[gentoo-commits] repo/gentoo:master commit in: www-servers/nginx/, www-servers/nginx/files/ - gentoo-commits

From:	Thomas Deutschmann <whissi@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: www-servers/nginx/, www-servers/nginx/files/
Date:	Tue, 26 May 2020 18:41:42
Message-Id:	`1590518455.cea207f843acb7cd1d09b56a4302eb1155bf560f.whissi@gentoo`

1

commit:     cea207f843acb7cd1d09b56a4302eb1155bf560f

2

Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>

3

AuthorDate: Tue May 26 18:11:37 2020 +0000

4

Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>

5

CommitDate: Tue May 26 18:40:55 2020 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cea207f8

7

8

www-servers/nginx: bump to v1.19.0 mainline

9

10

- brotli module bumped to 1.0.0rc from new upstream

11

12

- HTTP LUA module bumped to v0.10.16rc5

13

14

- fancyindex module bumped to v0.4.3

15

16

- nginScript module bumped to v0.4.1

17

18

Closes: https://bugs.gentoo.org/724646

19

Package-Manager: Portage-2.3.100, Repoman-2.3.22

20

Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

21

22

 www-servers/nginx/Manifest                         |    3 +

23

 .../nginx/files/http_brotli-detect-brotli-r3.patch |   28 +

24

 www-servers/nginx/nginx-1.19.0.ebuild              | 1093 ++++++++++++++++++++

25

 3 files changed, 1124 insertions(+)

26

27

diff --git a/www-servers/nginx/Manifest b/www-servers/nginx/Manifest

28

index 523b0974076..2365b9621d9 100644

29

--- a/www-servers/nginx/Manifest

30

+++ b/www-servers/nginx/Manifest

31

@@ -1,7 +1,9 @@

32

 DIST modsecurity-2.9.3.tar.gz 4307670 BLAKE2B 337ea15cc8805af7ab43aed8aecf4c72ccc586d0d7e9d9b91f036a61baa70d1ac8b4ad8045a2bb7a13515912a15fba7d3cdb9670ae6730de43b1e44ee90ded6d SHA512 4e1ea5dd8edadf8f630e4fe92a200d3a8e78963fce3128b5975a1e1ecd0e8bf9ceecd9905c95f8c508932ccd837f1d8ae8bb2ba423307718c3c6a4ae9b783ddd

33

 DIST nginx-1.18.0.tar.gz 1039530 BLAKE2B a8962a6af96acb043ff0c3dc4ad5192083773c449950aff53b01f6f7c46a2a540eb061a43432acccd753fa71067b1451d75f440ba5526575b78608be9d40a50b SHA512 8c21eeb62ab6e32e436932500f700bd2fb99fd2d29e43c08a5bfed4714c189c29c7141db551fcd5d2437303b7439f71758f7407dfd3e801e704e45e7daa78ddb

34

+DIST nginx-1.19.0.tar.gz 1043748 BLAKE2B 46647676c2e5dd0b06a1079329d211f7449312873f40d762b1c81841863f61dbc11f836956c006e0283dc79ab9b6bb4b9430136e4c66ff194402413fdc0bdf83 SHA512 3240d5dc59877f9d6a95c8779240675cec9290df079b9d52c06147e58900f2e060e768729669ffaf9a2a90bb9abbe8ab7fba24ff65d45fec9eeb3b6733b65f30

35

 DIST nginx-auth-ldap-42d195d7a7575ebab1c369ad3fc5d78dc2c2669c.tar.gz 18457 BLAKE2B 22225ca9e5299b20ab5a93a001cac48e446bd86b3a24ac49e716bc975b128890bdb4b0dbbf5730fbaaeadfd958160093c7a6af798dd0e6de27062f149a760333 SHA512 ec59637fda5acac053e815cb1d04b545fc6b765e5ec63d8c2c9c301abad87afaa2698145acac08e9e14c91e1423ebff7aff0cca2b940b19ccccbf4cf53973269

36

 DIST nginx_http_sticky_module_ng-1.2.6-10-g08a395c66e42.tar.bz2 124047 BLAKE2B d37ef9a15c91abe3c6258e420d1f99fa452f9d9966a0e13102174973314a3bac5413957a5fe632a9dcb1163b3be5df8116e05cc053ee061e19319ec25f341570 SHA512 6c1bfdcf89884b2855d51ae7da0f6e53a4ca3629e1aaf58433b70c07dcb2af797ba6e87d9b3eb4fe2fb6d4d697e862f2b4c2f8d8b3fdaea201740c97ec936529

37

+DIST ngx_brotli-25f86f0bac1101b6512135eac5f93c49c63609e3.tar.gz 16201 BLAKE2B 2da3ce8a9f29b713da4de4cd60fe22256742ff61e1718346e5246ffa0169d5a2e1babb625b16ac52e3b79431f749adb3ee0170957024953c139aaebc7a496478 SHA512 c6eb026f204e1e6f930ab7ca68cca78054318e05a0dc11d897d3516380dbc4e42e93d40334e3088bf348d4b7b182e87c77473974719e5850a4f97666f9babbd6

38

 DIST ngx_brotli-8104036af9cff4b1d34f22d00ba857e2a93a243c.tar.gz 12672 BLAKE2B fa2febfa63b98303f8890c6774de6ccb09475ccd639d3b74493a4ffd97c90febdc22755c5928018bdac24a537bd13cde165f97e5d2b50bebf598c3fb22ec0206 SHA512 169566b8764bb2b82e029f954a99063a9c61e2cbf982861c5f6818b389a5f37bf5389afb1b5627de9bd3f7af7b3c404be0230f943d47ab621c2a2bd825cc8203

39

 DIST ngx_devel_kit-0.3.1.tar.gz 66542 BLAKE2B 8242d884464d99a131a48f599f9d0c2b546610f73f646e7eb0dcfdb98220810d949189cffa721360ddbe3b7b8adc8b678a848b9d1a56db6c62fd4439ecb63d24 SHA512 de1e3349d8dd08e5982279b2219dc8a8006739f0409b8e0f5c50d93434beff1fbafba43e9c5ac85a5fab90afc5c0a7244a340610339c36f82f2cba7233e72de9

40

 DIST ngx_http_auth_pam-1.5.1.tar.gz 6863 BLAKE2B 00807cc3db8f6c007c968b8a30d7f6094b7d9db4eaa60d211fcb3ac60aeb28c5f8193578a7e1ca67acbbf57a319c8442fe44efc1e193927c3bce5961539f9c16 SHA512 973b94874d8a58c0df0ac2d31571eafc1e80b11179cba33ec88421a826207fbf7e99b0387e135a1ca48d82daacb78f19a4c21d3a27b49b16dc86b4748bb72261

41

@@ -12,6 +14,7 @@ DIST ngx_http_fancyindex-0.4.4.tar.gz 26292 BLAKE2B a1ed76cb31cd4f7a349bcbe63d75

42

 DIST ngx_http_geoip2_module-3.3.tar.gz 8509 BLAKE2B 4841e1bdd13b9b85f34732d1eb7447638f62bb09e1bd480da0fa8b0085d3b2d90a740732ef534c355feb71d7db613c73f68a4e6e3624b47a0937be046dfa1f8d SHA512 06963b598c54e22d75ce837fb222f5aa6c9494c29e558ff46f1205d7159fc305414bfac4ed3288c836dcbf7628d92f26458e1992d34fc2f4b73275a32847bdc0

43

 DIST ngx_http_headers_more-0.33.tar.gz 28130 BLAKE2B fe3097a7700ce5da087058f7bb44c95164b75137031187400473f6833bf0e33e5c4920807225a6ff94174fe7dbd6186cca176a33a629ca0911faab6804bdd12a SHA512 13165b1b8d4be281b8bd2404fa48d456013d560bace094c81da08a35dc6a4f025a809a3ae3a42be6bbf67abbcbe41e0730aba06f905220f3baeb01e1192a7d37

44

 DIST ngx_http_lua-0.10.15.tar.gz 655110 BLAKE2B 73bf8e2f157c93f3d4e54b5aa63deb266731a10e3e48b2257756efee8d752e86440ca9c27bd27bc1d90075a5ffb58772eecb7c445db44cd055d2b9e0b4bac082 SHA512 1feea538464275e6e571860592628ad639b2259c8aab7f38575b81c0b355f1ade32a91643267bc9ec16519e3bcf3d132511513dc8c949f74a3bff975c85d8ff7

45

+DIST ngx_http_lua-0.10.16rc5.tar.gz 646734 BLAKE2B a122bd16999fa45303dc9a860a992c22c31ad64f56df5ab9f90274b91a1c073cbb29e29a1befc347a11f1024926b51ee5f1cac154beff63359beeaafbc5b0fe3 SHA512 da98161be84a4f829cb105ee46e5c1e3c91d2d3b473b0bee26fb1c4dec00137c814f37996b83e52d898ec1ff43e3bd5178b1621cb6e3ec6bc1629896ac6e7110

46

 DIST ngx_http_naxsi-0.56.tar.gz 192120 BLAKE2B cdbfc278f346ccdc0d5407d70ddd4740816d9fe786d3d65189d47e6f3b030c02352a30ed86bf1650139a21a8408e74c1ec7d7aa3512df1428870279ab384dd15 SHA512 4660751849bce303af6010b7257532404710106a94817e78d4bc4b566f8019620f24f30207f1d4366b88132a5124e34b164dc67ed80b6710f4bad66115564cbd

