From 5cffe853e694d7eea60cad00c9033d1ad69c0eb5 Mon Sep 17 00:00:00 2001 From: Peter Stadler Date: Thu, 23 Jul 2020 15:30:45 +0200 Subject: [PATCH] nginx: use UCI configuration provided by nginx-util * update to version 1.19.6 * remove default configuration files and documentation as they are in the package `nginx-util`. * do not install a `/etc/nginx/nginx.conf` file. * use the dynamic `/etc/nginx/uci.conf` if the symlink (to `/var/lib/nginx/uci.conf`) is not dead after calling `nginx-util init_lan` (else try `/etc/nginx/nginx.conf`) * replace nginx package by a dummy depending on `nginx-ssl`; the dummies will be removed after a transition period. Signed-off-by: Peter Stadler --- net/nginx/Makefile | 43 ++-- net/nginx/files/README.sh | 302 ----------------------------- net/nginx/files/_lan.conf | 12 -- net/nginx/files/_redirect2ssl.conf | 7 - net/nginx/files/nginx.conf | 30 --- net/nginx/files/nginx.init | 18 +- 6 files changed, 34 insertions(+), 378 deletions(-) delete mode 100755 net/nginx/files/README.sh delete mode 100644 net/nginx/files/_lan.conf delete mode 100644 net/nginx/files/_redirect2ssl.conf delete mode 100644 net/nginx/files/nginx.conf diff --git a/net/nginx/Makefile b/net/nginx/Makefile index c15b7bdc5..37da27e15 100644 --- a/net/nginx/Makefile +++ b/net/nginx/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nginx -PKG_VERSION:=1.19.4 +PKG_VERSION:=1.19.6 PKG_RELEASE:=1 PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://nginx.org/download/ -PKG_HASH:=61df546927905a0d624f9396bb7a8bc7ca7fd26522ce9714d56a78b73284000e +PKG_HASH:=b11195a02b1d3285ddf2987e02c6b6d28df41bb1b1dd25f33542848ef4fc33b5 PKG_MAINTAINER:=Thomas Heil \ Ansuel Smith @@ -82,7 +82,8 @@ define Package/nginx/default TITLE:=Nginx web server URL:=http://nginx.org/ DEPENDS:=+libopenssl +libpthread - PROVIDES:=nginx + # TODO: add PROVIDES when removing nginx + # PROVIDES:=nginx endef define Package/nginx/description @@ -96,8 +97,9 @@ define Package/nginx-ssl VARIANT:=ssl DEPENDS+= +NGINX_PCRE:libpcre \ +NGINX_PCRE:nginx-ssl-util +!NGINX_PCRE:nginx-ssl-util-nopcre \ - +NGINX_HTTP_GZIP:zlib +NGINX_LUA:liblua +libpthread +NGINX_DAV:libxml2 \ + +NGINX_HTTP_GZIP:zlib +NGINX_LUA:liblua +NGINX_DAV:libxml2 \ +NGINX_UBUS:libubus +NGINX_UBUS:libblobmsg-json +NGINX_UBUS:libjson-c + EXTRA_DEPENDS:=nginx-ssl-util$(if $(CONFIG_NGINX_PCRE),,-nopcre) (>=1.5-1) (<2) CONFLICTS:=nginx-all-module endef @@ -110,6 +112,7 @@ define Package/nginx-all-module TITLE += with ALL module selected DEPENDS+=+libpcre +nginx-ssl-util +zlib +liblua +libxml2 +libubus \ +libblobmsg-json +libjson-c + EXTRA_DEPENDS:=nginx-ssl-util (>=1.5-1) (<2) VARIANT:=all-module PROVIDES += nginx-ssl endef @@ -357,8 +360,6 @@ define Package/nginx-ssl/install $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/nginx $(1)/usr/sbin/ $(INSTALL_DIR) $(1)/etc/nginx/conf.d $(INSTALL_DATA) $(addprefix $(PKG_INSTALL_DIR)/etc/nginx/,$(config_files)) $(1)/etc/nginx/ - $(INSTALL_CONF) ./files/nginx.conf $(1)/etc/nginx/ - $(INSTALL_CONF) ./files/_lan.conf $(1)/etc/nginx/conf.d/ $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/nginx.init $(1)/etc/init.d/nginx ifeq ($(CONFIG_NGINX_NAXSI),y) @@ -368,10 +369,6 @@ ifeq ($(CONFIG_NGINX_NAXSI),y) endif $(if $(CONFIG_NGINX_NAXSI),$($(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx)) $(if $(CONFIG_NGINX_NAXSI),$(chmod 0640 $(1)/etc/nginx/naxsi_core.rules)) - $(INSTALL_CONF) ./files/_redirect2ssl.conf $(1)/etc/nginx/conf.d/ -ifneq ($(CONFIG_IPV6),y) - $(SED) '/listen\s*\[/d' $(1)/etc/nginx/conf.d/*.conf # without IPv6 [::] -endif endef Package/nginx-all-module/install = $(Package/nginx-ssl/install) @@ -381,8 +378,9 @@ define Package/nginx-ssl/prerm [ -z "$${IPKG_INSTROOT}" ] || exit 0 [ "$${PKG_UPGRADE}" = "1" ] && exit 0 eval $$(/usr/bin/nginx-util get_env) -rm -f "$${CONF_DIR}$${LAN_NAME}.crt" -rm -f "$${CONF_DIR}$${LAN_NAME}.key" +[ "$$(uci get "nginx.$${LAN_NAME}.$${MANAGE_SSL}")" = "self-signed" ] || exit 0 +rm -f "$$(uci get "nginx.$${LAN_NAME}.ssl_certificate")" +rm -f "$$(uci get "nginx.