
From: Thomas Deutschmann <whissi@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: www-servers/nginx/, www-servers/nginx/files/
Date: Tue, 24 Oct 2017 18:53:27
Message-Id: 1508871194.808d03f69901c05159d8baf470d9a6ec3d65d8cc.whissi@gentoo
1 commit: 808d03f69901c05159d8baf470d9a6ec3d65d8cc
2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3 AuthorDate: Tue Oct 24 18:52:35 2017 +0000
4 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5 CommitDate: Tue Oct 24 18:53:14 2017 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=808d03f6
7
8 www-servers/nginx: Rev bump to fix http_cache_purge module
9
10 Closes: https://bugs.gentoo.org/635330
11 Package-Manager: Portage-2.3.11, Repoman-2.3.3
12
13 .../nginx/files/http_cache_purge-1.11.6+.patch | 22 +
14 www-servers/nginx/nginx-1.12.2-r1.ebuild | 1005 +++++++++++++++++++
15 www-servers/nginx/nginx-1.13.6-r1.ebuild | 1006 ++++++++++++++++++++
16 3 files changed, 2033 insertions(+)
17
18 diff --git a/www-servers/nginx/files/http_cache_purge-1.11.6+.patch b/www-servers/nginx/files/http_cache_purge-1.11.6+.patch
19 new file mode 100644
20 index 00000000000..c4596bf97ad
21 --- /dev/null
22 +++ b/www-servers/nginx/files/http_cache_purge-1.11.6+.patch
23 @@ -0,0 +1,22 @@
24 +Fix compatibility with nginx-1.11.6+
25 +
26 +https://github.com/FRiCKLE/ngx_cache_purge/pull/51
27 +
28 +---
29 + ngx_cache_purge_module.c | 4 ++++
30 + 1 file changed, 4 insertions(+)
31 +
32 +--- a/ngx_cache_purge_module.c
33 ++++ b/ngx_cache_purge_module.c
34 +@@ -492,7 +492,11 @@ typedef struct {
35 + ngx_str_t body_source;
36 + # endif /* nginx_version < 1007008 */
37 +
38 ++# if (nginx_version >= 1011006)
39 ++ ngx_http_complex_value_t *method;
40 ++# else
41 + ngx_str_t method;
42 ++# endif /* nginx_version >= 1011006 */
43 + ngx_str_t location;
44 + ngx_str_t url;
45 +
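Review bot: The new `# if (nginx_version >= 1011006)` branch replaces an `ngx_str_t` member with a pointer, which changes the size of `method` and so shifts every member declared after it (`location`, `url`, ...), yet nothing in the patch explains why that matters. The version guards suggest this typedef is the module's private copy of an nginx-internal configuration struct; the struct's opening and closing lines are outside the hunk, so this is an inference. If so, building against an nginx whose layout does not match the chosen branch would make the module read the following fields at the wrong offsets. I would add a comment above the guard, for example `/* must mirror nginx's own struct: method is a complex-value pointer since 1.11.6 */`. The patch header cites only a pull-request URL; recording the upstream commit id beside it would let the carried copy be checked against what was actually merged.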
46
47 diff --git a/www-servers/nginx/nginx-1.12.2-r1.ebuild b/www-servers/nginx/nginx-1.12.2-r1.ebuild
48 new file mode 100644
49 index 00000000000..fdf52f005cc
50 --- /dev/null
51 +++ b/www-servers/nginx/nginx-1.12.2-r1.ebuild
52 @@ -0,0 +1,1005 @@
53 +# Copyright 1999-2017 Gentoo Foundation
54 +# Distributed under the terms of the GNU General Public License v2
55 +
56 +EAPI="6"
57 +
58 +# Maintainer notes:
59 +# - http_rewrite-independent pcre-support makes sense for matching locations without an actual rewrite
60 +# - any http-module activates the main http-functionality and overrides USE=-http
61 +# - keep the following requirements in mind before adding external modules:
62 +# * alive upstream
63 +# * sane packaging
64 +# * builds cleanly
65 +# * does not need a patch for nginx core
66 +# - TODO: test the google-perftools module (included in vanilla tarball)
67 +
68 +# prevent perl-module from adding automagic perl DEPENDs
69 +GENTOO_DEPEND_ON_PERL="no"
70 +
71 +# devel_kit (https://github.com/simpl/ngx_devel_kit, BSD license)
72 +DEVEL_KIT_MODULE_PV="0.3.0"
73 +DEVEL_KIT_MODULE_P="ngx_devel_kit-${DEVEL_KIT_MODULE_PV}-r1"
74 +DEVEL_KIT_MODULE_URI="https://github.com/simpl/ngx_devel_kit/archive/v${DEVEL_KIT_MODULE_PV}.tar.gz"
75 +DEVEL_KIT_MODULE_WD="${WORKDIR}/ngx_devel_kit-${DEVEL_KIT_MODULE_PV}"
76 +
77 +# http_uploadprogress (https://github.com/masterzen/nginx-upload-progress-module, BSD-2 license)
78 +HTTP_UPLOAD_PROGRESS_MODULE_PV="0.9.2"
79 +HTTP_UPLOAD_PROGRESS_MODULE_P="ngx_http_upload_progress-${HTTP_UPLOAD_PROGRESS_MODULE_PV}-r1"
80 +HTTP_UPLOAD_PROGRESS_MODULE_URI="https://github.com/masterzen/nginx-upload-progress-module/archive/v${HTTP_UPLOAD_PROGRESS_MODULE_PV}.tar.gz"
81 +HTTP_UPLOAD_PROGRESS_MODULE_WD="${WORKDIR}/nginx-upload-progress-module-${HTTP_UPLOAD_PROGRESS_MODULE_PV}"
82 +
83 +# http_headers_more (https://github.com/agentzh/headers-more-nginx-module, BSD license)
84 +HTTP_HEADERS_MORE_MODULE_PV="0.32"
85 +HTTP_HEADERS_MORE_MODULE_P="ngx_http_headers_more-${HTTP_HEADERS_MORE_MODULE_PV}"
86 +HTTP_HEADERS_MORE_MODULE_URI="https://github.com/agentzh/headers-more-nginx-module/archive/v${HTTP_HEADERS_MORE_MODULE_PV}.tar.gz"
87 +HTTP_HEADERS_MORE_MODULE_WD="${WORKDIR}/headers-more-nginx-module-${HTTP_HEADERS_MORE_MODULE_PV}"
88 +
89 +# http_cache_purge (http://labs.frickle.com/nginx_ngx_cache_purge/, https://github.com/FRiCKLE/ngx_cache_purge, BSD-2 license)
90 +HTTP_CACHE_PURGE_MODULE_PV="2.3"
91 +HTTP_CACHE_PURGE_MODULE_P="ngx_http_cache_purge-${HTTP_CACHE_PURGE_MODULE_PV}"
92 +HTTP_CACHE_PURGE_MODULE_URI="http://labs.frickle.com/files/ngx_cache_purge-${HTTP_CACHE_PURGE_MODULE_PV}.tar.gz"
93 +HTTP_CACHE_PURGE_MODULE_WD="${WORKDIR}/ngx_cache_purge-${HTTP_CACHE_PURGE_MODULE_PV}"
94 +
95 +# http_slowfs_cache (http://labs.frickle.com/nginx_ngx_slowfs_cache/, BSD-2 license)
96 +HTTP_SLOWFS_CACHE_MODULE_PV="1.10"
97 +HTTP_SLOWFS_CACHE_MODULE_P="ngx_http_slowfs_cache-${HTTP_SLOWFS_CACHE_MODULE_PV}"
98 +HTTP_SLOWFS_CACHE_MODULE_URI="http://labs.frickle.com/files/ngx_slowfs_cache-${HTTP_SLOWFS_CACHE_MODULE_PV}.tar.gz"
99 +HTTP_SLOWFS_CACHE_MODULE_WD="${WORKDIR}/ngx_slowfs_cache-${HTTP_SLOWFS_CACHE_MODULE_PV}"
100 +
101 +# http_fancyindex (https://github.com/aperezdc/ngx-fancyindex, BSD license)
102 +HTTP_FANCYINDEX_MODULE_PV="0.4.2"
103 +HTTP_FANCYINDEX_MODULE_P="ngx_http_fancyindex-${HTTP_FANCYINDEX_MODULE_PV}"
104 +HTTP_FANCYINDEX_MODULE_URI="https://github.com/aperezdc/ngx-fancyindex/archive/v${HTTP_FANCYINDEX_MODULE_PV}.tar.gz"
105 +HTTP_FANCYINDEX_MODULE_WD="${WORKDIR}/ngx-fancyindex-${HTTP_FANCYINDEX_MODULE_PV}"
106 +
107 +# http_lua (https://github.com/openresty/lua-nginx-module, BSD license)
108 +HTTP_LUA_MODULE_PV="0.10.10"
109 +HTTP_LUA_MODULE_P="ngx_http_lua-${HTTP_LUA_MODULE_PV}"
110 +HTTP_LUA_MODULE_URI="https://github.com/openresty/lua-nginx-module/archive/v${HTTP_LUA_MODULE_PV}.tar.gz"
111 +HTTP_LUA_MODULE_WD="${WORKDIR}/lua-nginx-module-${HTTP_LUA_MODULE_PV}"
112 +
113 +# http_auth_pam (https://github.com/stogh/ngx_http_auth_pam_module/, http://web.iti.upv.es/~sto/nginx/, BSD-2 license)
114 +HTTP_AUTH_PAM_MODULE_PV="1.5.1"
115 +HTTP_AUTH_PAM_MODULE_P="ngx_http_auth_pam-${HTTP_AUTH_PAM_MODULE_PV}"
116 +HTTP_AUTH_PAM_MODULE_URI="https://github.com/stogh/ngx_http_auth_pam_module/archive/v${HTTP_AUTH_PAM_MODULE_PV}.tar.gz"
117 +HTTP_AUTH_PAM_MODULE_WD="${WORKDIR}/ngx_http_auth_pam_module-${HTTP_AUTH_PAM_MODULE_PV}"
118 +
119 +# http_upstream_check (https://github.com/yaoweibin/nginx_upstream_check_module, BSD license)
120 +HTTP_UPSTREAM_CHECK_MODULE_PV="31b1b42873fa56620d8a873ac13f5f26b52d0cd6"
121 +HTTP_UPSTREAM_CHECK_MODULE_P="ngx_http_upstream_check-${HTTP_UPSTREAM_CHECK_MODULE_PV}"
122 +HTTP_UPSTREAM_CHECK_MODULE_URI="https://github.com/yaoweibin/nginx_upstream_check_module/archive/${HTTP_UPSTREAM_CHECK_MODULE_PV}.tar.gz"
123 +HTTP_UPSTREAM_CHECK_MODULE_WD="${WORKDIR}/nginx_upstream_check_module-${HTTP_UPSTREAM_CHECK_MODULE_PV}"
124 +
125 +# http_metrics (https://github.com/zenops/ngx_metrics, BSD license)
126 +HTTP_METRICS_MODULE_PV="0.1.1"
127 +HTTP_METRICS_MODULE_P="ngx_metrics-${HTTP_METRICS_MODULE_PV}"
128 +HTTP_METRICS_MODULE_URI="https://github.com/madvertise/ngx_metrics/archive/v${HTTP_METRICS_MODULE_PV}.tar.gz"
129 +HTTP_METRICS_MODULE_WD="${WORKDIR}/ngx_metrics-${HTTP_METRICS_MODULE_PV}"
130 +
131 +# naxsi-core (https://github.com/nbs-system/naxsi, GPLv2+)
132 +HTTP_NAXSI_MODULE_PV="0.55.3"
133 +HTTP_NAXSI_MODULE_P="ngx_http_naxsi-${HTTP_NAXSI_MODULE_PV}"
134 +HTTP_NAXSI_MODULE_URI="https://github.com/nbs-system/naxsi/archive/${HTTP_NAXSI_MODULE_PV}.tar.gz"
135 +HTTP_NAXSI_MODULE_WD="${WORKDIR}/naxsi-${HTTP_NAXSI_MODULE_PV}/naxsi_src"
136 +
137 +# nginx-rtmp-module (https://github.com/arut/nginx-rtmp-module, BSD license)
138 +RTMP_MODULE_PV="1.2.0"
139 +RTMP_MODULE_P="ngx_rtmp-${RTMP_MODULE_PV}"
140 +RTMP_MODULE_URI="https://github.com/arut/nginx-rtmp-module/archive/v${RTMP_MODULE_PV}.tar.gz"
141 +RTMP_MODULE_WD="${WORKDIR}/nginx-rtmp-module-${RTMP_MODULE_PV}"
142 +
143 +# nginx-dav-ext-module (https://github.com/arut/nginx-dav-ext-module, BSD license)
144 +HTTP_DAV_EXT_MODULE_PV="0.1.0"
145 +HTTP_DAV_EXT_MODULE_P="ngx_http_dav_ext-${HTTP_DAV_EXT_MODULE_PV}"
146 +HTTP_DAV_EXT_MODULE_URI="https://github.com/arut/nginx-dav-ext-module/archive/v${HTTP_DAV_EXT_MODULE_PV}.tar.gz"
147 +HTTP_DAV_EXT_MODULE_WD="${WORKDIR}/nginx-dav-ext-module-${HTTP_DAV_EXT_MODULE_PV}"
148 +
149 +# echo-nginx-module (https://github.com/openresty/echo-nginx-module, BSD license)
150 +HTTP_ECHO_MODULE_PV="0.61"
151 +HTTP_ECHO_MODULE_P="ngx_http_echo-${HTTP_ECHO_MODULE_PV}"
152 +HTTP_ECHO_MODULE_URI="https://github.com/openresty/echo-nginx-module/archive/v${HTTP_ECHO_MODULE_PV}.tar.gz"
153 +HTTP_ECHO_MODULE_WD="${WORKDIR}/echo-nginx-module-${HTTP_ECHO_MODULE_PV}"
154 +
155 +# mod_security for nginx (https://modsecurity.org/, Apache-2.0)
156 +# keep the MODULE_P here consistent with upstream to avoid tarball duplication
157 +HTTP_SECURITY_MODULE_PV="2.9.2"
158 +HTTP_SECURITY_MODULE_P="modsecurity-${HTTP_SECURITY_MODULE_PV}"
159 +HTTP_SECURITY_MODULE_URI="https://www.modsecurity.org/tarball/${HTTP_SECURITY_MODULE_PV}/${HTTP_SECURITY_MODULE_P}.tar.gz"
160 +HTTP_SECURITY_MODULE_WD="${WORKDIR}/${HTTP_SECURITY_MODULE_P}"
161 +
162 +# push-stream-module (http://www.nginxpushstream.com, https://github.com/wandenberg/nginx-push-stream-module, GPL-3)
163 +HTTP_PUSH_STREAM_MODULE_PV="0.5.2"
164 +HTTP_PUSH_STREAM_MODULE_P="ngx_http_push_stream-${HTTP_PUSH_STREAM_MODULE_PV}"
165 +HTTP_PUSH_STREAM_MODULE_URI="https://github.com/wandenberg/nginx-push-stream-module/archive/${HTTP_PUSH_STREAM_MODULE_PV}.tar.gz"
166 +HTTP_PUSH_STREAM_MODULE_WD="${WORKDIR}/nginx-push-stream-module-${HTTP_PUSH_STREAM_MODULE_PV}"
167 +
168 +# sticky-module (https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng, BSD-2)
169 +HTTP_STICKY_MODULE_PV="1.2.6-10-g08a395c66e42"
170 +HTTP_STICKY_MODULE_P="nginx_http_sticky_module_ng-${HTTP_STICKY_MODULE_PV}"
171 +HTTP_STICKY_MODULE_URI="https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/get/${HTTP_STICKY_MODULE_PV}.tar.bz2"
172 +HTTP_STICKY_MODULE_WD="${WORKDIR}/nginx-goodies-nginx-sticky-module-ng-08a395c66e42"
173 +
174 +# mogilefs-module (https://github.com/vkholodkov/nginx-mogilefs-module, BSD-2)
175 +HTTP_MOGILEFS_MODULE_PV="1.0.4"
176 +HTTP_MOGILEFS_MODULE_P="ngx_mogilefs_module-${HTTP_MOGILEFS_MODULE_PV}"
177 +HTTP_MOGILEFS_MODULE_URI="https://github.com/vkholodkov/nginx-mogilefs-module/archive/${HTTP_MOGILEFS_MODULE_PV}.tar.gz"
178 +HTTP_MOGILEFS_MODULE_WD="${WORKDIR}/nginx_mogilefs_module-${HTTP_MOGILEFS_MODULE_PV}"
179 +
180 +# memc-module (https://github.com/openresty/memc-nginx-module, BSD-2)
181 +HTTP_MEMC_MODULE_PV="0.18"
182 +HTTP_MEMC_MODULE_P="ngx_memc_module-${HTTP_MEMC_MODULE_PV}"
183 +HTTP_MEMC_MODULE_URI="https://github.com/openresty/memc-nginx-module/archive/v${HTTP_MEMC_MODULE_PV}.tar.gz"
184 +HTTP_MEMC_MODULE_WD="${WORKDIR}/memc-nginx-module-${HTTP_MEMC_MODULE_PV}"
185 +
186 +# nginx-ldap-auth-module (https://github.com/kvspb/nginx-auth-ldap, BSD-2)
187 +HTTP_LDAP_MODULE_PV="49a8b4d28fc4a518563c82e0b52821e5f37db1fc"
188 +HTTP_LDAP_MODULE_P="nginx-auth-ldap-${HTTP_LDAP_MODULE_PV}"
189 +HTTP_LDAP_MODULE_URI="https://github.com/kvspb/nginx-auth-ldap/archive/${HTTP_LDAP_MODULE_PV}.tar.gz"
190 +HTTP_LDAP_MODULE_WD="${WORKDIR}/nginx-auth-ldap-${HTTP_LDAP_MODULE_PV}"
191 +
192 +# We handle deps below ourselves
193 +SSL_DEPS_SKIP=1
194 +AUTOTOOLS_AUTO_DEPEND="no"
195 +
196 +inherit autotools ssl-cert toolchain-funcs perl-module flag-o-matic user systemd versionator multilib
197 +
198 +DESCRIPTION="Robust, small and high performance http and reverse proxy server"
199 +HOMEPAGE="https://nginx.org"
200 +SRC_URI="https://nginx.org/download/${P}.tar.gz
201 + ${DEVEL_KIT_MODULE_URI} -> ${DEVEL_KIT_MODULE_P}.tar.gz
202 + nginx_modules_http_upload_progress? ( ${HTTP_UPLOAD_PROGRESS_MODULE_URI} -> ${HTTP_UPLOAD_PROGRESS_MODULE_P}.tar.gz )
203 + nginx_modules_http_headers_more? ( ${HTTP_HEADERS_MORE_MODULE_URI} -> ${HTTP_HEADERS_MORE_MODULE_P}.tar.gz )
204 + nginx_modules_http_cache_purge? ( ${HTTP_CACHE_PURGE_MODULE_URI} -> ${HTTP_CACHE_PURGE_MODULE_P}.tar.gz )
205 + nginx_modules_http_slowfs_cache? ( ${HTTP_SLOWFS_CACHE_MODULE_URI} -> ${HTTP_SLOWFS_CACHE_MODULE_P}.tar.gz )
206 + nginx_modules_http_fancyindex? ( ${HTTP_FANCYINDEX_MODULE_URI} -> ${HTTP_FANCYINDEX_MODULE_P}.tar.gz )
207 + nginx_modules_http_lua? ( ${HTTP_LUA_MODULE_URI} -> ${HTTP_LUA_MODULE_P}.tar.gz )
208 + nginx_modules_http_auth_pam? ( ${HTTP_AUTH_PAM_MODULE_URI} -> ${HTTP_AUTH_PAM_MODULE_P}.tar.gz )
209 + nginx_modules_http_upstream_check? ( ${HTTP_UPSTREAM_CHECK_MODULE_URI} -> ${HTTP_UPSTREAM_CHECK_MODULE_P}.tar.gz )
210 + nginx_modules_http_metrics? ( ${HTTP_METRICS_MODULE_URI} -> ${HTTP_METRICS_MODULE_P}.tar.gz )
211 + nginx_modules_http_naxsi? ( ${HTTP_NAXSI_MODULE_URI} -> ${HTTP_NAXSI_MODULE_P}.tar.gz )
212 + rtmp? ( ${RTMP_MODULE_URI} -> ${RTMP_MODULE_P}.tar.gz )
213 + nginx_modules_http_dav_ext? ( ${HTTP_DAV_EXT_MODULE_URI} -> ${HTTP_DAV_EXT_MODULE_P}.tar.gz )
214 + nginx_modules_http_echo? ( ${HTTP_ECHO_MODULE_URI} -> ${HTTP_ECHO_MODULE_P}.tar.gz )
215 + nginx_modules_http_security? ( ${HTTP_SECURITY_MODULE_URI} -> ${HTTP_SECURITY_MODULE_P}.tar.gz )
216 + nginx_modules_http_push_stream? ( ${HTTP_PUSH_STREAM_MODULE_URI} -> ${HTTP_PUSH_STREAM_MODULE_P}.tar.gz )
217 + nginx_modules_http_sticky? ( ${HTTP_STICKY_MODULE_URI} -> ${HTTP_STICKY_MODULE_P}.tar.bz2 )
218 + nginx_modules_http_mogilefs? ( ${HTTP_MOGILEFS_MODULE_URI} -> ${HTTP_MOGILEFS_MODULE_P}.tar.gz )
219 + nginx_modules_http_memc? ( ${HTTP_MEMC_MODULE_URI} -> ${HTTP_MEMC_MODULE_P}.tar.gz )
220 + nginx_modules_http_auth_ldap? ( ${HTTP_LDAP_MODULE_URI} -> ${HTTP_LDAP_MODULE_P}.tar.gz )"
221 +
222 +LICENSE="BSD-2 BSD SSLeay MIT GPL-2 GPL-2+
223 + nginx_modules_http_security? ( Apache-2.0 )
224 + nginx_modules_http_push_stream? ( GPL-3 )"
225 +
226 +SLOT="0"
227 +KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~x86 ~x86-fbsd ~amd64-linux ~x86-linux"
228 +
229 +# Package doesn't provide a real test suite
230 +RESTRICT="test"
231 +
232 +NGINX_MODULES_STD="access auth_basic autoindex browser charset empty_gif
233 + fastcgi geo gzip limit_req limit_conn map memcached proxy referer
234 + rewrite scgi ssi split_clients upstream_hash upstream_ip_hash
235 + upstream_keepalive upstream_least_conn upstream_zone userid uwsgi"
236 +NGINX_MODULES_OPT="addition auth_request dav degradation flv geoip gunzip
237 + gzip_static image_filter mp4 perl random_index realip secure_link
238 + slice stub_status sub xslt"
239 +NGINX_MODULES_STREAM_STD="access geo limit_conn map return split_clients
240 + upstream_hash upstream_least_conn upstream_zone"
241 +NGINX_MODULES_STREAM_OPT="geoip realip ssl_preread"
242 +NGINX_MODULES_MAIL="imap pop3 smtp"
243 +NGINX_MODULES_3RD="
244 + http_upload_progress
245 + http_headers_more
246 + http_cache_purge
247 + http_slowfs_cache
248 + http_fancyindex
249 + http_lua
250 + http_auth_pam
251 + http_upstream_check
252 + http_metrics
253 + http_naxsi
254 + http_dav_ext
255 + http_echo
256 + http_security
257 + http_push_stream
258 + http_sticky
259 + http_mogilefs
260 + http_memc
261 + http_auth_ldap"
262 +
263 +IUSE="aio debug +http +http2 +http-cache +ipv6 libatomic libressl luajit +pcre
264 + pcre-jit rtmp selinux ssl threads userland_GNU vim-syntax"
265 +
266 +for mod in $NGINX_MODULES_STD; do
267 + IUSE="${IUSE} +nginx_modules_http_${mod}"
268 +done
269 +
270 +for mod in $NGINX_MODULES_OPT; do
271 + IUSE="${IUSE} nginx_modules_http_${mod}"
272 +done
273 +
274 +for mod in $NGINX_MODULES_STREAM_STD; do
275 + IUSE="${IUSE} nginx_modules_stream_${mod}"
276 +done
277 +
278 +for mod in $NGINX_MODULES_STREAM_OPT; do
279 + IUSE="${IUSE} nginx_modules_stream_${mod}"
280 +done
281 +
282 +for mod in $NGINX_MODULES_MAIL; do
283 + IUSE="${IUSE} nginx_modules_mail_${mod}"
284 +done
285 +
286 +for mod in $NGINX_MODULES_3RD; do
287 + IUSE="${IUSE} nginx_modules_${mod}"
288 +done
289 +
290 +# Add so we can warn users updating about config changes
291 +# @TODO: jbergstroem: remove on next release series
292 +IUSE="${IUSE} nginx_modules_http_spdy"
293 +
294 +CDEPEND="
295 + pcre? ( dev-libs/libpcre:= )
296 + pcre-jit? ( dev-libs/libpcre:=[jit] )
297 + ssl? (
298 + !libressl? ( dev-libs/openssl:0= )
299 + libressl? ( dev-libs/libressl:= )
300 + )
301 + http2? (
302 + !libressl? ( >=dev-libs/openssl-1.0.1c:0= )
303 + libressl? ( dev-libs/libressl:= )
304 + )
305 + http-cache? (
306 + userland_GNU? (
307 + !libressl? ( dev-libs/openssl:0= )
308 + libressl? ( dev-libs/libressl:= )
309 + )
310 + )
311 + nginx_modules_http_geoip? ( dev-libs/geoip )
312 + nginx_modules_http_gunzip? ( sys-libs/zlib )
313 + nginx_modules_http_gzip? ( sys-libs/zlib )
314 + nginx_modules_http_gzip_static? ( sys-libs/zlib )
315 + nginx_modules_http_image_filter? ( media-libs/gd:=[jpeg,png] )
316 + nginx_modules_http_perl? ( >=dev-lang/perl-5.8:= )
317 + nginx_modules_http_rewrite? ( dev-libs/libpcre:= )
318 + nginx_modules_http_secure_link? (
319 + userland_GNU? (
320 + !libressl? ( dev-libs/openssl:0= )
321 + libressl? ( dev-libs/libressl:= )
322 + )
323 + )
324 + nginx_modules_http_xslt? ( dev-libs/libxml2:= dev-libs/libxslt )
325 + nginx_modules_http_lua? ( !luajit? ( dev-lang/lua:0= ) luajit? ( dev-lang/luajit:2= ) )
326 + nginx_modules_http_auth_pam? ( virtual/pam )
327 + nginx_modules_http_metrics? ( dev-libs/yajl:= )
328 + nginx_modules_http_dav_ext? ( dev-libs/expat )
329 + nginx_modules_http_security? (
330 + dev-libs/apr:=
331 + dev-libs/apr-util:=
332 + dev-libs/libxml2:=
333 + net-misc/curl
334 + www-servers/apache
335 + )
336 + nginx_modules_http_auth_ldap? ( net-nds/openldap[ssl?] )"
337 +RDEPEND="${CDEPEND}
338 + selinux? ( sec-policy/selinux-nginx )
339 + !www-servers/nginx:mainline"
340 +DEPEND="${CDEPEND}
341 + nginx_modules_http_security? ( ${AUTOTOOLS_DEPEND} )
342 + arm? ( dev-libs/libatomic_ops )
343 + libatomic? ( dev-libs/libatomic_ops )"
344 +PDEPEND="vim-syntax? ( app-vim/nginx-syntax )"
345 +
346 +REQUIRED_USE="pcre-jit? ( pcre )
347 + nginx_modules_http_lua? ( nginx_modules_http_rewrite )
348 + nginx_modules_http_naxsi? ( pcre )
349 + nginx_modules_http_dav_ext? ( nginx_modules_http_dav )
350 + nginx_modules_http_metrics? ( nginx_modules_http_stub_status )
351 + nginx_modules_http_security? ( pcre )
352 + nginx_modules_http_push_stream? ( ssl )"
353 +
354 +pkg_setup() {
355 + NGINX_HOME="/var/lib/nginx"
356 + NGINX_HOME_TMP="${NGINX_HOME}/tmp"
357 +
358 + ebegin "Creating nginx user and group"
359 + enewgroup ${PN}
360 + enewuser ${PN} -1 -1 "${NGINX_HOME}" ${PN}
361 + eend $?
362 +
363 + if use libatomic; then
364 + ewarn "GCC 4.1+ features built-in atomic operations."
365 + ewarn "Using libatomic_ops is only needed if using"
366 + ewarn "a different compiler or a GCC prior to 4.1"
367 + fi
368 +
369 + if [[ -n $NGINX_ADD_MODULES ]]; then
370 + ewarn "You are building custom modules via \$NGINX_ADD_MODULES!"
371 + ewarn "This nginx installation is not supported!"
372 + ewarn "Make sure you can reproduce the bug without those modules"
373 + ewarn "_before_ reporting bugs."
374 + fi
375 +
376 + if use !http; then
377 + ewarn "To actually disable all http-functionality you also have to disable"
378 + ewarn "all nginx http modules."
379 + fi
380 +
381 + if use nginx_modules_http_mogilefs && use threads; then
382 + eerror "mogilefs won't compile with threads support."
383 + eerror "Please disable either flag and try again."
384 + die "Can't compile mogilefs with threads support"
385 + fi
386 +}
387 +
388 +src_prepare() {
389 + eapply "${FILESDIR}/${PN}-1.4.1-fix-perl-install-path.patch"
390 + eapply "${FILESDIR}/${PN}-httpoxy-mitigation-r1.patch"
391 +
392 + if use nginx_modules_http_upstream_check; then
393 + #eapply -p0 "${HTTP_UPSTREAM_CHECK_MODULE_WD}"/check_1.11.1+.patch
394 + eapply -p0 "${FILESDIR}"/http_upstream_check-nginx-1.11.5+.patch
395 + fi
396 +
397 + if use nginx_modules_http_cache_purge; then
398 + cd "${HTTP_CACHE_PURGE_MODULE_WD}" || die
399 + eapply "${FILESDIR}"/http_cache_purge-1.11.6+.patch
400 + cd "${S}" || die
401 + fi
402 +
403 + if use nginx_modules_http_security; then
404 + cd "${HTTP_SECURITY_MODULE_WD}" || die
405 +
406 + eautoreconf
407 +
408 + if use luajit ; then
409 + sed -i \
410 + -e 's|^\(LUA_PKGNAMES\)=.*|\1="luajit"|' \
411 + configure || die
412 + fi
413 +
414 + cd "${S}" || die
415 + fi
416 +
417 + if use nginx_modules_http_upload_progress; then
418 + cd "${HTTP_UPLOAD_PROGRESS_MODULE_WD}" || die
419 + eapply "${FILESDIR}"/http_uploadprogress-issue_50-r1.patch
420 + cd "${S}" || die
421 + fi
422 +
423 + find auto/ -type f -print0 | xargs -0 sed -i 's:\&\& make:\&\& \\$(MAKE):' || die
424 + # We have config protection, don't rename etc files
425 + sed -i 's:.default::' auto/install || die
426 + # remove useless files
427 + sed -i -e '/koi-/d' -e '/win-/d' auto/install || die
428 +
429 + # don't install to /etc/nginx/ if not in use
430 + local module
431 + for module in fastcgi scgi uwsgi ; do
432 + if ! use nginx_modules_http_${module}; then
433 + sed -i -e "/${module}/d" auto/install || die
434 + fi
435 + done
436 +
437 + eapply_user
438 +}
439 +
440 +src_configure() {
441 + # mod_security needs to generate nginx/modsecurity/config before including it
442 + if use nginx_modules_http_security; then
443 + cd "${HTTP_SECURITY_MODULE_WD}" || die
444 +
445 + ./configure \
446 + --enable-standalone-module \
447 + --disable-mlogc \
448 + --with-ssdeep=no \
449 + $(use_enable pcre-jit) \
450 + $(use_with nginx_modules_http_lua lua) || die "configure failed for mod_security"
451 +
452 + cd "${S}" || die
453 + fi
454 +
455 + local myconf=() http_enabled= mail_enabled= stream_enabled=
456 +
457 + use aio && myconf+=( --with-file-aio )
458 + use debug && myconf+=( --with-debug )
459 + use http2 && myconf+=( --with-http_v2_module )
460 + use libatomic && myconf+=( --with-libatomic )
461 + use pcre && myconf+=( --with-pcre )
462 + use pcre-jit && myconf+=( --with-pcre-jit )
463 + use threads && myconf+=( --with-threads )
464 +
465 + # HTTP modules
466 + for mod in $NGINX_MODULES_STD; do
467 + if use nginx_modules_http_${mod}; then
468 + http_enabled=1
469 + else
470 + myconf+=( --without-http_${mod}_module )
471 + fi
472 + done
473 +
474 + for mod in $NGINX_MODULES_OPT; do
475 + if use nginx_modules_http_${mod}; then
476 + http_enabled=1
477 + myconf+=( --with-http_${mod}_module )
478 + fi
479 + done
480 +
481 + if use nginx_modules_http_fastcgi; then
482 + myconf+=( --with-http_realip_module )
483 + fi
484 +
485 + # third-party modules
486 + if use nginx_modules_http_upload_progress; then
487 + http_enabled=1
488 + myconf+=( --add-module=${HTTP_UPLOAD_PROGRESS_MODULE_WD} )
489 + fi
490 +
491 + if use nginx_modules_http_headers_more; then
492 + http_enabled=1
493 + myconf+=( --add-module=${HTTP_HEADERS_MORE_MODULE_WD} )
494 + fi
495 +
496 + if use nginx_modules_http_cache_purge; then
497 + http_enabled=1
498 + myconf+=( --add-module=${HTTP_CACHE_PURGE_MODULE_WD} )
499 + fi
500 +
501 + if use nginx_modules_http_slowfs_cache; then
502 + http_enabled=1
503 + myconf+=( --add-module=${HTTP_SLOWFS_CACHE_MODULE_WD} )
504 + fi
505 +
506 + if use nginx_modules_http_fancyindex; then
507 + http_enabled=1
508 + myconf+=( --add-module=${HTTP_FANCYINDEX_MODULE_WD} )
509 + fi
510 +
511 + if use nginx_modules_http_lua; then
512 + http_enabled=1
513 + if use luajit; then
514 + export LUAJIT_LIB=$(pkg-config --variable libdir luajit)
515 + export LUAJIT_INC=$(pkg-config --variable includedir luajit)
516 + else
517 + export LUA_LIB=$(pkg-config --variable libdir lua)
518 + export LUA_INC=$(pkg-config --variable includedir lua)
519 + fi
520 + myconf+=( --add-module=${DEVEL_KIT_MODULE_WD} )
521 + myconf+=( --add-module=${HTTP_LUA_MODULE_WD} )
522 + fi
523 +
524 + if use nginx_modules_http_auth_pam; then
525 + http_enabled=1
526 + myconf+=( --add-module=${HTTP_AUTH_PAM_MODULE_WD} )
527 + fi
528 +
529 + if use nginx_modules_http_upstream_check; then
530 + http_enabled=1
531 + myconf+=( --add-module=${HTTP_UPSTREAM_CHECK_MODULE_WD} )
532 + fi
533 +
534 + if use nginx_modules_http_metrics; then
535 + http_enabled=1
536 + myconf+=( --add-module=${HTTP_METRICS_MODULE_WD} )
537 + fi
538 +
539 + if use nginx_modules_http_naxsi ; then
540 + http_enabled=1
541 + myconf+=( --add-module=${HTTP_NAXSI_MODULE_WD} )
542 + fi
543 +
544 + if use rtmp ; then
545 + http_enabled=1
546 + myconf+=( --add-module=${RTMP_MODULE_WD} )
547 + fi
548 +
549 + if use nginx_modules_http_dav_ext ; then
550 + http_enabled=1
551 + myconf+=( --add-module=${HTTP_DAV_EXT_MODULE_WD} )
552 + fi
553 +
554 + if use nginx_modules_http_echo ; then
555 + http_enabled=1
556 + myconf+=( --add-module=${HTTP_ECHO_MODULE_WD} )
557 + fi
558 +
559 + if use nginx_modules_http_security ; then
560 + http_enabled=1
561 + myconf+=( --add-module=${HTTP_SECURITY_MODULE_WD}/nginx/modsecurity )
562 + fi
563 +
564 + if use nginx_modules_http_push_stream ; then
565 + http_enabled=1
566 + myconf+=( --add-module=${HTTP_PUSH_STREAM_MODULE_WD} )
567 + fi
568 +
569 + if use nginx_modules_http_sticky ; then
570 + http_enabled=1
571 + myconf+=( --add-module=${HTTP_STICKY_MODULE_WD} )
572 + fi
573 +
574 + if use nginx_modules_http_mogilefs ; then
575 + http_enabled=1
576 + myconf+=( --add-module=${HTTP_MOGILEFS_MODULE_WD} )
577 + fi
578 +
579 + if use nginx_modules_http_memc ; then
580 + http_enabled=1
581 + myconf+=( --add-module=${HTTP_MEMC_MODULE_WD} )
582 + fi
583 +
584 + if use nginx_modules_http_auth_ldap; then
585 + http_enabled=1
586 + myconf+=( --add-module=${HTTP_LDAP_MODULE_WD} )
587 + fi
588 +
589 + if use http || use http-cache || use http2; then
590 + http_enabled=1
591 + fi
592 +
593 + if [ $http_enabled ]; then
594 + use http-cache || myconf+=( --without-http-cache )
595 + use ssl && myconf+=( --with-http_ssl_module )
596 + else
597 + myconf+=( --without-http --without-http-cache )
598 + fi
599 +
600 + # Stream modules
601 + for mod in $NGINX_MODULES_STREAM_STD; do
602 + if use nginx_modules_stream_${mod}; then
603 + stream_enabled=1
604 + else
605 + myconf+=( --without-stream_${mod}_module )
606 + fi
607 + done
608 +
609 + for mod in $NGINX_MODULES_STREAM_OPT; do
610 + if use nginx_modules_stream_${mod}; then
611 + stream_enabled=1
612 + myconf+=( --with-stream_${mod}_module )
613 + fi
614 + done
615 +
616 + if [ $stream_enabled ]; then
617 + myconf+=( --with-stream )
618 + use ssl && myconf+=( --with-stream_ssl_module )
619 + fi
620 +
621 + # MAIL modules
622 + for mod in $NGINX_MODULES_MAIL; do
623 + if use nginx_modules_mail_${mod}; then
624 + mail_enabled=1
625 + else
626 + myconf+=( --without-mail_${mod}_module )
627 + fi
628 + done
629 +
630 + if [ $mail_enabled ]; then
631 + myconf+=( --with-mail )
632 + use ssl && myconf+=( --with-mail_ssl_module )
633 + fi
634 +
635 + # custom modules
636 + for mod in $NGINX_ADD_MODULES; do
637 + myconf+=( --add-module=${mod} )
638 + done
639 +
640 + # https://bugs.gentoo.org/286772
641 + export LANG=C LC_ALL=C
642 + tc-export CC
643 +
644 + if ! use prefix; then
645 + myconf+=( --user=${PN} )
646 + myconf+=( --group=${PN} )
647 + fi
648 +
649 + local WITHOUT_IPV6=
650 + if ! use ipv6; then
651 + WITHOUT_IPV6=" -DNGX_HAVE_INET6=0"
652 + fi
653 +
654 + ./configure \
655 + --prefix="${EPREFIX}"/usr \
656 + --conf-path="${EPREFIX}"/etc/${PN}/${PN}.conf \
657 + --error-log-path="${EPREFIX}"/var/log/${PN}/error_log \
658 + --pid-path="${EPREFIX}"/run/${PN}.pid \
659 + --lock-path="${EPREFIX}"/run/lock/${PN}.lock \
660 + --with-cc-opt="-I${EROOT}usr/include${WITHOUT_IPV6}" \
661 + --with-ld-opt="-L${EROOT}usr/$(get_libdir)" \
662 + --http-log-path="${EPREFIX}"/var/log/${PN}/access_log \
663 + --http-client-body-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/client \
664 + --http-proxy-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/proxy \
665 + --http-fastcgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/fastcgi \
666 + --http-scgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/scgi \
667 + --http-uwsgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/uwsgi \
668 + --with-compat \
669 + "${myconf[@]}" || die "configure failed"
670 +
671 + # A purely cosmetic change that makes nginx -V more readable. This can be
672 + # good if people outside the gentoo community would troubleshoot and
673 + # question the users setup.
674 + sed -i -e "s|${WORKDIR}|external_module|g" objs/ngx_auto_config.h || die
675 +}
676 +
677 +src_compile() {
678 + use nginx_modules_http_security && emake -C "${HTTP_SECURITY_MODULE_WD}"
679 +
680 + # https://bugs.gentoo.org/286772
681 + export LANG=C LC_ALL=C
682 + emake LINK="${CC} ${LDFLAGS}" OTHERLDFLAGS="${LDFLAGS}"
683 +}
684 +
685 +src_install() {
686 + emake DESTDIR="${D%/}" install
687 +
688 + cp "${FILESDIR}"/nginx.conf-r2 "${ED}"etc/nginx/nginx.conf || die
689 +
690 + newinitd "${FILESDIR}"/nginx.initd-r4 nginx
691 + newconfd "${FILESDIR}"/nginx.confd nginx
692 +
693 + systemd_newunit "${FILESDIR}"/nginx.service-r1 nginx.service
694 +
695 + doman man/nginx.8
696 + dodoc CHANGES* README
697 +
698 + # just keepdir. do not copy the default htdocs files (bug #449136)
699 + keepdir /var/www/localhost
700 + rm -rf "${D}"usr/html || die
701 +
702 + # set up a list of directories to keep
703 + local keepdir_list="${NGINX_HOME_TMP}"/client
704 + local module
705 + for module in proxy fastcgi scgi uwsgi; do
706 + use nginx_modules_http_${module} && keepdir_list+=" ${NGINX_HOME_TMP}/${module}"
707 + done
708 +
709 + keepdir /var/log/nginx ${keepdir_list}
710 +
711 + # this solves a problem with SELinux where nginx doesn't see the directories
712 + # as root and tries to create them as nginx
713 + fperms 0750 "${NGINX_HOME_TMP}"
714 + fowners ${PN}:0 "${NGINX_HOME_TMP}"
715 +
716 + fperms 0700 ${keepdir_list}
717 + fowners ${PN}:${PN} ${keepdir_list}
718 +
719 + fperms 0710 /var/log/nginx
720 + fowners 0:${PN} /var/log/nginx
721 +
722 + # logrotate
723 + insinto /etc/logrotate.d
724 + newins "${FILESDIR}"/nginx.logrotate-r1 nginx
725 +
726 + if use nginx_modules_http_perl; then
727 + cd "${S}"/objs/src/http/modules/perl/ || die
728 + emake DESTDIR="${D}" INSTALLDIRS=vendor
729 + perl_delete_localpod
730 + cd "${S}" || die
731 + fi
732 +
733 + if use nginx_modules_http_cache_purge; then
734 + docinto ${HTTP_CACHE_PURGE_MODULE_P}
735 + dodoc "${HTTP_CACHE_PURGE_MODULE_WD}"/{CHANGES,README.md,TODO.md}
736 + fi
737 +
738 + if use nginx_modules_http_slowfs_cache; then
739 + docinto ${HTTP_SLOWFS_CACHE_MODULE_P}
740 + dodoc "${HTTP_SLOWFS_CACHE_MODULE_WD}"/{CHANGES,README.md}
741 + fi
742 +
743 + if use nginx_modules_http_fancyindex; then
744 + docinto ${HTTP_FANCYINDEX_MODULE_P}
745 + dodoc "${HTTP_FANCYINDEX_MODULE_WD}"/README.rst
746 + fi
747 +
748 + if use nginx_modules_http_lua; then
749 + docinto ${HTTP_LUA_MODULE_P}
750 + dodoc "${HTTP_LUA_MODULE_WD}"/README.markdown
751 + fi
752 +
753 + if use nginx_modules_http_auth_pam; then
754 + docinto ${HTTP_AUTH_PAM_MODULE_P}
755 + dodoc "${HTTP_AUTH_PAM_MODULE_WD}"/{README.md,ChangeLog}
756 + fi
757 +
758 + if use nginx_modules_http_upstream_check; then
759 + docinto ${HTTP_UPSTREAM_CHECK_MODULE_P}
760 + dodoc "${HTTP_UPSTREAM_CHECK_MODULE_WD}"/{README,CHANGES}
761 + fi
762 +
763 + if use nginx_modules_http_naxsi; then
764 + insinto /etc/nginx
765 + doins "${HTTP_NAXSI_MODULE_WD}"/../naxsi_config/naxsi_core.rules
766 + fi
767 +
768 + if use rtmp; then
769 + docinto ${RTMP_MODULE_P}
770 + dodoc "${RTMP_MODULE_WD}"/{AUTHORS,README.md,stat.xsl}
771 + fi
772 +
773 + if use nginx_modules_http_dav_ext; then
774 + docinto ${HTTP_DAV_EXT_MODULE_P}
775 + dodoc "${HTTP_DAV_EXT_MODULE_WD}"/README.rst
776 + fi
777 +
778 + if use nginx_modules_http_echo; then
779 + docinto ${HTTP_ECHO_MODULE_P}
780 + dodoc "${HTTP_ECHO_MODULE_WD}"/README.markdown
781 + fi
782 +
783 + if use nginx_modules_http_security; then
784 + docinto ${HTTP_SECURITY_MODULE_P}
785 + dodoc "${HTTP_SECURITY_MODULE_WD}"/{CHANGES,README.TXT,authors.txt}
786 + fi
787 +
788 + if use nginx_modules_http_push_stream; then
789 + docinto ${HTTP_PUSH_STREAM_MODULE_P}
790 + dodoc "${HTTP_PUSH_STREAM_MODULE_WD}"/{AUTHORS,CHANGELOG.textile,README.textile}
791 + fi
792 +
793 + if use nginx_modules_http_sticky; then
794 + docinto ${HTTP_STICKY_MODULE_P}
795 + dodoc "${HTTP_STICKY_MODULE_WD}"/{README.md,Changelog.txt,docs/sticky.pdf}
796 + fi
797 +
798 + if use nginx_modules_http_memc; then
799 + docinto ${HTTP_MEMC_MODULE_P}
800 + dodoc "${HTTP_MEMC_MODULE_WD}"/README.markdown
801 + fi
802 +
803 + if use nginx_modules_http_auth_ldap; then
804 + docinto ${HTTP_LDAP_MODULE_P}
805 + dodoc "${HTTP_LDAP_MODULE_WD}"/example.conf
806 + fi
807 +}
808 +
809 +pkg_postinst() {
810 + if use ssl; then
811 + if [[ ! -f "${EROOT}"etc/ssl/${PN}/${PN}.key ]]; then
812 + install_cert /etc/ssl/${PN}/${PN}
813 + use prefix || chown ${PN}:${PN} "${EROOT}"etc/ssl/${PN}/${PN}.{crt,csr,key,pem}
814 + fi
815 + fi
816 +
817 + if use nginx_modules_http_spdy; then
818 + ewarn ""
819 + ewarn "In nginx 1.9.5 the spdy module was superseded by http2."
820 + ewarn "Update your configs and package.use accordingly."
821 + fi
822 +
823 + if use nginx_modules_http_lua; then
824 + ewarn ""
825 + ewarn "While you can build lua 3rd party module against ${P}"
826 + ewarn "the author warns that >=${PN}-1.11.11 is still not an"
827 + ewarn "officially supported target yet. You are on your own."
828 + ewarn "Expect runtime failures, memory leaks and other problems!"
829 + fi
830 +
831 + if use nginx_modules_http_lua && use http2; then
832 + ewarn ""
833 + ewarn "Lua 3rd party module author warns against using ${P} with"
834 + ewarn "NGINX_MODULES_HTTP=\"lua http2\". For more info, see http://git.io/OldLsg"
835 + fi
836 +
837 + local _n_permission_layout_checks=0
838 + local _has_to_adjust_permissions=0
839 + local _has_to_show_permission_warning=0
840 +
841 + # Defaults to 1 to inform people doing a fresh installation
842 + # that we ship modified {scgi,uwsgi,fastcgi}_params files
843 + local _has_to_show_httpoxy_mitigation_notice=1
844 +
845 + local _replacing_version=
846 + for _replacing_version in ${REPLACING_VERSIONS}; do
847 + _n_permission_layout_checks=$((${_n_permission_layout_checks}+1))
848 +
849 + if [[ ${_n_permission_layout_checks} -gt 1 ]]; then
850 + # Should never happen:
851 + # Package is abusing slots but doesn't allow multiple parallel installations.
852 + # If we run into this situation it is unsafe to automatically adjust any
853 + # permission...
854 + _has_to_show_permission_warning=1
855 +
856 + ewarn "Replacing multiple ${PN}' versions is unsupported! " \
857 + "You will have to adjust permissions on your own."
858 +
859 + break
860 + fi
861 +
862 + local _replacing_version_branch=$(get_version_component_range 1-2 "${_replacing_version}")
863 + debug-print "Updating an existing installation (v${_replacing_version}; branch '${_replacing_version_branch}') ..."
864 +
865 + # Do we need to adjust permissions to fix CVE-2013-0337 (bug #458726, #469094)?
866 + # This was before we introduced multiple nginx versions so we
867 + # do not need to distinguish between stable and mainline
868 + local _need_to_fix_CVE2013_0337=1
869 +
870 + if version_is_at_least "1.4.1-r2" "${_replacing_version}"; then
871 + # We are updating an installation which should already be fixed
872 + _need_to_fix_CVE2013_0337=0
873 + debug-print "Skipping CVE-2013-0337 ... existing installation should not be affected!"
874 + else
875 + _has_to_adjust_permissions=1
876 + debug-print "Need to adjust permissions to fix CVE-2013-0337!"
877 + fi
878 +
879 + # Do we need to inform about HTTPoxy mitigation?
880 + # In repository since commit 8be44f76d4ac02cebcd1e0e6e6284bb72d054b0f
881 + if ! version_is_at_least "1.10" "${_replacing_version_branch}"; then
882 + # Updating from <1.10
883 + _has_to_show_httpoxy_mitigation_notice=1
884 + debug-print "Need to inform about HTTPoxy mitigation!"
885 + else
886 + # Updating from >=1.10
887 + local _fixed_in_pvr=
888 + case "${_replacing_version_branch}" in
889 + "1.10")
890 + _fixed_in_pvr="1.10.1-r2"
891 + ;;
892 + "1.11")
893 + _fixed_in_pvr="1.11.3-r1"
894 + ;;
895 + *)
896 + # This should be any future branch.
897 + # If we run this code it is safe to assume that the user has
898 + # already seen the HTTPoxy mitigation notice because he/she is doing
899 + # an update from previous version where we have already shown
900 + # the warning. Otherwise, we wouldn't hit this code path ...
901 + _fixed_in_pvr=
902 + esac
903 +
904 + if [[ -z "${_fixed_in_pvr}" ]] || version_is_at_least "${_fixed_in_pvr}" "${_replacing_version}"; then
905 + # We are updating an installation where we already informed
906 + # that we are mitigating HTTPoxy per default
907 + _has_to_show_httpoxy_mitigation_notice=0
908 + debug-print "No need to inform about HTTPoxy mitigation ... information was already shown for existing installation!"
909 + else
910 + _has_to_show_httpoxy_mitigation_notice=1
911 + debug-print "Need to inform about HTTPoxy mitigation!"
912 + fi
913 + fi
914 +
915 + # Do we need to adjust permissions to fix CVE-2016-1247 (bug #605008)?
916 + # All branches up to 1.11 are affected
917 + local _need_to_fix_CVE2016_1247=1
918 +
919 + if ! version_is_at_least "1.10" "${_replacing_version_branch}"; then
920 + # Updating from <1.10
921 + _has_to_adjust_permissions=1
922 + debug-print "Need to adjust permissions to fix CVE-2016-1247!"
923 + else
924 + # Updating from >=1.10
925 + local _fixed_in_pvr=
926 + case "${_replacing_version_branch}" in
927 + "1.10")
928 + _fixed_in_pvr="1.10.2-r3"
929 + ;;
930 + "1.11")
931 + _fixed_in_pvr="1.11.6-r1"
932 + ;;
933 + *)
934 + # This should be any future branch.
935 + # If we run this code it is safe to assume that we have already
936 + # adjusted permissions or were never affected because user is
937 + # doing an update from previous version which was safe or did
938 + # the adjustments. Otherwise, we wouldn't hit this code path ...
939 + _fixed_in_pvr=
940 + esac
941 +
942 + if [[ -z "${_fixed_in_pvr}" ]] || version_is_at_least "${_fixed_in_pvr}" "${_replacing_version}"; then
943 + # We are updating an installation which should already be adjusted
944 + # or which was never affected
945 + _need_to_fix_CVE2016_1247=0
946 + debug-print "Skipping CVE-2016-1247 ... existing installation should not be affected!"
947 + else
948 + _has_to_adjust_permissions=1
949 + debug-print "Need to adjust permissions to fix CVE-2016-1247!"
950 + fi
951 + fi
952 + done
953 +
954 + if [[ ${_has_to_adjust_permissions} -eq 1 ]]; then
955 + # We do not DIE when chmod/chown commands are failing because
956 + # package is already merged on user's system at this stage
957 + # and we cannot retry without losing the information that
958 + # the existing installation needs to adjust permissions.
959 + # Instead we are going to a show a big warning ...
960 +
961 + if [[ ${_has_to_show_permission_warning} -eq 0 ]] && [[ ${_need_to_fix_CVE2013_0337} -eq 1 ]]; then
962 + ewarn ""
963 + ewarn "The world-readable bit (if set) has been removed from the"
964 + ewarn "following directories to mitigate a security bug"
965 + ewarn "(CVE-2013-0337, bug #458726):"
966 + ewarn ""
967 + ewarn " ${EPREFIX%/}/var/log/nginx"
968 + ewarn " ${EPREFIX%/}${NGINX_HOME_TMP}/{,client,proxy,fastcgi,scgi,uwsgi}"
969 + ewarn ""
970 + ewarn "Check if this is correct for your setup before restarting nginx!"
971 + ewarn "This is a one-time change and will not happen on subsequent updates."
972 + ewarn "Furthermore nginx' temp directories got moved to '${EPREFIX%/}${NGINX_HOME_TMP}'"
973 + chmod o-rwx \
974 + "${EPREFIX%/}"/var/log/nginx \
975 + "${EPREFIX%/}"${NGINX_HOME_TMP}/{,client,proxy,fastcgi,scgi,uwsgi} || \
976 + _has_to_show_permission_warning=1
977 + fi
978 +
979 + if [[ ${_has_to_show_permission_warning} -eq 0 ]] && [[ ${_need_to_fix_CVE2016_1247} -eq 1 ]]; then
980 + ewarn ""
981 + ewarn "The permissions on the following directory have been reset in"
982 + ewarn "order to mitigate a security bug (CVE-2016-1247, bug #605008):"
983 + ewarn ""
984 + ewarn " ${EPREFIX%/}/var/log/nginx"
985 + ewarn ""
986 + ewarn "Check if this is correct for your setup before restarting nginx!"
987 + ewarn "Also ensure that no other log directory used by any of your"
988 + ewarn "vhost(s) is not writeable for nginx user. Any of your log files"
989 + ewarn "used by nginx can be abused to escalate privileges!"
990 + ewarn "This is a one-time change and will not happen on subsequent updates."
991 + chown 0:nginx "${EPREFIX%/}"/var/log/nginx || _has_to_show_permission_warning=1
992 + chmod 710 "${EPREFIX%/}"/var/log/nginx || _has_to_show_permission_warning=1
993 + fi
994 +
995 + if [[ ${_has_to_show_permission_warning} -eq 1 ]]; then
996 + # Should never happen ...
997 + ewarn ""
998 + ewarn "*************************************************************"
999 + ewarn "*************** W A R N I N G ***************"
1000 + ewarn "*************************************************************"
1001 + ewarn "The one-time only attempt to adjust permissions of the"
1002 + ewarn "existing nginx installation failed. Be aware that we will not"
1003 + ewarn "try to adjust the same permissions again because now you are"
1004 + ewarn "using a nginx version where we expect that the permissions"
1005 + ewarn "are already adjusted or that you know what you are doing and"
1006 + ewarn "want to keep custom permissions."
1007 + ewarn ""
1008 + fi
1009 + fi
1010 +
1011 + # Sanity check for CVE-2016-1247
1012 + # Required to warn users who received the warning above and thought
1013 + # they could fix it by unmerging and re-merging the package or have
1014 + # unmerged a affected installation on purpose in the past leaving
1015 + # /var/log/nginx on their system due to keepdir/non-empty folder
1016 + # and are now installing the package again.
1017 + local _sanity_check_testfile=$(mktemp --dry-run "${EPREFIX%/}"/var/log/nginx/.CVE-2016-1247.XXXXXXXXX)
1018 + su -s /bin/sh -c "touch ${_sanity_check_testfile}" nginx >&/dev/null
1019 + if [ $? -eq 0 ] ; then
1020 + # Cleanup -- no reason to die here!
1021 + rm -f "${_sanity_check_testfile}"
1022 +
1023 + ewarn ""
1024 + ewarn "*************************************************************"
1025 + ewarn "*************** W A R N I N G ***************"
1026 + ewarn "*************************************************************"
1027 + ewarn "Looks like your installation is vulnerable to CVE-2016-1247"
1028 + ewarn "(bug #605008) because nginx user is able to create files in"
1029 + ewarn ""
1030 + ewarn " ${EPREFIX%/}/var/log/nginx"
1031 + ewarn ""
1032 + ewarn "Also ensure that no other log directory used by any of your"
1033 + ewarn "vhost(s) is not writeable for nginx user. Any of your log files"
1034 + ewarn "used by nginx can be abused to escalate privileges!"
1035 + fi
1036 +
1037 + if [[ ${_has_to_show_httpoxy_mitigation_notice} -eq 1 ]]; then
1038 + # HTTPoxy mitigation
1039 + ewarn ""
1040 + ewarn "This nginx installation comes with a mitigation for the HTTPoxy"
1041 + ewarn "vulnerability for FastCGI, SCGI and uWSGI applications by setting"
1042 + ewarn "the HTTP_PROXY parameter to an empty string per default when you"
1043 + ewarn "are sourcing one of the default"
1044 + ewarn ""
1045 + ewarn " - 'fastcgi_params' or 'fastcgi.conf'"
1046 + ewarn " - 'scgi_params'"
1047 + ewarn " - 'uwsgi_params'"
1048 + ewarn ""
1049 + ewarn "files in your server block(s)."
1050 + ewarn ""
1051 + ewarn "If this is causing any problems for you make sure that you are sourcing the"
1052 + ewarn "default parameters _before_ you set your own values."
1053 + ewarn "If you are relying on user-supplied proxy values you have to remove the"
1054 + ewarn "correlating lines from the file(s) mentioned above."
1055 + ewarn ""
1056 + fi
1057 +}
1058
1059 diff --git a/www-servers/nginx/nginx-1.13.6-r1.ebuild b/www-servers/nginx/nginx-1.13.6-r1.ebuild
1060 new file mode 100644
1061 index 00000000000..98e2bf7e78a
1062 --- /dev/null
1063 +++ b/www-servers/nginx/nginx-1.13.6-r1.ebuild
1064 @@ -0,0 +1,1006 @@
1065 +# Copyright 1999-2017 Gentoo Foundation
1066 +# Distributed under the terms of the GNU General Public License v2
1067 +
1068 +EAPI="6"
1069 +
1070 +# Maintainer notes:
1071 +# - http_rewrite-independent pcre-support makes sense for matching locations without an actual rewrite
1072 +# - any http-module activates the main http-functionality and overrides USE=-http
1073 +# - keep the following requirements in mind before adding external modules:
1074 +# * alive upstream
1075 +# * sane packaging
1076 +# * builds cleanly
1077 +# * does not need a patch for nginx core
1078 +# - TODO: test the google-perftools module (included in vanilla tarball)
1079 +
1080 +# prevent perl-module from adding automagic perl DEPENDs
1081 +GENTOO_DEPEND_ON_PERL="no"
1082 +
1083 +# devel_kit (https://github.com/simpl/ngx_devel_kit, BSD license)
1084 +DEVEL_KIT_MODULE_PV="0.3.0"
1085 +DEVEL_KIT_MODULE_P="ngx_devel_kit-${DEVEL_KIT_MODULE_PV}-r1"
1086 +DEVEL_KIT_MODULE_URI="https://github.com/simpl/ngx_devel_kit/archive/v${DEVEL_KIT_MODULE_PV}.tar.gz"
1087 +DEVEL_KIT_MODULE_WD="${WORKDIR}/ngx_devel_kit-${DEVEL_KIT_MODULE_PV}"
1088 +
1089 +# http_uploadprogress (https://github.com/masterzen/nginx-upload-progress-module, BSD-2 license)
1090 +HTTP_UPLOAD_PROGRESS_MODULE_PV="0.9.2"
1091 +HTTP_UPLOAD_PROGRESS_MODULE_P="ngx_http_upload_progress-${HTTP_UPLOAD_PROGRESS_MODULE_PV}-r1"
1092 +HTTP_UPLOAD_PROGRESS_MODULE_URI="https://github.com/masterzen/nginx-upload-progress-module/archive/v${HTTP_UPLOAD_PROGRESS_MODULE_PV}.tar.gz"
1093 +HTTP_UPLOAD_PROGRESS_MODULE_WD="${WORKDIR}/nginx-upload-progress-module-${HTTP_UPLOAD_PROGRESS_MODULE_PV}"
1094 +
1095 +# http_headers_more (https://github.com/agentzh/headers-more-nginx-module, BSD license)
1096 +HTTP_HEADERS_MORE_MODULE_PV="0.32"
1097 +HTTP_HEADERS_MORE_MODULE_P="ngx_http_headers_more-${HTTP_HEADERS_MORE_MODULE_PV}"
1098 +HTTP_HEADERS_MORE_MODULE_URI="https://github.com/agentzh/headers-more-nginx-module/archive/v${HTTP_HEADERS_MORE_MODULE_PV}.tar.gz"
1099 +HTTP_HEADERS_MORE_MODULE_WD="${WORKDIR}/headers-more-nginx-module-${HTTP_HEADERS_MORE_MODULE_PV}"
1100 +
1101 +# http_cache_purge (http://labs.frickle.com/nginx_ngx_cache_purge/, https://github.com/FRiCKLE/ngx_cache_purge, BSD-2 license)
1102 +HTTP_CACHE_PURGE_MODULE_PV="2.3"
1103 +HTTP_CACHE_PURGE_MODULE_P="ngx_http_cache_purge-${HTTP_CACHE_PURGE_MODULE_PV}"
1104 +HTTP_CACHE_PURGE_MODULE_URI="http://labs.frickle.com/files/ngx_cache_purge-${HTTP_CACHE_PURGE_MODULE_PV}.tar.gz"
1105 +HTTP_CACHE_PURGE_MODULE_WD="${WORKDIR}/ngx_cache_purge-${HTTP_CACHE_PURGE_MODULE_PV}"
1106 +
1107 +# http_slowfs_cache (http://labs.frickle.com/nginx_ngx_slowfs_cache/, BSD-2 license)
1108 +HTTP_SLOWFS_CACHE_MODULE_PV="1.10"
1109 +HTTP_SLOWFS_CACHE_MODULE_P="ngx_http_slowfs_cache-${HTTP_SLOWFS_CACHE_MODULE_PV}"
1110 +HTTP_SLOWFS_CACHE_MODULE_URI="http://labs.frickle.com/files/ngx_slowfs_cache-${HTTP_SLOWFS_CACHE_MODULE_PV}.tar.gz"
1111 +HTTP_SLOWFS_CACHE_MODULE_WD="${WORKDIR}/ngx_slowfs_cache-${HTTP_SLOWFS_CACHE_MODULE_PV}"
1112 +
1113 +# http_fancyindex (https://github.com/aperezdc/ngx-fancyindex, BSD license)
1114 +HTTP_FANCYINDEX_MODULE_PV="0.4.2"
1115 +HTTP_FANCYINDEX_MODULE_P="ngx_http_fancyindex-${HTTP_FANCYINDEX_MODULE_PV}"
1116 +HTTP_FANCYINDEX_MODULE_URI="https://github.com/aperezdc/ngx-fancyindex/archive/v${HTTP_FANCYINDEX_MODULE_PV}.tar.gz"
1117 +HTTP_FANCYINDEX_MODULE_WD="${WORKDIR}/ngx-fancyindex-${HTTP_FANCYINDEX_MODULE_PV}"
1118 +
1119 +# http_lua (https://github.com/openresty/lua-nginx-module, BSD license)
1120 +HTTP_LUA_MODULE_PV="0.10.10"
1121 +HTTP_LUA_MODULE_P="ngx_http_lua-${HTTP_LUA_MODULE_PV}"
1122 +HTTP_LUA_MODULE_URI="https://github.com/openresty/lua-nginx-module/archive/v${HTTP_LUA_MODULE_PV}.tar.gz"
1123 +HTTP_LUA_MODULE_WD="${WORKDIR}/lua-nginx-module-${HTTP_LUA_MODULE_PV}"
1124 +
1125 +# http_auth_pam (https://github.com/stogh/ngx_http_auth_pam_module/, http://web.iti.upv.es/~sto/nginx/, BSD-2 license)
1126 +HTTP_AUTH_PAM_MODULE_PV="1.5.1"
1127 +HTTP_AUTH_PAM_MODULE_P="ngx_http_auth_pam-${HTTP_AUTH_PAM_MODULE_PV}"
1128 +HTTP_AUTH_PAM_MODULE_URI="https://github.com/stogh/ngx_http_auth_pam_module/archive/v${HTTP_AUTH_PAM_MODULE_PV}.tar.gz"
1129 +HTTP_AUTH_PAM_MODULE_WD="${WORKDIR}/ngx_http_auth_pam_module-${HTTP_AUTH_PAM_MODULE_PV}"
1130 +
1131 +# http_upstream_check (https://github.com/yaoweibin/nginx_upstream_check_module, BSD license)
1132 +HTTP_UPSTREAM_CHECK_MODULE_PV="31b1b42873fa56620d8a873ac13f5f26b52d0cd6"
1133 +HTTP_UPSTREAM_CHECK_MODULE_P="ngx_http_upstream_check-${HTTP_UPSTREAM_CHECK_MODULE_PV}"
1134 +HTTP_UPSTREAM_CHECK_MODULE_URI="https://github.com/yaoweibin/nginx_upstream_check_module/archive/${HTTP_UPSTREAM_CHECK_MODULE_PV}.tar.gz"
1135 +HTTP_UPSTREAM_CHECK_MODULE_WD="${WORKDIR}/nginx_upstream_check_module-${HTTP_UPSTREAM_CHECK_MODULE_PV}"
1136 +
1137 +# http_metrics (https://github.com/zenops/ngx_metrics, BSD license)
1138 +HTTP_METRICS_MODULE_PV="0.1.1"
1139 +HTTP_METRICS_MODULE_P="ngx_metrics-${HTTP_METRICS_MODULE_PV}"
1140 +HTTP_METRICS_MODULE_URI="https://github.com/madvertise/ngx_metrics/archive/v${HTTP_METRICS_MODULE_PV}.tar.gz"
1141 +HTTP_METRICS_MODULE_WD="${WORKDIR}/ngx_metrics-${HTTP_METRICS_MODULE_PV}"
1142 +
1143 +# naxsi-core (https://github.com/nbs-system/naxsi, GPLv2+)
1144 +HTTP_NAXSI_MODULE_PV="0.55.3"
1145 +HTTP_NAXSI_MODULE_P="ngx_http_naxsi-${HTTP_NAXSI_MODULE_PV}"
1146 +HTTP_NAXSI_MODULE_URI="https://github.com/nbs-system/naxsi/archive/${HTTP_NAXSI_MODULE_PV}.tar.gz"
1147 +HTTP_NAXSI_MODULE_WD="${WORKDIR}/naxsi-${HTTP_NAXSI_MODULE_PV}/naxsi_src"
1148 +
1149 +# nginx-rtmp-module (https://github.com/arut/nginx-rtmp-module, BSD license)
1150 +RTMP_MODULE_PV="1.2.0"
1151 +RTMP_MODULE_P="ngx_rtmp-${RTMP_MODULE_PV}"
1152 +RTMP_MODULE_URI="https://github.com/arut/nginx-rtmp-module/archive/v${RTMP_MODULE_PV}.tar.gz"
1153 +RTMP_MODULE_WD="${WORKDIR}/nginx-rtmp-module-${RTMP_MODULE_PV}"
1154 +
1155 +# nginx-dav-ext-module (https://github.com/arut/nginx-dav-ext-module, BSD license)
1156 +HTTP_DAV_EXT_MODULE_PV="0.1.0"
1157 +HTTP_DAV_EXT_MODULE_P="ngx_http_dav_ext-${HTTP_DAV_EXT_MODULE_PV}"
1158 +HTTP_DAV_EXT_MODULE_URI="https://github.com/arut/nginx-dav-ext-module/archive/v${HTTP_DAV_EXT_MODULE_PV}.tar.gz"
1159 +HTTP_DAV_EXT_MODULE_WD="${WORKDIR}/nginx-dav-ext-module-${HTTP_DAV_EXT_MODULE_PV}"
1160 +
1161 +# echo-nginx-module (https://github.com/openresty/echo-nginx-module, BSD license)
1162 +HTTP_ECHO_MODULE_PV="0.61"
1163 +HTTP_ECHO_MODULE_P="ngx_http_echo-${HTTP_ECHO_MODULE_PV}"
1164 +HTTP_ECHO_MODULE_URI="https://github.com/openresty/echo-nginx-module/archive/v${HTTP_ECHO_MODULE_PV}.tar.gz"
1165 +HTTP_ECHO_MODULE_WD="${WORKDIR}/echo-nginx-module-${HTTP_ECHO_MODULE_PV}"
1166 +
1167 +# mod_security for nginx (https://modsecurity.org/, Apache-2.0)
1168 +# keep the MODULE_P here consistent with upstream to avoid tarball duplication
1169 +HTTP_SECURITY_MODULE_PV="2.9.2"
1170 +HTTP_SECURITY_MODULE_P="modsecurity-${HTTP_SECURITY_MODULE_PV}"
1171 +HTTP_SECURITY_MODULE_URI="https://www.modsecurity.org/tarball/${HTTP_SECURITY_MODULE_PV}/${HTTP_SECURITY_MODULE_P}.tar.gz"
1172 +HTTP_SECURITY_MODULE_WD="${WORKDIR}/${HTTP_SECURITY_MODULE_P}"
1173 +
1174 +# push-stream-module (http://www.nginxpushstream.com, https://github.com/wandenberg/nginx-push-stream-module, GPL-3)
1175 +HTTP_PUSH_STREAM_MODULE_PV="0.5.2"
1176 +HTTP_PUSH_STREAM_MODULE_P="ngx_http_push_stream-${HTTP_PUSH_STREAM_MODULE_PV}"
1177 +HTTP_PUSH_STREAM_MODULE_URI="https://github.com/wandenberg/nginx-push-stream-module/archive/${HTTP_PUSH_STREAM_MODULE_PV}.tar.gz"
1178 +HTTP_PUSH_STREAM_MODULE_WD="${WORKDIR}/nginx-push-stream-module-${HTTP_PUSH_STREAM_MODULE_PV}"
1179 +
1180 +# sticky-module (https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng, BSD-2)
1181 +HTTP_STICKY_MODULE_PV="1.2.6-10-g08a395c66e42"
1182 +HTTP_STICKY_MODULE_P="nginx_http_sticky_module_ng-${HTTP_STICKY_MODULE_PV}"
1183 +HTTP_STICKY_MODULE_URI="https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/get/${HTTP_STICKY_MODULE_PV}.tar.bz2"
1184 +HTTP_STICKY_MODULE_WD="${WORKDIR}/nginx-goodies-nginx-sticky-module-ng-08a395c66e42"
1185 +
1186 +# mogilefs-module (https://github.com/vkholodkov/nginx-mogilefs-module, BSD-2)
1187 +HTTP_MOGILEFS_MODULE_PV="1.0.4"
1188 +HTTP_MOGILEFS_MODULE_P="ngx_mogilefs_module-${HTTP_MOGILEFS_MODULE_PV}"
1189 +HTTP_MOGILEFS_MODULE_URI="https://github.com/vkholodkov/nginx-mogilefs-module/archive/${HTTP_MOGILEFS_MODULE_PV}.tar.gz"
1190 +HTTP_MOGILEFS_MODULE_WD="${WORKDIR}/nginx_mogilefs_module-${HTTP_MOGILEFS_MODULE_PV}"
1191 +
1192 +# memc-module (https://github.com/openresty/memc-nginx-module, BSD-2)
1193 +HTTP_MEMC_MODULE_PV="0.18"
1194 +HTTP_MEMC_MODULE_P="ngx_memc_module-${HTTP_MEMC_MODULE_PV}"
1195 +HTTP_MEMC_MODULE_URI="https://github.com/openresty/memc-nginx-module/archive/v${HTTP_MEMC_MODULE_PV}.tar.gz"
1196 +HTTP_MEMC_MODULE_WD="${WORKDIR}/memc-nginx-module-${HTTP_MEMC_MODULE_PV}"
1197 +
1198 +# nginx-ldap-auth-module (https://github.com/kvspb/nginx-auth-ldap, BSD-2)
1199 +HTTP_LDAP_MODULE_PV="49a8b4d28fc4a518563c82e0b52821e5f37db1fc"
1200 +HTTP_LDAP_MODULE_P="nginx-auth-ldap-${HTTP_LDAP_MODULE_PV}"
1201 +HTTP_LDAP_MODULE_URI="https://github.com/kvspb/nginx-auth-ldap/archive/${HTTP_LDAP_MODULE_PV}.tar.gz"
1202 +HTTP_LDAP_MODULE_WD="${WORKDIR}/nginx-auth-ldap-${HTTP_LDAP_MODULE_PV}"
1203 +
1204 +# We handle deps below ourselves
1205 +SSL_DEPS_SKIP=1
1206 +AUTOTOOLS_AUTO_DEPEND="no"
1207 +
1208 +inherit autotools ssl-cert toolchain-funcs perl-module flag-o-matic user systemd versionator multilib
1209 +
1210 +DESCRIPTION="Robust, small and high performance http and reverse proxy server"
1211 +HOMEPAGE="https://nginx.org"
1212 +SRC_URI="https://nginx.org/download/${P}.tar.gz
1213 + ${DEVEL_KIT_MODULE_URI} -> ${DEVEL_KIT_MODULE_P}.tar.gz
1214 + nginx_modules_http_upload_progress? ( ${HTTP_UPLOAD_PROGRESS_MODULE_URI} -> ${HTTP_UPLOAD_PROGRESS_MODULE_P}.tar.gz )
1215 + nginx_modules_http_headers_more? ( ${HTTP_HEADERS_MORE_MODULE_URI} -> ${HTTP_HEADERS_MORE_MODULE_P}.tar.gz )
1216 + nginx_modules_http_cache_purge? ( ${HTTP_CACHE_PURGE_MODULE_URI} -> ${HTTP_CACHE_PURGE_MODULE_P}.tar.gz )
1217 + nginx_modules_http_slowfs_cache? ( ${HTTP_SLOWFS_CACHE_MODULE_URI} -> ${HTTP_SLOWFS_CACHE_MODULE_P}.tar.gz )
1218 + nginx_modules_http_fancyindex? ( ${HTTP_FANCYINDEX_MODULE_URI} -> ${HTTP_FANCYINDEX_MODULE_P}.tar.gz )
1219 + nginx_modules_http_lua? ( ${HTTP_LUA_MODULE_URI} -> ${HTTP_LUA_MODULE_P}.tar.gz )
1220 + nginx_modules_http_auth_pam? ( ${HTTP_AUTH_PAM_MODULE_URI} -> ${HTTP_AUTH_PAM_MODULE_P}.tar.gz )
1221 + nginx_modules_http_upstream_check? ( ${HTTP_UPSTREAM_CHECK_MODULE_URI} -> ${HTTP_UPSTREAM_CHECK_MODULE_P}.tar.gz )
1222 + nginx_modules_http_metrics? ( ${HTTP_METRICS_MODULE_URI} -> ${HTTP_METRICS_MODULE_P}.tar.gz )
1223 + nginx_modules_http_naxsi? ( ${HTTP_NAXSI_MODULE_URI} -> ${HTTP_NAXSI_MODULE_P}.tar.gz )
1224 + rtmp? ( ${RTMP_MODULE_URI} -> ${RTMP_MODULE_P}.tar.gz )
1225 + nginx_modules_http_dav_ext? ( ${HTTP_DAV_EXT_MODULE_URI} -> ${HTTP_DAV_EXT_MODULE_P}.tar.gz )
1226 + nginx_modules_http_echo? ( ${HTTP_ECHO_MODULE_URI} -> ${HTTP_ECHO_MODULE_P}.tar.gz )
1227 + nginx_modules_http_security? ( ${HTTP_SECURITY_MODULE_URI} -> ${HTTP_SECURITY_MODULE_P}.tar.gz )
1228 + nginx_modules_http_push_stream? ( ${HTTP_PUSH_STREAM_MODULE_URI} -> ${HTTP_PUSH_STREAM_MODULE_P}.tar.gz )
1229 + nginx_modules_http_sticky? ( ${HTTP_STICKY_MODULE_URI} -> ${HTTP_STICKY_MODULE_P}.tar.bz2 )
1230 + nginx_modules_http_mogilefs? ( ${HTTP_MOGILEFS_MODULE_URI} -> ${HTTP_MOGILEFS_MODULE_P}.tar.gz )
1231 + nginx_modules_http_memc? ( ${HTTP_MEMC_MODULE_URI} -> ${HTTP_MEMC_MODULE_P}.tar.gz )
1232 + nginx_modules_http_auth_ldap? ( ${HTTP_LDAP_MODULE_URI} -> ${HTTP_LDAP_MODULE_P}.tar.gz )"
1233 +
1234 +LICENSE="BSD-2 BSD SSLeay MIT GPL-2 GPL-2+
1235 + nginx_modules_http_security? ( Apache-2.0 )
1236 + nginx_modules_http_push_stream? ( GPL-3 )"
1237 +
1238 +SLOT="mainline"
1239 +KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~x86 ~x86-fbsd ~amd64-linux ~x86-linux"
1240 +
1241 +# Package doesn't provide a real test suite
1242 +RESTRICT="test"
1243 +
1244 +NGINX_MODULES_STD="access auth_basic autoindex browser charset empty_gif
1245 + fastcgi geo gzip limit_req limit_conn map memcached mirror proxy
1246 + referer rewrite scgi ssi split_clients upstream_hash
1247 + upstream_ip_hash upstream_keepalive upstream_least_conn
1248 + upstream_zone userid uwsgi"
1249 +NGINX_MODULES_OPT="addition auth_request dav degradation flv geoip gunzip
1250 + gzip_static image_filter mp4 perl random_index realip secure_link
1251 + slice stub_status sub xslt"
1252 +NGINX_MODULES_STREAM_STD="access geo limit_conn map return split_clients
1253 + upstream_hash upstream_least_conn upstream_zone"
1254 +NGINX_MODULES_STREAM_OPT="geoip realip ssl_preread"
1255 +NGINX_MODULES_MAIL="imap pop3 smtp"
1256 +NGINX_MODULES_3RD="
1257 + http_upload_progress
1258 + http_headers_more
1259 + http_cache_purge
1260 + http_slowfs_cache
1261 + http_fancyindex
1262 + http_lua
1263 + http_auth_pam
1264 + http_upstream_check
1265 + http_metrics
1266 + http_naxsi
1267 + http_dav_ext
1268 + http_echo
1269 + http_security
1270 + http_push_stream
1271 + http_sticky
1272 + http_mogilefs
1273 + http_memc
1274 + http_auth_ldap"
1275 +
1276 +IUSE="aio debug +http +http2 +http-cache +ipv6 libatomic libressl luajit +pcre
1277 + pcre-jit rtmp selinux ssl threads userland_GNU vim-syntax"
1278 +
1279 +for mod in $NGINX_MODULES_STD; do
1280 + IUSE="${IUSE} +nginx_modules_http_${mod}"
1281 +done
1282 +
1283 +for mod in $NGINX_MODULES_OPT; do
1284 + IUSE="${IUSE} nginx_modules_http_${mod}"
1285 +done
1286 +
1287 +for mod in $NGINX_MODULES_STREAM_STD; do
1288 + IUSE="${IUSE} nginx_modules_stream_${mod}"
1289 +done
1290 +
1291 +for mod in $NGINX_MODULES_STREAM_OPT; do
1292 + IUSE="${IUSE} nginx_modules_stream_${mod}"
1293 +done
1294 +
1295 +for mod in $NGINX_MODULES_MAIL; do
1296 + IUSE="${IUSE} nginx_modules_mail_${mod}"
1297 +done
1298 +
1299 +for mod in $NGINX_MODULES_3RD; do
1300 + IUSE="${IUSE} nginx_modules_${mod}"
1301 +done
1302 +
1303 +# Add so we can warn users updating about config changes
1304 +# @TODO: jbergstroem: remove on next release series
1305 +IUSE="${IUSE} nginx_modules_http_spdy"
1306 +
1307 +CDEPEND="
1308 + pcre? ( dev-libs/libpcre:= )
1309 + pcre-jit? ( dev-libs/libpcre:=[jit] )
1310 + ssl? (
1311 + !libressl? ( dev-libs/openssl:0= )
1312 + libressl? ( dev-libs/libressl:= )
1313 + )
1314 + http2? (
1315 + !libressl? ( >=dev-libs/openssl-1.0.1c:0= )
1316 + libressl? ( dev-libs/libressl:= )
1317 + )
1318 + http-cache? (
1319 + userland_GNU? (
1320 + !libressl? ( dev-libs/openssl:0= )
1321 + libressl? ( dev-libs/libressl:= )
1322 + )
1323 + )
1324 + nginx_modules_http_geoip? ( dev-libs/geoip )
1325 + nginx_modules_http_gunzip? ( sys-libs/zlib )
1326 + nginx_modules_http_gzip? ( sys-libs/zlib )
1327 + nginx_modules_http_gzip_static? ( sys-libs/zlib )
1328 + nginx_modules_http_image_filter? ( media-libs/gd:=[jpeg,png] )
1329 + nginx_modules_http_perl? ( >=dev-lang/perl-5.8:= )
1330 + nginx_modules_http_rewrite? ( dev-libs/libpcre:= )
1331 + nginx_modules_http_secure_link? (
1332 + userland_GNU? (
1333 + !libressl? ( dev-libs/openssl:0= )
1334 + libressl? ( dev-libs/libressl:= )
1335 + )
1336 + )
1337 + nginx_modules_http_xslt? ( dev-libs/libxml2:= dev-libs/libxslt )
1338 + nginx_modules_http_lua? ( !luajit? ( dev-lang/lua:0= ) luajit? ( dev-lang/luajit:2= ) )
1339 + nginx_modules_http_auth_pam? ( virtual/pam )
1340 + nginx_modules_http_metrics? ( dev-libs/yajl:= )
1341 + nginx_modules_http_dav_ext? ( dev-libs/expat )
1342 + nginx_modules_http_security? (
1343 + dev-libs/apr:=
1344 + dev-libs/apr-util:=
1345 + dev-libs/libxml2:=
1346 + net-misc/curl
1347 + www-servers/apache
1348 + )
1349 + nginx_modules_http_auth_ldap? ( net-nds/openldap[ssl?] )"
1350 +RDEPEND="${CDEPEND}
1351 + selinux? ( sec-policy/selinux-nginx )
1352 + !www-servers/nginx:0"
1353 +DEPEND="${CDEPEND}
1354 + nginx_modules_http_security? ( ${AUTOTOOLS_DEPEND} )
1355 + arm? ( dev-libs/libatomic_ops )
1356 + libatomic? ( dev-libs/libatomic_ops )"
1357 +PDEPEND="vim-syntax? ( app-vim/nginx-syntax )"
1358 +
1359 +REQUIRED_USE="pcre-jit? ( pcre )
1360 + nginx_modules_http_lua? ( nginx_modules_http_rewrite )
1361 + nginx_modules_http_naxsi? ( pcre )
1362 + nginx_modules_http_dav_ext? ( nginx_modules_http_dav )
1363 + nginx_modules_http_metrics? ( nginx_modules_http_stub_status )
1364 + nginx_modules_http_security? ( pcre )
1365 + nginx_modules_http_push_stream? ( ssl )"
1366 +
1367 +pkg_setup() {
1368 + NGINX_HOME="/var/lib/nginx"
1369 + NGINX_HOME_TMP="${NGINX_HOME}/tmp"
1370 +
1371 + ebegin "Creating nginx user and group"
1372 + enewgroup ${PN}
1373 + enewuser ${PN} -1 -1 "${NGINX_HOME}" ${PN}
1374 + eend $?
1375 +
1376 + if use libatomic; then
1377 + ewarn "GCC 4.1+ features built-in atomic operations."
1378 + ewarn "Using libatomic_ops is only needed if using"
1379 + ewarn "a different compiler or a GCC prior to 4.1"
1380 + fi
1381 +
1382 + if [[ -n $NGINX_ADD_MODULES ]]; then
1383 + ewarn "You are building custom modules via \$NGINX_ADD_MODULES!"
1384 + ewarn "This nginx installation is not supported!"
1385 + ewarn "Make sure you can reproduce the bug without those modules"
1386 + ewarn "_before_ reporting bugs."
1387 + fi
1388 +
1389 + if use !http; then
1390 + ewarn "To actually disable all http-functionality you also have to disable"
1391 + ewarn "all nginx http modules."
1392 + fi
1393 +
1394 + if use nginx_modules_http_mogilefs && use threads; then
1395 + eerror "mogilefs won't compile with threads support."
1396 + eerror "Please disable either flag and try again."
1397 + die "Can't compile mogilefs with threads support"
1398 + fi
1399 +}
1400 +
1401 +src_prepare() {
1402 + eapply "${FILESDIR}/${PN}-1.4.1-fix-perl-install-path.patch"
1403 + eapply "${FILESDIR}/${PN}-httpoxy-mitigation-r1.patch"
1404 +
1405 + if use nginx_modules_http_upstream_check; then
1406 + #eapply -p0 "${HTTP_UPSTREAM_CHECK_MODULE_WD}"/check_1.11.1+.patch
1407 + eapply -p0 "${FILESDIR}"/http_upstream_check-nginx-1.11.5+.patch
1408 + fi
1409 +
1410 + if use nginx_modules_http_cache_purge; then
1411 + cd "${HTTP_CACHE_PURGE_MODULE_WD}" || die
1412 + eapply "${FILESDIR}"/http_cache_purge-1.11.6+.patch
1413 + cd "${S}" || die
1414 + fi
1415 +
1416 + if use nginx_modules_http_security; then
1417 + cd "${HTTP_SECURITY_MODULE_WD}" || die
1418 +
1419 + eautoreconf
1420 +
1421 + if use luajit ; then
1422 + sed -i \
1423 + -e 's|^\(LUA_PKGNAMES\)=.*|\1="luajit"|' \
1424 + configure || die
1425 + fi
1426 +
1427 + cd "${S}" || die
1428 + fi
1429 +
1430 + if use nginx_modules_http_upload_progress; then
1431 + cd "${HTTP_UPLOAD_PROGRESS_MODULE_WD}" || die
1432 + eapply "${FILESDIR}"/http_uploadprogress-issue_50-r1.patch
1433 + cd "${S}" || die
1434 + fi
1435 +
1436 + find auto/ -type f -print0 | xargs -0 sed -i 's:\&\& make:\&\& \\$(MAKE):' || die
1437 + # We have config protection, don't rename etc files
1438 + sed -i 's:.default::' auto/install || die
1439 + # remove useless files
1440 + sed -i -e '/koi-/d' -e '/win-/d' auto/install || die
1441 +
1442 + # don't install to /etc/nginx/ if not in use
1443 + local module
1444 + for module in fastcgi scgi uwsgi ; do
1445 + if ! use nginx_modules_http_${module}; then
1446 + sed -i -e "/${module}/d" auto/install || die
1447 + fi
1448 + done
1449 +
1450 + eapply_user
1451 +}
1452 +
1453 +src_configure() {
1454 + # mod_security needs to generate nginx/modsecurity/config before including it
1455 + if use nginx_modules_http_security; then
1456 + cd "${HTTP_SECURITY_MODULE_WD}" || die
1457 +
1458 + ./configure \
1459 + --enable-standalone-module \
1460 + --disable-mlogc \
1461 + --with-ssdeep=no \
1462 + $(use_enable pcre-jit) \
1463 + $(use_with nginx_modules_http_lua lua) || die "configure failed for mod_security"
1464 +
1465 + cd "${S}" || die
1466 + fi
1467 +
1468 + local myconf=() http_enabled= mail_enabled= stream_enabled=
1469 +
1470 + use aio && myconf+=( --with-file-aio )
1471 + use debug && myconf+=( --with-debug )
1472 + use http2 && myconf+=( --with-http_v2_module )
1473 + use libatomic && myconf+=( --with-libatomic )
1474 + use pcre && myconf+=( --with-pcre )
1475 + use pcre-jit && myconf+=( --with-pcre-jit )
1476 + use threads && myconf+=( --with-threads )
1477 +
1478 + # HTTP modules
1479 + for mod in $NGINX_MODULES_STD; do
1480 + if use nginx_modules_http_${mod}; then
1481 + http_enabled=1
1482 + else
1483 + myconf+=( --without-http_${mod}_module )
1484 + fi
1485 + done
1486 +
1487 + for mod in $NGINX_MODULES_OPT; do
1488 + if use nginx_modules_http_${mod}; then
1489 + http_enabled=1
1490 + myconf+=( --with-http_${mod}_module )
1491 + fi
1492 + done
1493 +
1494 + if use nginx_modules_http_fastcgi; then
1495 + myconf+=( --with-http_realip_module )
1496 + fi
1497 +
1498 + # third-party modules
1499 + if use nginx_modules_http_upload_progress; then
1500 + http_enabled=1
1501 + myconf+=( --add-module=${HTTP_UPLOAD_PROGRESS_MODULE_WD} )
1502 + fi
1503 +
1504 + if use nginx_modules_http_headers_more; then
1505 + http_enabled=1
1506 + myconf+=( --add-module=${HTTP_HEADERS_MORE_MODULE_WD} )
1507 + fi
1508 +
1509 + if use nginx_modules_http_cache_purge; then
1510 + http_enabled=1
1511 + myconf+=( --add-module=${HTTP_CACHE_PURGE_MODULE_WD} )
1512 + fi
1513 +
1514 + if use nginx_modules_http_slowfs_cache; then
1515 + http_enabled=1
1516 + myconf+=( --add-module=${HTTP_SLOWFS_CACHE_MODULE_WD} )
1517 + fi
1518 +
1519 + if use nginx_modules_http_fancyindex; then
1520 + http_enabled=1
1521 + myconf+=( --add-module=${HTTP_FANCYINDEX_MODULE_WD} )
1522 + fi
1523 +
1524 + if use nginx_modules_http_lua; then
1525 + http_enabled=1
1526 + if use luajit; then
1527 + export LUAJIT_LIB=$(pkg-config --variable libdir luajit)
1528 + export LUAJIT_INC=$(pkg-config --variable includedir luajit)
1529 + else
1530 + export LUA_LIB=$(pkg-config --variable libdir lua)
1531 + export LUA_INC=$(pkg-config --variable includedir lua)
1532 + fi
1533 + myconf+=( --add-module=${DEVEL_KIT_MODULE_WD} )
1534 + myconf+=( --add-module=${HTTP_LUA_MODULE_WD} )
1535 + fi
1536 +
1537 + if use nginx_modules_http_auth_pam; then
1538 + http_enabled=1
1539 + myconf+=( --add-module=${HTTP_AUTH_PAM_MODULE_WD} )
1540 + fi
1541 +
1542 + if use nginx_modules_http_upstream_check; then
1543 + http_enabled=1
1544 + myconf+=( --add-module=${HTTP_UPSTREAM_CHECK_MODULE_WD} )
1545 + fi
1546 +
1547 + if use nginx_modules_http_metrics; then
1548 + http_enabled=1
1549 + myconf+=( --add-module=${HTTP_METRICS_MODULE_WD} )
1550 + fi
1551 +
1552 + if use nginx_modules_http_naxsi ; then
1553 + http_enabled=1
1554 + myconf+=( --add-module=${HTTP_NAXSI_MODULE_WD} )
1555 + fi
1556 +
1557 + if use rtmp ; then
1558 + http_enabled=1
1559 + myconf+=( --add-module=${RTMP_MODULE_WD} )
1560 + fi
1561 +
1562 + if use nginx_modules_http_dav_ext ; then
1563 + http_enabled=1
1564 + myconf+=( --add-module=${HTTP_DAV_EXT_MODULE_WD} )
1565 + fi
1566 +
1567 + if use nginx_modules_http_echo ; then
1568 + http_enabled=1
1569 + myconf+=( --add-module=${HTTP_ECHO_MODULE_WD} )
1570 + fi
1571 +
1572 + if use nginx_modules_http_security ; then
1573 + http_enabled=1
1574 + myconf+=( --add-module=${HTTP_SECURITY_MODULE_WD}/nginx/modsecurity )
1575 + fi
1576 +
1577 + if use nginx_modules_http_push_stream ; then
1578 + http_enabled=1
1579 + myconf+=( --add-module=${HTTP_PUSH_STREAM_MODULE_WD} )
1580 + fi
1581 +
1582 + if use nginx_modules_http_sticky ; then
1583 + http_enabled=1
1584 + myconf+=( --add-module=${HTTP_STICKY_MODULE_WD} )
1585 + fi
1586 +
1587 + if use nginx_modules_http_mogilefs ; then
1588 + http_enabled=1
1589 + myconf+=( --add-module=${HTTP_MOGILEFS_MODULE_WD} )
1590 + fi
1591 +
1592 + if use nginx_modules_http_memc ; then
1593 + http_enabled=1
1594 + myconf+=( --add-module=${HTTP_MEMC_MODULE_WD} )
1595 + fi
1596 +
1597 + if use nginx_modules_http_auth_ldap; then
1598 + http_enabled=1
1599 + myconf+=( --add-module=${HTTP_LDAP_MODULE_WD} )
1600 + fi
1601 +
1602 + if use http || use http-cache || use http2; then
1603 + http_enabled=1
1604 + fi
1605 +
1606 + if [ $http_enabled ]; then
1607 + use http-cache || myconf+=( --without-http-cache )
1608 + use ssl && myconf+=( --with-http_ssl_module )
1609 + else
1610 + myconf+=( --without-http --without-http-cache )
1611 + fi
1612 +
1613 + # Stream modules
1614 + for mod in $NGINX_MODULES_STREAM_STD; do
1615 + if use nginx_modules_stream_${mod}; then
1616 + stream_enabled=1
1617 + else
1618 + myconf+=( --without-stream_${mod}_module )
1619 + fi
1620 + done
1621 +
1622 + for mod in $NGINX_MODULES_STREAM_OPT; do
1623 + if use nginx_modules_stream_${mod}; then
1624 + stream_enabled=1
1625 + myconf+=( --with-stream_${mod}_module )
1626 + fi
1627 + done
1628 +
1629 + if [ $stream_enabled ]; then
1630 + myconf+=( --with-stream )
1631 + use ssl && myconf+=( --with-stream_ssl_module )
1632 + fi
1633 +
1634 + # MAIL modules
1635 + for mod in $NGINX_MODULES_MAIL; do
1636 + if use nginx_modules_mail_${mod}; then
1637 + mail_enabled=1
1638 + else
1639 + myconf+=( --without-mail_${mod}_module )
1640 + fi
1641 + done
1642 +
1643 + if [ $mail_enabled ]; then
1644 + myconf+=( --with-mail )
1645 + use ssl && myconf+=( --with-mail_ssl_module )
1646 + fi
1647 +
1648 + # custom modules
1649 + for mod in $NGINX_ADD_MODULES; do
1650 + myconf+=( --add-module=${mod} )
1651 + done
1652 +
1653 + # https://bugs.gentoo.org/286772
1654 + export LANG=C LC_ALL=C
1655 + tc-export CC
1656 +
1657 + if ! use prefix; then
1658 + myconf+=( --user=${PN} )
1659 + myconf+=( --group=${PN} )
1660 + fi
1661 +
1662 + local WITHOUT_IPV6=
1663 + if ! use ipv6; then
1664 + WITHOUT_IPV6=" -DNGX_HAVE_INET6=0"
1665 + fi
1666 +
1667 + ./configure \
1668 + --prefix="${EPREFIX}"/usr \
1669 + --conf-path="${EPREFIX}"/etc/${PN}/${PN}.conf \
1670 + --error-log-path="${EPREFIX}"/var/log/${PN}/error_log \
1671 + --pid-path="${EPREFIX}"/run/${PN}.pid \
1672 + --lock-path="${EPREFIX}"/run/lock/${PN}.lock \
1673 + --with-cc-opt="-I${EROOT}usr/include${WITHOUT_IPV6}" \
1674 + --with-ld-opt="-L${EROOT}usr/$(get_libdir)" \
1675 + --http-log-path="${EPREFIX}"/var/log/${PN}/access_log \
1676 + --http-client-body-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/client \
1677 + --http-proxy-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/proxy \
1678 + --http-fastcgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/fastcgi \
1679 + --http-scgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/scgi \
1680 + --http-uwsgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/uwsgi \
1681 + --with-compat \
1682 + "${myconf[@]}" || die "configure failed"
1683 +
1684 + # A purely cosmetic change that makes nginx -V more readable. This can be
1685 + # good if people outside the gentoo community would troubleshoot and
1686 + # question the users setup.
1687 + sed -i -e "s|${WORKDIR}|external_module|g" objs/ngx_auto_config.h || die
1688 +}
1689 +
1690 +src_compile() {
1691 + use nginx_modules_http_security && emake -C "${HTTP_SECURITY_MODULE_WD}"
1692 +
1693 + # https://bugs.gentoo.org/286772
1694 + export LANG=C LC_ALL=C
1695 + emake LINK="${CC} ${LDFLAGS}" OTHERLDFLAGS="${LDFLAGS}"
1696 +}
1697 +
1698 +src_install() {
1699 + emake DESTDIR="${D%/}" install
1700 +
1701 + cp "${FILESDIR}"/nginx.conf-r2 "${ED}"etc/nginx/nginx.conf || die
1702 +
1703 + newinitd "${FILESDIR}"/nginx.initd-r4 nginx
1704 + newconfd "${FILESDIR}"/nginx.confd nginx
1705 +
1706 + systemd_newunit "${FILESDIR}"/nginx.service-r1 nginx.service
1707 +
1708 + doman man/nginx.8
1709 + dodoc CHANGES* README
1710 +
1711 + # just keepdir. do not copy the default htdocs files (bug #449136)
1712 + keepdir /var/www/localhost
1713 + rm -rf "${D}"usr/html || die
1714 +
1715 + # set up a list of directories to keep
1716 + local keepdir_list="${NGINX_HOME_TMP}"/client
1717 + local module
1718 + for module in proxy fastcgi scgi uwsgi; do
1719 + use nginx_modules_http_${module} && keepdir_list+=" ${NGINX_HOME_TMP}/${module}"
1720 + done
1721 +
1722 + keepdir /var/log/nginx ${keepdir_list}
1723 +
1724 + # this solves a problem with SELinux where nginx doesn't see the directories
1725 + # as root and tries to create them as nginx
1726 + fperms 0750 "${NGINX_HOME_TMP}"
1727 + fowners ${PN}:0 "${NGINX_HOME_TMP}"
1728 +
1729 + fperms 0700 ${keepdir_list}
1730 + fowners ${PN}:${PN} ${keepdir_list}
1731 +
1732 + fperms 0710 /var/log/nginx
1733 + fowners 0:${PN} /var/log/nginx
1734 +
1735 + # logrotate
1736 + insinto /etc/logrotate.d
1737 + newins "${FILESDIR}"/nginx.logrotate-r1 nginx
1738 +
1739 + if use nginx_modules_http_perl; then
1740 + cd "${S}"/objs/src/http/modules/perl/ || die
1741 + emake DESTDIR="${D}" INSTALLDIRS=vendor
1742 + perl_delete_localpod
1743 + cd "${S}" || die
1744 + fi
1745 +
1746 + if use nginx_modules_http_cache_purge; then
1747 + docinto ${HTTP_CACHE_PURGE_MODULE_P}
1748 + dodoc "${HTTP_CACHE_PURGE_MODULE_WD}"/{CHANGES,README.md,TODO.md}
1749 + fi
1750 +
1751 + if use nginx_modules_http_slowfs_cache; then
1752 + docinto ${HTTP_SLOWFS_CACHE_MODULE_P}
1753 + dodoc "${HTTP_SLOWFS_CACHE_MODULE_WD}"/{CHANGES,README.md}
1754 + fi
1755 +
1756 + if use nginx_modules_http_fancyindex; then
1757 + docinto ${HTTP_FANCYINDEX_MODULE_P}
1758 + dodoc "${HTTP_FANCYINDEX_MODULE_WD}"/README.rst
1759 + fi
1760 +
1761 + if use nginx_modules_http_lua; then
1762 + docinto ${HTTP_LUA_MODULE_P}
1763 + dodoc "${HTTP_LUA_MODULE_WD}"/README.markdown
1764 + fi
1765 +
1766 + if use nginx_modules_http_auth_pam; then
1767 + docinto ${HTTP_AUTH_PAM_MODULE_P}
1768 + dodoc "${HTTP_AUTH_PAM_MODULE_WD}"/{README.md,ChangeLog}
1769 + fi
1770 +
1771 + if use nginx_modules_http_upstream_check; then
1772 + docinto ${HTTP_UPSTREAM_CHECK_MODULE_P}
1773 + dodoc "${HTTP_UPSTREAM_CHECK_MODULE_WD}"/{README,CHANGES}
1774 + fi
1775 +
1776 + if use nginx_modules_http_naxsi; then
1777 + insinto /etc/nginx
1778 + doins "${HTTP_NAXSI_MODULE_WD}"/../naxsi_config/naxsi_core.rules
1779 + fi
1780 +
1781 + if use rtmp; then
1782 + docinto ${RTMP_MODULE_P}
1783 + dodoc "${RTMP_MODULE_WD}"/{AUTHORS,README.md,stat.xsl}
1784 + fi
1785 +
1786 + if use nginx_modules_http_dav_ext; then
1787 + docinto ${HTTP_DAV_EXT_MODULE_P}
1788 + dodoc "${HTTP_DAV_EXT_MODULE_WD}"/README.rst
1789 + fi
1790 +
1791 + if use nginx_modules_http_echo; then
1792 + docinto ${HTTP_ECHO_MODULE_P}
1793 + dodoc "${HTTP_ECHO_MODULE_WD}"/README.markdown
1794 + fi
1795 +
1796 + if use nginx_modules_http_security; then
1797 + docinto ${HTTP_SECURITY_MODULE_P}
1798 + dodoc "${HTTP_SECURITY_MODULE_WD}"/{CHANGES,README.TXT,authors.txt}
1799 + fi
1800 +
1801 + if use nginx_modules_http_push_stream; then
1802 + docinto ${HTTP_PUSH_STREAM_MODULE_P}
1803 + dodoc "${HTTP_PUSH_STREAM_MODULE_WD}"/{AUTHORS,CHANGELOG.textile,README.textile}
1804 + fi
1805 +
1806 + if use nginx_modules_http_sticky; then
1807 + docinto ${HTTP_STICKY_MODULE_P}
1808 + dodoc "${HTTP_STICKY_MODULE_WD}"/{README.md,Changelog.txt,docs/sticky.pdf}
1809 + fi
1810 +
1811 + if use nginx_modules_http_memc; then
1812 + docinto ${HTTP_MEMC_MODULE_P}
1813 + dodoc "${HTTP_MEMC_MODULE_WD}"/README.markdown
1814 + fi
1815 +
1816 + if use nginx_modules_http_auth_ldap; then
1817 + docinto ${HTTP_LDAP_MODULE_P}
1818 + dodoc "${HTTP_LDAP_MODULE_WD}"/example.conf
1819 + fi
1820 +}
1821 +
1822 +pkg_postinst() {
1823 + if use ssl; then
1824 + if [[ ! -f "${EROOT}"etc/ssl/${PN}/${PN}.key ]]; then
1825 + install_cert /etc/ssl/${PN}/${PN}
1826 + use prefix || chown ${PN}:${PN} "${EROOT}"etc/ssl/${PN}/${PN}.{crt,csr,key,pem}
1827 + fi
1828 + fi
1829 +
1830 + if use nginx_modules_http_spdy; then
1831 + ewarn ""
1832 + ewarn "In nginx 1.9.5 the spdy module was superseded by http2."
1833 + ewarn "Update your configs and package.use accordingly."
1834 + fi
1835 +
1836 + if use nginx_modules_http_lua; then
1837 + ewarn ""
1838 + ewarn "While you can build lua 3rd party module against ${P}"
1839 + ewarn "the author warns that >=${PN}-1.11.11 is still not an"
1840 + ewarn "officially supported target yet. You are on your own."
1841 + ewarn "Expect runtime failures, memory leaks and other problems!"
1842 + fi
1843 +
1844 + if use nginx_modules_http_lua && use http2; then
1845 + ewarn ""
1846 + ewarn "Lua 3rd party module author warns against using ${P} with"
1847 + ewarn "NGINX_MODULES_HTTP=\"lua http2\". For more info, see http://git.io/OldLsg"
1848 + fi
1849 +
1850 + local _n_permission_layout_checks=0
1851 + local _has_to_adjust_permissions=0
1852 + local _has_to_show_permission_warning=0
1853 +
1854 + # Defaults to 1 to inform people doing a fresh installation
1855 + # that we ship modified {scgi,uwsgi,fastcgi}_params files
1856 + local _has_to_show_httpoxy_mitigation_notice=1
1857 +
1858 + local _replacing_version=
1859 + for _replacing_version in ${REPLACING_VERSIONS}; do
1860 + _n_permission_layout_checks=$((${_n_permission_layout_checks}+1))
1861 +
1862 + if [[ ${_n_permission_layout_checks} -gt 1 ]]; then
1863 + # Should never happen:
1864 + # Package is abusing slots but doesn't allow multiple parallel installations.
1865 + # If we run into this situation it is unsafe to automatically adjust any
1866 + # permission...
1867 + _has_to_show_permission_warning=1
1868 +
1869 + ewarn "Replacing multiple ${PN}' versions is unsupported! " \
1870 + "You will have to adjust permissions on your own."
1871 +
1872 + break
1873 + fi
1874 +
1875 + local _replacing_version_branch=$(get_version_component_range 1-2 "${_replacing_version}")
1876 + debug-print "Updating an existing installation (v${_replacing_version}; branch '${_replacing_version_branch}') ..."
1877 +
1878 + # Do we need to adjust permissions to fix CVE-2013-0337 (bug #458726, #469094)?
1879 + # This was before we introduced multiple nginx versions so we
1880 + # do not need to distinguish between stable and mainline
1881 + local _need_to_fix_CVE2013_0337=1
1882 +
1883 + if version_is_at_least "1.4.1-r2" "${_replacing_version}"; then
1884 + # We are updating an installation which should already be fixed
1885 + _need_to_fix_CVE2013_0337=0
1886 + debug-print "Skipping CVE-2013-0337 ... existing installation should not be affected!"
1887 + else
1888 + _has_to_adjust_permissions=1
1889 + debug-print "Need to adjust permissions to fix CVE-2013-0337!"
1890 + fi
1891 +
1892 + # Do we need to inform about HTTPoxy mitigation?
1893 + # In repository since commit 8be44f76d4ac02cebcd1e0e6e6284bb72d054b0f
1894 + if ! version_is_at_least "1.10" "${_replacing_version_branch}"; then
1895 + # Updating from <1.10
1896 + _has_to_show_httpoxy_mitigation_notice=1
1897 + debug-print "Need to inform about HTTPoxy mitigation!"
1898 + else
1899 + # Updating from >=1.10
1900 + local _fixed_in_pvr=
1901 + case "${_replacing_version_branch}" in
1902 + "1.10")
1903 + _fixed_in_pvr="1.10.1-r2"
1904 + ;;
1905 + "1.11")
1906 + _fixed_in_pvr="1.11.3-r1"
1907 + ;;
1908 + *)
1909 + # This should be any future branch.
1910 + # If we run this code it is safe to assume that the user has
1911 + # already seen the HTTPoxy mitigation notice because he/she is doing
1912 + # an update from previous version where we have already shown
1913 + # the warning. Otherwise, we wouldn't hit this code path ...
1914 + _fixed_in_pvr=
1915 + esac
1916 +
1917 + if [[ -z "${_fixed_in_pvr}" ]] || version_is_at_least "${_fixed_in_pvr}" "${_replacing_version}"; then
1918 + # We are updating an installation where we already informed
1919 + # that we are mitigating HTTPoxy per default
1920 + _has_to_show_httpoxy_mitigation_notice=0
1921 + debug-print "No need to inform about HTTPoxy mitigation ... information was already shown for existing installation!"
1922 + else
1923 + _has_to_show_httpoxy_mitigation_notice=1
1924 + debug-print "Need to inform about HTTPoxy mitigation!"
1925 + fi
1926 + fi
1927 +
1928 + # Do we need to adjust permissions to fix CVE-2016-1247 (bug #605008)?
1929 + # All branches up to 1.11 are affected
1930 + local _need_to_fix_CVE2016_1247=1
1931 +
1932 + if ! version_is_at_least "1.10" "${_replacing_version_branch}"; then
1933 + # Updating from <1.10
1934 + _has_to_adjust_permissions=1
1935 + debug-print "Need to adjust permissions to fix CVE-2016-1247!"
1936 + else
1937 + # Updating from >=1.10
1938 + local _fixed_in_pvr=
1939 + case "${_replacing_version_branch}" in
1940 + "1.10")
1941 + _fixed_in_pvr="1.10.2-r3"
1942 + ;;
1943 + "1.11")
1944 + _fixed_in_pvr="1.11.6-r1"
1945 + ;;
1946 + *)
1947 + # This should be any future branch.
1948 + # If we run this code it is safe to assume that we have already
1949 + # adjusted permissions or were never affected because user is
1950 + # doing an update from previous version which was safe or did
1951 + # the adjustments. Otherwise, we wouldn't hit this code path ...
1952 + _fixed_in_pvr=
1953 + esac
1954 +
1955 + if [[ -z "${_fixed_in_pvr}" ]] || version_is_at_least "${_fixed_in_pvr}" "${_replacing_version}"; then
1956 + # We are updating an installation which should already be adjusted
1957 + # or which was never affected
1958 + _need_to_fix_CVE2016_1247=0
1959 + debug-print "Skipping CVE-2016-1247 ... existing installation should not be affected!"
1960 + else
1961 + _has_to_adjust_permissions=1
1962 + debug-print "Need to adjust permissions to fix CVE-2016-1247!"
1963 + fi
1964 + fi
1965 + done
1966 +
1967 + if [[ ${_has_to_adjust_permissions} -eq 1 ]]; then
1968 + # We do not DIE when chmod/chown commands are failing because
1969 + # package is already merged on user's system at this stage
1970 + # and we cannot retry without losing the information that
1971 + # the existing installation needs to adjust permissions.
1972 + # Instead we are going to a show a big warning ...
1973 +
1974 + if [[ ${_has_to_show_permission_warning} -eq 0 ]] && [[ ${_need_to_fix_CVE2013_0337} -eq 1 ]]; then
1975 + ewarn ""
1976 + ewarn "The world-readable bit (if set) has been removed from the"
1977 + ewarn "following directories to mitigate a security bug"
1978 + ewarn "(CVE-2013-0337, bug #458726):"
1979 + ewarn ""
1980 + ewarn " ${EPREFIX%/}/var/log/nginx"
1981 + ewarn " ${EPREFIX%/}${NGINX_HOME_TMP}/{,client,proxy,fastcgi,scgi,uwsgi}"
1982 + ewarn ""
1983 + ewarn "Check if this is correct for your setup before restarting nginx!"
1984 + ewarn "This is a one-time change and will not happen on subsequent updates."
1985 + ewarn "Furthermore nginx' temp directories got moved to '${EPREFIX%/}${NGINX_HOME_TMP}'"
1986 + chmod o-rwx \
1987 + "${EPREFIX%/}"/var/log/nginx \
1988 + "${EPREFIX%/}"${NGINX_HOME_TMP}/{,client,proxy,fastcgi,scgi,uwsgi} || \
1989 + _has_to_show_permission_warning=1
1990 + fi
1991 +
1992 + if [[ ${_has_to_show_permission_warning} -eq 0 ]] && [[ ${_need_to_fix_CVE2016_1247} -eq 1 ]]; then
1993 + ewarn ""
1994 + ewarn "The permissions on the following directory have been reset in"
1995 + ewarn "order to mitigate a security bug (CVE-2016-1247, bug #605008):"
1996 + ewarn ""
1997 + ewarn " ${EPREFIX%/}/var/log/nginx"
1998 + ewarn ""
1999 + ewarn "Check if this is correct for your setup before restarting nginx!"
2000 + ewarn "Also ensure that no other log directory used by any of your"
2001 + ewarn "vhost(s) is not writeable for nginx user. Any of your log files"
2002 + ewarn "used by nginx can be abused to escalate privileges!"
2003 + ewarn "This is a one-time change and will not happen on subsequent updates."
2004 + chown 0:nginx "${EPREFIX%/}"/var/log/nginx || _has_to_show_permission_warning=1
2005 + chmod 710 "${EPREFIX%/}"/var/log/nginx || _has_to_show_permission_warning=1
2006 + fi
2007 +
2008 + if [[ ${_has_to_show_permission_warning} -eq 1 ]]; then
2009 + # Should never happen ...
2010 + ewarn ""
2011 + ewarn "*************************************************************"
2012 + ewarn "*************** W A R N I N G ***************"
2013 + ewarn "*************************************************************"
2014 + ewarn "The one-time only attempt to adjust permissions of the"
2015 + ewarn "existing nginx installation failed. Be aware that we will not"
2016 + ewarn "try to adjust the same permissions again because now you are"
2017 + ewarn "using a nginx version where we expect that the permissions"
2018 + ewarn "are already adjusted or that you know what you are doing and"
2019 + ewarn "want to keep custom permissions."
2020 + ewarn ""
2021 + fi
2022 + fi
2023 +
2024 + # Sanity check for CVE-2016-1247
2025 + # Required to warn users who received the warning above and thought
2026 + # they could fix it by unmerging and re-merging the package or have
2027 + # unmerged a affected installation on purpose in the past leaving
2028 + # /var/log/nginx on their system due to keepdir/non-empty folder
2029 + # and are now installing the package again.
2030 + local _sanity_check_testfile=$(mktemp --dry-run "${EPREFIX%/}"/var/log/nginx/.CVE-2016-1247.XXXXXXXXX)
2031 + su -s /bin/sh -c "touch ${_sanity_check_testfile}" nginx >&/dev/null
2032 + if [ $? -eq 0 ] ; then
2033 + # Cleanup -- no reason to die here!
2034 + rm -f "${_sanity_check_testfile}"
2035 +
2036 + ewarn ""
2037 + ewarn "*************************************************************"
2038 + ewarn "*************** W A R N I N G ***************"
2039 + ewarn "*************************************************************"
2040 + ewarn "Looks like your installation is vulnerable to CVE-2016-1247"
2041 + ewarn "(bug #605008) because nginx user is able to create files in"
2042 + ewarn ""
2043 + ewarn " ${EPREFIX%/}/var/log/nginx"
2044 + ewarn ""
2045 + ewarn "Also ensure that no other log directory used by any of your"
2046 + ewarn "vhost(s) is not writeable for nginx user. Any of your log files"
2047 + ewarn "used by nginx can be abused to escalate privileges!"
2048 + fi
2049 +
2050 + if [[ ${_has_to_show_httpoxy_mitigation_notice} -eq 1 ]]; then
2051 + # HTTPoxy mitigation
2052 + ewarn ""
2053 + ewarn "This nginx installation comes with a mitigation for the HTTPoxy"
2054 + ewarn "vulnerability for FastCGI, SCGI and uWSGI applications by setting"
2055 + ewarn "the HTTP_PROXY parameter to an empty string per default when you"
2056 + ewarn "are sourcing one of the default"
2057 + ewarn ""
2058 + ewarn " - 'fastcgi_params' or 'fastcgi.conf'"
2059 + ewarn " - 'scgi_params'"
2060 + ewarn " - 'uwsgi_params'"
2061 + ewarn ""
2062 + ewarn "files in your server block(s)."
2063 + ewarn ""
2064 + ewarn "If this is causing any problems for you make sure that you are sourcing the"
2065 + ewarn "default parameters _before_ you set your own values."
2066 + ewarn "If you are relying on user-supplied proxy values you have to remove the"
2067 + ewarn "correlating lines from the file(s) mentioned above."
2068 + ewarn ""
2069 + fi
2070 +}