DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Images: Remove NGINX v1.21. (#12031)

Browse source
This commit is contained in:
Marco Ebert 2024-10-01 10:33:49 +02:00 committed by GitHub
parent f3bfa56c61
commit e33ca05c7b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
65 changed files with 244 additions and 2535 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
.github/workflows/ci.yaml vendored
View file

@ -9,7 +9,7 @@ on:
- 'deploy/**'
- '**.md'
- 'images/**' # Images changes should be tested on their own workflow
- '!images/nginx-1.25/**'
- '!images/nginx/**'
push:
branches:
@ -68,7 +68,7 @@ jobs:
- 'NGINX_BASE'
baseimage:
- 'NGINX_BASE'
- 'images/nginx-1.25/**'
- 'images/nginx/**'
docs:
- '**/*.md'
lua:
@ -180,8 +180,8 @@ jobs:
if: |
needs.changes.outputs.baseimage == 'true'
run: |
export TAG=$(cat images/nginx-1.25/TAG)
cd images/nginx-1.25/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --load -t registry.k8s.io/ingress-nginx/nginx-1.25:${TAG} .
export TAG=$(cat images/nginx/TAG)
cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --load -t registry.k8s.io/ingress-nginx/nginx:${TAG} .
- name: Build images
env:
@ -190,8 +190,8 @@ jobs:
REGISTRY: ingress-controller
run: |
echo "building images..."
export TAGNGINX=$(cat images/nginx-1.25/TAG)
make BASE_IMAGE=registry.k8s.io/ingress-nginx/nginx-1.25:${TAGNGINX} clean-image build image image-chroot
export TAGNGINX=$(cat images/nginx/TAG)
make BASE_IMAGE=registry.k8s.io/ingress-nginx/nginx:${TAGNGINX} clean-image build image image-chroot
make -C test/e2e-image image
echo "creating images cache..."

11
.github/workflows/images.yaml vendored
View file

@ -36,7 +36,6 @@ jobs:
kube-webhook-certgen: ${{ steps.filter.outputs.kube-webhook-certgen }}
ext-auth-example-authsvc: ${{ steps.filter.outputs.ext-auth-example-authsvc }}
nginx: ${{ steps.filter.outputs.nginx }}
nginx125: ${{ steps.filter.outputs.nginx125 }}
steps:
- name: Checkout
@ -64,8 +63,6 @@ jobs:
- 'images/ext-auth-example-authsvc/**'
nginx:
- 'images/nginx/**'
nginx125:
- 'images/nginx-1.25/TAG'
#### TODO: Make the below jobs 'less dumb' and use the job name as parameter (the github.job context does not work here)
cfssl:
@ -163,14 +160,14 @@ jobs:
run: |
cd images/ && make NAME=kube-webhook-certgen test test-e2e
nginx125:
nginx:
permissions:
contents: write
packages: write
runs-on: ubuntu-latest
needs: changes
if: |
(github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.nginx125 == 'true')
(github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.nginx == 'true')
env:
PLATFORMS: linux/amd64,linux/arm,linux/arm64,linux/s390x
steps:
@ -191,5 +188,5 @@ jobs:
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: build-image
run: |
export TAG=$(cat images/nginx-1.25/TAG)
cd images/nginx-1.25/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --push -t ingressnginx/nginx-1.25:${TAG} .
export TAG=$(cat images/nginx/TAG)
cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --push -t ingressnginx/nginx:${TAG} .

59
images/nginx-1.25/Makefile
View file

@ -1,59 +0,0 @@
# Copyright 2024 The Kubernetes Authors. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
.DEFAULT_GOAL:=build
# set default shell
SHELL=/bin/bash -o pipefail -o errexit
DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))))
INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh
# 0.0.0 shouldn't clobber any released builds
SHORT_SHA ?=$(shell git rev-parse --short HEAD)
TAG ?=$(shell cat TAG)
REGISTRY ?= gcr.io/k8s-staging-ingress-nginx
IMAGE = $(REGISTRY)/nginx-1.25
# required to enable buildx
export DOCKER_CLI_EXPERIMENTAL=enabled
# build with buildx
PLATFORMS?=linux/amd64,linux/arm,linux/arm64,linux/s390x
OUTPUT=
PROGRESS=plain
build: ensure-buildx
docker buildx build \
--platform=${PLATFORMS} $(OUTPUT) \
--progress=$(PROGRESS) \
--pull \
--tag $(IMAGE):$(TAG) rootfs
# push the cross built image
push: OUTPUT=--push
push: build
# enable buildx
ensure-buildx:
# this is required for cloudbuild
ifeq ("$(wildcard $(INIT_BUILDX))","")
@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash
else
@exec $(INIT_BUILDX)
endif
@echo "done"
.PHONY: build push ensure-buildx

47
images/nginx-1.25/README.md
View file

@ -1,47 +0,0 @@
NGINX 1.25 base image
### HTTP/3 Support
**HTTP/3 support is experimental and under development**
[HTTP/3](https://datatracker.ietf.org/doc/html/rfc9114)\
[QUIC](https://datatracker.ietf.org/doc/html/rfc9000)
[According to the documentation, NGINX 1.25.0 or higher supports HTTP/3:](https://nginx.org/en/docs/quic.html)
> Support for QUIC and HTTP/3 protocols is available since 1.25.0.
But this requires adding a new flag during the build:
> When configuring nginx, it is possible to enable QUIC and HTTP/3 using the --with-http_v3_module configuration parameter.
[We have added this flag](https://github.com/kubernetes/ingress-nginx/pull/11470), but it is not enough to use HTTP/3 in ingress-nginx, this is the first step.
The next steps will be:
1. **Waiting for OpenSSL 3.4.**\
The main problem is, that we still use OpenSSL (3.x) and it does not support the important mechanism of TLS 1.3 - [early_data](https://datatracker.ietf.org/doc/html/rfc8446#section-2.3):
> Otherwise, the OpenSSL compatibility layer will be used that does not support early data.
[And although another part of the documentation says that the directive is supported with OpenSSL:](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data)
> The directive is supported when using OpenSSL 1.1.1 or higher.
But this is incomplete support, because OpenSSL does not support this feature, and [it has only client side support:](https://github.com/openssl/openssl)
> ... the QUIC (currently client side only) version 1 protocol
[And also there are some issues even with client side](https://github.com/openssl/openssl/discussions/23339)
Due to this, we currently have incomplete HTTP/3 support, without important security and performance features.\
But the good news is that [OpenSSL plans to add server-side support in 3.4](https://github.com/openssl/web/blob/master/roadmap.md):
> Server-side QUIC support
[Overview of SSL libraries(HAProxy Documentation)](https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status#tldr)
2. **Adding [parameters](https://nginx.org/en/docs/http/ngx_http_v3_module.html) to the configmap to configure HTTP/3 and quic(enableHTTP3, enableHTTP/0.9, maxCurrentStream, and so on).**
3. **Adding options to the nginx config template(`listen 443 quic` to server blocks and `add_header Alt-Svc 'h3=":8443"; ma=86400';` to location blocks).**
4. **Opening the https port for UDP in the container(because QUIC uses UDP).**
5. **Adding tests.**

1
images/nginx-1.25/TAG
View file

@ -1 +0,0 @@
v0.0.12

14
images/nginx-1.25/cloudbuild.yaml
View file

@ -1,14 +0,0 @@
options:
# Increase machine type for multi-arch builds.
machineType: E2_HIGHCPU_32
# Ignore Prow provided substitutions.
substitution_option: ALLOW_LOOSE
steps:
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20240523-a15ad90fc9
env:
- REGISTRY=gcr.io/k8s-staging-ingress-nginx
entrypoint: bash
args:
- -c
- gcloud auth configure-docker && cd images/nginx-1.25 && make push
timeout: 7200s

74
images/nginx-1.25/rootfs/Dockerfile
View file

@ -1,74 +0,0 @@
# Copyright 2024 The Kubernetes Authors. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
FROM alpine:3.20 as builder
COPY . /
RUN apk update \
&& apk upgrade \
&& apk add -U bash --no-cache \
&& /build.sh
# Use a multi-stage build
FROM alpine:3.20
ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin
ENV LUA_PATH="/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;;"
ENV LUA_CPATH="/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;"
COPY --from=builder /usr/local /usr/local
COPY --from=builder /usr/lib/libopentelemetry* /usr/local/lib
COPY --from=builder /opt /opt
COPY --from=builder /etc/nginx /etc/nginx
RUN apk update \
&& apk upgrade \
&& apk add -U --no-cache \
bash \
openssl \
pcre \
zlib \
ca-certificates \
patch \
yajl \
lmdb \
libxml2 \
libmaxminddb \
yaml-cpp \
dumb-init \
tzdata \
grpc-cpp \
libprotobuf \
&& ln -s /usr/local/nginx/sbin/nginx /sbin/nginx \
&& adduser -S -D -H -u 101 -h /usr/local/nginx \
-s /sbin/nologin -G www-data -g www-data www-data \
&& bash -eu -c ' \
writeDirs=( \
/var/log/nginx \
/var/lib/nginx/body \
/var/lib/nginx/fastcgi \
/var/lib/nginx/proxy \
/var/lib/nginx/scgi \
/var/lib/nginx/uwsgi \
/var/log/audit \
); \
for dir in "${writeDirs[@]}"; do \
mkdir -p ${dir}; \
chown -R www-data.www-data ${dir}; \
done'
EXPOSE 80 443
CMD ["nginx", "-g", "daemon off;"]

