update nginx to 1.19.6-1

use UCI configuration provided by nginx-util
2025-05-01 04:20:09 +08:00 · 2021-02-11 10:38:13 +08:00 · 2021-02-11 10:38:13 +08:00 · 374a1e85da
commit 374a1e85da
parent 71129086ca
9 changed files with 110 additions and 772 deletions
--- a/net/nginx/Config.in
+++ b/net/nginx/Config.in
@ -1,270 +0,0 @@
 #
 # Copyright (C) 2010-2016 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 menu "Configuration"
        depends on PACKAGE_nginx
 config NGINX_SSL
 	bool
 	prompt "Enable SSL module"
 	help
 		Enable HTTPS/SSL support.
 	default n
 config NGINX_DAV
 	bool
 	prompt "Enable WebDAV module"
 	help
 		Enable the HTTP and WebDAV methods PUT, DELETE, MKCOL, COPY and MOVE.
 	default n
 config NGINX_UBUS
 	bool
 	prompt "Enable UBUS module"
 	help
 		Enable UBUS api support directly from the server.
 	default y
 config NGINX_FLV
 	bool
 	prompt "Enable FLV module"
 	help
 		Provides the ability to seek within FLV (Flash) files using time-based offsets.
 	default n
 config NGINX_STUB_STATUS
 	bool
 	prompt "Enable stub status module"
 	help
 		Enable the stub status module which gives some status from the server.
 	default n
 config NGINX_HTTP_CHARSET
 	bool
 	prompt "Enable HTTP charset module"
 	default y
 config NGINX_HTTP_GZIP
 	bool
 	prompt "Enable HTTP gzip module"
 	default y
 config NGINX_HTTP_SSI
 	bool
 	prompt "Enable HTTP ssi module"
 	default y
 config NGINX_HTTP_USERID
 	bool
 	prompt "Enable HTTP userid module"
 	default y
 config NGINX_HTTP_ACCESS
 	bool
 	prompt "Enable HTTP access module"
 	default y
 config NGINX_HTTP_AUTH_BASIC
 	bool
 	prompt "Enable HTTP auth basic"
 	default y
 config NGINX_HTTP_AUTH_REQUEST
 	bool
 	prompt "Enable HTTP auth request module"
 	default n
 config NGINX_HTTP_AUTOINDEX
 	bool
 	prompt "Enable HTTP autoindex module"
 	default y
 config NGINX_HTTP_GEO
 	bool
 	prompt "Enable HTTP geo module"
 	default y
 config NGINX_HTTP_MAP
 	bool
 	prompt "Enable HTTP map module"
 	default y
 config NGINX_HTTP_SPLIT_CLIENTS
 	bool
 	prompt "Enable HTTP split clients"
 	default y
 config NGINX_HTTP_REFERER
 	bool
 	prompt "Enable HTTP referer module"
 	default y
 config NGINX_HTTP_REWRITE
 	bool
 	prompt "Enable HTTP rewrite module"
 	select NGINX_PCRE
 	default y
 config NGINX_HTTP_PROXY
 	bool
 	prompt "Enable HTTP proxy module"
 	default y
 config NGINX_HTTP_FASTCGI
 	bool
 	prompt "Enable HTTP fastcgi module"
 	default y
 config NGINX_HTTP_UWSGI
 	bool
 	prompt "Enable HTTP uwsgi module"
 	default y
 config NGINX_HTTP_SCGI
 	bool
 	prompt "Enable HTTP scgi module"
 	default y
 config NGINX_HTTP_MEMCACHED
 	bool
 	prompt "Enable HTTP memcached module"
 	default y
 config NGINX_HTTP_LIMIT_CONN
 	bool
 	prompt "Enable HTTP limit conn"
 	default y
 config NGINX_HTTP_LIMIT_REQ
 	bool
 	prompt "Enable HTTP limit req"
 	default y
 config NGINX_HTTP_EMPTY_GIF
 	bool
 	prompt "Enable HTTP empty gif"
 	default y
 config NGINX_HTTP_BROWSER
 	bool
 	prompt "Enable HTTP browser module"
 	default y
 config NGINX_HTTP_UPSTREAM_HASH
 	bool
 	prompt "Enable HTTP hash module"
 	default y
 config NGINX_HTTP_UPSTREAM_IP_HASH
 	bool
 	prompt "Enable HTTP IP hash module"
 	default y
 config NGINX_HTTP_UPSTREAM_LEAST_CONN
 	bool
 	prompt "Enable HTTP least conn module"
 	default y
 config NGINX_HTTP_UPSTREAM_KEEPALIVE
 	bool
 	prompt "Enable HTTP keepalive module"
 	default y
 config NGINX_HTTP_CACHE
 	bool
 	prompt "Enable HTTP cache"
 	default y
 config NGINX_HTTP_V2
 	bool
 	prompt "Enable HTTP_V2 module"
 	default n
 config NGINX_PCRE
 	bool
 	prompt "Enable PCRE library usage"
 	default y
 config NGINX_NAXSI
 	bool
 	prompt "Enable NAXSI module"
 	default y
 config NGINX_LUA
 	bool
 	prompt "Enable Lua module"
 	default n
 config NGINX_HTTP_REAL_IP
 	bool
 	prompt "Enable HTTP real ip module"
 	default n
 config NGINX_HTTP_SECURE_LINK
 	bool
 	prompt "Enable HTTP secure link module"
 	default n
 config NGINX_HTTP_SUB
 	bool
 	prompt "Enable HTTP sub module"
 	default n
 config NGINX_HEADERS_MORE
 	bool
 	prompt "Enable Headers_more module"
 	help
 		Set and clear input and output headers...more than "add"!
