From a768871934dd263423fca2979cedd7f5e8c7379d Mon Sep 17 00:00:00 2001 From: Guillaume Girol Date: Sat, 10 Dec 2022 12:00:00 +0000 Subject: [PATCH 1/2] nixos/nginx: validate syntax of config file at build time Shamelessly stolen from nixcloud-webservices: https://github.com/nixcloud/nixcloud-webservices/blob/master/modules/web/webserver/lib/nginx_check_config.nix The nixos test testing the behavior of nginx in case of faulty config would not build with this change (on purpose), so I modified it so that the failure is not syntactic. --- .../services/web-servers/nginx/default.nix | 47 +++++++++++++++++-- nixos/tests/nginx.nix | 2 +- 2 files changed, 45 insertions(+), 4 deletions(-) diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 85c76ed59d6..a7cde85a588 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -241,7 +241,7 @@ let configPath = if cfg.enableReload then "/etc/nginx/nginx.conf" - else configFile; + else finalConfigFile; execCommand = "${cfg.package}/bin/nginx -c '${configPath}'"; @@ -391,6 +391,38 @@ let ); mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix; + + snakeOilCert = pkgs.runCommand "nginx-config-validate-cert" { nativeBuildInputs = [ pkgs.openssl.bin ]; } '' + mkdir $out + openssl genrsa -des3 -passout pass:xxxxx -out server.pass.key 2048 + openssl rsa -passin pass:xxxxx -in server.pass.key -out $out/server.key + openssl req -new -key $out/server.key -out server.csr \ + -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com" + openssl x509 -req -days 1 -in server.csr -signkey $out/server.key -out $out/server.crt + ''; + validatedConfigFile = pkgs.runCommand "validated-nginx.conf" { nativeBuildInputs = [ cfg.package ]; } '' + # nginx absolutely wants to read the certificates even when told to only validate config, so let's provide fake certs + sed ${configFile} \ + -e "s|ssl_certificate .*;|ssl_certificate ${snakeOilCert}/server.crt;|g" \ + -e "s|ssl_trusted_certificate .*;|ssl_trusted_certificate ${snakeOilCert}/server.crt;|g" \ + -e "s|ssl_certificate_key .*;|ssl_certificate_key ${snakeOilCert}/server.key;|g" \ + > conf + + LD_PRELOAD=${pkgs.libredirect}/lib/libredirect.so \ + NIX_REDIRECTS="/etc/resolv.conf=/dev/null" \ + nginx -t -c $(readlink -f ./conf) > out 2>&1 || true + if ! grep -q "syntax is ok" out; then + echo nginx config validation failed. + echo config was ${configFile}. + echo 'in case of false positive, set `services.nginx.validateConfig` to false.' + echo nginx output: + cat out + exit 1 + fi + cp ${configFile} $out + ''; + + finalConfigFile = if cfg.validateConfig then validatedConfigFile else configFile; in { @@ -489,6 +521,15 @@ in ''; }; + validateConfig = mkOption { + default = pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform; + defaultText = literalExpression "pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform"; + type = types.bool; + description = lib.mdDoc '' + Validate the generated nginx config at build time. The check is not very robust and can be disabled in case of false positives. This is notably the case when cross-compiling or when using `include` with files outside of the store. + ''; + }; + additionalModules = mkOption { default = []; type = types.listOf (types.attrsOf types.anything); @@ -1027,7 +1068,7 @@ in }; environment.etc."nginx/nginx.conf" = mkIf cfg.enableReload { - source = configFile; + source = finalConfigFile; }; # This service waits for all certificates to be available @@ -1046,7 +1087,7 @@ in # certs are updated _after_ config has been reloaded. before = sslTargets; after = sslServices; - restartTriggers = optionals (cfg.enableReload) [ configFile ]; + restartTriggers = optionals (cfg.enableReload) [ finalConfigFile ]; # Block reloading if not all certs exist yet. # Happens when config changes add new vhosts/certs. unitConfig.ConditionPathExists = optionals (sslServices != []) (map (certName: certs.${certName}.directory + "/fullchain.pem") dependentCertNames); diff --git a/nixos/tests/nginx.nix b/nixos/tests/nginx.nix index d9d073822a1..73f1133bd6c 100644 --- a/nixos/tests/nginx.nix +++ b/nixos/tests/nginx.nix @@ -61,7 +61,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { specialisation.reloadWithErrorsSystem.configuration = { services.nginx.package = pkgs.nginxMainline; - services.nginx.virtualHosts."!@$$(#*%".locations."~@#*$*!)".proxyPass = ";;;"; + services.nginx.virtualHosts."hello".extraConfig = "access_log /does/not/exist.log;"; }; }; }; From 26a411b2cb177f88856dfbd1c85367a7647d4d61 Mon Sep 17 00:00:00 2001 From: Guillaume Girol Date: Sat, 10 Dec 2022 12:00:00 +0000 Subject: [PATCH 2/2] nixos: add release notes for nginx config validation --- .../manual/from_md/release-notes/rl-2305.section.xml | 10 ++++++++++ nixos/doc/manual/release-notes/rl-2305.section.md | 2 ++ 2 files changed, 12 insertions(+) diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml index 61daeac86a6..15aa99a7c25 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml @@ -117,6 +117,16 @@ true, or configure your firewall. + + + The Nginx module now validates the syntax of config files at + build time. For more complex configurations (using + include with out-of-store files notably) + you may need to disable this check by setting + services.nginx.validateConfig + to false. + + The EC2 image module previously detected and automatically diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index f9c76b02f89..b00719314e3 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -37,6 +37,8 @@ In addition to numerous new and upgraded packages, this release has the followin - The [services.unifi-video.openFirewall](#opt-services.unifi-video.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitely set this option to `true`, or configure your firewall. +- The Nginx module now validates the syntax of config files at build time. For more complex configurations (using `include` with out-of-store files notably) you may need to disable this check by setting [services.nginx.validateConfig](#opt-services.nginx.validateConfig) to `false`. + - The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2. - The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.