619
images/nginx-1.25/rootfs/build.sh
View file

@ -1,619 +0,0 @@
#!/bin/bash
# Copyright 2023 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -o errexit
set -o nounset
set -o pipefail
export NGINX_VERSION=1.25.5
# Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.3...master
export NDK_VERSION=v0.3.3
# Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.33...master
export SETMISC_VERSION=796f5a3e518748eb29a93bd450324e0ad45b704e
# Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.37...master
export MORE_HEADERS_VERSION=v0.37
# Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...atomx:master
export NGINX_DIGEST_AUTH=v1.0.0
# Check for recent changes: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/compare/v0.6.4...master
export NGINX_SUBSTITUTIONS=e12e965ac1837ca709709f9a26f572a54d83430e
# Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master
export MODSECURITY_VERSION=v1.0.3
# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.8...v3/master
export MODSECURITY_LIB_VERSION=v3.0.12
# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.5...v4.0/main
export OWASP_MODSECURITY_CRS_VERSION=v4.4.0
# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.26``...master
export LUA_NGX_VERSION=v0.10.26
# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/bea8a0c0de94cede71554f53818ac0267d675d63...master
export LUA_STREAM_NGX_VERSION=bea8a0c0de94cede71554f53818ac0267d675d63
# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/8aa93ead98ba2060d4efd594ae33a35d153589bf...master
export LUA_UPSTREAM_VERSION=542be0893543a4e42d89f6dd85372972f5ff2a36
# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.13...openresty:master
export LUA_CJSON_VERSION=2.1.0.13
# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/a607a41a8115fecfc05b5c283c81532a3d605425...master
export GEOIP2_VERSION=a607a41a8115fecfc05b5c283c81532a3d605425
# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20240314...v2.1-agentzh
export LUAJIT_VERSION=v2.1-20240314
# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/1cd4363c0a239afe4765ec607dcfbbb4e5900eea...master
export LUA_RESTY_BALANCER=1cd4363c0a239afe4765ec607dcfbbb4e5900eea
# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/99e7578465b40f36f596d099b82eab404f2b42ed...master
export LUA_RESTY_CACHE=99e7578465b40f36f596d099b82eab404f2b42ed
# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.27...master
export LUA_RESTY_CORE=v0.1.28
# Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/f418d77082eaef48331302e84330488fdc810ef4...master
export LUA_RESTY_COOKIE_VERSION=f418d77082eaef48331302e84330488fdc810ef4
# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/8bb53516e2933e61c317db740a9b7c2048847c2f...master
export LUA_RESTY_DNS=8bb53516e2933e61c317db740a9b7c2048847c2f
# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.17.1...master
export LUA_RESTY_HTTP=v0.17.1
# Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.09...master
export LUA_RESTY_LOCK=405d0bf4cbfa74d742c6ed3158d442221e6212a9
# Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.11...master
export LUA_RESTY_UPLOAD_VERSION=979372cce011f3176af3c9aff53fd0e992c4bfd3
# Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.15...master
export LUA_RESTY_STRING_VERSION=6f1bc21d86daef804df3cc34d6427ef68da26844
# Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.17...master
export LUA_RESTY_MEMCACHED_VERSION=2f02b68bf65fa2332cce070674a93a69a6c7239b
# Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.30...master
export LUA_RESTY_REDIS_VERSION=8641b9f1b6f75cca50c90cf8ca5c502ad8950aa8
# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/v0.6.1...master
export LUA_RESTY_IPMATCHER_VERSION=3e93c53eb8c9884efe939ef070486a0e507cc5be
# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.1.7...master
export MIMALOC_VERSION=v2.1.7
# Check on https://github.com/open-telemetry/opentelemetry-cpp
export OPENTELEMETRY_CPP_VERSION="v1.11.0"
# Check on https://github.com/open-telemetry/opentelemetry-proto
export OPENTELEMETRY_PROTO_VERSION="v1.1.0"
export BUILD_PATH=/tmp/build
ARCH=$(uname -m)
get_src()
{
hash="$1"
url="$2"
dest="${3-}"
ARGS=""
f=$(basename "$url")
echo "Downloading $url"
curl -sSL "$url" -o "$f"
# TODO: Reenable checksum verification but make it smarter
# echo "$hash $f" | sha256sum -c - || exit 10
if [ ! -z "$dest" ]; then
mkdir ${BUILD_PATH}/${dest}
ARGS="-C ${BUILD_PATH}/${dest} --strip-components=1"
fi
tar xvzf "$f" $ARGS
rm -rf "$f"
}
# install required packages to build
# Dependencies from "ninja" and below are OTEL dependencies
apk add \
bash \
gcc \
clang \
libc-dev \
make \
automake \
openssl-dev \
pcre-dev \
zlib-dev \
linux-headers \
libxslt-dev \
gd-dev \
perl-dev \
libedit-dev \
mercurial \
alpine-sdk \
findutils \
curl \
ca-certificates \
patch \
libaio-dev \
openssl \
cmake \
util-linux \
lmdb-tools \
wget \
curl-dev \
libprotobuf \
git g++ pkgconf flex bison doxygen yajl-dev lmdb-dev libtool autoconf libxml2 libxml2-dev \
python3 \
libmaxminddb-dev \
bc \
unzip \
dos2unix \
yaml-cpp \
coreutils \
ninja \
gtest-dev \
git \
build-base \
pkgconfig \
c-ares-dev \
re2-dev \
grpc-dev \
protobuf-dev
# apk add -X http://dl-cdn.alpinelinux.org/alpine/edge/testing opentelemetry-cpp-dev
# There is some bug with some platforms and git, so force HTTP/1.1
git config --global http.version HTTP/1.1
git config --global http.postBuffer 157286400
mkdir -p /etc/nginx
mkdir --verbose -p "$BUILD_PATH"
cd "$BUILD_PATH"
# download, verify and extract the source files
get_src 66dc7081488811e9f925719e34d1b4504c2801c81dee2920e5452a86b11405ae \
"https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz"
get_src aa961eafb8317e0eb8da37eb6e2c9ff42267edd18b56947384e719b85188f58b \
"https://github.com/vision5/ngx_devel_kit/archive/$NDK_VERSION.tar.gz" "ngx_devel_kit"
get_src abc123 \
"https://github.com/open-telemetry/opentelemetry-cpp/archive/$OPENTELEMETRY_CPP_VERSION.tar.gz" "opentelemetry-cpp"
get_src abc123 \
"https://github.com/open-telemetry/opentelemetry-proto/archive/$OPENTELEMETRY_PROTO_VERSION.tar.gz" "opentelemetry-proto"
get_src cd5e2cc834bcfa30149e7511f2b5a2183baf0b70dc091af717a89a64e44a2985 \
"https://github.com/openresty/set-misc-nginx-module/archive/$SETMISC_VERSION.tar.gz" "set-misc-nginx-module"
get_src 0c0d2ced2ce895b3f45eb2b230cd90508ab2a773299f153de14a43e44c1209b3 \
"https://github.com/openresty/headers-more-nginx-module/archive/$MORE_HEADERS_VERSION.tar.gz" "headers-more-nginx-module"
get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \
"https://github.com/atomx/nginx-http-auth-digest/archive/$NGINX_DIGEST_AUTH.tar.gz" "nginx-http-auth-digest"
get_src a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f \
"https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz" "ngx_http_substitutions_filter_module"
get_src 32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b \
"https://github.com/SpiderLabs/ModSecurity-nginx/archive/$MODSECURITY_VERSION.tar.gz" "ModSecurity-nginx"
get_src bc764db42830aeaf74755754b900253c233ad57498debe7a441cee2c6f4b07c2 \
"https://github.com/openresty/lua-nginx-module/archive/$LUA_NGX_VERSION.tar.gz" "lua-nginx-module"
get_src 01b715754a8248cc7228e0c8f97f7488ae429d90208de0481394e35d24cef32f \
"https://github.com/openresty/stream-lua-nginx-module/archive/$LUA_STREAM_NGX_VERSION.tar.gz" "stream-lua-nginx-module"
get_src a92c9ee6682567605ece55d4eed5d1d54446ba6fba748cff0a2482aea5713d5f \
"https://github.com/openresty/lua-upstream-nginx-module/archive/$LUA_UPSTREAM_VERSION.tar.gz" "lua-upstream-nginx-module"
get_src 77bbcbb24c3c78f51560017288f3118d995fe71240aa379f5818ff6b166712ff \
"https://github.com/openresty/luajit2/archive/$LUAJIT_VERSION.tar.gz" "luajit2"
get_src b6c9c09fd43eb34a71e706ad780b2ead26549a9a9f59280fe558f5b7b980b7c6 \
"https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz" "ngx_http_geoip2_module"
get_src deb4ab1ffb9f3d962c4b4a2c4bdff692b86a209e3835ae71ebdf3b97189e40a9 \
"https://github.com/openresty/lua-resty-upload/archive/$LUA_RESTY_UPLOAD_VERSION.tar.gz" "lua-resty-upload"
get_src bdbf271003d95aa91cab0a92f24dca129e99b33f79c13ebfcdbbcbb558129491 \
"https://github.com/openresty/lua-resty-string/archive/$LUA_RESTY_STRING_VERSION.tar.gz" "lua-resty-string"
get_src 16d72ed133f0c6df376a327386c3ef4e9406cf51003a700737c3805770ade7c5 \
"https://github.com/openresty/lua-resty-balancer/archive/$LUA_RESTY_BALANCER.tar.gz" "lua-resty-balancer"
get_src 39baab9e2b31cc48cecf896cea40ef6e80559054fd8a6e440cc804a858ea84d4 \
"https://github.com/openresty/lua-resty-core/archive/$LUA_RESTY_CORE.tar.gz" "lua-resty-core"
get_src a77b9de160d81712f2f442e1de8b78a5a7ef0d08f13430ff619f79235db974d4 \
"https://github.com/openresty/lua-cjson/archive/$LUA_CJSON_VERSION.tar.gz" "lua-cjson"
get_src 5ed48c36231e2622b001308622d46a0077525ac2f751e8cc0c9905914254baa4 \
"https://github.com/cloudflare/lua-resty-cookie/archive/$LUA_RESTY_COOKIE_VERSION.tar.gz" "lua-resty-cookie"
get_src 573184006b98ccee2594b0d134fa4d05e5d2afd5141cbad315051ccf7e9b6403 \
"https://github.com/openresty/lua-resty-lrucache/archive/$LUA_RESTY_CACHE.tar.gz" "lua-resty-lrucache"
get_src b4ddcd47db347e9adf5c1e1491a6279a6ae2a3aff3155ef77ea0a65c998a69c1 \
"https://github.com/openresty/lua-resty-lock/archive/$LUA_RESTY_LOCK.tar.gz" "lua-resty-lock"
get_src 70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0 \
"https://github.com/openresty/lua-resty-dns/archive/$LUA_RESTY_DNS.tar.gz" "lua-resty-dns"
get_src 9fcb6db95bc37b6fce77d3b3dc740d593f9d90dce0369b405eb04844d56ac43f \
"https://github.com/ledgetech/lua-resty-http/archive/$LUA_RESTY_HTTP.tar.gz" "lua-resty-http"
get_src 02733575c4aed15f6cab662378e4b071c0a4a4d07940c4ef19a7319e9be943d4 \
"https://github.com/openresty/lua-resty-memcached/archive/$LUA_RESTY_MEMCACHED_VERSION.tar.gz" "lua-resty-memcached"
get_src c15aed1a01c88a3a6387d9af67a957dff670357f5fdb4ee182beb44635eef3f1 \
"https://github.com/openresty/lua-resty-redis/archive/$LUA_RESTY_REDIS_VERSION.tar.gz" "lua-resty-redis"
get_src efb767487ea3f6031577b9b224467ddbda2ad51a41c5867a47582d4ad85d609e \
"https://github.com/api7/lua-resty-ipmatcher/archive/$LUA_RESTY_IPMATCHER_VERSION.tar.gz" "lua-resty-ipmatcher"
get_src d74f86ada2329016068bc5a243268f1f555edd620b6a7d6ce89295e7d6cf18da \
"https://github.com/microsoft/mimalloc/archive/${MIMALOC_VERSION}.tar.gz" "mimalloc"
# improve compilation times
CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1))
export MAKEFLAGS=-j${CORES}
export CTEST_BUILD_FLAGS=${MAKEFLAGS}
# Install luajit from openresty fork
export LUAJIT_LIB=/usr/local/lib
export LUA_LIB_DIR="$LUAJIT_LIB/lua"
export LUAJIT_INC=/usr/local/include/luajit-2.1
cd "$BUILD_PATH/luajit2"
make CCDEBUG=-g
make install
ln -s /usr/local/bin/luajit /usr/local/bin/lua
ln -s "$LUAJIT_INC" /usr/local/include/lua
cd "$BUILD_PATH/opentelemetry-cpp"
export CXXFLAGS="-DBENCHMARK_HAS_NO_INLINE_ASSEMBLY"
cmake -B build -G Ninja -Wno-dev \
-DOTELCPP_PROTO_PATH="${BUILD_PATH}/opentelemetry-proto/" \
-DCMAKE_INSTALL_PREFIX=/usr \
-DBUILD_SHARED_LIBS=ON \
-DBUILD_TESTING="OFF" \
-DBUILD_W3CTRACECONTEXT_TEST="OFF" \
-DCMAKE_BUILD_TYPE=None \
-DWITH_ABSEIL=ON \
-DWITH_STL=ON \
-DWITH_EXAMPLES=OFF \
-DWITH_ZPAGES=OFF \
-DWITH_OTLP_GRPC=ON \
-DWITH_OTLP_HTTP=ON \
-DWITH_ZIPKIN=ON \
-DWITH_PROMETHEUS=OFF \
-DWITH_ASYNC_EXPORT_PREVIEW=OFF \
-DWITH_METRICS_EXEMPLAR_PREVIEW=OFF
cmake --build build
cmake --install build
# Git tuning
git config --global --add core.compression -1
# Get Brotli source and deps
cd "$BUILD_PATH"
git clone --depth=100 https://github.com/google/ngx_brotli.git
cd ngx_brotli
# https://github.com/google/ngx_brotli/issues/156
git reset --hard 63ca02abdcf79c9e788d2eedcc388d2335902e52
git submodule init
git submodule update
cd "$BUILD_PATH"
git clone --depth=1 https://github.com/ssdeep-project/ssdeep
cd ssdeep/
./bootstrap
./configure
make
make install
# build modsecurity library
cd "$BUILD_PATH"
git clone -n https://github.com/SpiderLabs/ModSecurity
cd ModSecurity/
git checkout $MODSECURITY_LIB_VERSION
git submodule init
git submodule update
sh build.sh
# https://github.com/SpiderLabs/ModSecurity/issues/1909#issuecomment-465926762
sed -i '115i LUA_CFLAGS="${LUA_CFLAGS} -DWITH_LUA_JIT_2_1"' build/lua.m4
sed -i '117i AC_SUBST(LUA_CFLAGS)' build/lua.m4
./configure \
--disable-doxygen-doc \
--disable-doxygen-html \
--disable-examples
make
make install
mkdir -p /etc/nginx/modsecurity
cp modsecurity.conf-recommended /etc/nginx/modsecurity/modsecurity.conf
cp unicode.mapping /etc/nginx/modsecurity/unicode.mapping
# Replace serial logging with concurrent
sed -i 's|SecAuditLogType Serial|SecAuditLogType Concurrent|g' /etc/nginx/modsecurity/modsecurity.conf
# Concurrent logging implies the log is stored in several files
echo "SecAuditLogStorageDir /var/log/audit/" >> /etc/nginx/modsecurity/modsecurity.conf
# Download owasp modsecurity crs
cd /etc/nginx/
git clone -b $OWASP_MODSECURITY_CRS_VERSION https://github.com/coreruleset/coreruleset
mv coreruleset owasp-modsecurity-crs
cd owasp-modsecurity-crs
mv crs-setup.conf.example crs-setup.conf
mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
cd ..
# OWASP CRS v4 rules
echo "
Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-955-WEB-SHELLS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
" > /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
# build nginx
cd "$BUILD_PATH/nginx-$NGINX_VERSION"
# apply nginx patches
for PATCH in `ls /patches`;do
echo "Patch: $PATCH"
if [[ "$PATCH" == *.txt ]]; then
patch -p0 < /patches/$PATCH
else
patch -p1 < /patches/$PATCH
fi
done
WITH_FLAGS="--with-debug \
--with-compat \
--with-pcre-jit \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_realip_module \
--with-http_auth_request_module \
--with-http_addition_module \
--with-http_gzip_static_module \
--with-http_sub_module \
--with-http_v2_module \
--with-http_v3_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_ssl_preread_module \
--with-threads \
--with-http_secure_link_module \
--with-http_gunzip_module"
# "Combining -flto with -g is currently experimental and expected to produce unexpected results."
# https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html
CC_OPT="-g -O2 -fPIE -fstack-protector-strong \
-Wformat \
-Werror=format-security \
-Wno-deprecated-declarations \
-fno-strict-aliasing \
-D_FORTIFY_SOURCE=2 \
--param=ssp-buffer-size=4 \
-DTCP_FASTOPEN=23 \
-fPIC \
-Wno-cast-function-type"
LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now"
if [[ ${ARCH} != "aarch64" ]]; then
WITH_FLAGS+=" --with-file-aio"
fi
if [[ ${ARCH} == "x86_64" ]]; then
CC_OPT+=' -m64 -mtune=generic'
fi
WITH_MODULES=" \
--add-module=$BUILD_PATH/ngx_devel_kit \
--add-module=$BUILD_PATH/set-misc-nginx-module \
--add-module=$BUILD_PATH/headers-more-nginx-module \
--add-module=$BUILD_PATH/ngx_http_substitutions_filter_module \
--add-module=$BUILD_PATH/lua-nginx-module \
--add-module=$BUILD_PATH/stream-lua-nginx-module \
--add-module=$BUILD_PATH/lua-upstream-nginx-module \
--add-dynamic-module=$BUILD_PATH/nginx-http-auth-digest \
--add-dynamic-module=$BUILD_PATH/ModSecurity-nginx \
--add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module \
--add-dynamic-module=$BUILD_PATH/ngx_brotli"
./configure \
--prefix=/usr/local/nginx \
--conf-path=/etc/nginx/nginx.conf \
--modules-path=/etc/nginx/modules \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--lock-path=/var/lock/nginx.lock \
--pid-path=/run/nginx.pid \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
${WITH_FLAGS} \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
--without-http_uwsgi_module \
--without-http_scgi_module \
--with-cc-opt="${CC_OPT}" \
--with-ld-opt="${LD_OPT}" \
--user=www-data \
--group=www-data \
${WITH_MODULES}
make
make modules
make install
export OPENTELEMETRY_CONTRIB_COMMIT=e11348bb400d5472bf1da5d6128bead66fa111ff
cd "$BUILD_PATH"
git clone https://github.com/open-telemetry/opentelemetry-cpp-contrib.git opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT}
cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT}
git reset --hard ${OPENTELEMETRY_CONTRIB_COMMIT}
export OTEL_TEMP_INSTALL=/tmp/otel
mkdir -p ${OTEL_TEMP_INSTALL}
cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT}/instrumentation/nginx
mkdir -p build
cd build
cmake -DCMAKE_BUILD_TYPE=Release \
-G Ninja \
-DCMAKE_CXX_STANDARD=17 \
-DCMAKE_INSTALL_PREFIX=${OTEL_TEMP_INSTALL} \
-DBUILD_SHARED_LIBS=ON \
-DNGINX_VERSION=${NGINX_VERSION} \
..
cmake --build . -j ${CORES} --target install
mkdir -p /etc/nginx/modules
cp ${OTEL_TEMP_INSTALL}/otel_ngx_module.so /etc/nginx/modules/otel_ngx_module.so
cd "$BUILD_PATH/lua-resty-core"
make install
cd "$BUILD_PATH/lua-resty-balancer"
make all
make install
export LUA_INCLUDE_DIR=/usr/local/include/luajit-2.1
ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1
cd "$BUILD_PATH/lua-cjson"
make all
make install
cd "$BUILD_PATH/lua-resty-cookie"
make all
make install
cd "$BUILD_PATH/lua-resty-lrucache"
make install
cd "$BUILD_PATH/lua-resty-dns"
make install
cd "$BUILD_PATH/lua-resty-lock"
make install
# required for OCSP verification
cd "$BUILD_PATH/lua-resty-http"
make install
cd "$BUILD_PATH/lua-resty-upload"
make install
cd "$BUILD_PATH/lua-resty-string"
make install
cd "$BUILD_PATH/lua-resty-memcached"
make install
cd "$BUILD_PATH/lua-resty-redis"
make install
cd "$BUILD_PATH/lua-resty-ipmatcher"
INST_LUADIR=/usr/local/lib/lua make install
cd "$BUILD_PATH/mimalloc"
mkdir -p out/release
cd out/release
cmake ../..
make
make install
# update image permissions
writeDirs=( \
/etc/nginx \
/usr/local/nginx \
/opt/modsecurity/var/log \
/opt/modsecurity/var/upload \
/opt/modsecurity/var/audit \
/var/log/audit \
/var/log/nginx \
);
adduser -S -D -H -u 101 -h /usr/local/nginx -s /sbin/nologin -G www-data -g www-data www-data
for dir in "${writeDirs[@]}"; do
mkdir -p ${dir};
chown -R www-data.www-data ${dir};
done
rm -rf /etc/nginx/owasp-modsecurity-crs/.git
rm -rf /etc/nginx/owasp-modsecurity-crs/tests
# remove .a files
find /usr/local -name "*.a" -print | xargs /bin/rm

