nginx: make global redirect vhost option accept exceptions

By moving the return into a location directive, one can provide
exceptions by adding locations. This is similar to what the forceSSL
option does.
Vincent Bernat 2022-12-03 18:58:33 +01:00
parent 04f574a1c0
commit fc39b5ecc8
6 changed files with 39 additions and 2 deletions


@ -268,6 +268,14 @@
dynamically.
</para>
</listitem>
<listitem>
<para>
Enabling global redirect in
<literal>services.nginx.virtualHosts</literal> now allows one
to add exceptions with the <literal>locations</literal>
option.
</para>
</listitem>
<listitem>
<para>
Resilio sync secret keys can now be provided using a secrets


@ -78,6 +78,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- The new option `users.motdFile` allows configuring a Message Of The Day that can be updated dynamically.
- Enabling global redirect in `services.nginx.virtualHosts` now allows one to add exceptions with the `locations` option.
- Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.
- The `services.fwupd` module now allows arbitrary daemon settings to be configured in a structured manner ([`services.fwupd.daemonSettings`](#opt-services.fwupd.daemonSettings)).


@ -318,7 +318,9 @@ let
${acmeLocation}
${optionalString (vhost.root != null) "root ${vhost.root};"}
${optionalString (vhost.globalRedirect != null) ''
return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri;
location / {
return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri;
}
''}
${optionalString hasSSL ''
ssl_certificate ${vhost.sslCertificate};
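Review bot: With the `return` now inside `location / {`, any `locations` already declared on a vhost that sets `globalRedirect` stop being shadowed by the redirect and start serving content after an upgrade, because the old server-level `return` ran before location matching. That is the intended feature, but for existing configurations it silently widens what the vhost exposes, so the option description should say so, e.g. `Entries in locations take precedence over this redirect.` A vhost that also defines `locations."/"` would presumably now render two `location /` blocks, which nginx rejects as a duplicate; the location rendering is outside this hunk, so confirm and consider an assertion that rejects that combination. The enclosing vhost template starts and ends outside the hunk.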


@ -435,6 +435,7 @@ in {
nginx = handleTest ./nginx.nix {};
nginx-auth = handleTest ./nginx-auth.nix {};
nginx-etag = handleTest ./nginx-etag.nix {};
nginx-globalredirect = handleTest ./nginx-globalredirect.nix {};
nginx-http3 = handleTest ./nginx-http3.nix {};
nginx-modsecurity = handleTest ./nginx-modsecurity.nix {};
nginx-njs = handleTest ./nginx-njs.nix {};


@ -0,0 +1,24 @@
import ./make-test-python.nix ({ pkgs, ... }: {
name = "nginx-globalredirect";
nodes = {
webserver = { pkgs, lib, ... }: {
services.nginx = {
enable = true;
virtualHosts.localhost = {
globalRedirect = "other.example.com";
# Add an exception
locations."/noredirect".return = "200 'foo'";
};
};
};
};
testScript = ''
webserver.wait_for_unit("nginx")
webserver.wait_for_open_port(80)
webserver.succeed("curl --fail -si http://localhost/alf | grep '^Location:.*/alf'")
webserver.fail("curl --fail -si http://localhost/noredirect | grep '^Location:'")
'';
})
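Review bot: The negative check on `/noredirect` also passes when the request itself fails, because `webserver.fail(...)` only needs the pipeline to exit non-zero and `grep` does that on empty output; a 404, a 500 or a refused connection would all satisfy it. Assert the exception positively instead, e.g. `webserver.succeed("curl --fail -s http://localhost/noredirect | grep -x foo")`, and keep the `Location:` absence check as a second step if wanted. The redirect check on `/alf` matches only the path, so it would not notice a wrong target host; `grep '^Location: http://other.example.com/alf'` pins host and scheme.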


@ -176,7 +176,7 @@ stdenv.mkDerivation {
passthru = {
modules = modules;
tests = {
inherit (nixosTests) nginx nginx-auth nginx-etag nginx-http3 nginx-pubhtml nginx-sandbox nginx-sso;
inherit (nixosTests) nginx nginx-auth nginx-etag nginx-globalredirect nginx-http3 nginx-pubhtml nginx-sandbox nginx-sso;
variants = lib.recurseIntoAttrs nixosTests.nginx-variants;
acme-integration = nixosTests.acme;
} // passthru.tests;