47

 DIST ngx_http_push_stream-0.5.4.tar.gz 183493 BLAKE2B ccae3113071cee38fa6a7accd580922dc2fc9fa22af737f400c2c5f59352d93ca6cceb47f2aee70dfc111afdf98d27aeb64ddc5a4dbf617359ea4da09486ac7f SHA512 467ae49409adb675979ff591f98df8c96d71ab5ebc2ef9b3c9430e38e7e84d311b4a98c2b1cb1886d895735223dd2a43370aab61b57b34adb1427c184e6b8c86

48

 DIST ngx_http_slowfs_cache-1.10.tar.gz 11809 BLAKE2B 54ec1bd0d1cc43cdaafc93ebd46b33374c57351c7f022eae0351d6961680abb03d896e7f058e67c43c4fee300253354feccb92d00e62bf91250e251e1860ec03 SHA512 fbc9609a8d6913aeefe535f206b9e53477503f131934ead2ae5a6169e395af2f5fb54778704824d5eeb22a4ef40a11ebbcde580db62a631f70edcc2cfc06b15d

49

50

diff --git a/www-servers/nginx/files/http_brotli-detect-brotli-r3.patch b/www-servers/nginx/files/http_brotli-detect-brotli-r3.patch

51

new file mode 100644

52

index 00000000000..9ccb8c2379f

53

--- /dev/null

54

+++ b/www-servers/nginx/files/http_brotli-detect-brotli-r3.patch

55

@@ -0,0 +1,28 @@

56

+--- a/filter/config

57

++++ b/filter/config

58

+@@ -42,22 +42,13 @@ fi

59

+ ngx_module_type=HTTP_FILTER

60

+ ngx_module_name=ngx_http_brotli_filter_module

61

+

62

+-brotli="$ngx_addon_dir/deps/brotli/c"

63

+-if [ ! -f "$brotli/include/brotli/encode.h" ]; then

64

+-  brotli="/usr/local"

65

+-fi

66

+-if [ ! -f "$brotli/include/brotli/encode.h" ]; then

67

+-  brotli="/usr"

68

+-fi

69

++brotli=$(pkg-config --variable=prefix libbrotlienc)

70

++

71

+ if [ ! -f "$brotli/include/brotli/encode.h" ]; then

72

+ cat << END

73

+

74

+ $0: error: \

75

+-Brotli library is missing from the $brotli directory.

76

+-

77

+-Please make sure that the git submodule has been checked out:

78

+-

79

+-    cd $ngx_addon_dir && git submodule update --init && cd $PWD

80

++Brotli library not found. Don't you have app-arch/brotli installed?

81

+

82

+ END

83

+     exit 1

84

85

diff --git a/www-servers/nginx/nginx-1.19.0.ebuild b/www-servers/nginx/nginx-1.19.0.ebuild

86

new file mode 100644

87

index 00000000000..ab215dc844a

88

--- /dev/null

89

+++ b/www-servers/nginx/nginx-1.19.0.ebuild

90

@@ -0,0 +1,1093 @@

91

+# Copyright 1999-2020 Gentoo Authors

92

+# Distributed under the terms of the GNU General Public License v2

93

+

94

+EAPI="6"

95

+

96

+# Maintainer notes:

97

+# - http_rewrite-independent pcre-support makes sense for matching locations without an actual rewrite

98

+# - any http-module activates the main http-functionality and overrides USE=-http

99

+# - keep the following requirements in mind before adding external modules:

100

+#	* alive upstream

101

+#	* sane packaging

102

+#	* builds cleanly

103

+#	* does not need a patch for nginx core

104

+# - TODO: test the google-perftools module (included in vanilla tarball)

105

+

106

+# prevent perl-module from adding automagic perl DEPENDs

107

+GENTOO_DEPEND_ON_PERL="no"

108

+

109

+# devel_kit (https://github.com/simpl/ngx_devel_kit, BSD license)

110

+DEVEL_KIT_MODULE_PV="0.3.1"

111

+DEVEL_KIT_MODULE_P="ngx_devel_kit-${DEVEL_KIT_MODULE_PV}"

112

+DEVEL_KIT_MODULE_URI="https://github.com/simpl/ngx_devel_kit/archive/v${DEVEL_KIT_MODULE_PV}.tar.gz"

113

+DEVEL_KIT_MODULE_WD="${WORKDIR}/ngx_devel_kit-${DEVEL_KIT_MODULE_PV}"

114

+

115

+# ngx_brotli (https://github.com/eustas/ngx_brotli, BSD-2)

116

+HTTP_BROTLI_MODULE_PV="25f86f0bac1101b6512135eac5f93c49c63609e3"

117

+HTTP_BROTLI_MODULE_P="ngx_brotli-${HTTP_BROTLI_MODULE_PV}"

118

+HTTP_BROTLI_MODULE_URI="https://github.com/google/ngx_brotli/archive/${HTTP_BROTLI_MODULE_PV}.tar.gz"

119

+HTTP_BROTLI_MODULE_WD="${WORKDIR}/ngx_brotli-${HTTP_BROTLI_MODULE_PV}"

120

+

121

+# http_uploadprogress (https://github.com/masterzen/nginx-upload-progress-module, BSD-2 license)

122

+HTTP_UPLOAD_PROGRESS_MODULE_PV="0.9.2"

123

+HTTP_UPLOAD_PROGRESS_MODULE_P="ngx_http_upload_progress-${HTTP_UPLOAD_PROGRESS_MODULE_PV}-r1"

124

+HTTP_UPLOAD_PROGRESS_MODULE_URI="https://github.com/masterzen/nginx-upload-progress-module/archive/v${HTTP_UPLOAD_PROGRESS_MODULE_PV}.tar.gz"

125

+HTTP_UPLOAD_PROGRESS_MODULE_WD="${WORKDIR}/nginx-upload-progress-module-${HTTP_UPLOAD_PROGRESS_MODULE_PV}"

126

+

127

+# http_headers_more (https://github.com/agentzh/headers-more-nginx-module, BSD license)

128

+HTTP_HEADERS_MORE_MODULE_PV="0.33"

129

+HTTP_HEADERS_MORE_MODULE_P="ngx_http_headers_more-${HTTP_HEADERS_MORE_MODULE_PV}"

130

+HTTP_HEADERS_MORE_MODULE_URI="https://github.com/agentzh/headers-more-nginx-module/archive/v${HTTP_HEADERS_MORE_MODULE_PV}.tar.gz"

131

+HTTP_HEADERS_MORE_MODULE_WD="${WORKDIR}/headers-more-nginx-module-${HTTP_HEADERS_MORE_MODULE_PV}"

132

+

133

+# http_cache_purge (http://labs.frickle.com/nginx_ngx_cache_purge/, https://github.com/FRiCKLE/ngx_cache_purge, BSD-2 license)

134

+HTTP_CACHE_PURGE_MODULE_PV="2.3"

135

+HTTP_CACHE_PURGE_MODULE_P="ngx_http_cache_purge-${HTTP_CACHE_PURGE_MODULE_PV}"

136

+HTTP_CACHE_PURGE_MODULE_URI="http://labs.frickle.com/files/ngx_cache_purge-${HTTP_CACHE_PURGE_MODULE_PV}.tar.gz"

137

+HTTP_CACHE_PURGE_MODULE_WD="${WORKDIR}/ngx_cache_purge-${HTTP_CACHE_PURGE_MODULE_PV}"

138

+

139

+# http_slowfs_cache (http://labs.frickle.com/nginx_ngx_slowfs_cache/, BSD-2 license)

140

+HTTP_SLOWFS_CACHE_MODULE_PV="1.10"

141

+HTTP_SLOWFS_CACHE_MODULE_P="ngx_http_slowfs_cache-${HTTP_SLOWFS_CACHE_MODULE_PV}"

142

+HTTP_SLOWFS_CACHE_MODULE_URI="http://labs.frickle.com/files/ngx_slowfs_cache-${HTTP_SLOWFS_CACHE_MODULE_PV}.tar.gz"

143

+HTTP_SLOWFS_CACHE_MODULE_WD="${WORKDIR}/ngx_slowfs_cache-${HTTP_SLOWFS_CACHE_MODULE_PV}"

144

+

145

+# http_fancyindex (https://github.com/aperezdc/ngx-fancyindex, BSD license)

146

+HTTP_FANCYINDEX_MODULE_PV="0.4.4"

147

+HTTP_FANCYINDEX_MODULE_P="ngx_http_fancyindex-${HTTP_FANCYINDEX_MODULE_PV}"

148

+HTTP_FANCYINDEX_MODULE_URI="https://github.com/aperezdc/ngx-fancyindex/archive/v${HTTP_FANCYINDEX_MODULE_PV}.tar.gz"

149

+HTTP_FANCYINDEX_MODULE_WD="${WORKDIR}/ngx-fancyindex-${HTTP_FANCYINDEX_MODULE_PV}"

150

+

151

+# http_lua (https://github.com/openresty/lua-nginx-module, BSD license)

152

+HTTP_LUA_MODULE_PV="0.10.16rc5"

153

+HTTP_LUA_MODULE_P="ngx_http_lua-${HTTP_LUA_MODULE_PV}"

154

+HTTP_LUA_MODULE_URI="https://github.com/openresty/lua-nginx-module/archive/v${HTTP_LUA_MODULE_PV}.tar.gz"

155

+HTTP_LUA_MODULE_WD="${WORKDIR}/lua-nginx-module-${HTTP_LUA_MODULE_PV}"

156

+

157

+# http_auth_pam (https://github.com/stogh/ngx_http_auth_pam_module/, http://web.iti.upv.es/~sto/nginx/, BSD-2 license)

158

+HTTP_AUTH_PAM_MODULE_PV="1.5.1"

159

+HTTP_AUTH_PAM_MODULE_P="ngx_http_auth_pam-${HTTP_AUTH_PAM_MODULE_PV}"