4
images/nginx/Makefile
View file

@ -1,4 +1,4 @@
# Copyright 2017 The Kubernetes Authors. All rights reserved.
# Copyright 2024 The Kubernetes Authors. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -22,7 +22,7 @@ INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh
# 0.0.0 shouldn't clobber any released builds
SHORT_SHA ?=$(shell git rev-parse --short HEAD)
TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA)
TAG ?=$(shell cat TAG)
REGISTRY ?= gcr.io/k8s-staging-ingress-nginx

60
images/nginx/README.md
View file

@ -1,27 +1,47 @@
NGINX base image using [alpine](https://www.alpinelinux.org/)
NGINX base image
This custom image contains:
### HTTP/3 Support
- [nginx-http-auth-digest](https://github.com/atomx/nginx-http-auth-digest)
- [ngx_http_substitutions_filter_module](https://github.com/yaoweibin/ngx_http_substitutions_filter_module)
- [OpenTelemetry-CPP](https://github.com/open-telemetry/opentelemetry-cpp)
- [OpenTelemetry-CPP-Nginx](https://github.com/open-telemetry/opentelemetry-cpp-contrib/tree/main/instrumentation/nginx)
- [nginx-opentracing](https://github.com/opentracing-contrib/nginx-opentracing)
- [opentracing-cpp](https://github.com/opentracing/opentracing-cpp)
- [zipkin-cpp-opentracing](https://github.com/rnburn/zipkin-cpp-opentracing)
- [dd-opentracing-cpp](https://github.com/DataDog/dd-opentracing-cpp)
- [ModSecurity-nginx](https://github.com/SpiderLabs/ModSecurity-nginx) (only supported in x86_64)
- [brotli](https://github.com/google/brotli)
- [geoip2](https://github.com/leev/ngx_http_geoip2_module)
**HTTP/3 support is experimental and under development**
**How to use this image:**
This image provides a default configuration file with no backend servers.
[HTTP/3](https://datatracker.ietf.org/doc/html/rfc9114)\
[QUIC](https://datatracker.ietf.org/doc/html/rfc9000)
_Using docker_
[According to the documentation, NGINX 1.25.0 or higher supports HTTP/3:](https://nginx.org/en/docs/quic.html)
NGINX base image we use is defined in NGINX_BASE file at the root of the project
> Support for QUIC and HTTP/3 protocols is available since 1.25.0.
```console
docker run -v /some/nginx.conf:/etc/nginx/nginx.conf:ro $(cat ../../NGINX_BASE)
```
But this requires adding a new flag during the build:
> When configuring nginx, it is possible to enable QUIC and HTTP/3 using the --with-http_v3_module configuration parameter.
[We have added this flag](https://github.com/kubernetes/ingress-nginx/pull/11470), but it is not enough to use HTTP/3 in ingress-nginx, this is the first step.
The next steps will be:
1. **Waiting for OpenSSL 3.4.**\
The main problem is, that we still use OpenSSL (3.x) and it does not support the important mechanism of TLS 1.3 - [early_data](https://datatracker.ietf.org/doc/html/rfc8446#section-2.3):
> Otherwise, the OpenSSL compatibility layer will be used that does not support early data.
[And although another part of the documentation says that the directive is supported with OpenSSL:](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data)
> The directive is supported when using OpenSSL 1.1.1 or higher.
But this is incomplete support, because OpenSSL does not support this feature, and [it has only client side support:](https://github.com/openssl/openssl)
> ... the QUIC (currently client side only) version 1 protocol
[And also there are some issues even with client side](https://github.com/openssl/openssl/discussions/23339)
Due to this, we currently have incomplete HTTP/3 support, without important security and performance features.\
But the good news is that [OpenSSL plans to add server-side support in 3.4](https://github.com/openssl/web/blob/master/roadmap.md):
> Server-side QUIC support
[Overview of SSL libraries(HAProxy Documentation)](https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status#tldr)
2. **Adding [parameters](https://nginx.org/en/docs/http/ngx_http_v3_module.html) to the configmap to configure HTTP/3 and quic(enableHTTP3, enableHTTP/0.9, maxCurrentStream, and so on).**
3. **Adding options to the nginx config template(`listen 443 quic` to server blocks and `add_header Alt-Svc 'h3=":8443"; ma=86400';` to location blocks).**
4. **Opening the https port for UDP in the container(because QUIC uses UDP).**
5. **Adding tests.**

2
images/nginx/TAG
View file

@ -1 +1 @@
v1.0.0
v0.0.12

7
images/nginx/rootfs/Dockerfile
View file

@ -1,4 +1,4 @@
# Copyright 2015 The Kubernetes Authors. All rights reserved.
# Copyright 2024 The Kubernetes Authors. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -29,11 +29,10 @@ ENV LUA_PATH="/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1
ENV LUA_CPATH="/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;"
COPY --from=builder /usr/local /usr/local
COPY --from=builder /usr/lib/libopentelemetry* /usr/local/lib
COPY --from=builder /opt /opt
COPY --from=builder /etc/nginx /etc/nginx
LABEL org.opencontainers.image.source=https://github.com/kubernetes/ingress-nginx
RUN apk update \
&& apk upgrade \
&& apk add -U --no-cache \
@ -50,6 +49,8 @@ RUN apk update \
yaml-cpp \
dumb-init \
tzdata \
grpc-cpp \
libprotobuf \
&& ln -s /usr/local/nginx/sbin/nginx /sbin/nginx \
&& adduser -S -D -H -u 101 -h /usr/local/nginx \
-s /sbin/nologin -G www-data -g www-data www-data \

