diff --git a/.SRCINFO b/.SRCINFO
index 33d880f..14204d6 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,54 +1,40 @@ -# Generated by mksrcinfo v8 -# Sun Apr 24 05:51:34 UTC 2016 pkgbase = nginx-mainline-boringssl - pkgdesc = lightweight HTTP server, statically linked against BoringSSL. - pkgver = 1.9.15 + pkgdesc = Lightweight HTTP server and IMAP/POP3 proxy server, mainline release + pkgver = 1.11.10 pkgrel = 1 - url = http://nginx.org + url = https://nginx.org + install = nginx.install arch = i686 arch = x86_64 license = custom - makedepends = libxslt - makedepends = gd - makedepends = git - makedepends = cmake + makedepends = hardening-wrapper depends = pcre depends = zlib - depends = pam - depends = gd - depends = hardening-wrapper - depends = libxslt - depends = go + depends = openssl + depends = geoip provides = nginx conflicts = nginx - conflicts = nginx-libressl - conflicts = nginx-unstable - conflicts = nginx-svn - conflicts = nginx-devel - conflicts = nginx-custom-dev - conflicts = nginx-full - backup = etc/nginx/nginx.conf - backup = etc/nginx/koi-win - backup = etc/nginx/koi-utf - backup = etc/nginx/win-utf - backup = etc/nginx/mime.types backup = etc/nginx/fastcgi.conf backup = etc/nginx/fastcgi_params + backup = etc/nginx/koi-win + backup = etc/nginx/koi-utf + backup = etc/nginx/mime.types + backup = etc/nginx/nginx.conf backup = etc/nginx/scgi_params backup = etc/nginx/uwsgi_params + backup = etc/nginx/win-utf backup = etc/logrotate.d/nginx - source = nginx.conf - source = nginx.logrotate - source = nginx.service - source = http://nginx.org/download/nginx-1.9.15.tar.gz - source = openssl.patch + source = https://nginx.org/download/nginx-1.11.10.tar.gz + source = https://nginx.org/download/nginx-1.11.10.tar.gz.asc source = git+https://boringssl.googlesource.com/boringssl - sha256sums = 8d8e314da10411b29157066ea313fc080a145d2075df0c99a1d500ffc7e8b7d1 - sha256sums = adcf6507abb2d4edbc50bd92f498ba297927eed0460d71633df94f79637aa786 - sha256sums = 225228970d779e1403ba4314e3cd8d0d7d16f8c6d48d7a22f8384db040eb0bdf - sha256sums = 
cc89b277cc03f403c0b746d60aa5943cdecf59ae48278f8cb7e2df0cbdb6dac3 - sha256sums = dc1ea1a0323759d49a7dc2c6173811bda319c36aa4a14b775d6f589fe9c6a4c2 - sha256sums = SKIP + source = service + source = logrotate + validpgpkeys = B0F4253373F8F6F510D42178520A9993A1C052F8 + md5sums = 6fb10f579055d27a2240d51c7d85c190 + md5sums = SKIP + md5sums = SKIP + md5sums = ce9a06bcaf66ec4a3c4eb59b636e0dfd + md5sums = d6a6d4d819f03a675bacdfabd25aa37e pkgname = nginx-mainline-boringssl
diff --git a/PKGBUILD b/PKGBUILD
index a1fa269..8984bfa 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,120 +1,139 @@ -#base on aur/nginx-mainline-libressl - -_pkgname="nginx" -_user="www" -_group="www" -_doc_root="/usr/share/${_pkgname}/http" -_sysconf_path="etc" -_conf_path="${_sysconf_path}/${_pkgname}" -_tmp_path="/var/spool/${_pkgname}" -_pid_path="/run" -_lock_path="/var/lock" -_log_path="/var/log/${_pkgname}" - +# $Id: PKGBUILD 289024 2017-02-15 21:13:17Z bpiotrowski $ +# Maintainer: Bartłomiej Piotrowski +# Contributor: Sébastien Luttringer +# Contributor: Drew DeVault +# Contributor: Kasei Wang pkgname=nginx-mainline-boringssl -pkgver=1.9.15 +pkgver=1.11.10 pkgrel=1 -pkgdesc="lightweight HTTP server, statically linked against BoringSSL." +pkgdesc='Lightweight HTTP server and IMAP/POP3 proxy server, mainline release' arch=('i686' 'x86_64') - -depends=('pcre' 'zlib' 'pam' 'gd' 'hardening-wrapper' 'libxslt' 'go') -makedepends=( - 'libxslt' - 'gd' - 'git' - 'cmake' -) - -url="http://nginx.org" +url='https://nginx.org' license=('custom') -conflicts=('nginx' 'nginx-libressl' 'nginx-unstable' 'nginx-svn' 'nginx-devel' 'nginx-custom-dev' 'nginx-full') +depends=('pcre' 'zlib' 'openssl' 'geoip') +makedepends=('hardening-wrapper') +backup=('etc/nginx/fastcgi.conf' + 'etc/nginx/fastcgi_params' + 'etc/nginx/koi-win' + 'etc/nginx/koi-utf' + 'etc/nginx/mime.types' + 'etc/nginx/nginx.conf' + 'etc/nginx/scgi_params' + 'etc/nginx/uwsgi_params' + 'etc/nginx/win-utf' + 'etc/logrotate.d/nginx') +install=nginx.install provides=('nginx') -backup=("${_conf_path}/nginx.conf" - "${_conf_path}/koi-win" - "${_conf_path}/koi-utf" - "${_conf_path}/win-utf" - "${_conf_path}/mime.types" - "${_conf_path}/fastcgi.conf" - "${_conf_path}/fastcgi_params" - "${_conf_path}/scgi_params" - "${_conf_path}/uwsgi_params" - "etc/logrotate.d/nginx") +conflicts=('nginx') +source=($url/download/nginx-$pkgver.tar.gz{,.asc} + "git+https://boringssl.googlesource.com/boringssl" + "service" + "logrotate") +validpgpkeys=('B0F4253373F8F6F510D42178520A9993A1C052F8') # Maxim Dounin 
+md5sums=('6fb10f579055d27a2240d51c7d85c190' + 'SKIP' + 'SKIP' + 'ce9a06bcaf66ec4a3c4eb59b636e0dfd' + 'd6a6d4d819f03a675bacdfabd25aa37e') -source=( "nginx.conf" - "nginx.logrotate" - "nginx.service" - "http://nginx.org/download/nginx-$pkgver.tar.gz" - "openssl.patch" - "git+https://boringssl.googlesource.com/boringssl" +_common_flags=( + --with-pcre-jit + --with-file-aio + --with-http_addition_module + --with-http_auth_request_module + --with-http_dav_module + --with-http_degradation_module + --with-http_flv_module + --with-http_geoip_module + --with-http_gunzip_module + --with-http_gzip_static_module + --with-http_mp4_module + --with-http_realip_module + --with-http_secure_link_module + --with-http_slice_module + --with-http_ssl_module + --with-http_stub_status_module + --with-http_sub_module + --with-http_v2_module + --with-mail + --with-mail_ssl_module + --with-stream + --with-stream_ssl_module + --with-threads ) -sha256sums=('8d8e314da10411b29157066ea313fc080a145d2075df0c99a1d500ffc7e8b7d1' - 'adcf6507abb2d4edbc50bd92f498ba297927eed0460d71633df94f79637aa786' - '225228970d779e1403ba4314e3cd8d0d7d16f8c6d48d7a22f8384db040eb0bdf' - 'cc89b277cc03f403c0b746d60aa5943cdecf59ae48278f8cb7e2df0cbdb6dac3' - 'dc1ea1a0323759d49a7dc2c6173811bda319c36aa4a14b775d6f589fe9c6a4c2' - 'SKIP') +_mainline_flags=( + --with-stream_ssl_preread_module + --with-stream_geoip_module + --with-stream_realip_module +) build() { - local _src_dir="${srcdir}/${_pkgname}-${pkgver}" + export CXXFLAGS="$CXXFLAGS -fPIC" - export CFLAGS="-Wno-error -fPIC" - cd ${srcdir}/boringssl - mkdir build && cd build && cmake ../ && make && cd ${srcdir}/boringssl - mkdir -p .openssl/lib && cd .openssl && ln -s ../include . && cd ../ - cp ${srcdir}/boringssl/build/crypto/libcrypto.a ${srcdir}/boringssl/build/ssl/libssl.a .openssl/lib && cd .. + cd ${srcdir}/boringssl + mkdir build && cd build && cmake ../ && make && cd ${srcdir}/boringssl + mkdir -p .openssl/lib && cd .openssl && ln -s ../include . 
&& cd ../ + cp ${srcdir}/boringssl/build/crypto/libcrypto.a ${srcdir}/boringssl/build/ssl/libssl.a .openssl/lib && cd .. - cd $_src_dir + cd ${srcdir}/$provides-$pkgver + ./configure \ + --prefix=/etc/nginx \ + --conf-path=/etc/nginx/nginx.conf \ + --sbin-path=/usr/bin/nginx \ + --pid-path=/run/nginx.pid \ + --lock-path=/run/lock/nginx.lock \ + --user=http \ + --group=http \ + --http-log-path=/var/log/nginx/access.log \ + --error-log-path=stderr \ + --http-client-body-temp-path=/var/lib/nginx/client-body \ + --http-proxy-temp-path=/var/lib/nginx/proxy \ + --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ + --http-scgi-temp-path=/var/lib/nginx/scgi \ + --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \ + --with-openssl=${srcdir}/boringssl \ + ${_common_flags[@]} \ + ${_mainline_flags[@]} - ./configure \ - --prefix="/${_conf_path}" \ - --conf-path="/${_conf_path}/nginx.conf" \ - --sbin-path="/usr/bin/${_pkgname}" \ - --pid-path="${_pid_path}/${_pkgname}.pid" \ - --lock-path=${_pid_path}/${_pkgname}.lock \ - --http-client-body-temp-path=${_tmp_path}/client_body_temp \ - --http-proxy-temp-path=${_tmp_path}/proxy_temp \ - --http-fastcgi-temp-path=${_tmp_path}/fastcgi_temp \ - --http-uwsgi-temp-path=${_tmp_path}/uwsgi_temp \ - --http-scgi-temp-path=${_tmp_path}scgi_temp \ - --http-log-path=${_log_path}/access.log \ - --error-log-path=${_log_path}/error.log \ - --user=${_user} \ - --group=${_group} \ - --with-ipv6 \ - --with-openssl=../boringssl \ - --with-threads \ - --with-http_ssl_module \ - --with-http_gzip_static_module \ - --with-http_realip_module \ - --with-http_v2_module \ - --with-file-aio \ - --with-pcre-jit \ - --with-stream - - touch ${srcdir}/boringssl/.openssl/include/openssl/ssl.h - patch -p0 < ../openssl.patch - - make + touch ${srcdir}/boringssl/.openssl/include/openssl/ssl.h + make } package() { - cd "${srcdir}/${_pkgname}-${pkgver}" - make DESTDIR="$pkgdir/" install + cd $provides-$pkgver + make DESTDIR="$pkgdir" install - sed -i -e "s/\ 
"$pkgdir"/usr/share/man/man8/nginx.8.gz + + for i in ftdetect indent syntax; do + install -Dm644 contrib/vim/${i}/nginx.vim \ + "${pkgdir}/usr/share/vim/vimfiles/${i}/nginx.vim" + done } + +# vim:set ts=2 sw=2 et:
diff --git a/logrotate b/logrotate
new file mode 100644
index 0000000..6fcf558
--- /dev/null
+++ b/logrotate
@@ -0,0 +1,10 @@
+/var/log/nginx/*log {
+ missingok
+ notifempty
+ create 640 http log
+ sharedscripts
+ compress
+ postrotate
+ test ! -r /var/run/nginx.pid || kill -USR1 `cat /var/run/nginx.pid`
+ endscript
+}
diff --git a/nginx.install b/nginx.install
new file mode 100644
index 0000000..90d24a5
--- /dev/null
+++ b/nginx.install
@@ -0,0 +1,12 @@
+post_upgrade() {
+ if (( $(vercmp $2 1.11.8-2) < 0)); then
+ chown root:root var/log/nginx
+ fi
+
+ if (( $(vercmp $2 1.11.9-2) < 0 )); then
+ chmod 755 var/log/nginx
+ echo ':: Security notice:'
+ echo ' - When additional log directories are used in /var/log/nginx make sure they'
+ echo ' are owned by root:root and have 755 set as permission to mitigate CVE-2016-1247'
+ fi
+}
diff --git a/nginx.logrotate b/nginx.logrotate
deleted file mode 100644
index e4dddfc..0000000
--- a/nginx.logrotate
+++ /dev/null
@@ -1,8 +0,0 @@
- /var/log/nginx/*log {
- daily
- create 640 http log
- compress
- postrotate
- [ ! -f /run/nginx.pid ] || kill -USR1 `cat /run/nginx.pid`
- endscript
- }
diff --git a/nginx.service b/nginx.service
deleted file mode 100644
index c237fd3..0000000
--- a/nginx.service
+++ /dev/null
@@ -1,18 +0,0 @@
-[Unit]
-Description=A high performance web server and a reverse proxy server
-After=network.target
-
-[Service]
-Type=forking
-PIDFile=/run/nginx.pid
-PrivateDevices=yes
-SyslogLevel=err
-
-ExecStartPre=/usr/bin/nginx -t -q -g 'pid /run/nginx.pid; error_log stderr;'
-ExecStart=/usr/bin/nginx -g 'pid /run/nginx.pid; error_log stderr;'
-ExecReload=/usr/bin/kill -HUP $MAINPID
-KillSignal=SIGQUIT
-KillMode=mixed
-
-[Install]
-WantedBy=multi-user.target
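Review bot: The new `md5sums=(...)` array in PKGBUILD replaces the previous `sha256sums`, and the BoringSSL entry stays `'SKIP'` on an unpinned `git+https://boringssl.googlesource.com/boringssl` source, so the statically linked TLS library is whatever HEAD is at build time and the local `service` and `logrotate` files are covered only by MD5. The nginx tarball is still protected by its `.asc` signature and `validpgpkeys`, but I would keep `sha256sums=(...)` and pin the git source with a `#commit=<BORINGSSL_COMMIT>` fragment (placeholder; use a reviewed commit). Separately, `makedepends=('hardening-wrapper')` no longer lists `git` or `cmake` (nor `go`, previously in `depends`) although `build()` still runs `cmake ../` on the git checkout, which will likely fail in a clean chroot; `makedepends=('hardening-wrapper' 'git' 'cmake' 'go')` restores them. `depends` now adds `openssl` even though `--with-openssl=${srcdir}/boringssl` links BoringSSL statically, which looks unintended.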
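Review bot: The `postrotate` line in the new `logrotate` file reads `/var/run/nginx.pid` while the unit file and `--pid-path` in this commit use `/run/nginx.pid`; it works only through the `/var/run` symlink, so `test ! -r /run/nginx.pid || kill -USR1 $(cat /run/nginx.pid)` would be consistent. `create 640 http log` leaves the log files owned by the worker user, which appears safe only while `/var/log/nginx` itself stays root-owned and not writable by `http` (the condition `nginx.install` enforces for CVE-2016-1247); a `#` comment above that line saying so would help the next maintainer. The removed `daily` directive means the rotation interval now comes from the global logrotate configuration.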
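Review bot: The `chown root:root` / `chmod 755` mitigation in `nginx.install` runs only from `post_upgrade()` and only on `var/log/nginx` itself, so a fresh install depends entirely on the directory mode set in `package()` (not fully visible in this diff), and any subdirectories are left to the printed notice. `$2` is unquoted in both `vercmp` calls; `$(vercmp "$2" 1.11.8-2)` is safer. The thresholds `1.11.8-2` and `1.11.9-2` seem to come from a different package's release history, since this package moves from 1.9.15, so a short comment explaining them would help.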
diff --git a/openssl.patch b/openssl.patch
deleted file mode 100644
index 3dad007..0000000
--- a/openssl.patch
+++ /dev/null
@@ -1,16 +0,0 @@
---- src/event/ngx_event_openssl.c 2016-01-10 02:38:56.405000000 +0000
-+++ src/event/ngx_event_openssl.c.mod 2016-01-10 02:40:10.388000000 +0000
-@@ -1909,13 +1909,11 @@
-
- /* handshake failures */
- if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */
-- || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */
- || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */
- || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */
- || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */
- || n == SSL_R_LENGTH_MISMATCH /* 159 */
- || n == SSL_R_NO_CIPHERS_PASSED /* 182 */
-- || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */
- || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */
- || n == SSL_R_NO_SHARED_CIPHER /* 193 */
- || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
diff --git a/service b/service
new file mode 100644
index 0000000..29d3aa8
--- /dev/null
+++ b/service
@@ -0,0 +1,14 @@
+[Unit]
+Description=A high performance web server and a reverse proxy server
+After=syslog.target network.target
+
+[Service]
+Type=forking
+PIDFile=/run/nginx.pid
+ExecStartPre=/usr/bin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
+ExecStart=/usr/bin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;'
+ExecReload=/usr/bin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;' -s reload
+ExecStop=/usr/bin/nginx -g 'pid /run/nginx.pid;' -s quit
+
+[Install]
+WantedBy=multi-user.target
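Review bot: The new `service` unit drops the `PrivateDevices=yes` line that the deleted `nginx.service` carried and adds no other sandboxing under `[Service]`, so the daemon loses its only systemd hardening setting in this commit. I would keep `PrivateDevices=yes` unless there is a known reason to remove it, and say why in the commit message if there is. `After=syslog.target network.target` can be reduced to `After=network.target`, since `syslog.target` is obsolete in current systemd.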