help-guix

Re: Running Substitute Server over https


From: Tobias Geerinckx-Rice
Subject: Re: Running Substitute Server over https
Date: Sat, 06 Feb 2021 11:52:23 +0100

Phil,

Phil wrote:
> I have a substitute server running trivially using http,

That's all ‘guix publish’ does; it doesn't speak HTTPS.

That's by design (at least I hope it is): TLS should be handled by a separate, well-audited proxy layer. Ideally one written in C.

> but there doesn't seem to be anything in the manual about how/where to configure my certificate file, etc, to run a server over https.

I use nginx to proxy my local ‘guix publish’ server[0]. I think that's what everyone[1][2][3] does.

Basically:

 server {
   server_name guix.tobias.gr;
   listen [::]:443 ssl http2;
   listen      443 ssl http2;
   listen [::]:80;
   listen      80;
   ssl_certificate         /etc/tls/tobias.gr/fullchain.pem;
   ssl_certificate_key     /etc/tls/tobias.gr/privkey.pem;
   ssl_trusted_certificate /etc/tls/tobias.gr/chain.pem;

   set $upstream athena.tobias.gr; # hack to respect TTL

   location = /nix-cache-info {
     proxy_pass http://$upstream:3000;
   }

   location ~ /(file|log|nar) {
     proxy_pass http://$upstream:3000;
   }

   location / { # /*.narinfo
     proxy_pass http://$upstream:3000;
   }

   [...several pages of caching, APIs, &c. snipped...]
 }

You'd probably use ‘localhost’ since your publisher is probably not running on a separate node.

Kind regards,

T G-R

[0]: https://guix.tobias.gr
[1]: https://ci.guix.gnu.org
[2]: https://bayfront.guix.gnu.org
[3]: https://guix.cbaines.net
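As an added example (not from this thread), the same layout written as Guix System service declarations for the "publisher on localhost" case: ‘guix publish’ bound to loopback on plain HTTP, nginx terminating TLS in front of it and forwarding /nix-cache-info, *.narinfo and /nar/ requests. Field names follow guix-publish-configuration and nginx-server-configuration; the host name, port and certificate paths are placeholders.

```scheme
;; Added example, not code from the thread.  Placeholders: guix.example.org,
;; the certificate paths and port 3000.
(use-modules (gnu)
             (gnu services base)   ; guix-publish-service-type
             (gnu services web))   ; nginx-service-type

(define %publish-port 3000)

;; guix publish itself speaks only HTTP, so bind it to loopback: nothing but
;; the local TLS proxy can reach the unauthenticated port.
(define %guix-publish
  (service guix-publish-service-type
           (guix-publish-configuration
            (host "127.0.0.1")
            (port %publish-port))))

;; nginx terminates TLS and proxies every path to the loopback publisher.
;; Publishing is the only thing this vhost does, so one catch-all location
;; covers /nix-cache-info, *.narinfo and /nar/... alike.
(define %guix-proxy
  (service nginx-service-type
           (nginx-configuration
            (server-blocks
             (list
              (nginx-server-configuration
               (server-name '("guix.example.org"))
               (listen '("443 ssl http2" "[::]:443 ssl http2"))
               (ssl-certificate
                "/etc/letsencrypt/live/guix.example.org/fullchain.pem")
               (ssl-certificate-key
                "/etc/letsencrypt/live/guix.example.org/privkey.pem")
               (locations
                (list
                 (nginx-location-configuration
                  (uri "/")
                  (body (list (string-append
                               "proxy_pass http://127.0.0.1:"
                               (number->string %publish-port) ";"))))))))))))

;; In the operating-system declaration, add both services, e.g.:
;;   (services (append (list %guix-publish %guix-proxy) %base-services))
```

Because the publisher listens only on 127.0.0.1, the plain-HTTP port is unreachable from the network and clients see nothing but the TLS endpoint; narinfo signatures are still verified by the client against the key it authorized with ‘guix archive --authorize’, independently of the transport.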