487
images/nginx/rootfs/build.sh
View file

@ -1,6 +1,6 @@
#!/bin/bash
# Copyright 2015 The Kubernetes Authors.
# Copyright 2023 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -18,136 +18,121 @@ set -o errexit
set -o nounset
set -o pipefail
export NGINX_VERSION=1.21.6
export NGINX_VERSION=1.25.5
# Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.2...master
export NDK_VERSION=0.3.2
# Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.3...master
export NDK_VERSION=v0.3.3
# Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.33...master
export SETMISC_VERSION=0.33
export SETMISC_VERSION=796f5a3e518748eb29a93bd450324e0ad45b704e
# Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.37...master
export MORE_HEADERS_VERSION=0.37
export MORE_HEADERS_VERSION=v0.37
# Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...atomx:master
export NGINX_DIGEST_AUTH=1.0.0
export NGINX_DIGEST_AUTH=v1.0.0
# Check for recent changes: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/compare/v0.6.4...master
export NGINX_SUBSTITUTIONS=b8a71eacc7f986ba091282ab8b1bbbc6ae1807e0
# Check for recent changes: https://github.com/opentracing-contrib/nginx-opentracing/compare/v0.19.0...master
export NGINX_OPENTRACING_VERSION=0.19.0
#Check for recent changes: https://github.com/opentracing/opentracing-cpp/compare/v1.6.0...master
export OPENTRACING_CPP_VERSION=f86b33f3d9e7322b1298ba62d5ffa7a9519c4c41
# Check for recent changes: https://github.com/rnburn/zipkin-cpp-opentracing/compare/v0.5.2...master
export ZIPKIN_CPP_VERSION=f69593138ff84ca2f6bc115992e18ca3d35f344a
# Check for recent changes: https://github.com/jbeder/yaml-cpp/compare/yaml-cpp-0.7.0...master
export YAML_CPP_VERSION=yaml-cpp-0.7.0
# Check for recent changes: https://github.com/jaegertracing/jaeger-client-cpp/compare/v0.7.0...master
export JAEGER_VERSION=0.7.0
# Check for recent changes: https://github.com/msgpack/msgpack-c/compare/cpp-3.3.0...master
export MSGPACK_VERSION=3.3.0
# Check for recent changes: https://github.com/DataDog/dd-opentracing-cpp/compare/v1.3.7...master
export DATADOG_CPP_VERSION=1.3.7
export NGINX_SUBSTITUTIONS=e12e965ac1837ca709709f9a26f572a54d83430e
# Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master
export MODSECURITY_VERSION=1.0.3
export MODSECURITY_VERSION=v1.0.3
# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.11...v3/master
export MODSECURITY_LIB_VERSION=bbde9381cbccb49ea73f6194b08b478adc53f3bc
# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.8...v3/master
export MODSECURITY_LIB_VERSION=v3.0.12
# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.2...v3.3/master
export OWASP_MODSECURITY_CRS_VERSION=v3.3.5
# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.5...v4.0/main
export OWASP_MODSECURITY_CRS_VERSION=v4.4.0
# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.25...master
export LUA_NGX_VERSION=0.10.25
# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.26``...master
export LUA_NGX_VERSION=v0.10.26
# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.13...master
export LUA_STREAM_NGX_VERSION=0.0.13
# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/bea8a0c0de94cede71554f53818ac0267d675d63...master
export LUA_STREAM_NGX_VERSION=bea8a0c0de94cede71554f53818ac0267d675d63
# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/8aa93ead98ba2060d4efd594ae33a35d153589bf...master
export LUA_UPSTREAM_VERSION=8aa93ead98ba2060d4efd594ae33a35d153589bf
export LUA_UPSTREAM_VERSION=542be0893543a4e42d89f6dd85372972f5ff2a36
# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.11...openresty:master
export LUA_CJSON_VERSION=2.1.0.11
# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.13...openresty:master
export LUA_CJSON_VERSION=2.1.0.13
# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/3.4...master
# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/a607a41a8115fecfc05b5c283c81532a3d605425...master
export GEOIP2_VERSION=a607a41a8115fecfc05b5c283c81532a3d605425
# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20230410...v2.1-agentzh
export LUAJIT_VERSION=2.1-20230410
# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20240314...v2.1-agentzh
export LUAJIT_VERSION=v2.1-20240314
# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.04...master
export LUA_RESTY_BALANCER=0.04
# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/1cd4363c0a239afe4765ec607dcfbbb4e5900eea...master
export LUA_RESTY_BALANCER=1cd4363c0a239afe4765ec607dcfbbb4e5900eea
# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.13...master
export LUA_RESTY_CACHE=0.13
# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/99e7578465b40f36f596d099b82eab404f2b42ed...master
export LUA_RESTY_CACHE=99e7578465b40f36f596d099b82eab404f2b42ed
# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.27...master
export LUA_RESTY_CORE=0.1.27
export LUA_RESTY_CORE=v0.1.28
# Check for recent changes: https://github.com/utix/lua-resty-cookie/compare/9533f47...master
export LUA_RESTY_COOKIE_VERSION=9533f479371663107b515590fc9daf00d61ebf11
# Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/f418d77082eaef48331302e84330488fdc810ef4...master
export LUA_RESTY_COOKIE_VERSION=f418d77082eaef48331302e84330488fdc810ef4
# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/v0.22...master
export LUA_RESTY_DNS=0.22
# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/8bb53516e2933e61c317db740a9b7c2048847c2f...master
export LUA_RESTY_DNS=8bb53516e2933e61c317db740a9b7c2048847c2f
# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.16.1...master
export LUA_RESTY_HTTP=0ce55d6d15da140ecc5966fa848204c6fd9074e8
# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.17.1...master
export LUA_RESTY_HTTP=v0.17.1
# Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.09...master
export LUA_RESTY_LOCK=0.09
export LUA_RESTY_LOCK=405d0bf4cbfa74d742c6ed3158d442221e6212a9
# Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.11...master
export LUA_RESTY_UPLOAD_VERSION=0.11
export LUA_RESTY_UPLOAD_VERSION=979372cce011f3176af3c9aff53fd0e992c4bfd3
# Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.15...master
export LUA_RESTY_STRING_VERSION=0.15
export LUA_RESTY_STRING_VERSION=6f1bc21d86daef804df3cc34d6427ef68da26844
# Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.17...master
export LUA_RESTY_MEMCACHED_VERSION=0.17
export LUA_RESTY_MEMCACHED_VERSION=2f02b68bf65fa2332cce070674a93a69a6c7239b
# Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.30...master
export LUA_RESTY_REDIS_VERSION=0.30
export LUA_RESTY_REDIS_VERSION=8641b9f1b6f75cca50c90cf8ca5c502ad8950aa8
# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/v0.6.1...master
export LUA_RESTY_IPMATCHER_VERSION=0.6.1
export LUA_RESTY_IPMATCHER_VERSION=3e93c53eb8c9884efe939ef070486a0e507cc5be
# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v1.7.6...master
export MIMALOC_VERSION=1.7.6
# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.1.7...master
export MIMALOC_VERSION=v2.1.7
# Check on https://github.com/open-telemetry/opentelemetry-cpp
export OPENTELEMETRY_CPP_VERSION="v1.11.0"
# Check on https://github.com/open-telemetry/opentelemetry-proto
export OPENTELEMETRY_PROTO_VERSION="v1.1.0"
export BUILD_PATH=/tmp/build
ARCH=$(uname -m)
if [[ ${ARCH} == "s390x" ]]; then
export LUAJIT_VERSION=9d5750d28478abfdcaefdfdc408f87752a21e431
export LUA_RESTY_CORE=0.1.17
export LUA_NGX_VERSION=0.10.15
export LUA_STREAM_NGX_VERSION=0.0.7
fi
get_src()
{
hash="$1"
url="$2"
dest="${3-}"
ARGS=""
f=$(basename "$url")
echo "Downloading $url"
curl -sSL "$url" -o "$f"
echo "$hash $f" | sha256sum -c - || exit 10
tar xzf "$f"
# TODO: Reenable checksum verification but make it smarter
# echo "$hash $f" | sha256sum -c - || exit 10
if [ ! -z "$dest" ]; then
mkdir ${BUILD_PATH}/${dest}
ARGS="-C ${BUILD_PATH}/${dest} --strip-components=1"
fi
tar xvzf "$f" $ARGS
rm -rf "$f"
}
# install required packages to build
# Dependencies from "ninja" and below are OTEL dependencies
apk add \
bash \
gcc \
@ -184,7 +169,22 @@ apk add \
unzip \
dos2unix \
yaml-cpp \
coreutils
coreutils \
ninja \
gtest-dev \
git \
build-base \
pkgconfig \
c-ares-dev \
re2-dev \
grpc-dev \
protobuf-dev
# apk add -X http://dl-cdn.alpinelinux.org/alpine/edge/testing opentelemetry-cpp-dev
# There is some bug with some platforms and git, so force HTTP/1.1
git config --global http.version HTTP/1.1
git config --global http.postBuffer 157286400
mkdir -p /etc/nginx
@ -196,271 +196,135 @@ get_src 66dc7081488811e9f925719e34d1b4504c2801c81dee2920e5452a86b11405ae \
"https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz"
get_src aa961eafb8317e0eb8da37eb6e2c9ff42267edd18b56947384e719b85188f58b \
"https://github.com/vision5/ngx_devel_kit/archive/v$NDK_VERSION.tar.gz"
"https://github.com/vision5/ngx_devel_kit/archive/$NDK_VERSION.tar.gz" "ngx_devel_kit"
get_src abc123 \
"https://github.com/open-telemetry/opentelemetry-cpp/archive/$OPENTELEMETRY_CPP_VERSION.tar.gz" "opentelemetry-cpp"
get_src abc123 \
"https://github.com/open-telemetry/opentelemetry-proto/archive/$OPENTELEMETRY_PROTO_VERSION.tar.gz" "opentelemetry-proto"
get_src cd5e2cc834bcfa30149e7511f2b5a2183baf0b70dc091af717a89a64e44a2985 \
"https://github.com/openresty/set-misc-nginx-module/archive/v$SETMISC_VERSION.tar.gz"
"https://github.com/openresty/set-misc-nginx-module/archive/$SETMISC_VERSION.tar.gz" "set-misc-nginx-module"
get_src cf6e169d6b350c06d0c730b0eaf4973394026ad40094cddd3b3a5b346577019d \
"https://github.com/openresty/headers-more-nginx-module/archive/v$MORE_HEADERS_VERSION.tar.gz"
get_src 0c0d2ced2ce895b3f45eb2b230cd90508ab2a773299f153de14a43e44c1209b3 \
"https://github.com/openresty/headers-more-nginx-module/archive/$MORE_HEADERS_VERSION.tar.gz" "headers-more-nginx-module"
get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \
"https://github.com/atomx/nginx-http-auth-digest/archive/v$NGINX_DIGEST_AUTH.tar.gz"
"https://github.com/atomx/nginx-http-auth-digest/archive/$NGINX_DIGEST_AUTH.tar.gz" "nginx-http-auth-digest"
get_src a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f \
"https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz"
get_src 6f97776ebdf019b105a755c7736b70bdbd7e575c7f0d39db5fe127873c7abf17 \
"https://github.com/opentracing-contrib/nginx-opentracing/archive/v$NGINX_OPENTRACING_VERSION.tar.gz"
get_src cbe625cba85291712253db5bc3870d60c709acfad9a8af5a302673d3d201e3ea \
"https://github.com/opentracing/opentracing-cpp/archive/$OPENTRACING_CPP_VERSION.tar.gz"
get_src 71de3d0658935db7ccea20e006b35e58ddc7e4c18878b9523f2addc2371e9270 \
"https://github.com/rnburn/zipkin-cpp-opentracing/archive/$ZIPKIN_CPP_VERSION.tar.gz"
"https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz" "ngx_http_substitutions_filter_module"
get_src 32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b \
"https://github.com/SpiderLabs/ModSecurity-nginx/archive/v$MODSECURITY_VERSION.tar.gz"
"https://github.com/SpiderLabs/ModSecurity-nginx/archive/$MODSECURITY_VERSION.tar.gz" "ModSecurity-nginx"
get_src 43e6a9fcb146ad871515f0d0873947e5d497a1c9c60c58cb102a97b47208b7c3 \
"https://github.com/jbeder/yaml-cpp/archive/$YAML_CPP_VERSION.tar.gz"
get_src 3a3a03060bf5e3fef52c9a2de02e6035cb557f389453d8f3b0c1d3d570636994 \
"https://github.com/jaegertracing/jaeger-client-cpp/archive/v$JAEGER_VERSION.tar.gz"
get_src 754c3ace499a63e45b77ef4bcab4ee602c2c414f58403bce826b76ffc2f77d0b \
"https://github.com/msgpack/msgpack-c/archive/cpp-$MSGPACK_VERSION.tar.gz"
if [[ ${ARCH} == "s390x" ]]; then
get_src 7d5f3439c8df56046d0564b5857fd8a30296ab1bd6df0f048aed7afb56a0a4c2 \
"https://github.com/openresty/lua-nginx-module/archive/v$LUA_NGX_VERSION.tar.gz"
get_src 99c47c75c159795c9faf76bbb9fa58e5a50b75286c86565ffcec8514b1c74bf9 \
"https://github.com/openresty/stream-lua-nginx-module/archive/v$LUA_STREAM_NGX_VERSION.tar.gz"
else
get_src bc764db42830aeaf74755754b900253c233ad57498debe7a441cee2c6f4b07c2 \
"https://github.com/openresty/lua-nginx-module/archive/v$LUA_NGX_VERSION.tar.gz"
"https://github.com/openresty/lua-nginx-module/archive/$LUA_NGX_VERSION.tar.gz" "lua-nginx-module"
get_src 01b715754a8248cc7228e0c8f97f7488ae429d90208de0481394e35d24cef32f \
"https://github.com/openresty/stream-lua-nginx-module/archive/v$LUA_STREAM_NGX_VERSION.tar.gz"
fi
"https://github.com/openresty/stream-lua-nginx-module/archive/$LUA_STREAM_NGX_VERSION.tar.gz" "stream-lua-nginx-module"
get_src a92c9ee6682567605ece55d4eed5d1d54446ba6fba748cff0a2482aea5713d5f \
"https://github.com/openresty/lua-upstream-nginx-module/archive/$LUA_UPSTREAM_VERSION.tar.gz"
"https://github.com/openresty/lua-upstream-nginx-module/archive/$LUA_UPSTREAM_VERSION.tar.gz" "lua-upstream-nginx-module"
if [[ ${ARCH} == "s390x" ]]; then
get_src 266ed1abb70a9806d97cb958537a44b67db6afb33d3b32292a2d68a2acedea75 \
"https://github.com/openresty/luajit2/archive/$LUAJIT_VERSION.tar.gz"
else
get_src 77bbcbb24c3c78f51560017288f3118d995fe71240aa379f5818ff6b166712ff \
"https://github.com/openresty/luajit2/archive/v$LUAJIT_VERSION.tar.gz"
fi
get_src 8d39c6b23f941a2d11571daaccc04e69539a3fcbcc50a631837560d5861a7b96 \
"https://github.com/DataDog/dd-opentracing-cpp/archive/v$DATADOG_CPP_VERSION.tar.gz"
"https://github.com/openresty/luajit2/archive/$LUAJIT_VERSION.tar.gz" "luajit2"
get_src b6c9c09fd43eb34a71e706ad780b2ead26549a9a9f59280fe558f5b7b980b7c6 \
"https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz"
"https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz" "ngx_http_geoip2_module"
get_src deb4ab1ffb9f3d962c4b4a2c4bdff692b86a209e3835ae71ebdf3b97189e40a9 \
"https://github.com/openresty/lua-resty-upload/archive/v$LUA_RESTY_UPLOAD_VERSION.tar.gz"
"https://github.com/openresty/lua-resty-upload/archive/$LUA_RESTY_UPLOAD_VERSION.tar.gz" "lua-resty-upload"
get_src bdbf271003d95aa91cab0a92f24dca129e99b33f79c13ebfcdbbcbb558129491 \
"https://github.com/openresty/lua-resty-string/archive/v$LUA_RESTY_STRING_VERSION.tar.gz"
"https://github.com/openresty/lua-resty-string/archive/$LUA_RESTY_STRING_VERSION.tar.gz" "lua-resty-string"
get_src 16d72ed133f0c6df376a327386c3ef4e9406cf51003a700737c3805770ade7c5 \
"https://github.com/openresty/lua-resty-balancer/archive/v$LUA_RESTY_BALANCER.tar.gz"
"https://github.com/openresty/lua-resty-balancer/archive/$LUA_RESTY_BALANCER.tar.gz" "lua-resty-balancer"
if [[ ${ARCH} == "s390x" ]]; then
get_src 8f5f76d2689a3f6b0782f0a009c56a65e4c7a4382be86422c9b3549fe95b0dc4 \
"https://github.com/openresty/lua-resty-core/archive/v$LUA_RESTY_CORE.tar.gz"
else
get_src 39baab9e2b31cc48cecf896cea40ef6e80559054fd8a6e440cc804a858ea84d4 \
"https://github.com/openresty/lua-resty-core/archive/v$LUA_RESTY_CORE.tar.gz"
fi
"https://github.com/openresty/lua-resty-core/archive/$LUA_RESTY_CORE.tar.gz" "lua-resty-core"
get_src a77b9de160d81712f2f442e1de8b78a5a7ef0d08f13430ff619f79235db974d4 \
"https://github.com/openresty/lua-cjson/archive/$LUA_CJSON_VERSION.tar.gz"
"https://github.com/openresty/lua-cjson/archive/$LUA_CJSON_VERSION.tar.gz" "lua-cjson"
get_src a404c790553617424d743b82a9f01feccd0d2930b306b370c665ca3b7c09ccb6 \
"https://github.com/utix/lua-resty-cookie/archive/$LUA_RESTY_COOKIE_VERSION.tar.gz"
get_src 5ed48c36231e2622b001308622d46a0077525ac2f751e8cc0c9905914254baa4 \
"https://github.com/cloudflare/lua-resty-cookie/archive/$LUA_RESTY_COOKIE_VERSION.tar.gz" "lua-resty-cookie"
get_src 573184006b98ccee2594b0d134fa4d05e5d2afd5141cbad315051ccf7e9b6403 \
"https://github.com/openresty/lua-resty-lrucache/archive/v$LUA_RESTY_CACHE.tar.gz"
"https://github.com/openresty/lua-resty-lrucache/archive/$LUA_RESTY_CACHE.tar.gz" "lua-resty-lrucache"
get_src b4ddcd47db347e9adf5c1e1491a6279a6ae2a3aff3155ef77ea0a65c998a69c1 \
"https://github.com/openresty/lua-resty-lock/archive/v$LUA_RESTY_LOCK.tar.gz"
"https://github.com/openresty/lua-resty-lock/archive/$LUA_RESTY_LOCK.tar.gz" "lua-resty-lock"
get_src 70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0 \
"https://github.com/openresty/lua-resty-dns/archive/v$LUA_RESTY_DNS.tar.gz"
"https://github.com/openresty/lua-resty-dns/archive/$LUA_RESTY_DNS.tar.gz" "lua-resty-dns"
get_src 9fcb6db95bc37b6fce77d3b3dc740d593f9d90dce0369b405eb04844d56ac43f \
"https://github.com/ledgetech/lua-resty-http/archive/$LUA_RESTY_HTTP.tar.gz"
"https://github.com/ledgetech/lua-resty-http/archive/$LUA_RESTY_HTTP.tar.gz" "lua-resty-http"
get_src 02733575c4aed15f6cab662378e4b071c0a4a4d07940c4ef19a7319e9be943d4 \
"https://github.com/openresty/lua-resty-memcached/archive/v$LUA_RESTY_MEMCACHED_VERSION.tar.gz"
"https://github.com/openresty/lua-resty-memcached/archive/$LUA_RESTY_MEMCACHED_VERSION.tar.gz" "lua-resty-memcached"
get_src c15aed1a01c88a3a6387d9af67a957dff670357f5fdb4ee182beb44635eef3f1 \
"https://github.com/openresty/lua-resty-redis/archive/v$LUA_RESTY_REDIS_VERSION.tar.gz"
"https://github.com/openresty/lua-resty-redis/archive/$LUA_RESTY_REDIS_VERSION.tar.gz" "lua-resty-redis"
get_src efb767487ea3f6031577b9b224467ddbda2ad51a41c5867a47582d4ad85d609e \
"https://github.com/api7/lua-resty-ipmatcher/archive/v$LUA_RESTY_IPMATCHER_VERSION.tar.gz"
"https://github.com/api7/lua-resty-ipmatcher/archive/$LUA_RESTY_IPMATCHER_VERSION.tar.gz" "lua-resty-ipmatcher"
get_src d74f86ada2329016068bc5a243268f1f555edd620b6a7d6ce89295e7d6cf18da \
"https://github.com/microsoft/mimalloc/archive/refs/tags/v${MIMALOC_VERSION}.tar.gz"
"https://github.com/microsoft/mimalloc/archive/${MIMALOC_VERSION}.tar.gz" "mimalloc"
# improve compilation times
CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1))
export MAKEFLAGS=-j${CORES}
export CTEST_BUILD_FLAGS=${MAKEFLAGS}
export HUNTER_JOBS_NUMBER=${CORES}
export HUNTER_USE_CACHE_SERVERS=true
# Install luajit from openresty fork
export LUAJIT_LIB=/usr/local/lib
export LUA_LIB_DIR="$LUAJIT_LIB/lua"
export LUAJIT_INC=/usr/local/include/luajit-2.1
cd "$BUILD_PATH/luajit2-$LUAJIT_VERSION"
cd "$BUILD_PATH/luajit2"
make CCDEBUG=-g
make install
ln -s /usr/local/bin/luajit /usr/local/bin/lua
ln -s "$LUAJIT_INC" /usr/local/include/lua
cd "$BUILD_PATH"
cd "$BUILD_PATH/opentelemetry-cpp"
export CXXFLAGS="-DBENCHMARK_HAS_NO_INLINE_ASSEMBLY"
cmake -B build -G Ninja -Wno-dev \
-DOTELCPP_PROTO_PATH="${BUILD_PATH}/opentelemetry-proto/" \
-DCMAKE_INSTALL_PREFIX=/usr \
-DBUILD_SHARED_LIBS=ON \
-DBUILD_TESTING="OFF" \
-DBUILD_W3CTRACECONTEXT_TEST="OFF" \
-DCMAKE_BUILD_TYPE=None \
-DWITH_ABSEIL=ON \
-DWITH_STL=ON \
-DWITH_EXAMPLES=OFF \
-DWITH_ZPAGES=OFF \
-DWITH_OTLP_GRPC=ON \
-DWITH_OTLP_HTTP=ON \
-DWITH_ZIPKIN=ON \
-DWITH_PROMETHEUS=OFF \
-DWITH_ASYNC_EXPORT_PREVIEW=OFF \
-DWITH_METRICS_EXEMPLAR_PREVIEW=OFF
cmake --build build
cmake --install build
# Git tuning
git config --global --add core.compression -1
# build opentracing lib
cd "$BUILD_PATH/opentracing-cpp-$OPENTRACING_CPP_VERSION"
mkdir .build
cd .build
cmake -DCMAKE_BUILD_TYPE=Release \
-DBUILD_TESTING=OFF \
-DBUILD_SHARED_LIBS=OFF \
-DBUILD_MOCKTRACER=OFF \
-DBUILD_STATIC_LIBS=ON \
-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true \
..
make
make install
# build yaml-cpp
# TODO @timmysilv: remove this and jaeger sed calls once it is fixed in jaeger-client-cpp
cd "$BUILD_PATH/yaml-cpp-$YAML_CPP_VERSION"
mkdir .build
cd .build
cmake -DCMAKE_BUILD_TYPE=Release \
-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true \
-DYAML_BUILD_SHARED_LIBS=ON \
-DYAML_CPP_BUILD_TESTS=OFF \
-DYAML_CPP_BUILD_TOOLS=OFF \
..
make
make install
# build jaeger lib
cd "$BUILD_PATH/jaeger-client-cpp-$JAEGER_VERSION"
sed -i 's/-Werror/-Wno-psabi/' CMakeLists.txt
# use the above built yaml-cpp instead until a new version of jaeger-client-cpp fixes the yaml-cpp issue
# tl;dr new hunter is needed for new yaml-cpp, but new hunter has a conflict with old Thrift and new Boost
sed -i 's/hunter_add_package(yaml-cpp)/#hunter_add_package(yaml-cpp)/' CMakeLists.txt
sed -i 's/yaml-cpp::yaml-cpp/yaml-cpp/' CMakeLists.txt
cat <<EOF > export.map
{
global:
OpenTracingMakeTracerFactory;
local: *;
};
EOF
mkdir .build
cd .build
cmake -DCMAKE_BUILD_TYPE=Release \
-DBUILD_TESTING=OFF \
-DJAEGERTRACING_BUILD_EXAMPLES=OFF \
-DJAEGERTRACING_BUILD_CROSSDOCK=OFF \
-DJAEGERTRACING_COVERAGE=OFF \
-DJAEGERTRACING_PLUGIN=ON \
-DHUNTER_CONFIGURATION_TYPES=Release \
-DBUILD_SHARED_LIBS=OFF \
-DJAEGERTRACING_WITH_YAML_CPP=ON \
-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true \
..
make
make install
export HUNTER_INSTALL_DIR=$(cat _3rdParty/Hunter/install-root-dir) \
mv libjaegertracing_plugin.so /usr/local/lib/libjaegertracing_plugin.so
# build zipkin lib
cd "$BUILD_PATH/zipkin-cpp-opentracing-$ZIPKIN_CPP_VERSION"
cat <<EOF > export.map
{
global:
OpenTracingMakeTracerFactory;
local: *;
};
EOF
mkdir .build
cd .build
cmake -DCMAKE_BUILD_TYPE=Release \
-DBUILD_SHARED_LIBS=OFF \
-DBUILD_PLUGIN=ON \
-DBUILD_TESTING=OFF \
-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true \
..
make
make install
# build msgpack lib
cd "$BUILD_PATH/msgpack-c-cpp-$MSGPACK_VERSION"
mkdir .build
cd .build
cmake -DCMAKE_BUILD_TYPE=Release \
-DBUILD_SHARED_LIBS=OFF \
-DMSGPACK_BUILD_EXAMPLES=OFF \
-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true \
..
make
make install
# build datadog lib
cd "$BUILD_PATH/dd-opentracing-cpp-$DATADOG_CPP_VERSION"
mkdir .build
cd .build
cmake -DCMAKE_BUILD_TYPE=Release \
-DBUILD_TESTING=OFF \
-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true \
..
make
make install
# Get Brotli source and deps
cd "$BUILD_PATH"
git clone --depth=1 https://github.com/google/ngx_brotli.git
git clone --depth=100 https://github.com/google/ngx_brotli.git
cd ngx_brotli
# https://github.com/google/ngx_brotli/issues/156
git reset --hard 63ca02abdcf79c9e788d2eedcc388d2335902e52
git submodule init
git submodule update
@ -518,17 +382,13 @@ mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-E
mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
cd ..
# OWASP CRS v3 rules
# OWASP CRS v4 rules
echo "
Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@ -537,7 +397,7 @@ Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LF
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
@ -548,6 +408,7 @@ Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.co
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-955-WEB-SHELLS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
@ -577,6 +438,7 @@ WITH_FLAGS="--with-debug \
--with-http_gzip_static_module \
--with-http_sub_module \
--with-http_v2_module \
--with-http_v3_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
@ -596,10 +458,9 @@ CC_OPT="-g -O2 -fPIE -fstack-protector-strong \
--param=ssp-buffer-size=4 \
-DTCP_FASTOPEN=23 \
-fPIC \
-I$HUNTER_INSTALL_DIR/include \
-Wno-cast-function-type"
LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now -L$HUNTER_INSTALL_DIR/lib"
LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now"
if [[ ${ARCH} != "aarch64" ]]; then
WITH_FLAGS+=" --with-file-aio"
@ -610,17 +471,16 @@ if [[ ${ARCH} == "x86_64" ]]; then
fi
WITH_MODULES=" \
--add-module=$BUILD_PATH/ngx_devel_kit-$NDK_VERSION \
--add-module=$BUILD_PATH/set-misc-nginx-module-$SETMISC_VERSION \
--add-module=$BUILD_PATH/headers-more-nginx-module-$MORE_HEADERS_VERSION \
--add-module=$BUILD_PATH/ngx_http_substitutions_filter_module-$NGINX_SUBSTITUTIONS \
--add-module=$BUILD_PATH/lua-nginx-module-$LUA_NGX_VERSION \
--add-module=$BUILD_PATH/stream-lua-nginx-module-$LUA_STREAM_NGX_VERSION \
--add-module=$BUILD_PATH/lua-upstream-nginx-module-$LUA_UPSTREAM_VERSION \
--add-dynamic-module=$BUILD_PATH/nginx-http-auth-digest-$NGINX_DIGEST_AUTH \
--add-dynamic-module=$BUILD_PATH/nginx-opentracing-$NGINX_OPENTRACING_VERSION/opentracing \
--add-dynamic-module=$BUILD_PATH/ModSecurity-nginx-$MODSECURITY_VERSION \
--add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module-${GEOIP2_VERSION} \
--add-module=$BUILD_PATH/ngx_devel_kit \
--add-module=$BUILD_PATH/set-misc-nginx-module \
--add-module=$BUILD_PATH/headers-more-nginx-module \
--add-module=$BUILD_PATH/ngx_http_substitutions_filter_module \
--add-module=$BUILD_PATH/lua-nginx-module \
--add-module=$BUILD_PATH/stream-lua-nginx-module \
--add-module=$BUILD_PATH/lua-upstream-nginx-module \
--add-dynamic-module=$BUILD_PATH/nginx-http-auth-digest \
--add-dynamic-module=$BUILD_PATH/ModSecurity-nginx \
--add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module \
--add-dynamic-module=$BUILD_PATH/ngx_brotli"
./configure \
@ -652,53 +512,80 @@ make
make modules
make install
cd "$BUILD_PATH/lua-resty-core-$LUA_RESTY_CORE"
export OPENTELEMETRY_CONTRIB_COMMIT=e11348bb400d5472bf1da5d6128bead66fa111ff
cd "$BUILD_PATH"
git clone https://github.com/open-telemetry/opentelemetry-cpp-contrib.git opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT}
cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT}
git reset --hard ${OPENTELEMETRY_CONTRIB_COMMIT}
export OTEL_TEMP_INSTALL=/tmp/otel
mkdir -p ${OTEL_TEMP_INSTALL}
cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT}/instrumentation/nginx
mkdir -p build
cd build
cmake -DCMAKE_BUILD_TYPE=Release \
-G Ninja \
-DCMAKE_CXX_STANDARD=17 \
-DCMAKE_INSTALL_PREFIX=${OTEL_TEMP_INSTALL} \
-DBUILD_SHARED_LIBS=ON \
-DNGINX_VERSION=${NGINX_VERSION} \
..
cmake --build . -j ${CORES} --target install
mkdir -p /etc/nginx/modules
cp ${OTEL_TEMP_INSTALL}/otel_ngx_module.so /etc/nginx/modules/otel_ngx_module.so
cd "$BUILD_PATH/lua-resty-core"
make install
cd "$BUILD_PATH/lua-resty-balancer-$LUA_RESTY_BALANCER"
cd "$BUILD_PATH/lua-resty-balancer"
make all
make install
export LUA_INCLUDE_DIR=/usr/local/include/luajit-2.1
ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1
cd "$BUILD_PATH/lua-cjson-$LUA_CJSON_VERSION"
cd "$BUILD_PATH/lua-cjson"
make all
make install
cd "$BUILD_PATH/lua-resty-cookie-$LUA_RESTY_COOKIE_VERSION"
cd "$BUILD_PATH/lua-resty-cookie"
make all
make install
cd "$BUILD_PATH/lua-resty-lrucache-$LUA_RESTY_CACHE"
cd "$BUILD_PATH/lua-resty-lrucache"
make install
cd "$BUILD_PATH/lua-resty-dns-$LUA_RESTY_DNS"
cd "$BUILD_PATH/lua-resty-dns"
make install
cd "$BUILD_PATH/lua-resty-lock-$LUA_RESTY_LOCK"
cd "$BUILD_PATH/lua-resty-lock"
make install
# required for OCSP verification
cd "$BUILD_PATH/lua-resty-http-$LUA_RESTY_HTTP"
cd "$BUILD_PATH/lua-resty-http"
make install
cd "$BUILD_PATH/lua-resty-upload-$LUA_RESTY_UPLOAD_VERSION"
cd "$BUILD_PATH/lua-resty-upload"
make install
cd "$BUILD_PATH/lua-resty-string-$LUA_RESTY_STRING_VERSION"
cd "$BUILD_PATH/lua-resty-string"
make install
cd "$BUILD_PATH/lua-resty-memcached-$LUA_RESTY_MEMCACHED_VERSION"
cd "$BUILD_PATH/lua-resty-memcached"
make install
cd "$BUILD_PATH/lua-resty-redis-$LUA_RESTY_REDIS_VERSION"
cd "$BUILD_PATH/lua-resty-redis"
make install
cd "$BUILD_PATH/lua-resty-ipmatcher-$LUA_RESTY_IPMATCHER_VERSION"
cd "$BUILD_PATH/lua-resty-ipmatcher"
INST_LUADIR=/usr/local/lib/lua make install
cd "$BUILD_PATH/mimalloc-$MIMALOC_VERSION"
cd "$BUILD_PATH/mimalloc"
mkdir -p out/release
cd out/release

