
How to make NixOS compile nginx with OpenSSL 1.x


One of the strengths of NixOS is that you can use NixOS modules to do things like override versions of packages so that you can customize what software is running on your computer. You can use this to manually patch programs, or alternatively override dependencies with other versions. Today I'm going to show you how to use an overlay to force NixOS to rebuild nginx with OpenSSL 1.1.1 instead of OpenSSL 3.x. You may want to do this if you want to reduce risks involved with the CRITICAL security issue announced for OpenSSL 3.x (OpenSSL 1.1.1 isn't listed as CRITICAL).

Open your configuration.nix file and add this inside the module block:

nixpkgs.overlays = [
  (final: prev: {
    nginxStable = prev.nginxStable.override { openssl = prev.openssl_1_1; };
  })
];

<Mara> If you are using NixOS 22.05, use the package openssl instead of openssl_1_1.

This will create an overlay that will replace the nginx package with a version that has OpenSSL replaced with the OpenSSL 1.x package.

<Mara> You need to use nginxStable here instead of nginx because services.nginx.package defaults to nginxStable. Alternatively you can use something like this to change the nginx package directly: services.nginx.package = (pkgs.nginxStable.override { openssl = pkgs.openssl_1_1; }); This may be ideal depending on facts and circumstances.

It uses an override to change the version of OpenSSL that is passed into the package build. This works because packages in nixpkgs are defined something like this:

{ stdenv, openssl, fetchurl }:

stdenv.mkDerivation {
  # whatever is needed to build the software
}

Each of the inputs in the top line is an argument to the package (which is modeled as a function). When you use .override, you are overriding the arguments you pass to the package function. This means that when you use that overlay I pasted, you will be overriding the version of OpenSSL passed to the nginx build process, which will make nginx depend on OpenSSL 1.x.

Depending on the software in question, you should be able to use this strategy to patch any other public-facing programs. The only catch is that the software will need to be compatible with OpenSSL 1.x.
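To confirm that a rebuild actually picked up the overridden OpenSSL, you can inspect what `nginx -V` reports. The script below is an added example, not code from the original post: the function names and the sample output are constructed for illustration, and the 3.0.7 threshold is taken from the note at the end of this post.

```shell
#!/bin/sh
# Added example (not from the original post): decide from `nginx -V` output
# which OpenSSL branch the nginx binary ended up on.

# Constructed sample of `nginx -V 2>&1` output, so this runs offline.
SAMPLE_NGINX_V='nginx version: nginx/1.22.1
built with OpenSSL 1.1.1q  5 Jul 2022
TLS SNI support enabled'

# Print the OpenSSL version found in `nginx -V` output read from stdin.
# When nginx reports "(running with OpenSSL X)", the runtime library differs
# from the build-time one, and X is the version that matters.
nginx_openssl_version() {
  _line=$(grep '^built with OpenSSL ' | head -n 1)
  [ -n "$_line" ] || return 0
  case "$_line" in
    *"running with OpenSSL "*) _ver=${_line##*running with OpenSSL } ;;
    *) _ver=${_line#built with OpenSSL } ;;
  esac
  _ver=${_ver%% *}           # drop the build date that follows the version
  printf '%s\n' "${_ver%)}"  # drop a trailing ")" if no date was present
}

# Classify a version string. Exit status: 0 = fine, 1 = OpenSSL 3.x older
# than 3.0.7, 2 = could not tell.
# Assumption: 3.0.7 is the threshold, per the post's closing note.
classify_openssl() {
  case "$1" in
    1.*) echo "ok: OpenSSL $1 (1.x branch)"; return 0 ;;
    3.0.[0-6]|3.0.[0-6][!0-9]*)
         echo "check: OpenSSL $1 is 3.x older than 3.0.7"; return 1 ;;
    3.*) echo "ok: OpenSSL $1 (3.0.7 or newer)"; return 0 ;;
    *)   echo "unknown: no usable OpenSSL version found"; return 2 ;;
  esac
}

# Usage on a real host: nginx -V 2>&1 | check_nginx_openssl
check_nginx_openssl() {
  classify_openssl "$(nginx_openssl_version)"
}

# Demo on the constructed sample above.
printf '%s\n' "$SAMPLE_NGINX_V" | check_nginx_openssl
```

Run it against the nginx binary your service actually uses, since that is the one built from services.nginx.package.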

<Cadey> You may want to remove this as soon as NixOS unstable advances to OpenSSL 3.0.7.

<Mara> Thanks to ckie for reviewing this post for correctness!


This article was posted on M10 29 2022. Facts and circumstances may have changed since publication. Please contact me before jumping to conclusions if something seems wrong or unclear.

Series: nixos

Tags: openssl nginx


The art for Mara was drawn by Selicre.

The art for Cadey was drawn by ArtZora Studios.

Some of the art for Aoi was drawn by @Sandra_Thomas01.