[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#46049] [PATCH] services: nginx: Add ssl-protocols option.
From: |
Jonathan Brielmaier |
Subject: |
[bug#46049] [PATCH] services: nginx: Add ssl-protocols option. |
Date: |
Sun, 24 Jan 2021 14:25:32 +0100 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Icedove/78.6.1 |
On 24.01.21 02:36, Tobias Geerinckx-Rice wrote:
Jonathan Brielmaier 写道:
The default settings is accordingly to Mozillas "Intermediate"
configuration for nginx: https://ssl-config.mozilla.org
Oh, I see! Hiding subjective tweaks to upstream defaults in Guix
services is a bad idea.
Imagine debugging this at 2 a.m., staring at the official nginx
documentation through your tears.
I see your point, but I usually start with the Guix service
documentation and it clearly would state "TLSv1.2 TLSv1.3". If your
client doesn't support TLSv1.2 (thats 12 years old), it's maybe a better
idea to fallback to HTTP...
I think in general its a good idea to follow upstreams default, but it
should not hinder us to make more secure defaults
I would also like to implement an option with good defaults for
`ssl_ciphers` if you have ideas how to do that in a nice way speak up :)
How about writing ‘mozilla-recommended’ nginx configuration presets that
users can inherit from? This would imply keeping them up to date,
including the specific versions of nginx and *ssl in Guix.
Hm, I try to keep stuff simple and to be honest all those service
"matroska" stuff grows over my head. If theres an error I can not debug
them at 2am or at any other time...
A compromise would maybe something like :
(ssl-protocols %upstream-default OR %mozilla-default OR "Your custom
string")