$${LAN_NAME}.ssl_certificate_key")" exit 0 endef @@ -545,18 +543,25 @@ ifeq ($(CONFIG_NGINX_UBUS),y) endef endif +$(eval $(call BuildPackage,nginx-ssl)) +$(eval $(call BuildPackage,nginx-all-module)) +$(eval $(call BuildPackage,nginx-mod-luci)) + # TODO: remove after a transition period (together with pkg nginx-util): # It is for smoothly substituting nginx and nginx-mod-luci-ssl (by nginx-ssl # respectively nginx-mod-luci). Add above commented PROVIDES when removing. -Package/nginx = $(Package/nginx-ssl) -Package/nginx/install = $(Package/nginx-ssl/install) -Package/nginx/prerm = $(Package/nginx-ssl/prerm) -$(eval $(call BuildPackage,nginx)) +define Package/nginx + TITLE:=Dummy package for transition when upgrading. + DEPENDS:=+nginx-ssl + PKGARCH:=all +endef -$(eval $(call BuildPackage,nginx-ssl)) -$(eval $(call BuildPackage,nginx-all-module)) -$(eval $(call BuildPackage,nginx-mod-luci)) +define Package/nginx/install + $(INSTALL_DIR) $(1)/usr/bin +endef + +$(eval $(call BuildPackage,nginx)) define Package/nginx-mod-luci-ssl TITLE:=Dummy package for transition when upgrading. diff --git a/net/nginx/files/README.sh b/net/nginx/files/README.sh deleted file mode 100755 index 2fde1f9ab..000000000 --- a/net/nginx/files/README.sh +++ /dev/null @@ -1,302 +0,0 @@ -#!/bin/sh -# This is a template copy it by: ./README.sh | xclip -selection c -# to https://openwrt.org/docs/guide-user/services/webserver/nginx#configuration - -NGINX_UTIL="/usr/bin/nginx-util" - -EXAMPLE_COM="example.com" - -MSG=" -/* Created by the following bash script that includes the source of some files: - * https://github.com/openwrt/packages/net/nginx/files/README.sh - */" - -eval $("${NGINX_UTIL}" get_env) - -code() { printf "\n%s" "$1" "$(cat "$(basename $1)")"; } - -ifConfEcho() { sed -nE "s/^\s*$1=\s*(\S*)\s*\\\\$/\n$2 \"\1\";/p" ../Makefile;} - -cat <$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} ${EXAMPLE_COM} - - - -==== Basic ====${MSG} - - -We modify the configuration by creating different configuration files in the -''${CONF_DIR}'' directory. -The configuration files use the file extensions ''.locations'' and -''.conf'' plus ''.crt'' and ''.key'' for SSL certificates and keys. -We can disable single configuration parts by giving them another extension, -e.g., by adding ''.disabled''. -For the new configuration to take effect, we must reload it by: -service nginx reload - -For OpenWrt we use a special initial configuration, which is explained below in -the section [[#openwrt_s_defaults|OpenWrt’s Defaults]]. -So, we can make a site available at a specific URL in the **LAN** by creating a -''.locations'' file in the directory ''${CONF_DIR}''. -Such a file consists just of some -[[https://nginx.org/en/docs/http/ngx_http_core_module.html#location| -location blocks]]. -Under the latter link, you can find also the official documentation for all -available directives of the HTTP core of Nginx. -Look for //location// in the Context list. - -The following example provides a simple template, see at the end for -different [[#locations_for_apps|Locations for Apps]] and look for -[[https://github.com/search?utf8=%E2%9C%93&q=repo%3Aopenwrt%2Fpackages -+extension%3Alocations&type=Code&ref=advsearch&l=&l=| -other packages using a .locations file]], too: - -location /ex/am/ple { - access_log off; # default: not logging accesses. - # access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout). - # error_log stderr; # default: logging to logd (init forwards stderr). - error_log /dev/null; # disable error logging after config file is read. - # (state path of a file for access_log/error_log to the file instead.) - index index.html; -} -# location /eg/static { … } - - -All location blocks in all ''.locations'' files must use different URLs, -since they are all included in the ''${LAN_NAME}.conf'' that is part of the -[[#openwrt_s_defaults|OpenWrt’s Defaults]]. -We reserve the ''location /'' for making LuCI available under the root URL, -e.g. [[https://192.168.1.1/|192.168.1.1/]]. -All other sites shouldn’t use the root ''location /'' without suffix. -We can make other