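# Maintainer: Jakub Jirutka
# Contributor: Jeff Bilyk
# Contributor: Bartłomiej Piotrowski
# Contributor: Jakub Jirutka
#
# secfixes:
#   1.16.1-r6:
#     - CVE-2019-20372
#   1.16.1-r0:
#     - CVE-2019-9511
#     - CVE-2019-9513
#     - CVE-2019-9516
#   1.14.1-r0:
#     - CVE-2018-16843
#     - CVE-2018-16844
#     - CVE-2018-16845
#   1.12.1-r0:
#     - CVE-2017-7529
#
pkgname=nginx
# NOTE: Upgrade only to even-numbered versions (e.g. 1.14.z, 1.16.z)!
# Odd-numbered versions are mainline (development) versions.
pkgver=1.18.0
pkgrel=2
# Revision of nginx-tests to use for check().
_tests_hgrev=c1d167a13c24
_njs_ver=0.3.8
pkgdesc="HTTP and reverse proxy server (stable version)"
url="https://www.nginx.org/"
arch="all"
license="BSD-2-Clause"
depends=""
makedepends="
	brotli-dev
	gd-dev
	geoip-dev
	libmaxminddb-dev
	libxml2-dev
	libxslt-dev
	linux-headers
	luajit-dev
	openssl-dev
	paxmark
	pcre-dev
	perl-dev
	pkgconf
	zlib-dev
	"
checkdepends="
	gd
	perl
	perl-fcgi
	perl-io-socket-ssl
	perl-net-ssleay
	perl-protocol-websocket
	tzdata
	uwsgi-python3
	"
# NOTE: $pkgusers is also passed verbatim to ./configure --user and to
# install -o below, so it must stay a single account name.
pkgusers="nginx"
_grp_ngx="nginx"
_grp_www="www-data"
pkggroups="$_grp_ngx $_grp_www"
install="$pkgname.pre-install $pkgname.pre-upgrade $pkgname.post-upgrade"
subpackages="$pkgname-debug $pkgname-doc $pkgname-openrc $pkgname-vim::noarch"
replaces="$pkgname-common $pkgname-initscripts $pkgname-lua $pkgname-rtmp"
# Every entry here (and every tarball appended by _add_module) needs a
# matching line in sha512sums at the end of this file; that checksum is the
# only integrity pin on the downloaded archives.
source="https://nginx.org/download/$pkgname-$pkgver.tar.gz
	$pkgname-tests-$_tests_hgrev.tar.gz::https://hg.nginx.org/nginx-tests/archive/$_tests_hgrev.tar.gz
	$pkgname-njs-$_njs_ver.tar.gz::https://hg.nginx.org/njs/archive/$_njs_ver.tar.gz
	nginx.conf
	default.conf
	$pkgname.logrotate
	$pkgname.initd
	$pkgname.confd
	"
builddir="$srcdir/$pkgname-$pkgver"

_modules_dir="usr/lib/$pkgname/modules"
_stream_js_depends="$pkgname-mod-stream"

# Built-in dynamic modules
for _mod in \
		http-geoip \
		http-image-filter \
		http-js \
		http-perl \
		http-xslt-filter \
		mail \
		stream \
		stream-geoip \
		stream-js
do
	subpackages="$subpackages $pkgname-mod-$_mod:_module"
done

# Third-party dynamic modules

# Registers a third-party dynamic module as a subpackage.
# For simplicity we assume that module is hosted on GitHub.
#
# Arguments:
#   $1 - module name; becomes the subpackage $pkgname-mod-<name>
#   $2 - upstream tag or version; a leading "v" is dropped for the local
#        directory and tarball name
#   $3 - repository URL; its last path component names the source directory
#   $4 - optional subdirectory inside the source tree that holds the module
# Globals written: _extra_flags, source, subpackages
#
# The tarball is GitHub's archive for the given tag, so what was reviewed is
# pinned only by the sha512sums entry; re-check it whenever a version changes.
_add_module() {
	local name="$1" ver="$2" url="$3" subdir="$4"
	local dirname=${url##*/}-${ver#v}

	# Don't add new flag and source if it's already there, i.e. two or more
	# modules share the same source (e.g. geoip2 that provides http-geoip2
	# and stream-geoip2).
	# $_extra_flags is deliberately unquoted: one flag per line for grep.
	if ! printf '%s\n' $_extra_flags | grep -qFw "$srcdir/$dirname"; then
		_extra_flags="$_extra_flags --add-dynamic-module=$srcdir/$dirname/$subdir"
		source="$source $dirname.tar.gz::$url/archive/$ver.tar.gz"
	fi
	subpackages="$subpackages $pkgname-mod-$name:_module"
}

_add_module "devel-kit" "v0.3.1" "https://github.com/simpl/ngx_devel_kit"
_devel_kit_so="ndk_http_module.so"

_add_module "http-brotli" "v1.0.0rc" "https://github.com/google/ngx_brotli"
_http_brotli_so="ngx_http_brotli_filter_module.so ngx_http_brotli_static_module.so"

_add_module "http-cache-purge" "2.5" "https://github.com/nginx-modules/ngx_cache_purge"

_add_module "http-dav-ext" "v3.0.0" "https://github.com/arut/nginx-dav-ext-module"

_add_module "http-echo" "v0.61" "https://github.com/openresty/echo-nginx-module"

_add_module "http-fancyindex" "v0.4.4" "https://github.com/aperezdc/ngx-fancyindex"

_add_module "http-headers-more" "v0.33" "https://github.com/openresty/headers-more-nginx-module"
_http_headers_more_so="ngx_http_headers_more_filter_module.so"

# luajit is required for lua-nginx-module since v0.10.14
_add_module "http-lua" "v0.10.15" "https://github.com/openresty/lua-nginx-module"
_http_lua_depends="$pkgname-mod-devel-kit"
_http_lua_provides="$pkgname-lua"  # for backward compatibility

_add_module "http-lua-upstream" "v0.07" "https://github.com/openresty/lua-upstream-nginx-module"
_http_lua_upstream_depends="$pkgname-mod-http-lua"

_add_module "http-nchan" "v1.2.7" "https://github.com/slact/nchan"
_http_nchan_so="ngx_nchan_module.so"

_add_module "http-shibboleth" "v2.0.1" "https://github.com/nginx-shib/nginx-http-shibboleth"

_add_module "http-redis2" "v0.15" "https://github.com/openresty/redis2-nginx-module"

_add_module "http-set-misc" "v0.32" "https://github.com/openresty/set-misc-nginx-module"
_http_set_misc_depends="$pkgname-mod-devel-kit"

_add_module "http-upload-progress" "v0.9.2" "https://github.com/masterzen/nginx-upload-progress-module"
_http_upload_progress_so="ngx_http_uploadprogress_module.so"

_add_module "http-upstream-fair" "0.1.3" "https://github.com/itoffshore/nginx-upstream-fair"

_add_module "rtmp" "v1.2.1" "https://github.com/arut/nginx-rtmp-module"
_rtmp_provides="$pkgname-rtmp"  # for backward compatibility

_add_module "http-vod" "1.25" "https://github.com/kaltura/nginx-vod-module"

_add_module "http-geoip2" "3.3" "https://github.com/leev/ngx_http_geoip2_module"

_add_module "stream-geoip2" "3.3" "https://github.com/leev/ngx_http_geoip2_module"
_stream_geoip2_depends="$pkgname-mod-stream"

_add_module "http-naxsi" "0.56" "https://github.com/nbs-system/naxsi" "naxsi_src"

# Applies every *.patch listed in $source and drops tests that cannot run in
# the build environment.
# A patch named "<prefix>~<anything>.patch" is applied inside the unpacked
# directory "$srcdir/<prefix>-*" (i.e. a bundled module); any other patch is
# applied to nginx itself in $builddir.
prepare() {
	local file; for file in $source; do
		case $file in
		*~*.patch)
			msg "$file"
			# The glob is intentional: the directory carries a version suffix.
			cd "$srcdir"/${file%%~*}-*
			patch -p 1 -i "$srcdir/$file"
			;;
		*.patch)
			msg "$file"
			cd "$builddir"
			patch -p 1 -i "$srcdir/$file"
			;;
		esac
	done

	# This test requires superuser privileges and CAP_NET_ADMIN.
	rm "$srcdir"/nginx-tests-*/proxy_bind_transparent.t
	rm "$srcdir"/nginx-tests-*/proxy_bind_transparent_capability.t

	# Travis and Drone.io does not support IPv6...
	rm -f "$srcdir"/nginx-tests-*/upstream_ip_hash_ipv6.t
}

# Runs ./configure and make in the current directory.
# Any arguments are appended to the configure flags (build() uses this to
# pass --with-debug for the debug binary).
_build() {
	export LUAJIT_LIB="$(pkgconf --variable=libdir luajit)"
	export LUAJIT_INC="$(pkgconf --variable=includedir luajit)"

	# $_extra_flags is deliberately unquoted: it holds one
	# --add-dynamic-module flag per third-party source tree.
	./configure \
		--prefix=/var/lib/$pkgname \
		--sbin-path=/usr/sbin/$pkgname \
		--modules-path=/$_modules_dir \
		--conf-path=/etc/$pkgname/$pkgname.conf \
		--pid-path=/run/$pkgname/$pkgname.pid \
		--lock-path=/run/$pkgname/$pkgname.lock \
		--http-client-body-temp-path=/var/lib/$pkgname/tmp/client_body \
		--http-proxy-temp-path=/var/lib/$pkgname/tmp/proxy \
		--http-fastcgi-temp-path=/var/lib/$pkgname/tmp/fastcgi \
		--http-uwsgi-temp-path=/var/lib/$pkgname/tmp/uwsgi \
		--http-scgi-temp-path=/var/lib/$pkgname/tmp/scgi \
		--with-perl_modules_path=/usr/lib/perl5/vendor_perl \
		\
		--user=$pkgusers \
		--group=$_grp_ngx \
		--with-threads \
		--with-file-aio \
		\
		--with-http_ssl_module \
		--with-http_v2_module \
		--with-http_realip_module \
		--with-http_addition_module \
		--with-http_xslt_module=dynamic \
		--with-http_image_filter_module=dynamic \
		--with-http_geoip_module=dynamic \
		--with-http_sub_module \
		--with-http_dav_module \
		--with-http_flv_module \
		--with-http_mp4_module \
		--with-http_gunzip_module \
		--with-http_gzip_static_module \
		--with-http_auth_request_module \
		--with-http_random_index_module \
		--with-http_secure_link_module \
		--with-http_degradation_module \
		--with-http_slice_module \
		--with-http_stub_status_module \
		--with-http_perl_module=dynamic \
		--with-mail=dynamic \
		--with-mail_ssl_module \
		--with-stream=dynamic \
		--with-stream_ssl_module \
		--with-stream_realip_module \
		--with-stream_geoip_module=dynamic \
		--with-stream_ssl_preread_module \
		\
		--add-dynamic-module="$srcdir/njs-$_njs_ver/nginx" \
		$_extra_flags \
		"$@"
	make
}

# Builds nginx twice: first with --with-debug (kept aside in objs-debug for
# the -debug subpackage), then the regular binary in objs.
build() {
	cd "$builddir"

	_build --with-debug
	mv objs objs-debug

	make clean
	_build
}

# Runs the upstream nginx-tests suite against the freshly built binary.
check() {
	msg "Running nginx tests..."

	cd "$srcdir"/nginx-tests-*
	case "$CARCH" in
		mips*)
			# Sporadic failure on builder.
			rm ssl.t
			;;
	esac
	TEST_NGINX_BINARY="$builddir/objs/nginx" prove .
}

# Installs the main package into $pkgdir and lays out config, state and log
# directories.
package() {
	cd "$builddir"

	make DESTDIR="$pkgdir" install

	# Disable some PaX protections; this is needed for Lua module.
	# -m turns off MPROTECT; on x86, -s and -p additionally turn off SEGMEXEC
	# and PAGEEXEC. The marking is applied to the nginx binaries themselves,
	# so on PaX kernels it takes effect whether or not the Lua module is
	# installed or loaded.
	local paxflags="-m"
	[ "$CARCH" = "x86" ] && paxflags="-msp"
	paxmark $paxflags "$pkgdir"/usr/sbin/nginx
	paxmark $paxflags objs-debug/nginx

	install -Dm644 LICENSE "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
	install -Dm644 README "$pkgdir"/usr/share/doc/$pkgname/README
	install -Dm644 objs/$pkgname.8 "$pkgdir"/usr/share/man/man8/$pkgname.8

	local name; for name in ngx_devel_kit lua-nginx-module nginx-rtmp-module; do
		cp -r "$srcdir"/$name-*/doc* "$pkgdir"/usr/share/doc/$pkgname/$name
	done

	cd "$pkgdir"

	install -Dm644 "$srcdir"/nginx.conf ./etc/$pkgname/nginx.conf
	install -Dm644 "$srcdir"/default.conf ./etc/$pkgname/conf.d/default.conf
	install -Dm755 "$srcdir"/$pkgname.initd ./etc/init.d/$pkgname
	install -Dm644 "$srcdir"/$pkgname.confd ./etc/conf.d/$pkgname
	install -Dm644 "$srcdir"/$pkgname.logrotate ./etc/logrotate.d/$pkgname

	install -dm755 ./etc/$pkgname/modules
	# The state dir is not world-readable and tmp/ is owner-only: the
	# client_body/proxy/fastcgi/uwsgi/scgi temp paths configured in _build
	# all live under tmp/.
	install -dm750 -o $pkgusers -g $_grp_ngx ./var/lib/$pkgname
	install -dm700 -o $pkgusers -g $_grp_ngx ./var/lib/$pkgname/tmp
	install -dm755 -g $_grp_www ./var/www/localhost/htdocs
	install -dm755 ./var/log

	mv ./var/lib/$pkgname/logs ./var/log/$pkgname

	ln -sf /$_modules_dir ./var/lib/$pkgname/modules
	ln -sf /var/log/$pkgname ./var/lib/$pkgname/logs
	ln -sf /run/$pkgname ./var/lib/$pkgname/run

	# Remove archaic charset maps.
	rm ./etc/$pkgname/koi-* ./etc/$pkgname/win-utf

	rm -rf ./run ./etc/$pkgname/*.default
}

# http://nginx.org/en/docs/debugging_log.html
# Ships the --with-debug build as a separate, unstripped /usr/sbin/nginx-debug.
debug() {
	pkgdesc="nginx built with support for debugging log"
	depends="$pkgname=$pkgver-r$pkgrel"
	options="!strip"

	install -Dm755 "$builddir"/objs-debug/nginx "$subpkgdir"/usr/sbin/nginx-debug
}

# Packages the vim syntax files from contrib/.
vim() {
	pkgdesc="$pkgdesc (vim syntax)"
	install_if="vim $pkgname=$pkgver-r$pkgrel"
	depends=

	mkdir -p "$subpkgdir"/usr/share/vim
	cp -r "$builddir"/contrib/vim "$subpkgdir"/usr/share/vim/vimfiles
}

# Generic split function for every $pkgname-mod-<name> subpackage.
# Moves the module's shared objects out of $pkgdir and writes a
# modules/<name>.conf holding the matching load_module directives.
# Per-module overrides are read from the variables _<name>_so,
# _<name>_depends and _<name>_provides defined above (dashes in the module
# name become underscores).
_module() {
	local name="${subpkgname#$pkgname-mod-}"
	name="${name//-/_}"

	# $name is spliced into the eval calls below, so accept identifier
	# characters only; a malformed subpackage name must not reach eval.
	case "$name" in
		""|*[!A-Za-z0-9_]*)
			echo "invalid module name: $name" >&2
			return 1
			;;
	esac

	local sonames="$(eval "echo \$_${name}_so")"; sonames="${sonames:-"ngx_${name}_module.so"}"

	pkgdesc="$pkgdesc (module $name)"
	depends="$pkgname $(eval "echo \$_${name}_depends")"
	provides="$(eval "echo \$_${name}_provides")"

	mkdir -p "$subpkgdir"/$_modules_dir
	mkdir -p "$subpkgdir"/etc/nginx/modules
	cd "$subpkgdir"

	local soname; for soname in $sonames; do
		mv "$pkgdir"/$_modules_dir/$soname ./$_modules_dir/$soname
		echo "load_module \"modules/$soname\";" >> ./etc/nginx/modules/$name.conf
	done

	case "$name" in
		http_perl)
			mv "$pkgdir"/usr/lib/perl5 "$subpkgdir"/usr/lib/
			;;
		http_naxsi)
			install -m644 -D "$srcdir"/naxsi-*/naxsi_config/naxsi_core.rules \
				./etc/nginx/naxsi_core.rules
			;;
	esac
}

sha512sums="8c21eeb62ab6e32e436932500f700bd2fb99fd2d29e43c08a5bfed4714c189c29c7141db551fcd5d2437303b7439f71758f7407dfd3e801e704e45e7daa78ddb  nginx-1.18.0.tar.gz
34b112d0cad5b6aeca58a7cfccbbb7626f2ae295e76e39048a226e5c375bf0371175d3fec2b893634d94b52ce4ba37b8079ecfefb4d435da84b24688fe374384  nginx-tests-c1d167a13c24.tar.gz
e9e96c8e2daf9e6007d9b878eebae9f7f7ab7622edf81d9561688844379aae461fe2e30a103d5bdc0564330f804cd40e6654141933cd7f7ec292849653ebc560  nginx-njs-0.3.8.tar.gz
ac7e3153ab698b4cde077f0d5d7ac0a58897927eb36cf3b58cb01268ca0296f1d589c0a5b4f889b96b5b4a57bef05b17c59be59a9d7c4d7a3d3be58f101f7f41  nginx.conf
0907f69dc2d3dc1bad3a04fb6673f741f1a8be964e22b306ef9ae2f8e736e1f5733a8884bfe54f3553fff5132a0e5336716250f54272c3fec2177d6ba16986f3  default.conf
09b110693e3f4377349ccea3c43cb8199c8579ee351eae34283299be99fdf764b0c1bddd552e13e4d671b194501618b29c822e1ad53b34101a73a63954363dbb  nginx.logrotate
ee10a5687740dde0c3d18d8b3555f49fcdc6abfc0a3bc2de1de3be0e99951a346fe8027d916aab73071ecd4e2c50871e7c867aca3a7a0fd16e3374c5caed1c57  nginx.initd
0b9b9ed01ac077e334c034faa2679f6e26740fb3362eebf8cef82d22b2af2a3faaa53bae3c9e14af51cbf64720a7c66431905ca5cc43f978366456cc4e3b7f4a  nginx.confd
de1e3349d8dd08e5982279b2219dc8a8006739f0409b8e0f5c50d93434beff1fbafba43e9c5ac85a5fab90afc5c0a7244a340610339c36f82f2cba7233e72de9  ngx_devel_kit-0.3.1.tar.gz
05a880d5e48ac83be84498ed41fb4750211b827a9d7541acfd6ef494e5205a6e853d5594bfec3ab4ae668ea3f803e4f4b0ba550c76811971c8e266e42663c56d  ngx_brotli-1.0.0rc.tar.gz
1f6c15b148856e5d258ed804b8340ae286e8ef925128ba230c59c24c3412c60e58952be4511e8360695cb5301268a9a3407760b0887323e6f46ccc9e81a73642  ngx_cache_purge-2.5.tar.gz
d0193ba90f1ef46c4e470630c4394bdf99d94fd2e3bd8be6cb2ba1655ec59944b1269025f032b79dc2c6dad366e54389ef6a6da2ddeb91d535a4027f2162fbde  nginx-dav-ext-module-3.0.0.tar.gz
c90b81a4e85a8e9beeb5ff591dc91adb25fa4e0b6cb47086b577e5fa36db2368442dd011187675e358781956c364b949bc4d920ca2b534481b21c9987d2a9a3b  echo-nginx-module-0.61.tar.gz
bf8ebb188c10fee5e6ebcb338fe20fdf859bb88d9b2b0e3da6f3e2f1847738d30760d2642d0dfe257092bdf2399b561631556a3a8e2fb33dc9cd0c59d371c173  ngx-fancyindex-0.4.4.tar.gz
13165b1b8d4be281b8bd2404fa48d456013d560bace094c81da08a35dc6a4f025a809a3ae3a42be6bbf67abbcbe41e0730aba06f905220f3baeb01e1192a7d37  headers-more-nginx-module-0.33.tar.gz
1feea538464275e6e571860592628ad639b2259c8aab7f38575b81c0b355f1ade32a91643267bc9ec16519e3bcf3d132511513dc8c949f74a3bff975c85d8ff7  lua-nginx-module-0.10.15.tar.gz
72887c4490854b099cb26bb3f840073a36b0d812bde4486f04dc1be182ca74f0d1e3fd709e77c240c2dcf37665f74cf04e188ea9efe8e127c6789b27b487d0cd  lua-upstream-nginx-module-0.07.tar.gz
d8b0e79c2b9cf4dd0b3ba8bfeeca86795b1206ec2a468829e6fd20c2286c9a8f75ad135424590cfb3a9d9cded5cefde4f19ba9e36d63a0ff95487d7139732bd9  nchan-1.2.7.tar.gz
1730845ea2e52be8c2f6cfceb2894304c5a07959a96940bb1617ee0e7cf81d22283304f411d9a219ddb71e4d9a66012bba0f6f5574d101aeb3c406f26c5d6a4e  nginx-http-shibboleth-2.0.1.tar.gz
d6ca250db8de93edbd7875afca35e73cecdaf82132d1a7ee933cf94c6b8afa8e629e9e647a9321f2bc1fbb92137ec0d32dcd89b82ac5fae31e342537fb7e0431  redis2-nginx-module-0.15.tar.gz
5590526f60c99630f99a49bfa9e3455baee6d58cd2a1419eab1367a838dafb87a50f5e2607aa8ac557b90dbf633dcf61069c997b3526cddc8f2fc45820a7bc3b  set-misc-nginx-module-0.32.tar.gz
c31c46344d49704389722325a041b9cd170fa290acefe92cfc572c07f711cd3039de78f28df48ca7dcb79b2e4bbe442580aaaf4d92883fd3a14bf41d66dd9d8c  nginx-upload-progress-module-0.9.2.tar.gz
8adb7453c27748f4e685e3352e9b318b408da818754dc5b6244e908423941a8ba337561104f6e481f2553cbc0e334dcea73b57f8e810a9d6e974bb69ff8859e5  nginx-upstream-fair-0.1.3.tar.gz
4a0af5e9afa4deb0b53de8de7ddb2cfa6430d372e1ef9e421f01b509548bd134d427345442ac1ce667338cc2a1484dc2ab732e316e878ac7d3537dc527d5f922  nginx-rtmp-module-1.2.1.tar.gz
11a97ffa28d6078aa57ad1821421928f6e2a05235a2f384cd2b498e7998f1025edc1ee163a900937ee251b49bd9381813e71248e67d537531b91a998b1610c56  nginx-vod-module-1.25.tar.gz
06963b598c54e22d75ce837fb222f5aa6c9494c29e558ff46f1205d7159fc305414bfac4ed3288c836dcbf7628d92f26458e1992d34fc2f4b73275a32847bdc0  ngx_http_geoip2_module-3.3.tar.gz
4660751849bce303af6010b7257532404710106a94817e78d4bc4b566f8019620f24f30207f1d4366b88132a5124e34b164dc67ed80b6710f4bad66115564cbd  naxsi-0.56.tar.gz"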