 	default y
 config NGINX_HTTP_BROTLI
 	bool
 	prompt "Enable Brotli compression module"
 	help
 		Add support for brotli compression module.
 	default n
 config NGINX_STREAM_CORE_MODULE
 	bool
 	prompt "Enable stream support"
 	help
 		Add support for NGINX request streaming.
 	default n
 config NGINX_STREAM_SSL_MODULE
 	bool
 	prompt "Enable stream support with SSL/TLS termination"
 	depends on NGINX_STREAM_CORE_MODULE
 	help
 		Add support for NGINX request streaming with SSL/TLS termination.
 	default n
 config NGINX_STREAM_SSL_PREREAD_MODULE
 	bool
 	prompt "Enable stream support with SSL/TLS pre-read"
 	depends on NGINX_STREAM_CORE_MODULE
 	help
 		Add support for NGINX request streaming using information from the ClientHello message without terminating SSL/TLS.
 	default n
 config NGINX_RTMP_MODULE
 	bool
 	prompt "Enable RTMP module"
 	depends on NGINX_SSL
 	help
 		Add support for NGINX-based Media Streaming Server module.
 		DASH enhanced - https://github.com/ut0mt8/nginx-rtmp-module
 	default n
 config NGINX_TS_MODULE
 	bool
 	prompt "Enable TS module"
 	help
 		Add support for MPEG-TS Live Module module.
 	default n
 endmenu
--- a/net/nginx/Config_ssl.in
+++ b/net/nginx/Config_ssl.in
@ -175,7 +175,7 @@ config NGINX_HTTP_CACHE
 config NGINX_HTTP_V2
 	bool
 	prompt "Enable HTTP_V2 module"
-	default n
+	default y
 config NGINX_PCRE
 	bool
--- a/net/nginx/Makefile
+++ b/net/nginx/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=nginx
-PKG_VERSION:=1.19.0
+PKG_VERSION:=1.19.6
 PKG_RELEASE:=1
 PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://nginx.org/download/
-PKG_HASH:=44a616171fcd7d7ad7c6af3e6f3ad0879b54db5a5d21be874cd458b5691e36c8
+PKG_HASH:=b11195a02b1d3285ddf2987e02c6b6d28df41bb1b1dd25f33542848ef4fc33b5
 PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de> \
 				Ansuel Smith <ansuelsmth@gmail.com>
@ -25,7 +25,6 @@ PKG_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
 PKG_CONFIG_DEPENDS := \
 	CONFIG_NGINX_SSL \
 	CONFIG_NGINX_DAV \
 	CONFIG_NGINX_FLV \
 	CONFIG_NGINX_UBUS \
@ -72,8 +71,7 @@ PKG_CONFIG_DEPENDS := \
 	CONFIG_NGINX_RTMP_MODULE \
 	CONFIG_NGINX_TS_MODULE \
 	CONFIG_OPENSSL_ENGINE \
-	CONFIG_OPENSSL_WITH_NPN \
+	CONFIG_OPENSSL_WITH_NPN
 	CONFIG_NGINX_NOPCRE
 include $(INCLUDE_DIR)/package.mk
@ -83,31 +81,26 @@ define Package/nginx/default
  SUBMENU:=Web Servers/Proxies
  TITLE:=Nginx web server
  URL:=http://nginx.org/
-  DEPENDS:=+NGINX_PCRE:libpcre +NGINX_SSL:libopenssl \
+  DEPENDS:=+libopenssl +libpthread
-	+NGINX_HTTP_GZIP:zlib +NGINX_LUA:liblua +libpthread +NGINX_DAV:libxml2 \
+  # TODO: add PROVIDES when removing nginx
-	+NGINX_UBUS:libubus +NGINX_UBUS:libblobmsg-json +NGINX_UBUS:libjson-c
+  # PROVIDES:=nginx
 endef
 define Package/nginx/description
 nginx is an HTTP and reverse proxy server, as well as a mail proxy server, \
- written by Igor Sysoev. (Some module require SSL module enable to show up in \
+ written by Igor Sysoev.
 config menu)
 endef
 define Package/nginx
  $(Package/nginx/default)
  DEPENDS += +!NGINX_SSL:nginx-util +NGINX_SSL&&NGINX_PCRE:nginx-ssl-util \
 	+NGINX_SSL&&NGINX_NOPCRE:nginx-ssl-util-nopcre
  VARIANT:=no-ssl
 endef
 define Package/nginx-ssl
  $(Package/nginx/default)
  TITLE += with SSL support
  DEPENDS += +libopenssl +NGINX_PCRE:nginx-ssl-util \
 	+!NGINX_PCRE:nginx-ssl-util-nopcre
  VARIANT:=ssl
-  PROVIDES:=nginx
+  DEPENDS+= +NGINX_PCRE:libpcre \
 	+NGINX_PCRE:nginx-ssl-util +!NGINX_PCRE:nginx-ssl-util-nopcre \
 	+NGINX_HTTP_GZIP:zlib +NGINX_LUA:liblua +NGINX_DAV:libxml2 \
 	+NGINX_UBUS:libubus +NGINX_UBUS:libblobmsg-json +NGINX_UBUS:libjson-c
  EXTRA_DEPENDS:=nginx-ssl-util$(if $(CONFIG_NGINX_PCRE),,-nopcre) (>=1.5-1) (<2)
  CONFLICTS:=nginx-all-module
 endef
 Package/nginx-ssl/description = $(Package/nginx/description) \
@ -117,23 +110,16 @@ Package/nginx-ssl/description = $(Package/nginx/description) \
 define Package/nginx-all-module
  $(Package/nginx/default)
  TITLE += with ALL module selected
-  DEPENDS:=+libpcre +libopenssl +zlib +liblua +libpthread +libxml2 \
+  DEPENDS+=+libpcre +nginx-ssl-util +zlib +liblua +libxml2 +libubus \
-   +libubus +libblobmsg-json +libjson-c +nginx-ssl-util
+	+libblobmsg-json +libjson-c
  EXTRA_DEPENDS:=nginx-ssl-util (>=1.5-1) (<2)
  VARIANT:=all-module
-  PROVIDES:=nginx nginx-ssl
+  PROVIDES += nginx-ssl
 endef
 Package/nginx-all-module/description = $(Package/nginx/description) \
  This variant is compiled with ALL module selected.
