How to make NixOS compile nginx with OpenSSL 1.x
Published on , 411 words, 2 minutes to read
cloud sea, xenoblade chronicles 2, azurda, blue sky, giant tree, orca, 1girl, red hair, katana - Waifu Diffusion v1.3 (float16)One of the strengths of NixOS is that you can use NixOS modules to do things like override versions of packages so that you can customize what software is running on your computer. You can use this to manually patch programs, or alternatively override dependencies with other versions. Today I'm going to show you how to use an overlay to force NixOS to rebuild nginx with OpenSSL 1.1.1 instead of OpenSSL 3.x. You may want to do this if you want to reduce risks involved with the CRITICAL security issue announced for OpenSSL 3.x (OpenSSL 1.1.1 isn't listed as CRITICAL).
Open your configuration.nix
file and add this inside the module block:
nixpkgs.overlays = [
(final: prev: {
nginxStable = prev.nginxStable.override { openssl = prev.openssl_1_1; };
})
];
If you are using NixOS 22.05, use the package openssl
instead of
openssl_1_1
.
This will create an overlay that will replace the nginx package with a version that has OpenSSL replaced with the OpenSSL 1.x package.
nginxStable
here
instead of nginx
because services.nginx.package
defaults to nginxStable
.
Alternatively you can use something like this to change the nginx package
directly: services.nginx.package = (pkgs.nginxStable.override { openssl = pkgs.openssl_1_1; });
This may be ideal depending on facts and
circumstances.It uses an override
to change the version of OpenSSL that is passed into the package build. This
works because packages in nixpkgs
are defined something like this:
{ stdenv, openssl, fetchurl }:
stdenv.mkDerivation {
# whatever is needed to build the software
}
Each of the inputs in the top line are arguments to the package (which is
modeled as a function). When you use .override
, you are overriding the
arguments you pass to the package functions. This means that when you use that
overlay I pasted, you will be overriding the version of OpenSSL passed to the
nginx build process, which will make nginx depend on OpenSSL 1.x.
Depending on the software in question, you should be able to use this strategy to patch any other public-facing programs. The only catch is that software will need to be compatible with OpenSSL 1.x.
You may want to remove this as soon as NixOS unstable advances to OpenSSL 3.0.7.
Thanks to ckie for reviewing this post for correctness!
Facts and circumstances may have changed since publication. Please contact me before jumping to conclusions if something seems wrong or unclear.
Tags: openssl, nginx