diff --git a/system/options.nix b/system/options.nix index 974034648f9..30475fd6bcb 100644 --- a/system/options.nix +++ b/system/options.nix @@ -899,6 +899,13 @@ "; }; + enableSSL = mkOption { + default = false; + description = " + Whether to enable SSL (https) support. + "; + }; + adminAddr = mkOption { example = "admin@example.org"; description = " diff --git a/upstart-jobs/apache-httpd/default.nix b/upstart-jobs/apache-httpd/default.nix new file mode 100644 index 00000000000..feec4f7f000 --- /dev/null +++ b/upstart-jobs/apache-httpd/default.nix @@ -0,0 +1,200 @@ +{config, pkgs}: + +let + + cfg = config.services.httpd; + + startingDependency = if config.services.gw6c.enable then "gw6c" else "network-interfaces"; + + httpd = pkgs.apacheHttpd; + + + documentRoot = "/etc"; + + + # Names of modules from ${httpd}/modules that we want to load. + apacheModules = + [ # HTTP authentication mechanisms: basic and digest. + "auth_basic" "auth_digest" + + # Authentication: is the user who he claims to be? + "authn_file" "authn_dbm" "authn_anon" "authn_alias" + + # Authorization: is the user allowed access? + "authz_user" "authz_groupfile" "authz_host" + + # Other modules. + "ext_filter" "include" "log_config" "env" "mime_magic" + "cern_meta" "expires" "headers" "usertrack" "unique_id" "setenvif" + "mime" "dav" "status" "autoindex" "asis" "info" "cgi" "dav_fs" + "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling" + "userdir" "alias" "rewrite" + ] ++ pkgs.lib.optional cfg.enableSSL "ssl_module"; + + + loggingConf = '' + ErrorLog ${cfg.logDir}/error_log + + LogLevel notice + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common + LogFormat "%{Referer}i -> %U" referer + LogFormat "%{User-agent}i" agent + + CustomLog ${cfg.logDir}/access_log common + ''; + + + browserHacks = '' + BrowserMatch "Mozilla/2" nokeepalive + BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 + BrowserMatch "RealPlayer 4\.0" force-response-1.0 + BrowserMatch "Java/1\.0" force-response-1.0 + BrowserMatch "JDK/1\.0" force-response-1.0 + BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully + BrowserMatch "^WebDrive" redirect-carefully + BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully + BrowserMatch "^gnome-vfs" redirect-carefully + ''; + + + sslConf = '' + Listen ${toString cfg.httpsPort} + + SSLSessionCache dbm:${cfg.stateDir}/ssl_scache + + SSLMutex file:${cfg.stateDir}/ssl_mutex + + SSLRandomSeed startup builtin + SSLRandomSeed connect builtin + + + + SSLEngine on + + SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL + + SSLCertificateFile @sslServerCert@ + SSLCertificateKeyFile @sslServerKey@ + + # MSIE compatability. + SetEnvIf User-Agent ".*MSIE.*" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + + + ''; + + + mimeConf = '' + TypesConfig ${httpd}/conf/mime.types + + AddType application/x-x509-ca-cert .crt + AddType application/x-pkcs7-crl .crl + + + MIMEMagicFile ${httpd}/conf/magic + + + AddEncoding x-compress Z + AddEncoding x-gzip gz tgz + ''; + + + documentRootConf = '' + DocumentRoot "${documentRoot}" + + + Options Indexes FollowSymLinks + AllowOverride None + Order allow,deny + Allow from all + + ''; + + + httpdConf = pkgs.writeText "httpd.conf" '' + + ServerRoot ${httpd} + + ServerAdmin ${cfg.adminAddr} + + ServerName ${cfg.hostName}:${toString cfg.httpPort} + + PidFile ${cfg.stateDir}/httpd.pid + + + MaxClients 150 + MaxRequestsPerChild 0 + + + Listen ${toString cfg.httpPort} + + User ${cfg.user} + Group ${cfg.group} + + ${let f = name: "LoadModule ${name}_module ${httpd}/modules/mod_${name}.so\n"; + in pkgs.lib.concatStrings (map f apacheModules) + } + + # !!! is this a good idea? + UseCanonicalName Off + + ServerSignature On + + ${if cfg.noUserDir then "" else "UserDir public_html"} + + AddHandler type-map var + + + Order allow,deny + Deny from all + + + ${mimeConf} + ${loggingConf} + ${browserHacks} + + Include ${httpd}/conf/extra/httpd-autoindex.conf + Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf + Include ${httpd}/conf/extra/httpd-languages.conf + + ${if cfg.enableSSL then sslConf else ""} + + + Options FollowSymLinks + AllowOverride None + + + ${documentRootConf} + ''; + + +in + +{ + + name = "httpd"; + + users = [ + { name = cfg.user; + description = "Apache httpd user"; + } + ]; + + groups = [ + { name = cfg.group; + } + ]; + + job = '' + description "Apache HTTPD" + + start on ${startingDependency}/started + stop on ${startingDependency}/stop + + respawn ${httpd}/bin/httpd -f ${httpdConf} -DNO_DETACH + ''; + +}