0
images/nginx-1.25/rootfs/patches/00_drop-alias-root.patch → images/nginx/rootfs/patches/00_drop-alias-root.patch
View file

0
images/nginx-1.25/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch → images/nginx/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch
View file

0
images/nginx-1.25/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch → images/nginx/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch
View file

0
images/nginx-1.25/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch → images/nginx/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch
View file

0
images/nginx-1.25/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch → images/nginx/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch
View file

0
images/nginx-1.25/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch → images/nginx/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch
View file

0
images/nginx-1.25/rootfs/patches/06_nginx-1.25.3-resolver_conf_parsing.patch → images/nginx/rootfs/patches/06_nginx-1.25.3-resolver_conf_parsing.patch
View file

0
images/nginx-1.25/rootfs/patches/07_nginx-1.25.3-daemon_destroy_pool.patch → images/nginx/rootfs/patches/07_nginx-1.25.3-daemon_destroy_pool.patch
View file

0
images/nginx-1.25/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch → images/nginx/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch
View file

0
images/nginx-1.25/rootfs/patches/09_nginx-1.25.3-balancer_status_code.patch → images/nginx/rootfs/patches/09_nginx-1.25.3-balancer_status_code.patch
View file

0
images/nginx-1.25/rootfs/patches/10_nginx-1.25.3-delayed_posted_events.patch → images/nginx/rootfs/patches/10_nginx-1.25.3-delayed_posted_events.patch
View file

0
images/nginx-1.25/rootfs/patches/11_nginx-1.25.3-privileged_agent_process.patch → images/nginx/rootfs/patches/11_nginx-1.25.3-privileged_agent_process.patch
View file

0
images/nginx-1.25/rootfs/patches/12_nginx-1.25.3-privileged_agent_process_connections.patch → images/nginx/rootfs/patches/12_nginx-1.25.3-privileged_agent_process_connections.patch
View file

0
images/nginx-1.25/rootfs/patches/13_nginx-1.25.3-privileged_agent_process_thread_pool.patch → images/nginx/rootfs/patches/13_nginx-1.25.3-privileged_agent_process_thread_pool.patch
View file

0
images/nginx-1.25/rootfs/patches/14_nginx-1.25.3-single_process_graceful_exit.patch → images/nginx/rootfs/patches/14_nginx-1.25.3-single_process_graceful_exit.patch
View file

0
images/nginx-1.25/rootfs/patches/15_nginx-1.25.3-intercept_error_log.patch → images/nginx/rootfs/patches/15_nginx-1.25.3-intercept_error_log.patch
View file

0
images/nginx-1.25/rootfs/patches/16_nginx-1.25.3-upstream_pipelining.patch → images/nginx/rootfs/patches/16_nginx-1.25.3-upstream_pipelining.patch
View file

0
images/nginx-1.25/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch → images/nginx/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch
View file

0
images/nginx-1.25/rootfs/patches/18_nginx-1.25.3-no_Werror.patch → images/nginx/rootfs/patches/18_nginx-1.25.3-no_Werror.patch
View file

0
images/nginx-1.25/rootfs/patches/19_nginx-1.25.3-log_escape_non_ascii.patch → images/nginx/rootfs/patches/19_nginx-1.25.3-log_escape_non_ascii.patch
View file

0
images/nginx-1.25/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch → images/nginx/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch
View file

0
images/nginx-1.25/rootfs/patches/21_nginx-1.25.3-cache_manager_exit.patch → images/nginx/rootfs/patches/21_nginx-1.25.3-cache_manager_exit.patch
View file

0
images/nginx-1.25/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch → images/nginx/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch
View file

0
images/nginx-1.25/rootfs/patches/23_nginx-1.25.3-pcre_conf_opt.patch → images/nginx/rootfs/patches/23_nginx-1.25.3-pcre_conf_opt.patch
View file

0
images/nginx-1.25/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch → images/nginx/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch
View file

0
images/nginx-1.25/rootfs/patches/25_nginx-1.25.3-ssl_cert_cb_yield.patch → images/nginx/rootfs/patches/25_nginx-1.25.3-ssl_cert_cb_yield.patch
View file

0
images/nginx-1.25/rootfs/patches/26_nginx-1.25.3-ssl_sess_cb_yield.patch → images/nginx/rootfs/patches/26_nginx-1.25.3-ssl_sess_cb_yield.patch
View file

0
images/nginx-1.25/rootfs/patches/27_nginx-1.25.3-ssl_client_hello_cb_yield.patch → images/nginx/rootfs/patches/27_nginx-1.25.3-ssl_client_hello_cb_yield.patch
View file

0
images/nginx-1.25/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch → images/nginx/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch
View file

0
images/nginx-1.25/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch → images/nginx/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch
View file

0
images/nginx-1.25/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch → images/nginx/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch
View file

0
images/nginx-1.25/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch → images/nginx/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch
View file

144
images/nginx/rootfs/patches/drop-alias-root.patch
View file

@ -1,144 +0,0 @@
:100644 100644 c7463dcd 00000000 M src/http/ngx_http_core_module.c
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index c7463dcd..e2e45931 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -55,7 +55,6 @@ static char *ngx_http_core_listen(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
static char *ngx_http_core_server_name(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
-static char *ngx_http_core_root(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
static char *ngx_http_core_limit_except(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
static char *ngx_http_core_set_aio(ngx_conf_t *cf, ngx_command_t *cmd,
@@ -323,21 +322,6 @@ static ngx_command_t ngx_http_core_commands[] = {
offsetof(ngx_http_core_loc_conf_t, default_type),
NULL },
- { ngx_string("root"),
- NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
- |NGX_CONF_TAKE1,
- ngx_http_core_root,
- NGX_HTTP_LOC_CONF_OFFSET,
- 0,
- NULL },
-
- { ngx_string("alias"),
- NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
- ngx_http_core_root,
- NGX_HTTP_LOC_CONF_OFFSET,
- 0,
- NULL },
-
{ ngx_string("limit_except"),
NGX_HTTP_LOC_CONF|NGX_CONF_BLOCK|NGX_CONF_1MORE,
ngx_http_core_limit_except,
@@ -4312,108 +4296,6 @@ ngx_http_core_server_name(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
}
-static char *
-ngx_http_core_root(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
-{
- ngx_http_core_loc_conf_t *clcf = conf;
-
- ngx_str_t *value;
- ngx_int_t alias;
- ngx_uint_t n;
- ngx_http_script_compile_t sc;
-
- alias = (cmd->name.len == sizeof("alias") - 1) ? 1 : 0;
-
- if (clcf->root.data) {
-
- if ((clcf->alias != 0) == alias) {
- return "is duplicate";
- }
-
- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
- "\"%V\" directive is duplicate, "
- "\"%s\" directive was specified earlier",
- &cmd->name, clcf->alias ? "alias" : "root");
-
- return NGX_CONF_ERROR;
- }
-
- if (clcf->named && alias) {
- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
- "the \"alias\" directive cannot be used "
- "inside the named location");
-
- return NGX_CONF_ERROR;
- }
-
- value = cf->args->elts;
-
- if (ngx_strstr(value[1].data, "$document_root")
- || ngx_strstr(value[1].data, "${document_root}"))
- {
- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
- "the $document_root variable cannot be used "
- "in the \"%V\" directive",
- &cmd->name);
-
- return NGX_CONF_ERROR;
- }
-
- if (ngx_strstr(value[1].data, "$realpath_root")
- || ngx_strstr(value[1].data, "${realpath_root}"))
- {
- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
- "the $realpath_root variable cannot be used "
- "in the \"%V\" directive",
- &cmd->name);
-
- return NGX_CONF_ERROR;
- }
-
- clcf->alias = alias ? clcf->name.len : 0;
- clcf->root = value[1];
-
- if (!alias && clcf->root.len > 0
- && clcf->root.data[clcf->root.len - 1] == '/')
- {
- clcf->root.len--;
- }
-
- if (clcf->root.data[0] != '$') {
- if (ngx_conf_full_name(cf->cycle, &clcf->root, 0) != NGX_OK) {
- return NGX_CONF_ERROR;
- }
- }
-
- n = ngx_http_script_variables_count(&clcf->root);
-
- ngx_memzero(&sc, sizeof(ngx_http_script_compile_t));
- sc.variables = n;
-
-#if (NGX_PCRE)
- if (alias && clcf->regex) {
- clcf->alias = NGX_MAX_SIZE_T_VALUE;
- n = 1;
- }
-#endif
-
- if (n) {
- sc.cf = cf;
- sc.source = &clcf->root;
- sc.lengths = &clcf->root_lengths;
- sc.values = &clcf->root_values;
- sc.complete_lengths = 1;
- sc.complete_values = 1;
-
- if (ngx_http_script_compile(&sc) != NGX_OK) {
- return NGX_CONF_ERROR;
- }
- }
-
- return NGX_CONF_OK;
-}
-
-
static ngx_http_method_name_t ngx_methods_names[] = {
{ (u_char *) "GET", (uint32_t) ~NGX_HTTP_GET },
{ (u_char *) "HEAD", (uint32_t) ~NGX_HTTP_HEAD },

