path: root/nixos/modules/services/networking/nghttpx/backend-params-submodule.nix
blob: 510dc02b5c9f8945fa2f104d35a4a6bae4e48b83 (plain) (blame)
{ lib, ...}:
{ options = {
    # Application protocol nghttpx speaks to this backend. Only the two
    # values in the enum are accepted. Encryption is not selected here:
    # it is the separate `tls` option of this submodule (default false).
    proto = lib.mkOption {
      default = "http/1.1";
      type = lib.types.enum [ "h2" "http/1.1" ];
      description = lib.mdDoc ''
        This option configures the protocol the backend server expects
        to use.

        Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b
        for more detail.
      '';
    };

    # Per-backend switch for TLS on the nghttpx -> backend hop. The default
    # is false, so that hop is not TLS-protected unless it is enabled
    # explicitly for the backend.
    # NOTE(review): this flag only says whether TLS is negotiated; how the
    # backend certificate is validated is not decided in this submodule --
    # confirm against the nghttpx service module and the upstream manual.
    tls = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = lib.mdDoc ''
        This option determines whether nghttpx will negotiate its
        connection with a backend server using TLS or not. The burden
        is on the backend server to provide the TLS certificate!

        Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b
        for more detail.
      '';
    };

    # Optional override for the SNI name sent to the backend; either a
    # string or null (the default).
    # NOTE(review): presumably null means the parameter is omitted so that
    # nghttpx falls back to the backend host -- confirm in the module that
    # renders the backend parameters.
    sni = lib.mkOption {
      default = null;
      type = lib.types.nullOr lib.types.str;
      description = lib.mdDoc ''
        Override the TLS SNI field value. This value (in nghttpx)
        defaults to the host value of the backend configuration.

        Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b
        for more detail.
      '';
    };

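    # Number of consecutive failed connection attempts after which nghttpx
    # drops the backend from load balancing; 0 (the default) disables the
    # exclusion. The value is a count, so it is typed as a non-negative
    # integer and a negative setting is rejected at evaluation time instead
    # of being written into the nghttpx configuration.
    # Availability caveat: `rise` in this submodule also defaults to 0,
    # which its description defines as "never reconsidered"; a non-zero
    # `fall` should therefore normally be paired with a non-zero `rise`.
    fall = lib.mkOption {
      type        = lib.types.ints.unsigned;
      default     = 0;
      description = lib.mdDoc ''
        If nghttpx cannot connect to the backend N times in a row, the
        backend is assumed to be offline and is excluded from load
        balancing. If N is 0 the backend is never excluded from load
        balancing.

        Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b
        for more detail.
      '';
    };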

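    # Number of consecutive successful probe connections after which an
    # excluded backend is put back into load balancing. The value is a
    # count, so it is typed as a non-negative integer and a negative
    # setting is rejected at evaluation time.
    # With the default of 0 a backend that has been excluded (see `fall`)
    # is never re-included, per the description below.
    rise = lib.mkOption {
      type        = lib.types.ints.unsigned;
      default     = 0;
      description = lib.mdDoc ''
        If the backend is excluded from load balancing, nghttpx will
        periodically attempt to make a connection to the backend. If
        the connection is successful N times in a row the backend is
        re-included in load balancing. If N is 0 a backend is never
        reconsidered for load balancing once it falls.

        Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b
        for more detail.
      '';
    };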

    # Session-affinity method for this backend: "ip" or "none" (default).
    # Per the description, nghttpx applies affinity per backend pattern, so
    # one backend with "ip" turns it on for every backend sharing that
    # pattern; set it explicitly on each backend to avoid surprises.
    affinity = lib.mkOption {
      default = "none";
      type = lib.types.enum [ "ip" "none" ];
      description = lib.mdDoc ''
        If "ip" is given, client IP based session affinity is
        enabled. If "none" is given, session affinity is disabled.

        Session affinity is enabled (by nghttpx) per-backend
        pattern. If at least one backend has a non-"none" affinity,
        then session affinity is enabled for all backend servers
        sharing the same pattern.

        It is advised to set affinity on all backends explicitly if
        session affinity is desired. The session affinity may break if
        one of the backend gets unreachable, or backend settings are
        reloaded or replaced by API.

        Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b
        for more detail.
      '';
    };

    # Selects when the backend host name is resolved. false (default):
    # once, at start up or configuration reload. true: dynamically, with
    # the start-up/reload lookup skipped.
    # NOTE(review): with dynamic resolution the backend address follows
    # whatever the resolver returns while the service runs, so the
    # resolver path becomes part of what this backend trusts -- pair with
    # `tls` where that matters.
    dns = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = lib.mdDoc ''
        Name resolution of a backends host name is done at start up,
        or configuration reload. If "dns" is true, name resolution
        takes place dynamically.

        This is useful if a backends address changes frequently. If
        "dns" is true, name resolution of a backend's host name at
        start up, or configuration reload is skipped.

        Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b
        for more detail.
      '';
    };

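    # When true, a request arriving on a non-TLS frontend connection is
    # answered with a 308 redirect to the https URI instead of being
    # matched to this backend. The default is false, i.e. no redirect.
    # The redirect is sent in response to the plaintext request, so it
    # does not protect that first request. Like `affinity`, the setting is
    # effective per backend pattern, so set it on every backend of a
    # pattern rather than relying on one of them.
    redirect-if-not-tls = lib.mkOption {
      type        = lib.types.bool;
      default     = false;
      description = lib.mdDoc ''
        If true, a backend match requires the frontend connection be
        TLS encrypted. If it is not, nghttpx responds to the request
        with a 308 status code and https URI the client should use
        instead in the Location header.

        The port number in the redirect URI is 443 by default and can
        be changed using 'services.nghttpx.redirect-https-port'
        option.

        If at least one backend has "redirect-if-not-tls" set to true,
        this feature is enabled for all backend servers with the same
        pattern. It is advised to set "redirect-if-not-tls" parameter
        to all backends explicitly if this feature is desired.

        Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b
        for more detail.
      '';
    };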
  };
}