nixos/nginx: fix config validation with hostnames in proxy_pass

nixos/modules/services/web-servers/nginx/default.nix

@@ -401,25 +401,68 @@ let
     openssl req -new -key $out/server.key -out server.csr \
     -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com"
     openssl x509 -req -days 1 -in server.csr -signkey $out/server.key -out $out/server.crt
+    openssl dhparam -out $out/dhparam.pem 1024
   '';
-  validatedConfigFile = pkgs.runCommand "validated-nginx.conf" { nativeBuildInputs = [ cfg.package ]; } ''
+  fakednsConfig = builtins.toFile "fakednsConfig" ''
+    [Settings]
+    ListenOnPort = 53
+    [DomainPattern]
+    name_pattern = *
+    answer_A = 192.168.42.42
+    answer_AAAA = fdac:3d9f:2940:bddd::1
+  '';
+  nginxWithResolver = pkgs.writeShellScript "nginxWithResolver" ''
+    set -e
+    fakedns --config ${fakednsConfig} &
+    # wait for the server to be ready
+    for i in $(seq 1 1000); do
+      if getent hosts foo.bar; then
+        break
+      fi
+      sleep 1
+    done
+    nginx -t -c /etc/nginx.conf || true
+  '';
+
+  validatedConfigFile = pkgs.runCommand "validated-nginx.conf" { nativeBuildInputs = [ cfg.package pkgs.bubblewrap pkgs.fakedns pkgs.getent ]; } ''
     # nginx absolutely wants to read the certificates even when told to only validate config, so let's provide fake certs
     sed ${configFile} \
-    -e "s|ssl_certificate .*;|ssl_certificate ${snakeOilCert}/server.crt;|g" \
-    -e "s|ssl_trusted_certificate .*;|ssl_trusted_certificate ${snakeOilCert}/server.crt;|g" \
-    -e "s|ssl_certificate_key .*;|ssl_certificate_key ${snakeOilCert}/server.key;|g" \
+    -e "s|ssl_certificate [^;]*;|ssl_certificate ${snakeOilCert}/server.crt;|g" \
+    -e "s|ssl_trusted_certificate [^;]*;|ssl_trusted_certificate ${snakeOilCert}/server.crt;|g" \
+    -e "s|ssl_certificate_key [^;]*;|ssl_certificate_key ${snakeOilCert}/server.key;|g" \
+    -e "s|ssl_password_file [^;]*;||g" \
+    -e "s|ssl_dhparam [^;]*;|ssl_dhparam ${snakeOilCert}/dhparam.pem;|g" \
     > conf
 
-    LD_PRELOAD=${pkgs.libredirect}/lib/libredirect.so \
-      NIX_REDIRECTS="/etc/resolv.conf=/dev/null" \
-      nginx -t -c $(readlink -f ./conf) > out 2>&1 || true
+
+    # nginx absolutely wants to resolve hostnames of upstream servers during parsing.
+    # we run a fake dns server inside a network namespace to fake that.
+    mkdir -p root/etc
+    for i in passwd group hosts; do cp /etc/$i root/etc/; done
+    mkdir -p root/var/log/nginx
+    echo "nameserver 127.0.0.1" > root/etc/resolv.conf
+    cp conf root/etc/nginx.conf
+    bwrun="bwrap --unshare-net --cap-add CAP_NET_BIND_SERVICE --bind root / --bind /nix /nix"
+    if $bwrun true; then
+      # user namespaces are available
+      userns=yes;
+      $bwrun ${nginxWithResolver} > out 2>&1;
+    else
+      userns=no;
+      echo "user namespaces are not available, dns resolution will fail if required";
+      nginx -t -c $(readlink -f ./conf) > out 2>&1 || true;
+    fi
     if ! grep -q "syntax is ok" out; then
-      echo nginx config validation failed.
-      echo config was ${configFile}.
-      echo 'in case of false positive, set `services.nginx.validateConfig` to false.'
-      echo nginx output:
-      cat out
-      exit 1
+      if grep -q "host not found" out && [[ $userns == no ]]; then
+        echo "validation failed because user namespaces are not available and the configuration contains hostnames. Accepting config."
+      else
+        echo nginx config validation failed.
+        echo config was ${configFile}.
+        echo 'in case of false positive, set `services.nginx.validateConfig` to false.'
+        echo nginx output:
+        cat out
+        exit 1
+      fi
     fi
     cp ${configFile} $out
   '';

nixos/tests/nginx.nix

@@ -59,6 +59,24 @@ import ./make-test-python.nix ({ pkgs, ... }: {
         services.nginx.package = pkgs.nginxMainline;
       };
 