72
images/nginx/rootfs/patches/nginx-1.21.4-balancer_status_code.patch
View file

@ -1,72 +0,0 @@
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
index f8d5707d..6efe0047 100644
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -1515,6 +1515,11 @@ ngx_http_upstream_connect(ngx_http_request_t *r, ngx_http_upstream_t *u)
return;
}
+ if (rc >= NGX_HTTP_SPECIAL_RESPONSE) {
+ ngx_http_upstream_finalize_request(r, u, rc);
+ return;
+ }
+
u->state->peer = u->peer.name;
if (rc == NGX_BUSY) {
diff --git a/src/http/ngx_http_upstream.h b/src/http/ngx_http_upstream.h
index 3e714e5b..dfbb25e0 100644
--- a/src/http/ngx_http_upstream.h
+++ b/src/http/ngx_http_upstream.h
@@ -427,4 +427,9 @@ extern ngx_conf_bitmask_t ngx_http_upstream_cache_method_mask[];
extern ngx_conf_bitmask_t ngx_http_upstream_ignore_headers_masks[];
+#ifndef HAVE_BALANCER_STATUS_CODE_PATCH
+#define HAVE_BALANCER_STATUS_CODE_PATCH
+#endif
+
+
#endif /* _NGX_HTTP_UPSTREAM_H_INCLUDED_ */
diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h
index 09d24593..d8b4b584 100644
--- a/src/stream/ngx_stream.h
+++ b/src/stream/ngx_stream.h
@@ -27,6 +27,7 @@ typedef struct ngx_stream_session_s ngx_stream_session_t;
#define NGX_STREAM_OK 200
+#define NGX_STREAM_SPECIAL_RESPONSE 300
#define NGX_STREAM_BAD_REQUEST 400
#define NGX_STREAM_FORBIDDEN 403
#define NGX_STREAM_INTERNAL_SERVER_ERROR 500
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
index 818d7329..329dcdc6 100644
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -691,6 +691,11 @@ ngx_stream_proxy_connect(ngx_stream_session_t *s)
return;
}
+ if (rc >= NGX_STREAM_SPECIAL_RESPONSE) {
+ ngx_stream_proxy_finalize(s, rc);
+ return;
+ }
+
u->state->peer = u->peer.name;
if (rc == NGX_BUSY) {
diff --git a/src/stream/ngx_stream_upstream.h b/src/stream/ngx_stream_upstream.h
index 73947f46..21bc0ad7 100644
--- a/src/stream/ngx_stream_upstream.h
+++ b/src/stream/ngx_stream_upstream.h
@@ -151,4 +151,9 @@ ngx_stream_upstream_srv_conf_t *ngx_stream_upstream_add(ngx_conf_t *cf,
extern ngx_module_t ngx_stream_upstream_module;
+#ifndef HAVE_BALANCER_STATUS_CODE_PATCH
+#define HAVE_BALANCER_STATUS_CODE_PATCH
+#endif
+
+
#endif /* _NGX_STREAM_UPSTREAM_H_INCLUDED_ */

19
images/nginx/rootfs/patches/nginx-1.21.4-cache_manager_exit.patch
View file

@ -1,19 +0,0 @@
# HG changeset patch
# User Yichun Zhang <agentzh@gmail.com>
# Date 1383598130 28800
# Node ID f64218e1ac963337d84092536f588b8e0d99bbaa
# Parent dea321e5c0216efccbb23e84bbce7cf3e28f130c
Cache: gracefully exit the cache manager process.
diff -r dea321e5c021 -r f64218e1ac96 src/os/unix/ngx_process_cycle.c
--- a/src/os/unix/ngx_process_cycle.c Thu Oct 31 18:23:49 2013 +0400
+++ b/src/os/unix/ngx_process_cycle.c Mon Nov 04 12:48:50 2013 -0800
@@ -1134,7 +1134,7 @@
if (ngx_terminate || ngx_quit) {
ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting");
- exit(0);
+ ngx_worker_process_exit(cycle);
}
if (ngx_reopen) {

98
images/nginx/rootfs/patches/nginx-1.21.4-delayed_posted_events.patch
View file

@ -1,98 +0,0 @@
diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c
index 57af8132..4853945f 100644
--- a/src/event/ngx_event.c
+++ b/src/event/ngx_event.c
@@ -196,6 +196,9 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle)
ngx_uint_t flags;
ngx_msec_t timer, delta;
+ ngx_queue_t *q;
+ ngx_event_t *ev;
+
if (ngx_timer_resolution) {
timer = NGX_TIMER_INFINITE;
flags = 0;
@@ -215,6 +218,13 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle)
#endif
}
+ if (!ngx_queue_empty(&ngx_posted_delayed_events)) {
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, cycle->log, 0,
+ "posted delayed event queue not empty"
+ " making poll timeout 0");
+ timer = 0;
+ }
+
if (ngx_use_accept_mutex) {
if (ngx_accept_disabled > 0) {
ngx_accept_disabled--;
@@ -257,6 +267,35 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle)
}
ngx_event_process_posted(cycle, &ngx_posted_events);
+
+ while (!ngx_queue_empty(&ngx_posted_delayed_events)) {
+ q = ngx_queue_head(&ngx_posted_delayed_events);
+
+ ev = ngx_queue_data(q, ngx_event_t, queue);
+ if (ev->delayed) {
+ /* start of newly inserted nodes */
+ for (/* void */;
+ q != ngx_queue_sentinel(&ngx_posted_delayed_events);
+ q = ngx_queue_next(q))
+ {
+ ev = ngx_queue_data(q, ngx_event_t, queue);
+ ev->delayed = 0;
+
+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, cycle->log, 0,
+ "skipping delayed posted event %p,"
+ " till next iteration", ev);
+ }
+
+ break;
+ }
+
+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, cycle->log, 0,
+ "delayed posted event %p", ev);
+
+ ngx_delete_posted_event(ev);
+
+ ev->handler(ev);
+ }
}
@@ -600,6 +639,7 @@ ngx_event_process_init(ngx_cycle_t *cycle)
ngx_queue_init(&ngx_posted_accept_events);
ngx_queue_init(&ngx_posted_events);
+ ngx_queue_init(&ngx_posted_delayed_events);
if (ngx_event_timer_init(cycle->log) == NGX_ERROR) {
return NGX_ERROR;
diff --git a/src/event/ngx_event_posted.c b/src/event/ngx_event_posted.c
index d851f3d1..b6cea009 100644
--- a/src/event/ngx_event_posted.c
+++ b/src/event/ngx_event_posted.c
@@ -12,6 +12,7 @@
ngx_queue_t ngx_posted_accept_events;
ngx_queue_t ngx_posted_events;
+ngx_queue_t ngx_posted_delayed_events;
void
diff --git a/src/event/ngx_event_posted.h b/src/event/ngx_event_posted.h
index 145d30fe..6c388553 100644
--- a/src/event/ngx_event_posted.h
+++ b/src/event/ngx_event_posted.h
@@ -43,6 +43,9 @@ void ngx_event_process_posted(ngx_cycle_t *cycle, ngx_queue_t *posted);
extern ngx_queue_t ngx_posted_accept_events;
extern ngx_queue_t ngx_posted_events;
+extern ngx_queue_t ngx_posted_delayed_events;
+
+#define HAVE_POSTED_DELAYED_EVENTS_PATCH
#endif /* _NGX_EVENT_POSTED_H_INCLUDED_ */

20
images/nginx/rootfs/patches/nginx-1.21.4-hash_overflow.patch
View file

@ -1,20 +0,0 @@
# HG changeset patch
# User Yichun Zhang <agentzh@gmail.com>
# Date 1412276417 25200
# Thu Oct 02 12:00:17 2014 -0700
# Node ID 4032b992f23b054c1a2cfb0be879330d2c6708e5
# Parent 1ff0f68d9376e3d184d65814a6372856bf65cfcd
Hash: buffer overflow might happen when exceeding the pre-configured limits.
diff -r 1ff0f68d9376 -r 4032b992f23b src/core/ngx_hash.c
--- a/src/core/ngx_hash.c Tue Sep 30 15:50:28 2014 -0700
+++ b/src/core/ngx_hash.c Thu Oct 02 12:00:17 2014 -0700
@@ -312,6 +312,8 @@ ngx_hash_init(ngx_hash_init_t *hinit, ng
continue;
}
+ size--;
+
ngx_log_error(NGX_LOG_WARN, hinit->pool->log, 0,
"could not build optimal %s, you should increase "
"either %s_max_size: %i or %s_bucket_size: %i; "

57
images/nginx/rootfs/patches/nginx-1.21.4-http2.patch
View file

@ -1,57 +0,0 @@
#commit 6ceef192e7af1c507826ac38a2d43f08bf265fb9
#repository: https://github.com/nginx/nginx
#Author: Maxim Dounin <mdounin@mdounin.ru>
#Date: Tue Oct 10 15:13:39 2023 +0300
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 7c05ff1e7..410a8be24 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -347,6 +347,7 @@ ngx_http_v2_read_handler(ngx_event_t *rev)
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler");
h2c->blocked = 1;
+ h2c->new_streams = 0;
if (c->close) {
c->close = 0;
@@ -1284,6 +1285,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
goto rst_stream;
}
+ if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "client sent too many streams at once");
+
+ status = NGX_HTTP_V2_REFUSED_STREAM;
+ goto rst_stream;
+ }
+
if (!h2c->settings_ack
&& !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG)
&& h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW)
@@ -1349,6 +1358,12 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
rst_stream:
+ if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "client sent too many refused streams");
+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR);
+ }
+
if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) {
return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
}
diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
index cb9014ccf..6751b3026 100644
--- a/src/http/v2/ngx_http_v2.h
+++ b/src/http/v2/ngx_http_v2.h
@@ -131,6 +131,8 @@ struct ngx_http_v2_connection_s {
ngx_uint_t processing;
ngx_uint_t frames;
ngx_uint_t idle;
+ ngx_uint_t new_streams;
+ ngx_uint_t refused_streams;
ngx_uint_t priority_limit;
size_t send_window;

59
images/nginx/rootfs/patches/nginx-1.21.4-init_cycle_pool_release.patch
View file

@ -1,59 +0,0 @@
diff -rup nginx-1.21.4/src/core/nginx.c nginx-1.21.4-patched/src/core/nginx.c
--- nginx-1.21.4/src/core/nginx.c 2017-12-17 00:00:38.136470108 -0800
+++ nginx-1.21.4-patched/src/core/nginx.c 2017-12-16 23:59:51.680958322 -0800
@@ -186,6 +186,7 @@ static u_char *ngx_prefix;
static u_char *ngx_conf_file;
static u_char *ngx_conf_params;
static char *ngx_signal;
+ngx_pool_t *saved_init_cycle_pool = NULL;
static char **ngx_os_environ;
@@ -253,6 +254,8 @@ main(int argc, char *const *argv)
return 1;
}
+ saved_init_cycle_pool = init_cycle.pool;
+
if (ngx_save_argv(&init_cycle, argc, argv) != NGX_OK) {
return 1;
}
diff -rup nginx-1.21.4/src/core/ngx_core.h nginx-1.21.4-patched/src/core/ngx_core.h
--- nginx-1.21.4/src/core/ngx_core.h 2017-10-10 08:22:51.000000000 -0700
+++ nginx-1.21.4-patched/src/core/ngx_core.h 2017-12-16 23:59:51.679958370 -0800
@@ -108,4 +108,6 @@ void ngx_cpuinfo(void);
#define NGX_DISABLE_SYMLINKS_NOTOWNER 2
#endif
+extern ngx_pool_t *saved_init_cycle_pool;
+
#endif /* _NGX_CORE_H_INCLUDED_ */
diff -rup nginx-1.21.4/src/core/ngx_cycle.c nginx-1.21.4-patched/src/core/ngx_cycle.c
--- nginx-1.21.4/src/core/ngx_cycle.c 2017-10-10 08:22:51.000000000 -0700
+++ nginx-1.21.4-patched/src/core/ngx_cycle.c 2017-12-16 23:59:51.678958419 -0800
@@ -748,6 +748,10 @@ old_shm_zone_done:
if (ngx_process == NGX_PROCESS_MASTER || ngx_is_init_cycle(old_cycle)) {
+ if (ngx_is_init_cycle(old_cycle)) {
+ saved_init_cycle_pool = NULL;
+ }
+
ngx_destroy_pool(old_cycle->pool);
cycle->old_cycle = NULL;
diff -rup nginx-1.21.4/src/os/unix/ngx_process_cycle.c nginx-1.21.4-patched/src/os/unix/ngx_process_cycle.c
--- nginx-1.21.4/src/os/unix/ngx_process_cycle.c 2017-12-17 00:00:38.142469762 -0800
+++ nginx-1.21.4-patched/src/os/unix/ngx_process_cycle.c 2017-12-16 23:59:51.691957791 -0800
@@ -687,6 +692,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc
ngx_exit_cycle.files_n = ngx_cycle->files_n;
ngx_cycle = &ngx_exit_cycle;
+ if (saved_init_cycle_pool != NULL && saved_init_cycle_pool != cycle->pool) {
+ ngx_destroy_pool(saved_init_cycle_pool);
+ saved_init_cycle_pool = NULL;
+ }
+
ngx_destroy_pool(cycle->pool);
exit(0);

13
images/nginx/rootfs/patches/nginx-1.21.4-larger_max_error_str.patch
View file

@ -1,13 +0,0 @@
--- nginx-1.21.4/src/core/ngx_log.h 2013-10-08 05:07:14.000000000 -0700
+++ nginx-1.21.4-patched/src/core/ngx_log.h 2013-12-05 20:35:35.996236720 -0800
@@ -64,7 +64,9 @@ struct ngx_log_s {
};
-#define NGX_MAX_ERROR_STR 2048
+#ifndef NGX_MAX_ERROR_STR
+#define NGX_MAX_ERROR_STR 4096
+#endif
/*********************************/

