diff --git a/net/nginx/Makefile b/net/nginx/Makefile index 17eb05d2e..496bb7e4c 100644 --- a/net/nginx/Makefile +++ b/net/nginx/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nginx PKG_VERSION:=1.17.7 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://nginx.org/download/ @@ -72,7 +72,8 @@ PKG_CONFIG_DEPENDS := \ CONFIG_NGINX_RTMP_MODULE \ CONFIG_NGINX_TS_MODULE \ CONFIG_OPENSSL_ENGINE \ - CONFIG_OPENSSL_WITH_NPN + CONFIG_OPENSSL_WITH_NPN \ + CONFIG_NGINX_NOPCRE include $(INCLUDE_DIR)/package.mk @@ -95,13 +96,16 @@ endef define Package/nginx $(Package/nginx/default) + DEPENDS += +!NGINX_SSL:nginx-util +NGINX_SSL&&NGINX_PCRE:nginx-ssl-util \ + +NGINX_SSL&&NGINX_NOPCRE:nginx-ssl-util-nopcre VARIANT:=no-ssl endef define Package/nginx-ssl $(Package/nginx/default) TITLE += with SSL support - DEPENDS +=+libopenssl + DEPENDS += +libopenssl +NGINX_PCRE:nginx-ssl-util \ + +!NGINX_PCRE:nginx-ssl-util-nopcre VARIANT:=ssl PROVIDES:=nginx endef @@ -114,7 +118,7 @@ define Package/nginx-all-module $(Package/nginx/default) TITLE += with ALL module selected DEPENDS:=+libpcre +libopenssl +zlib +liblua +libpthread +libxml2 \ - +libubus +libblobmsg-json +libjson-c + +libubus +libblobmsg-json +libjson-c +nginx-ssl-util VARIANT:=all-module PROVIDES:=nginx endef @@ -124,13 +128,17 @@ Package/nginx-all-module/description = $(Package/nginx/description) \ define Package/nginx/config source "$(SOURCE)/Config.in" +config NGINX_NOPCRE + bool + default y if !NGINX_PCRE + default n if NGINX_PCRE endef define Package/nginx-ssl/config source "$(SOURCE)/Config_ssl.in" endef -config_files=nginx.conf mime.types +config_files=mime.types define Package/nginx/conffiles /etc/nginx/ 
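Review bot: The two DEPENDS lines in this hunk express the same PCRE choice in two different ways: Package/nginx uses the new symbol through `+NGINX_SSL&&NGINX_NOPCRE:nginx-ssl-util-nopcre`, while Package/nginx-ssl a few lines below uses `+!NGINX_PCRE:nginx-ssl-util-nopcre` directly. If NGINX_NOPCRE exists only because a negated term cannot be combined with `&&` in DEPENDS, a one-line comment next to the `config NGINX_NOPCRE` definition saying so would stop the next reader from "simplifying" it away; otherwise nginx-ssl could use the same symbol for consistency. Package/nginx also depends on nginx-util only in the `!NGINX_SSL` case, so the prerm added further down that calls `/usr/bin/nginx-util` presumably relies on nginx-ssl-util and nginx-ssl-util-nopcre providing that path — worth stating in the same comment since it is not visible from this Makefile.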
@@ -358,7 +366,7 @@ CONFIGURE_ARGS += \ --prefix=/usr \ --conf-path=/etc/nginx/nginx.conf \ $(ADDITIONAL_MODULES) \ - --error-log-path=/var/log/nginx/error.log \ + --error-log-path=stderr \ --pid-path=/var/run/nginx.pid \ --lock-path=/var/lock/nginx.lock \ --http-log-path=/var/log/nginx/access.log \ @@ -371,26 +379,21 @@ CONFIGURE_ARGS += \ --without-http_upstream_zone_module define Package/nginx-mod-luci/install - $(INSTALL_DIR) $(1)/etc/nginx - $(INSTALL_BIN) ./files-luci-support/luci_uwsgi.conf $(1)/etc/nginx/luci_uwsgi.conf - $(INSTALL_BIN) ./files-luci-support/luci_nginx.conf $(1)/etc/nginx/luci_nginx.conf + $(INSTALL_DIR) $(1)/etc/nginx/conf.d + $(INSTALL_CONF) ./files-luci-support/luci.locations $(1)/etc/nginx/conf.d/ $(INSTALL_DIR) $(1)/etc/uci-defaults $(INSTALL_BIN) ./files-luci-support/60_nginx-luci-support $(1)/etc/uci-defaults/60_nginx-luci-support endef -define Package/nginx-mod-luci-ssl/install - $(Package/nginx-mod-luci/install) - $(INSTALL_DIR) $(1)/etc/nginx - $(INSTALL_BIN) ./files-luci-support/luci_nginx_ssl.conf $(1)/etc/nginx/luci_nginx_ssl.conf - $(INSTALL_DIR) $(1)/etc/uci-defaults - $(INSTALL_BIN) ./files-luci-support/70_nginx-luci-support-ssl $(1)/etc/uci-defaults/70_nginx-luci-support-ssl -endef +Package/nginx-mod-luci-ssl/install = $(Package/nginx-mod-luci/install) define Package/nginx/install $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/nginx $(1)/usr/sbin/ - $(INSTALL_DIR) $(1)/etc/nginx + $(INSTALL_DIR) $(1)/etc/nginx/conf.d $(INSTALL_DATA) $(addprefix $(PKG_INSTALL_DIR)/etc/nginx/,$(config_files)) $(1)/etc/nginx/ + $(INSTALL_CONF) ./files/nginx.conf $(1)/etc/nginx/ + $(INSTALL_CONF) ./files/_lan.conf $(1)/etc/nginx/conf.d/ $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/nginx.init $(1)/etc/init.d/nginx ifeq ($(CONFIG_NGINX_NAXSI),y) 
@@ -400,10 +403,45 @@ ifeq ($(CONFIG_NGINX_NAXSI),y) endif $(if $(CONFIG_NGINX_NAXSI),$($(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx)) $(if $(CONFIG_NGINX_NAXSI),$(chmod 0640 $(1)/etc/nginx/naxsi_core.rules)) +ifeq ($(CONFIG_NGINX_SSL),y) + $(INSTALL_CONF) ./files/_redirect2ssl.conf $(1)/etc/nginx/conf.d/ +endif +ifneq ($(CONFIG_IPV6),y) + $(SED) '/listen\s*\[/d' $(1)/etc/nginx/conf.d/*.conf # without IPv6 [::] +endif endef -Package/nginx-ssl/install = $(Package/nginx/install) -Package/nginx-all-module/install = $(Package/nginx/install) +define Package/nginx-ssl/install + $(call Package/nginx/install, $(1)) + $(INSTALL_CONF) ./files/_redirect2ssl.conf $(1)/etc/nginx/conf.d/ +ifneq ($(CONFIG_IPV6),y) + $(SED) '/listen\s*\[/d' $(1)/etc/nginx/conf.d/*.conf # without IPv6 [::] +endif +endef + +Package/nginx-all-module/install = $(Package/nginx-ssl/install) + +define Package/nginx-ssl/prerm +#!/bin/sh +[ -z "$${IPKG_INSTROOT}" ] || exit 0 +if [ "$${PKG_UPGRADE}" == "1" ]; then + eval $$(/usr/bin/nginx-util get_env) + TMP_CRT=$$(mktemp -p "$${CONF_DIR}" "$${LAN_NAME}.crt.tmp-XXXXXX") + ln -f "$${CONF_DIR}$${LAN_NAME}.crt" "$${TMP_CRT}" + TMP_KEY=$$(mktemp -p "$${CONF_DIR}" "$${LAN_NAME}.key.tmp-XXXXXX") + ln -f "$${CONF_DIR}$${LAN_NAME}.key" "$${TMP_KEY}" +fi +/usr/bin/nginx-util del_ssl +[ -f "$${TMP_CRT}" ] && mv -f "$${TMP_CRT}" "$${CONF_DIR}$${LAN_NAME}.crt" +[ -f "$${TMP_KEY}" ] && mv -f "$${TMP_KEY}" "$${CONF_DIR}$${LAN_NAME}.key" +exit 0 +endef + +ifeq ($(CONFIG_NGINX_SSL),y) +Package/nginx/prerm = $(Package/nginx-ssl/prerm) +endif + +Package/nginx-all-module/prerm = $(Package/nginx-ssl/prerm) define Build/Prepare $(Build/Prepare/Default) diff --git a/net/nginx/files-luci-support/60_nginx-luci-support b/net/nginx/files-luci-support/60_nginx-luci-support index b682a832e..b1fe35824 100644 --- a/net/nginx/files-luci-support/60_nginx-luci-support +++ b/net/nginx/files-luci-support/60_nginx-luci-support 
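Review bot: If CONFIG_NGINX_SSL is set while the ssl variant is built (which the `Package/nginx/prerm = $(Package/nginx-ssl/prerm)` assignment below suggests), `_redirect2ssl.conf` is installed and the IPv6-stripping `$(SED)` runs twice: once inside `$(call Package/nginx/install, $(1))` through the `ifeq ($(CONFIG_NGINX_SSL),y)` block added to Package/nginx/install, and again in the two lines Package/nginx-ssl/install appends after the call. Both are idempotent, but keeping only the `ifeq` block and reducing Package/nginx-ssl/install to an alias, as Package/nginx-all-module/install already is, removes the overlap. In Package/nginx-ssl/prerm, `[ "$${PKG_UPGRADE}" == "1" ]` relies on the non-POSIX `==`; `=` is the portable form. Should `mktemp` fail there (for instance when `get_env` leaves CONF_DIR empty), TMP_CRT and TMP_KEY stay empty, the `ln -f` calls fail quietly and `del_ssl` then removes the certificate and key during an upgrade as well, so checking that both temporary links exist before calling `del_ssl` on the upgrade path would keep the key from being lost silently.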
@@ -1,33 +1,8 @@ #!/bin/sh -if [ -f "/etc/nginx/luci_nginx.conf" ] && [ -f "/etc/nginx/nginx.conf" ]; then - if [ ! "$(cat '/etc/nginx/nginx.conf' | grep 'luci_uwsgi.conf')" ]; then - mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf_old - mv /etc/nginx/luci_nginx.conf /etc/nginx/nginx.conf - core_number=$(grep -c ^processor /proc/cpuinfo) - sed -i "3s/.*/worker_processes "$core_number";/" /etc/nginx/nginx.conf - if [ -n "$(pgrep uhttpd)" ]; then - /etc/init.d/uhttpd stop - /etc/init.d/uhttpd disable - fi - if [ -n "$(pgrep nginx)" ]; then - /etc/init.d/nginx restart - else - /etc/init.d/nginx start - fi - if [ -n "$(pgrep uwsgi)" ]; then - /etc/init.d/uwsgi restart - else - /etc/init.d/uwsgi start - fi - else - rm /etc/nginx/luci_nginx.conf - fi -fi - if nginx -V 2>&1 | grep -q ubus; then - if [ -z "$(cat /etc/nginx/luci_uwsgi.conf | grep ubus)" ]; then - cat <> /etc/nginx/luci_uwsgi.conf + if [ -z "$(cat /etc/nginx/conf.d/luci.locations | grep ubus)" ]; then + cat <> /etc/nginx/conf.d/luci.locations location /ubus { ubus_interpreter; @@ -38,4 +13,26 @@ EOT fi fi +if [ -x /etc/init.d/uhttpd ]; then + /etc/init.d/uhttpd disable + if [ -n "$(pgrep uhttpd)" ]; then + /etc/init.d/uhttpd stop + fi +fi + +/etc/init.d/nginx enable +if [ -n "$(pgrep nginx)" ]; then + /etc/init.d/nginx restart +else + /etc/init.d/nginx start +fi + +/etc/init.d/uwsgi enable +if [ -n "$(pgrep uwsgi)" ]; then + /etc/init.d/uwsgi restart +else + /etc/init.d/uwsgi start +fi + + exit 0 diff --git a/net/nginx/files-luci-support/70_nginx-luci-support-ssl b/net/nginx/files-luci-support/70_nginx-luci-support-ssl deleted file mode 100644 index 76ce3a819..000000000 --- a/net/nginx/files-luci-support/70_nginx-luci-support-ssl +++ /dev/null 
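Review bot: `cat /etc/nginx/conf.d/luci.locations | grep ubus` in the new test spawns two processes to answer a yes/no question; `grep -q ubus /etc/nginx/conf.d/luci.locations` is the idiom and reports a missing file through its exit status instead of a cat error on stderr. The heredoc that follows appears with its `<<` marker lost in this rendering, so I cannot check the delimiter here; the `EOT` context of the next hunk suggests it is intact in the file.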
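Review bot: `pgrep nginx` matches any process whose name contains "nginx", so a concurrently running `nginx-util` (the init script invokes it on every start) can make the script take the `restart` branch although the server is not up; `pgrep -x nginx` matches the name exactly, or the branch can be dropped altogether since `/etc/init.d/nginx restart` works whether or not an instance is running. The same substring matching applies to `pgrep uhttpd` and `pgrep uwsgi`. Note also that the script now disables uhttpd and enables nginx and uwsgi unconditionally on every installation of nginx-mod-luci, whereas the removed code only did so while it was replacing nginx.conf; a short header comment such as `# installing this package hands LuCI over to nginx+uwsgi and disables uhttpd` would make that intentional change visible to anyone reading /etc/uci-defaults.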
@@ -1,48 +0,0 @@ -#!/bin/sh - - -if [ -f "/etc/nginx/luci_nginx_ssl.conf" ] && [ -f "/etc/nginx/nginx.conf" ]; then - if [ ! "$(cat '/etc/nginx/nginx.conf' | grep 'return 301 https://$host$request_uri;')" ]; then - if [ -f "/etc/nginx/nginx.conf_old" ]; then - rm /etc/nginx/nginx.conf - else - mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf_old - fi - mv /etc/nginx/luci_nginx_ssl.conf /etc/nginx/nginx.conf - core_number=$(grep -c ^processor /proc/cpuinfo) - sed -i "3s/.*/worker_processes "$core_number";/" /etc/nginx/nginx.conf - if [ -n "$(pgrep nginx)" ]; then - /etc/init.d/nginx restart - else - /etc/init.d/nginx start - fi - else - rm /etc/nginx/luci_nginx_ssl.conf - fi -fi - - -if [ ! -f "/etc/nginx/nginx.key" ]; then - - NGINX_KEY=/etc/nginx/nginx.key - NGINX_CER=/etc/nginx/nginx.cer - OPENSSL_BIN=/usr/bin/openssl - PX5G_BIN=/usr/sbin/px5g - - # Prefer px5g for certificate generation (existence evaluated last) - GENKEY_CMD="" - UNIQUEID=$(dd if=/dev/urandom bs=1 count=4 | hexdump -e '1/1 "%02x"') - [ -x "$OPENSSL_BIN" ] && GENKEY_CMD="$OPENSSL_BIN req -x509 -nodes" - [ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned" - [ -n "$GENKEY_CMD" ] && { - $GENKEY_CMD \ - -days 730 -newkey rsa:2048 -keyout "${NGINX_KEY}.new" -out "${NGINX_CER}.new" \ - -subj /C="ZZ"/ST="Somewhere"/L="Unknown"/O="OpenWrt""$UNIQUEID"/CN="OpenWrt" - sync - mv "${NGINX_KEY}.new" "${NGINX_KEY}" - mv "${NGINX_CER}.new" "${NGINX_CER}" - } -fi - - -exit 0 diff --git a/net/nginx/files-luci-support/luci_uwsgi.conf b/net/nginx/files-luci-support/luci.locations similarity index 100% rename from net/nginx/files-luci-support/luci_uwsgi.conf rename to net/nginx/files-luci-support/luci.locations diff --git a/net/nginx/files-luci-support/luci_nginx.conf b/net/nginx/files-luci-support/luci_nginx.conf deleted file mode 100644 index 75f0f78a6..000000000 --- a/net/nginx/files-luci-support/luci_nginx.conf +++ /dev/null 
@@ -1,52 +0,0 @@ - -user root; -worker_processes 1; - -#error_log logs/error.log; -#error_log logs/error.log notice; -#error_log logs/error.log info; - -pid /var/run/nginx.pid; - - -events { - worker_connections 1024; -} - - -http { - include mime.types; - default_type application/octet-stream; - - sendfile on; - keepalive_timeout 0; - - client_body_buffer_size 10K; - client_header_buffer_size 1k; - client_max_body_size 1G; - large_client_header_buffers 2 1k; - - gzip on; - gzip_http_version 1.1; - gzip_vary on; - gzip_comp_level 1; - gzip_proxied any; - gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml; - - root /www; - - server { - listen 80 default_server; - listen [::]:80 default_server; - server_name localhost; - - location ~* .(jpg|jpeg|png|gif|ico|css|js)$ { - expires 365d; - } - - include luci_uwsgi.conf; - - } - - include /etc/nginx/conf.d/*.conf; -} diff --git a/net/nginx/files-luci-support/luci_nginx_ssl.conf b/net/nginx/files-luci-support/luci_nginx_ssl.conf deleted file mode 100644 index db33e554c..000000000 --- a/net/nginx/files-luci-support/luci_nginx_ssl.conf +++ /dev/null 
@@ -1,67 +0,0 @@ - -user root; -worker_processes 1; - -#error_log logs/error.log; -#error_log logs/error.log notice; -#error_log logs/error.log info; - -pid /var/run/nginx.pid; - - -events { - worker_connections 1024; -} - - -http { - include mime.types; - default_type application/octet-stream; - - sendfile on; - keepalive_timeout 0; - - client_body_buffer_size 10K; - client_header_buffer_size 1k; - client_max_body_size 1G; - large_client_header_buffers 2 1k; - - gzip on; - gzip_http_version 1.1; - gzip_vary on; - gzip_comp_level 1; - gzip_proxied any; - gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml; - - root /www; - - server { - listen 80 default_server; - listen [::]:80 default_server; - server_name _; - return 301 https://$host$request_uri; - } - - server { - listen 443 ssl default_server; - listen [::]:443 ssl default_server; - server_name localhost; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA:!SEED"; - ssl_session_tickets off; - - ssl_certificate /etc/nginx/nginx.cer; - ssl_certificate_key /etc/nginx/nginx.key; - - location ~* .(jpg|jpeg|png|gif|ico|css|js)$ { - expires 365d; - } - - include luci_uwsgi.conf; - - } - - include /etc/nginx/conf.d/*.conf; -} diff --git a/net/nginx/files/README.sh b/net/nginx/files/README.sh new file mode 100755 index 000000000..6227e6613 --- /dev/null +++ b/net/nginx/files/README.sh 
@@ -0,0 +1,327 @@ +#!/bin/sh +# This is a template copy it by: ./README.sh | xclip -selection c +# to https://openwrt.org/docs/guide-user/services/webserver/nginx#configuration + +NGINX_UTIL="/usr/bin/nginx-util" + +EXAMPLE_COM="example.com" + +MSG=" +/* Created by the following bash script that includes the source of some files: + * https://github.com/openwrt/packages/net/nginx/files/README.sh + */" + +eval $("${NGINX_UTIL}" get_env) + +code() { printf "\n%s" "$1" "$(cat "$(basename $1)")"; } + +ifConfEcho() { sed -nE "s/^\s*$1=\s*(\S*)\s*\\\\$/\n$2 \"\1\";/p" ../Makefile;} + +cat <$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} ${EXAMPLE_COM} + + + +==== Basic ====${MSG} + + +We modify the configuration by creating different configuration files in the +''${CONF_DIR}'' directory. +The configuration files use the file extensions ''.locations'' and +''.conf'' (plus ''.crt'' and ''.key'' for Nginx with SSL). +We can disable single configuration parts by giving them another extension, +e.g., by adding ''.disabled''. +For the new configuration to take effect, we must reload it by: +service nginx reload + +For OpenWrt we use a special initial configuration, which is explained below in +the section [[#openwrt_s_defaults|OpenWrt’s Defaults]]. +So, we can make a site available at a specific URL in the **LAN** by creating a +''.locations'' file in the directory ''${CONF_DIR}''. +Such a file consists just of some +[[https://nginx.org/en/docs/http/ngx_http_core_module.html#location| +location blocks]]. +Under the latter link, you can find also the official documentation for all +available directives of the HTTP core of Nginx. +Look for //location// in the Context list. 
+ +The following example provides a simple template, see at the end for +different [[#locations_for_apps|Locations for Apps]] and look for +[[https://github.com/search?utf8=%E2%9C%93&q=repo%3Aopenwrt%2Fpackages ++extension%3Alocations&type=Code&ref=advsearch&l=&l=| +other packages using a .locations file]], too: + +location /ex/am/ple { + access_log off; # default: not logging accesses. + # access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout). + # error_log stderr; # default: logging to logd (init forwards stderr). + error_log /dev/null; # disable error logging after config file is read. + # (state path of a file for access_log/error_log to the file instead.) + index index.html; +} +# location /eg/static { … } + + +All location blocks in all ''.locations'' files must use different URLs, +since they are all included in the ''${LAN_NAME}.conf'' that is part of the +[[#openwrt_s_defaults|OpenWrt’s Defaults]]. +We reserve the ''location /'' for making LuCI available under the root URL, +e.g. [[http://192.168.1.1/|192.168.1.1/]]. +All other sites shouldn’t use the root ''location /'' without suffix. +We can make other sites available on the root URL of other domain names, e.g. +on www.example.com/. +In order to do that, we create a ''.conf'' file for every domain name: +see the next section [[#new_server_parts|New Server Parts]]. +For Nginx with SSL we can also activate SSL there, as described below in the +section [[#ssl_server_parts|SSL Server Parts]]. +We use such server parts also for publishing sites to the internet (WAN) +instead of making them available just in the LAN. + +Via ''.conf'' files we can also add directives to the //http// part of the +configuration. The difference to editing the main ''${NGINX_CONF}'' +file instead is the following: If the package’s ''nginx.conf'' file is updated +it will only be installed if the old file has not been changed. 
+ + + +==== New Server Parts ====${MSG} + + +For making the router reachable from the WAN at a registered domain name, +it is not enough to give the name server the internet IP address of the router +(maybe updated automatically by a +[[docs:guide-user:services:ddns:client|DDNS Client]]). +We also need to set up virtual hosting for this domain name by creating an +appropriate server part in a ''${CONF_DIR}*.conf'' file. +All such files are included at the start of Nginx by the default main +configuration of OpenWrt ''${NGINX_CONF}'' as depicted in +[[#openwrt_s_defaults|OpenWrt’s Defaults]]. + +In the server part, we state the domain as +[[https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name| +server_name]]. +The link points to the same document as for the location blocks in the +[[#basic|Basic Configuration]]: the official documentation for all available +directives of the HTTP core of Nginx. +This time look for //server// in the Context list, too. +The server part should also contain similar location blocks as before. +We can re-include a ''.locations'' file that is included in the server part for +the LAN by default. +Then the site is reachable under the same path at both domains, e.g., by +http://192.168.1.1/ex/am/ple as well as by http://example.com/ex/am/ple. + +The [[#openwrt_s_defaults|OpenWrt’s Defaults]] include a ''${LAN_NAME}.conf'' +file containing a server part that listens on the LAN address(es) and acts as +//default_server//. +For making the domain name accessible in the LAN, too, the corresponding +server part must listen **explicitly** on the local IP address(es), cf. the +official documentation on +[[https://nginx.org/en/docs/http/request_processing.html|request_processing]]. +We can include the file ''${LAN_LISTEN}'' that contains the listen +directives for all LAN addresses on the HTTP port 80 and is automatically +updated. 
+ +The following example is a simple template, see +[[https://github.com/search?q=repo%3Aopenwrt%2Fpackages ++include+${LAN_LISTEN}+extension%3Aconf&type=Code| +such server parts of other packages]], too: + +server { + listen 80; + listen [::]:80; + include '${LAN_LISTEN}'; + server_name ${EXAMPLE_COM}; + # location / { … } # root location for this server. + include '${CONF_DIR}${EXAMPLE_COM}.locations'; +} + + + + +==== SSL Server Parts ====${MSG} + + +We can enable HTTPS for a domain if Nginx is installed with SSL support. +We need a SSL certificate as well as its key and add them by the directives +//ssl_certificate// respective //ssl_certificate_key// to the server part of the +domain. +The rest of the configuration is similar as described in the previous section +[[#new_server_parts|New Server Parts]], +we only have to adjust the listen directives by adding the //ssl// parameter, +see the official documentation for +[[https://nginx.org/en/docs/http/configuring_https_servers.html| +configuring HTTPS servers]], too. +For making the domain available also in the LAN, we can include the file +''${LAN_SSL_LISTEN}'' that contains the listen directives with ssl +parameter for all LAN addresses on the HTTPS port 443 and is automatically +updated. + +The official documentation of the SSL module contains an +[[https://nginx.org/en/docs/http/ngx_http_ssl_module.html#example| +example]], +which includes some optimizations. 
+The following template is extended similarly, see also +[[https://github.com/search?q=repo%3Aopenwrt%2Fpackages ++include+${LAN_SSL_LISTEN}+extension%3Aconf&type=Code| +other packages providing SSL server parts]]: + +server { + listen 443 ssl; + listen [::]:443 ssl; + include '${LAN_SSL_LISTEN}'; + server_name ${EXAMPLE_COM}; + ssl_certificate '${CONF_DIR}${EXAMPLE_COM}.crt'; + ssl_certificate_key '${CONF_DIR}${EXAMPLE_COM}.key'; + ssl_session_cache ${SSL_SESSION_CACHE_ARG}; + ssl_session_timeout ${SSL_SESSION_TIMEOUT_ARG}; + # location / { … } # root location for this server. + include '${CONF_DIR}${EXAMPLE_COM}.locations'; +} + + +For creating a certificate (and its key) we can use Let’s Encrypt by installing +[[https://github.com/Neilpang/acme.sh|ACME Shell Script]]: +opkg update && opkg install acme # and for LuCI: luci-app-acme + +For the LAN server in the ''${LAN_NAME}.conf'' file, the init script +''/etc/init.d/nginx'' script installs automatically a self-signed certificate. +We can use this mechanism also for other sites by issuing, e.g.: +$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} ${EXAMPLE_COM} + - It adds SSL directives to the server part of \ + ''${CONF_DIR}${EXAMPLE_COM}.conf'' like in the example above. + - Then, it checks if there is a certificate and key for the given domain name\ + that is valid for at least 13 months or tries to create a self-signed one. + - When cron is activated, it installs a cron job for renewing the self-signed\ + certificate every year if needed, too. We can activate cron by: \ + service cron enable && service cron start + +Beside the ''${LAN_NAME}.conf'' file, the +[[#openwrt_s_defaults|OpenWrt’s Defaults]] include also the +''_redirect2ssl.conf'' file containing a server part that redirects all HTTP +request for inexistent URIs to HTTPS. 
+ + + +==== OpenWrt’s Defaults ====${MSG} + + +The default main configuration file is: +$(code ${NGINX_CONF}) + +We can pretend the main configuration contains also the following presets, +since Nginx is configured with them: +$(ifConfEcho --pid-path pid)\ +$(ifConfEcho --lock-path lock_file)\ +$(ifConfEcho --error-log-path error_log)\ +$(false && ifConfEcho --http-log-path access_log)\ +$(ifConfEcho --http-proxy-temp-path proxy_temp_path)\ +$(ifConfEcho --http-client-body-temp-path client_body_temp_path)\ +$(ifConfEcho --http-fastcgi-temp-path fastcgi_temp_path)\ + + +So, the access log is turned off by default and we can look at the error log +by ''logread'', as Nginx’s init file forwards stderr and stdout to the +[[docs:guide-user:base-system:log.essentials|logd]]. +We can set the //error_log// and //access_log// to files where the log +messages are forwarded to instead (after the configuration is read). +And for redirecting the access log of a //server// or //location// to the logd, +too, we insert the following directive in the corresponding block: + + access_log /proc/self/fd/1 openwrt; + + +At the end, the main configuration pulls in all ''.conf'' files from the +directory ''${CONF_DIR}'' into the http block, especially the following +server part for the LAN: +$(code ${CONF_DIR}${LAN_NAME}.conf) + +It pulls in all ''.locations'' files from the directory ''${CONF_DIR}''. +We can install the location parts of different sites there (see above in the +[[#basic|Basic Configuration]]) and re-include them in server parts of other +''${CONF_DIR}*.conf'' files. +This is needed especially for making them available to the WAN as described +above in the section [[#new_server_parts|New Server Parts]]. 
+All ''.locations'' become available on the LAN through the file +''$(basename ${LAN_LISTEN}).default'', which contains one of the following +directives for every local IP address: + + listen IPv4:80 default_server; + listen [IPv6]:80 default_server; + +The ''${LAN_LISTEN}'' file contains the same directives without the +parameter ''default_server''. +We can include this file in other server parts that should be reachable in the +LAN through their //server_name//. +Both files ''${LAN_LISTEN}{,.default}'' are (re-)created if Nginx starts +through its init for OpenWrt or the LAN interface changes. + +=== Additional Defaults for OpenWrt if Nginx is installed with SSL support === + +When Nginx is installed with SSL support, there will be automatically managed +files ''$(basename ${LAN_SSL_LISTEN}).default'' and +''$(basename ${LAN_SSL_LISTEN})'' in the directory +''$(dirname ${LAN_SSL_LISTEN})/'' containing the following directives for all +IPv4 and IPv6 addresses of the LAN: + + listen IP:443 ssl; # with respectively without: default_server + +Both files as well as the ''${LAN_LISTEN}{,.default}'' files are (re-)created +if Nginx starts through its init for OpenWrt or the LAN interface changes. + +For Nginx with SSL there is also the following server part that redirects +requests for an inexistent ''server_name'' from HTTP to HTTPS (using an invalid +name, more in the official documentation on +[[https://nginx.org/en/docs/http/request_processing.html|request_processing]]): +$(code ${CONF_DIR}_redirect2ssl.conf) + +Nginx’s init file for OpenWrt installs automatically a self-signed certificate +for the LAN server part if needed and possible: + - Everytime Nginx starts, we check if the LAN is set up for SSL. 
+ - We add //ssl*// directives (like in the example of the previous section \ + [[#ssl_server_parts|SSL Server Parts]]) to the configuration file \ + ''${CONF_DIR}${LAN_NAME}.conf'' if needed and if it looks “normal”, i.e., \ + it has a ''server_name ${LAN_NAME};'' part. + - If there is no corresponding certificate that is valid for more than 13 \ + months at ''${CONF_DIR}${LAN_NAME}.{crt,key}'', we create a self-signed one. + - We activate SSL by including the ssl listen directives from \ + ''${LAN_SSL_LISTEN}.default'' and it becomes available by the default \ + redirect from ''listen *:80;'' in ''${CONF_DIR}_redirect2ssl.conf'' + - If cron is available, i.e., its status is not ''inactive'', we use it \ + to check the certificate for validity once a year and renew it if there \ + are only about 13 months of the more than 3 years life time left. + +The points 2, 3 and 5 can be used for other domains, too: +As described in the section [[#new_server_parts|New Server Parts]] above, we +create a server part in ''${CONF_DIR}www.example.com.conf'' with +a corresponding ''server_name www.example.com;'' directive and call +$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} www.example.com +EOF diff --git a/net/nginx/files/_lan.conf b/net/nginx/files/_lan.conf new file mode 100644 index 000000000..d44871f3c --- /dev/null +++ b/net/nginx/files/_lan.conf @@ -0,0 +1,8 @@ +# default_server for the LAN addresses getting the IPs by: +# ifstatus lan | jsonfilter -e '@["ipv4-address","ipv6-address"].*.address' +server { + include '/var/lib/nginx/lan.listen.default'; + server_name _lan; + # access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout). + include conf.d/*.locations; +} diff --git a/net/nginx/files/_redirect2ssl.conf b/net/nginx/files/_redirect2ssl.conf new file mode 100644 index 000000000..cfae48707 --- /dev/null +++ b/net/nginx/files/_redirect2ssl.conf 
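Review bot: `include '/var/lib/nginx/lan.listen.default';` names a file that does not exist on a fresh install: the init script's `${NGINX_UTIL} init_lan` creates it before the server starts and, if LAN_LISTEN from `get_env` is that path, `stop_service` removes it again, so a plain `nginx -t` or a manual `nginx -c /etc/nginx/nginx.conf` outside the init flow fails on a missing include. A comment next to the include, e.g. `# generated by 'nginx-util init_lan' from /etc/init.d/nginx; absent while the service is stopped`, would document that dependency. The same applies to the `lan.listen` include in `_redirect2ssl.conf`.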
@@ -0,0 +1,8 @@
+# acts as default server if there is no other.
+server {
+ listen 80;
+ listen [::]:80;
+ include '/var/lib/nginx/lan.listen';
+ server_name _redirect2ssl;
+ return 302 https://$host$request_uri;
+}
diff --git a/net/nginx/files/nginx.conf b/net/nginx/files/nginx.conf
new file mode 100644
index 000000000..8f8c8b194
--- /dev/null
+++ b/net/nginx/files/nginx.conf
@@ -0,0 +1,28 @@
+# Please consider creating files in /etc/nginx/conf.d/ instead of editing this.
+# For details see https://openwrt.org/docs/guide-user/services/webserver/nginx
+
+user root;
+
+events {}
+
+http {
+ access_log off;
+ log_format openwrt
+ '$request_method $scheme://$host$request_uri => $status'
+ ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';
+
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+
+ client_max_body_size 17M;
+ large_client_header_buffers 2 1k;
+
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+
+ root /www;
+
+ include conf.d/*.conf;
+}
diff --git a/net/nginx/files/nginx.init b/net/nginx/files/nginx.init
index 40d389719..57142950b 100644
--- a/net/nginx/files/nginx.init
+++ b/net/nginx/files/nginx.init
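Review bot: `return 302 https://$host$request_uri;` in a catch-all server (`server_name _redirect2ssl` is not a real name) builds the redirect target from the client-supplied Host header, so the response points to whatever name the request claimed to be for. For the intended LAN use that is the common HTTP-to-HTTPS idiom and the target is only ever the name the client already used, but a comment saying exactly that would pre-empt the usual review question. The removed luci_nginx_ssl.conf issued a `301` for the same redirect; the switch to a temporary `302` deserves a word in the same comment so nobody "fixes" it back.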
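Review bot: `user root;` makes every nginx worker, and so every request handler reachable from the LAN (and from the WAN once a `.conf` server part is added), run as root, whereas upstream's default is an unprivileged user. The removed luci_nginx*.conf files carried the same line, so this is inherited rather than new, but it now becomes the shipped default for all variants; a comment stating why root is required (presumably the uwsgi/ubus integration — I cannot tell from the diff) would help, and if a less privileged account works, `user nobody;` or a dedicated user is the safer default. `large_client_header_buffers 2 1k;` is likewise inherited and makes nginx reject any request whose cookie or Referer line exceeds 1 KiB, which is worth a one-line comment marking it as a deliberate memory trade-off for small routers.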
@@ -5,13 +5,55 @@ START=80 USE_PROCD=1 +NGINX_UTIL="/usr/bin/nginx-util" + +eval $("${NGINX_UTIL}" get_env) + start_service() { [ -d /var/log/nginx ] || mkdir -p /var/log/nginx [ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx + ${NGINX_UTIL} init_lan + procd_open_instance - procd_set_param command /usr/sbin/nginx -c /etc/nginx/nginx.conf -g 'daemon off;' - procd_set_param file /etc/nginx/nginx.conf + NCPUS="$(grep -c '^processor\s*:' /proc/cpuinfo)" + procd_set_param command /usr/sbin/nginx -c "${NGINX_CONF}" \ + -g "daemon off; worker_processes $NCPUS;" + procd_set_param stdout 1 + procd_set_param stderr 1 + procd_set_param file "${LAN_LISTEN}" "${LAN_LISTEN}.default" \ + "${NGINX_CONF}" "${CONF_DIR}*.conf" "${CONF_DIR}*.locations" + [ "${LAN_SSL_LISTEN}" == "" ] \ + || procd_append_param file "${CONF_DIR}*.crt" "${CONF_DIR}*.key" \ + "${LAN_SSL_LISTEN}" "${LAN_SSL_LISTEN}.default" procd_set_param respawn procd_close_instance } + +stop_service() { + rm -f "${LAN_LISTEN}" "${LAN_LISTEN}.default" + [ "${LAN_SSL_LISTEN}" == "" ] \ + || rm -f "${LAN_SSL_LISTEN}" "${LAN_SSL_LISTEN}.default" +} + +service_triggers() { + procd_add_reload_interface_trigger loopback + procd_add_reload_interface_trigger lan +} + +reload_service() { + [ -d /var/log/nginx ] || mkdir -p /var/log/nginx + [ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx + + ${NGINX_UTIL} init_lan + + procd_send_signal nginx +} + +relog() { + [ -d /var/log/nginx ] || mkdir -p /var/log/nginx + procd_send_signal nginx '*' USR1 +} + +EXTRA_COMMANDS="relog" +EXTRA_HELP=" relog Reopen log files (without reloading)"
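Review bot: `worker_processes $NCPUS` takes its value from `grep -c '^processor\s*:' /proc/cpuinfo`; on a kernel or architecture whose cpuinfo has no `processor` lines the count is 0, nginx rejects the configuration and the service never comes up. nginx 1.17.7 accepts `worker_processes auto;`, which sizes the pool from the available CPUs without parsing cpuinfo: drop the `NCPUS=` line and use `-g "daemon off; worker_processes auto;"`. The `[ "${LAN_SSL_LISTEN}" == "" ]` tests in start_service and stop_service use the non-POSIX `==`; `[ -z "${LAN_SSL_LISTEN}" ]` is portable. I am also not sure procd expands the quoted `"${CONF_DIR}*.conf"` and `*.locations` patterns passed to `procd_set_param file`; if it does not, edits under conf.d never trigger a restart on reload, which is worth verifying or noting in a comment.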