From cdda7e3aba7adaef12c3d598c494988820a501f1 Mon Sep 17 00:00:00 2001 From: Marcin Deranek Date: Fri, 30 Jun 2023 16:08:08 +0200 Subject: www-servers/nginx fork with updated lua modules --- .../nginx/files/http_brotli-detect-brotli-r3.patch | 28 +++ .../nginx/files/http_cache_purge-1.11.6+.patch | 22 ++ .../nginx/files/http_sticky-nginx-1.23.0.patch | 25 +++ .../files/http_uploadprogress-nginx-1.23.0.patch | 74 +++++++ .../files/http_upstream_check-nginx-1.11.5+.patch | 246 +++++++++++++++++++++ .../files/nginx-1.23.2-mod_auth_ldap-fix.patch | 21 ++ .../files/nginx-1.4.1-fix-perl-install-path.patch | 13 ++ .../nginx/files/nginx-httpoxy-mitigation-r1.patch | 54 +++++ www-servers/nginx/files/nginx.conf-r3 | 70 ++++++ www-servers/nginx/files/nginx.confd | 32 +++ www-servers/nginx/files/nginx.initd-r4 | 92 ++++++++ www-servers/nginx/files/nginx.logrotate-r1 | 11 + www-servers/nginx/files/nginx.service-r1 | 15 ++ 13 files changed, 703 insertions(+) create mode 100644 www-servers/nginx/files/http_brotli-detect-brotli-r3.patch create mode 100644 www-servers/nginx/files/http_cache_purge-1.11.6+.patch create mode 100644 www-servers/nginx/files/http_sticky-nginx-1.23.0.patch create mode 100644 www-servers/nginx/files/http_uploadprogress-nginx-1.23.0.patch create mode 100644 www-servers/nginx/files/http_upstream_check-nginx-1.11.5+.patch create mode 100644 www-servers/nginx/files/nginx-1.23.2-mod_auth_ldap-fix.patch create mode 100644 www-servers/nginx/files/nginx-1.4.1-fix-perl-install-path.patch create mode 100644 www-servers/nginx/files/nginx-httpoxy-mitigation-r1.patch create mode 100644 www-servers/nginx/files/nginx.conf-r3 create mode 100644 www-servers/nginx/files/nginx.confd create mode 100644 www-servers/nginx/files/nginx.initd-r4 create mode 100644 www-servers/nginx/files/nginx.logrotate-r1 create mode 100644 www-servers/nginx/files/nginx.service-r1 (limited to 'www-servers/nginx/files') 
diff --git a/www-servers/nginx/files/http_brotli-detect-brotli-r3.patch b/www-servers/nginx/files/http_brotli-detect-brotli-r3.patch
new file mode 100644
index 0000000..9ccb8c2
--- /dev/null
+++ b/www-servers/nginx/files/http_brotli-detect-brotli-r3.patch
@@ -0,0 +1,28 @@
+--- a/filter/config
++++ b/filter/config
+@@ -42,22 +42,13 @@ fi
+ ngx_module_type=HTTP_FILTER
+ ngx_module_name=ngx_http_brotli_filter_module
+
+-brotli="$ngx_addon_dir/deps/brotli/c"
+-if [ ! -f "$brotli/include/brotli/encode.h" ]; then
+- brotli="/usr/local"
+-fi
+-if [ ! -f "$brotli/include/brotli/encode.h" ]; then
+- brotli="/usr"
+-fi
++brotli=$(pkg-config --variable=prefix libbrotlienc)
++
+ if [ ! -f "$brotli/include/brotli/encode.h" ]; then
+ cat << END
+
+ $0: error: \
+-Brotli library is missing from the $brotli directory.
+-
+-Please make sure that the git submodule has been checked out:
+-
+- cd $ngx_addon_dir && git submodule update --init && cd $PWD
++Brotli library not found. Don't you have app-arch/brotli installed?
+
+ END
+ exit 1
diff --git a/www-servers/nginx/files/http_cache_purge-1.11.6+.patch b/www-servers/nginx/files/http_cache_purge-1.11.6+.patch
new file mode 100644
index 0000000..c4596bf
--- /dev/null
+++ b/www-servers/nginx/files/http_cache_purge-1.11.6+.patch
@@ -0,0 +1,22 @@
+Fix compatibility with nginx-1.11.6+
+
+https://github.com/FRiCKLE/ngx_cache_purge/pull/51
+
+---
+ ngx_cache_purge_module.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/ngx_cache_purge_module.c
++++ b/ngx_cache_purge_module.c
+@@ -492,7 +492,11 @@ typedef struct {
+ ngx_str_t body_source;
+ # endif /* nginx_version < 1007008 */
+
++# if (nginx_version >= 1011006)
++ ngx_http_complex_value_t *method;
++# else
+ ngx_str_t method;
++# endif /* nginx_version >= 1011006 */
+ ngx_str_t location;
+ ngx_str_t url;
+
diff --git a/www-servers/nginx/files/http_sticky-nginx-1.23.0.patch b/www-servers/nginx/files/http_sticky-nginx-1.23.0.patch
new file mode 100644
index 0000000..da6126e
--- /dev/null
+++ b/www-servers/nginx/files/http_sticky-nginx-1.23.0.patch
@@ -0,0 +1,25 @@
+From 105c946c0c1af93099502417784888acf60da540 Mon Sep 17 00:00:00 2001
+From: Younes El-karama
+Date: Sat, 2 Jul 2022 04:56:12 +0000
+Subject: [PATCH] make it compatible with nginx 1.23
+
+---
+ ngx_http_sticky_module.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ngx_http_sticky_module.c b/ngx_http_sticky_module.c
+index c9a0a04..37b5bc3 100644
+--- a/ngx_http_sticky_module.c
++++ b/ngx_http_sticky_module.c
+@@ -204,7 +204,7 @@ static ngx_int_t ngx_http_init_sticky_peer(ngx_http_request_t *r, ngx_http_upstr
+ iphp->request = r;
+
+ /* check weather a cookie is present or not and save it */
+- if (ngx_http_parse_multi_header_lines(&r->headers_in.cookies, &iphp->sticky_conf->cookie_name, &route) != NGX_DECLINED) {
++ if (ngx_http_parse_multi_header_lines(r, r->headers_in.cookie, &iphp->sticky_conf->cookie_name, &route) != NULL) {
+ /* a route cookie has been found. Let's give it a try */
+ ngx_log_debug(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "[sticky/init_sticky_peer] got cookie route=%V, let's try to find a matching peer", &route);
+
+--
+2.36.1
+
diff --git a/www-servers/nginx/files/http_uploadprogress-nginx-1.23.0.patch b/www-servers/nginx/files/http_uploadprogress-nginx-1.23.0.patch
new file mode 100644
index 0000000..3635aa4
--- /dev/null
+++ b/www-servers/nginx/files/http_uploadprogress-nginx-1.23.0.patch
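Review bot: The replacement call in ngx_http_init_sticky_peer (http_sticky-nginx-1.23.0.patch) is unconditional, so a module patched this way compiles only against nginx 1.23.0 or later, where ngx_http_parse_multi_header_lines takes the request plus a header chain and returns a pointer. The cache_purge patch in this same commit keeps both variants behind `# if (nginx_version >= 1011006)`; the same pattern here would be `#if (nginx_version >= 1023000)` around the new call, with the old `&r->headers_in.cookies ... != NGX_DECLINED` form in the `#else` branch. http_uploadprogress-nginx-1.23.0.patch switches `r->headers_out.cache_control` from an array to a linked list without a guard in the same way. The function body continues outside the hunk.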
@@ -0,0 +1,74 @@
+diff -pNura http-uploadprogress.orig/ngx_http_uploadprogress_module.c http-uploadprogress/ngx_http_uploadprogress_module.c
+--- http-uploadprogress.orig/ngx_http_uploadprogress_module.c 2020-10-03 02:05:45.000000000 +0700
++++ http-uploadprogress/ngx_http_uploadprogress_module.c 2022-06-24 16:24:16.196626939 +0700
+@@ -550,12 +550,12 @@ ngx_http_reportuploads_handler(ngx_http_
+ ngx_chain_t out;
+ ngx_int_t rc, found=0, done=0, err_status=0;
+ off_t rest=0, length=0;
+- ngx_uint_t len, i;
++ ngx_uint_t len;
+ ngx_slab_pool_t *shpool;
+ ngx_http_uploadprogress_conf_t *upcf;
+ ngx_http_uploadprogress_ctx_t *ctx;
+ ngx_http_uploadprogress_node_t *up;
+- ngx_table_elt_t *expires, *cc, **ccp;
++ ngx_table_elt_t *expires, *cc;
+ ngx_http_uploadprogress_state_t state;
+ ngx_http_uploadprogress_template_t *t;
+
+@@ -628,6 +628,7 @@ ngx_http_reportuploads_handler(ngx_http_
+ }
+
+ r->headers_out.expires = expires;
++ expires->next = NULL;
+
+ expires->hash = 1;
+ expires->key.len = sizeof("Expires") - 1;
+@@ -637,37 +638,30 @@ ngx_http_reportuploads_handler(ngx_http_
+ len = sizeof("Mon, 28 Sep 1970 06:00:00 GMT");
+ expires->value.len = len - 1;
+
+- ccp = r->headers_out.cache_control.elts;
+- if (ccp == NULL) {
++ cc = r->headers_out.cache_control;
+
+- if (ngx_array_init(&r->headers_out.cache_control, r->pool,
+- 1, sizeof(ngx_table_elt_t *))
+- != NGX_OK) {
+- return NGX_HTTP_INTERNAL_SERVER_ERROR;
+- }
+-
+- ccp = ngx_array_push(&r->headers_out.cache_control);
+- if (ccp == NULL) {
+- return NGX_HTTP_INTERNAL_SERVER_ERROR;
+- }
++ if (cc == NULL) {
+
+ cc = ngx_list_push(&r->headers_out.headers);
+ if (cc == NULL) {
++ expires->hash = 0;
+ return NGX_HTTP_INTERNAL_SERVER_ERROR;
+ }
+
++ r->headers_out.cache_control = cc;
++ cc->next = NULL;
++
+ cc->hash = 1;
+ cc->key.len = sizeof("Cache-Control") - 1;
+ cc->key.data = (u_char *) "Cache-Control";
+
+- *ccp = cc;
+-
+ } else {
+- for (i = 1; i < r->headers_out.cache_control.nelts; i++) {
+- ccp[i]->hash = 0;
++ for (cc = cc->next; cc; cc = cc->next) {
++ cc->hash = 0;
+ }
+
+- cc = ccp[0];
++ cc = r->headers_out.cache_control;
++ cc->next = NULL;
+ }
+
+ expires->value.data = (u_char *) "Thu, 01 Jan 1970 00:00:01 GMT";
diff --git a/www-servers/nginx/files/http_upstream_check-nginx-1.11.5+.patch b/www-servers/nginx/files/http_upstream_check-nginx-1.11.5+.patch
new file mode 100644
index 0000000..a894bde
--- /dev/null
+++ b/www-servers/nginx/files/http_upstream_check-nginx-1.11.5+.patch
@@ -0,0 +1,246 @@
+Upstream: https://github.com/yaoweibin/nginx_upstream_check_module/pull/119
+
+diff --git src/http/modules/ngx_http_upstream_hash_module.c src/http/modules/ngx_http_upstream_hash_module.c
+index 6c28c64..a187887 100644
+--- src/http/modules/ngx_http_upstream_hash_module.c
++++ src/http/modules/ngx_http_upstream_hash_module.c
+@@ -9,6 +9,9 @@
+ #include
+ #include
+
++#if (NGX_HTTP_UPSTREAM_CHECK)
++#include "ngx_http_upstream_check_module.h"
++#endif
+
+ typedef struct {
+ uint32_t hash;
+@@ -235,6 +238,16 @@ ngx_http_upstream_get_hash_peer(ngx_peer_connection_t *pc, void *data)
+ goto next;
+ }
+
++#if (NGX_HTTP_UPSTREAM_CHECK)
++ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0,
++ "get hash peer, check_index: %ui",
++ peer->check_index);
++ if (ngx_http_upstream_check_peer_down(peer->check_index)) {
++ goto next;
++ }
++#endif
++
++
+ if (peer->max_fails
+ && peer->fails >= peer->max_fails
+ && now - peer->checked <= peer->fail_timeout)
+@@ -538,6 +551,15 @@ ngx_http_upstream_get_chash_peer(ngx_peer_connection_t *pc, void *data)
+ continue;
+ }
+
++#if (NGX_HTTP_UPSTREAM_CHECK)
++ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0,
++ "get consistent_hash peer, check_index: %ui",
++ peer->check_index);
++ if (ngx_http_upstream_check_peer_down(peer->check_index)) {
++ continue;
++ }
++#endif
++
+ if (peer->server.len != server->len
+ || ngx_strncmp(peer->server.data, server->data, server->len)
+ != 0)
+diff --git src/http/modules/ngx_http_upstream_ip_hash_module.c src/http/modules/ngx_http_upstream_ip_hash_module.c
+index 296108f..135ce5d 100644
+--- src/http/modules/ngx_http_upstream_ip_hash_module.c
++++ src/http/modules/ngx_http_upstream_ip_hash_module.c
+@@ -9,6 +9,9 @@
+ #include
+ #include
+
++#if (NGX_HTTP_UPSTREAM_CHECK)
++#include "ngx_http_upstream_check_module.h"
++#endif
+
+ typedef struct {
+ /* the round robin data must be first */
+@@ -205,6 +208,15 @@ ngx_http_upstream_get_ip_hash_peer(ngx_peer_connection_t *pc, void *data)
+ goto next;
+ }
+
++#if (NGX_HTTP_UPSTREAM_CHECK)
++ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0,
++ "get ip_hash peer, check_index: %ui",
++ peer->check_index);
++ if (ngx_http_upstream_check_peer_down(peer->check_index)) {
++ goto next;
++ }
++#endif
++
+ if (peer->max_fails
+ && peer->fails >= peer->max_fails
+ && now - peer->checked <= peer->fail_timeout)
+diff --git src/http/modules/ngx_http_upstream_least_conn_module.c src/http/modules/ngx_http_upstream_least_conn_module.c
+index ebe0627..94f1883 100644
+--- src/http/modules/ngx_http_upstream_least_conn_module.c
++++ src/http/modules/ngx_http_upstream_least_conn_module.c
+@@ -9,6 +9,10 @@
+ #include
+ #include
+
++#if (NGX_HTTP_UPSTREAM_CHECK)
++#include "ngx_http_upstream_check_module.h"
++#endif
++
+
+ static ngx_int_t ngx_http_upstream_init_least_conn_peer(ngx_http_request_t *r,
+ ngx_http_upstream_srv_conf_t *us);
+@@ -147,6 +151,16 @@ ngx_http_upstream_get_least_conn_peer(ngx_peer_connection_t *pc, void *data)
+ continue;
+ }
+
++#if (NGX_HTTP_UPSTREAM_CHECK)
++ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0,
++ "get least_conn peer, check_index: %ui",
++ peer->check_index);
++
++ if (ngx_http_upstream_check_peer_down(peer->check_index)) {
++ continue;
++ }
++#endif
++
+ if (peer->max_fails
+ && peer->fails >= peer->max_fails
+ && now - peer->checked <= peer->fail_timeout)
+@@ -202,6 +216,16 @@ ngx_http_upstream_get_least_conn_peer(ngx_peer_connection_t *pc, void *data)
+ continue;
+ }
+
++#if (NGX_HTTP_UPSTREAM_CHECK)
++ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0,
++ "get least_conn peer, check_index: %ui",
++ peer->check_index);
++
++ if (ngx_http_upstream_check_peer_down(peer->check_index)) {
++ continue;
++ }
++#endif
++
+ if (peer->conns * best->weight != best->conns * peer->weight) {
+ continue;
+ }
+diff --git src/http/ngx_http_upstream_round_robin.c src/http/ngx_http_upstream_round_robin.c
+index 0137bf6..99f0923 100644
+--- src/http/ngx_http_upstream_round_robin.c
++++ src/http/ngx_http_upstream_round_robin.c
+@@ -9,6 +9,9 @@
+ #include
+ #include
+
++#if (NGX_HTTP_UPSTREAM_CHECK)
++#include "ngx_http_upstream_check_module.h"
++#endif
+
+ #define ngx_http_upstream_tries(p) ((p)->number \
+ + ((p)->next ? (p)->next->number : 0))
+@@ -97,7 +100,14 @@ ngx_http_upstream_init_round_robin(ngx_conf_t *cf,
+ peer[n].fail_timeout = server[i].fail_timeout;
+ peer[n].down = server[i].down;
+ peer[n].server = server[i].name;
+-
++#if (NGX_HTTP_UPSTREAM_CHECK)
++ if (!server[i].down) {
++ peer[n].check_index =
++ ngx_http_upstream_check_add_peer(cf, us, &server[i].addrs[j]);
++ } else {
++ peer[n].check_index = (ngx_uint_t) NGX_ERROR;
++ }
++#endif
+ *peerp = &peer[n];
+ peerp = &peer[n].next;
+ n++;
+@@ -161,7 +171,15 @@ ngx_http_upstream_init_round_robin(ngx_conf_t *cf,
+ peer[n].fail_timeout = server[i].fail_timeout;
+ peer[n].down = server[i].down;
+ peer[n].server = server[i].name;
+-
++#if (NGX_HTTP_UPSTREAM_CHECK)
++ if (!server[i].down) {
++ peer[n].check_index =
++ ngx_http_upstream_check_add_peer(cf, us, &server[i].addrs[j]);
++ }
++ else {
++ peer[n].check_index = (ngx_uint_t) NGX_ERROR;
++ }
++#endif
+ *peerp = &peer[n];
+ peerp = &peer[n].next;
+ n++;
+@@ -228,6 +246,9 @@ ngx_http_upstream_init_round_robin(ngx_conf_t *cf,
+ peer[i].max_conns = 0;
+ peer[i].max_fails = 1;
+ peer[i].fail_timeout = 10;
++#if (NGX_HTTP_UPSTREAM_CHECK)
++ peer[i].check_index = (ngx_uint_t) NGX_ERROR;
++#endif
+ *peerp = &peer[i];
+ peerp = &peer[i].next;
+ }
+@@ -344,6 +365,9 @@ ngx_http_upstream_create_round_robin_peer(ngx_http_request_t *r,
+ peer[0].max_conns = 0;
+ peer[0].max_fails = 1;
+ peer[0].fail_timeout = 10;
++#if (NGX_HTTP_UPSTREAM_CHECK)
++ peer[0].check_index = (ngx_uint_t) NGX_ERROR;
++#endif
+ peers->peer = peer;
+
+ } else {
+@@ -378,6 +402,9 @@ ngx_http_upstream_create_round_robin_peer(ngx_http_request_t *r,
+ peer[i].max_conns = 0;
+ peer[i].max_fails = 1;
+ peer[i].fail_timeout = 10;
++#if (NGX_HTTP_UPSTREAM_CHECK)
++ peer[i].check_index = (ngx_uint_t) NGX_ERROR;
++#endif
+ *peerp = &peer[i];
+ peerp = &peer[i].next;
+ }
+@@ -443,6 +470,12 @@ ngx_http_upstream_get_round_robin_peer(ngx_peer_connection_t *pc, void *data)
+ goto failed;
+ }
+
++#if (NGX_HTTP_UPSTREAM_CHECK)
++ if (ngx_http_upstream_check_peer_down(peer->check_index)) {
++ goto failed;
++ }
++#endif
++
+ rrp->current = peer;
+
+ } else {
+@@ -537,6 +570,12 @@ ngx_http_upstream_get_peer(ngx_http_upstream_rr_peer_data_t *rrp)
+ continue;
+ }
+
++#if (NGX_HTTP_UPSTREAM_CHECK)
++ if (ngx_http_upstream_check_peer_down(peer->check_index)) {
++ continue;
++ }
++#endif
++
+ if (peer->max_fails
+ && peer->fails >= peer->max_fails
+ && now - peer->checked <= peer->fail_timeout)
+diff --git src/http/ngx_http_upstream_round_robin.h src/http/ngx_http_upstream_round_robin.h
+index 45f258d..dee91d0 100644
+--- src/http/ngx_http_upstream_round_robin.h
++++ src/http/ngx_http_upstream_round_robin.h
+@@ -38,6 +38,10 @@ struct ngx_http_upstream_rr_peer_s {
+ ngx_msec_t slow_start;
+ ngx_msec_t start_time;
+
++#if (NGX_HTTP_UPSTREAM_CHECK)
++ ngx_uint_t check_index;
++#endif
++
+ ngx_uint_t down;
+
+ #if (NGX_HTTP_SSL || NGX_COMPAT)
diff --git a/www-servers/nginx/files/nginx-1.23.2-mod_auth_ldap-fix.patch b/www-servers/nginx/files/nginx-1.23.2-mod_auth_ldap-fix.patch
new file mode 100644
index 0000000..b3b4cf4
--- /dev/null
+++ b/www-servers/nginx/files/nginx-1.23.2-mod_auth_ldap-fix.patch
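Review bot: In http_upstream_check-nginx-1.11.5+.patch the value `(ngx_uint_t) NGX_ERROR` is written into `check_index` in five places in ngx_http_upstream_round_robin.c as an undocumented "no health check" sentinel, and the two ngx_http_upstream_init_round_robin hunks also store the return of ngx_http_upstream_check_add_peer() there without testing it. Nothing on this page shows how ngx_http_upstream_check_peer_down() treats that value, so a reader cannot tell whether a peer whose registration failed is skipped or silently treated as healthy; that fail-open or fail-closed choice should be stated. I would add one comment at the struct field in ngx_http_upstream_round_robin.h, `/* index into the check module's peer table; (ngx_uint_t) NGX_ERROR means the peer is not health-checked */`, and replace the repeated cast with a named macro. All patched functions continue outside their hunks.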
@@ -0,0 +1,21 @@
+From f0a5f61d9aad59c23e2c877094a8f17c43bee5b5 Mon Sep 17 00:00:00 2001
+From: freultwah <631910+freultwah@users.noreply.github.com>
+Date: Tue, 23 Aug 2022 18:09:45 +0300
+Subject: [PATCH] Make the module not crash with nginx >1.23.*
+
+---
+ ngx_http_auth_ldap_module.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ngx_http_auth_ldap_module.c b/ngx_http_auth_ldap_module.c
+index 2f4e592..83b481c 100644
+--- a/ngx_http_auth_ldap_module.c
++++ b/ngx_http_auth_ldap_module.c
+@@ -1779,6 +1779,7 @@ ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm)
+ }
+
+ r->headers_out.www_authenticate->hash = 1;
++ r->headers_out.www_authenticate->next = NULL;
+ r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1;
+ r->headers_out.www_authenticate->key.data = (u_char *) "WWW-Authenticate";
+ r->headers_out.www_authenticate->value = *realm;
diff --git a/www-servers/nginx/files/nginx-1.4.1-fix-perl-install-path.patch b/www-servers/nginx/files/nginx-1.4.1-fix-perl-install-path.patch
new file mode 100644
index 0000000..601a79b
--- /dev/null
+++ b/www-servers/nginx/files/nginx-1.4.1-fix-perl-install-path.patch
@@ -0,0 +1,13 @@
+diff --git a/auto/lib/perl/make b/auto/lib/perl/make
+index 260bd95..857ece6 100644
+--- a/auto/lib/perl/make
++++ b/auto/lib/perl/make
+@@ -35,6 +35,8 @@ $NGX_OBJS/src/http/modules/perl/Makefile: \\
+ NGX_DEPS="\$(CORE_DEPS) \$(HTTP_DEPS)" \\
+ $NGX_PERL Makefile.PL \\
+ LIB=$NGX_PERL_MODULES \\
++ PREFIX=$NGX_PREFIX \\
++ INSTALLDIRS=vendor \\
+ INSTALLSITEMAN3DIR=$NGX_PERL_MODULES_MAN
+
+ END
diff --git a/www-servers/nginx/files/nginx-httpoxy-mitigation-r1.patch b/www-servers/nginx/files/nginx-httpoxy-mitigation-r1.patch
new file mode 100644
index 0000000..4a6372a
--- /dev/null
+++ b/www-servers/nginx/files/nginx-httpoxy-mitigation-r1.patch
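Review bot: The added `r->headers_out.www_authenticate->next = NULL;` in ngx_http_auth_ldap_set_realm (nginx-1.23.2-mod_auth_ldap-fix.patch) carries no comment saying why it is needed, and the patch subject only says the module crashed. Since nginx 1.23.0 header elements carry a `next` link for repeated headers, and the element here is presumably obtained from ngx_list_push() above the hunk, which does not zero it, so without this line the core would follow an uninitialised pointer when it emits WWW-Authenticate. A one-line comment such as `/* nginx >= 1.23.0 follows ->next; the pushed element is not zeroed */` would keep the assignment from being dropped later. Any other header this module pushes needs the same treatment, but those call sites are outside the hunk.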
@@ -0,0 +1,54 @@
+httpoxy mitigation
+
+See https://httpoxy.org/ and https://www.nginx.com/blog/?p=41962 for details.
+---
+ conf/fastcgi.conf | 3 +++
+ conf/fastcgi_params | 3 +++
+ conf/scgi_params | 3 +++
+ conf/uwsgi_params | 3 +++
+ 4 files changed, 12 insertions(+)
+
+diff --git a/conf/fastcgi.conf b/conf/fastcgi.conf
+index 091738c..9f7e192 100644
+--- a/conf/fastcgi.conf
++++ b/conf/fastcgi.conf
+@@ -24,3 +24,6 @@ fastcgi_param SERVER_NAME $server_name;
+
+ # PHP only, required if PHP was built with --enable-force-cgi-redirect
+ fastcgi_param REDIRECT_STATUS 200;
++
++# httpoxy mitigation (https://httpoxy.org/ https://www.nginx.com/blog/?p=41962)
++fastcgi_param HTTP_PROXY "";
+diff --git a/conf/fastcgi_params b/conf/fastcgi_params
+index 28decb9..3be3a95 100644
+--- a/conf/fastcgi_params
++++ b/conf/fastcgi_params
+@@ -23,3 +23,6 @@ fastcgi_param SERVER_NAME $server_name;
+
+ # PHP only, required if PHP was built with --enable-force-cgi-redirect
+ fastcgi_param REDIRECT_STATUS 200;
++
++# httpoxy mitigation (https://httpoxy.org/ https://www.nginx.com/blog/?p=41962)
++fastcgi_param HTTP_PROXY "";
+diff --git a/conf/scgi_params b/conf/scgi_params
+index 6d4ce4f..a9da34f 100644
+--- a/conf/scgi_params
++++ b/conf/scgi_params
+@@ -15,3 +15,6 @@ scgi_param REMOTE_ADDR $remote_addr;
+ scgi_param REMOTE_PORT $remote_port;
+ scgi_param SERVER_PORT $server_port;
+ scgi_param SERVER_NAME $server_name;
++
++# httpoxy mitigation (https://httpoxy.org/ https://www.nginx.com/blog/?p=41962)
++scgi_param HTTP_PROXY "";
+diff --git a/conf/uwsgi_params b/conf/uwsgi_params
+index 09c732c..9d67d3d 100644
+--- a/conf/uwsgi_params
++++ b/conf/uwsgi_params
+@@ -15,3 +15,6 @@ uwsgi_param REMOTE_ADDR $remote_addr;
+ uwsgi_param REMOTE_PORT $remote_port;
+ uwsgi_param SERVER_PORT $server_port;
+ uwsgi_param SERVER_NAME $server_name;
++
++# httpoxy mitigation (https://httpoxy.org/ https://www.nginx.com/blog/?p=41962)
++uwsgi_param HTTP_PROXY "";
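Review bot: The comment added to conf/fastcgi.conf, conf/fastcgi_params, conf/scgi_params and conf/uwsgi_params names the mitigation but not its scope. Setting `HTTP_PROXY ""` only takes effect where the file is included, and nginx inherits `*_param` directives from an outer level only when the current level defines none of its own, so a location that sets its own `fastcgi_param` lines without including the file still forwards a client-supplied Proxy header to the backend as HTTP_PROXY. I would extend the comment to say so, for example `# Clears the client "Proxy" header for the backend; only effective where this file is included.` Backends reached through proxy_pass are not covered by these four files and need `proxy_set_header Proxy "";` in the site configuration.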
diff --git a/www-servers/nginx/files/nginx.conf-r3 b/www-servers/nginx/files/nginx.conf-r3
new file mode 100644
index 0000000..aedaad4
--- /dev/null
+++ b/www-servers/nginx/files/nginx.conf-r3
@@ -0,0 +1,70 @@
+user nginx nginx;
+worker_processes 1;
+
+error_log /var/log/nginx/error_log info;
+
+events {
+ worker_connections 1024;
+ use epoll;
+}
+
+http {
+ include /etc/nginx/mime.types.nginx;
+ types_hash_max_size 4096;
+ default_type application/octet-stream;
+
+ log_format main
+ '$remote_addr - $remote_user [$time_local] '
+ '"$request" $status $bytes_sent '
+ '"$http_referer" "$http_user_agent" '
+ '"$gzip_ratio"';
+
+ client_header_timeout 10m;
+ client_body_timeout 10m;
+ send_timeout 10m;
+
+ connection_pool_size 256;
+ client_header_buffer_size 1k;
+ large_client_header_buffers 4 2k;
+ request_pool_size 4k;
+
+ gzip off;
+
+ output_buffers 1 32k;
+ postpone_output 1460;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+
+ keepalive_timeout 75 20;
+
+ ignore_invalid_headers on;
+
+ index index.html;
+
+ server {
+ listen 127.0.0.1;
+ server_name localhost;
+
+ access_log /var/log/nginx/localhost.access_log main;
+ error_log /var/log/nginx/localhost.error_log info;
+
+ root /var/www/localhost/htdocs;
+ }
+
+ # SSL example
+ #server {
+ # listen 127.0.0.1:443;
+ # server_name localhost;
+
+ # ssl on;
+ # ssl_certificate /etc/ssl/nginx/nginx.pem;
+ # ssl_certificate_key /etc/ssl/nginx/nginx.key;
+
+ # access_log /var/log/nginx/localhost.ssl_access_log main;
+ # error_log /var/log/nginx/localhost.ssl_error_log info;
+
+ # root /var/www/localhost/htdocs;
+ #}
+}
diff --git a/www-servers/nginx/files/nginx.confd b/www-servers/nginx/files/nginx.confd
new file mode 100644
index 0000000..f4b8043
--- /dev/null
+++ b/www-servers/nginx/files/nginx.confd
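Review bot: In nginx.conf-r3, `client_header_timeout 10m;`, `client_body_timeout 10m;` and `send_timeout 10m;` let a single idle or slow client hold a connection for ten minutes, and with `worker_processes 1` and `worker_connections 1024` that is a small pool to exhaust. nginx's own default for all three is 60s; unless the default site needs very slow uploads I would ship `client_header_timeout 60s;`, `client_body_timeout 60s;` and `send_timeout 60s;`, or drop the three lines. The commented SSL example also uses `ssl on;`, which is deprecated in favour of the `ssl` parameter of `listen`, so `listen 127.0.0.1:443 ssl;` is the form to document.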
@@ -0,0 +1,32 @@
+# /etc/conf.d/nginx
+
+# Configuration file
+#NGINX_CONFIGFILE="/etc/nginx/nginx.conf"
+
+# PID file
+# If you should ever change this, remember to update
+# "/etc/logrotate.d/nginx", too.
+#NGINX_PIDFILE="/run/nginx.pid"
+
+# User to run nginx as
+# If you should ever change this, make sure this user has
+# execution permission on any of your log directories
+# (/var/log/nginx per default) but do NOT forget other log directories
+# one of your vhost(s) maybe using or logging after logrotation will
+# be broken).
+#NGINX_USER="nginx"
+
+# Group to run nginx as
+# See the note above regarding NGINX_USER.
+#NGINX_GROUP="nginx"
+
+# You can use this configuration option to pass additional options to the
+# start-stop-daemon, see start-stop-daemon(8) for more details.
+# Per default we wait 1000ms after we have started the service to ensure
+# that the daemon is really up and running.
+#NGINX_SSDARGS="--wait 1000"
+
+# The termination timeout (start-stop-daemon parameter "retry") ensures
+# that the service will be terminated within a given time (60 + 5 seconds
+# per default) when you are stopping the service.
+#NGINX_TERMTIMEOUT="TERM/60/KILL/5"
diff --git a/www-servers/nginx/files/nginx.initd-r4 b/www-servers/nginx/files/nginx.initd-r4
new file mode 100644
index 0000000..31f79ba
--- /dev/null
+++ b/www-servers/nginx/files/nginx.initd-r4
@@ -0,0 +1,92 @@
+#!/sbin/openrc-run
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="configtest"
+extra_started_commands="upgrade reload"
+
+description="Robust, small and high performance http and reverse proxy server"
+description_configtest="Run nginx' internal config check."
+description_upgrade="Upgrade the nginx binary without losing connections."
+description_reload="Reload the nginx configuration without losing connections."
+
+NGINX_CONFIGFILE=${NGINX_CONFIGFILE:-/etc/nginx/nginx.conf}
+
+command="/usr/sbin/nginx"
+command_args="-c \"${NGINX_CONFIGFILE}\""
+start_stop_daemon_args=${NGINX_SSDARGS:-"--wait 1000"}
+pidfile=${NGINX_PIDFILE:-/run/nginx.pid}
+user=${NGINX_USER:-nginx}
+group=${NGINX_GROUP:-nginx}
+retry=${NGINX_TERMTIMEOUT:-"TERM/60/KILL/5"}
+
+depend() {
+ need net
+ use dns logger netmount
+}
+
+start_pre() {
+ if [ "${RC_CMD}" != "restart" ]; then
+ configtest || return 1
+ fi
+}
+
+stop_pre() {
+ if [ "${RC_CMD}" = "restart" ]; then
+ configtest || return 1
+ fi
+}
+
+stop_post() {
+ rm -f ${pidfile}
+}
+
+reload() {
+ configtest || return 1
+ ebegin "Refreshing nginx' configuration"
+ start-stop-daemon --signal SIGHUP --pidfile "${pidfile}"
+ eend $? "Failed to reload nginx"
+}
+
+upgrade() {
+ configtest || return 1
+ ebegin "Upgrading nginx"
+
+ einfo "Sending USR2 to old binary"
+ start-stop-daemon --signal SIGUSR2 --pidfile "${pidfile}"
+
+ einfo "Sleeping 3 seconds before pid-files checking"
+ sleep 3
+
+ if [ ! -f "${pidfile}.oldbin" ]; then
+ eerror "File with old pid not found"
+ return 1
+ fi
+
+ if [ ! -f "${pidfile}" ]; then
+ eerror "New binary failed to start"
+ return 1
+ fi
+
+ einfo "Sleeping 3 seconds before WINCH"
+ sleep 3
+ # Cannot send "WINCH" using start-stop-daemon yet, https://bugs.gentoo.org/604986
+ kill -WINCH $(cat "${pidfile}.oldbin")
+
+ einfo "Sending QUIT to old binary"
+ start-stop-daemon --signal SIGQUIT --pidfile "${pidfile}.oldbin"
+
+ einfo "Upgrade completed"
+ eend $? "Upgrade failed"
+}
+
+configtest() {
+ ebegin "Checking nginx' configuration"
+ ${command} -c "${NGINX_CONFIGFILE}" -t -q
+
+ if [ $? -ne 0 ]; then
+ ${command} -c "${NGINX_CONFIGFILE}" -t
+ fi
+
+ eend $? "failed, please correct errors above"
+}
diff --git a/www-servers/nginx/files/nginx.logrotate-r1 b/www-servers/nginx/files/nginx.logrotate-r1
new file mode 100644
index 0000000..bc9d87a
--- /dev/null
+++ b/www-servers/nginx/files/nginx.logrotate-r1
@@ -0,0 +1,11 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+/var/log/nginx/*_log {
+ missingok
+ delaycompress
+ sharedscripts
+ postrotate
+ test -r /run/nginx.pid && kill -USR1 `cat /run/nginx.pid`
+ endscript
+}
diff --git a/www-servers/nginx/files/nginx.service-r1 b/www-servers/nginx/files/nginx.service-r1
new file mode 100644
index 0000000..e160af7
--- /dev/null
+++ b/www-servers/nginx/files/nginx.service-r1
@@ -0,0 +1,15 @@
+[Unit]
+Description=The nginx HTTP and reverse proxy server
+After=network.target remote-fs.target nss-lookup.target
+
+[Service]
+Type=forking
+PIDFile=/run/nginx.pid
+ExecStartPre=/usr/sbin/nginx -t
+ExecStart=/usr/sbin/nginx
+ExecStartPost=/bin/sleep 0.1
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/bin/kill -QUIT $MAINPID
+
+[Install]
+WantedBy=multi-user.target
-- cgit v1.2.3
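Review bot: In nginx.initd-r4, `upgrade()` ends with `einfo "Upgrade completed"` followed by `eend $? "Upgrade failed"`, so `$?` is einfo's status and a failed SIGQUIT to the old master is still reported as success; the results of the SIGUSR2 and `kill -WINCH` steps are not checked either. Call `eend $? "Upgrade failed"` directly after the `start-stop-daemon --signal SIGQUIT` line, before the "Upgrade completed" message, and return early when an earlier signalling step fails. `stop_post()` also runs `rm -f ${pidfile}` unquoted as root; `rm -f -- "${pidfile}"` avoids word splitting and globbing if NGINX_PIDFILE is ever set to an unusual path.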
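Review bot: nginx.service-r1 starts the master with no sandboxing directives in `[Service]`, so the service keeps access to home directories, shares the system /tmp and can gain privileges through setuid binaries. Candidates to add, each to be verified against the modules and paths this build actually uses (the Lua and Perl modules in particular), are `PrivateTmp=true`, `ProtectHome=true` and `NoNewPrivileges=true`. `ExecReload` also sends HUP without the `nginx -t` check that `ExecStartPre` and the OpenRC script's `reload()` perform, so a reload with a broken configuration is only visible in the error log.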