 define Package/nginx/config
  source "$(SOURCE)/Config.in"
 config NGINX_NOPCRE
 	bool
 	default y if !NGINX_PCRE
 	default n if NGINX_PCRE
 endef
 define Package/nginx-ssl/config
  source "$(SOURCE)/Config_ssl.in"
 endef
@ -148,7 +134,7 @@ Package/nginx-ssl/conffiles = $(Package/nginx/conffiles)
 Package/nginx-all-module/conffiles = $(Package/nginx/conffiles)
-ADDITIONAL_MODULES:=
+ADDITIONAL_MODULES:= --with-http_ssl_module
 ifneq ($(BUILD_VARIANT),all-module)
  ifneq ($(CONFIG_NGINX_HTTP_CACHE),y)
@ -238,16 +224,6 @@ ifneq ($(BUILD_VARIANT),all-module)
  ifneq ($(CONFIG_NGINX_HTTP_UPSTREAM_KEEPALIVE),y)
    ADDITIONAL_MODULES += --without-http_upstream_keepalive_module
  endif
  ifeq ($(BUILD_VARIANT),ssl)
    ifneq ($(CONFIG_NGINX_SSL),y)
      ADDITIONAL_MODULES += --with-http_ssl_module
    endif
  endif
  ifeq ($(CONFIG_NGINX_SSL),y)
    ADDITIONAL_MODULES += --with-http_ssl_module
  endif
  ifeq ($(CONFIG_NGINX_NAXSI),y)
    ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src
  endif
@ -314,44 +290,36 @@ else
  CONFIG_NGINX_LUA:=y
  CONFIG_NGINX_DAV:=y
  CONFIG_NGINX_UBUS:=y
-  ADDITIONAL_MODULES += --with-http_ssl_module --add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src \
+  ADDITIONAL_MODULES += --with-ipv6 --with-http_stub_status_module --with-http_flv_module \
-    --add-module=$(PKG_BUILD_DIR)/lua-nginx --with-ipv6 --with-http_stub_status_module --with-http_flv_module \
+	--with-http_dav_module \
 	--with-http_dav_module --add-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module \
 	--with-http_auth_request_module --with-http_v2_module --with-http_realip_module \
-	--with-http_secure_link_module --with-http_sub_module --add-module=$(PKG_BUILD_DIR)/nginx-headers-more \
+	--with-http_secure_link_module --with-http_sub_module \
 	--with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
 	--add-module=$(PKG_BUILD_DIR)/nginx-headers-more \
 	--add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src \
 	--add-module=$(PKG_BUILD_DIR)/lua-nginx \
 	--add-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module \
 	--add-module=$(PKG_BUILD_DIR)/nginx-brotli --add-module=$(PKG_BUILD_DIR)/nginx-rtmp \
 	--add-module=$(PKG_BUILD_DIR)/nginx-ts --add-module=$(PKG_BUILD_DIR)/nginx-ubus-module
  config_files += koi-utf koi-win win-utf fastcgi_params uwsgi_params
 endif
-define Package/nginx-mod-luci/default
+define Package/nginx-mod-luci
  TITLE:=Nginx on LuCI
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=Web Servers/Proxies
  TITLE:=Support file for Nginx
  URL:=http://nginx.org/
-  DEPENDS:=+uwsgi +uwsgi-luci-support
+  DEPENDS:=+uwsgi +uwsgi-luci-support +nginx
-endef
+  # TODO: add PROVIDES when removing nginx-mod-luci-ssl
-
+  # PROVIDES:=nginx-mod-luci-ssl
 define Package/nginx-mod-luci
  $(Package/nginx-mod-luci/default)
  DEPENDS += +nginx
 endef
 define Package/nginx-mod-luci/description
 Support file for LuCI in nginx. Include custom nginx configuration, autostart script for uwsgi.
 endef
 define Package/nginx-mod-luci-ssl
  $(Package/nginx-mod-luci/default)
  TITLE += with HTTPS support
  DEPENDS += +nginx-ssl
 endef
 Package/nginx-mod-luci-ssl/description = $(define Package/nginx-mod-luci/description) \
  This also include redirect from http to https and cert autogeneration.