160

+HTTP_AUTH_PAM_MODULE_URI="https://github.com/stogh/ngx_http_auth_pam_module/archive/v${HTTP_AUTH_PAM_MODULE_PV}.tar.gz"

161

+HTTP_AUTH_PAM_MODULE_WD="${WORKDIR}/ngx_http_auth_pam_module-${HTTP_AUTH_PAM_MODULE_PV}"

162

+

163

+# http_upstream_check (https://github.com/yaoweibin/nginx_upstream_check_module, BSD license)

164

+HTTP_UPSTREAM_CHECK_MODULE_PV="9aecf15ec379fe98f62355c57b60c0bc83296f04"

165

+HTTP_UPSTREAM_CHECK_MODULE_P="ngx_http_upstream_check-${HTTP_UPSTREAM_CHECK_MODULE_PV}"

166

+HTTP_UPSTREAM_CHECK_MODULE_URI="https://github.com/yaoweibin/nginx_upstream_check_module/archive/${HTTP_UPSTREAM_CHECK_MODULE_PV}.tar.gz"

167

+HTTP_UPSTREAM_CHECK_MODULE_WD="${WORKDIR}/nginx_upstream_check_module-${HTTP_UPSTREAM_CHECK_MODULE_PV}"

168

+

169

+# http_metrics (https://github.com/zenops/ngx_metrics, BSD license)

170

+HTTP_METRICS_MODULE_PV="0.1.1"

171

+HTTP_METRICS_MODULE_P="ngx_metrics-${HTTP_METRICS_MODULE_PV}"

172

+HTTP_METRICS_MODULE_URI="https://github.com/madvertise/ngx_metrics/archive/v${HTTP_METRICS_MODULE_PV}.tar.gz"

173

+HTTP_METRICS_MODULE_WD="${WORKDIR}/ngx_metrics-${HTTP_METRICS_MODULE_PV}"

174

+

175

+# http_vhost_traffic_status (https://github.com/vozlt/nginx-module-vts, BSD license)

176

+HTTP_VHOST_TRAFFIC_STATUS_MODULE_PV="46d85558e344dfe2b078ce757fd36c69a1ec2dd3"

177

+HTTP_VHOST_TRAFFIC_STATUS_MODULE_P="ngx_http_vhost_traffic_status-${HTTP_VHOST_TRAFFIC_STATUS_MODULE_PV}"

178

+HTTP_VHOST_TRAFFIC_STATUS_MODULE_URI="https://github.com/vozlt/nginx-module-vts/archive/${HTTP_VHOST_TRAFFIC_STATUS_MODULE_PV}.tar.gz"

179

+HTTP_VHOST_TRAFFIC_STATUS_MODULE_WD="${WORKDIR}/nginx-module-vts-${HTTP_VHOST_TRAFFIC_STATUS_MODULE_PV}"

180

+

181

+# naxsi-core (https://github.com/nbs-system/naxsi, GPLv2+)

182

+HTTP_NAXSI_MODULE_PV="0.56"

183

+HTTP_NAXSI_MODULE_P="ngx_http_naxsi-${HTTP_NAXSI_MODULE_PV}"

184

+HTTP_NAXSI_MODULE_URI="https://github.com/nbs-system/naxsi/archive/${HTTP_NAXSI_MODULE_PV}.tar.gz"

185

+HTTP_NAXSI_MODULE_WD="${WORKDIR}/naxsi-${HTTP_NAXSI_MODULE_PV}/naxsi_src"

186

+

187

+# nginx-rtmp-module (https://github.com/arut/nginx-rtmp-module, BSD license)

188

+RTMP_MODULE_PV="1.2.1"

189

+RTMP_MODULE_P="ngx_rtmp-${RTMP_MODULE_PV}"

190

+RTMP_MODULE_URI="https://github.com/arut/nginx-rtmp-module/archive/v${RTMP_MODULE_PV}.tar.gz"

191

+RTMP_MODULE_WD="${WORKDIR}/nginx-rtmp-module-${RTMP_MODULE_PV}"

192

+

193

+# nginx-dav-ext-module (https://github.com/arut/nginx-dav-ext-module, BSD license)

194

+HTTP_DAV_EXT_MODULE_PV="3.0.0"

195

+HTTP_DAV_EXT_MODULE_P="ngx_http_dav_ext-${HTTP_DAV_EXT_MODULE_PV}"

196

+HTTP_DAV_EXT_MODULE_URI="https://github.com/arut/nginx-dav-ext-module/archive/v${HTTP_DAV_EXT_MODULE_PV}.tar.gz"

197

+HTTP_DAV_EXT_MODULE_WD="${WORKDIR}/nginx-dav-ext-module-${HTTP_DAV_EXT_MODULE_PV}"

198

+

199

+# echo-nginx-module (https://github.com/openresty/echo-nginx-module, BSD license)

200

+HTTP_ECHO_MODULE_PV="0.62rc1"

201

+HTTP_ECHO_MODULE_P="ngx_http_echo-${HTTP_ECHO_MODULE_PV}"

202

+HTTP_ECHO_MODULE_URI="https://github.com/openresty/echo-nginx-module/archive/v${HTTP_ECHO_MODULE_PV}.tar.gz"

203

+HTTP_ECHO_MODULE_WD="${WORKDIR}/echo-nginx-module-${HTTP_ECHO_MODULE_PV}"

204

+

205

+# mod_security for nginx (https://modsecurity.org/, Apache-2.0)

206

+# keep the MODULE_P here consistent with upstream to avoid tarball duplication

207

+HTTP_SECURITY_MODULE_PV="2.9.3"

208

+HTTP_SECURITY_MODULE_P="modsecurity-${HTTP_SECURITY_MODULE_PV}"

209

+HTTP_SECURITY_MODULE_URI="https://www.modsecurity.org/tarball/${HTTP_SECURITY_MODULE_PV}/${HTTP_SECURITY_MODULE_P}.tar.gz"

210

+HTTP_SECURITY_MODULE_WD="${WORKDIR}/${HTTP_SECURITY_MODULE_P}"

211

+

212

+# push-stream-module (http://www.nginxpushstream.com, https://github.com/wandenberg/nginx-push-stream-module, GPL-3)

213

+HTTP_PUSH_STREAM_MODULE_PV="0.5.4"

214

+HTTP_PUSH_STREAM_MODULE_P="ngx_http_push_stream-${HTTP_PUSH_STREAM_MODULE_PV}"

215

+HTTP_PUSH_STREAM_MODULE_URI="https://github.com/wandenberg/nginx-push-stream-module/archive/${HTTP_PUSH_STREAM_MODULE_PV}.tar.gz"

216

+HTTP_PUSH_STREAM_MODULE_WD="${WORKDIR}/nginx-push-stream-module-${HTTP_PUSH_STREAM_MODULE_PV}"

217

+

218

+# sticky-module (https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng, BSD-2)

219

+HTTP_STICKY_MODULE_PV="1.2.6-10-g08a395c66e42"

220

+HTTP_STICKY_MODULE_P="nginx_http_sticky_module_ng-${HTTP_STICKY_MODULE_PV}"

221

+HTTP_STICKY_MODULE_URI="https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/get/${HTTP_STICKY_MODULE_PV}.tar.bz2"

222

+HTTP_STICKY_MODULE_WD="${WORKDIR}/nginx-goodies-nginx-sticky-module-ng-08a395c66e42"

223

+

224

+# mogilefs-module (https://github.com/vkholodkov/nginx-mogilefs-module, BSD-2)

225

+HTTP_MOGILEFS_MODULE_PV="1.0.4"

226

+HTTP_MOGILEFS_MODULE_P="ngx_mogilefs_module-${HTTP_MOGILEFS_MODULE_PV}"

227

+HTTP_MOGILEFS_MODULE_URI="https://github.com/vkholodkov/nginx-mogilefs-module/archive/${HTTP_MOGILEFS_MODULE_PV}.tar.gz"

228

+HTTP_MOGILEFS_MODULE_WD="${WORKDIR}/nginx_mogilefs_module-${HTTP_MOGILEFS_MODULE_PV}"

229

+

230

+# memc-module (https://github.com/openresty/memc-nginx-module, BSD-2)

231

+HTTP_MEMC_MODULE_PV="0.19"

232

+HTTP_MEMC_MODULE_P="ngx_memc_module-${HTTP_MEMC_MODULE_PV}"

233

+HTTP_MEMC_MODULE_URI="https://github.com/openresty/memc-nginx-module/archive/v${HTTP_MEMC_MODULE_PV}.tar.gz"

234

+HTTP_MEMC_MODULE_WD="${WORKDIR}/memc-nginx-module-${HTTP_MEMC_MODULE_PV}"

235

+

236

+# nginx-ldap-auth-module (https://github.com/kvspb/nginx-auth-ldap, BSD-2)

237

+HTTP_LDAP_MODULE_PV="42d195d7a7575ebab1c369ad3fc5d78dc2c2669c"

238

+HTTP_LDAP_MODULE_P="nginx-auth-ldap-${HTTP_LDAP_MODULE_PV}"

239

+HTTP_LDAP_MODULE_URI="https://github.com/kvspb/nginx-auth-ldap/archive/${HTTP_LDAP_MODULE_PV}.tar.gz"

240

+HTTP_LDAP_MODULE_WD="${WORKDIR}/nginx-auth-ldap-${HTTP_LDAP_MODULE_PV}"

241

+

242

+# geoip2 (https://github.com/leev/ngx_http_geoip2_module, BSD-2)

243

+GEOIP2_MODULE_PV="3.3"

244

+GEOIP2_MODULE_P="ngx_http_geoip2_module-${GEOIP2_MODULE_PV}"

245

+GEOIP2_MODULE_URI="https://github.com/leev/ngx_http_geoip2_module/archive/${GEOIP2_MODULE_PV}.tar.gz"