sites available on the root URL of other domain names, e.g. -on www.example.com/. -In order to do that, we create a ''.conf'' file for every domain name: -see the next section [[#new_server_parts|New Server Parts]]. -We can also activate SSL there, as described below in the section -[[#ssl_server_parts|SSL Server Parts]]. -We use such server parts also for publishing sites to the internet (WAN) -instead of making them available just in the LAN. - -Via ''.conf'' files we can also add directives to the //http// part of the -configuration. The difference to editing the main ''${NGINX_CONF}'' -file instead is the following: If the package’s ''nginx.conf'' file is updated -it will only be installed if the old file has not been changed. - - - -==== New Server Parts ====${MSG} - - -For making the router reachable from the WAN at a registered domain name, -it is not enough to give the name server the internet IP address of the router -(maybe updated automatically by a -[[docs:guide-user:services:ddns:client|DDNS Client]]). -We also need to set up virtual hosting for this domain name by creating an -appropriate server part in a ''${CONF_DIR}*.conf'' file. -All such files are included at the start of Nginx by the default main -configuration of OpenWrt ''${NGINX_CONF}'' as depicted in -[[#openwrt_s_defaults|OpenWrt’s Defaults]]. - -In the server part, we state the domain as -[[https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name| -server_name]]. -The link points to the same document as for the location blocks in the -[[#basic|Basic Configuration]]: the official documentation for all available -directives of the HTTP core of Nginx. -This time look for //server// in the Context list, too. -The server part should also contain similar location blocks as before. -We can re-include a ''.locations'' file that is included in the server part for -the LAN by default. -Then the site is reachable under the same path at both domains, e.g., by -http://192.168.1.1/ex/am/ple as well as by http://example.com/ex/am/ple. - -The following example is a simple template: - -server { - listen 80; - listen [::]:80; - server_name ${EXAMPLE_COM}; - # location / { … } # root location for this server. - include '${CONF_DIR}${EXAMPLE_COM}.locations'; -} - - - - -==== SSL Server Parts ====${MSG} - - -We can enable HTTPS for a domain if Nginx is installed with SSL support. -We need a SSL certificate as well as its key and add them by the directives -//ssl_certificate// respective //ssl_certificate_key// to the server part of the -domain. -The rest of the configuration is similar as described in the previous section -[[#new_server_parts|New Server Parts]], -we only have to adjust the listen directives by adding the //ssl// parameter, -see the official documentation for -[[https://nginx.org/en/docs/http/configuring_https_servers.html| -configuring HTTPS servers]], too. - -The [[#openwrt_s_defaults|OpenWrt’s Defaults]] include a ''${LAN_NAME}.conf'' -file containing a server part that listens on the LAN address(es) and acts as -//default_server// with ssl on port 443. -For making the domain name accessible in the LAN, too, the corresponding -server part must listen **explicitly** on the local IP address(es), cf. the -official documentation on -[[https://nginx.org/en/docs/http/request_processing.html|request_processing]]. -We can include the file ''${LAN_SSL_LISTEN}'' that contains the listen -directives with ssl parameter for all LAN addresses on the HTTP port 443 and is -updated automatically. - -The official documentation of the SSL module contains an -[[https://nginx.org/en/docs/http/ngx_http_ssl_module.html#example| -example]], -which includes some optimizations. -The following template is extended similarly: - -server { - listen 443 ssl; - listen [::]:443 ssl; - include '${LAN_SSL_LISTEN}'; - server_name ${EXAMPLE_COM}; - ssl_certificate '${CONF_DIR}${EXAMPLE_COM}.crt'; - ssl_certificate_key '${CONF_DIR}${EXAMPLE_COM}.key'; - ssl_session_cache ${SSL_SESSION_CACHE_ARG}; - ssl_session_timeout ${SSL_SESSION_TIMEOUT_ARG}; - # location / { … } # root location for this server. - include '${CONF_DIR}${EXAMPLE_COM}.locations'; -} - - -For creating a certificate (and its key) we can use Let’s Encrypt by installing -[[https://github.com/Neilpang/acme.sh|ACME Shell Script]]: -opkg update && opkg install acme # and for LuCI: luci-app-acme - -For the LAN server in the ''${LAN_NAME}.conf'' file, the init script -''/etc/init.d/nginx'' script installs automatically a self-signed certificate. -We can use this mechanism also for other sites by issuing, e.g.: -$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} ${EXAMPLE_COM} - - It adds SSL directives to the server part of \ - ''${CONF_DIR}${EXAMPLE_COM}.conf'' like in the example above. - - Then, it checks if there is a certificate and key for the given domain name\ - that is valid for at least 13 months or tries to create a self-signed one. - - When cron is activated, it installs a cron job for renewing the self-signed\ - certificate every year if needed, too. We can activate cron by: \ - service cron enable && service cron start - -Beside the ''${LAN_NAME}.conf'' file, the -[[#openwrt_s_defaults|OpenWrt’s Defaults]] include also the -''_redirect2ssl.conf'' file containing a server part that redirects all HTTP -request for inexistent URIs to HTTPS. - - - -==== OpenWrt’s Defaults ====${MSG} - - -The default main configuration file is: -$(code ${NGINX_CONF}) - -We can pretend the main configuration contains also the following presets, -since Nginx is configured with them: -$(ifConfEcho --pid-path pid)\ -$(ifConfEcho --lock-path lock_file)\ -$(ifConfEcho --error-log-path error_log)\ -$(false && ifConfEcho --http-log-path access_log)\ -$(ifConfEcho --http-proxy-temp-path proxy_temp_path)\ -$(ifConfEcho --http-client-body-temp-path client_body_temp_path)\ -$(ifConfEcho --http-fastcgi-temp-path fastcgi_temp_path)\ - - -So, the access log is turned off by default and we can look at the error log -by ''logread'', as Nginx’s init file forwards stderr and stdout to the -[[docs:guide-user:base-system:log.essentials|logd]]. -We can set the //error_log// and //access_log// to files where the log -messages are forwarded to instead (after the configuration is read). -And for redirecting the access log of a //server// or //location// to the logd, -too, we insert the following directive in the corresponding block: - - access_log /proc/self/fd/1 openwrt; - - -At the end, the main configuration pulls in all ''.conf'' files from the -directory ''${CONF_DIR}'' into the http block, especially the following -server part for the LAN: -$(code ${CONF_DIR}${LAN_NAME}.conf) - -It pulls in all ''.locations'' files from the directory ''${CONF_DIR}''. -We can install the location parts of different sites there (see above in the -[[#basic|Basic Configuration]]) and re-include them in server parts of other -''${CONF_DIR}*.conf'' files. -This is needed especially for making them available to the WAN as described -above in the section [[#new_server_parts|New Server Parts]]. -All ''.locations'' become available on the LAN through the file -''$(basename ${LAN_SSL_LISTEN}).default'', which contains one of the following -directives for every local IP address: - - listen IPv4:443 ssl default_server; - listen [IPv6]:443 ssl default_server; - -The ''${LAN_SSL_LISTEN}'' file contains the same directives without the -parameter ''default_server''. -We can include this file in other server parts that should be reachable in the -LAN through their //server_name//. -Both files ''${LAN_SSL_LISTEN}{,.default}'' are (re-)created if Nginx starts -through its init for OpenWrt or the LAN interface changes. - -There is also the following server part that redirects requests for an -inexistent ''server_name'' from HTTP to HTTPS (using an invalid name, more in -the official documentation on -[[https://nginx.org/en/docs/http/request_processing.html|request_processing]]): -$(code ${CONF_DIR}_redirect2ssl.conf) - -Nginx’s init file for OpenWrt installs automatically a self-signed certificate -for the LAN server part if needed and possible: - - Everytime Nginx starts, we check if the LAN is set up for SSL. - - We add //ssl*// directives (like in the example of the previous section \ - [[#ssl_server_parts|SSL Server Parts]]) to the configuration file \ - ''${CONF_DIR}${LAN_NAME}.conf'' if needed and if it looks “normal”, i.e., \ - it has a ''server_name ${LAN_NAME};'' part. - - If there is no corresponding certificate that is valid for more than 13 \ - months at ''${CONF_DIR}${LAN_NAME}.