 TARGET_CFLAGS += -fvisibility=hidden -ffunction-sections -fdata-sections -DNGX_LUA_NO_BY_LUA_BLOCK
 TARGET_LDFLAGS += -Wl,--gc-sections
@ -387,15 +355,11 @@ define Package/nginx-mod-luci/install
 	$(INSTALL_BIN) ./files-luci-support/60_nginx-luci-support $(1)/etc/uci-defaults/60_nginx-luci-support
 endef
-Package/nginx-mod-luci-ssl/install = $(Package/nginx-mod-luci/install)
+define Package/nginx-ssl/install
 define Package/nginx/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/nginx $(1)/usr/sbin/
 	$(INSTALL_DIR) $(1)/etc/nginx/conf.d
 	$(INSTALL_DATA) $(addprefix $(PKG_INSTALL_DIR)/etc/nginx/,$(config_files)) $(1)/etc/nginx/
 	$(INSTALL_CONF) ./files/nginx.conf $(1)/etc/nginx/
 	$(INSTALL_CONF) ./files/_lan.conf $(1)/etc/nginx/conf.d/
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/nginx.init $(1)/etc/init.d/nginx
 ifeq ($(CONFIG_NGINX_NAXSI),y)
@ -405,20 +369,6 @@ ifeq ($(CONFIG_NGINX_NAXSI),y)
 endif
 	$(if $(CONFIG_NGINX_NAXSI),$($(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx))
 	$(if $(CONFIG_NGINX_NAXSI),$(chmod 0640 $(1)/etc/nginx/naxsi_core.rules))
 ifeq ($(CONFIG_NGINX_SSL),y)
 	$(INSTALL_CONF) ./files/_redirect2ssl.conf $(1)/etc/nginx/conf.d/
 endif
 ifneq ($(CONFIG_IPV6),y)
 	$(SED) '/listen\s*\[/d' $(1)/etc/nginx/conf.d/*.conf # without IPv6 [::]
 endif
 endef
 define Package/nginx-ssl/install
 	$(call Package/nginx/install, $(1))
 	$(INSTALL_CONF) ./files/_redirect2ssl.conf $(1)/etc/nginx/conf.d/
 ifneq ($(CONFIG_IPV6),y)
 	$(SED) '/listen\s*\[/d' $(1)/etc/nginx/conf.d/*.conf # without IPv6 [::]
 endif
 endef
 Package/nginx-all-module/install = $(Package/nginx-ssl/install)
@ -426,27 +376,14 @@ Package/nginx-all-module/install = $(Package/nginx-ssl/install)
 define Package/nginx-ssl/prerm
 #!/bin/sh
 [ -z "$${IPKG_INSTROOT}" ] || exit 0
-if [ "$${PKG_UPGRADE}" = "1" ]; then
+[ "$${PKG_UPGRADE}" = "1" ] && exit 0
-	eval $$(/usr/bin/nginx-util get_env)
+eval $$(/usr/bin/nginx-util get_env)
-	TMP_CRT=$$(mktemp -p "$${CONF_DIR}" "$${LAN_NAME}.crt.tmp-XXXXXX")
+[ "$$(uci get "nginx.$${LAN_NAME}.$${MANAGE_SSL}")" = "self-signed" ] || exit 0
-	ln -f "$${CONF_DIR}$${LAN_NAME}.crt" "$${TMP_CRT}"
+rm -f "$$(uci get "nginx.$${LAN_NAME}.ssl_certificate")"
-	TMP_KEY=$$(mktemp -p "$${CONF_DIR}" "$${LAN_NAME}.key.tmp-XXXXXX")
+rm -f "$$(uci get "nginx.$${LAN_NAME}.ssl_certificate_key")"
 	ln -f "$${CONF_DIR}$${LAN_NAME}.key" "$${TMP_KEY}"
 fi
 /usr/bin/nginx-util del_ssl
 [ -f "$${TMP_CRT}" ] &&
 rm -f "$${CONF_DIR}$${LAN_NAME}.crt" &&
 mv -f "$${TMP_CRT}" "$${CONF_DIR}$${LAN_NAME}.crt"
 [ -f "$${TMP_KEY}" ] &&
 rm -f "$${CONF_DIR}$${LAN_NAME}.key" &&
 mv -f "$${TMP_KEY}" "$${CONF_DIR}$${LAN_NAME}.key"
 exit 0
 endef
 ifeq ($(CONFIG_NGINX_SSL),y)
 Package/nginx/prerm = $(Package/nginx-ssl/prerm)
 endif
 Package/nginx-all-module/prerm = $(Package/nginx-ssl/prerm)
 define Build/Prepare
@ -591,11 +528,11 @@ endif
 ifeq ($(CONFIG_NGINX_UBUS),y)
  define Download/nginx-ubus-module
-    VERSION:=f30b0167a2cdb40f23bd90928d601bdb0c1b8fad
+    VERSION:=b2d7260dcb428b2fb65540edb28d7538602b4a26
    SUBDIR:=nginx-ubus-module
    FILE:=nginx-ubus-module-$$(VERSION).tar.xz
    URL:=https://github.com/Ansuel/nginx-ubus-module.git
-    MIRROR_HASH:=02c7d4b0df7f4b69605e71b0fefdc99b5a9470c68cad7ccfb31ebefe4e7e0704
+    MIRROR_HASH:=472cef416d25effcac66c85417ab6596e634a7a64d45b709bb090892d567553c
    PROTO:=git
  endef
  $(eval $(call Download,nginx-ubus-module))
@ -606,8 +543,34 @@ ifeq ($(CONFIG_NGINX_UBUS),y)
  endef
 endif
 $(eval $(call BuildPackage,nginx))
 $(eval $(call BuildPackage,nginx-ssl))
 $(eval $(call BuildPackage,nginx-all-module))
 $(eval $(call BuildPackage,nginx-mod-luci))
 # TODO: remove after a transition period (together with pkg nginx-util):
 # It is for smoothly substituting nginx and nginx-mod-luci-ssl (by nginx-ssl
 # respectively nginx-mod-luci). Add above commented PROVIDES when removing.
 define Package/nginx
  TITLE:=Dummy package for transition when upgrading.
