-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2305.section.xml8
-rw-r--r--nixos/doc/manual/release-notes/rl-2305.section.md2
-rw-r--r--nixos/modules/services/web-apps/discourse.nix2
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix64
-rw-r--r--pkgs/servers/http/nginx/modules.nix10
5 files changed, 77 insertions, 9 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
index 23a39a52ab20..2b4fb6fc92f2 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@@ -393,6 +393,14 @@
</listitem>
<listitem>
<para>
+ A new option <literal>recommendedBrotliSettings</literal> has
+ been added to <literal>services.nginx</literal>. Learn more
+ about compression in Brotli format
+ <link xlink:href="https://github.com/google/ngx_brotli/blob/master/README.md">here</link>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
Resilio sync secret keys can now be provided using a secrets
file at runtime, preventing these secrets from ending up in
the Nix store.
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index 3e4f0fd490f6..1328f317dbfa 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -107,6 +107,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- Enabling global redirect in `services.nginx.virtualHosts` now allows one to add exceptions with the `locations` option.
+- A new option `recommendedBrotliSettings` has been added to `services.nginx`. Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/blob/master/README.md).
+
- Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.
- The `firewall` and `nat` module now has a nftables based implementation. Enable `networking.nftables` to use it.
diff --git a/nixos/modules/services/web-apps/discourse.nix b/nixos/modules/services/web-apps/discourse.nix
index 1ab0e679a54b..b8104ade4676 100644
--- a/nixos/modules/services/web-apps/discourse.nix
+++ b/nixos/modules/services/web-apps/discourse.nix
@@ -820,10 +820,10 @@ in
services.nginx = lib.mkIf cfg.nginx.enable {
enable = true;
- additionalModules = [ pkgs.nginxModules.brotli ];
recommendedTlsSettings = true;
recommendedOptimisation = true;
+ recommendedBrotliSettings = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 8377e8a76d52..95e600ea79a5 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -29,6 +29,43 @@ let
) cfg.virtualHosts;
enableIPv6 = config.networking.enableIPv6;
+ # Mime.types values are taken from brotli sample configuration - https://github.com/google/ngx_brotli
+ # and Nginx Server Configs - https://github.com/h5bp/server-configs-nginx
+ compressMimeTypes = [
+ "application/atom+xml"
+ "application/geo+json"
+ "application/json"
+ "application/ld+json"
+ "application/manifest+json"
+ "application/rdf+xml"
+ "application/vnd.ms-fontobject"
+ "application/wasm"
+ "application/x-rss+xml"
+ "application/x-web-app-manifest+json"
+ "application/xhtml+xml"
+ "application/xliff+xml"
+ "application/xml"
+ "font/collection"
+ "font/otf"
+ "font/ttf"
+ "image/bmp"
+ "image/svg+xml"
+ "image/vnd.microsoft.icon"
+ "text/cache-manifest"
+ "text/calendar"
+ "text/css"
+ "text/csv"
+ "text/html"
+ "text/javascript"
+ "text/markdown"
+ "text/plain"
+ "text/vcard"
+ "text/vnd.rim.location.xloc"
+ "text/vtt"
+ "text/x-component"
+ "text/xml"
+ ];
+
defaultFastcgiParams = {
SCRIPT_FILENAME = "$document_root$fastcgi_script_name";
QUERY_STRING = "$query_string";
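Review bot: The `"text/html"` entry in `compressMimeTypes` is redundant once the list is passed to `brotli_types`. The ngx_brotli README states that text/html responses are always compressed, and nginx's shared MIME-type parser normally logs a `duplicate MIME type "text/html"` warning at config load when the type is listed explicitly. I would drop that entry and record why in the comment above the list, e.g. `# "text/html" is implicitly included in brotli_types`. The enclosing `let` block starts and ends outside this hunk.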
@@ -140,6 +177,16 @@ let
ssl_stapling_verify on;
''}
+ ${optionalString (cfg.recommendedBrotliSettings) ''
+ brotli on;
+ brotli_static on;
+ brotli_comp_level 5;
+ brotli_window 512k;
+ brotli_min_length 256;
+ brotli_types ${lib.concatStringsSep " " compressMimeTypes};
+ brotli_buffers 32 8k;
+ ''}
+
${optionalString (cfg.recommendedGzipSettings) ''
gzip on;
gzip_proxied any;
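Review bot: `brotli on;` together with `text/html` and `application/json` in `brotli_types` compresses dynamic responses on the fly, and the `recommendedBrotliSettings` description added later in this commit does not mention the compression side channel (BREACH class) this exposes. The risk applies to TLS responses that carry secrets next to request-controlled data. The existing gzip block has the same property, so this is not a regression, but a "recommended" switch is where an operator would expect the caveat. I would add a sentence to the option description such as `On-the-fly compression of responses that mix secrets with request-reflected data can leak those secrets through the response length; set brotli off in the affected locations.` The enclosing config string starts and ends outside this hunk.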
@@ -456,6 +503,16 @@ in
'';
};
+ recommendedBrotliSettings = mkOption {
+ default = false;
+ type = types.bool;
+ description = lib.mdDoc ''
+ Enable recommended brotli settings. Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/blob/master/README.md).
+
+ This adds `pkgs.nginxModules.brotli` to `services.nginx.additionalModules`.
+ '';
+ };
+
recommendedGzipSettings = mkOption {
default = false;
type = types.bool;
@@ -537,11 +594,10 @@ in
additionalModules = mkOption {
default = [];
type = types.listOf (types.attrsOf types.anything);
- example = literalExpression "[ pkgs.nginxModules.brotli ]";
+ example = literalExpression "[ pkgs.nginxModules.echo ]";
description = lib.mdDoc ''
Additional [third-party nginx modules](https://www.nginx.com/resources/wiki/modules/)
- to install. Packaged modules are available in
- `pkgs.nginxModules`.
+ to install. Packaged modules are available in `pkgs.nginxModules`.
'';
};
@@ -999,6 +1055,8 @@ in
groups = config.users.groups;
}) dependentCertNames;
+ services.nginx.additionalModules = optional cfg.recommendedBrotliSettings pkgs.nginxModules.brotli;
+
systemd.services.nginx = {
description = "Nginx Web Server";
wantedBy = [ "multi-user.target" ];
diff --git a/pkgs/servers/http/nginx/modules.nix b/pkgs/servers/http/nginx/modules.nix
index 64be47874a40..7c3e6255c403 100644
--- a/pkgs/servers/http/nginx/modules.nix
+++ b/pkgs/servers/http/nginx/modules.nix
@@ -102,15 +102,15 @@ let self = {
brotli = {
name = "brotli";
- src = let gitsrc = fetchFromGitHub {
+ src = let src' = fetchFromGitHub {
name = "brotli";
owner = "google";
repo = "ngx_brotli";
- rev = "25f86f0bac1101b6512135eac5f93c49c63609e3";
- sha256 = "02hfvfa6milj40qc2ikpb9f95sxqvxk4hly3x74kqhysbdi06hhv";
+ rev = "6e975bcb015f62e1f303054897783355e2a877dc";
+ sha256 = "sha256-G0IDYlvaQzzJ6cNTSGbfuOuSXFp3RsEwIJLGapTbDgo=";
}; in
- runCommand "ngx_brotli-src" { } ''
- cp -a ${gitsrc} $out
+ runCommand "brotli" { } ''
+ cp -a ${src'} $out
substituteInPlace $out/filter/config \
--replace '$ngx_addon_dir/deps/brotli/c' ${lib.getDev brotli}
'';