246

+GEOIP2_MODULE_WD="${WORKDIR}/ngx_http_geoip2_module-${GEOIP2_MODULE_PV}"

247

+

248

+# njs-module (https://github.com/nginx/njs, as-is)

249

+NJS_MODULE_PV="0.4.1"

250

+NJS_MODULE_P="njs-${NJS_MODULE_PV}"

251

+NJS_MODULE_URI="https://github.com/nginx/njs/archive/${NJS_MODULE_PV}.tar.gz"

252

+NJS_MODULE_WD="${WORKDIR}/njs-${NJS_MODULE_PV}"

253

+

254

+# We handle deps below ourselves

255

+SSL_DEPS_SKIP=1

256

+AUTOTOOLS_AUTO_DEPEND="no"

257

+

258

+inherit autotools ssl-cert toolchain-funcs perl-module flag-o-matic user systemd versionator multilib pax-utils

259

+

260

+DESCRIPTION="Robust, small and high performance http and reverse proxy server"

261

+HOMEPAGE="https://nginx.org"

262

+SRC_URI="https://nginx.org/download/${P}.tar.gz

263

+	${DEVEL_KIT_MODULE_URI} -> ${DEVEL_KIT_MODULE_P}.tar.gz

264

+	nginx_modules_http_auth_ldap? ( ${HTTP_LDAP_MODULE_URI} -> ${HTTP_LDAP_MODULE_P}.tar.gz )

265

+	nginx_modules_http_auth_pam? ( ${HTTP_AUTH_PAM_MODULE_URI} -> ${HTTP_AUTH_PAM_MODULE_P}.tar.gz )

266

+	nginx_modules_http_brotli? ( ${HTTP_BROTLI_MODULE_URI} -> ${HTTP_BROTLI_MODULE_P}.tar.gz )

267

+	nginx_modules_http_cache_purge? ( ${HTTP_CACHE_PURGE_MODULE_URI} -> ${HTTP_CACHE_PURGE_MODULE_P}.tar.gz )

268

+	nginx_modules_http_dav_ext? ( ${HTTP_DAV_EXT_MODULE_URI} -> ${HTTP_DAV_EXT_MODULE_P}.tar.gz )

269

+	nginx_modules_http_echo? ( ${HTTP_ECHO_MODULE_URI} -> ${HTTP_ECHO_MODULE_P}.tar.gz )

270

+	nginx_modules_http_fancyindex? ( ${HTTP_FANCYINDEX_MODULE_URI} -> ${HTTP_FANCYINDEX_MODULE_P}.tar.gz )

271

+	nginx_modules_http_geoip2? ( ${GEOIP2_MODULE_URI} -> ${GEOIP2_MODULE_P}.tar.gz )

272

+	nginx_modules_http_headers_more? ( ${HTTP_HEADERS_MORE_MODULE_URI} -> ${HTTP_HEADERS_MORE_MODULE_P}.tar.gz )

273

+	nginx_modules_http_javascript? ( ${NJS_MODULE_URI} -> ${NJS_MODULE_P}.tar.gz )

274

+	nginx_modules_http_lua? ( ${HTTP_LUA_MODULE_URI} -> ${HTTP_LUA_MODULE_P}.tar.gz )

275

+	nginx_modules_http_memc? ( ${HTTP_MEMC_MODULE_URI} -> ${HTTP_MEMC_MODULE_P}.tar.gz )

276

+	nginx_modules_http_metrics? ( ${HTTP_METRICS_MODULE_URI} -> ${HTTP_METRICS_MODULE_P}.tar.gz )

277

+	nginx_modules_http_mogilefs? ( ${HTTP_MOGILEFS_MODULE_URI} -> ${HTTP_MOGILEFS_MODULE_P}.tar.gz )

278

+	nginx_modules_http_naxsi? ( ${HTTP_NAXSI_MODULE_URI} -> ${HTTP_NAXSI_MODULE_P}.tar.gz )

279

+	nginx_modules_http_push_stream? ( ${HTTP_PUSH_STREAM_MODULE_URI} -> ${HTTP_PUSH_STREAM_MODULE_P}.tar.gz )

280

+	nginx_modules_http_security? ( ${HTTP_SECURITY_MODULE_URI} -> ${HTTP_SECURITY_MODULE_P}.tar.gz )

281

+	nginx_modules_http_slowfs_cache? ( ${HTTP_SLOWFS_CACHE_MODULE_URI} -> ${HTTP_SLOWFS_CACHE_MODULE_P}.tar.gz )

282

+	nginx_modules_http_sticky? ( ${HTTP_STICKY_MODULE_URI} -> ${HTTP_STICKY_MODULE_P}.tar.bz2 )

283

+	nginx_modules_http_upload_progress? ( ${HTTP_UPLOAD_PROGRESS_MODULE_URI} -> ${HTTP_UPLOAD_PROGRESS_MODULE_P}.tar.gz )

284

+	nginx_modules_http_upstream_check? ( ${HTTP_UPSTREAM_CHECK_MODULE_URI} -> ${HTTP_UPSTREAM_CHECK_MODULE_P}.tar.gz )

285

+	nginx_modules_http_vhost_traffic_status? ( ${HTTP_VHOST_TRAFFIC_STATUS_MODULE_URI} -> ${HTTP_VHOST_TRAFFIC_STATUS_MODULE_P}.tar.gz )

286

+	nginx_modules_stream_geoip2? ( ${GEOIP2_MODULE_URI} -> ${GEOIP2_MODULE_P}.tar.gz )

287

+	nginx_modules_stream_javascript? ( ${NJS_MODULE_URI} -> ${NJS_MODULE_P}.tar.gz )

288

+	rtmp? ( ${RTMP_MODULE_URI} -> ${RTMP_MODULE_P}.tar.gz )"

289

+

290

+LICENSE="BSD-2 BSD SSLeay MIT GPL-2 GPL-2+

291

+	nginx_modules_http_security? ( Apache-2.0 )

292

+	nginx_modules_http_push_stream? ( GPL-3 )"

293

+

294

+SLOT="mainline"

295

+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~x86 ~amd64-linux ~x86-linux"

296

+

297

+# Package doesn't provide a real test suite

298

+RESTRICT="test"

299

+

300

+NGINX_MODULES_STD="access auth_basic autoindex browser charset empty_gif

301

+	fastcgi geo grpc gzip limit_req limit_conn map memcached mirror

302

+	proxy referer rewrite scgi ssi split_clients upstream_hash

303

+	upstream_ip_hash upstream_keepalive upstream_least_conn

304

+	upstream_zone userid uwsgi"

305

+NGINX_MODULES_OPT="addition auth_request dav degradation flv geoip gunzip

306

+	gzip_static image_filter mp4 perl random_index realip secure_link

307

+	slice stub_status sub xslt"

308

+NGINX_MODULES_STREAM_STD="access geo limit_conn map return split_clients

309

+	upstream_hash upstream_least_conn upstream_zone"

310

+NGINX_MODULES_STREAM_OPT="geoip realip ssl_preread"

311

+NGINX_MODULES_MAIL="imap pop3 smtp"

312

+NGINX_MODULES_3RD="

313

+	http_auth_ldap

314

+	http_auth_pam

315

+	http_brotli

316

+	http_cache_purge

317

+	http_dav_ext

318

+	http_echo

319

+	http_fancyindex

320

+	http_geoip2

321

+	http_headers_more

322

+	http_javascript

323

+	http_lua

324

+	http_memc

325

+	http_metrics

326

+	http_mogilefs

327

+	http_naxsi

328

+	http_push_stream

329

+	http_security

330

+	http_slowfs_cache

331

+	http_sticky

332

+	http_upload_progress

333

+	http_upstream_check

334

+	http_vhost_traffic_status

335

+	stream_geoip2

336

+	stream_javascript

337

+"

338

+

339

+IUSE="aio debug +http +http2 +http-cache +ipv6 libatomic libressl luajit +pcre

340

+	pcre-jit rtmp selinux ssl threads userland_GNU vim-syntax"

341

+

342

+for mod in $NGINX_MODULES_STD; do

343

+	IUSE="${IUSE} +nginx_modules_http_${mod}"

344

+done

345

+

346

+for mod in $NGINX_MODULES_OPT; do

347

+	IUSE="${IUSE} nginx_modules_http_${mod}"

348

+done

349

+

350

+for mod in $NGINX_MODULES_STREAM_STD; do

351

+	IUSE="${IUSE} nginx_modules_stream_${mod}"

352

+done

353

+

354

+for mod in $NGINX_MODULES_STREAM_OPT; do

355

+	IUSE="${IUSE} nginx_modules_stream_${mod}"

356

+done

357

+

358

+for mod in $NGINX_MODULES_MAIL; do

359

+	IUSE="${IUSE} nginx_modules_mail_${mod}"

360

+done

361

+

362

+for mod in $NGINX_MODULES_3RD; do

363

+	IUSE="${IUSE} nginx_modules_${mod}"

364

+done

365

+

366

+# Add so we can warn users updating about config changes

367

+# @TODO: jbergstroem: remove on next release series

368

+IUSE="${IUSE} nginx_modules_http_spdy"

369

+

370

+CDEPEND="

371

+	pcre? ( dev-libs/libpcre:= )

372

+	pcre-jit? ( dev-libs/libpcre:=[jit] )

373

+	ssl? (

374

+		!libressl? ( dev-libs/openssl:0= )

375

+		libressl? ( dev-libs/libressl:= )

376

+	)

377

+	http2? (

378

+		!libressl? ( >=dev-libs/openssl-1.0.1c:0= )

379

+		libressl? ( dev-libs/libressl:= )

