV_DIGESTS"
 ] ++ lib.optional enableSSL2 "enable-ssl2"
 ++ lib.optional enableSSL3 "enable-ssl3"
+ ++ lib.optional (versionAtLeast version "3.0.0") "enable-ktls"
 ++ lib.optional (versionAtLeast version "1.1.0" && stdenv.hostPlatform.isAarch64) "no-afalgeng"
 # OpenSSL needs a specific `no-shared` configure flag.
 # See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options
From 532cd57bda7def5411de9429c50ab9623c47d447 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Mon, 22 Nov 2021 20:50:12 +0300
Subject: [PATCH 2/5] nginxMainline: enable ktls support
---
 pkgs/servers/http/nginx/generic.nix | 3 +++
 pkgs/top-level/all-packages.nix | 1 +
 2 files changed, 4 insertions(+)
diff --git a/pkgs/servers/http/nginx/generic.nix b/pkgs/servers/http/nginx/generic.nix
index 7465589d636e..fa711d1dff4f 100644
--- a/pkgs/servers/http/nginx/generic.nix
+++ b/pkgs/servers/http/nginx/generic.nix
@@ -3,6 +3,7 @@
 , nixosTests
 , substituteAll, gd, geoip, perl
 , withDebug ? false
+, withKTLS ? false
 , withStream ? true
 , withMail ? false
 , withPerl ? true
@@ -80,6 +81,8 @@ stdenv.mkDerivation {
 "--http-scgi-temp-path=/var/cache/nginx/scgi"
 ] ++ optionals withDebug [
 "--with-debug"
+ ] ++ optionals withKTLS [
+ "--with-openssl-opt=enable-ktls"
 ] ++ optionals withStream [
 "--with-stream"
 "--with-stream_realip_module"
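Review bot: The new `enable-ktls` line is gated only on the OpenSSL version, not on the host platform, although kernel TLS is a Linux (and FreeBSD) kernel feature; the `no-afalgeng` line directly below shows the file's own convention of pairing the version check with a `stdenv.hostPlatform` predicate. Unless the Configure script itself ignores the option on unsupported targets, which I have not verified for every platform this package is built for, the flag is either a build failure or a no-op on darwin and other non-Linux hosts. Suggest `++ lib.optional (versionAtLeast version "3.0.0" && stdenv.hostPlatform.isLinux) "enable-ktls"`. A short comment next to the flag saying that it moves TLS record processing into the kernel would also make this security-relevant build change visible to the next reader of the expression.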
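Review bot: `--with-openssl-opt=enable-ktls` in the second generic.nix hunk is, as far as I know, only honoured when nginx's own build compiles OpenSSL from a source tree passed via `--with-openssl=DIR`; this derivation links the openssl package from nixpkgs instead, so the new `withKTLS` switch most likely does not change the produced binary and the effective kTLS capability comes solely from how the openssl input was built (PATCH 1). If that holds, either drop the option or document it, e.g. `# Only meaningful together with --with-openssl=<src>; kTLS availability comes from the openssl input.` above the new list entry. The `withKTLS = true;` added to `nginxMainline` in all-packages.nix inherits the same issue. The `configureFlags` list continues outside the hunk.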
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index e9526189b7f3..15f4cb5cee85 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -21035,6 +21035,7 @@ with pkgs;
 nginxMainline = callPackage ../servers/http/nginx/mainline.nix {
 zlib = zlib-ng.override { withZlibCompat = true; };
+ withKTLS = true;
 withPerl = false;
 # We don't use `with` statement here on purpose!
 # See https://github.com/NixOS/nixpkgs/pull/10474#discussion_r42369334
From 78546bbbc55e99120dd745768bdb90c4f0b9d428 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Tue, 23 Nov 2021 01:22:11 +0300
Subject: [PATCH 3/5] nixos/nginx: add kTLS option
---
 nixos/modules/services/web-servers/nginx/default.nix | 11 +++++++++++
 .../services/web-servers/nginx/vhost-options.nix | 11 +++++++++++
 2 files changed, 22 insertions(+)
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 5717b86b3bea..7f5c3841f1ac 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -316,6 +316,9 @@ let
 ${optionalString vhost.rejectSSL ''
 ssl_reject_handshake on;
 ''}
+ ${optionalString (hasSSL && vhost.kTLS) ''
+ ssl_conf_command Options KTLS;
+ ''}
 ${mkBasicAuth vhostName vhost}
@@ -820,6 +823,14 @@ in
 ''; } + { assertion = any (host: host.kTLS) (attrValues virtualHosts) -> versionAtLeast cfg.package.version "1.21.4"; message = '' services.nginx.virtualHosts..kTLS requires nginx version 1.21.4 or above; see the documentation for services.nginx.package. ''; } + { assertion = all (host: !(host.enableACME && host.useACMEHost != null)) (attrValues virtualHosts); message = ''
diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
index 7ee041d37211..7f49ce9586ca 100644
--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
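Review bot: `ssl_conf_command Options KTLS;` is emitted whenever a TLS vhost sets `kTLS`, but nothing in the module ensures the kernel side is there: on Linux the `tls` module (CONFIG_TLS) has to be loaded, and as far as I know OpenSSL falls back to userspace TLS without any log line when enabling the TCP ULP on the socket fails, so a host that is missing it keeps serving with none of the expected behaviour and no signal. Consider adding `boot.kernelModules = optional (any (host: host.kTLS) (attrValues virtualHosts)) "tls";` to the module's config (or at minimum documenting the requirement), and note that the directive also needs `cfg.package` to be linked against an OpenSSL built with kTLS support, which the version assertion in the next hunk does not cover. The vhost-rendering function this hunk sits in starts and ends outside the hunk.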
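Review bot: The assertion message in the `@@ -820,6 +823,14 @@` hunk reads `services.nginx.virtualHosts..kTLS` on this page, so the `<name>` placeholder used by the neighbouring messages appears to be missing; that may be a rendering artefact, but the committed text should be checked. Beyond that, the assertion pins only the nginx version, while `ssl_conf_command Options KTLS` also needs the package's OpenSSL to be a 3.0 build with kTLS enabled; with an older OpenSSL the unknown option value is rejected when nginx loads its config, i.e. at service start rather than at evaluation. If the nginx package exposed its openssl input, a second assertion on that version would move the failure to `nixos-rebuild`; otherwise the message should at least name the OpenSSL requirement. The `+` markers on the interior lines of this hunk are missing on this page, so I am reading the whole `{ assertion = any … }` entry as the added block.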
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
@@ -147,6 +147,17 @@ with lib;
 ''; }; + kTLS = mkOption { type = types.bool; default = false; description = '' Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later. ''; }; + sslCertificate = mkOption { type = types.path; example = "/var/host.cert";
From 7376f4e34f85cd2ad9bb0c0c1caf75c1afb78fd0 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Tue, 23 Nov 2021 01:28:43 +0300
Subject: [PATCH 4/5] nixos/nginx: tengine requires allowing @ipc calls
---
 nixos/modules/services/web-servers/nginx/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 7f5c3841f1ac..459cee34132c 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -907,7 +907,7 @@ in
 PrivateMounts = true;
 # System Call Filtering
 SystemCallArchitectures = "native";
- SystemCallFilter = "~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid @mincore";
+ SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid @mincore" ] ++ optionals (cfg.package != pkgs.tengine) [ "~@ipc" ];
 };
 };
From 2f66ac01e91d70837377c4356e5c99843b71f105 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Tue, 23 Nov 2021 15:20:30 +0300
Subject: [PATCH 5/5] nixos/nginx: disable rejectSSL activation when https is disabled
---
 nixos/modules/services/web-servers/nginx/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 459cee34132c..4aeca1754326 100644
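Review bot: The last sentence of the new `kTLS` option description, `Required Nginx version 1.21.4 or later.`, should read `Requires nginx 1.21.4 or later.`, and the description should list the other prerequisites the option depends on — an OpenSSL 3.0 build with kTLS enabled and a kernel with the `tls` module available — because, as far as I can tell, the generated directive degrades to ordinary userspace TLS without any error when they are absent, so the operator has no other place to learn about them. The `+` markers on the interior lines of this hunk are missing on this page, so I am reading the whole `kTLS = mkOption { … };` as the added block.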
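Review bot: `cfg.package != pkgs.tengine` in the `@@ -907,7 +907,7 @@` hunk compares derivations by identity, so any overridden tengine (`tengine.override …`, a variant with extra modules) is not equal to `pkgs.tengine` and keeps `~@ipc` in the filter — the same failure this commit fixes, just for every non-stock tengine. Keying on a package attribute, e.g. `optionals (cfg.package.pname != "tengine") [ "~@ipc" ]`, would survive overrides (assuming tengine sets `pname`, which I have not checked here). From a hardening standpoint the change also lifts the whole `@ipc` group for tengine; the commit message does not say which calls it actually needs, and if that is a small set, allowing those calls explicitly keeps the sandbox tighter than dropping the group. A one-line comment on the new line explaining why tengine is exempt would help whoever next tightens this filter.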
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -313,7 +313,7 @@ let
 ${optionalString (hasSSL && vhost.sslTrustedCertificate != null) ''
 ssl_trusted_certificate ${vhost.sslTrustedCertificate};
 ''}
- ${optionalString vhost.rejectSSL ''
+ ${optionalString (hasSSL && vhost.rejectSSL) ''
 ssl_reject_handshake on;
 ''}
 ${optionalString (hasSSL && vhost.kTLS) ''
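Review bot: Gating on `hasSSL` makes `rejectSSL = true` on a plain-HTTP vhost vanish from the generated config with no signal, whereas before the directive was emitted regardless and at least surfaced in the generated config. Since `rejectSSL` is a hardening setting — the operator sets it so that TLS handshakes for unknown names are dropped — a silent no-op hides a misconfiguration; consider an assertion that `rejectSSL` implies one of the SSL-enabling vhost options (however `hasSSL` is derived above), or a `warnings` entry, so the operator learns the flag had no effect. The definition of `hasSSL` and the enclosing vhost-rendering function are outside the hunk.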