  DEPENDS:=+nginx-ssl
  PKGARCH:=all
 endef
 define Package/nginx/install
 	$(INSTALL_DIR) $(1)/usr/bin
 endef
 $(eval $(call BuildPackage,nginx))
 define Package/nginx-mod-luci-ssl
  TITLE:=Dummy package for transition when upgrading.
  DEPENDS:=+nginx-mod-luci
  PKGARCH:=all
 endef
 define Package/nginx-mod-luci-ssl/install
 	$(INSTALL_DIR) $(1)/usr/bin
 endef
 $(eval $(call BuildPackage,nginx-mod-luci-ssl))
--- a/net/nginx/files-luci-support/60_nginx-luci-support
+++ b/net/nginx/files-luci-support/60_nginx-luci-support
@ -6,13 +6,16 @@ if nginx -V 2>&1 | grep -q ubus; then
 location /ubus {
        ubus_interpreter;
-        ubus_socket_path /var/run/ubus.sock;
+        ubus_socket_path /var/run/ubus/ubus.sock;
        ubus_parallel_req 2;
 }
 EOT
 	fi
 fi
 grep -q /var/run/ubus.sock /etc/nginx/conf.d/luci.locations &&
 	sed -i 's#/var/run/ubus.sock#/var/run/ubus/ubus.sock#' /etc/nginx/conf.d/luci.locations
 if [ -x /etc/init.d/uhttpd ]; then
        /etc/init.d/uhttpd disable
        if [ -n "$(pgrep uhttpd)" ]; then
--- a/net/nginx/files/README.sh
+++ b/net/nginx/files/README.sh
@ -1,327 +0,0 @@
 #!/bin/sh
 # This is a template copy it by: ./README.sh | xclip -selection c
 # to https://openwrt.org/docs/guide-user/services/webserver/nginx#configuration
 NGINX_UTIL="/usr/bin/nginx-util"
 EXAMPLE_COM="example.com"
 MSG="
 /* Created by the following bash script that includes the source of some files:
 * https://github.com/openwrt/packages/net/nginx/files/README.sh
 */"
 eval $("${NGINX_UTIL}" get_env)
 code() { printf "<file nginx %s>\n%s</file>" "$1" "$(cat "$(basename $1)")"; }
 ifConfEcho() { sed -nE "s/^\s*$1=\s*(\S*)\s*\\\\$/\n$2 \"\1\";/p" ../Makefile;}
 cat <<EOF
 ===== Configuration =====${MSG}
 The official Documentation contains a
 [[https://docs.nginx.com/nginx/admin-guide/|Admin Guide]].
 Here we will look at some often used configuration parts and how we handle them
 at OpenWrt.
 At different places there are references to the official
 [[https://docs.nginx.com/nginx/technical-specs/|Technical Specs]]
 for further reading.
 **tl;dr:** The main configuration is a minimal configuration enabling the
 ''${CONF_DIR}'' directory:
  * There is a ''${LAN_NAME}.conf'' containing a default server for the LAN, \
 which includes all ''*.locations''.
  * We can disable parts of the configuration by renaming them.
  * If we want to install other servers that are also reachable from the LAN, \
  we can include the ''${LAN_LISTEN}'' file (or ''${LAN_SSL_LISTEN}'' for \
  HTTPS servers).
  * If Nginx is installed with SSL support, we have a server \
 in ''_redirect2ssl.conf'' that redirects inexistent URLs to HTTPS, too.
  * We can create a self-signed certificate and add corresponding directives \
 to e.g. ''${EXAMPLE_COM}.conf'' by invoking \
 <code>$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} ${EXAMPLE_COM}</code>
 ==== Basic ====${MSG}
 We modify the configuration by creating different configuration files in the
 ''${CONF_DIR}'' directory.
 The configuration files use the file extensions ''.locations'' and
 ''.conf'' (plus ''.crt'' and ''.key'' for Nginx with SSL).
 We can disable single configuration parts by giving them another extension,
 e.g., by adding ''.disabled''.
 For the new configuration to take effect, we must reload it by:
 <code>service nginx reload</code>
 For OpenWrt we use a special initial configuration, which is explained below in
 the section [[#openwrt_s_defaults|OpenWrt’s Defaults]].
 So, we can make a site available at a specific URL in the **LAN** by creating a
 ''.locations'' file in the directory ''${CONF_DIR}''.
 Such a file consists just of some
 [[https://nginx.org/en/docs/http/ngx_http_core_module.html#location|
 location blocks]].
 Under the latter link, you can find also the official documentation for all
 available directives of the HTTP core of Nginx.
 Look for //location// in the Context list.
 The following example provides a simple template, see at the end for
 different [[#locations_for_apps|Locations for Apps]] and look for
 [[https://github.com/search?utf8=%E2%9C%93&q=repo%3Aopenwrt%2Fpackages
 +extension%3Alocations&type=Code&ref=advsearch&l=&l=|
 other packages using a .locations file]], too:
 <code nginx ${CONF_DIR}example.locations>
 location /ex/am/ple {
 	access_log off; # default: not logging accesses.
 	# access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout).
 	# error_log stderr; # default: logging to logd (init forwards stderr).
 	error_log /dev/null; # disable error logging after config file is read.
