diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 5717b86b3bea6..4aeca17543261 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -313,9 +313,12 @@ let ${optionalString (hasSSL && vhost.sslTrustedCertificate != null) '' ssl_trusted_certificate ${vhost.sslTrustedCertificate}; ''} - ${optionalString vhost.rejectSSL '' + ${optionalString (hasSSL && vhost.rejectSSL) '' ssl_reject_handshake on; ''} + ${optionalString (hasSSL && vhost.kTLS) '' + ssl_conf_command Options KTLS; + ''} ${mkBasicAuth vhostName vhost} @@ -820,6 +823,14 @@ in ''; } + { + assertion = any (host: host.kTLS) (attrValues virtualHosts) -> versionAtLeast cfg.package.version "1.21.4"; + message = '' + services.nginx.virtualHosts..kTLS requires nginx version + 1.21.4 or above; see the documentation for services.nginx.package. + ''; + } + { assertion = all (host: !(host.enableACME && host.useACMEHost != null)) (attrValues virtualHosts); message = '' @@ -896,7 +907,7 @@ in PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; - SystemCallFilter = "~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid @mincore"; + SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid @mincore" ] ++ optionals (cfg.package != pkgs.tengine) [ "~@ipc" ]; }; }; diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index 7ee041d372113..7f49ce9586cac 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -147,6 +147,17 @@ with lib; ''; }; + kTLS = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable kTLS support. + Implementing TLS in the kernel (kTLS) improves performance by significantly + reducing the need for copying operations between user space and the kernel. + Required Nginx version 1.21.4 or later. + ''; + }; + sslCertificate = mkOption { type = types.path; example = "/var/host.cert"; diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index ca2e240dd869f..b8cd042cb3012 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -108,6 +108,7 @@ let "-DUSE_CRYPTODEV_DIGESTS" ] ++ lib.optional enableSSL2 "enable-ssl2" ++ lib.optional enableSSL3 "enable-ssl3" + ++ lib.optional (versionAtLeast version "3.0.0") "enable-ktls" ++ lib.optional (versionAtLeast version "1.1.0" && stdenv.hostPlatform.isAarch64) "no-afalgeng" # OpenSSL needs a specific `no-shared` configure flag. # See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options diff --git a/pkgs/servers/http/nginx/generic.nix b/pkgs/servers/http/nginx/generic.nix index 7465589d636e9..fa711d1dff4f0 100644 --- a/pkgs/servers/http/nginx/generic.nix +++ b/pkgs/servers/http/nginx/generic.nix @@ -3,6 +3,7 @@ , nixosTests , substituteAll, gd, geoip, perl , withDebug ? false +, withKTLS ? false , withStream ? true , withMail ? false , withPerl ? true @@ -80,6 +81,8 @@ stdenv.mkDerivation { "--http-scgi-temp-path=/var/cache/nginx/scgi" ] ++ optionals withDebug [ "--with-debug" + ] ++ optionals withKTLS [ + "--with-openssl-opt=enable-ktls" ] ++ optionals withStream [ "--with-stream" "--with-stream_realip_module" diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index e9526189b7f35..15f4cb5cee859 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -21035,6 +21035,7 @@ with pkgs; nginxMainline = callPackage ../servers/http/nginx/mainline.nix { zlib = zlib-ng.override { withZlibCompat = true; }; + withKTLS = true; withPerl = false; # We don't use `with` statement here on purpose! # See https://github.com/NixOS/nixpkgs/pull/10474#discussion_r42369334