380

+	)

381

+	http-cache? (

382

+		userland_GNU? (

383

+			!libressl? ( dev-libs/openssl:0= )

384

+			libressl? ( dev-libs/libressl:= )

385

+		)

386

+	)

387

+	nginx_modules_http_brotli? ( app-arch/brotli:= )

388

+	nginx_modules_http_geoip? ( dev-libs/geoip )

389

+	nginx_modules_http_geoip2? ( dev-libs/libmaxminddb:= )

390

+	nginx_modules_http_gunzip? ( sys-libs/zlib )

391

+	nginx_modules_http_gzip? ( sys-libs/zlib )

392

+	nginx_modules_http_gzip_static? ( sys-libs/zlib )

393

+	nginx_modules_http_image_filter? ( media-libs/gd:=[jpeg,png] )

394

+	nginx_modules_http_perl? ( >=dev-lang/perl-5.8:= )

395

+	nginx_modules_http_rewrite? ( dev-libs/libpcre:= )

396

+	nginx_modules_http_secure_link? (

397

+		userland_GNU? (

398

+			!libressl? ( dev-libs/openssl:0= )

399

+			libressl? ( dev-libs/libressl:= )

400

+		)

401

+	)

402

+	nginx_modules_http_xslt? ( dev-libs/libxml2:= dev-libs/libxslt )

403

+	nginx_modules_http_lua? ( dev-lang/luajit:2= )

404

+	nginx_modules_http_auth_pam? ( sys-libs/pam )

405

+	nginx_modules_http_metrics? ( dev-libs/yajl:= )

406

+	nginx_modules_http_dav_ext? ( dev-libs/libxml2 )

407

+	nginx_modules_http_security? (

408

+		dev-libs/apr:=

409

+		dev-libs/apr-util:=

410

+		dev-libs/libxml2:=

411

+		net-misc/curl

412

+		www-servers/apache

413

+	)

414

+	nginx_modules_http_auth_ldap? ( net-nds/openldap[ssl?] )

415

+	nginx_modules_stream_geoip? ( dev-libs/geoip )

416

+	nginx_modules_stream_geoip2? ( dev-libs/libmaxminddb:= )"

417

+RDEPEND="${CDEPEND}

418

+	selinux? ( sec-policy/selinux-nginx )

419

+	!www-servers/nginx:0"

420

+DEPEND="${CDEPEND}

421

+	nginx_modules_http_brotli? ( virtual/pkgconfig )

422

+	nginx_modules_http_security? ( ${AUTOTOOLS_DEPEND} )

423

+	arm? ( dev-libs/libatomic_ops )

424

+	libatomic? ( dev-libs/libatomic_ops )"

425

+PDEPEND="vim-syntax? ( app-vim/nginx-syntax )"

426

+

427

+REQUIRED_USE="pcre-jit? ( pcre )

428

+	nginx_modules_http_fancyindex? ( nginx_modules_http_addition )

429

+	nginx_modules_http_grpc? ( http2 )

430

+	nginx_modules_http_lua? (

431

+		luajit

432

+		nginx_modules_http_rewrite

433

+	)

434

+	nginx_modules_http_naxsi? ( pcre )

435

+	nginx_modules_http_dav_ext? ( nginx_modules_http_dav nginx_modules_http_xslt )

436

+	nginx_modules_http_metrics? ( nginx_modules_http_stub_status )

437

+	nginx_modules_http_security? ( pcre )

438

+	nginx_modules_http_push_stream? ( ssl )"

439

+

440

+pkg_setup() {

441

+	NGINX_HOME="/var/lib/nginx"

442

+	NGINX_HOME_TMP="${NGINX_HOME}/tmp"

443

+

444

+	ebegin "Creating nginx user and group"

445

+	enewgroup ${PN}

446

+	enewuser ${PN} -1 -1 "${NGINX_HOME}" ${PN}

447

+	eend $?

448

+

449

+	if use libatomic; then

450

+		ewarn "GCC 4.1+ features built-in atomic operations."

451

+		ewarn "Using libatomic_ops is only needed if using"

452

+		ewarn "a different compiler or a GCC prior to 4.1"

453

+	fi

454

+

455

+	if [[ -n $NGINX_ADD_MODULES ]]; then

456

+		ewarn "You are building custom modules via \$NGINX_ADD_MODULES!"

457

+		ewarn "This nginx installation is not supported!"

458

+		ewarn "Make sure you can reproduce the bug without those modules"

459

+		ewarn "_before_ reporting bugs."

460

+	fi

461

+

462

+	if use !http; then

463

+		ewarn "To actually disable all http-functionality you also have to disable"

464

+		ewarn "all nginx http modules."

465

+	fi

466

+

467

+	if use nginx_modules_http_mogilefs && use threads; then

468

+		eerror "mogilefs won't compile with threads support."

469

+		eerror "Please disable either flag and try again."

470

+		die "Can't compile mogilefs with threads support"

471

+	fi

472

+}

473

+

474

+src_prepare() {

475

+	eapply "${FILESDIR}/${PN}-1.4.1-fix-perl-install-path.patch"

476

+	eapply "${FILESDIR}/${PN}-httpoxy-mitigation-r1.patch"

477

+

478

+	if use nginx_modules_http_auth_pam; then

479

+		cd "${HTTP_AUTH_PAM_MODULE_WD}" || die

480

+		eapply "${FILESDIR}"/http_auth_pam-1.5.1-adjust-loglevel-for-authentication-failures.patch

481

+		cd "${S}" || die

482

+	fi

483

+

484

+	if use nginx_modules_http_brotli; then

485

+		cd "${HTTP_BROTLI_MODULE_WD}" || die

486

+		eapply "${FILESDIR}"/http_brotli-detect-brotli-r3.patch

487

+		cd "${S}" || die

488

+	fi

489

+

490

+	if use nginx_modules_http_upstream_check; then

491

+		eapply -p0 "${FILESDIR}"/http_upstream_check-nginx-1.11.5+.patch

492

+	fi

493

+

494

+	if use nginx_modules_http_cache_purge; then

495

+		cd "${HTTP_CACHE_PURGE_MODULE_WD}" || die

496

+		eapply "${FILESDIR}"/http_cache_purge-1.11.6+.patch

497

+		cd "${S}" || die

498

+	fi

499

+

500

+	if use nginx_modules_http_security; then

501

+		cd "${HTTP_SECURITY_MODULE_WD}" || die

502

+

503

+		eautoreconf

504

+

505

+		if use luajit ; then

506

+			sed -i \

507

+				-e 's|^\(LUA_PKGNAMES\)=.*|\1="luajit"|' \

508

+				configure || die

509

+		fi

510

+

511

+		cd "${S}" || die

512

+	fi

513

+

514

+	if use nginx_modules_http_upload_progress; then

515

+		cd "${HTTP_UPLOAD_PROGRESS_MODULE_WD}" || die

516

+		eapply "${FILESDIR}"/http_uploadprogress-issue_50-r1.patch

517

+		cd "${S}" || die

518

+	fi

519

+

520

+	find auto/ -type f -print0 | xargs -0 sed -i 's:\&\& make:\&\& \\$(MAKE):' || die

521

+	# We have config protection, don't rename etc files

522

+	sed -i 's:.default::' auto/install || die

523

+	# remove useless files

524

+	sed -i -e '/koi-/d' -e '/win-/d' auto/install || die

525

+

526

+	# don't install to /etc/nginx/ if not in use

527

+	local module

528

+	for module in fastcgi scgi uwsgi ; do

529

+		if ! use nginx_modules_http_${module}; then

530

+			sed -i -e "/${module}/d" auto/install || die

531

+		fi

532

+	done

533

+

534

+	eapply_user

535

+}

536

+

537

+src_configure() {

538

+	# mod_security needs to generate nginx/modsecurity/config before including it

539

+	if use nginx_modules_http_security; then

540

+		cd "${HTTP_SECURITY_MODULE_WD}" || die

541

+

542

+		./configure \

543

+			--enable-standalone-module \

544

+			--disable-mlogc \

545

+			--with-ssdeep=no \

546

+			$(use_enable pcre-jit) \

547

+			$(use_with nginx_modules_http_lua lua) || die "configure failed for mod_security"

548

+

549

+		cd "${S}" || die

550

+	fi

551

+

552

+	local myconf=() http_enabled= mail_enabled= stream_enabled=

553

+

554

+	use aio       && myconf+=( --with-file-aio )

555

+	use debug     && myconf+=( --with-debug )

556

+	use http2     && myconf+=( --with-http_v2_module )

557

+	use libatomic && myconf+=( --with-libatomic )

558

+	use pcre      && myconf+=( --with-pcre )

559

+	use pcre-jit  && myconf+=( --with-pcre-jit )

560

+	use threads   && myconf+=( --with-threads )

561

+

562

+	# HTTP modules

563

+	for mod in $NGINX_MODULES_STD; do

564

+		if use nginx_modules_http_${mod}; then

565

+			http_enabled=1

566

+		else

567

+			myconf+=( --without-http_${mod}_module )

568

+		fi

569

+	done

570

+

571

+	for mod in $NGINX_MODULES_OPT; do

572

+		if use nginx_modules_http_${mod}; then

573

+			http_enabled=1

574

+			myconf+=( --with-http_${mod}_module )

575

+		fi

576

+	done

577

+

578

+	if use nginx_modules_http_fastcgi; then

579

+		myconf+=( --with-http_realip_module )

580

+	fi

581

+

582

+	# third-party modules

583

+	if use nginx_modules_http_upload_progress; then

584

+		http_enabled=1

585

+		myconf+=( --add-module=${HTTP_UPLOAD_PROGRESS_MODULE_WD} )

586

+	fi

587

+

588

+	if use nginx_modules_http_headers_more; then

589

+		http_enabled=1

590

+		myconf+=( --add-module=${HTTP_HEADERS_MORE_MODULE_WD} )

591

+	fi

592

+

593

+	if use nginx_modules_http_cache_purge; then

594

+		http_enabled=1

595

+		myconf+=( --add-module=${HTTP_CACHE_PURGE_MODULE_WD} )

596

+	fi

597

+

598

+	if use nginx_modules_http_slowfs_cache; then

599

+		http_enabled=1

600

+		myconf+=( --add-module=${HTTP_SLOWFS_CACHE_MODULE_WD} )

601

+	fi

602

+

603

+	if use nginx_modules_http_fancyindex; then

604

+		http_enabled=1

605

+		myconf+=( --add-module=${HTTP_FANCYINDEX_MODULE_WD} )

606

+	fi

607

+

608

+	if use nginx_modules_http_lua; then

609

+		http_enabled=1

610

+		export LUAJIT_LIB=$(pkg-config --variable libdir luajit)

611

+		export LUAJIT_INC=$(pkg-config --variable includedir luajit)

612

+		myconf+=( --add-module=${DEVEL_KIT_MODULE_WD} )

613

+		myconf+=( --add-module=${HTTP_LUA_MODULE_WD} )

614

+	fi

615

+

616

+	if use nginx_modules_http_auth_pam; then

617

+		http_enabled=1

618

+		myconf+=( --add-module=${HTTP_AUTH_PAM_MODULE_WD} )

619

+	fi

620

+

621

+	if use nginx_modules_http_upstream_check; then

622

+		http_enabled=1

623

+		myconf+=( --add-module=${HTTP_UPSTREAM_CHECK_MODULE_WD} )

624

+	fi

625

+

626

+	if use nginx_modules_http_metrics; then

627

+		http_enabled=1

628

+		myconf+=( --add-module=${HTTP_METRICS_MODULE_WD} )

629

+	fi

630

+

631

+	if use nginx_modules_http_naxsi ; then

632

+		http_enabled=1

633

+		myconf+=(  --add-module=${HTTP_NAXSI_MODULE_WD} )

634

+	fi

635

+

636

+	if use rtmp ; then

637

+		http_enabled=1

638

+		myconf+=( --add-module=${RTMP_MODULE_WD} )

639

+	fi

640

+

641

+	if use nginx_modules_http_dav_ext ; then

642

+		http_enabled=1

643

+		myconf+=( --add-module=${HTTP_DAV_EXT_MODULE_WD} )

644

+	fi

645

+

646

+	if use nginx_modules_http_echo ; then

647

+		http_enabled=1

648

+		myconf+=( --add-module=${HTTP_ECHO_MODULE_WD} )

649

+	fi

650

+

651

+	if use nginx_modules_http_security ; then

652

+		http_enabled=1

653

+		myconf+=( --add-module=${HTTP_SECURITY_MODULE_WD}/nginx/modsecurity )

654

+	fi

655

+

656

+	if use nginx_modules_http_push_stream ; then

657

+		http_enabled=1

658

+		myconf+=( --add-module=${HTTP_PUSH_STREAM_MODULE_WD} )

659

+	fi

660

+

661

+	if use nginx_modules_http_sticky ; then

662

+		http_enabled=1

663

+		myconf+=( --add-module=${HTTP_STICKY_MODULE_WD} )

664

+	fi

665

+

666

+	if use nginx_modules_http_mogilefs ; then

667

+		http_enabled=1

668

+		myconf+=( --add-module=${HTTP_MOGILEFS_MODULE_WD} )

669

+	fi

670

+

671

+	if use nginx_modules_http_memc ; then

672

+		http_enabled=1

673

+		myconf+=( --add-module=${HTTP_MEMC_MODULE_WD} )

674

+	fi

675

+

676

+	if use nginx_modules_http_auth_ldap; then

677

+		http_enabled=1

678

+		myconf+=( --add-module=${HTTP_LDAP_MODULE_WD} )

679

+	fi

680

+

681

+	if use nginx_modules_http_vhost_traffic_status; then

682

+		http_enabled=1

683

+		myconf+=( --add-module=${HTTP_VHOST_TRAFFIC_STATUS_MODULE_WD} )

684

+	fi

685

+

686

+	if use nginx_modules_http_geoip2 || use nginx_modules_stream_geoip2; then

687

+		myconf+=( --add-module=${GEOIP2_MODULE_WD} )

688

+	fi

689

+

690

+	if use nginx_modules_http_javascript || use nginx_modules_stream_javascript; then

691

+		myconf+=( --add-module="${NJS_MODULE_WD}/nginx" )

692

+	fi

693

+

694

+	if use nginx_modules_http_brotli; then

695

+		http_enabled=1

696

+		myconf+=( --add-module=${HTTP_BROTLI_MODULE_WD} )

697

+	fi

698

+

699

+	if use http || use http-cache || use http2 || use nginx_modules_http_javascript; then

700

+		http_enabled=1

701

+	fi

702

+

703

+	if [ $http_enabled ]; then

704

+		use http-cache || myconf+=( --without-http-cache )

705

+		use ssl && myconf+=( --with-http_ssl_module )

706

+	else

707

+		myconf+=( --without-http --without-http-cache )

708

+	fi

709

+

710

+	# Stream modules

711

+	for mod in $NGINX_MODULES_STREAM_STD; do

712

+		if use nginx_modules_stream_${mod}; then

713

+			stream_enabled=1

714

+		else

715

+			myconf+=( --without-stream_${mod}_module )

716

+		fi

717

+	done

718

+

719

+	for mod in $NGINX_MODULES_STREAM_OPT; do

720

+		if use nginx_modules_stream_${mod}; then

721

+			stream_enabled=1

722

+			myconf+=( --with-stream_${mod}_module )

723

+		fi

724

+	done

725

+

726

+	if use nginx_modules_stream_geoip2 || use nginx_modules_stream_javascript; then

727

+		stream_enabled=1

728

+	fi

729

+

730

+	if [ $stream_enabled ]; then

731

+		myconf+=( --with-stream )

732

+		use ssl && myconf+=( --with-stream_ssl_module )

733

+	fi

734

+

735

+	# MAIL modules

736

+	for mod in $NGINX_MODULES_MAIL; do

737

+		if use nginx_modules_mail_${mod}; then

738

+			mail_enabled=1

739

+		else

740

+			myconf+=( --without-mail_${mod}_module )

741

+		fi

742

+	done

743

+

744

+	if [ $mail_enabled ]; then

745

+		myconf+=( --with-mail )

746

+		use ssl && myconf+=( --with-mail_ssl_module )

747

+	fi

748

+

749

+	# custom modules

750

+	for mod in $NGINX_ADD_MODULES; do

751

+		myconf+=(  --add-module=${mod} )

752

+	done

753

+

754

+	# https://bugs.gentoo.org/286772

755

+	export LANG=C LC_ALL=C

756

+	tc-export CC

757

+

758

+	if ! use prefix; then

759

+		myconf+=( --user=${PN} )

760

+		myconf+=( --group=${PN} )

761

+	fi

762

+

763

+	local WITHOUT_IPV6=

764

+	if ! use ipv6; then

765

+		WITHOUT_IPV6=" -DNGX_HAVE_INET6=0"

766

+	fi

767

+

768

+	if [[ -n "${EXTRA_ECONF}" ]]; then

769

+		myconf+=( ${EXTRA_ECONF} )

770

+		ewarn "EXTRA_ECONF applied. Now you are on your own, good luck!"

771

+	fi

772

+

773

+	./configure \

774

+		--prefix="${EPREFIX}"/usr \

775

+		--conf-path="${EPREFIX}"/etc/${PN}/${PN}.conf \

776

+		--error-log-path="${EPREFIX}"/var/log/${PN}/error_log \

777

+		--pid-path="${EPREFIX}"/run/${PN}.pid \

778

+		--lock-path="${EPREFIX}"/run/lock/${PN}.lock \

779

+		--with-cc-opt="-I${EROOT}usr/include${WITHOUT_IPV6}" \

780

+		--with-ld-opt="-L${EROOT}usr/$(get_libdir)" \

781

+		--http-log-path="${EPREFIX}"/var/log/${PN}/access_log \

782

+		--http-client-body-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/client \

783

+		--http-proxy-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/proxy \

784

+		--http-fastcgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/fastcgi \

785

+		--http-scgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/scgi \

786

+		--http-uwsgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/uwsgi \

787

+		--with-compat \

788

+		"${myconf[@]}" || die "configure failed"

789

+

790

+	# A purely cosmetic change that makes nginx -V more readable. This can be

791

+	# good if people outside the gentoo community would troubleshoot and

792

+	# question the users setup.

793

+	sed -i -e "s|${WORKDIR}|external_module|g" objs/ngx_auto_config.h || die

794

+}

795

+

796

+src_compile() {

797

+	use nginx_modules_http_security && emake -C "${HTTP_SECURITY_MODULE_WD}"

798

+

799

+	# https://bugs.gentoo.org/286772

800

+	export LANG=C LC_ALL=C

801

+	emake LINK="${CC} ${LDFLAGS}" OTHERLDFLAGS="${LDFLAGS}"

802

+}

803

+

804

+src_install() {

805

+	emake DESTDIR="${D%/}" install

806

+

807

+	cp "${FILESDIR}"/nginx.conf-r2 "${ED%/}"/etc/nginx/nginx.conf || die

808

+

809

+	newinitd "${FILESDIR}"/nginx.initd-r4 nginx

810

+	newconfd "${FILESDIR}"/nginx.confd nginx

811

+

812

+	systemd_newunit "${FILESDIR}"/nginx.service-r1 nginx.service

813

+

814

+	doman man/nginx.8

815

+	dodoc CHANGES* README

816

+

817

+	# just keepdir. do not copy the default htdocs files (bug #449136)

818

+	keepdir /var/www/localhost

819

+	rm -rf "${ED%/}"/usr/html || die

820

+

821

+	# set up a list of directories to keep

822

+	local keepdir_list="${NGINX_HOME_TMP}"/client

823

+	local module

824

+	for module in proxy fastcgi scgi uwsgi; do

825

+		use nginx_modules_http_${module} && keepdir_list+=" ${NGINX_HOME_TMP}/${module}"

826

+	done

827

+

828

+	keepdir /var/log/nginx ${keepdir_list}

829

+

830

+	# this solves a problem with SELinux where nginx doesn't see the directories

831

+	# as root and tries to create them as nginx

832

+	fperms 0750 "${NGINX_HOME_TMP}"

833

+	fowners ${PN}:0 "${NGINX_HOME_TMP}"

834

+

835

+	fperms 0700 ${keepdir_list}

836

+	fowners ${PN}:${PN} ${keepdir_list}

837

+

838

+	fperms 0710 /var/log/nginx

839

+	fowners 0:${PN} /var/log/nginx

840

+

841

+	# logrotate

842

+	insinto /etc/logrotate.d

843

+	newins "${FILESDIR}"/nginx.logrotate-r1 nginx

844

+

845

+	# Don't create /run

846

+	rm -rf "${ED%/}"/run || die

847

+

848

+	if use luajit; then

849

+		pax-mark m "${ED%/}/usr/sbin/nginx"

850

+	fi

851

+

852

+	if use nginx_modules_http_perl; then

853

+		cd "${S}"/objs/src/http/modules/perl/ || die

854

+		emake DESTDIR="${D}" INSTALLDIRS=vendor

855

+		perl_delete_localpod

856

+		cd "${S}" || die

857

+	fi

858

+

859

+	if use nginx_modules_http_cache_purge; then

860

+		docinto ${HTTP_CACHE_PURGE_MODULE_P}

861

+		dodoc "${HTTP_CACHE_PURGE_MODULE_WD}"/{CHANGES,README.md,TODO.md}

862

+	fi

863

+

864

+	if use nginx_modules_http_slowfs_cache; then

865

+		docinto ${HTTP_SLOWFS_CACHE_MODULE_P}

866

+		dodoc "${HTTP_SLOWFS_CACHE_MODULE_WD}"/{CHANGES,README.md}

867

+	fi

868

+

869

+	if use nginx_modules_http_fancyindex; then

870

+		docinto ${HTTP_FANCYINDEX_MODULE_P}

871

+		dodoc "${HTTP_FANCYINDEX_MODULE_WD}"/README.rst

872

+	fi

873

+

874

+	if use nginx_modules_http_lua; then

875

+		docinto ${HTTP_LUA_MODULE_P}

876

+		dodoc "${HTTP_LUA_MODULE_WD}"/README.markdown

877

+	fi

878

+

879

+	if use nginx_modules_http_auth_pam; then

880

+		docinto ${HTTP_AUTH_PAM_MODULE_P}

881

+		dodoc "${HTTP_AUTH_PAM_MODULE_WD}"/{README.md,ChangeLog}

882

+	fi

883

+

884

+	if use nginx_modules_http_upstream_check; then

885

+		docinto ${HTTP_UPSTREAM_CHECK_MODULE_P}

886

+		dodoc "${HTTP_UPSTREAM_CHECK_MODULE_WD}"/{README,CHANGES}

887

+	fi

888

+

889

+	if use nginx_modules_http_naxsi; then

890

+		insinto /etc/nginx

891

+		doins "${HTTP_NAXSI_MODULE_WD}"/../naxsi_config/naxsi_core.rules

892

+	fi

893

+

894

+	if use rtmp; then

895

+		docinto ${RTMP_MODULE_P}

896

+		dodoc "${RTMP_MODULE_WD}"/{AUTHORS,README.md,stat.xsl}

897

+	fi

898

+

899

+	if use nginx_modules_http_dav_ext; then

900

+		docinto ${HTTP_DAV_EXT_MODULE_P}

901

+		dodoc "${HTTP_DAV_EXT_MODULE_WD}"/README.rst

902

+	fi

903

+

904

+	if use nginx_modules_http_echo; then

905

+		docinto ${HTTP_ECHO_MODULE_P}

906

+		dodoc "${HTTP_ECHO_MODULE_WD}"/README.markdown

907

+	fi

908

+

909

+	if use nginx_modules_http_security; then

910

+		docinto ${HTTP_SECURITY_MODULE_P}

911

+		dodoc "${HTTP_SECURITY_MODULE_WD}"/{CHANGES,README.md,authors.txt}

912

+	fi

913

+

914

+	if use nginx_modules_http_push_stream; then

915

+		docinto ${HTTP_PUSH_STREAM_MODULE_P}

916

+		dodoc "${HTTP_PUSH_STREAM_MODULE_WD}"/{AUTHORS,CHANGELOG.textile,README.textile}

917

+	fi

918

+

919

+	if use nginx_modules_http_sticky; then

920

+		docinto ${HTTP_STICKY_MODULE_P}

921

+		dodoc "${HTTP_STICKY_MODULE_WD}"/{README.md,Changelog.txt,docs/sticky.pdf}

922

+	fi

923

+

924

+	if use nginx_modules_http_memc; then

925

+		docinto ${HTTP_MEMC_MODULE_P}

926

+		dodoc "${HTTP_MEMC_MODULE_WD}"/README.markdown

927

+	fi

928

+

929

+	if use nginx_modules_http_auth_ldap; then

930

+		docinto ${HTTP_LDAP_MODULE_P}

931

+		dodoc "${HTTP_LDAP_MODULE_WD}"/example.conf

932

+	fi

933

+}

934

+

935

+pkg_postinst() {

936

+	if use ssl; then

937

+		if [[ ! -f "${EROOT}"etc/ssl/${PN}/${PN}.key ]]; then

938

+			install_cert /etc/ssl/${PN}/${PN}

939

+			use prefix || chown ${PN}:${PN} "${EROOT}"etc/ssl/${PN}/${PN}.{crt,csr,key,pem}

940

+		fi

941

+	fi

942

+

943

+	if use nginx_modules_http_spdy; then

944

+		ewarn ""

945

+		ewarn "In nginx 1.9.5 the spdy module was superseded by http2."

946

+		ewarn "Update your configs and package.use accordingly."

947

+	fi

948

+

949

+	if use nginx_modules_http_lua; then

950

+		ewarn ""

951

+		ewarn "While you can build lua 3rd party module against ${P}"

952

+		ewarn "the author warns that >=${PN}-1.11.11 is still not an"

953

+		ewarn "officially supported target yet. You are on your own."

954

+		ewarn "Expect runtime failures, memory leaks and other problems!"

955

+	fi

956

+

957

+	if use nginx_modules_http_lua && use http2; then

958

+		ewarn ""

959

+		ewarn "Lua 3rd party module author warns against using ${P} with"

960

+		ewarn "NGINX_MODULES_HTTP=\"lua http2\". For more info, see https://git.io/OldLsg"

961

+	fi

962

+

963

+	local _n_permission_layout_checks=0

964

+	local _has_to_adjust_permissions=0

965

+	local _has_to_show_permission_warning=0

966

+

967

+	# Defaults to 1 to inform people doing a fresh installation

968

+	# that we ship modified {scgi,uwsgi,fastcgi}_params files

969

+	local _has_to_show_httpoxy_mitigation_notice=1

970

+

971

+	local _replacing_version=

972

+	for _replacing_version in ${REPLACING_VERSIONS}; do

973

+		_n_permission_layout_checks=$((${_n_permission_layout_checks}+1))

974

+

975

+		if [[ ${_n_permission_layout_checks} -gt 1 ]]; then

976

+			# Should never happen:

977

+			# Package is abusing slots but doesn't allow multiple parallel installations.

978

+			# If we run into this situation it is unsafe to automatically adjust any

979

+			# permission...

980

+			_has_to_show_permission_warning=1

981

+

982

+			ewarn "Replacing multiple ${PN}' versions is unsupported! " \

983

+				"You will have to adjust permissions on your own."

984

+

985

+			break

986

+		fi

987

+

988

+		local _replacing_version_branch=$(get_version_component_range 1-2 "${_replacing_version}")

989

+		debug-print "Updating an existing installation (v${_replacing_version}; branch '${_replacing_version_branch}') ..."

990

+

991

+		# Do we need to adjust permissions to fix CVE-2013-0337 (bug #458726, #469094)?

992

+		# This was before we introduced multiple nginx versions so we

993

+		# do not need to distinguish between stable and mainline

994

+		local _need_to_fix_CVE2013_0337=1

995

+

996

+		if version_is_at_least "1.4.1-r2" "${_replacing_version}"; then

997

+			# We are updating an installation which should already be fixed

998

+			_need_to_fix_CVE2013_0337=0

999

+			debug-print "Skipping CVE-2013-0337 ... existing installation should not be affected!"

1000

+		else

1001

+			_has_to_adjust_permissions=1

1002

+			debug-print "Need to adjust permissions to fix CVE-2013-0337!"

1003

+		fi

1004

+

1005

+		# Do we need to inform about HTTPoxy mitigation?

1006

+		# In repository since commit 8be44f76d4ac02cebcd1e0e6e6284bb72d054b0f

1007

+		if ! version_is_at_least "1.10" "${_replacing_version_branch}"; then

1008

+			# Updating from <1.10

1009

+			_has_to_show_httpoxy_mitigation_notice=1

1010

+			debug-print "Need to inform about HTTPoxy mitigation!"

1011

+		else

1012

+			# Updating from >=1.10

1013

+			local _fixed_in_pvr=

1014

+			case "${_replacing_version_branch}" in

1015

+				"1.10")

1016

+					_fixed_in_pvr="1.10.1-r2"

1017

+					;;

1018

+				"1.11")

1019

+					_fixed_in_pvr="1.11.3-r1"

1020

+					;;

1021

+				*)

1022

+					# This should be any future branch.

1023

+					# If we run this code it is safe to assume that the user has

1024

+					# already seen the HTTPoxy mitigation notice because he/she is doing

1025

+					# an update from previous version where we have already shown

1026

+					# the warning. Otherwise, we wouldn't hit this code path ...

1027

+					_fixed_in_pvr=

1028

+			esac

1029

+

1030

+			if [[ -z "${_fixed_in_pvr}" ]] || version_is_at_least "${_fixed_in_pvr}" "${_replacing_version}"; then

1031

+				# We are updating an installation where we already informed

1032

+				# that we are mitigating HTTPoxy per default

1033

+				_has_to_show_httpoxy_mitigation_notice=0

1034

+				debug-print "No need to inform about HTTPoxy mitigation ... information was already shown for existing installation!"

1035

+			else

1036

+				_has_to_show_httpoxy_mitigation_notice=1

1037

+				debug-print "Need to inform about HTTPoxy mitigation!"

1038

+			fi

1039

+		fi

1040

+

1041

+		# Do we need to adjust permissions to fix CVE-2016-1247 (bug #605008)?

1042

+		# All branches up to 1.11 are affected

1043

+		local _need_to_fix_CVE2016_1247=1

1044

+

1045

+		if ! version_is_at_least "1.10" "${_replacing_version_branch}"; then

1046

+			# Updating from <1.10

1047

+			_has_to_adjust_permissions=1

1048

+			debug-print "Need to adjust permissions to fix CVE-2016-1247!"

1049

+		else

1050

+			# Updating from >=1.10

1051

+			local _fixed_in_pvr=

1052

+			case "${_replacing_version_branch}" in

1053

+				"1.10")

1054

+					_fixed_in_pvr="1.10.2-r3"

1055

+					;;

1056

+				"1.11")

1057

+					_fixed_in_pvr="1.11.6-r1"

1058

+					;;

1059

+				*)

1060

+					# This should be any future branch.

1061

+					# If we run this code it is safe to assume that we have already

1062

+					# adjusted permissions or were never affected because user is

1063

+					# doing an update from previous version which was safe or did

1064

+					# the adjustments. Otherwise, we wouldn't hit this code path ...

1065

+					_fixed_in_pvr=

1066

+			esac

1067

+

1068

+			if [[ -z "${_fixed_in_pvr}" ]] || version_is_at_least "${_fixed_in_pvr}" "${_replacing_version}"; then

1069

+				# We are updating an installation which should already be adjusted

1070

+				# or which was never affected

1071

+				_need_to_fix_CVE2016_1247=0

1072

+				debug-print "Skipping CVE-2016-1247 ... existing installation should not be affected!"

1073

+			else

1074

+				_has_to_adjust_permissions=1

1075

+				debug-print "Need to adjust permissions to fix CVE-2016-1247!"

1076

+			fi

1077

+		fi

1078

+	done

1079

+

1080

+	if [[ ${_has_to_adjust_permissions} -eq 1 ]]; then

1081

+		# We do not DIE when chmod/chown commands are failing because

1082

+		# package is already merged on user's system at this stage

1083

+		# and we cannot retry without losing the information that

1084

+		# the existing installation needs to adjust permissions.

1085

+		# Instead we are going to a show a big warning ...

1086

+

1087

+		if [[ ${_has_to_show_permission_warning} -eq 0 ]] && [[ ${_need_to_fix_CVE2013_0337} -eq 1 ]]; then

1088

+			ewarn ""

1089

+			ewarn "The world-readable bit (if set) has been removed from the"

1090

+			ewarn "following directories to mitigate a security bug"

1091

+			ewarn "(CVE-2013-0337, bug #458726):"

1092

+			ewarn ""

1093

+			ewarn "  ${EPREFIX}/var/log/nginx"

1094

+			ewarn "  ${EPREFIX}${NGINX_HOME_TMP}/{,client,proxy,fastcgi,scgi,uwsgi}"

1095

+			ewarn ""

1096

+			ewarn "Check if this is correct for your setup before restarting nginx!"

1097

+			ewarn "This is a one-time change and will not happen on subsequent updates."

1098

+			ewarn "Furthermore nginx' temp directories got moved to '${EPREFIX}${NGINX_HOME_TMP}'"

1099

+			chmod o-rwx \

1100

+				"${EPREFIX}"/var/log/nginx \

1101

+				"${EPREFIX}"${NGINX_HOME_TMP}/{,client,proxy,fastcgi,scgi,uwsgi} || \

1102

+				_has_to_show_permission_warning=1

1103

+		fi

1104

+

1105

+		if [[ ${_has_to_show_permission_warning} -eq 0 ]] && [[ ${_need_to_fix_CVE2016_1247} -eq 1 ]]; then

1106

+			ewarn ""

1107

+			ewarn "The permissions on the following directory have been reset in"

1108

+			ewarn "order to mitigate a security bug (CVE-2016-1247, bug #605008):"

1109

+			ewarn ""

1110

+			ewarn "  ${EPREFIX}/var/log/nginx"

1111

+			ewarn ""

1112

+			ewarn "Check if this is correct for your setup before restarting nginx!"

1113

+			ewarn "Also ensure that no other log directory used by any of your"

1114

+			ewarn "vhost(s) is not writeable for nginx user. Any of your log files"

1115

+			ewarn "used by nginx can be abused to escalate privileges!"

1116

+			ewarn "This is a one-time change and will not happen on subsequent updates."

1117

+			chown 0:nginx "${EPREFIX}"/var/log/nginx || _has_to_show_permission_warning=1

1118

+			chmod 710 "${EPREFIX}"/var/log/nginx || _has_to_show_permission_warning=1

1119

+		fi

1120

+

1121

+		if [[ ${_has_to_show_permission_warning} -eq 1 ]]; then

1122

+			# Should never happen ...

1123

+			ewarn ""

1124

+			ewarn "*************************************************************"

1125

+			ewarn "***************         W A R N I N G         ***************"

1126

+			ewarn "*************************************************************"

1127

+			ewarn "The one-time only attempt to adjust permissions of the"

1128

+			ewarn "existing nginx installation failed. Be aware that we will not"

1129

+			ewarn "try to adjust the same permissions again because now you are"

1130

+			ewarn "using a nginx version where we expect that the permissions"

1131

+			ewarn "are already adjusted or that you know what you are doing and"

1132

+			ewarn "want to keep custom permissions."

1133

+			ewarn ""

1134

+		fi

1135

+	fi

1136

+

1137

+	# Sanity check for CVE-2016-1247

1138

+	# Required to warn users who received the warning above and thought

1139

+	# they could fix it by unmerging and re-merging the package or have

1140

+	# unmerged a affected installation on purpose in the past leaving

1141

+	# /var/log/nginx on their system due to keepdir/non-empty folder

1142

+	# and are now installing the package again.

1143

+	local _sanity_check_testfile=$(mktemp --dry-run "${EPREFIX}"/var/log/nginx/.CVE-2016-1247.XXXXXXXXX)

1144

+	su -s /bin/sh -c "touch ${_sanity_check_testfile}" nginx >&/dev/null

1145

+	if [ $? -eq 0 ] ; then

1146

+		# Cleanup -- no reason to die here!

1147

+		rm -f "${_sanity_check_testfile}"

1148

+

1149

+		ewarn ""

1150

+		ewarn "*************************************************************"

1151

+		ewarn "***************         W A R N I N G         ***************"

1152

+		ewarn "*************************************************************"

1153

+		ewarn "Looks like your installation is vulnerable to CVE-2016-1247"

1154

+		ewarn "(bug #605008) because nginx user is able to create files in"

1155

+		ewarn ""

1156

+		ewarn "  ${EPREFIX}/var/log/nginx"

1157

+		ewarn ""

1158

+		ewarn "Also ensure that no other log directory used by any of your"

1159

+		ewarn "vhost(s) is not writeable for nginx user. Any of your log files"

1160

+		ewarn "used by nginx can be abused to escalate privileges!"

1161

+	fi

1162

+

1163

+	if [[ ${_has_to_show_httpoxy_mitigation_notice} -eq 1 ]]; then

1164

+		# HTTPoxy mitigation

1165

+		ewarn ""

1166

+		ewarn "This nginx installation comes with a mitigation for the HTTPoxy"

1167

+		ewarn "vulnerability for FastCGI, SCGI and uWSGI applications by setting"

1168

+		ewarn "the HTTP_PROXY parameter to an empty string per default when you"

1169

+		ewarn "are sourcing one of the default"

1170

+		ewarn ""

1171

+		ewarn "  - 'fastcgi_params' or 'fastcgi.conf'"

1172

+		ewarn "  - 'scgi_params'"

1173

+		ewarn "  - 'uwsgi_params'"

1174

+		ewarn ""

1175

+		ewarn "files in your server block(s)."

1176

+		ewarn ""

1177

+		ewarn "If this is causing any problems for you make sure that you are sourcing the"

1178

+		ewarn "default parameters _before_ you set your own values."

1179

+		ewarn "If you are relying on user-supplied proxy values you have to remove the"

1180

+		ewarn "correlating lines from the file(s) mentioned above."

1181

+		ewarn ""

1182

+	fi

1183

+}

Gentoo Archives: gentoo-commits