36
images/nginx/rootfs/patches/nginx-1.21.4-no_Werror.patch
View file

@ -1,36 +0,0 @@
diff -urp nginx-1.21.4/auto/cc/clang nginx-1.21.4-patched/auto/cc/clang
--- nginx-1.21.4/auto/cc/clang 2014-03-04 03:39:24.000000000 -0800
+++ nginx-1.21.4-patched/auto/cc/clang 2014-03-13 20:54:26.241413360 -0700
@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali
CFLAGS="$CFLAGS -Wno-unused-parameter"
# stop on warning
-CFLAGS="$CFLAGS -Werror"
+#CFLAGS="$CFLAGS -Werror"
# debug
CFLAGS="$CFLAGS -g"
diff -urp nginx-1.21.4/auto/cc/gcc nginx-1.21.4-patched/auto/cc/gcc
--- nginx-1.21.4/auto/cc/gcc 2014-03-04 03:39:24.000000000 -0800
+++ nginx-1.21.4-patched/auto/cc/gcc 2014-03-13 20:54:13.301355329 -0700
@@ -168,7 +168,7 @@ esac
# stop on warning
-CFLAGS="$CFLAGS -Werror"
+#CFLAGS="$CFLAGS -Werror"
# debug
CFLAGS="$CFLAGS -g"
diff -urp nginx-1.21.4/auto/cc/icc nginx-1.21.4-patched/auto/cc/icc
--- nginx-1.21.4/auto/cc/icc 2014-03-04 03:39:24.000000000 -0800
+++ nginx-1.21.4-patched/auto/cc/icc 2014-03-13 20:54:13.301355329 -0700
@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in
esac
# stop on warning
-CFLAGS="$CFLAGS -Werror"
+#CFLAGS="$CFLAGS -Werror"
# debug
CFLAGS="$CFLAGS -g"

19
images/nginx/rootfs/patches/nginx-1.21.4-proxy_host_port_vars.patch
View file

@ -1,19 +0,0 @@
--- nginx-1.21.4/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800
+++ nginx-1.21.4-patched/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800
@@ -793,13 +793,13 @@ static ngx_keyval_t ngx_http_proxy_cach
static ngx_http_variable_t ngx_http_proxy_vars[] = {
{ ngx_string("proxy_host"), NULL, ngx_http_proxy_host_variable, 0,
- NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
+ NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 },
{ ngx_string("proxy_port"), NULL, ngx_http_proxy_port_variable, 0,
- NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
+ NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 },
{ ngx_string("proxy_add_x_forwarded_for"), NULL,
- ngx_http_proxy_add_x_forwarded_for_variable, 0, NGX_HTTP_VAR_NOHASH, 0 },
+ ngx_http_proxy_add_x_forwarded_for_variable, 0, 0, 0 },
#if 0
{ ngx_string("proxy_add_via"), NULL, NULL, 0, NGX_HTTP_VAR_NOHASH, 0 },

263
images/nginx/rootfs/patches/nginx-1.21.4-resolver_conf_parsing.patch
View file

@ -1,263 +0,0 @@
diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
index cd55520c..dade1846 100644
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -9,12 +9,26 @@
#include <ngx_core.h>
#include <ngx_event.h>
+#if !(NGX_WIN32)
+#include <resolv.h>
+#endif
+
#define NGX_RESOLVER_UDP_SIZE 4096
#define NGX_RESOLVER_TCP_RSIZE (2 + 65535)
#define NGX_RESOLVER_TCP_WSIZE 8192
+#if !(NGX_WIN32)
+/*
+ * note that 2KB should be more than enough for majority of the
+ * resolv.conf files out there. it also acts as a safety guard to prevent
+ * abuse.
+ */
+#define NGX_RESOLVER_FILE_BUF_SIZE 2048
+#define NGX_RESOLVER_FILE_NAME "/etc/resolv.conf"
+#endif
+
typedef struct {
u_char ident_hi;
@@ -131,6 +145,191 @@ static ngx_resolver_node_t *ngx_resolver_lookup_addr6(ngx_resolver_t *r,
#endif
+#if !(NGX_WIN32)
+static ngx_int_t
+ngx_resolver_read_resolv_conf(ngx_conf_t *cf, ngx_resolver_t *r, u_char *path,
+ size_t path_len)
+{
+ ngx_url_t u;
+ ngx_resolver_connection_t *rec;
+ ngx_fd_t fd;
+ ngx_file_t file;
+ u_char buf[NGX_RESOLVER_FILE_BUF_SIZE];
+ u_char ipv6_buf[NGX_INET6_ADDRSTRLEN];
+ ngx_uint_t address = 0, j, total = 0;
+ ssize_t n, i;
+ enum {
+ sw_nameserver,
+ sw_spaces,
+ sw_address,
+ sw_skip
+ } state;
+
+ file.name.data = path;
+ file.name.len = path_len;
+
+ if (ngx_conf_full_name(cf->cycle, &file.name, 1) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY,
+ NGX_FILE_OPEN, 0);
+
+ if (fd == NGX_INVALID_FILE) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
+ ngx_open_file_n " \"%s\" failed", file.name.data);
+
+ return NGX_ERROR;
+ }
+
+ ngx_memzero(&file, sizeof(ngx_file_t));
+
+ file.fd = fd;
+ file.log = cf->log;
+
+ state = sw_nameserver;
+
+ n = ngx_read_file(&file, buf, NGX_RESOLVER_FILE_BUF_SIZE, 0);
+
+ if (n == NGX_ERROR) {
+ ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno,
+ ngx_read_file_n " \"%s\" failed", file.name.data);
+ }
+
+ if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
+ ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno,
+ ngx_close_file_n " \"%s\" failed", file.name.data);
+ }
+
+ if (n == NGX_ERROR) {
+ return NGX_ERROR;
+ }
+
+ if (n == 0) {
+ return NGX_OK;
+ }
+
+ for (i = 0; i < n && total < MAXNS; /* void */) {
+ if (buf[i] == '#' || buf[i] == ';') {
+ state = sw_skip;
+ }
+
+ switch (state) {
+
+ case sw_nameserver:
+
+ if ((size_t) n - i >= sizeof("nameserver") - 1
+ && ngx_memcmp(buf + i, "nameserver",
+ sizeof("nameserver") - 1) == 0)
+ {
+ state = sw_spaces;
+ i += sizeof("nameserver") - 1;
+
+ continue;
+ }
+
+ break;
+
+ case sw_spaces:
+ if (buf[i] != '\t' && buf[i] != ' ') {
+ address = i;
+ state = sw_address;
+ }
+
+ break;
+
+ case sw_address:
+
+ if (buf[i] == CR || buf[i] == LF || i == n - 1) {
+ ngx_memzero(&u, sizeof(ngx_url_t));
+
+ u.url.data = buf + address;
+
+ if (i == n - 1 && buf[i] != CR && buf[i] != LF) {
+ u.url.len = n - address;
+
+ } else {
+ u.url.len = i - address;
+ }
+
+ u.default_port = 53;
+
+ /* IPv6? */
+ if (ngx_strlchr(u.url.data, u.url.data + u.url.len,
+ ':') != NULL)
+ {
+ if (u.url.len + 2 > sizeof(ipv6_buf)) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "IPv6 resolver address is too long:"
+ " \"%V\"", &u.url);
+
+ return NGX_ERROR;
+ }
+
+ ipv6_buf[0] = '[';
+ ngx_memcpy(ipv6_buf + 1, u.url.data, u.url.len);
+ ipv6_buf[u.url.len + 1] = ']';
+
+ u.url.data = ipv6_buf;
+ u.url.len = u.url.len + 2;
+ }
+
+ if (ngx_parse_url(cf->pool, &u) != NGX_OK) {
+ if (u.err) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "%s in resolver \"%V\"",
+ u.err, &u.url);
+ }
+
+ return NGX_ERROR;
+ }
+
+ rec = ngx_array_push_n(&r->connections, u.naddrs);
+ if (rec == NULL) {
+ return NGX_ERROR;
+ }
+
+ ngx_memzero(rec, u.naddrs * sizeof(ngx_resolver_connection_t));
+
+ for (j = 0; j < u.naddrs; j++) {
+ rec[j].sockaddr = u.addrs[j].sockaddr;
+ rec[j].socklen = u.addrs[j].socklen;
+ rec[j].server = u.addrs[j].name;
+ rec[j].resolver = r;
+ }
+
+ total++;
+
+#if (NGX_DEBUG)
+ /*
+ * logs with level below NGX_LOG_NOTICE will not be printed
+ * in this early phase
+ */
+ ngx_conf_log_error(NGX_LOG_NOTICE, cf, 0,
+ "parsed a resolver: \"%V\"", &u.url);
+#endif
+
+ state = sw_nameserver;
+ }
+
+ break;
+
+ case sw_skip:
+ if (buf[i] == CR || buf[i] == LF) {
+ state = sw_nameserver;
+ }
+
+ break;
+ }
+
+ i++;
+ }
+
+ return NGX_OK;
+}
+#endif
+
+
ngx_resolver_t *
ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n)
{
@@ -246,6 +445,39 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n)
}
#endif
+#if !(NGX_WIN32)
+ if (ngx_strncmp(names[i].data, "local=", 6) == 0) {
+
+ if (ngx_strcmp(&names[i].data[6], "on") == 0) {
+ if (ngx_resolver_read_resolv_conf(cf, r,
+ (u_char *)
+ NGX_RESOLVER_FILE_NAME,
+ sizeof(NGX_RESOLVER_FILE_NAME)
+ - 1)
+ != NGX_OK)
+ {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "unable to parse local resolver");
+ return NULL;
+ }
+
+ } else if (ngx_strcmp(&names[i].data[6], "off") != 0) {
+ if (ngx_resolver_read_resolv_conf(cf, r,
+ &names[i].data[6],
+ names[i].len - 6)
+ != NGX_OK)
+ {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "unable to parse local resolver");
+ return NULL;
+ }
+
+ }
+
+ continue;
+ }
+#endif
+
ngx_memzero(&u, sizeof(ngx_url_t));
u.url = names[i];

38
images/nginx/rootfs/patches/nginx-1.21.4-reuseport_close_unused_fds.patch
View file

@ -1,38 +0,0 @@
diff --git a/src/core/ngx_connection.c b/src/core/ngx_connection.c
--- a/src/core/ngx_connection.c
+++ b/src/core/ngx_connection.c
@@ -1118,6 +1118,12 @@ ngx_close_listening_sockets(ngx_cycle_t *cycle)
ls = cycle->listening.elts;
for (i = 0; i < cycle->listening.nelts; i++) {
+#if (NGX_HAVE_REUSEPORT)
+ if (ls[i].fd == (ngx_socket_t) -1) {
+ continue;
+ }
+#endif
+
c = ls[i].connection;
if (c) {
diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c
--- a/src/event/ngx_event.c
+++ b/src/event/ngx_event.c
@@ -775,6 +775,18 @@ ngx_event_process_init(ngx_cycle_t *cycle)
#if (NGX_HAVE_REUSEPORT)
if (ls[i].reuseport && ls[i].worker != ngx_worker) {
+ ngx_log_debug2(NGX_LOG_DEBUG_CORE, cycle->log, 0,
+ "closing unused fd:%d listening on %V",
+ ls[i].fd, &ls[i].addr_text);
+
+ if (ngx_close_socket(ls[i].fd) == -1) {
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_socket_errno,
+ ngx_close_socket_n " %V failed",
+ &ls[i].addr_text);
+ }
+
+ ls[i].fd = (ngx_socket_t) -1;
+
continue;
}
#endif

75
images/nginx/rootfs/patches/nginx-1.21.4-single_process_graceful_exit.patch
View file

@ -1,75 +0,0 @@
diff --git a/src/os/unix/ngx_process.c b/src/os/unix/ngx_process.c
index 15680237..12a8c687 100644
--- a/src/os/unix/ngx_process.c
+++ b/src/os/unix/ngx_process.c
@@ -362,8 +362,15 @@ ngx_signal_handler(int signo, siginfo_t *siginfo, void *ucontext)
break;
case ngx_signal_value(NGX_RECONFIGURE_SIGNAL):
- ngx_reconfigure = 1;
- action = ", reconfiguring";
+ if (ngx_process == NGX_PROCESS_SINGLE) {
+ ngx_terminate = 1;
+ action = ", exiting";
+
+ } else {
+ ngx_reconfigure = 1;
+ action = ", reconfiguring";
+ }
+
break;
case ngx_signal_value(NGX_REOPEN_SIGNAL):
diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
index 5817a2c2..f3d58e97 100644
--- a/src/os/unix/ngx_process_cycle.c
+++ b/src/os/unix/ngx_process_cycle.c
@@ -305,11 +305,26 @@ ngx_single_process_cycle(ngx_cycle_t *cycle)
}
for ( ;; ) {
+ if (ngx_exiting) {
+ if (ngx_event_no_timers_left() == NGX_OK) {
+ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting");
+
+ for (i = 0; cycle->modules[i]; i++) {
+ if (cycle->modules[i]->exit_process) {
+ cycle->modules[i]->exit_process(cycle);
+ }
+ }
+
+ ngx_master_process_exit(cycle);
+ }
+ }
+
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, cycle->log, 0, "worker cycle");
ngx_process_events_and_timers(cycle);
- if (ngx_terminate || ngx_quit) {
+ if (ngx_terminate) {
+ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting");
for (i = 0; cycle->modules[i]; i++) {
if (cycle->modules[i]->exit_process) {
@@ -320,6 +335,20 @@ ngx_single_process_cycle(ngx_cycle_t *cycle)
ngx_master_process_exit(cycle);
}
+ if (ngx_quit) {
+ ngx_quit = 0;
+ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0,
+ "gracefully shutting down");
+ ngx_setproctitle("process is shutting down");
+
+ if (!ngx_exiting) {
+ ngx_exiting = 1;
+ ngx_set_shutdown_timer(cycle);
+ ngx_close_listening_sockets(cycle);
+ ngx_close_idle_connections(cycle);
+ }
+ }
+
if (ngx_reconfigure) {
ngx_reconfigure = 0;
ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "reconfiguring");

