diff options
| author | Collin J. Doering | 2024-05-31 10:19:07 -0400 |
|---|---|---|
| committer | Collin J. Doering | 2024-05-31 10:19:07 -0400 |
| commit | bf8119a027a680c3f05714cbd2d38ed5c365f496 (patch) | |
| tree | fea9bebeeec36eda71207513b6de7c9629e39a7b /.guix/guix-na/config | |
| parent | 80570af8dd0176ac301e5be48aeefed8789c5856 (diff) | |
| download | guix-north-america-bf8119a027a680c3f05714cbd2d38ed5c365f496.tar.gz | |
balg02: Re-enable https (that was disabled in 4230616)
- https was initially disabled as nginx failed to start due to a missing certificate
- Worth noting that dhparam's were manually generated on balg02
Diffstat (limited to '.guix/guix-na/config')
| -rw-r--r-- | .guix/guix-na/config/balg02.scm | 38 |
1 files changed, 19 insertions, 19 deletions
diff --git a/.guix/guix-na/config/balg02.scm b/.guix/guix-na/config/balg02.scm index 7945465..371f514 100644 --- a/.guix/guix-na/config/balg02.scm +++ b/.guix/guix-na/config/balg02.scm @@ -225,7 +225,6 @@ PUBLISH-URL." "ssl_ciphers HIGH:!aNULL:!MD5;" "ssl_prefer_server_ciphers on;" - ;; TODO: these need to be generated ;; Use our own DH parameters created with: ;; openssl dhparam -out dhparams.pem 2048 ;; as suggested at <https://weakdh.org/sysadmin.html>. @@ -306,24 +305,25 @@ synonymous IETF language tags that should be mapped to the same $lang." "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"))) ;; HTTPS servers - ;; (nginx-server-configuration - ;; (listen '("443 ssl")) - ;; (server-name '("cuirass.genenetwork.org")) - ;; (ssl-certificate (le "cuirass.genenetwork.org")) - ;; (ssl-certificate-key (le "cuirass.genenetwork.org" 'key)) - ;; (locations (balg02-locations %publish-url)) - ;; (raw-content - ;; (append - ;; %tls-settings - ;; (list - ;; "access_log /var/run/nginx/https.access.log;" - ;; "proxy_set_header X-Forwarded-Host $host;" - ;; "proxy_set_header X-Forwarded-Port $server_port;" - ;; "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" - ;; ;; For Cuirass admin interface authentication - ;; "ssl_client_certificate /etc/ssl-ca/certs/ca.crt;" - ;; "ssl_verify_client optional;")))) - )) + (nginx-server-configuration + (listen '("443 ssl")) + (server-name '("cuirass.genenetwork.org")) + (ssl-certificate (le "cuirass.genenetwork.org")) + (ssl-certificate-key (le "cuirass.genenetwork.org" 'key)) + (locations (balg02-locations %publish-url)) + (raw-content + (append + %tls-settings + (list + "access_log /var/run/nginx/https.access.log;" + "proxy_set_header X-Forwarded-Host $host;" + "proxy_set_header X-Forwarded-Port $server_port;" + "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" + ;; TODO: + ;; For Cuirass admin interface authentication + ;; "ssl_client_certificate /etc/ssl-ca/certs/ca.crt;" + ;; "ssl_verify_client optional;" + )))))) (define %extra-content (list |