+      # configuration validation must not fail when configuration references
+      # unreachable hostnames, https://github.com/NixOS/nixpkgs/issues/207409
+      specialisation.configValidationRegression.configuration = {
+        services.nginx.virtualHosts."1.my.test" = {
+          addSSL = true;
+          sslTrustedCertificate = "/dev/nonexistent/ca";
+          sslCertificateKey = "/dev/nonexistent/key";
+          sslCertificate = "/dev/nonexistent/cert";
+          locations."/".proxyPass = "http://some.other.domain";
+        };
+        services.nginx.upstreams."yay".servers."1.2.3.4:3000" = {};
+        services.nginx.sslDhparam = "/var/lib/dhparams/nginx.pem";
+        security.dhparams = {
+          stateful = true;
+          params = { nginx.bits = 2048; };
+        };
+      };
+
       specialisation.reloadWithErrorsSystem.configuration = {
         services.nginx.package = pkgs.nginxMainline;
         services.nginx.virtualHosts."hello".extraConfig = "access_log /does/not/exist.log;";

pkgs/development/python-modules/cli-formatter/default.nix

@@ -0,0 +1,17 @@
+{ buildPythonPackage, fetchPypi, lib }:
+buildPythonPackage rec {
+  pname = "cli-formatter";
+  version = "1.2.0";
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "sha256-Vpi2R0DHL9ouxsEtcyJx+reMjItlvtihfbMxJbECfak=";
+  };
+
+  meta = {
+    description = "Utility for formatting console output for cli scripts";
+    homepage = "https://github.com/wahlflo/cli-formatter";
+    license = [ lib.licenses.mit ];
+    maintainers = [ lib.maintainers.symphorien ];
+  };
+}

pkgs/development/python-modules/dns-messages/default.nix

@@ -0,0 +1,23 @@
+{ buildPythonPackage, fetchPypi, lib }:
+
+buildPythonPackage rec {
+  pname = "dns-messages";
+  version = "1.0.0";
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "sha256-00gjYwEUeizid/kXxGV2WjBzO/PCpDjV2hMmYUdjPd4=";
+  };
+
+  # has no tests
+  doCheck = false;
+
+  pythonImportsCheck = [ "dns_messages" ];
+
+  meta = {
+    description = "A Python3 library for parsing and generating DNS messages";
+    homepage = "https://github.com/wahlflo/dns-messages";
+    license = [ lib.licenses.mit ];
+    maintainers = [ lib.maintainers.symphorien ];
+  };
+}

pkgs/tools/networking/fakedns/default.nix

@@ -0,0 +1,27 @@
+{ python3, fetchFromGitHub, lib }:
+
+python3.pkgs.buildPythonApplication {
+  pname = "fakedns";
+  version = "2022-08-14";
+
+  src = fetchFromGitHub {
+    owner = "wahlflo";
+    repo = "fakedns";
+    rev = "11397c3e5180f30de184fba1dbfe9fc8ea85fadd";
+    sha256 = "sha256-ZGNZ8pa9loSTDqrx3ra7sRfsDKzJ1Z2UDlsg+qGq9xo=";
+  };
+
+  propagatedBuildInputs = with python3.pkgs; [
+    cli-formatter
+    dns-messages
+  ];
+
+  pythonImportsCheck = [ "fakedns" ];
+
+  meta = {
+    description = "A fake DNS server for malware analysis";
+    homepage = "https://github.com/wahlflo/fakedns";
+    license = [ lib.licenses.mit ];
+    maintainers = [ lib.maintainers.symphorien ];
+  };
+}

pkgs/top-level/all-packages.nix

@@ -4444,6 +4444,8 @@ with pkgs;
 
   facter = callPackage ../tools/system/facter { };
 
+  fakedns = callPackage ../tools/networking/fakedns { };
+
   faketty = callPackage ../tools/misc/faketty { };
 
   fasd = callPackage ../tools/misc/fasd { };

pkgs/top-level/python-packages.nix

@@ -1815,6 +1815,8 @@ self: super: with self; {
 
   clize = callPackage ../development/python-modules/clize { };
 
+  cli-formatter = callPackage ../development/python-modules/cli-formatter { };
+
   clldutils = callPackage ../development/python-modules/clldutils { };
 
   cloudflare = callPackage ../development/python-modules/cloudflare { };
@@ -2694,6 +2696,8 @@ self: super: with self; {
 
   dnspython = callPackage ../development/python-modules/dnspython { };
 
+  dns-messages = callPackage ../development/python-modules/dns-messages { };
+
   doc8 = callPackage ../development/python-modules/doc8 { };
 
   docformatter = callPackage ../development/python-modules/docformatter { };