Nginx mutualTLS optional

Hello,

I need to implement mutual TLS.

I also need to have simple TLS for my frontend based at ‘/’

I found this nginx config that covers this use case, but I can’t see how to express it in NixOS.

Especially the ‘if’ part and the conditioning on the location.

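server {
    listen                 443 ssl;
    server_name            "myserver.net";
    ssl_certificate        server.crt;
    ssl_certificate_key    server.key;
    ssl_protocols          TLSv1.2 TLSv1.3;
    ssl_ciphers            HIGH:!aNULL:!MD5;

    # CA bundle used to verify client certificates. "optional" means the
    # handshake succeeds whether or not the client presents a certificate;
    # the outcome is exposed in $ssl_client_verify (SUCCESS, NONE or
    # FAILED:<reason>) and must be checked per location. Only /api below
    # enforces it; / stays reachable over plain server-side TLS.
    # If client certs are issued by an intermediate CA, ssl_verify_depth
    # may need raising (it defaults to 1).
    ssl_client_certificate /etc/nixos/client_certs/ca.crt;
    ssl_verify_client      optional;

    # ...

    location /api {
      # Reject any request that did not present a certificate verifying
      # against the CA above (NONE and FAILED:* both fall into this branch).
      if ($ssl_client_verify != SUCCESS) {
        return 403;
      }
      # nginx directive syntax; `proxyPass = "...";` was Nix syntax and
      # would fail nginx's config check.
      proxy_pass http://127.0.0.1:8761;

      # ...
    }
    location / {
        root /www/data;
        # ...
    }
}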

My current configuration has 1 virtual host and several locations served on port 443.

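nginx = {
  enable = true;
  virtualHosts.${config.networking.hostName} = {
    forceSSL = true;
    sslCertificate = "/etc/nixos/certs/example.com.crt";
    sslCertificateKey = "/etc/nixos/certs/example.com.key";

    # Attribute definitions need `=`; `locations."api" {` is a Nix syntax
    # error. The attribute name is emitted as the nginx location match, so
    # it presumably should be "/api" (a prefix without a leading slash never
    # matches a request URI) — confirm against the generated nginx.conf.
    locations."api" = {
      # ....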

Thanks for the help

I think I can just put the complex part into the extraConfig block.

So this should be OK; I am still building the mutual TLS solution, but this seems promising:


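  services.nginx = {
    enable = true;

    virtualHosts."frontend" = {
      serverName = "example.net";

      forceSSL = true;
      sslCertificate = "/etc/nixos/certs/intercom-broker.crt";
      sslCertificateKey = "/etc/nixos/certs/intercom-broker.key";

      # Raw nginx config appended inside the generated server block. In a
      # Nix '' string a literal "${" has to be written "''${"; the $uri and
      # $http_connection variables below carry no braces, so they pass
      # through unchanged.
      extraConfig = ''
        # Client-certificate verification is optional at handshake time;
        # enforcement happens per location via $ssl_client_verify, so /
        # stays plain TLS while /api requires a verified client cert.
        ssl_client_certificate /etc/nixos/client_certs/ca.crt;
        ssl_verify_client      optional;

        location /api {
          if ($ssl_client_verify != SUCCESS) {
            return 403;
          }
          proxy_pass http://127.0.0.1:8761;
          proxy_set_header Connection $http_connection;
          proxy_http_version 1.1;
          chunked_transfer_encoding off;
          proxy_buffering off;
          proxy_cache off;
        }

        location / {
          root "/etc/nixos/root_last";
          try_files $uri $uri/ /index.html;
        }
      '';
    };
  };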

I should be able to put my ‘if’ blocks into the extraConfig.