-
Ciphers to choose from when negotiating TLS handshakes.
Type
null or string
Default
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
-
Whether to enable Global rate limiting.
Type
boolean
Default
false
Example
true
-
Whether to enable FC-customized nginx.
Type
boolean
Default
false
Example
true
-
Listen addresses for this virtual host.
Compared to listen, this only sets the addresses;
the ports are chosen automatically.
Note: this option overrides enableIPv6.
Type
list of string
Default
[
"192.168.2.1"
"[2001:db8:2::1]"
]
Example
[
"127.0.0.1"
"[::1]"
]
-
If set, all requests for this host are redirected (defaults to 301,
configurable with redirectCode) to the given hostname.
Type
null or string
Default
null
Example
"newserver.example.org"
-
Additional names of virtual hosts served by this virtual host configuration.
Type
list of string
Default
[ ]
Example
[
"www.example.org"
"example.org"
]
-
Path to root SSL certificate for stapling and client certificates.
Type
null or path
Default
null
Example
"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
-
IPv6 address to listen on.
If neither listenAddress nor listenAddress6 is set,
the service listens on the frontend addresses.
If you need more options, use listen.
If you want to configure any number of IPs, use listenAddresses.
Type
null or string
Default
null
-
IPv4 address to listen on.
If neither listenAddress nor listenAddress6 is set,
the service listens on the frontend addresses.
If you need more options, use listen.
If you want to configure any number of IPs, use listenAddresses.
Type
null or string
Default
null
-
Whether to add a separate nginx server block that redirects (defaults
to 301, configurable with redirectCode) all plain HTTP traffic to
HTTPS. This sets defaults for listen so that the virtual host listens on all
interfaces on the respective default ports (80, 443), where the non-SSL
listens are used for the redirect vhosts.
Type
boolean
Default
false
-
These lines go to the end of the vhost verbatim.
Type
strings concatenated with "\n"
Default
""
-
Whether to enable the HTTP/3 protocol.
This requires the pkgs.nginxQuic package, selected by setting
services.nginx.package = pkgs.nginxQuic;, and the QUIC transport protocol
enabled on the virtual host with services.nginx.virtualHosts.<name>.quic = true;.
Note that HTTP/3 support is experimental and not yet recommended for production.
Read more at https://quic.nginx.org/
HTTP/3 availability must be advertised manually, preferably in each location block.
Type
boolean
Default
false
-
Whether to enable kTLS support.
Implementing TLS in the kernel (kTLS) improves performance by significantly
reducing the need for copy operations between user space and the kernel.
Requires nginx version 1.21.4 or later.
Type
boolean
Default
false
-
Whether to disable the suggested mitigations against the D(HE)at Attack.
Type
boolean
Default
false
-
Order of this location block in relation to the others in the vhost.
The semantics are the same as with lib.mkOrder: smaller values have
a higher priority.
Type
signed integer
Default
1000