Nginx mutual TLS optional

Hello,

I need to implement mutual TLS.

I also need to have simple TLS for my frontend based at ‘/’

I found this code for nginx that allows this use case, but I can't see how to script it in NixOS.

Especially the 'if' part and the conditioning on the location.

server {
    listen              443 ssl;
    server_name         "myserver.net";
    ssl_certificate     server.crt;
    ssl_certificate_key server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    # CA that client certificates must chain to. "optional" lets the
    # handshake succeed without a client certificate; the outcome is
    # recorded in $ssl_client_verify so each location can decide.
    ssl_client_certificate /etc/nixos/client_certs/ca.crt;
    ssl_verify_client      optional;

    # ...

    location /api {
        # Only requests that presented a verified client certificate
        # reach the backend; "return" inside "if" is safe in nginx.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8761;

        # ...
    }

    location / {
        root /www/data;
        # ...
    }
}

My current configuration has 1 virtual host and several locations served on port 443.

services.nginx = {
  enable = true;
  virtualHosts.${config.networking.hostName} = {
    forceSSL = true;
    sslCertificate = "/etc/nixos/certs/example.com.crt";
    sslCertificateKey = "/etc/nixos/certs/example.com.key";

    # nginx locations are URI prefixes, so the key needs the leading slash
    locations."/api" = {
      # ....
    };
  };
};

Thanks for the help

I think I can just put the complex part into the extraConfig block.

So it should be OK. I am still building the mutual TLS solution, but this seems promising:


services.nginx = {
  enable = true;

  virtualHosts."frontend" = {
    serverName = "example.net";

    forceSSL = true;
    sslCertificate = "/etc/nixos/certs/intercom-broker.crt";
    sslCertificateKey = "/etc/nixos/certs/intercom-broker.key";

    # Raw nginx config, inserted verbatim into this server { } block
    extraConfig = ''
      location /api {
        proxy_pass http://127.0.0.1:8761;
        proxy_set_header Connection $http_connection;
        proxy_http_version 1.1;
        chunked_transfer_encoding off;
        proxy_buffering off;
        proxy_cache off;
      }

      location / {
        root "/etc/nixos/root_last";
        try_files $uri $uri/ /index.html;
      }
    '';
  };
};

I should be able to put my ifs into the extraConfig.
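For readers who want to see the two halves of the thread (the optional client verification from the first post and the extraConfig approach from the second) combined, here is one complete NixOS module. This is an added example, not the original poster's configuration; the certificate paths, server name and backend port 8761 are assumptions carried over from the snippets above, and ssl_verify_depth 2 is an assumed value to adjust to your CA chain.

```nix
# Added example: full mTLS-optional nginx vhost for NixOS.
# Assumed from the thread: cert paths, example.net, backend on 127.0.0.1:8761.
{ ... }:
{
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;    # sane ssl_protocols / ssl_ciphers defaults
    recommendedProxySettings = true;  # Host and X-Forwarded-* headers for the backend

    virtualHosts."frontend" = {
      serverName = "example.net";
      forceSSL = true;
      sslCertificate = "/etc/nixos/certs/intercom-broker.crt";
      sslCertificateKey = "/etc/nixos/certs/intercom-broker.key";

      # Server-level mTLS settings. "optional" means the TLS handshake still
      # succeeds when the client sends no certificate, or one that does not
      # chain to ca.crt; nginx stores the verdict in $ssl_client_verify
      # instead of closing the connection, so plain TLS keeps working on "/".
      extraConfig = ''
        ssl_client_certificate /etc/nixos/client_certs/ca.crt;
        ssl_verify_client optional;
        ssl_verify_depth 2;   # assumed chain depth: adjust to your CA hierarchy
      '';

      # Public frontend: no client certificate required.
      locations."/" = {
        root = "/etc/nixos/root_last";
        tryFiles = "$uri $uri/ /index.html";
      };

      # Protected API. $ssl_client_verify is "SUCCESS", "NONE" (no cert
      # sent) or "FAILED:<reason>", so one inequality covers every bad case.
      # The check has to be repeated in every location that needs mTLS;
      # "ssl_verify_client optional" on its own rejects nothing.
      locations."/api" = {
        proxyPass = "http://127.0.0.1:8761";
        extraConfig = ''
          if ($ssl_client_verify != SUCCESS) {
            return 403;
          }
          # Tell the backend which client connected. proxy_set_header
          # overwrites any X-Client-DN header the client itself sent.
          proxy_set_header X-Client-DN $ssl_client_s_dn;
          proxy_set_header Connection $http_connection;
          proxy_http_version 1.1;
          chunked_transfer_encoding off;
          proxy_buffering off;
          proxy_cache off;
        '';
      };
    };
  };
}
```

After nixos-rebuild, curl --cacert ca.crt https://example.net/api should return 403, while curl --cacert ca.crt --cert client.crt --key client.key https://example.net/api (with a client certificate issued by ca.crt) should be proxied to the backend; https://example.net/ must work either way. If a location that should be protected answers without a certificate, the if block is missing from that location.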

Hi @AmbroiseS, did you get this working in the end? I am looking to implement mTLS for some self-hosted services.

Hello @ada7urhb

Yes, it's working. I can post it if you want, but it is actually not NixOS-specific.

I am using it for local networks, your needs may differ.

The takeaway from my posts above is that you can do your nginx as usual and put it in “extraConfig” if the provided declarative parameters don’t cover your needs.

Thanks @AmbroiseS. It was more: did you get Nix to create and manage the certs used, or did you manually create them externally and point Nix to them in your config?

I created them myself and automatically copy the certs onto my new installs.