 	# (state path of a file for access_log/error_log to the file instead.)
 	index index.html;
 }
 # location /eg/static { … }
 </code>
 All location blocks in all ''.locations'' files must use different URLs,
 since they are all included in the ''${LAN_NAME}.conf'' that is part of the
 [[#openwrt_s_defaults|OpenWrt’s Defaults]].
 We reserve the ''location /'' for making LuCI available under the root URL,
 e.g. [[http://192.168.1.1/|192.168.1.1/]].
 All other sites shouldn’t use the root ''location /'' without suffix.
 We can make other sites available on the root URL of other domain names, e.g.
 on www.example.com/.
 In order to do that, we create a ''.conf'' file for every domain name:
 see the next section [[#new_server_parts|New Server Parts]].
 For Nginx with SSL we can also activate SSL there, as described below in the
 section [[#ssl_server_parts|SSL Server Parts]].
 We use such server parts also for publishing sites to the internet (WAN)
 instead of making them available just in the LAN.
 Via ''.conf'' files we can also add directives to the //http// part of the
 configuration. The difference to editing the main ''${NGINX_CONF}''
 file instead is the following: If the package’s ''nginx.conf'' file is updated
 it will only be installed if the old file has not been changed.
 ==== New Server Parts ====${MSG}
 For making the router reachable from the WAN at a registered domain name,
 it is not enough to give the name server the internet IP address of the router
 (maybe updated automatically by a
 [[docs:guide-user:services:ddns:client|DDNS Client]]).
 We also need to set up virtual hosting for this domain name by creating an
 appropriate server part in a ''${CONF_DIR}*.conf'' file.
 All such files are included at the start of Nginx by the default main
 configuration of OpenWrt ''${NGINX_CONF}'' as depicted in
 [[#openwrt_s_defaults|OpenWrt’s Defaults]].
 In the server part, we state the domain as
 [[https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name|
 server_name]].
 The link points to the same document as for the location blocks in the
 [[#basic|Basic Configuration]]: the official documentation for all available
 directives of the HTTP core of Nginx.
 This time look for //server// in the Context list, too.
 The server part should also contain similar location blocks as before.
 We can re-include a ''.locations'' file that is included in the server part for
 the LAN by default.
 Then the site is reachable under the same path at both domains, e.g., by
 http://192.168.1.1/ex/am/ple as well as by http://example.com/ex/am/ple.
 The [[#openwrt_s_defaults|OpenWrt’s Defaults]] include a ''${LAN_NAME}.conf''
 file containing a server part that listens on the LAN address(es) and acts as
 //default_server//.
 For making the domain name accessible in the LAN, too, the corresponding
 server part must listen **explicitly** on the local IP address(es), cf. the
 official documentation on
 [[https://nginx.org/en/docs/http/request_processing.html|request_processing]].
 We can include the file ''${LAN_LISTEN}'' that contains the listen
 directives for all LAN addresses on the HTTP port 80 and is automatically
 updated.
 The following example is a simple template, see
 [[https://github.com/search?q=repo%3Aopenwrt%2Fpackages
 +include+${LAN_LISTEN}+extension%3Aconf&type=Code|
 such server parts of other packages]], too:
 <code nginx ${CONF_DIR}${EXAMPLE_COM}.conf>
 server {
 	listen 80;
 	listen [::]:80;
 	include '${LAN_LISTEN}';
 	server_name ${EXAMPLE_COM};
 	# location / { … } # root location for this server.
 	include '${CONF_DIR}${EXAMPLE_COM}.locations';
 }
 </code>
 ==== SSL Server Parts ====${MSG}
 We can enable HTTPS for a domain if Nginx is installed with SSL support.
 We need a SSL certificate as well as its key and add them by the directives
 //ssl_certificate// respective //ssl_certificate_key// to the server part of the
 domain.
 The rest of the configuration is similar as described in the previous section
 [[#new_server_parts|New Server Parts]],
 we only have to adjust the listen directives by adding the //ssl// parameter,
 see the official documentation for
 [[https://nginx.org/en/docs/http/configuring_https_servers.html|
 configuring HTTPS servers]], too.
 For making the domain available also in the LAN, we can include the file
 ''${LAN_SSL_LISTEN}'' that contains the listen directives with ssl
 parameter for all LAN addresses on the HTTPS port 443 and is automatically
 updated.
 The official documentation of the SSL module contains an
 [[https://nginx.org/en/docs/http/ngx_http_ssl_module.html#example|
 example]],
 which includes some optimizations.
 The following template is extended similarly, see also
 [[https://github.com/search?q=repo%3Aopenwrt%2Fpackages
 +include+${LAN_SSL_LISTEN}+extension%3Aconf&type=Code|
 other packages providing SSL server parts]]:
 <code nginx ${CONF_DIR}${EXAMPLE_COM}>
 server {
 	listen 443 ssl;
 	listen [::]:443 ssl;
 	include '${LAN_SSL_LISTEN}';
 	server_name ${EXAMPLE_COM};
 	ssl_certificate '${CONF_DIR}${EXAMPLE_COM}.crt';
 	ssl_certificate_key '${CONF_DIR}${EXAMPLE_COM}.key';
 	ssl_session_cache ${SSL_SESSION_CACHE_ARG};
 	ssl_session_timeout ${SSL_SESSION_TIMEOUT_ARG};
 	# location / { … } # root location for this server.
 	include '${CONF_DIR}${EXAMPLE_COM}.locations';
 }
 </code>
 For creating a certificate (and its key) we can use Let’s Encrypt by installing
 [[https://github.com/Neilpang/acme.sh|ACME Shell Script]]:
 <code>opkg update && opkg install acme # and for LuCI: luci-app-acme</code>
 For the LAN server in the ''${LAN_NAME}.conf'' file, the init script
 ''/etc/init.d/nginx'' script installs automatically a self-signed certificate.
