
Nginx

services.nginx.additionalModules

Additional third-party nginx modules to install. Packaged modules are available in pkgs.nginxModules.

Type: list of attribute set of anything

Default

[ ]

Example

[ pkgs.nginxModules.echo ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.appendConfig

Configuration lines appended to the generated Nginx configuration file. Commonly used by different modules providing http snippets. appendConfig can be specified more than once and its value will be concatenated (contrary to config, which can be set only once).

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.appendHttpConfig

Configuration lines to be appended to the generated http block. This is mutually exclusive with using config and httpConfig for specifying the whole http block verbatim.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.clientMaxBodySize

Set nginx global client_max_body_size.

Type: string

Default

"10m"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.commonHttpConfig

With nginx you must provide common http context definitions before they are used, e.g. log_format, resolver, etc. inside of server or location contexts. Use this attribute to set these definitions at the appropriate location.

Type: strings concatenated with "\n"

Default

""

Example

```nix
''
  resolver 127.0.0.1 valid=5s;

  log_format myformat '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';
''
```

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.config

Verbatim nginx.conf configuration. This is mutually exclusive to any other config option for nginx.conf except for - - -

If additional verbatim config in addition to other options is needed, should be used instead.

Type: string

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.defaultHTTPListenPort

If vhosts do not specify listen.port, use these ports for HTTP by default.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default

80

Example

8080

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.defaultListen

If vhosts do not specify listen, use these addresses by default. This option takes precedence over defaultListenAddresses and other listen-related default options.

Type: list of (submodule)

Default

[ ]

Example

[ { addr = "10.0.0.12"; proxyProtocol = true; ssl = true; } { addr = "0.0.0.0"; } { addr = "[::0]"; } ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.defaultListen.*.addr

IP address.

Type: string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.defaultListen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default

[ ]

Example

[ "backlog=1024" "deferred" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.defaultListen.*.port

Port number.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.defaultListen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.defaultListen.*.ssl

Enable SSL.

Type: null or boolean

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.defaultListenAddresses

If vhosts do not specify listenAddresses, use these addresses by default. This is akin to writing defaultListen = [ { addr = "0.0.0.0"; } ].

Type: list of string

Default

[ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]"

Example

[ "10.0.0.12" "[2002:a00:1::]" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.defaultMimeTypes

Default MIME types for NGINX. Because the MIME type definitions shipped with NGINX are very incomplete, the default is the set bundled in the mailcap package, which most other Linux distributions also use.

Type: path

Default

${pkgs.mailcap}/etc/nginx/mime.types

Example

${pkgs.nginx}/conf/mime.types

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.defaultSSLListenPort

If vhosts do not specify listen.port, use these ports for SSL by default.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default

443

Example

8443

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.enable

Whether to enable Nginx Web Server.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.enableQuicBPF

Enables routing of QUIC packets using eBPF. When enabled, this allows supporting QUIC connection migration. The directive is only supported on Linux 5.7+. Note that enabling this option will make nginx run with extended capabilities that are usually limited to processes running as root, namely CAP_SYS_ADMIN and CAP_NET_ADMIN.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.enableReload

Reload nginx when the configuration file changes (instead of restarting). The configuration file is exposed at /etc/nginx/nginx.conf. See also systemd.services.*.restartIfChanged.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.eventsConfig

Configuration lines to be set inside the events block.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.gitweb.enable

If true, enable gitweb in nginx.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/gitweb.nix

services.nginx.gitweb.group

Group that the CGI process will belong to. (Set to config.services.gitolite.group if you are using gitolite.)

Type: string

Default

"nginx"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/gitweb.nix

services.nginx.gitweb.location

Location to serve gitweb on.

Type: string

Default

"/gitweb"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/gitweb.nix

services.nginx.gitweb.user

Existing user that the CGI process will belong to. (Default almost surely will do.)

Type: string

Default

"nginx"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/gitweb.nix

services.nginx.gitweb.virtualHost

VirtualHost to serve gitweb on. Default is catch-all.

Type: string

Default

"_"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/gitweb.nix

services.nginx.group

Group account under which nginx runs.

Type: string

Default

"nginx"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.httpConfig

Configuration lines to be set inside the http block. This is mutually exclusive with the structured configuration via virtualHosts and the recommendedXyzSettings configuration options. See appendHttpConfig for appending to the generated http block.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.logError

Configures logging. The first parameter defines a file that will store the log. The special value stderr selects the standard error file. Logging to syslog can be configured by specifying the “syslog:” prefix. The second parameter determines the level of logging, and can be one of the following: debug, info, notice, warn, error, crit, alert, or emerg. Log levels above are listed in the order of increasing severity. Setting a certain log level will cause all messages of the specified and more severe log levels to be logged. If this parameter is omitted then error is used.

Type: string

Default

"stderr"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.mapHashBucketSize

Sets the bucket size for the map variables hash tables. Default value depends on the processor’s cache line size.

Type: null or one of 32, 64, 128

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.mapHashMaxSize

Sets the maximum size of the map variables hash tables.

Type: null or (positive integer, meaning >0)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.package

Nginx package to use. This defaults to the stable version. Note that the nginx team recommends using the mainline version, which is available in nixpkgs as nginxMainline. Supported Nginx forks include angie, openresty and tengine. For HTTP/3 support use nginxQuic or angieQuic.

Type: package

Default

pkgs.nginxStable

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.preStart

Shell commands executed before the service's nginx is started.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.proxyCachePath

Configure a proxy cache path entry. See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path for documentation.

Type: attribute set of (submodule)

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.proxyCachePath.<name>.enable

Whether to enable this proxy cache path entry.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.proxyCachePath.<name>.inactive

Cached data that has not been accessed for the time specified by the inactive parameter is removed from the cache, regardless of its freshness.

Type: string

Default

"10m"

Example

"1d"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.proxyCachePath.<name>.keysZoneName

Set the name of the shared memory zone.

Type: string

Default

"cache"

Example

"my_cache"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.proxyCachePath.<name>.keysZoneSize

Set the size of the shared memory zone.

Type: string

Default

"10m"

Example

"32m"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.proxyCachePath.<name>.levels

The levels parameter defines the structure of subdirectories in the cache: from 1 to 3 levels, each accepting the value 1 or 2. Any combination of 1 and 2 can be used in these formats: x, x:x and x:x:x.

Type: string

Default

"1:2"

Example

"1:2:2"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.proxyCachePath.<name>.maxSize

Set maximum cache size.

Type: string

Default

"1g"

Example

"2048m"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.proxyCachePath.<name>.useTempPath

Nginx first writes files that are destined for the cache to a temporary storage area, and the use_temp_path=off directive instructs Nginx to write them to the same directories where they will be cached. It is recommended that you set this parameter to off to avoid unnecessary copying of data between file systems.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.proxyResolveWhileRunning

Resolves domains of proxyPass targets at runtime and not only at start. You have to set services.nginx.resolver, too.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.proxyTimeout

Change the proxy related timeouts in recommendedProxySettings.

Type: string

Default

"60s"

Example

"20s"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.recommendedBrotliSettings

Enable recommended brotli settings. Learn more about compression in Brotli format here.

This adds pkgs.nginxModules.brotli to services.nginx.additionalModules.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.recommendedGzipSettings

Enable recommended gzip settings. Learn more about compression in Gzip format here.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.recommendedOptimisation

Enable recommended optimisation settings.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.recommendedProxySettings

Whether to enable recommended proxy settings if a vhost does not specify the option manually.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.recommendedTlsSettings

Enable recommended TLS settings.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.recommendedZstdSettings

Enable recommended zstd settings. Learn more about compression in Zstd format here.

This adds pkgs.nginxModules.zstd to services.nginx.additionalModules.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.resolver

Configures name servers used to resolve names of upstream servers into addresses.

Type: submodule

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.resolver.addresses

List of resolvers to use.

Type: list of string

Default

[ ]

Example

[ "[::1]" "127.0.0.1:5353" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.resolver.ipv4

By default, nginx will look up both IPv4 and IPv6 addresses while resolving. If looking up of IPv4 addresses is not desired, the ipv4=off parameter can be specified.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.resolver.ipv6

By default, nginx will look up both IPv4 and IPv6 addresses while resolving. If looking up of IPv6 addresses is not desired, the ipv6=off parameter can be specified.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.resolver.valid

By default, nginx caches answers using the TTL value of a response. An optional valid parameter allows overriding it.

Type: string

Default

""

Example

"30s"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.serverNamesHashBucketSize

Sets the bucket size for the server names hash tables. Default value depends on the processor’s cache line size.

Type: null or (positive integer, meaning >0)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.serverNamesHashMaxSize

Sets the maximum size of the server names hash tables.

Type: null or (positive integer, meaning >0)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.serverTokens

Show nginx version in headers and error pages.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.sslCiphers

Ciphers to choose from when negotiating TLS handshakes.

Type: null or string

Default

"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.sslDhparam

Path to DH parameters file.

Type: null or path

Default

null

Example

"/path/to/dhparams.pem"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.sslProtocols

Allowed TLS protocol versions.

Type: string

Default

"TLSv1.2 TLSv1.3"

Example

"TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.sso.configuration

nginx-sso configuration (documentation) as a Nix attribute set.

Type: attribute set of unspecified value

Default

{ }

Example

```nix
{
  listen = {
    addr = "127.0.0.1";
    port = 8080;
  };

  providers.token.tokens = {
    myuser = "MyToken";
  };

  acl = {
    rule_sets = [
      {
        rules = [ { field = "x-application"; equals = "MyApp"; } ];
        allow = [ "myuser" ];
      }
    ];
  };
}
```

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/nginx-sso.nix

services.nginx.sso.enable

Whether to enable nginx-sso service.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/nginx-sso.nix

services.nginx.sso.package

The nginx-sso package to use.

Type: package

Default

pkgs.nginx-sso

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/nginx-sso.nix

services.nginx.statusPage

Enable status page reachable from localhost on http://127.0.0.1/nginx_status.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.streamConfig

Configuration lines to be set inside the stream block.

Type: strings concatenated with "\n"

Default

""

Example

```nix
''
  server {
    listen 127.0.0.1:53 udp reuseport;
    proxy_timeout 20s;
    proxy_pass 192.168.0.1:53535;
  }
''
```

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.tailscaleAuth.enable

Whether to enable tailscale.nginx-auth, to authenticate nginx users via tailscale.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/tailscale-auth.nix

services.nginx.tailscaleAuth.expectedTailnet

If you want to prevent node sharing from allowing users to access services across tailnets, declare your expected tailnet's domain here.

Type: null or string

Default

""

Example

"tailnet012345.ts.net"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/tailscale-auth.nix

services.nginx.tailscaleAuth.group

Alias of services.tailscaleAuth.group.

Type: string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/tailscale-auth.nix

services.nginx.tailscaleAuth.package

Alias of services.tailscaleAuth.package.

Type: package

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/tailscale-auth.nix

services.nginx.tailscaleAuth.socketPath

Alias of services.tailscaleAuth.socketPath.

Type: path

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/tailscale-auth.nix

services.nginx.tailscaleAuth.user

Alias of services.tailscaleAuth.user.

Type: string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/tailscale-auth.nix

services.nginx.tailscaleAuth.virtualHosts

A list of nginx virtual hosts to put behind tailscale.nginx-auth.

Type: list of string

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/tailscale-auth.nix

services.nginx.upstreams

Defines a group of servers to use as proxy target.

Type: attribute set of (submodule)

Default

{ }

Example

```nix
{
  backend = {
    extraConfig = ''
      keepalive 16;
    '';
    servers = {
      "backend1.example.com:8080" = {
        weight = 5;
      };
      "backend2.example.com" = {
        fail_timeout = "30s";
        max_fails = 3;
      };
      "backend3.example.com" = { };
      "backup1.example.com" = {
        backup = true;
      };
      "backup2.example.com" = {
        backup = true;
      };
    };
  };
  memcached = {
    servers = {
      "unix:/run//memcached/memcached.sock" = { };
    };
  };
}
```

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.upstreams.<name>.extraConfig

These lines go to the end of the upstream verbatim.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.upstreams.<name>.servers

Defines the address and other parameters of the upstream servers. See the documentation for the available parameters.

Type: attribute set of (attribute set of (boolean or signed integer or string))

Default

{ }

Example

see

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.upstreams.<name>.servers.<name>.backup

Marks the server as a backup server. It will be passed requests when the primary servers are unavailable.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.user

User account under which nginx runs.

Type: string

Default

"nginx"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.validateConfigFile

Whether to enable validating configuration with pkgs.writeNginxConfig.

Type: boolean

Default

true

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts

Declarative vhost config.

Type: attribute set of (submodule)

Default

{ localhost = { }; }

Example

{ "hydra.example.com" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://localhost:3000"; }; }; };

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.acmeFallbackHost

Host to proxy requests to if the ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.acmeRoot

Directory for the ACME challenge, which is public. Don't put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default

"/var/lib/acme/acme-challenge"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default

{ }

Example

{ user = "password"; };

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created via: htpasswd -c <filename> <username>.

WARNING: The generated file contains the users' passwords hashed in a way that is not cryptographically secure.

Type: null or path

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix
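The two warnings above, shown as an added configuration example (not taken from the nixpkgs module source): basicAuth puts the password into the world-readable Nix store, while basicAuthFile given as an absolute path string points at a file provisioned outside the store. The host name, the /run/secrets path, the upstream address and the security.acme values are assumptions chosen for illustration.

```nix
{
  # Assumed ACME settings (not documented on this page); enableACME needs them.
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "admin@example.com";

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    serverTokens = false; # the default; do not advertise the nginx version

    # Hypothetical vhost name.
    virtualHosts."internal.example.com" = {
      # Basic Auth credentials are only base64-encoded on the wire,
      # so serve this vhost over HTTPS only.
      forceSSL = true;
      enableACME = true;

      # Weak: the password becomes part of the generated configuration,
      # which lives in the Nix store and is readable by every local user.
      # basicAuth = { user = "password"; };

      # Preferred: an absolute path written as a *string*. The file is
      # created out of band (for example with htpasswd) and must be
      # readable by the nginx user. A Nix path literal such as ./htpasswd
      # would be copied into the store and defeat the purpose.
      basicAuthFile = "/run/secrets/nginx-htpasswd";

      locations."/" = {
        proxyPass = "http://localhost:3000";
      };
    };
  };
}
```

Because the password file is referenced by path only, rotating a credential does not require a rebuild, and the file's own permissions decide who can read the hashes.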

services.nginx.virtualHosts.<name>.default

Makes this vhost the default.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.enableACME

Whether to ask Let's Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default

null

Example

"newserver.example.org"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx's implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.http3

Whether to enable the HTTP/3 protocol. This requires using the pkgs.nginxQuic package, which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activating the QUIC transport protocol with services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production (read more at https://quic.nginx.org/). HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using the pkgs.nginxQuic package, which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activating the QUIC transport protocol with services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production (read more at https://quic.nginx.org/).

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Requires Nginx version 1.21.4 or later.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default

[ ]

Example

[ { addr = "195.154.1.1"; port = 443; ssl = true; } { addr = "192.154.1.1"; port = 80; } { addr = "unix:/var/run/nginx.sock"; } ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.listen.*.addr

Listen address.

Type: string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default

[ ]

Example

[ "backlog=1024" "deferred" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.listen.*.ssl

Enable SSL.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6.

Type: list of string

Default

[ ]

Example

[ "127.0.0.1" "[::1]" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.locations

Declarative location config.

Type: attribute set of (submodule)

Default

{ }

Example

{ "/" = { proxyPass = "http://localhost:3000"; }; };

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default

null

Example

"/your/alias/directory"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default

{ }

Example

{ user = "password"; };

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created via: htpasswd -c <filename> <username>.

WARNING: The generated file contains the users' passwords hashed in a way that is not cryptographically secure.

Type: null or path

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won't unset the default values for other parameters.

Type: attribute set of (string or path)

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.locations.<name>.index

Adds index directive.

Type: null or string

Default

null

Example

"index.php index.html"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default

1000

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default

null

Example

"http://www.example.org/"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default

config.services.nginx.recommendedProxySettings

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.locations.<name>.return

Adds a return directive, e.g. for redirections.

Type: null or string or signed integer

Default

null

Example

"301 http://example.com$request_uri"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.locations.<name>.root

Root directory for requests.

Type: null or path

Default

null

Example

"/your/root/directory"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default

null

Example

"$uri =404"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.quic

Whether to enable the QUIC transport protocol. This requires the pkgs.nginxQuic package, which can be selected by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible use cases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default

301

Example

308

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix
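The basicAuth and basicAuthFile warnings and the rejectSSL description above, combined in one configuration. This is an added example, not taken from nixpkgs; the host name, upstream address and file paths are constructed, and it assumes the certificate, key and htpasswd files are provisioned outside the Nix store and are readable by the nginx user.

```nix
{
  services.nginx = {
    enable = true;

    # Catch-all vhost: requests for names no other vhost claims end up here.
    virtualHosts."_" = {
      default = true;
      # TLS handshakes for unknown names are rejected (ssl_reject_handshake),
      # so the certificate of another vhost is never served to them.
      # rejectSSL cannot be combined with addSSL, onlySSL or forceSSL.
      rejectSSL = true;
      locations."/".return = 404;
    };

    virtualHosts."intranet.example.org" = {
      # HTTPS only; plain HTTP connections are not accepted for this vhost.
      onlySSL = true;
      # Constructed paths, written as strings so the files stay out of the store.
      sslCertificate = "/var/lib/secrets/intranet.example.org/fullchain.pem";
      sslCertificateKey = "/var/lib/secrets/intranet.example.org/key.pem";

      locations."/admin/" = {
        proxyPass = "http://127.0.0.1:3000";

        # Weak setting, shown for comparison only: the password is written
        # in plain text into the world-readable Nix store.
        # basicAuth = { admin = "example-password"; };

        # Preferred: reference a file created with htpasswd at a runtime
        # location. Use a string here; a Nix path literal such as ./htpasswd
        # would be copied into the store as well.
        basicAuthFile = "/run/secrets/intranet.htpasswd";
      };
    };
  };
}
```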

services.nginx.virtualHosts.<name>.reuseport

Create an individual listening socket. It needs to be specified only once, on one of the hosts.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.root

The path of the web root directory.

Type: null or path

Default

null

Example

"/data/webserver/docs"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default

[ ]

Example

[ "www.example.org" "example.org" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default

null

Example

"example.org"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.sslCertificate

Path to server SSL certificate.

Type: path

Example

"/var/host.cert"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example

"/var/host.key"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default

null

Example

"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix

services.nginx.virtualHosts.<name>.useACMEHost

A host of an existing Let's Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor does it add subdomains to existing ones – you will need to create them manually using .

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix