This thread contains a patchset. You're looking at the original emails,
but you may wish to use the patch review UI.
Review patch
1
[alpine-devel] [PATCH] main/nginx-naxsi: new aport
NGINX with naxsi WAF support https://github.com/nbs-system/naxsi
Built with the same modules as Debian + SysGuard from Tengine.
Nginx patched to anonymise server strings.
With the WAF & SysGuard enabled nginx-naxsi benchmarked @ approx
600 connections / second (the same as the standard Alpine nginx pkg).
With the WAF disabled 640 connections / second (as the mail modules
are removed as per the naxsi author's recommendation).
---
main/nginx-naxsi/APKBUILD | 127 +++++++++++++++++++++++++++++++
main/nginx-naxsi/anonymise.patch | 76 ++++++++++++++++++
main/nginx-naxsi/ipv6.patch | 42 ++++++++++
main/nginx-naxsi/musl-crypt-fix.patch | 13 ++++
main/nginx-naxsi/nginx-naxsi.pre-install | 9 +++
main/nginx-naxsi/nginx-naxsi.pre-upgrade | 1 +
main/nginx-naxsi/nginx.initd | 42 ++++++++++
main/nginx-naxsi/nginx.logrotate | 12 +++
main/nginx-naxsi/sysguard.patch | 10 +++
9 files changed, 332 insertions(+)
create mode 100644 main/nginx-naxsi/APKBUILD
create mode 100644 main/nginx-naxsi/anonymise.patch
create mode 100644 main/nginx-naxsi/ipv6.patch
create mode 100644 main/nginx-naxsi/musl-crypt-fix.patch
create mode 100644 main/nginx-naxsi/nginx-naxsi.pre-install
create mode 120000 main/nginx-naxsi/nginx-naxsi.pre-upgrade
create mode 100644 main/nginx-naxsi/nginx.initd
create mode 100644 main/nginx-naxsi/nginx.logrotate
create mode 100644 main/nginx-naxsi/sysguard.patch
diff --git a/main/nginx-naxsi/APKBUILD b/main/nginx-naxsi/APKBUILD
new file mode 100644
index 0000000..a7ec5ca
--- /dev/null
+++ b/main/nginx-naxsi/APKBUILD
@@ -0,0 +1,127 @@
+# Maintainer: Cameron Banta <cbanta@gmail.com>
+# Contributor: Jeff Bilyk <jbilyk@gmail.com>
+# Contributor: Bartłomiej Piotrowski <nospam@bpiotrowski.pl>
+# Contributor: Stuart Cardall <developer@it-offshore.co.uk>
+
+pkgname=nginx-naxsi
+_pkgname=nginx
+pkgver=1.6.1
+_ngx_naxsi_ver=0.53-2
+_ngx_cache_purge_ver=2.1
+pkgrel=0
+pkgdesc="lightweight HTTP and reverse proxy server with Naxsi WAF support, see also 'naxsi-utils'"
+url="http://www.nginx.org | https://github.com/nbs-system/naxsi"
+arch="all"
+license="Custom"
+install="$pkgname.pre-install $pkgname.pre-upgrade"
+depends="!nginx"
+makedepends="pcre-dev openssl-dev zlib-dev paxctl"
+source="http://nginx.org/download/$_pkgname-$pkgver.tar.gz
+ naxsi-$_ngx_naxsi_ver.tar.gz::https://github.com/nbs-system/naxsi/archive/$_ngx_naxsi_ver.tar.gz
+ ngx_cache_purge-$_ngx_cache_purge_ver.tar.gz::https://github.com/FRiCKLE/ngx_cache_purge/archive/2.1.tar.gz
+ upstream-fair.zip::https://github.com/gnosek/nginx-upstream-fair/archive/master.zip
+ sysguard.zip::https://github.com/alibaba/nginx-http-sysguard/archive/master.zip
+
+ anonymise.patch
+ musl-crypt-fix.patch
+ ipv6.patch
+ sysguard.patch
+
+ nginx.initd
+ nginx.logrotate
+ "
+
+_builddir="$srcdir"/$_pkgname-$pkgver
+
+prepare() {
+ local i
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
+
+build() {
+ cd "$_builddir"
+ ./configure \
+ --add-module="$srcdir/naxsi-$_ngx_naxsi_ver/naxsi_src" \
+ --add-module="$srcdir/nginx-http-sysguard-master" \
+ --prefix=/usr \
+ --conf-path=/etc/$_pkgname/$_pkgname.conf \
+ --pid-path=/var/run/$_pkgname.pid \
+ --lock-path=/var/run/$_pkgname.lock \
+ --error-log-path=/var/log/$_pkgname/error.log \
+ --http-log-path=/var/log/$_pkgname/access.log \
+ --http-client-body-temp-path=/tmp/$_pkgname/client-body \
+ --http-proxy-temp-path=/tmp/$_pkgname/proxy \
+ --http-fastcgi-temp-path=/tmp/$_pkgname/fastcgi \
+ --user=nginx \
+ --group=nginx \
+ --with-ipv6 \
+ --with-pcre-jit \
+ --with-http_ssl_module \
+ --with-http_gzip_static_module \
+ --with-http_spdy_module \
+ --without-mail_pop3_module \
+ --without-mail_smtp_module \
+ --without-mail_imap_module \
+ --without-http_uwsgi_module \
+ --without-http_scgi_module \
+ --with-http_realip_module \
+ --with-http_stub_status_module \
+ --with-http_auth_request_module \
+ --add-module="$srcdir/ngx_cache_purge-$_ngx_cache_purge_ver" \
+ --add-module="$srcdir/nginx-upstream-fair-master" \
+ || return 1
+ make || return 1
+}
+
+package() {
+ cd "$_builddir"
+ make DESTDIR="$pkgdir" install
+
+ local paxflags="-m"
+ [ "$CARCH" = "x86" ] && paxflags="-msp"
+ paxctl -c $paxflags "$pkgdir"/usr/sbin/nginx || return 1
+
+ install -m755 -D "$srcdir"/$_pkgname.initd "$pkgdir"/etc/init.d/$_pkgname
+ install -m644 -D "$srcdir"/$_pkgname.logrotate "$pkgdir"/etc/logrotate.d/$_pkgname
+
+ install -m644 -D LICENSE "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
+ install -m644 -D "$srcdir"/naxsi-$_ngx_naxsi_ver/naxsi_config/naxsi_core.rules "$pkgdir"/etc/nginx/naxsi_core.rules
+}
+md5sums="45e5a11f48b001644676f7767980a2bf nginx-1.6.1.tar.gz
+348b50914a1eedaed09a2509621adf43 naxsi-0.53-2.tar.gz
+e63c0ff65be23f877a9975a65298e8fe ngx_cache_purge-2.1.tar.gz
+2c8537e2c6eb11baebd26d863d528d64 upstream-fair.zip
+a72a0ec1176b47c6ceecc3b30c85d07c sysguard.zip
+a07569b8a023f1b89dcd11e0beda4df6 anonymise.patch
+3aeb488921109e60d02ed64d36790aeb musl-crypt-fix.patch
+801a87f7f9d27f8ad85b41a78b4c4461 ipv6.patch
+50357b75049d878c0bcce10d0c60f9ed sysguard.patch
+a00403a764478f5459d850bb387ca19b nginx.initd
+8823274a834332d3db4f62bf7dd1fb7d nginx.logrotate"
+sha256sums="f5cfe682a1aeef4602c2ca705402d5049b748f946563f41d8256c18674836067 nginx-1.6.1.tar.gz
+3eadff1d91995beae41b92733ade28091c2075a24ae37058f4d6aa90b0f4b660 naxsi-0.53-2.tar.gz
+c8d67b9c0ed7ec23315071df352e95b69e9f14285cd7f8883d26a7fda237bd87 ngx_cache_purge-2.1.tar.gz
+e7c4208f19175db896dd2aede9326960314fc131c3a8829b19d3024d475562cf upstream-fair.zip
+800536eb9f269e1478500758e859ef7c4b4c7852580f2aeee8d7eb4c1fb51f18 sysguard.zip
+1923ebdb4a64a22f8903c3da619677bd3aaf769c99bee1aa4262edac58f05ba3 anonymise.patch
+8c398640bd379c1c6a2fafcd2b3848a72902e47924e8e2490b312c141eec5d70 musl-crypt-fix.patch
+a24ef5843ae0afa538b00c37eb7da7870f9d7f146f52a9668678f7296cf71d9b ipv6.patch
+18090329435c32d91621a5943acc5b8bbe89aaa3c2fa334c3a4cdeb00efb6226 sysguard.patch
+67df748bd7ef4f3c3b5eef9dd7e3b352ef671dd7cfb9db56e096eed77a442d67 nginx.initd
+cea0c6f8de55a4c3a3eccc57910de1c3116634082c8e5b660630fb927a29f38d nginx.logrotate"
+sha512sums="07762a7b25b7624142e9d8633eb952e7627501a183c82de7f31b20336f3f997171b366124a41c0fbc8c2a73ed6c68db1a084ca89cf8c5ad4f2bc5e8e7c7be105 nginx-1.6.1.tar.gz
+ada592f5e7f80a6d549cc435ee8720df01a788dc88cf27a7d55521bb7e4c66fa11b9ec28216aff7e13c70a5faf12cb745bd398b8a782ed4dea1eecd04b07e24c naxsi-0.53-2.tar.gz
+9c958c9cbc16206c023f2e879bf301005117a2358104439513c1a3965894ba2c035fc68518ce7c7a4e23548477826ac0c6439bf1da4d4560c972d9a6a75f2a01 ngx_cache_purge-2.1.tar.gz
+bbe1330e86a9650326858d893a1143df9b431873062b64a89b0befdbaca9f135e872225c7a7874231537c74da85ca8c56ac3d80739227721246c096cf4f2b7da upstream-fair.zip
+b361a8316d6e1f419d63f229756d3af08b32e235199285a18f8478be42a57a9c0b2ff126e7018ba750c6e9d1e33bb053f83aacd96ebc5d3b876bedb973a92712 sysguard.zip
+5899097b6b6ed04deb7ae474fb65205d9c50843f30929c1370c0c1d70df3f02fe51b8ea90d3d2c3b4c53aeb3895717729e0c9773b880ca529e89a5b07fc26a5b anonymise.patch
+21114c775e4bdd1f7b8b9abc143284945e96ed1d8c49904ddf918abad87b16253f918ba47976cd2df32f0fdb8a7dad399d4200e879db2da6cf93a28aab236a75 musl-crypt-fix.patch
+68d64a84568ec2df0366925ab282a05ebe21a85044b6c7844a47573cfd8cc8ed119cc772358bc3fff36e2d4fdf583a730592825f5f98632993ca86d1f8438d5f ipv6.patch
+2dca2ac74fb92e330fde7b6b6120b2fd2565c377a629c9536cf77beebe41aa4b092d4229d5b487b0fb02be4f2cc5b897c429c87bbbbc7b0d31e1cbb94231ddce sysguard.patch
+9c6b357c460998187d7a26c0f3c8abc69c91b523a6f340c1f6ed3c863101a39eeb61e92b4cfec6a04af2b495c354c33f232ce5e59ed29edd6855e430ca73d168 nginx.initd
+01b77cff16f6e8bfd7fa1d4d20f625bbcddd08f0509173452d060c342c93dc315a7b0560f4734323a5d29ea294de0491f2e3f32e5337574e1a28ebc005eceea8 nginx.logrotate"
diff --git a/main/nginx-naxsi/anonymise.patch b/main/nginx-naxsi/anonymise.patch
new file mode 100644
index 0000000..ebedc7f
--- /dev/null
+++ b/main/nginx-naxsi/anonymise.patch
@@ -0,0 +1,76 @@
+--- nginx-1.6.1/src/http/ngx_http_header_filter_module.c
++++ nginx-1.6.1/src/http/ngx_http_header_filter_module.c
+@@ -46,8 +46,8 @@
+ };
+
+
+-static char ngx_http_server_string[] = "Server: nginx" CRLF;
+-static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
++static char ngx_http_server_string[] = "";
++static char ngx_http_server_full_string[] = "";
+
+
+ static ngx_str_t ngx_http_status_lines[] = {
+@@ -278,8 +278,8 @@
+ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
+ if (r->headers_out.server == NULL) {
+- len += clcf->server_tokens ? sizeof(ngx_http_server_full_string) - 1:
+- sizeof(ngx_http_server_string) - 1;
++ len += clcf->server_tokens ? sizeof(ngx_http_server_full_string) - 0:
++ sizeof(ngx_http_server_string) - 0;
+ }
+
+ if (r->headers_out.date == NULL) {
+--- nginx-1.6.1/src/http/ngx_http_spdy_filter_module.c
++++ nginx-1.6.1/src/http/ngx_http_spdy_filter_module.c
+@@ -175,11 +175,12 @@
+
+ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
+- if (r->headers_out.server == NULL) {
++/* if (r->headers_out.server == NULL) {
+ len += ngx_http_spdy_nv_nsize("server");
+ len += clcf->server_tokens ? ngx_http_spdy_nv_vsize(NGINX_VER)
+ : ngx_http_spdy_nv_vsize("nginx");
+ }
++*/
+
+ if (r->headers_out.date == NULL) {
+ len += ngx_http_spdy_nv_nsize("date")
+@@ -326,7 +327,7 @@
+
+ count = 2;
+
+- if (r->headers_out.server == NULL) {
++ /* if (r->headers_out.server == NULL) {
+ last = ngx_http_spdy_nv_write_name(last, "server");
+ last = clcf->server_tokens
+ ? ngx_http_spdy_nv_write_val(last, NGINX_VER)
+@@ -334,6 +335,7 @@
+
+ count++;
+ }
++*/
+
+ if (r->headers_out.date == NULL) {
+ last = ngx_http_spdy_nv_write_name(last, "date");
+--- nginx-1.6.1/src/http/ngx_http_special_response.c
++++ nginx-1.6.1/src/http/ngx_http_special_response.c
+@@ -19,14 +19,14 @@
+
+
+ static u_char ngx_http_error_full_tail[] =
+-"<hr><center>" NGINX_VER "</center>" CRLF
++"<hr><center>127.0.0.1</center>" CRLF
+ "</body>" CRLF
+ "</html>" CRLF
+ ;
+
+
+ static u_char ngx_http_error_tail[] =
+-"<hr><center>nginx</center>" CRLF
++"<hr><center>localhost</center>" CRLF
+ "</body>" CRLF
+ "</html>" CRLF
+ ;
diff --git a/main/nginx-naxsi/ipv6.patch b/main/nginx-naxsi/ipv6.patch
new file mode 100644
index 0000000..9b05f8f
--- /dev/null
+++ b/main/nginx-naxsi/ipv6.patch
@@ -0,0 +1,42 @@
+--- a/src/http/ngx_http_core_module.c
++++ b/src/http/ngx_http_core_module.c
+@@ -2442,7 +2442,11 @@
+ ngx_uint_t i;
+ ngx_conf_t pcf;
+ ngx_http_module_t *module;
++#if (NGX_HAVE_INET6)
++ struct sockaddr_in6 *sin6;
++#else
+ struct sockaddr_in *sin;
++#endif
+ ngx_http_conf_ctx_t *ctx, *http_ctx;
+ ngx_http_listen_opt_t lsopt;
+ ngx_http_core_srv_conf_t *cscf, **cscfp;
+@@ -2526,6 +2530,19 @@
+ if (rv == NGX_CONF_OK && !cscf->listen) {
+ ngx_memzero(&lsopt, sizeof(ngx_http_listen_opt_t));
+
++#if (NGX_HAVE_INET6)
++ sin6 = &lsopt.u.sockaddr_in6;
++
++ sin6->sin6_family = AF_INET6;
++#if (NGX_WIN32)
++ sin6->sin6_port = htons(80);
++#else
++ sin6->sin6_port = htons((getuid() == 0) ? 80 : 8000);
++#endif
++ sin6->sin6_addr = in6addr_any;
++
++ lsopt.socklen = sizeof(struct sockaddr_in6);
++#else
+ sin = &lsopt.u.sockaddr_in;
+
+ sin->sin_family = AF_INET;
+@@ -2537,6 +2554,7 @@
+ sin->sin_addr.s_addr = INADDR_ANY;
+
+ lsopt.socklen = sizeof(struct sockaddr_in);
++#endif
+
+ lsopt.backlog = NGX_LISTEN_BACKLOG;
+ lsopt.rcvbuf = -1;
diff --git a/main/nginx-naxsi/musl-crypt-fix.patch b/main/nginx-naxsi/musl-crypt-fix.patch
new file mode 100644
index 0000000..2f11fe2
--- /dev/null
+++ b/main/nginx-naxsi/musl-crypt-fix.patch
@@ -0,0 +1,13 @@
+--- nginx-1.4.4/src/os/unix/ngx_user.c.orig
++++ nginx-1.4.4/src/os/unix/ngx_user.c
+@@ -31,8 +31,10 @@
+ struct crypt_data cd;
+
+ cd.initialized = 0;
++#ifdef __GLIBC__
+ /* work around the glibc bug */
+ cd.current_salt[0] = ~salt[0];
++#endif
+
+ value = crypt_r((char *) key, (char *) salt, &cd);
+
diff --git a/main/nginx-naxsi/nginx-naxsi.pre-install b/main/nginx-naxsi/nginx-naxsi.pre-install
new file mode 100644
index 0000000..55b5bfc
--- /dev/null
+++ b/main/nginx-naxsi/nginx-naxsi.pre-install
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+addgroup -g 82 -S www-data 2>/dev/null
+addgroup -S nginx 2>/dev/null
+adduser -S -G nginx -H -h /var/www/localhost/htdocs -s /sbin/nologin \
+ -D nginx 2>/dev/null
+addgroup nginx www-data 2>/dev/null
+
+exit 0
diff --git a/main/nginx-naxsi/nginx-naxsi.pre-upgrade b/main/nginx-naxsi/nginx-naxsi.pre-upgrade
new file mode 120000
index 0000000..364e0b9
--- /dev/null
+++ b/main/nginx-naxsi/nginx-naxsi.pre-upgrade
@@ -0,0 +1 @@
+nginx-naxsi.pre-install
\ No newline at end of file
diff --git a/main/nginx-naxsi/nginx.initd b/main/nginx-naxsi/nginx.initd
new file mode 100644
index 0000000..ce2b7b8
--- /dev/null
+++ b/main/nginx-naxsi/nginx.initd
@@ -0,0 +1,42 @@
+#!/sbin/runscript
+
+extra_started_commands="reload"
+extra_commands="configtest"
+
+depend() {
+ need net
+ use dns logger netmount
+}
+
+CONFFILE=${CONFFILE:-/etc/nginx/${SVCNAME}.conf}
+PIDFILE=${PIDFILE:-/var/run/${SVCNAME}.pid}
+
+configtest() {
+ ebegin "Checking ${SVCNAME} configuration"
+ mkdir -p /tmp/nginx
+ /usr/sbin/nginx -c ${CONFFILE} -t
+ eend $? "failed, please correct errors above"
+}
+
+start() {
+ configtest || return 1
+ ebegin "Starting ${SVCNAME}"
+ start-stop-daemon --start --pidfile "${PIDFILE}" \
+ --exec /usr/sbin/nginx -- -c ${CONFFILE} -g "pid ${PIDFILE};"
+ eend $? "Failed to start ${SVCNAME}"
+}
+
+stop() {
+ configtest || return 1
+ ebegin "Stopping ${SVCNAME}"
+ start-stop-daemon --stop --pidfile "${PIDFILE}"
+ eend $? "Failed to stop ${SVCNAME}"
+ rm -f "${PIDFILE}"
+}
+
+reload() {
+ configtest || return 1
+ ebegin "Refreshing ${SVCNAME} configuration"
+ kill -HUP $(cat "${PIDFILE}") &>/dev/null
+ eend $? "Failed to reload nginx"
+}
diff --git a/main/nginx-naxsi/nginx.logrotate b/main/nginx-naxsi/nginx.logrotate
new file mode 100644
index 0000000..7778b11
--- /dev/null
+++ b/main/nginx-naxsi/nginx.logrotate
@@ -0,0 +1,12 @@
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-servers/nginx/files/nginx.logrotate,v 1.1 2010/01/03 20:29:40 djc Exp $
+
+/var/log/nginx/*.log {
+ missingok
+ sharedscripts
+ postrotate
+ kill -USR1 `cat /var/run/nginx.pid`
+ endscript
+}
+
diff --git a/main/nginx-naxsi/sysguard.patch b/main/nginx-naxsi/sysguard.patch
new file mode 100644
index 0000000..be8b0d2
--- /dev/null
+++ b/main/nginx-naxsi/sysguard.patch
@@ -0,0 +1,10 @@
+--- a/src/http/ngx_http_request.h
++++ b/src/http/ngx_http_request.h
+@@ -498,6 +498,7 @@
+ */
+ unsigned limit_conn_set:1;
+ unsigned limit_req_set:1;
++ unsigned sysguard_set:1;
+
+ #if 0
+ unsigned cacheable:1;
--
2.1.0
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
On Thu, 18 Sep 2014 03:20:50 +0000
Stuart Cardall <developer@it-offshore.co.uk> wrote:
> NGINX with naxsi WAF support https://github.com/nbs-system/naxsi
>
> Built with the same modules as Debian + SysGuard from Tengine.
>
> Nginx patched to anonymise server strings.
>
> With the WAF & SysGuard enabled nginx-naxsi benchmarked @ approx
> 600 connections / second (the same as the standard Alpine nginx pkg).
> With the WAF disabled 640 connections / second (as the mail modules
> are removed as per the naxsi author's recommendation).
we have already nginx and nginx-lua. I don't think we want maintain
1000 nginx variants of all kinds of module combinations.
problem is upstream nginx that does not really support dynamically
linked plugins. I wonder if we could favor tengine which seems to be
nginx-with-plugins-done-right.
> ---
> main/nginx-naxsi/APKBUILD | 127 +++++++++++++++++++++++++++++++
new aports should always got to testing first.
I moved it there and updated the commit message
Thanks!
-nc
> main/nginx-naxsi/anonymise.patch | 76 ++++++++++++++++++
> main/nginx-naxsi/ipv6.patch | 42 ++++++++++
> main/nginx-naxsi/musl-crypt-fix.patch | 13 ++++
> main/nginx-naxsi/nginx-naxsi.pre-install | 9 +++
> main/nginx-naxsi/nginx-naxsi.pre-upgrade | 1 +
> main/nginx-naxsi/nginx.initd | 42 ++++++++++
> main/nginx-naxsi/nginx.logrotate | 12 +++
> main/nginx-naxsi/sysguard.patch | 10 +++
> 9 files changed, 332 insertions(+)
> create mode 100644 main/nginx-naxsi/APKBUILD
> create mode 100644 main/nginx-naxsi/anonymise.patch
> create mode 100644 main/nginx-naxsi/ipv6.patch
> create mode 100644 main/nginx-naxsi/musl-crypt-fix.patch
> create mode 100644 main/nginx-naxsi/nginx-naxsi.pre-install
> create mode 120000 main/nginx-naxsi/nginx-naxsi.pre-upgrade
> create mode 100644 main/nginx-naxsi/nginx.initd
> create mode 100644 main/nginx-naxsi/nginx.logrotate
> create mode 100644 main/nginx-naxsi/sysguard.patch
>
> diff --git a/main/nginx-naxsi/APKBUILD b/main/nginx-naxsi/APKBUILD
> new file mode 100644
> index 0000000..a7ec5ca
> --- /dev/null
> +++ b/main/nginx-naxsi/APKBUILD
> @@ -0,0 +1,127 @@
> +# Maintainer: Cameron Banta <cbanta@gmail.com>
> +# Contributor: Jeff Bilyk <jbilyk@gmail.com>
> +# Contributor: Bart*omiej Piotrowski <nospam@bpiotrowski.pl>
> +# Contributor: Stuart Cardall <developer@it-offshore.co.uk>
> +
> +pkgname=nginx-naxsi
> +_pkgname=nginx
> +pkgver=1.6.1
> +_ngx_naxsi_ver=0.53-2
> +_ngx_cache_purge_ver=2.1
> +pkgrel=0
> +pkgdesc="lightweight HTTP and reverse proxy server with Naxsi WAF support, see also 'naxsi-utils'"
> +url="http://www.nginx.org | https://github.com/nbs-system/naxsi"
> +arch="all"
> +license="Custom"
> +install="$pkgname.pre-install $pkgname.pre-upgrade"
> +depends="!nginx"
> +makedepends="pcre-dev openssl-dev zlib-dev paxctl"
> +source="http://nginx.org/download/$_pkgname-$pkgver.tar.gz
> + naxsi-$_ngx_naxsi_ver.tar.gz::https://github.com/nbs-system/naxsi/archive/$_ngx_naxsi_ver.tar.gz
> + ngx_cache_purge-$_ngx_cache_purge_ver.tar.gz::https://github.com/FRiCKLE/ngx_cache_purge/archive/2.1.tar.gz
> + upstream-fair.zip::https://github.com/gnosek/nginx-upstream-fair/archive/master.zip
> + sysguard.zip::https://github.com/alibaba/nginx-http-sysguard/archive/master.zip
> +
> + anonymise.patch
> + musl-crypt-fix.patch
> + ipv6.patch
> + sysguard.patch
> +
> + nginx.initd
> + nginx.logrotate
> + "
> +
> +_builddir="$srcdir"/$_pkgname-$pkgver
> +
> +prepare() {
> + local i
> + cd "$_builddir"
> + for i in $source; do
> + case $i in
> + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
> + esac
> + done
> +}
> +
> +build() {
> + cd "$_builddir"
> + ./configure \
> + --add-module="$srcdir/naxsi-$_ngx_naxsi_ver/naxsi_src" \
> + --add-module="$srcdir/nginx-http-sysguard-master" \
> + --prefix=/usr \
> + --conf-path=/etc/$_pkgname/$_pkgname.conf \
> + --pid-path=/var/run/$_pkgname.pid \
> + --lock-path=/var/run/$_pkgname.lock \
> + --error-log-path=/var/log/$_pkgname/error.log \
> + --http-log-path=/var/log/$_pkgname/access.log \
> + --http-client-body-temp-path=/tmp/$_pkgname/client-body \
> + --http-proxy-temp-path=/tmp/$_pkgname/proxy \
> + --http-fastcgi-temp-path=/tmp/$_pkgname/fastcgi \
> + --user=nginx \
> + --group=nginx \
> + --with-ipv6 \
> + --with-pcre-jit \
> + --with-http_ssl_module \
> + --with-http_gzip_static_module \
> + --with-http_spdy_module \
> + --without-mail_pop3_module \
> + --without-mail_smtp_module \
> + --without-mail_imap_module \
> + --without-http_uwsgi_module \
> + --without-http_scgi_module \
> + --with-http_realip_module \
> + --with-http_stub_status_module \
> + --with-http_auth_request_module \
> + --add-module="$srcdir/ngx_cache_purge-$_ngx_cache_purge_ver" \
> + --add-module="$srcdir/nginx-upstream-fair-master" \
> + || return 1
> + make || return 1
> +}
> +
> +package() {
> + cd "$_builddir"
> + make DESTDIR="$pkgdir" install
> +
> + local paxflags="-m"
> + [ "$CARCH" = "x86" ] && paxflags="-msp"
> + paxctl -c $paxflags "$pkgdir"/usr/sbin/nginx || return 1
> +
> + install -m755 -D "$srcdir"/$_pkgname.initd "$pkgdir"/etc/init.d/$_pkgname
> + install -m644 -D "$srcdir"/$_pkgname.logrotate "$pkgdir"/etc/logrotate.d/$_pkgname
> +
> + install -m644 -D LICENSE "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
> + install -m644 -D "$srcdir"/naxsi-$_ngx_naxsi_ver/naxsi_config/naxsi_core.rules "$pkgdir"/etc/nginx/naxsi_core.rules
> +}
> +md5sums="45e5a11f48b001644676f7767980a2bf nginx-1.6.1.tar.gz
> +348b50914a1eedaed09a2509621adf43 naxsi-0.53-2.tar.gz
> +e63c0ff65be23f877a9975a65298e8fe ngx_cache_purge-2.1.tar.gz
> +2c8537e2c6eb11baebd26d863d528d64 upstream-fair.zip
> +a72a0ec1176b47c6ceecc3b30c85d07c sysguard.zip
> +a07569b8a023f1b89dcd11e0beda4df6 anonymise.patch
> +3aeb488921109e60d02ed64d36790aeb musl-crypt-fix.patch
> +801a87f7f9d27f8ad85b41a78b4c4461 ipv6.patch
> +50357b75049d878c0bcce10d0c60f9ed sysguard.patch
> +a00403a764478f5459d850bb387ca19b nginx.initd
> +8823274a834332d3db4f62bf7dd1fb7d nginx.logrotate"
> +sha256sums="f5cfe682a1aeef4602c2ca705402d5049b748f946563f41d8256c18674836067 nginx-1.6.1.tar.gz
> +3eadff1d91995beae41b92733ade28091c2075a24ae37058f4d6aa90b0f4b660 naxsi-0.53-2.tar.gz
> +c8d67b9c0ed7ec23315071df352e95b69e9f14285cd7f8883d26a7fda237bd87 ngx_cache_purge-2.1.tar.gz
> +e7c4208f19175db896dd2aede9326960314fc131c3a8829b19d3024d475562cf upstream-fair.zip
> +800536eb9f269e1478500758e859ef7c4b4c7852580f2aeee8d7eb4c1fb51f18 sysguard.zip
> +1923ebdb4a64a22f8903c3da619677bd3aaf769c99bee1aa4262edac58f05ba3 anonymise.patch
> +8c398640bd379c1c6a2fafcd2b3848a72902e47924e8e2490b312c141eec5d70 musl-crypt-fix.patch
> +a24ef5843ae0afa538b00c37eb7da7870f9d7f146f52a9668678f7296cf71d9b ipv6.patch
> +18090329435c32d91621a5943acc5b8bbe89aaa3c2fa334c3a4cdeb00efb6226 sysguard.patch
> +67df748bd7ef4f3c3b5eef9dd7e3b352ef671dd7cfb9db56e096eed77a442d67 nginx.initd
> +cea0c6f8de55a4c3a3eccc57910de1c3116634082c8e5b660630fb927a29f38d nginx.logrotate"
> +sha512sums="07762a7b25b7624142e9d8633eb952e7627501a183c82de7f31b20336f3f997171b366124a41c0fbc8c2a73ed6c68db1a084ca89cf8c5ad4f2bc5e8e7c7be105 nginx-1.6.1.tar.gz
> +ada592f5e7f80a6d549cc435ee8720df01a788dc88cf27a7d55521bb7e4c66fa11b9ec28216aff7e13c70a5faf12cb745bd398b8a782ed4dea1eecd04b07e24c naxsi-0.53-2.tar.gz
> +9c958c9cbc16206c023f2e879bf301005117a2358104439513c1a3965894ba2c035fc68518ce7c7a4e23548477826ac0c6439bf1da4d4560c972d9a6a75f2a01 ngx_cache_purge-2.1.tar.gz
> +bbe1330e86a9650326858d893a1143df9b431873062b64a89b0befdbaca9f135e872225c7a7874231537c74da85ca8c56ac3d80739227721246c096cf4f2b7da upstream-fair.zip
> +b361a8316d6e1f419d63f229756d3af08b32e235199285a18f8478be42a57a9c0b2ff126e7018ba750c6e9d1e33bb053f83aacd96ebc5d3b876bedb973a92712 sysguard.zip
> +5899097b6b6ed04deb7ae474fb65205d9c50843f30929c1370c0c1d70df3f02fe51b8ea90d3d2c3b4c53aeb3895717729e0c9773b880ca529e89a5b07fc26a5b anonymise.patch
> +21114c775e4bdd1f7b8b9abc143284945e96ed1d8c49904ddf918abad87b16253f918ba47976cd2df32f0fdb8a7dad399d4200e879db2da6cf93a28aab236a75 musl-crypt-fix.patch
> +68d64a84568ec2df0366925ab282a05ebe21a85044b6c7844a47573cfd8cc8ed119cc772358bc3fff36e2d4fdf583a730592825f5f98632993ca86d1f8438d5f ipv6.patch
> +2dca2ac74fb92e330fde7b6b6120b2fd2565c377a629c9536cf77beebe41aa4b092d4229d5b487b0fb02be4f2cc5b897c429c87bbbbc7b0d31e1cbb94231ddce sysguard.patch
> +9c6b357c460998187d7a26c0f3c8abc69c91b523a6f340c1f6ed3c863101a39eeb61e92b4cfec6a04af2b495c354c33f232ce5e59ed29edd6855e430ca73d168 nginx.initd
> +01b77cff16f6e8bfd7fa1d4d20f625bbcddd08f0509173452d060c342c93dc315a7b0560f4734323a5d29ea294de0491f2e3f32e5337574e1a28ebc005eceea8 nginx.logrotate"
> diff --git a/main/nginx-naxsi/anonymise.patch b/main/nginx-naxsi/anonymise.patch
> new file mode 100644
> index 0000000..ebedc7f
> --- /dev/null
> +++ b/main/nginx-naxsi/anonymise.patch
> @@ -0,0 +1,76 @@
> +--- nginx-1.6.1/src/http/ngx_http_header_filter_module.c
> ++++ nginx-1.6.1/src/http/ngx_http_header_filter_module.c
> +@@ -46,8 +46,8 @@
> + };
> +
> +
> +-static char ngx_http_server_string[] = "Server: nginx" CRLF;
> +-static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
> ++static char ngx_http_server_string[] = "";
> ++static char ngx_http_server_full_string[] = "";
> +
> +
> + static ngx_str_t ngx_http_status_lines[] = {
> +@@ -278,8 +278,8 @@
> + clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
> +
> + if (r->headers_out.server == NULL) {
> +- len += clcf->server_tokens ? sizeof(ngx_http_server_full_string) - 1:
> +- sizeof(ngx_http_server_string) - 1;
> ++ len += clcf->server_tokens ? sizeof(ngx_http_server_full_string) - 0:
> ++ sizeof(ngx_http_server_string) - 0;
> + }
> +
> + if (r->headers_out.date == NULL) {
> +--- nginx-1.6.1/src/http/ngx_http_spdy_filter_module.c
> ++++ nginx-1.6.1/src/http/ngx_http_spdy_filter_module.c
> +@@ -175,11 +175,12 @@
> +
> + clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
> +
> +- if (r->headers_out.server == NULL) {
> ++/* if (r->headers_out.server == NULL) {
> + len += ngx_http_spdy_nv_nsize("server");
> + len += clcf->server_tokens ? ngx_http_spdy_nv_vsize(NGINX_VER)
> + : ngx_http_spdy_nv_vsize("nginx");
> + }
> ++*/
> +
> + if (r->headers_out.date == NULL) {
> + len += ngx_http_spdy_nv_nsize("date")
> +@@ -326,7 +327,7 @@
> +
> + count = 2;
> +
> +- if (r->headers_out.server == NULL) {
> ++ /* if (r->headers_out.server == NULL) {
> + last = ngx_http_spdy_nv_write_name(last, "server");
> + last = clcf->server_tokens
> + ? ngx_http_spdy_nv_write_val(last, NGINX_VER)
> +@@ -334,6 +335,7 @@
> +
> + count++;
> + }
> ++*/
> +
> + if (r->headers_out.date == NULL) {
> + last = ngx_http_spdy_nv_write_name(last, "date");
> +--- nginx-1.6.1/src/http/ngx_http_special_response.c
> ++++ nginx-1.6.1/src/http/ngx_http_special_response.c
> +@@ -19,14 +19,14 @@
> +
> +
> + static u_char ngx_http_error_full_tail[] =
> +-"<hr><center>" NGINX_VER "</center>" CRLF
> ++"<hr><center>127.0.0.1</center>" CRLF
> + "</body>" CRLF
> + "</html>" CRLF
> + ;
> +
> +
> + static u_char ngx_http_error_tail[] =
> +-"<hr><center>nginx</center>" CRLF
> ++"<hr><center>localhost</center>" CRLF
> + "</body>" CRLF
> + "</html>" CRLF
> + ;
> diff --git a/main/nginx-naxsi/ipv6.patch b/main/nginx-naxsi/ipv6.patch
> new file mode 100644
> index 0000000..9b05f8f
> --- /dev/null
> +++ b/main/nginx-naxsi/ipv6.patch
> @@ -0,0 +1,42 @@
> +--- a/src/http/ngx_http_core_module.c
> ++++ b/src/http/ngx_http_core_module.c
> +@@ -2442,7 +2442,11 @@
> + ngx_uint_t i;
> + ngx_conf_t pcf;
> + ngx_http_module_t *module;
> ++#if (NGX_HAVE_INET6)
> ++ struct sockaddr_in6 *sin6;
> ++#else
> + struct sockaddr_in *sin;
> ++#endif
> + ngx_http_conf_ctx_t *ctx, *http_ctx;
> + ngx_http_listen_opt_t lsopt;
> + ngx_http_core_srv_conf_t *cscf, **cscfp;
> +@@ -2526,6 +2530,19 @@
> + if (rv == NGX_CONF_OK && !cscf->listen) {
> + ngx_memzero(&lsopt, sizeof(ngx_http_listen_opt_t));
> +
> ++#if (NGX_HAVE_INET6)
> ++ sin6 = &lsopt.u.sockaddr_in6;
> ++
> ++ sin6->sin6_family = AF_INET6;
> ++#if (NGX_WIN32)
> ++ sin6->sin6_port = htons(80);
> ++#else
> ++ sin6->sin6_port = htons((getuid() == 0) ? 80 : 8000);
> ++#endif
> ++ sin6->sin6_addr = in6addr_any;
> ++
> ++ lsopt.socklen = sizeof(struct sockaddr_in6);
> ++#else
> + sin = &lsopt.u.sockaddr_in;
> +
> + sin->sin_family = AF_INET;
> +@@ -2537,6 +2554,7 @@