{crt,key}'', we create a self-signed one. - - We activate SSL by including the ssl listen directives from \ - ''${LAN_SSL_LISTEN}.default'' and it becomes available by the default \ - redirect from ''listen *:80;'' in ''${CONF_DIR}_redirect2ssl.conf'' - - If cron is available, i.e., its status is not ''inactive'', we use it \ - to check the certificate for validity once a year and renew it if there \ - are only about 13 months of the more than 3 years life time left. - -The points 2, 3 and 5 can be used for other domains, too: -As described in the section [[#new_server_parts|New Server Parts]] above, we -create a server part in ''${CONF_DIR}www.example.com.conf'' with -a corresponding ''server_name www.example.com;'' directive and call -$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} www.example.com -EOF diff --git a/net/nginx/files/_lan.conf b/net/nginx/files/_lan.conf deleted file mode 100644 index 2aec00151..000000000 --- a/net/nginx/files/_lan.conf +++ /dev/null @@ -1,12 +0,0 @@ -# default_server for the LAN addresses getting the IPs by: -# ifstatus lan | jsonfilter -e '@["ipv4-address","ipv6-address"].*.address' -server { - server_name _lan; - include '/var/lib/nginx/lan_ssl.listen.default'; - ssl_certificate '/etc/nginx/conf.d/_lan.crt'; - ssl_certificate_key '/etc/nginx/conf.d/_lan.key'; - ssl_session_cache 'shared:SSL:32k'; - ssl_session_timeout '64m'; - # access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout). - include conf.d/*.locations; -} diff --git a/net/nginx/files/_redirect2ssl.conf b/net/nginx/files/_redirect2ssl.conf deleted file mode 100644 index 1877f0287..000000000 --- a/net/nginx/files/_redirect2ssl.conf +++ /dev/null @@ -1,7 +0,0 @@ -# acts as default server if there is no other. -server { - listen 80; - listen [::]:80; - server_name _redirect2ssl; - return 302 https://$host$request_uri; -} diff --git a/net/nginx/files/nginx.conf b/net/nginx/files/nginx.conf deleted file mode 100644 index da1cbdf42..000000000 --- a/net/nginx/files/nginx.conf +++ /dev/null @@ -1,30 +0,0 @@ -# Please consider creating files in /etc/nginx/conf.d/ instead of editing this. -# For details see https://openwrt.org/docs/guide-user/services/webserver/nginx - -worker_processes auto; - -user root; - -events {} - -http { - access_log off; - log_format openwrt - '$request_method $scheme://$host$request_uri => $status' - ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer'; - - include mime.types; - default_type application/octet-stream; - sendfile on; - - client_max_body_size 128M; - large_client_header_buffers 2 1k; - - gzip on; - gzip_vary on; - gzip_proxied any; - - root /www; - - include conf.d/*.conf; -} diff --git a/net/nginx/files/nginx.init b/net/nginx/files/nginx.init index bedde754a..300a8c657 100644 --- a/net/nginx/files/nginx.init +++ b/net/nginx/files/nginx.init @@ -20,9 +20,13 @@ nginx_init() { [ -d /var/log/nginx ] || mkdir -p /var/log/nginx [ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx + rm -f "$(readlink "${UCI_CONF}")" ${NGINX_UTIL} init_lan - CONF="${NGINX_CONF}" + if [ -e "${UCI_CONF}" ] + then CONF="${UCI_CONF}" + else CONF="${NGINX_CONF}" + fi local message message="$(/usr/sbin/nginx -t -c "${CONF}" -g "${G_OPTS}" 2>&1)" || @@ -51,16 +55,14 @@ start_service() { } -service_triggers() { - procd_add_reload_interface_trigger loopback - procd_add_reload_interface_trigger lan -} - - reload_service() { nginx_init - procd_send_signal nginx + if [ "$(cat "/proc/$(cat "/var/run/nginx.pid")/cmdline")" = \ + "nginx: master process /usr/sbin/nginx -c ${CONF} -g ${G_OPTS}" ] + then procd_send_signal nginx + else restart + fi }