diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 955c19bd98e..07f11239366 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -266,6 +266,25 @@ environment.systemPackages = [
+
+
+ The httpd web server previously started its main process as root
+ privileged, then ran worker processes as a less privileged identity user.
+ This was changed to start all of httpd as a less privileged user (defined by
+ and
+ ). As a consequence, all files that
+ are needed for httpd to run (included configuration fragments, SSL
+ certificates and keys, etc.) must now be readable by this less privileged
+ user/group.
+
+
+ The default value for
+ has been changed from prefork to event. Along with
+ this change the default value for
+ services.httpd.virtualHosts.<name>.http2
+ has been set to true.
+
+
diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix
index 5e55baa203a..653c1706834 100644
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -41,9 +41,9 @@ let
"mime" "autoindex" "negotiation" "dir"
"alias" "rewrite"
"unixd" "slotmem_shm" "socache_shmcb"
- "mpm_${cfg.multiProcessingModule}"
+ "mpm_${cfg.mpm}"
]
- ++ (if cfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
+ ++ (if cfg.mpm == "prefork" then [ "cgi" ] else [ "cgid" ])
++ optional enableHttp2 "http2"
++ optional enableSSL "ssl"
++ optional enableUserDir "userdir"
@@ -264,7 +264,7 @@ let
PidFile ${runtimeDir}/httpd.pid
- ${optionalString (cfg.multiProcessingModule != "prefork") ''
+ ${optionalString (cfg.mpm != "prefork") ''
# mod_cgid requires this.
ScriptSock ${runtimeDir}/cgisock
''}
@@ -350,6 +350,7 @@ in
imports = [
(mkRemovedOptionModule [ "services" "httpd" "extraSubservices" ] "Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.")
(mkRemovedOptionModule [ "services" "httpd" "stateDir" ] "The httpd module now uses /run/httpd as a runtime directory.")
+ (mkRenamedOptionModule [ "services" "httpd" "multiProcessingModule" ] [ "services" "httpd" "mpm" ])
# virtualHosts options
(mkRemovedOptionModule [ "services" "httpd" "documentRoot" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
@@ -454,7 +455,13 @@ in
type = types.str;
default = "wwwrun";
description = ''
- User account under which httpd runs.
+ User account under which httpd children processes run.
+
+ If you require the main httpd process to run as
+ root add the following configuration:
+
+ systemd.services.httpd.serviceConfig.User = lib.mkForce "root";
+
'';
};
@@ -462,7 +469,7 @@ in
type = types.str;
default = "wwwrun";
description = ''
- Group under which httpd runs.
+ Group under which httpd children processes run.
'';
};
@@ -539,20 +546,19 @@ in
'';
};
- multiProcessingModule = mkOption {
+ mpm = mkOption {
type = types.enum [ "event" "prefork" "worker" ];
- default = "prefork";
+ default = "event";
example = "worker";
description =
''
Multi-processing module to be used by Apache. Available
- modules are prefork (the default;
- handles each request in a separate child process),
- worker (hybrid approach that starts a
- number of child processes each running a number of
- threads) and event (a recent variant of
- worker that handles persistent
- connections more efficiently).
+ modules are prefork (handles each
+ request in a separate child process), worker
+ (hybrid approach that starts a number of child processes
+ each running a number of threads) and event
+ (the default; a recent variant of worker
+ that handles persistent connections more efficiently).
'';
};
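Review bot: Switching `default = "event"` makes a threaded MPM the default, but the hunk adds no assertion or warning tying it to `cfg.enablePHP`; if enablePHP still loads the in-process mod_php (not visible here), that module is not thread-safe and should only be combined with prefork. Unless a guard already exists elsewhere in the file, a line such as `{ assertion = cfg.enablePHP -> cfg.mpm == "prefork"; message = "services.httpd.enablePHP requires services.httpd.mpm = \"prefork\""; }` in the module's assertions would turn a silent runtime problem into an evaluation error. The new default also flips module selection from cgi to cgid and enables the ScriptSock line, which the description text could mention so users of existing CGI setups are not surprised.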
@@ -652,7 +658,7 @@ in
services.httpd.phpOptions =
''
; Needed for PHP's mail() function.
- sendmail_path = sendmail -t -i
+ sendmail_path = ${pkgs.system-sendmail}/bin/sendmail -t -i
; Don't advertise PHP
expose_php = off
@@ -703,9 +709,7 @@ in
wants = concatLists (map (hostOpts: [ "acme-${hostOpts.hostName}.service" "acme-selfsigned-${hostOpts.hostName}.service" ]) vhostsACME);
after = [ "network.target" "fs.target" ] ++ map (hostOpts: "acme-selfsigned-${hostOpts.hostName}.service") vhostsACME;
- path =
- [ pkg pkgs.coreutils pkgs.gnugrep ]
- ++ optional cfg.enablePHP pkgs.system-sendmail; # Needed for PHP's mail() function.
+ path = [ pkg pkgs.coreutils pkgs.gnugrep ];
environment =
optionalAttrs cfg.enablePHP { PHPRC = phpIni; }
@@ -725,7 +729,7 @@ in
ExecStart = "@${pkg}/bin/httpd httpd -f ${httpdConf}";
ExecStop = "${pkg}/bin/httpd -f ${httpdConf} -k graceful-stop";
ExecReload = "${pkg}/bin/httpd -f ${httpdConf} -k graceful";
- User = "root";
+ User = cfg.user;
Group = cfg.group;
Type = "forking";
PIDFile = "${runtimeDir}/httpd.pid";
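Review bot: `User = cfg.user;` means every file httpd opens is now read as that account rather than by a root parent: TLS private keys, the ACME certificate directories the unit `wants` (acme-*.service in the preceding hunk), included configuration fragments and any log directories, yet the hunk adds no assertion or permission fix for them. The release note covers the user-facing side, but it would help to state in this block why `User` is no longer root, e.g. `# httpd runs entirely as cfg.user; CAP_NET_BIND_SERVICE is granted via AmbientCapabilities so it can still bind 80/443`, and to confirm the ACME module is told to use `cfg.group` for those certificates, which may already happen elsewhere in the file. The enclosing serviceConfig set starts and ends outside the hunk.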
@@ -733,6 +737,7 @@ in
RestartSec = "5s";
RuntimeDirectory = "httpd httpd/runtime";
RuntimeDirectoryMode = "0750";
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
};
};
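Review bot: `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]` is inherited across execve by non-setuid binaries, so the capability reaches not only the main process but also the worker processes and anything they spawn (mod_cgid scripts, piped loggers); as far as I can tell httpd only drops privileges on its root-to-user switch, which this commit removes, so nothing clears the ambient set afterwards. Pairing it with `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];` at least prevents any other capability from being acquired, and a short comment that the ambient grant is only needed because `User` is no longer root would help the next reader. The enclosing serviceConfig set begins outside the hunk.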
diff --git a/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix b/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix
index 2e806afb42c..173c0f8561c 100644
--- a/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix
@@ -137,7 +137,7 @@ in
http2 = mkOption {
type = types.bool;
- default = false;
+ default = true;
description = ''
Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will
be severe restrictions. Refer to for details.