> + sin->sin_addr.s_addr = INADDR_ANY;
> +
> + lsopt.socklen = sizeof(struct sockaddr_in);
> ++#endif
> +
> + lsopt.backlog = NGX_LISTEN_BACKLOG;
> + lsopt.rcvbuf = -1;
> diff --git a/main/nginx-naxsi/musl-crypt-fix.patch b/main/nginx-naxsi/musl-crypt-fix.patch
> new file mode 100644
> index 0000000..2f11fe2
> --- /dev/null
> +++ b/main/nginx-naxsi/musl-crypt-fix.patch
> @@ -0,0 +1,13 @@
> +--- nginx-1.4.4/src/os/unix/ngx_user.c.orig
> ++++ nginx-1.4.4/src/os/unix/ngx_user.c
> +@@ -31,8 +31,10 @@
> + struct crypt_data cd;
> +
> + cd.initialized = 0;
> ++#ifdef __GLIBC__
> + /* work around the glibc bug */
> + cd.current_salt[0] = ~salt[0];
> ++#endif
> +
> + value = crypt_r((char *) key, (char *) salt, &cd);
> +
> diff --git a/main/nginx-naxsi/nginx-naxsi.pre-install b/main/nginx-naxsi/nginx-naxsi.pre-install
> new file mode 100644
> index 0000000..55b5bfc
> --- /dev/null
> +++ b/main/nginx-naxsi/nginx-naxsi.pre-install
> @@ -0,0 +1,9 @@
> +#!/bin/sh
> +
> +addgroup -g 82 -S www-data 2>/dev/null
> +addgroup -S nginx 2>/dev/null
> +adduser -S -G nginx -H -h /var/www/localhost/htdocs -s /sbin/nologin \
> + -D nginx 2>/dev/null
> +addgroup nginx www-data 2>/dev/null
> +
> +exit 0
> diff --git a/main/nginx-naxsi/nginx-naxsi.pre-upgrade b/main/nginx-naxsi/nginx-naxsi.pre-upgrade
> new file mode 120000
> index 0000000..364e0b9
> --- /dev/null
> +++ b/main/nginx-naxsi/nginx-naxsi.pre-upgrade
> @@ -0,0 +1 @@
> +nginx-naxsi.pre-install
> \ No newline at end of file
> diff --git a/main/nginx-naxsi/nginx.initd b/main/nginx-naxsi/nginx.initd
> new file mode 100644
> index 0000000..ce2b7b8
> --- /dev/null
> +++ b/main/nginx-naxsi/nginx.initd
> @@ -0,0 +1,42 @@
> +#!/sbin/runscript
> +
> +extra_started_commands="reload"
> +extra_commands="configtest"
> +
> +depend() {
> + need net
> + use dns logger netmount
> +}
> +
> +CONFFILE=${CONFFILE:-/etc/nginx/${SVCNAME}.conf}
> +PIDFILE=${PIDFILE:-/var/run/${SVCNAME}.pid}
> +
> +configtest() {
> + ebegin "Checking ${SVCNAME} configuration"
> + mkdir -p /tmp/nginx
> + /usr/sbin/nginx -c ${CONFFILE} -t
> + eend $? "failed, please correct errors above"
> +}
> +
> +start() {
> + configtest || return 1
> + ebegin "Starting ${SVCNAME}"
> + start-stop-daemon --start --pidfile "${PIDFILE}" \
> + --exec /usr/sbin/nginx -- -c ${CONFFILE} -g "pid ${PIDFILE};"
> + eend $? "Failed to start ${SVCNAME}"
> +}
> +
> +stop() {
> + configtest || return 1
> + ebegin "Stopping ${SVCNAME}"
> + start-stop-daemon --stop --pidfile "${PIDFILE}"
> + eend $? "Failed to stop ${SVCNAME}"
> + rm -f "${PIDFILE}"
> +}
> +
> +reload() {
> + configtest || return 1
> + ebegin "Refreshing ${SVCNAME} configuration"
> + kill -HUP $(cat "${PIDFILE}") &>/dev/null
> + eend $? "Failed to reload nginx"
> +}
> diff --git a/main/nginx-naxsi/nginx.logrotate b/main/nginx-naxsi/nginx.logrotate
> new file mode 100644
> index 0000000..7778b11
> --- /dev/null
> +++ b/main/nginx-naxsi/nginx.logrotate
> @@ -0,0 +1,12 @@
> +# Copyright 1999-2010 Gentoo Foundation
> +# Distributed under the terms of the GNU General Public License v2
> +# $Header: /var/cvsroot/gentoo-x86/www-servers/nginx/files/nginx.logrotate,v 1.1 2010/01/03 20:29:40 djc Exp $
> +
> +/var/log/nginx/*.log {
> + missingok
> + sharedscripts
> + postrotate
> + kill -USR1 `cat /var/run/nginx.pid`
> + endscript
> +}
> +
> diff --git a/main/nginx-naxsi/sysguard.patch b/main/nginx-naxsi/sysguard.patch
> new file mode 100644
> index 0000000..be8b0d2
> --- /dev/null
> +++ b/main/nginx-naxsi/sysguard.patch
> @@ -0,0 +1,10 @@
> +--- a/src/http/ngx_http_request.h
> ++++ b/src/http/ngx_http_request.h
> +@@ -498,6 +498,7 @@
> + */
> + unsigned limit_conn_set:1;
> + unsigned limit_req_set:1;
> ++ unsigned sysguard_set:1;
> +
> + #if 0
> + unsigned cacheable:1;
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---