 We can use this mechanism also for other sites by issuing, e.g.:
 <code>$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} ${EXAMPLE_COM}</code>
  - It adds SSL directives to the server part of \
    ''${CONF_DIR}${EXAMPLE_COM}.conf'' like in the example above.
  - Then, it checks if there is a certificate and key for the given domain name\
    that is valid for at least 13 months or tries to create a self-signed one.
  - When cron is activated, it installs a cron job for renewing the self-signed\
    certificate every year if needed, too. We can activate cron by: \
    <code>service cron enable && service cron start</code>
 Beside the ''${LAN_NAME}.conf'' file, the
 [[#openwrt_s_defaults|OpenWrt’s Defaults]] include also the
 ''_redirect2ssl.conf'' file containing a server part that redirects all HTTP
 request for inexistent URIs to HTTPS.
 ==== OpenWrt’s Defaults ====${MSG}
 The default main configuration file is:
 $(code ${NGINX_CONF})
 We can pretend the main configuration contains also the following presets,
 since Nginx is configured with them:
 <code nginx>$(ifConfEcho --pid-path pid)\
 $(ifConfEcho --lock-path lock_file)\
 $(ifConfEcho --error-log-path error_log)\
 $(false && ifConfEcho --http-log-path access_log)\
 $(ifConfEcho --http-proxy-temp-path proxy_temp_path)\
 $(ifConfEcho --http-client-body-temp-path client_body_temp_path)\
 $(ifConfEcho --http-fastcgi-temp-path fastcgi_temp_path)\
 </code>
 So, the access log is turned off by default and we can look at the error log
 by ''logread'', as Nginx’s init file forwards stderr and stdout to the
 [[docs:guide-user:base-system:log.essentials|logd]].
 We can set the //error_log// and //access_log// to files where the log
 messages are forwarded to instead (after the configuration is read).
 And for redirecting the access log of a //server// or //location// to the logd,
 too, we insert the following directive in the corresponding block:
 <code nginx>
 	access_log /proc/self/fd/1 openwrt;
 </code>
 At the end, the main configuration pulls in all ''.conf'' files from the
 directory ''${CONF_DIR}'' into the http block, especially the following
 server part for the LAN:
 $(code ${CONF_DIR}${LAN_NAME}.conf)
 It pulls in all ''.locations'' files from the directory ''${CONF_DIR}''.
 We can install the location parts of different sites there (see above in the
 [[#basic|Basic Configuration]]) and re-include them in server parts  of other
 ''${CONF_DIR}*.conf'' files.
 This is needed especially for making them available to the WAN as described
 above in the section [[#new_server_parts|New Server Parts]].
 All ''.locations'' become available on the LAN through the file
 ''$(basename ${LAN_LISTEN}).default'', which contains one of the following
 directives for every local IP address:
 <code nginx>
 	listen IPv4:80 default_server;
 	listen [IPv6]:80 default_server;
 </code>
 The ''${LAN_LISTEN}'' file contains the same directives without the
 parameter ''default_server''.
 We can include this file in other server parts that should be reachable in the
 LAN through their //server_name//.
 Both files ''${LAN_LISTEN}{,.default}'' are (re-)created if Nginx starts
 through its init for OpenWrt or the LAN interface changes.
 === Additional Defaults for OpenWrt if Nginx is installed with SSL support ===
 When Nginx is installed with SSL support, there will be automatically managed
 files ''$(basename ${LAN_SSL_LISTEN}).default'' and
 ''$(basename ${LAN_SSL_LISTEN})'' in the directory
 ''$(dirname ${LAN_SSL_LISTEN})/'' containing the following directives for all
 IPv4 and IPv6 addresses of the LAN:
 <code nginx>
 	listen IP:443 ssl; # with respectively without: default_server
 </code>
 Both files as well as the ''${LAN_LISTEN}{,.default}'' files are (re-)created
 if Nginx starts through its init for OpenWrt or the LAN interface changes.
 For Nginx with SSL there is also the following server part that redirects
 requests for an inexistent ''server_name'' from HTTP to HTTPS (using an invalid
 name, more in the official documentation on
 [[https://nginx.org/en/docs/http/request_processing.html|request_processing]]):
 $(code ${CONF_DIR}_redirect2ssl.conf)
 Nginx’s init file for OpenWrt installs automatically a self-signed certificate
 for the LAN server part if needed and possible:
  - Everytime Nginx starts, we check if the LAN is set up for SSL.
  - We add //ssl*// directives (like in the example of the previous section \
    [[#ssl_server_parts|SSL Server Parts]]) to the configuration file \
    ''${CONF_DIR}${LAN_NAME}.conf'' if needed and if it looks “normal”, i.e., \
    it has a ''server_name ${LAN_NAME};'' part.
  - If there is no corresponding certificate that is valid for more than 13 \
    months at ''${CONF_DIR}${LAN_NAME}.{crt,key}'', we create a self-signed one.
  - We activate SSL by including the ssl listen directives from \
    ''${LAN_SSL_LISTEN}.default'' and it becomes available by the default \
    redirect from ''listen *:80;'' in ''${CONF_DIR}_redirect2ssl.conf''
  - If cron is available, i.e., its status is not ''inactive'', we use it \
    to check the certificate for validity once a year and renew it if there \
    are only about 13 months of the more than 3 years life time left.
