diff --git a/net/nginx/Config.in b/net/nginx/Config.in
deleted file mode 100644
index ccb5e240..00000000
--- a/net/nginx/Config.in
+++ /dev/null
@@ -1,270 +0,0 @@ -# -# Copyright (C) 2010-2016 OpenWrt.org -# -# This is free software, licensed under the GNU General Public License v2. -# See /LICENSE for more information. -# - -menu "Configuration" - depends on PACKAGE_nginx - -config NGINX_SSL - bool - prompt "Enable SSL module" - help - Enable HTTPS/SSL support. - default n - -config NGINX_DAV - bool - prompt "Enable WebDAV module" - help - Enable the HTTP and WebDAV methods PUT, DELETE, MKCOL, COPY and MOVE. - default n - -config NGINX_UBUS - bool - prompt "Enable UBUS module" - help - Enable UBUS api support directly from the server. - default y - -config NGINX_FLV - bool - prompt "Enable FLV module" - help - Provides the ability to seek within FLV (Flash) files using time-based offsets. - default n - -config NGINX_STUB_STATUS - bool - prompt "Enable stub status module" - help - Enable the stub status module which gives some status from the server. - default n - -config NGINX_HTTP_CHARSET - bool - prompt "Enable HTTP charset module" - default y - -config NGINX_HTTP_GZIP - bool - prompt "Enable HTTP gzip module" - default y - -config NGINX_HTTP_SSI - bool - prompt "Enable HTTP ssi module" - default y - -config NGINX_HTTP_USERID - bool - prompt "Enable HTTP userid module" - default y - -config NGINX_HTTP_ACCESS - bool - prompt "Enable HTTP access module" - default y - -config NGINX_HTTP_AUTH_BASIC - bool - prompt "Enable HTTP auth basic" - default y - -config NGINX_HTTP_AUTH_REQUEST - bool - prompt "Enable HTTP auth request module" - default n - -config NGINX_HTTP_AUTOINDEX - bool - prompt "Enable HTTP autoindex module" - default y - -config NGINX_HTTP_GEO - bool - prompt "Enable HTTP geo module" - default y - -config NGINX_HTTP_MAP - bool - prompt "Enable HTTP map module" - default y - -config NGINX_HTTP_SPLIT_CLIENTS - bool - prompt "Enable HTTP split clients" - default y - -config NGINX_HTTP_REFERER - bool - prompt "Enable HTTP referer module" - default y - -config NGINX_HTTP_REWRITE - bool - prompt 
"Enable HTTP rewrite module" - select NGINX_PCRE - default y - -config NGINX_HTTP_PROXY - bool - prompt "Enable HTTP proxy module" - default y - -config NGINX_HTTP_FASTCGI - bool - prompt "Enable HTTP fastcgi module" - default y - -config NGINX_HTTP_UWSGI - bool - prompt "Enable HTTP uwsgi module" - default y - -config NGINX_HTTP_SCGI - bool - prompt "Enable HTTP scgi module" - default y - -config NGINX_HTTP_MEMCACHED - bool - prompt "Enable HTTP memcached module" - default y - -config NGINX_HTTP_LIMIT_CONN - bool - prompt "Enable HTTP limit conn" - default y - -config NGINX_HTTP_LIMIT_REQ - bool - prompt "Enable HTTP limit req" - default y - -config NGINX_HTTP_EMPTY_GIF - bool - prompt "Enable HTTP empty gif" - default y - -config NGINX_HTTP_BROWSER - bool - prompt "Enable HTTP browser module" - default y - -config NGINX_HTTP_UPSTREAM_HASH - bool - prompt "Enable HTTP hash module" - default y - -config NGINX_HTTP_UPSTREAM_IP_HASH - bool - prompt "Enable HTTP IP hash module" - default y - -config NGINX_HTTP_UPSTREAM_LEAST_CONN - bool - prompt "Enable HTTP least conn module" - default y - -config NGINX_HTTP_UPSTREAM_KEEPALIVE - bool - prompt "Enable HTTP keepalive module" - default y - -config NGINX_HTTP_CACHE - bool - prompt "Enable HTTP cache" - default y - -config NGINX_HTTP_V2 - bool - prompt "Enable HTTP_V2 module" - default n - -config NGINX_PCRE - bool - prompt "Enable PCRE library usage" - default y - -config NGINX_NAXSI - bool - prompt "Enable NAXSI module" - default y - -config NGINX_LUA - bool - prompt "Enable Lua module" - default n - -config NGINX_HTTP_REAL_IP - bool - prompt "Enable HTTP real ip module" - default n - -config NGINX_HTTP_SECURE_LINK - bool - prompt "Enable HTTP secure link module" - default n - -config NGINX_HTTP_SUB - bool - prompt "Enable HTTP sub module" - default n - -config NGINX_HEADERS_MORE - bool - prompt "Enable Headers_more module" - help - Set and clear input and output headers...more than "add"! 
- default y - -config NGINX_HTTP_BROTLI - bool - prompt "Enable Brotli compression module" - help - Add support for brotli compression module. - default n - -config NGINX_STREAM_CORE_MODULE - bool - prompt "Enable stream support" - help - Add support for NGINX request streaming. - default n - -config NGINX_STREAM_SSL_MODULE - bool - prompt "Enable stream support with SSL/TLS termination" - depends on NGINX_STREAM_CORE_MODULE - help - Add support for NGINX request streaming with SSL/TLS termination. - default n - -config NGINX_STREAM_SSL_PREREAD_MODULE - bool - prompt "Enable stream support with SSL/TLS pre-read" - depends on NGINX_STREAM_CORE_MODULE - help - Add support for NGINX request streaming using information from the ClientHello message without terminating SSL/TLS. - default n - -config NGINX_RTMP_MODULE - bool - prompt "Enable RTMP module" - depends on NGINX_SSL - help - Add support for NGINX-based Media Streaming Server module. - DASH enhanced - https://github.com/ut0mt8/nginx-rtmp-module - default n - -config NGINX_TS_MODULE - bool - prompt "Enable TS module" - help - Add support for MPEG-TS Live Module module. - default n - -endmenu diff --git a/net/nginx/Config_ssl.in b/net/nginx/Config_ssl.in index 050d71fe..1c53dab6 100644 --- a/net/nginx/Config_ssl.in +++ b/net/nginx/Config_ssl.in @@ -175,7 +175,7 @@ config NGINX_HTTP_CACHE config NGINX_HTTP_V2 bool prompt "Enable HTTP_V2 module" - default n + default y config NGINX_PCRE bool diff --git a/net/nginx/Makefile b/net/nginx/Makefile index 38bd987c..37da27e1 100644 --- a/net/nginx/Makefile +++ b/net/nginx/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nginx -PKG_VERSION:=1.19.0 +PKG_VERSION:=1.19.6 PKG_RELEASE:=1 PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://nginx.org/download/ -PKG_HASH:=44a616171fcd7d7ad7c6af3e6f3ad0879b54db5a5d21be874cd458b5691e36c8 +PKG_HASH:=b11195a02b1d3285ddf2987e02c6b6d28df41bb1b1dd25f33542848ef4fc33b5 PKG_MAINTAINER:=Thomas Heil \ Ansuel Smith 
@@ -25,7 +25,6 @@ PKG_BUILD_PARALLEL:=1 PKG_INSTALL:=1 PKG_CONFIG_DEPENDS := \ - CONFIG_NGINX_SSL \ CONFIG_NGINX_DAV \ CONFIG_NGINX_FLV \ CONFIG_NGINX_UBUS \ @@ -72,8 +71,7 @@ PKG_CONFIG_DEPENDS := \ CONFIG_NGINX_RTMP_MODULE \ CONFIG_NGINX_TS_MODULE \ CONFIG_OPENSSL_ENGINE \ - CONFIG_OPENSSL_WITH_NPN \ - CONFIG_NGINX_NOPCRE + CONFIG_OPENSSL_WITH_NPN include $(INCLUDE_DIR)/package.mk @@ -83,31 +81,26 @@ define Package/nginx/default SUBMENU:=Web Servers/Proxies TITLE:=Nginx web server URL:=http://nginx.org/ - DEPENDS:=+NGINX_PCRE:libpcre +NGINX_SSL:libopenssl \ - +NGINX_HTTP_GZIP:zlib +NGINX_LUA:liblua +libpthread +NGINX_DAV:libxml2 \ - +NGINX_UBUS:libubus +NGINX_UBUS:libblobmsg-json +NGINX_UBUS:libjson-c + DEPENDS:=+libopenssl +libpthread + # TODO: add PROVIDES when removing nginx + # PROVIDES:=nginx endef define Package/nginx/description nginx is an HTTP and reverse proxy server, as well as a mail proxy server, \ - written by Igor Sysoev. (Some module require SSL module enable to show up in \ - config menu) -endef - -define Package/nginx - $(Package/nginx/default) - DEPENDS += +!NGINX_SSL:nginx-util +NGINX_SSL&&NGINX_PCRE:nginx-ssl-util \ - +NGINX_SSL&&NGINX_NOPCRE:nginx-ssl-util-nopcre - VARIANT:=no-ssl + written by Igor Sysoev. endef define Package/nginx-ssl $(Package/nginx/default) TITLE += with SSL support - DEPENDS += +libopenssl +NGINX_PCRE:nginx-ssl-util \ - +!NGINX_PCRE:nginx-ssl-util-nopcre VARIANT:=ssl - PROVIDES:=nginx + DEPENDS+= +NGINX_PCRE:libpcre \ + +NGINX_PCRE:nginx-ssl-util +!NGINX_PCRE:nginx-ssl-util-nopcre \ + +NGINX_HTTP_GZIP:zlib +NGINX_LUA:liblua +NGINX_DAV:libxml2 \ + +NGINX_UBUS:libubus +NGINX_UBUS:libblobmsg-json +NGINX_UBUS:libjson-c + EXTRA_DEPENDS:=nginx-ssl-util$(if $(CONFIG_NGINX_PCRE),,-nopcre) (>=1.5-1) (<2) + CONFLICTS:=nginx-all-module endef Package/nginx-ssl/description = $(Package/nginx/description) \ 
@@ -117,23 +110,16 @@ Package/nginx-ssl/description = $(Package/nginx/description) \ define Package/nginx-all-module $(Package/nginx/default) TITLE += with ALL module selected - DEPENDS:=+libpcre +libopenssl +zlib +liblua +libpthread +libxml2 \ - +libubus +libblobmsg-json +libjson-c +nginx-ssl-util + DEPENDS+=+libpcre +nginx-ssl-util +zlib +liblua +libxml2 +libubus \ + +libblobmsg-json +libjson-c + EXTRA_DEPENDS:=nginx-ssl-util (>=1.5-1) (<2) VARIANT:=all-module - PROVIDES:=nginx nginx-ssl + PROVIDES += nginx-ssl endef Package/nginx-all-module/description = $(Package/nginx/description) \ This variant is compiled with ALL module selected. -define Package/nginx/config - source "$(SOURCE)/Config.in" -config NGINX_NOPCRE - bool - default y if !NGINX_PCRE - default n if NGINX_PCRE -endef - define Package/nginx-ssl/config source "$(SOURCE)/Config_ssl.in" endef @@ -148,7 +134,7 @@ Package/nginx-ssl/conffiles = $(Package/nginx/conffiles) Package/nginx-all-module/conffiles = $(Package/nginx/conffiles) -ADDITIONAL_MODULES:= +ADDITIONAL_MODULES:= --with-http_ssl_module ifneq ($(BUILD_VARIANT),all-module) ifneq ($(CONFIG_NGINX_HTTP_CACHE),y) @@ -238,16 +224,6 @@ ifneq ($(BUILD_VARIANT),all-module) ifneq ($(CONFIG_NGINX_HTTP_UPSTREAM_KEEPALIVE),y) ADDITIONAL_MODULES += --without-http_upstream_keepalive_module endif - - ifeq ($(BUILD_VARIANT),ssl) - ifneq ($(CONFIG_NGINX_SSL),y) - ADDITIONAL_MODULES += --with-http_ssl_module - endif - endif - - ifeq ($(CONFIG_NGINX_SSL),y) - ADDITIONAL_MODULES += --with-http_ssl_module - endif ifeq ($(CONFIG_NGINX_NAXSI),y) ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src endif 
@@ -314,44 +290,36 @@ else CONFIG_NGINX_LUA:=y CONFIG_NGINX_DAV:=y CONFIG_NGINX_UBUS:=y - ADDITIONAL_MODULES += --with-http_ssl_module --add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src \ - --add-module=$(PKG_BUILD_DIR)/lua-nginx --with-ipv6 --with-http_stub_status_module --with-http_flv_module \ - --with-http_dav_module --add-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module \ + ADDITIONAL_MODULES += --with-ipv6 --with-http_stub_status_module --with-http_flv_module \ + --with-http_dav_module \ --with-http_auth_request_module --with-http_v2_module --with-http_realip_module \ - --with-http_secure_link_module --with-http_sub_module --add-module=$(PKG_BUILD_DIR)/nginx-headers-more \ + --with-http_secure_link_module --with-http_sub_module \ --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \ + --add-module=$(PKG_BUILD_DIR)/nginx-headers-more \ + --add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src \ + --add-module=$(PKG_BUILD_DIR)/lua-nginx \ + --add-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module \ --add-module=$(PKG_BUILD_DIR)/nginx-brotli --add-module=$(PKG_BUILD_DIR)/nginx-rtmp \ --add-module=$(PKG_BUILD_DIR)/nginx-ts --add-module=$(PKG_BUILD_DIR)/nginx-ubus-module config_files += koi-utf koi-win win-utf fastcgi_params uwsgi_params endif -define Package/nginx-mod-luci/default +define Package/nginx-mod-luci TITLE:=Nginx on LuCI SECTION:=net CATEGORY:=Network SUBMENU:=Web Servers/Proxies TITLE:=Support file for Nginx URL:=http://nginx.org/ - DEPENDS:=+uwsgi +uwsgi-luci-support -endef - -define Package/nginx-mod-luci - $(Package/nginx-mod-luci/default) - DEPENDS += +nginx + DEPENDS:=+uwsgi +uwsgi-luci-support +nginx + # TODO: add PROVIDES when removing nginx-mod-luci-ssl + # PROVIDES:=nginx-mod-luci-ssl endef define Package/nginx-mod-luci/description Support file for LuCI in nginx. Include custom nginx configuration, autostart script for uwsgi. 
endef -define Package/nginx-mod-luci-ssl - $(Package/nginx-mod-luci/default) - TITLE += with HTTPS support - DEPENDS += +nginx-ssl -endef - -Package/nginx-mod-luci-ssl/description = $(define Package/nginx-mod-luci/description) \ - This also include redirect from http to https and cert autogeneration. TARGET_CFLAGS += -fvisibility=hidden -ffunction-sections -fdata-sections -DNGX_LUA_NO_BY_LUA_BLOCK TARGET_LDFLAGS += -Wl,--gc-sections @@ -387,15 +355,11 @@ define Package/nginx-mod-luci/install $(INSTALL_BIN) ./files-luci-support/60_nginx-luci-support $(1)/etc/uci-defaults/60_nginx-luci-support endef -Package/nginx-mod-luci-ssl/install = $(Package/nginx-mod-luci/install) - -define Package/nginx/install +define Package/nginx-ssl/install $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/nginx $(1)/usr/sbin/ $(INSTALL_DIR) $(1)/etc/nginx/conf.d $(INSTALL_DATA) $(addprefix $(PKG_INSTALL_DIR)/etc/nginx/,$(config_files)) $(1)/etc/nginx/ - $(INSTALL_CONF) ./files/nginx.conf $(1)/etc/nginx/ - $(INSTALL_CONF) ./files/_lan.conf $(1)/etc/nginx/conf.d/ $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/nginx.init $(1)/etc/init.d/nginx ifeq ($(CONFIG_NGINX_NAXSI),y) @@ -405,20 +369,6 @@ ifeq ($(CONFIG_NGINX_NAXSI),y) endif $(if $(CONFIG_NGINX_NAXSI),$($(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx)) $(if $(CONFIG_NGINX_NAXSI),$(chmod 0640 $(1)/etc/nginx/naxsi_core.rules)) -ifeq ($(CONFIG_NGINX_SSL),y) - $(INSTALL_CONF) ./files/_redirect2ssl.conf $(1)/etc/nginx/conf.d/ -endif -ifneq ($(CONFIG_IPV6),y) - $(SED) '/listen\s*\[/d' $(1)/etc/nginx/conf.d/*.conf # without IPv6 [::] -endif -endef - -define Package/nginx-ssl/install - $(call Package/nginx/install, $(1)) - $(INSTALL_CONF) ./files/_redirect2ssl.conf $(1)/etc/nginx/conf.d/ -ifneq ($(CONFIG_IPV6),y) - $(SED) '/listen\s*\[/d' $(1)/etc/nginx/conf.d/*.conf # without IPv6 [::] -endif endef Package/nginx-all-module/install = $(Package/nginx-ssl/install) 
@@ -426,27 +376,14 @@ Package/nginx-all-module/install = $(Package/nginx-ssl/install) define Package/nginx-ssl/prerm #!/bin/sh [ -z "$${IPKG_INSTROOT}" ] || exit 0 -if [ "$${PKG_UPGRADE}" = "1" ]; then - eval $$(/usr/bin/nginx-util get_env) - TMP_CRT=$$(mktemp -p "$${CONF_DIR}" "$${LAN_NAME}.crt.tmp-XXXXXX") - ln -f "$${CONF_DIR}$${LAN_NAME}.crt" "$${TMP_CRT}" - TMP_KEY=$$(mktemp -p "$${CONF_DIR}" "$${LAN_NAME}.key.tmp-XXXXXX") - ln -f "$${CONF_DIR}$${LAN_NAME}.key" "$${TMP_KEY}" -fi -/usr/bin/nginx-util del_ssl -[ -f "$${TMP_CRT}" ] && -rm -f "$${CONF_DIR}$${LAN_NAME}.crt" && -mv -f "$${TMP_CRT}" "$${CONF_DIR}$${LAN_NAME}.crt" -[ -f "$${TMP_KEY}" ] && -rm -f "$${CONF_DIR}$${LAN_NAME}.key" && -mv -f "$${TMP_KEY}" "$${CONF_DIR}$${LAN_NAME}.key" +[ "$${PKG_UPGRADE}" = "1" ] && exit 0 +eval $$(/usr/bin/nginx-util get_env) +[ "$$(uci get "nginx.$${LAN_NAME}.$${MANAGE_SSL}")" = "self-signed" ] || exit 0 +rm -f "$$(uci get "nginx.$${LAN_NAME}.ssl_certificate")" +rm -f "$$(uci get "nginx.$${LAN_NAME}.ssl_certificate_key")" exit 0 endef -ifeq ($(CONFIG_NGINX_SSL),y) -Package/nginx/prerm = $(Package/nginx-ssl/prerm) -endif - Package/nginx-all-module/prerm = $(Package/nginx-ssl/prerm) define Build/Prepare @@ -591,11 +528,11 @@ endif ifeq ($(CONFIG_NGINX_UBUS),y) define Download/nginx-ubus-module - VERSION:=f30b0167a2cdb40f23bd90928d601bdb0c1b8fad + VERSION:=b2d7260dcb428b2fb65540edb28d7538602b4a26 SUBDIR:=nginx-ubus-module FILE:=nginx-ubus-module-$$(VERSION).tar.xz URL:=https://github.com/Ansuel/nginx-ubus-module.git - MIRROR_HASH:=02c7d4b0df7f4b69605e71b0fefdc99b5a9470c68cad7ccfb31ebefe4e7e0704 + MIRROR_HASH:=472cef416d25effcac66c85417ab6596e634a7a64d45b709bb090892d567553c PROTO:=git endef $(eval $(call Download,nginx-ubus-module)) 
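Review bot: The two added `rm -f "$$(uci get …)"` lines in Package/nginx-ssl/prerm delete, as root, whatever path the `ssl_certificate` and `ssl_certificate_key` options hold, and the only guard is the manage flag being `self-signed`. If a user has pointed either option at a certificate or key they maintain themselves while that flag is still set, removing the package deletes their file. I would read each path into a variable and remove it only when it lies under the configuration directory, e.g. `case "$${CRT}" in "$${CONF_DIR}"*) rm -f "$${CRT}" ;; esac` (this assumes `nginx-util get_env` still exports `CONF_DIR`, which the hunk does not show). The output of `get_env` is also evaluated without a failure check, so an `|| exit 0` after the `eval` line would stop the script before it runs `uci get` with an empty `LAN_NAME`.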
@@ -606,8 +543,34 @@ ifeq ($(CONFIG_NGINX_UBUS),y) endef endif -$(eval $(call BuildPackage,nginx)) $(eval $(call BuildPackage,nginx-ssl)) $(eval $(call BuildPackage,nginx-all-module)) $(eval $(call BuildPackage,nginx-mod-luci)) + +# TODO: remove after a transition period (together with pkg nginx-util): +# It is for smoothly substituting nginx and nginx-mod-luci-ssl (by nginx-ssl +# respectively nginx-mod-luci). Add above commented PROVIDES when removing. + +define Package/nginx + TITLE:=Dummy package for transition when upgrading. + DEPENDS:=+nginx-ssl + PKGARCH:=all +endef + +define Package/nginx/install + $(INSTALL_DIR) $(1)/usr/bin +endef + +$(eval $(call BuildPackage,nginx)) + +define Package/nginx-mod-luci-ssl + TITLE:=Dummy package for transition when upgrading. + DEPENDS:=+nginx-mod-luci + PKGARCH:=all +endef + +define Package/nginx-mod-luci-ssl/install + $(INSTALL_DIR) $(1)/usr/bin +endef + $(eval $(call BuildPackage,nginx-mod-luci-ssl)) diff --git a/net/nginx/files-luci-support/60_nginx-luci-support b/net/nginx/files-luci-support/60_nginx-luci-support index b1fe3582..b2564444 100644 --- a/net/nginx/files-luci-support/60_nginx-luci-support +++ b/net/nginx/files-luci-support/60_nginx-luci-support @@ -6,13 +6,16 @@ if nginx -V 2>&1 | grep -q ubus; then location /ubus { ubus_interpreter; - ubus_socket_path /var/run/ubus.sock; + ubus_socket_path /var/run/ubus/ubus.sock; ubus_parallel_req 2; } EOT fi fi +grep -q /var/run/ubus.sock /etc/nginx/conf.d/luci.locations && + sed -i 's#/var/run/ubus.sock#/var/run/ubus/ubus.sock#' /etc/nginx/conf.d/luci.locations + if [ -x /etc/init.d/uhttpd ]; then /etc/init.d/uhttpd disable if [ -n "$(pgrep uhttpd)" ]; then diff --git a/net/nginx/files/README.sh b/net/nginx/files/README.sh deleted file mode 100755 index 6227e661..00000000 --- a/net/nginx/files/README.sh +++ /dev/null 
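Review bot: The added migration `grep -q /var/run/ubus.sock … && sed -i …` treats the dots in the old socket path as regex wildcards and runs even when `/etc/nginx/conf.d/luci.locations` does not exist, in which case grep writes an error to stderr. A fixed-string test behind an existence guard states the intent directly: `[ -f /etc/nginx/conf.d/luci.locations ] && grep -qF /var/run/ubus.sock /etc/nginx/conf.d/luci.locations &&`. The dot in the sed pattern could be escaped as `ubus\.sock` for the same reason. The script continues outside the hunk.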
@@ -1,327 +0,0 @@ -#!/bin/sh -# This is a template copy it by: ./README.sh | xclip -selection c -# to https://openwrt.org/docs/guide-user/services/webserver/nginx#configuration - -NGINX_UTIL="/usr/bin/nginx-util" - -EXAMPLE_COM="example.com" - -MSG=" -/* Created by the following bash script that includes the source of some files: - * https://github.com/openwrt/packages/net/nginx/files/README.sh - */" - -eval $("${NGINX_UTIL}" get_env) - -code() { printf "\n%s" "$1" "$(cat "$(basename $1)")"; } - -ifConfEcho() { sed -nE "s/^\s*$1=\s*(\S*)\s*\\\\$/\n$2 \"\1\";/p" ../Makefile;} - -cat <$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} ${EXAMPLE_COM} - - - -==== Basic ====${MSG} - - -We modify the configuration by creating different configuration files in the -''${CONF_DIR}'' directory. -The configuration files use the file extensions ''.locations'' and -''.conf'' (plus ''.crt'' and ''.key'' for Nginx with SSL). -We can disable single configuration parts by giving them another extension, -e.g., by adding ''.disabled''. -For the new configuration to take effect, we must reload it by: -service nginx reload - -For OpenWrt we use a special initial configuration, which is explained below in -the section [[#openwrt_s_defaults|OpenWrt’s Defaults]]. -So, we can make a site available at a specific URL in the **LAN** by creating a -''.locations'' file in the directory ''${CONF_DIR}''. -Such a file consists just of some -[[https://nginx.org/en/docs/http/ngx_http_core_module.html#location| -location blocks]]. -Under the latter link, you can find also the official documentation for all -available directives of the HTTP core of Nginx. -Look for //location// in the Context list. 
- -The following example provides a simple template, see at the end for -different [[#locations_for_apps|Locations for Apps]] and look for -[[https://github.com/search?utf8=%E2%9C%93&q=repo%3Aopenwrt%2Fpackages -+extension%3Alocations&type=Code&ref=advsearch&l=&l=| -other packages using a .locations file]], too: - -location /ex/am/ple { - access_log off; # default: not logging accesses. - # access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout). - # error_log stderr; # default: logging to logd (init forwards stderr). - error_log /dev/null; # disable error logging after config file is read. - # (state path of a file for access_log/error_log to the file instead.) - index index.html; -} -# location /eg/static { … } - - -All location blocks in all ''.locations'' files must use different URLs, -since they are all included in the ''${LAN_NAME}.conf'' that is part of the -[[#openwrt_s_defaults|OpenWrt’s Defaults]]. -We reserve the ''location /'' for making LuCI available under the root URL, -e.g. [[http://192.168.1.1/|192.168.1.1/]]. -All other sites shouldn’t use the root ''location /'' without suffix. -We can make other sites available on the root URL of other domain names, e.g. -on www.example.com/. -In order to do that, we create a ''.conf'' file for every domain name: -see the next section [[#new_server_parts|New Server Parts]]. -For Nginx with SSL we can also activate SSL there, as described below in the -section [[#ssl_server_parts|SSL Server Parts]]. -We use such server parts also for publishing sites to the internet (WAN) -instead of making them available just in the LAN. - -Via ''.conf'' files we can also add directives to the //http// part of the -configuration. The difference to editing the main ''${NGINX_CONF}'' -file instead is the following: If the package’s ''nginx.conf'' file is updated -it will only be installed if the old file has not been changed. 
- - - -==== New Server Parts ====${MSG} - - -For making the router reachable from the WAN at a registered domain name, -it is not enough to give the name server the internet IP address of the router -(maybe updated automatically by a -[[docs:guide-user:services:ddns:client|DDNS Client]]). -We also need to set up virtual hosting for this domain name by creating an -appropriate server part in a ''${CONF_DIR}*.conf'' file. -All such files are included at the start of Nginx by the default main -configuration of OpenWrt ''${NGINX_CONF}'' as depicted in -[[#openwrt_s_defaults|OpenWrt’s Defaults]]. - -In the server part, we state the domain as -[[https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name| -server_name]]. -The link points to the same document as for the location blocks in the -[[#basic|Basic Configuration]]: the official documentation for all available -directives of the HTTP core of Nginx. -This time look for //server// in the Context list, too. -The server part should also contain similar location blocks as before. -We can re-include a ''.locations'' file that is included in the server part for -the LAN by default. -Then the site is reachable under the same path at both domains, e.g., by -http://192.168.1.1/ex/am/ple as well as by http://example.com/ex/am/ple. - -The [[#openwrt_s_defaults|OpenWrt’s Defaults]] include a ''${LAN_NAME}.conf'' -file containing a server part that listens on the LAN address(es) and acts as -//default_server//. -For making the domain name accessible in the LAN, too, the corresponding -server part must listen **explicitly** on the local IP address(es), cf. the -official documentation on -[[https://nginx.org/en/docs/http/request_processing.html|request_processing]]. -We can include the file ''${LAN_LISTEN}'' that contains the listen -directives for all LAN addresses on the HTTP port 80 and is automatically -updated. 
- -The following example is a simple template, see -[[https://github.com/search?q=repo%3Aopenwrt%2Fpackages -+include+${LAN_LISTEN}+extension%3Aconf&type=Code| -such server parts of other packages]], too: - -server { - listen 80; - listen [::]:80; - include '${LAN_LISTEN}'; - server_name ${EXAMPLE_COM}; - # location / { … } # root location for this server. - include '${CONF_DIR}${EXAMPLE_COM}.locations'; -} - - - - -==== SSL Server Parts ====${MSG} - - -We can enable HTTPS for a domain if Nginx is installed with SSL support. -We need a SSL certificate as well as its key and add them by the directives -//ssl_certificate// respective //ssl_certificate_key// to the server part of the -domain. -The rest of the configuration is similar as described in the previous section -[[#new_server_parts|New Server Parts]], -we only have to adjust the listen directives by adding the //ssl// parameter, -see the official documentation for -[[https://nginx.org/en/docs/http/configuring_https_servers.html| -configuring HTTPS servers]], too. -For making the domain available also in the LAN, we can include the file -''${LAN_SSL_LISTEN}'' that contains the listen directives with ssl -parameter for all LAN addresses on the HTTPS port 443 and is automatically -updated. - -The official documentation of the SSL module contains an -[[https://nginx.org/en/docs/http/ngx_http_ssl_module.html#example| -example]], -which includes some optimizations. 
-The following template is extended similarly, see also -[[https://github.com/search?q=repo%3Aopenwrt%2Fpackages -+include+${LAN_SSL_LISTEN}+extension%3Aconf&type=Code| -other packages providing SSL server parts]]: - -server { - listen 443 ssl; - listen [::]:443 ssl; - include '${LAN_SSL_LISTEN}'; - server_name ${EXAMPLE_COM}; - ssl_certificate '${CONF_DIR}${EXAMPLE_COM}.crt'; - ssl_certificate_key '${CONF_DIR}${EXAMPLE_COM}.key'; - ssl_session_cache ${SSL_SESSION_CACHE_ARG}; - ssl_session_timeout ${SSL_SESSION_TIMEOUT_ARG}; - # location / { … } # root location for this server. - include '${CONF_DIR}${EXAMPLE_COM}.locations'; -} - - -For creating a certificate (and its key) we can use Let’s Encrypt by installing -[[https://github.com/Neilpang/acme.sh|ACME Shell Script]]: -opkg update && opkg install acme # and for LuCI: luci-app-acme - -For the LAN server in the ''${LAN_NAME}.conf'' file, the init script -''/etc/init.d/nginx'' script installs automatically a self-signed certificate. -We can use this mechanism also for other sites by issuing, e.g.: -$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} ${EXAMPLE_COM} - - It adds SSL directives to the server part of \ - ''${CONF_DIR}${EXAMPLE_COM}.conf'' like in the example above. - - Then, it checks if there is a certificate and key for the given domain name\ - that is valid for at least 13 months or tries to create a self-signed one. - - When cron is activated, it installs a cron job for renewing the self-signed\ - certificate every year if needed, too. We can activate cron by: \ - service cron enable && service cron start - -Beside the ''${LAN_NAME}.conf'' file, the -[[#openwrt_s_defaults|OpenWrt’s Defaults]] include also the -''_redirect2ssl.conf'' file containing a server part that redirects all HTTP -request for inexistent URIs to HTTPS. 
- - - -==== OpenWrt’s Defaults ====${MSG} - - -The default main configuration file is: -$(code ${NGINX_CONF}) - -We can pretend the main configuration contains also the following presets, -since Nginx is configured with them: -$(ifConfEcho --pid-path pid)\ -$(ifConfEcho --lock-path lock_file)\ -$(ifConfEcho --error-log-path error_log)\ -$(false && ifConfEcho --http-log-path access_log)\ -$(ifConfEcho --http-proxy-temp-path proxy_temp_path)\ -$(ifConfEcho --http-client-body-temp-path client_body_temp_path)\ -$(ifConfEcho --http-fastcgi-temp-path fastcgi_temp_path)\ - - -So, the access log is turned off by default and we can look at the error log -by ''logread'', as Nginx’s init file forwards stderr and stdout to the -[[docs:guide-user:base-system:log.essentials|logd]]. -We can set the //error_log// and //access_log// to files where the log -messages are forwarded to instead (after the configuration is read). -And for redirecting the access log of a //server// or //location// to the logd, -too, we insert the following directive in the corresponding block: - - access_log /proc/self/fd/1 openwrt; - - -At the end, the main configuration pulls in all ''.conf'' files from the -directory ''${CONF_DIR}'' into the http block, especially the following -server part for the LAN: -$(code ${CONF_DIR}${LAN_NAME}.conf) - -It pulls in all ''.locations'' files from the directory ''${CONF_DIR}''. -We can install the location parts of different sites there (see above in the -[[#basic|Basic Configuration]]) and re-include them in server parts of other -''${CONF_DIR}*.conf'' files. -This is needed especially for making them available to the WAN as described -above in the section [[#new_server_parts|New Server Parts]]. 
-All ''.locations'' become available on the LAN through the file -''$(basename ${LAN_LISTEN}).default'', which contains one of the following -directives for every local IP address: - - listen IPv4:80 default_server; - listen [IPv6]:80 default_server; - -The ''${LAN_LISTEN}'' file contains the same directives without the -parameter ''default_server''. -We can include this file in other server parts that should be reachable in the -LAN through their //server_name//. -Both files ''${LAN_LISTEN}{,.default}'' are (re-)created if Nginx starts -through its init for OpenWrt or the LAN interface changes. - -=== Additional Defaults for OpenWrt if Nginx is installed with SSL support === - -When Nginx is installed with SSL support, there will be automatically managed -files ''$(basename ${LAN_SSL_LISTEN}).default'' and -''$(basename ${LAN_SSL_LISTEN})'' in the directory -''$(dirname ${LAN_SSL_LISTEN})/'' containing the following directives for all -IPv4 and IPv6 addresses of the LAN: - - listen IP:443 ssl; # with respectively without: default_server - -Both files as well as the ''${LAN_LISTEN}{,.default}'' files are (re-)created -if Nginx starts through its init for OpenWrt or the LAN interface changes. - -For Nginx with SSL there is also the following server part that redirects -requests for an inexistent ''server_name'' from HTTP to HTTPS (using an invalid -name, more in the official documentation on -[[https://nginx.org/en/docs/http/request_processing.html|request_processing]]): -$(code ${CONF_DIR}_redirect2ssl.conf) - -Nginx’s init file for OpenWrt installs automatically a self-signed certificate -for the LAN server part if needed and possible: - - Everytime Nginx starts, we check if the LAN is set up for SSL. 
- - We add //ssl*// directives (like in the example of the previous section \ - [[#ssl_server_parts|SSL Server Parts]]) to the configuration file \ - ''${CONF_DIR}${LAN_NAME}.conf'' if needed and if it looks “normal”, i.e., \ - it has a ''server_name ${LAN_NAME};'' part. - - If there is no corresponding certificate that is valid for more than 13 \ - months at ''${CONF_DIR}${LAN_NAME}.{crt,key}'', we create a self-signed one. - - We activate SSL by including the ssl listen directives from \ - ''${LAN_SSL_LISTEN}.default'' and it becomes available by the default \ - redirect from ''listen *:80;'' in ''${CONF_DIR}_redirect2ssl.conf'' - - If cron is available, i.e., its status is not ''inactive'', we use it \ - to check the certificate for validity once a year and renew it if there \ - are only about 13 months of the more than 3 years life time left. - -The points 2, 3 and 5 can be used for other domains, too: -As described in the section [[#new_server_parts|New Server Parts]] above, we -create a server part in ''${CONF_DIR}www.example.com.conf'' with -a corresponding ''server_name www.example.com;'' directive and call -$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} www.example.com -EOF diff --git a/net/nginx/files/_lan.conf b/net/nginx/files/_lan.conf deleted file mode 100644 index d44871f3..00000000 --- a/net/nginx/files/_lan.conf +++ /dev/null @@ -1,8 +0,0 @@ -# default_server for the LAN addresses getting the IPs by: -# ifstatus lan | jsonfilter -e '@["ipv4-address","ipv6-address"].*.address' -server { - include '/var/lib/nginx/lan.listen.default'; - server_name _lan; - # access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout). - include conf.d/*.locations; -} diff --git a/net/nginx/files/_redirect2ssl.conf b/net/nginx/files/_redirect2ssl.conf deleted file mode 100644 index cfae4870..00000000 --- a/net/nginx/files/_redirect2ssl.conf +++ /dev/null 
@@ -1,8 +0,0 @@ -# acts as default server if there is no other. -server { - listen 80; - listen [::]:80; - include '/var/lib/nginx/lan.listen'; - server_name _redirect2ssl; - return 302 https://$host$request_uri; -} diff --git a/net/nginx/files/nginx.conf b/net/nginx/files/nginx.conf deleted file mode 100644 index da1cbdf4..00000000 --- a/net/nginx/files/nginx.conf +++ /dev/null @@ -1,30 +0,0 @@ -# Please consider creating files in /etc/nginx/conf.d/ instead of editing this. -# For details see https://openwrt.org/docs/guide-user/services/webserver/nginx - -worker_processes auto; - -user root; - -events {} - -http { - access_log off; - log_format openwrt - '$request_method $scheme://$host$request_uri => $status' - ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer'; - - include mime.types; - default_type application/octet-stream; - sendfile on; - - client_max_body_size 128M; - large_client_header_buffers 2 1k; - - gzip on; - gzip_vary on; - gzip_proxied any; - - root /www; - - include conf.d/*.conf; -} diff --git a/net/nginx/files/nginx.init b/net/nginx/files/nginx.init index fa189931..300a8c65 100644 --- a/net/nginx/files/nginx.init +++ b/net/nginx/files/nginx.init 
@@ -5,54 +5,69 @@ START=80 USE_PROCD=1 +G_OPTS="daemon off;" + NGINX_UTIL="/usr/bin/nginx-util" eval $("${NGINX_UTIL}" get_env) -start_service() { +CONF="" + + +nginx_init() { + [ -z "${CONF}" ] || return # already called. + [ -d /var/log/nginx ] || mkdir -p /var/log/nginx [ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx + rm -f "$(readlink "${UCI_CONF}")" ${NGINX_UTIL} init_lan + if [ -e "${UCI_CONF}" ] + then CONF="${UCI_CONF}" + else CONF="${NGINX_CONF}" + fi + + local message + message="$(/usr/sbin/nginx -t -c "${CONF}" -g "${G_OPTS}" 2>&1)" || + { + echo -e "${message}" | logger -t "nginx_init" -p "daemon.err" + logger -s -t "nginx_init" -p "daemon.err" "NOT using conf file!" + echo "show config to be used by: nginx -T -c '${CONF}'" >&2 + exit 1 + } + + logger -t "nginx_init" -p "daemon.info" "using ${CONF} (the test is ok)" +} + + +start_service() { + nginx_init + procd_open_instance - procd_set_param command /usr/sbin/nginx -c "${NGINX_CONF}" \ - -g "daemon off;" + procd_set_param command /usr/sbin/nginx -c "${CONF}" -g "${G_OPTS}" procd_set_param stdout 1 procd_set_param stderr 1 - procd_set_param file "${LAN_LISTEN}" "${LAN_LISTEN}.default" \ - "${NGINX_CONF}" "${CONF_DIR}*.conf" "${CONF_DIR}*.locations" - [ "${LAN_SSL_LISTEN}" == "" ] \ - || procd_append_param file "${CONF_DIR}*.crt" "${CONF_DIR}*.key" \ - "${LAN_SSL_LISTEN}" "${LAN_SSL_LISTEN}.default" + procd_set_param file "${CONF}" "${CONF_DIR}*.crt" "${CONF_DIR}*.key" \ + "${CONF_DIR}*.conf" "${CONF_DIR}*.locations" procd_set_param respawn procd_close_instance } -stop_service() { - rm -f "${LAN_LISTEN}" "${LAN_LISTEN}.default" - [ "${LAN_SSL_LISTEN}" == "" ] \ - || rm -f "${LAN_SSL_LISTEN}" "${LAN_SSL_LISTEN}.default" -} - -service_triggers() { - procd_add_reload_interface_trigger loopback - procd_add_reload_interface_trigger lan -} reload_service() { - [ -d /var/log/nginx ] || mkdir -p /var/log/nginx - [ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx + nginx_init - ${NGINX_UTIL} init_lan - - 
procd_send_signal nginx + if [ "$(cat "/proc/$(cat "/var/run/nginx.pid")/cmdline")" = \ + "nginx: master process /usr/sbin/nginx -c ${CONF} -g ${G_OPTS}" ] + then procd_send_signal nginx + else restart + fi } + +extra_command "relog" "Reopen log files (without reloading)" relog() { [ -d /var/log/nginx ] || mkdir -p /var/log/nginx procd_send_signal nginx '*' USR1 } - -EXTRA_COMMANDS="relog" -EXTRA_HELP=" relog Reopen log files (without reloading)"
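Review bot: In `nginx_init`, `rm -f "$(readlink "${UCI_CONF}")"` removes as root whatever the `UCI_CONF` symlink points at, without checking where that is. Because `readlink` is called without `-f`, a relative link target is also left unresolved and is interpreted against the init script's working directory. The generated file presumably lives under `/var/lib/nginx` (the hunk does not show where `nginx-util` writes it), so I would canonicalise and restrict the removal: `target="$(readlink -f "${UCI_CONF}")"` followed by `case "${target}" in /var/lib/nginx/*) rm -f "${target}" ;; esac`. A one-line comment saying why the stale generated config is removed before `init_lan` would help the next reader. Separately, `reload_service` reads `/var/run/nginx.pid` without checking that it exists, so a missing pid file produces two `cat` errors before the fallback to `restart`.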