Phil, Phil 写道:
I have a substitute server running trivially using http,
That's all ‘guix publish’ does; it doesn't speak HTTPS.That's by design (at least I hope it is): TLS should be handled by a separate, well-audited proxy layer. Ideally one written in C.
but there doesn't seem to be anything in the manual about how/where to configure my certificate file, etc, to run a server over https.
I use nginx to proxy my local ‘guix publish’ server[0]. I think that's what everyone[1][2][3] does.
Basically:
server {
server_name guix.tobias.gr;
listen [::]:443 ssl http2;
listen 443 ssl http2;
listen [::]:80;
listen 80;
ssl_certificate /etc/tls/tobias.gr/fullchain.pem;
ssl_certificate_key /etc/tls/tobias.gr/privkey.pem;
ssl_trusted_certificate /etc/tls/tobias.gr/chain.pem;
set $upstream athena.tobias.gr; # hack to respect TTL
location = /nix-cache-info {
proxy_pass http://$upstream:3000;
}
location ~ /(file|log|nar) {
proxy_pass http://$upstream:3000;
}
location / { # /*.narinfo
proxy_pass http://$upstream:3000;
}
[...several pages of caching, APIs, &c. snipped...]
}
You'd probably use ‘localhost’ since your publisher is probably
not running on a separate node.
Kind regards, T G-R [0]: https://guix.tobias.gr [1]: https://ci.guix.gnu.org [2]: https://bayfront.guix.gnu.org [3]: https://guix.cbaines.net
signature.asc
Description: PGP signature