 The points 2, 3 and 5 can be used for other domains, too:
 As described in the section [[#new_server_parts|New Server Parts]] above, we
 create a server part in ''${CONF_DIR}www.example.com.conf'' with
 a corresponding ''server_name www.example.com;'' directive and call
 <code>$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} www.example.com</code>
 EOF
--- a/net/nginx/files/_lan.conf
+++ b/net/nginx/files/_lan.conf
@ -1,8 +0,0 @@
 # default_server for the LAN addresses getting the IPs by:
 # ifstatus lan | jsonfilter -e '@["ipv4-address","ipv6-address"].*.address'
 server {
 	include '/var/lib/nginx/lan.listen.default';
 	server_name _lan;
 	# access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout).
 	include conf.d/*.locations;
 }
--- a/net/nginx/files/_redirect2ssl.conf
+++ b/net/nginx/files/_redirect2ssl.conf
@ -1,8 +0,0 @@
 # acts as default server if there is no other.
 server {
 	listen 80;
 	listen [::]:80;
 	include '/var/lib/nginx/lan.listen';
 	server_name _redirect2ssl;
 	return 302 https://$host$request_uri;
 }
--- a/net/nginx/files/nginx.conf
+++ b/net/nginx/files/nginx.conf
@ -1,30 +0,0 @@
 # Please consider creating files in /etc/nginx/conf.d/ instead of editing this.
 # For details see https://openwrt.org/docs/guide-user/services/webserver/nginx
 worker_processes auto;
 user root;
 events {}
 http {
 	access_log off;
 	log_format openwrt
 		'$request_method $scheme://$host$request_uri => $status'
 		' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';
 	include mime.types;
 	default_type application/octet-stream;
 	sendfile on;
 	client_max_body_size 128M;
 	large_client_header_buffers 2 1k;
 	gzip on;
 	gzip_vary on;
 	gzip_proxied any;
 	root /www;
 	include conf.d/*.conf;
 }
--- a/net/nginx/files/nginx.init
+++ b/net/nginx/files/nginx.init
@ -5,54 +5,69 @@ START=80
 USE_PROCD=1
 G_OPTS="daemon off;"
 NGINX_UTIL="/usr/bin/nginx-util"
 eval $("${NGINX_UTIL}" get_env)
-start_service() {
+CONF=""
 nginx_init() {
 	[ -z "${CONF}" ] || return # already called.
 	[ -d /var/log/nginx ] || mkdir -p /var/log/nginx
 	[ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx
 	rm -f "$(readlink "${UCI_CONF}")"
 	${NGINX_UTIL} init_lan
 	if [ -e "${UCI_CONF}" ]
 	then CONF="${UCI_CONF}"
 	else CONF="${NGINX_CONF}"
 	fi
 	local message
 	message="$(/usr/sbin/nginx -t -c "${CONF}" -g "${G_OPTS}" 2>&1)" ||
 	{
 		echo -e "${message}" | logger -t "nginx_init" -p "daemon.err"
 		logger -s -t "nginx_init" -p "daemon.err" "NOT using conf file!"
 		echo "show config to be used by: nginx -T -c '${CONF}'" >&2
 		exit 1
 	}
 	logger -t "nginx_init" -p "daemon.info" "using ${CONF} (the test is ok)"
 }
 start_service() {
 	nginx_init
 	procd_open_instance
-	procd_set_param command /usr/sbin/nginx -c "${NGINX_CONF}" \
+	procd_set_param command /usr/sbin/nginx -c "${CONF}" -g "${G_OPTS}"
 		-g "daemon off;"
 	procd_set_param stdout 1
 	procd_set_param stderr 1
-	procd_set_param file "${LAN_LISTEN}" "${LAN_LISTEN}.default" \
+	procd_set_param file "${CONF}" "${CONF_DIR}*.crt" "${CONF_DIR}*.key" \
-		"${NGINX_CONF}" "${CONF_DIR}*.conf" "${CONF_DIR}*.locations"
+		"${CONF_DIR}*.conf" "${CONF_DIR}*.locations"
 	[ "${LAN_SSL_LISTEN}" == "" ] \
 	|| procd_append_param file "${CONF_DIR}*.crt" "${CONF_DIR}*.key" \
 		"${LAN_SSL_LISTEN}" "${LAN_SSL_LISTEN}.default"
 	procd_set_param respawn
 	procd_close_instance
 }
 stop_service() {
 	rm -f "${LAN_LISTEN}" "${LAN_LISTEN}.default"
 	[ "${LAN_SSL_LISTEN}" == "" ] \
 	|| rm -f "${LAN_SSL_LISTEN}" "${LAN_SSL_LISTEN}.default"
 }
 service_triggers() {
 	procd_add_reload_interface_trigger loopback
 	procd_add_reload_interface_trigger lan
 }
 reload_service() {
-	[ -d /var/log/nginx ] || mkdir -p /var/log/nginx
+	nginx_init
 	[ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx
-	${NGINX_UTIL} init_lan
+	if [ "$(cat "/proc/$(cat "/var/run/nginx.pid")/cmdline")" = \
-
+	     "nginx: master process /usr/sbin/nginx -c ${CONF} -g ${G_OPTS}" ]
-	procd_send_signal nginx
+	then procd_send_signal nginx
 	else restart
 	fi
 }
 extra_command "relog" "Reopen log files (without reloading)"
 relog() {
 	[ -d /var/log/nginx ] || mkdir -p /var/log/nginx
 	procd_send_signal nginx '*' USR1
 }
 EXTRA_COMMANDS="relog"
 EXTRA_HELP="	relog	Reopen log files (without reloading)"