185
images/nginx/rootfs/patches/nginx-1.21.4-socket_cloexec.patch
View file

@ -1,185 +0,0 @@
diff --git a/auto/unix b/auto/unix
index 10835f6c..b5b33bb3 100644
--- a/auto/unix
+++ b/auto/unix
@@ -990,3 +990,27 @@ ngx_feature_test='struct addrinfo *res;
if (getaddrinfo("localhost", NULL, NULL, &res) != 0) return 1;
freeaddrinfo(res)'
. auto/feature
+
+ngx_feature="SOCK_CLOEXEC support"
+ngx_feature_name="NGX_HAVE_SOCKET_CLOEXEC"
+ngx_feature_run=no
+ngx_feature_incs="#include <sys/types.h>
+ #include <sys/socket.h>"
+ngx_feature_path=
+ngx_feature_libs=
+ngx_feature_test="int fd;
+ fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);"
+. auto/feature
+
+ngx_feature="FD_CLOEXEC support"
+ngx_feature_name="NGX_HAVE_FD_CLOEXEC"
+ngx_feature_run=no
+ngx_feature_incs="#include <sys/types.h>
+ #include <sys/socket.h>
+ #include <fcntl.h>"
+ngx_feature_path=
+ngx_feature_libs=
+ngx_feature_test="int fd;
+ fd = socket(AF_INET, SOCK_STREAM, 0);
+ fcntl(fd, F_SETFD, FD_CLOEXEC);"
+. auto/feature
diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
index cd55520c..438e0806 100644
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -4466,8 +4466,14 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec)
ngx_event_t *rev, *wev;
ngx_connection_t *c;
+#if (NGX_HAVE_SOCKET_CLOEXEC)
+ s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM | SOCK_CLOEXEC, 0);
+
+#else
s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM, 0);
+#endif
+
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, &rec->log, 0, "TCP socket %d", s);
if (s == (ngx_socket_t) -1) {
@@ -4494,6 +4500,15 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec)
goto failed;
}
+#if (NGX_HAVE_FD_CLOEXEC)
+ if (ngx_cloexec(s) == -1) {
+ ngx_log_error(NGX_LOG_ALERT, &rec->log, ngx_socket_errno,
+ ngx_cloexec_n " failed");
+
+ goto failed;
+ }
+#endif
+
rev = c->read;
wev = c->write;
diff --git a/src/event/ngx_event.h b/src/event/ngx_event.h
index 19fec68..8c2f01a 100644
--- a/src/event/ngx_event.h
+++ b/src/event/ngx_event.h
@@ -73,6 +73,9 @@ struct ngx_event_s {
/* to test on worker exit */
unsigned channel:1;
unsigned resolver:1;
+#if (HAVE_SOCKET_CLOEXEC_PATCH)
+ unsigned skip_socket_leak_check:1;
+#endif
unsigned cancelable:1;
diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c
index 77563709..5827b9d0 100644
--- a/src/event/ngx_event_accept.c
+++ b/src/event/ngx_event_accept.c
@@ -62,7 +62,9 @@ ngx_event_accept(ngx_event_t *ev)
#if (NGX_HAVE_ACCEPT4)
if (use_accept4) {
- s = accept4(lc->fd, &sa.sockaddr, &socklen, SOCK_NONBLOCK);
+ s = accept4(lc->fd, &sa.sockaddr, &socklen,
+ SOCK_NONBLOCK | SOCK_CLOEXEC);
+
} else {
s = accept(lc->fd, &sa.sockaddr, &socklen);
}
@@ -202,6 +204,16 @@ ngx_event_accept(ngx_event_t *ev)
ngx_close_accepted_connection(c);
return;
}
+
+#if (NGX_HAVE_FD_CLOEXEC)
+ if (ngx_cloexec(s) == -1) {
+ ngx_log_error(NGX_LOG_ALERT, ev->log, ngx_socket_errno,
+ ngx_cloexec_n " failed");
+ ngx_close_accepted_connection(c);
+ return;
+ }
+#endif
+
}
}
diff --git a/src/event/ngx_event_connect.c b/src/event/ngx_event_connect.c
index c5bb8068..cf33b1d2 100644
--- a/src/event/ngx_event_connect.c
+++ b/src/event/ngx_event_connect.c
@@ -38,8 +38,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
type = (pc->type ? pc->type : SOCK_STREAM);
+#if (NGX_HAVE_SOCKET_CLOEXEC)
+ s = ngx_socket(pc->sockaddr->sa_family, type | SOCK_CLOEXEC, 0);
+
+#else
s = ngx_socket(pc->sockaddr->sa_family, type, 0);
+#endif
+
+
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pc->log, 0, "%s socket %d",
(type == SOCK_STREAM) ? "stream" : "dgram", s);
@@ -80,6 +87,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
goto failed;
}
+#if (NGX_HAVE_FD_CLOEXEC)
+ if (ngx_cloexec(s) == -1) {
+ ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno,
+ ngx_cloexec_n " failed");
+
+ goto failed;
+ }
+#endif
+
if (pc->local) {
#if (NGX_HAVE_TRANSPARENT_PROXY)
diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
index c4376a5..48e8fa8 100644
--- a/src/os/unix/ngx_process_cycle.c
+++ b/src/os/unix/ngx_process_cycle.c
@@ -960,6 +1029,9 @@ ngx_worker_process_exit(ngx_cycle_t *cycle)
for (i = 0; i < cycle->connection_n; i++) {
if (c[i].fd != -1
&& c[i].read
+#if (HAVE_SOCKET_CLOEXEC_PATCH)
+ && !c[i].read->skip_socket_leak_check
+#endif
&& !c[i].read->accept
&& !c[i].read->channel
&& !c[i].read->resolver)
diff --git a/src/os/unix/ngx_socket.h b/src/os/unix/ngx_socket.h
index fcc51533..d1eebf47 100644
--- a/src/os/unix/ngx_socket.h
+++ b/src/os/unix/ngx_socket.h
@@ -38,6 +38,17 @@ int ngx_blocking(ngx_socket_t s);
#endif
+#if (NGX_HAVE_FD_CLOEXEC)
+
+#define ngx_cloexec(s) fcntl(s, F_SETFD, FD_CLOEXEC)
+#define ngx_cloexec_n "fcntl(FD_CLOEXEC)"
+
+/* at least FD_CLOEXEC is required to ensure connection fd is closed
+ * after execve */
+#define HAVE_SOCKET_CLOEXEC_PATCH 1
+
+#endif
+
int ngx_tcp_nopush(ngx_socket_t s);
int ngx_tcp_push(ngx_socket_t s);

64
images/nginx/rootfs/patches/nginx-1.21.4-ssl_cert_cb_yield.patch
View file

@ -1,64 +0,0 @@
# HG changeset patch
# User Yichun Zhang <agentzh@openresty.org>
# Date 1451762084 28800
# Sat Jan 02 11:14:44 2016 -0800
# Node ID 449f0461859c16e95bdb18e8be6b94401545d3dd
# Parent 78b4e10b4367b31367aad3c83c9c3acdd42397c4
SSL: handled SSL_CTX_set_cert_cb() callback yielding.
OpenSSL 1.0.2+ introduces SSL_CTX_set_cert_cb() to allow custom
callbacks to serve the SSL certificiates and private keys dynamically
and lazily. The callbacks may yield for nonblocking I/O or sleeping.
Here we added support for such usage in NGINX 3rd-party modules
(like ngx_lua) in NGINX's event handlers for downstream SSL
connections.
diff -r 78b4e10b4367 -r 449f0461859c src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Thu Dec 17 16:39:15 2015 +0300
+++ b/src/event/ngx_event_openssl.c Sat Jan 02 11:14:44 2016 -0800
@@ -1445,6 +1445,23 @@ ngx_ssl_handshake(ngx_connection_t *c)
return NGX_AGAIN;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) {
+ c->read->handler = ngx_ssl_handshake_handler;
+ c->write->handler = ngx_ssl_handshake_handler;
+
+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ return NGX_AGAIN;
+ }
+#endif
+
err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
c->ssl->no_wait_shutdown = 1;
@@ -1558,6 +1575,21 @@ ngx_ssl_try_early_data(ngx_connection_t *c)
return NGX_AGAIN;
}
+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) {
+ c->read->handler = ngx_ssl_handshake_handler;
+ c->write->handler = ngx_ssl_handshake_handler;
+
+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ return NGX_AGAIN;
+ }
+
err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
c->ssl->no_wait_shutdown = 1;

41
images/nginx/rootfs/patches/nginx-1.21.4-ssl_sess_cb_yield.patch
View file

@ -1,41 +0,0 @@
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1446,7 +1446,12 @@ ngx_ssl_handshake(ngx_connection_t *c)
}
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
- if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) {
+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP
+# ifdef SSL_ERROR_PENDING_SESSION
+ || sslerr == SSL_ERROR_PENDING_SESSION
+# endif
+ )
+ {
c->read->handler = ngx_ssl_handshake_handler;
c->write->handler = ngx_ssl_handshake_handler;
@@ -1575,6 +1580,23 @@ ngx_ssl_try_early_data(ngx_connection_t *c)
return NGX_AGAIN;
}
+#ifdef SSL_ERROR_PENDING_SESSION
+ if (sslerr == SSL_ERROR_PENDING_SESSION) {
+ c->read->handler = ngx_ssl_handshake_handler;
+ c->write->handler = ngx_ssl_handshake_handler;
+
+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ return NGX_AGAIN;
+ }
+#endif
+
err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
c->ssl->no_wait_shutdown = 1;

31
images/nginx/rootfs/patches/nginx-1.21.4-stream_proxy_get_next_upstream_tries.patch
View file

@ -1,31 +0,0 @@
diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h
index 09d2459..de92724 100644
--- a/src/stream/ngx_stream.h
+++ b/src/stream/ngx_stream.h
@@ -303,4 +303,7 @@ typedef ngx_int_t (*ngx_stream_filter_pt)(ngx_stream_session_t *s,
extern ngx_stream_filter_pt ngx_stream_top_filter;
+#define HAS_NGX_STREAM_PROXY_GET_NEXT_UPSTREAM_TRIES_PATCH 1
+
+
#endif /* _NGX_STREAM_H_INCLUDED_ */
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
index 0afde1c..3254ce1 100644
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -2156,3 +2156,14 @@ ngx_stream_proxy_bind(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
return NGX_CONF_OK;
}
+
+
+ngx_uint_t
+ngx_stream_proxy_get_next_upstream_tries(ngx_stream_session_t *s)
+{
+ ngx_stream_proxy_srv_conf_t *pscf;
+
+ pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module);
+
+ return pscf->next_upstream_tries;
+}

13
images/nginx/rootfs/patches/nginx-1.21.4-stream_ssl_preread_no_skip.patch
View file

@ -1,13 +0,0 @@
diff --git a/src/stream/ngx_stream_ssl_preread_module.c b/src/stream/ngx_stream_ssl_preread_module.c
index e3d11fd9..3717b5fe 100644
--- a/src/stream/ngx_stream_ssl_preread_module.c
+++ b/src/stream/ngx_stream_ssl_preread_module.c
@@ -159,7 +159,7 @@ ngx_stream_ssl_preread_handler(ngx_stream_session_t *s)
rc = ngx_stream_ssl_preread_parse_record(ctx, p, p + len);
if (rc != NGX_AGAIN) {
- return rc;
+ return rc == NGX_OK ? NGX_DECLINED : rc;
}
p += len;

23
images/nginx/rootfs/patches/nginx-1.21.4-upstream_pipelining.patch
View file

@ -1,23 +0,0 @@
commit f9907b72a76a21ac5413187b83177a919475c75f
Author: Yichun Zhang (agentzh) <agentzh@gmail.com>
Date: Wed Feb 10 16:05:08 2016 -0800
bugfix: upstream: keep sending request data after the first write attempt.
See
http://mailman.nginx.org/pipermail/nginx-devel/2012-March/002040.html
for more details on the issue.
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
index 69019417..92b7c97f 100644
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -2239,7 +2239,7 @@ ngx_http_upstream_send_request_handler(ngx_http_request_t *r,
#endif
- if (u->header_sent && !u->conf->preserve_output) {
+ if (u->request_body_sent && !u->conf->preserve_output) {
u->write_event_handler = ngx_http_upstream_dummy_handler;
(void) ngx_handle_write_event(c->write, 0);

112
images/nginx/rootfs/patches/nginx-1.21.4-upstream_timeout_fields.patch
View file

@ -1,112 +0,0 @@
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
index 69019417..2265d8f7 100644
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -509,12 +509,19 @@ void
ngx_http_upstream_init(ngx_http_request_t *r)
{
ngx_connection_t *c;
+ ngx_http_upstream_t *u;
c = r->connection;
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
"http init upstream, client timer: %d", c->read->timer_set);
+ u = r->upstream;
+
+ u->connect_timeout = u->conf->connect_timeout;
+ u->send_timeout = u->conf->send_timeout;
+ u->read_timeout = u->conf->read_timeout;
+
#if (NGX_HTTP_V2)
if (r->stream) {
ngx_http_upstream_init_request(r);
@@ -1626,7 +1633,7 @@ ngx_http_upstream_connect(ngx_http_request_t *r, ngx_http_upstream_t *u)
u->request_body_blocked = 0;
if (rc == NGX_AGAIN) {
- ngx_add_timer(c->write, u->conf->connect_timeout);
+ ngx_add_timer(c->write, u->connect_timeout);
return;
}
@@ -1704,7 +1711,7 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
if (rc == NGX_AGAIN) {
if (!c->write->timer_set) {
- ngx_add_timer(c->write, u->conf->connect_timeout);
+ ngx_add_timer(c->write, u->connect_timeout);
}
c->ssl->handler = ngx_http_upstream_ssl_handshake_handler;
@@ -2022,7 +2029,7 @@ ngx_http_upstream_send_request(ngx_http_request_t *r, ngx_http_upstream_t *u,
if (rc == NGX_AGAIN) {
if (!c->write->ready || u->request_body_blocked) {
- ngx_add_timer(c->write, u->conf->send_timeout);
+ ngx_add_timer(c->write, u->send_timeout);
} else if (c->write->timer_set) {
ngx_del_timer(c->write);
@@ -2084,7 +2091,7 @@ ngx_http_upstream_send_request(ngx_http_request_t *r, ngx_http_upstream_t *u,
return;
}
- ngx_add_timer(c->read, u->conf->read_timeout);
+ ngx_add_timer(c->read, u->read_timeout);
if (c->read->ready) {
ngx_http_upstream_process_header(r, u);
@@ -3213,7 +3220,7 @@ ngx_http_upstream_send_response(ngx_http_request_t *r, ngx_http_upstream_t *u)
p->cyclic_temp_file = 0;
}
- p->read_timeout = u->conf->read_timeout;
+ p->read_timeout = u->read_timeout;
p->send_timeout = clcf->send_timeout;
p->send_lowat = clcf->send_lowat;
@@ -3458,7 +3465,7 @@ ngx_http_upstream_process_upgraded(ngx_http_request_t *r,
}
if (upstream->write->active && !upstream->write->ready) {
- ngx_add_timer(upstream->write, u->conf->send_timeout);
+ ngx_add_timer(upstream->write, u->send_timeout);
} else if (upstream->write->timer_set) {
ngx_del_timer(upstream->write);
@@ -3470,7 +3477,7 @@ ngx_http_upstream_process_upgraded(ngx_http_request_t *r,
}
if (upstream->read->active && !upstream->read->ready) {
- ngx_add_timer(upstream->read, u->conf->read_timeout);
+ ngx_add_timer(upstream->read, u->read_timeout);
} else if (upstream->read->timer_set) {
ngx_del_timer(upstream->read);
@@ -3664,7 +3671,7 @@ ngx_http_upstream_process_non_buffered_request(ngx_http_request_t *r,
}
if (upstream->read->active && !upstream->read->ready) {
- ngx_add_timer(upstream->read, u->conf->read_timeout);
+ ngx_add_timer(upstream->read, u->read_timeout);
} else if (upstream->read->timer_set) {
ngx_del_timer(upstream->read);
diff --git a/src/http/ngx_http_upstream.h b/src/http/ngx_http_upstream.h
index c2f4dc0b..b9eef118 100644
--- a/src/http/ngx_http_upstream.h
+++ b/src/http/ngx_http_upstream.h
@@ -333,6 +333,11 @@ struct ngx_http_upstream_s {
ngx_array_t *caches;
#endif
+#define HAVE_NGX_UPSTREAM_TIMEOUT_FIELDS 1
+ ngx_msec_t connect_timeout;
+ ngx_msec_t send_timeout;
+ ngx_msec_t read_timeout;
+
ngx_http_upstream_headers_in_t headers_in;
ngx_http_upstream_resolved_t *resolved;