Merge branch 'master' into epel7
commit 02037aa84e
20
README.fedora
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
###############
|
||||||
|
Dynamic modules
|
||||||
|
###############
|
||||||
|
|
||||||
|
Dynamic modules are loaded using the "load_modules" directive. The RPM package
|
||||||
|
for each module has a '.conf' file in the /usr/share/nginx/modules directory.
|
||||||
|
The '.conf' file contains a single "load_modules" directive.
|
||||||
|
|
||||||
|
This means that whenever a new dynamic module is installed, it will
|
||||||
|
automatically be enabled and Nginx will be reloaded.
|
||||||
|
|
||||||
|
--------------------------------------------------------
|
||||||
|
Prevent dynamic modules from being enabled automatically
|
||||||
|
--------------------------------------------------------
|
||||||
|
|
||||||
|
You may want to avoid dynamic modules being enabled automatically. Simply
|
||||||
|
remove this line from the top of /etc/nginx/nginx.conf:
|
||||||
|
|
||||||
|
include /usr/lib64/nginx/modules/*.conf;
|
||||||
|
|
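Review bot: the directive is named "load_modules" in both places the README mentions it, but the nginx directive is load_module, and the opt-out section tells the reader to remove `include /usr/lib64/nginx/modules/*.conf;` while the first paragraph of this file and the nginx.conf hunk in this commit both use /usr/share/nginx/modules. An administrator following the text as written will not find that line in nginx.conf, so the modules stay enabled. Please use one path throughout and correct the directive name.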
89
UPGRADE-NOTES-1.6-to-1.10
Normal file
@ -0,0 +1,89 @@
|
|||||||
|
#############
|
||||||
|
Upgrade notes
|
||||||
|
#############
|
||||||
|
|
||||||
|
To resolve numerous security flaws, the nginx package was updated to 1.10.x.
|
||||||
|
|
||||||
|
You should review your configuration files in /etc/nginx to determine if there
|
||||||
|
are any incompatibilities.
|
||||||
|
|
||||||
|
Please see upstream release notes for a complete list of new features,
|
||||||
|
bug fixes, and changes: http://nginx.org/en/CHANGES-1.10
|
||||||
|
|
||||||
|
Below is a summary of the main changes. If you have not modified any files in
|
||||||
|
/etc/nginx directory, the update will work seamlessly. However, if you are
|
||||||
|
using any nginx directives that have changed or been removed then you should
|
||||||
|
amend your configuration.
|
||||||
|
|
||||||
|
Nginx gained support for dynamic modules. Some modules have been split into
|
||||||
|
subpackages, which for the time being are hard dependencies to aid the upgrade
|
||||||
|
path. The new subpackages are:
|
||||||
|
- nginx-mod-http-geoip
|
||||||
|
- nginx-mod-http-image-filter
|
||||||
|
- nginx-mod-http-perl
|
||||||
|
- nginx-mod-http-xslt-filter
|
||||||
|
- nginx-mod-mail
|
||||||
|
- nginx-mod-stream
|
||||||
|
|
||||||
|
Changes with nginx 1.10.x
|
||||||
|
|
||||||
|
*) Change: non-idempotent requests (POST, LOCK, PATCH) are no longer
|
||||||
|
passed to the next server by default if a request has been sent to a
|
||||||
|
backend; the "non_idempotent" parameter of the "proxy_next_upstream"
|
||||||
|
directive explicitly allows retrying such requests.
|
||||||
|
|
||||||
|
*) Change: now the "output_buffers" directive uses two buffers by
|
||||||
|
default.
|
||||||
|
|
||||||
|
*) Change: now nginx limits subrequests recursion, not simultaneous
|
||||||
|
subrequests.
|
||||||
|
|
||||||
|
*) Change: now nginx checks the whole cache key when returning a
|
||||||
|
response from cache.
|
||||||
|
Thanks to Gena Makhomed and Sergey Brester.
|
||||||
|
|
||||||
|
*) Change: the "proxy_downstream_buffer" and "proxy_upstream_buffer"
|
||||||
|
directives of the stream module are replaced with the
|
||||||
|
"proxy_buffer_size" directive.
|
||||||
|
|
||||||
|
*) Change: duplicate "http", "mail", and "stream" blocks are now
|
||||||
|
disallowed.
|
||||||
|
|
||||||
|
*) Change: now SSLv3 protocol is disabled by default.
|
||||||
|
|
||||||
|
*) Change: some long deprecated directives are not supported anymore.
|
||||||
|
|
||||||
|
*) Change: obsolete aio and rtsig event methods have been removed.
|
||||||
|
|
||||||
|
Changes with nginx 1.8.x
|
||||||
|
|
||||||
|
*) Change: the "sendfile" parameter of the "aio" directive is
|
||||||
|
deprecated; now nginx automatically uses AIO to pre-load data for
|
||||||
|
sendfile if both "aio" and "sendfile" directives are used.
|
||||||
|
|
||||||
|
*) Change: now the "If-Modified-Since", "If-Range", etc. client request
|
||||||
|
header lines are passed to a backend while caching if nginx knows in
|
||||||
|
advance that the response will not be cached (e.g., when using
|
||||||
|
proxy_cache_min_uses).
|
||||||
|
|
||||||
|
*) Change: now after proxy_cache_lock_timeout nginx sends a request to a
|
||||||
|
backend with caching disabled; the new directives
|
||||||
|
"proxy_cache_lock_age", "fastcgi_cache_lock_age",
|
||||||
|
"scgi_cache_lock_age", and "uwsgi_cache_lock_age" specify a time
|
||||||
|
after which the lock will be released and another attempt to cache a
|
||||||
|
response will be made.
|
||||||
|
|
||||||
|
*) Change: the "log_format" directive can now be used only at http
|
||||||
|
level.
|
||||||
|
|
||||||
|
*) Change: now nginx takes into account the "Vary" header line in a
|
||||||
|
backend response while caching.
|
||||||
|
|
||||||
|
*) Change: the deprecated "limit_zone" directive is not supported
|
||||||
|
anymore.
|
||||||
|
|
||||||
|
*) Change: now the "stub_status" directive does not require a parameter.
|
||||||
|
|
||||||
|
*) Change: URI escaping now uses uppercase hexadecimal digits.
|
||||||
|
Thanks to Piotr Sikora.
|
||||||
|
|
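Review bot: the opening sentence justifies the rebase with "numerous security flaws" but the file never says which ones, so a reader cannot tell from these notes what is closed by moving to 1.10.x. Name the issues (or at least the affected component, which the patch files deleted in this commit suggest is largely the resolver) next to the existing link to the upstream CHANGES file.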
@ -1,181 +0,0 @@
|
|||||||
exporting patch:
|
|
||||||
# HG changeset patch
|
|
||||||
# User Roman Arutyunyan <arut@nginx.com>
|
|
||||||
# Date 1453816008 -10800
|
|
||||||
# Tue Jan 26 16:46:48 2016 +0300
|
|
||||||
# Branch stable-1.8
|
|
||||||
# Node ID 5557bf31e25da68d5cda19dbc91d86f47430df1f
|
|
||||||
# Parent 838946300825379ccdd3acfb131cf66d6ae3cb85
|
|
||||||
Resolver: changed the ngx_resolver_create_*_query() arguments.
|
|
||||||
|
|
||||||
No functional changes.
|
|
||||||
|
|
||||||
This is needed by the following change.
|
|
||||||
|
|
||||||
diff -r 838946300825 -r 5557bf31e25d src/core/ngx_resolver.c
|
|
||||||
--- a/src/core/ngx_resolver.c Tue Jan 26 16:46:38 2016 +0300
|
|
||||||
+++ b/src/core/ngx_resolver.c Tue Jan 26 16:46:48 2016 +0300
|
|
||||||
@@ -64,10 +64,10 @@
|
|
||||||
ngx_queue_t *queue);
|
|
||||||
static ngx_int_t ngx_resolver_send_query(ngx_resolver_t *r,
|
|
||||||
ngx_resolver_node_t *rn);
|
|
||||||
-static ngx_int_t ngx_resolver_create_name_query(ngx_resolver_node_t *rn,
|
|
||||||
- ngx_resolver_ctx_t *ctx);
|
|
||||||
-static ngx_int_t ngx_resolver_create_addr_query(ngx_resolver_node_t *rn,
|
|
||||||
- ngx_resolver_ctx_t *ctx);
|
|
||||||
+static ngx_int_t ngx_resolver_create_name_query(ngx_resolver_t *r,
|
|
||||||
+ ngx_resolver_node_t *rn, ngx_str_t *name);
|
|
||||||
+static ngx_int_t ngx_resolver_create_addr_query(ngx_resolver_t *r,
|
|
||||||
+ ngx_resolver_node_t *rn, ngx_addr_t *addr);
|
|
||||||
static void ngx_resolver_resend_handler(ngx_event_t *ev);
|
|
||||||
static time_t ngx_resolver_resend(ngx_resolver_t *r, ngx_rbtree_t *tree,
|
|
||||||
ngx_queue_t *queue);
|
|
||||||
@@ -651,7 +651,7 @@
|
|
||||||
ngx_rbtree_insert(&r->name_rbtree, &rn->node);
|
|
||||||
}
|
|
||||||
|
|
||||||
- rc = ngx_resolver_create_name_query(rn, ctx);
|
|
||||||
+ rc = ngx_resolver_create_name_query(r, rn, &ctx->name);
|
|
||||||
|
|
||||||
if (rc == NGX_ERROR) {
|
|
||||||
goto failed;
|
|
||||||
@@ -878,7 +878,7 @@
|
|
||||||
ngx_rbtree_insert(tree, &rn->node);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (ngx_resolver_create_addr_query(rn, ctx) != NGX_OK) {
|
|
||||||
+ if (ngx_resolver_create_addr_query(r, rn, &ctx->addr) != NGX_OK) {
|
|
||||||
goto failed;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -2511,27 +2511,23 @@
|
|
||||||
|
|
||||||
|
|
||||||
static ngx_int_t
|
|
||||||
-ngx_resolver_create_name_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx)
|
|
||||||
+ngx_resolver_create_name_query(ngx_resolver_t *r, ngx_resolver_node_t *rn,
|
|
||||||
+ ngx_str_t *name)
|
|
||||||
{
|
|
||||||
u_char *p, *s;
|
|
||||||
size_t len, nlen;
|
|
||||||
ngx_uint_t ident;
|
|
||||||
-#if (NGX_HAVE_INET6)
|
|
||||||
- ngx_resolver_t *r;
|
|
||||||
-#endif
|
|
||||||
ngx_resolver_qs_t *qs;
|
|
||||||
ngx_resolver_hdr_t *query;
|
|
||||||
|
|
||||||
- nlen = ctx->name.len ? (1 + ctx->name.len + 1) : 1;
|
|
||||||
+ nlen = name->len ? (1 + name->len + 1) : 1;
|
|
||||||
|
|
||||||
len = sizeof(ngx_resolver_hdr_t) + nlen + sizeof(ngx_resolver_qs_t);
|
|
||||||
|
|
||||||
#if (NGX_HAVE_INET6)
|
|
||||||
- r = ctx->resolver;
|
|
||||||
-
|
|
||||||
- p = ngx_resolver_alloc(ctx->resolver, r->ipv6 ? len * 2 : len);
|
|
||||||
+ p = ngx_resolver_alloc(r, r->ipv6 ? len * 2 : len);
|
|
||||||
#else
|
|
||||||
- p = ngx_resolver_alloc(ctx->resolver, len);
|
|
||||||
+ p = ngx_resolver_alloc(r, len);
|
|
||||||
#endif
|
|
||||||
if (p == NULL) {
|
|
||||||
return NGX_ERROR;
|
|
||||||
@@ -2550,8 +2546,8 @@
|
|
||||||
|
|
||||||
ident = ngx_random();
|
|
||||||
|
|
||||||
- ngx_log_debug2(NGX_LOG_DEBUG_CORE, ctx->resolver->log, 0,
|
|
||||||
- "resolve: \"%V\" A %i", &ctx->name, ident & 0xffff);
|
|
||||||
+ ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0,
|
|
||||||
+ "resolve: \"%V\" A %i", name, ident & 0xffff);
|
|
||||||
|
|
||||||
query->ident_hi = (u_char) ((ident >> 8) & 0xff);
|
|
||||||
query->ident_lo = (u_char) (ident & 0xff);
|
|
||||||
@@ -2581,11 +2577,11 @@
|
|
||||||
p--;
|
|
||||||
*p-- = '\0';
|
|
||||||
|
|
||||||
- if (ctx->name.len == 0) {
|
|
||||||
+ if (name->len == 0) {
|
|
||||||
return NGX_DECLINED;
|
|
||||||
}
|
|
||||||
|
|
||||||
- for (s = ctx->name.data + ctx->name.len - 1; s >= ctx->name.data; s--) {
|
|
||||||
+ for (s = name->data + name->len - 1; s >= name->data; s--) {
|
|
||||||
if (*s != '.') {
|
|
||||||
*p = *s;
|
|
||||||
len++;
|
|
||||||
@@ -2621,8 +2617,8 @@
|
|
||||||
|
|
||||||
ident = ngx_random();
|
|
||||||
|
|
||||||
- ngx_log_debug2(NGX_LOG_DEBUG_CORE, ctx->resolver->log, 0,
|
|
||||||
- "resolve: \"%V\" AAAA %i", &ctx->name, ident & 0xffff);
|
|
||||||
+ ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0,
|
|
||||||
+ "resolve: \"%V\" AAAA %i", name, ident & 0xffff);
|
|
||||||
|
|
||||||
query->ident_hi = (u_char) ((ident >> 8) & 0xff);
|
|
||||||
query->ident_lo = (u_char) (ident & 0xff);
|
|
||||||
@@ -2639,11 +2635,12 @@
|
|
||||||
|
|
||||||
|
|
||||||
static ngx_int_t
|
|
||||||
-ngx_resolver_create_addr_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx)
|
|
||||||
+ngx_resolver_create_addr_query(ngx_resolver_t *r, ngx_resolver_node_t *rn,
|
|
||||||
+ ngx_addr_t *addr)
|
|
||||||
{
|
|
||||||
u_char *p, *d;
|
|
||||||
size_t len;
|
|
||||||
- in_addr_t addr;
|
|
||||||
+ in_addr_t inaddr;
|
|
||||||
ngx_int_t n;
|
|
||||||
ngx_uint_t ident;
|
|
||||||
ngx_resolver_hdr_t *query;
|
|
||||||
@@ -2652,7 +2649,7 @@
|
|
||||||
struct sockaddr_in6 *sin6;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- switch (ctx->addr.sockaddr->sa_family) {
|
|
||||||
+ switch (addr->sockaddr->sa_family) {
|
|
||||||
|
|
||||||
#if (NGX_HAVE_INET6)
|
|
||||||
case AF_INET6:
|
|
||||||
@@ -2669,7 +2666,7 @@
|
|
||||||
+ sizeof(ngx_resolver_qs_t);
|
|
||||||
}
|
|
||||||
|
|
||||||
- p = ngx_resolver_alloc(ctx->resolver, len);
|
|
||||||
+ p = ngx_resolver_alloc(r, len);
|
|
||||||
if (p == NULL) {
|
|
||||||
return NGX_ERROR;
|
|
||||||
}
|
|
||||||
@@ -2693,11 +2690,11 @@
|
|
||||||
|
|
||||||
p += sizeof(ngx_resolver_hdr_t);
|
|
||||||
|
|
||||||
- switch (ctx->addr.sockaddr->sa_family) {
|
|
||||||
+ switch (addr->sockaddr->sa_family) {
|
|
||||||
|
|
||||||
#if (NGX_HAVE_INET6)
|
|
||||||
case AF_INET6:
|
|
||||||
- sin6 = (struct sockaddr_in6 *) ctx->addr.sockaddr;
|
|
||||||
+ sin6 = (struct sockaddr_in6 *) addr->sockaddr;
|
|
||||||
|
|
||||||
for (n = 15; n >= 0; n--) {
|
|
||||||
p = ngx_sprintf(p, "\1%xd\1%xd",
|
|
||||||
@@ -2712,11 +2709,11 @@
|
|
||||||
|
|
||||||
default: /* AF_INET */
|
|
||||||
|
|
||||||
- sin = (struct sockaddr_in *) ctx->addr.sockaddr;
|
|
||||||
- addr = ntohl(sin->sin_addr.s_addr);
|
|
||||||
+ sin = (struct sockaddr_in *) addr->sockaddr;
|
|
||||||
+ inaddr = ntohl(sin->sin_addr.s_addr);
|
|
||||||
|
|
||||||
for (n = 0; n < 32; n += 8) {
|
|
||||||
- d = ngx_sprintf(&p[1], "%ud", (addr >> n) & 0xff);
|
|
||||||
+ d = ngx_sprintf(&p[1], "%ud", (inaddr >> n) & 0xff);
|
|
||||||
*p = (u_char) (d - &p[1]);
|
|
||||||
p = d;
|
|
||||||
}
|
|
@ -1,80 +0,0 @@
|
|||||||
exporting patch:
|
|
||||||
# HG changeset patch
|
|
||||||
# User Ruslan Ermilov <ru@nginx.com>
|
|
||||||
# Date 1453815998 -10800
|
|
||||||
# Tue Jan 26 16:46:38 2016 +0300
|
|
||||||
# Branch stable-1.8
|
|
||||||
# Node ID 838946300825379ccdd3acfb131cf66d6ae3cb85
|
|
||||||
# Parent f63dd04c158062d73fcb6aff59124910fa1fae75
|
|
||||||
Resolver: fixed CNAME processing for several requests.
|
|
||||||
|
|
||||||
When several requests were waiting for a response, then after getting
|
|
||||||
a CNAME response only the last request was properly processed, while
|
|
||||||
others were left waiting.
|
|
||||||
|
|
||||||
diff -r f63dd04c1580 -r 838946300825 src/core/ngx_resolver.c
|
|
||||||
--- a/src/core/ngx_resolver.c Tue Jan 26 16:46:31 2016 +0300
|
|
||||||
+++ b/src/core/ngx_resolver.c Tue Jan 26 16:46:38 2016 +0300
|
|
||||||
@@ -473,7 +473,7 @@
|
|
||||||
ngx_int_t rc;
|
|
||||||
ngx_uint_t naddrs;
|
|
||||||
ngx_addr_t *addrs;
|
|
||||||
- ngx_resolver_ctx_t *next;
|
|
||||||
+ ngx_resolver_ctx_t *next, *last;
|
|
||||||
ngx_resolver_node_t *rn;
|
|
||||||
|
|
||||||
ngx_strlow(ctx->name.data, ctx->name.data, ctx->name.len);
|
|
||||||
@@ -484,6 +484,9 @@
|
|
||||||
|
|
||||||
if (rn) {
|
|
||||||
|
|
||||||
+ /* ctx can be a list after NGX_RESOLVE_CNAME */
|
|
||||||
+ for (last = ctx; last->next; last = last->next);
|
|
||||||
+
|
|
||||||
if (rn->valid >= ngx_time()) {
|
|
||||||
|
|
||||||
ngx_log_debug0(NGX_LOG_DEBUG_CORE, r->log, 0, "resolve cached");
|
|
||||||
@@ -511,7 +514,7 @@
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- ctx->next = rn->waiting;
|
|
||||||
+ last->next = rn->waiting;
|
|
||||||
rn->waiting = NULL;
|
|
||||||
|
|
||||||
/* unlock name mutex */
|
|
||||||
@@ -557,7 +560,7 @@
|
|
||||||
return ngx_resolve_name_locked(r, ctx);
|
|
||||||
}
|
|
||||||
|
|
||||||
- ctx->next = rn->waiting;
|
|
||||||
+ last->next = rn->waiting;
|
|
||||||
rn->waiting = NULL;
|
|
||||||
|
|
||||||
/* unlock name mutex */
|
|
||||||
@@ -590,7 +593,7 @@
|
|
||||||
ngx_add_timer(ctx->event, ctx->timeout);
|
|
||||||
}
|
|
||||||
|
|
||||||
- ctx->next = rn->waiting;
|
|
||||||
+ last->next = rn->waiting;
|
|
||||||
rn->waiting = ctx;
|
|
||||||
ctx->state = NGX_AGAIN;
|
|
||||||
|
|
||||||
@@ -661,8 +664,14 @@
|
|
||||||
ngx_resolver_free(r, rn->name);
|
|
||||||
ngx_resolver_free(r, rn);
|
|
||||||
|
|
||||||
- ctx->state = NGX_RESOLVE_NXDOMAIN;
|
|
||||||
- ctx->handler(ctx);
|
|
||||||
+ do {
|
|
||||||
+ ctx->state = NGX_RESOLVE_NXDOMAIN;
|
|
||||||
+ next = ctx->next;
|
|
||||||
+
|
|
||||||
+ ctx->handler(ctx);
|
|
||||||
+
|
|
||||||
+ ctx = next;
|
|
||||||
+ } while (ctx);
|
|
||||||
|
|
||||||
return NGX_OK;
|
|
||||||
}
|
|
@ -1,134 +0,0 @@
|
|||||||
exporting patch:
|
|
||||||
# HG changeset patch
|
|
||||||
# User Ruslan Ermilov <ru@nginx.com>
|
|
||||||
# Date 1453815991 -10800
|
|
||||||
# Tue Jan 26 16:46:31 2016 +0300
|
|
||||||
# Branch stable-1.8
|
|
||||||
# Node ID f63dd04c158062d73fcb6aff59124910fa1fae75
|
|
||||||
# Parent c36482d0a79fe0f2e1467f80ec2fbcd0a2d682c6
|
|
||||||
Resolver: fixed crashes in timeout handler.
|
|
||||||
|
|
||||||
If one or more requests were waiting for a response, then after
|
|
||||||
getting a CNAME response, the timeout event on the first request
|
|
||||||
remained active, pointing to the wrong node with an empty
|
|
||||||
rn->waiting list, and that could cause either null pointer
|
|
||||||
dereference or use-after-free memory access if this timeout
|
|
||||||
expired.
|
|
||||||
|
|
||||||
If several requests were waiting for a response, and the first
|
|
||||||
request terminated (e.g., due to client closing a connection),
|
|
||||||
other requests were left without a timeout and could potentially
|
|
||||||
wait indefinitely.
|
|
||||||
|
|
||||||
This is fixed by introducing per-request independent timeouts.
|
|
||||||
This change also reverts 954867a2f0a6 and 5004210e8c78.
|
|
||||||
|
|
||||||
diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
|
|
||||||
index fe0ce50..7aa88a6 100644
|
|
||||||
--- a/src/core/ngx_resolver.c
|
|
||||||
+++ b/src/core/ngx_resolver.c
|
|
||||||
@@ -417,7 +417,7 @@ ngx_resolve_name_done(ngx_resolver_ctx_t *ctx)
|
|
||||||
|
|
||||||
/* lock name mutex */
|
|
||||||
|
|
||||||
- if (ctx->state == NGX_AGAIN) {
|
|
||||||
+ if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) {
|
|
||||||
|
|
||||||
hash = ngx_crc32_short(ctx->name.data, ctx->name.len);
|
|
||||||
|
|
||||||
@@ -571,6 +571,20 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
|
|
||||||
|
|
||||||
if (rn->waiting) {
|
|
||||||
|
|
||||||
+ if (ctx->event == NULL) {
|
|
||||||
+ ctx->event = ngx_resolver_calloc(r, sizeof(ngx_event_t));
|
|
||||||
+ if (ctx->event == NULL) {
|
|
||||||
+ return NGX_ERROR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ctx->event->handler = ngx_resolver_timeout_handler;
|
|
||||||
+ ctx->event->data = ctx;
|
|
||||||
+ ctx->event->log = r->log;
|
|
||||||
+ ctx->ident = -1;
|
|
||||||
+
|
|
||||||
+ ngx_add_timer(ctx->event, ctx->timeout);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ctx->next = rn->waiting;
|
|
||||||
rn->waiting = ctx;
|
|
||||||
ctx->state = NGX_AGAIN;
|
|
||||||
@@ -664,7 +678,7 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
|
|
||||||
}
|
|
||||||
|
|
||||||
ctx->event->handler = ngx_resolver_timeout_handler;
|
|
||||||
- ctx->event->data = rn;
|
|
||||||
+ ctx->event->data = ctx;
|
|
||||||
ctx->event->log = r->log;
|
|
||||||
ctx->ident = -1;
|
|
||||||
|
|
||||||
@@ -794,6 +808,18 @@ ngx_resolve_addr(ngx_resolver_ctx_t *ctx)
|
|
||||||
|
|
||||||
if (rn->waiting) {
|
|
||||||
|
|
||||||
+ ctx->event = ngx_resolver_calloc(r, sizeof(ngx_event_t));
|
|
||||||
+ if (ctx->event == NULL) {
|
|
||||||
+ return NGX_ERROR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ctx->event->handler = ngx_resolver_timeout_handler;
|
|
||||||
+ ctx->event->data = ctx;
|
|
||||||
+ ctx->event->log = r->log;
|
|
||||||
+ ctx->ident = -1;
|
|
||||||
+
|
|
||||||
+ ngx_add_timer(ctx->event, ctx->timeout);
|
|
||||||
+
|
|
||||||
ctx->next = rn->waiting;
|
|
||||||
rn->waiting = ctx;
|
|
||||||
ctx->state = NGX_AGAIN;
|
|
||||||
@@ -857,7 +883,7 @@ ngx_resolve_addr(ngx_resolver_ctx_t *ctx)
|
|
||||||
}
|
|
||||||
|
|
||||||
ctx->event->handler = ngx_resolver_timeout_handler;
|
|
||||||
- ctx->event->data = rn;
|
|
||||||
+ ctx->event->data = ctx;
|
|
||||||
ctx->event->log = r->log;
|
|
||||||
ctx->ident = -1;
|
|
||||||
|
|
||||||
@@ -949,7 +975,7 @@ ngx_resolve_addr_done(ngx_resolver_ctx_t *ctx)
|
|
||||||
|
|
||||||
/* lock addr mutex */
|
|
||||||
|
|
||||||
- if (ctx->state == NGX_AGAIN) {
|
|
||||||
+ if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) {
|
|
||||||
|
|
||||||
switch (ctx->addr.sockaddr->sa_family) {
|
|
||||||
|
|
||||||
@@ -2791,21 +2817,13 @@ done:
|
|
||||||
static void
|
|
||||||
ngx_resolver_timeout_handler(ngx_event_t *ev)
|
|
||||||
{
|
|
||||||
- ngx_resolver_ctx_t *ctx, *next;
|
|
||||||
- ngx_resolver_node_t *rn;
|
|
||||||
+ ngx_resolver_ctx_t *ctx;
|
|
||||||
|
|
||||||
- rn = ev->data;
|
|
||||||
- ctx = rn->waiting;
|
|
||||||
- rn->waiting = NULL;
|
|
||||||
+ ctx = ev->data;
|
|
||||||
|
|
||||||
- do {
|
|
||||||
- ctx->state = NGX_RESOLVE_TIMEDOUT;
|
|
||||||
- next = ctx->next;
|
|
||||||
-
|
|
||||||
- ctx->handler(ctx);
|
|
||||||
+ ctx->state = NGX_RESOLVE_TIMEDOUT;
|
|
||||||
|
|
||||||
- ctx = next;
|
|
||||||
- } while (ctx);
|
|
||||||
+ ctx->handler(ctx);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
--
|
|
||||||
2.5.0
|
|
||||||
|
|
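Review bot: this deleted file carried the fix for the timeout-handler null pointer dereference and use-after-free described in its header, and nothing visible in this commit records where that fix comes from now. Please state in the changelog that it is part of the 1.10.x source being packaged (changeset f63dd04c1580); the marker to look for is `ctx->event->data = ctx;`, with ngx_resolver_timeout_handler() reading `ev->data` as a request context rather than a node.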
@ -1,22 +0,0 @@
|
|||||||
exporting patch:
|
|
||||||
# HG changeset patch
|
|
||||||
# User Roman Arutyunyan <arut@nginx.com>
|
|
||||||
# Date 1453815978 -10800
|
|
||||||
# Tue Jan 26 16:46:18 2016 +0300
|
|
||||||
# Branch stable-1.8
|
|
||||||
# Node ID c36482d0a79fe0f2e1467f80ec2fbcd0a2d682c6
|
|
||||||
# Parent e9a4531a2a5dabb9bee93cb8b41f24b8aeeba504
|
|
||||||
Resolver: fixed possible segmentation fault on DNS format error.
|
|
||||||
|
|
||||||
diff -r e9a4531a2a5d -r c36482d0a79f src/core/ngx_resolver.c
|
|
||||||
--- a/src/core/ngx_resolver.c Mon Jan 25 21:58:21 2016 +0300
|
|
||||||
+++ b/src/core/ngx_resolver.c Tue Jan 26 16:46:18 2016 +0300
|
|
||||||
@@ -1292,7 +1292,7 @@
|
|
||||||
times = 0;
|
|
||||||
|
|
||||||
for (q = ngx_queue_head(&r->name_resend_queue);
|
|
||||||
- q != ngx_queue_sentinel(&r->name_resend_queue) || times++ < 100;
|
|
||||||
+ q != ngx_queue_sentinel(&r->name_resend_queue) && times++ < 100;
|
|
||||||
q = ngx_queue_next(q))
|
|
||||||
{
|
|
||||||
rn = ngx_queue_data(q, ngx_resolver_node_t, queue);
|
|
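Review bot: the entire fix in this deleted patch is one operator in the resend-queue loop condition, `||` changed to `&&`. With `||` the loop body still runs after `q` has reached `ngx_queue_sentinel(&r->name_resend_queue)`, for as long as `times++ < 100` holds, so ngx_queue_data() is applied to the sentinel. A regression to the old form compiles cleanly, so it is worth checking the unpacked ngx_resolver.c for the `&&` form before this file is dropped.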
@ -1,252 +0,0 @@
|
|||||||
exporting patch:
|
|
||||||
# HG changeset patch
|
|
||||||
# User Roman Arutyunyan <arut@nginx.com>
|
|
||||||
# Date 1453816019 -10800
|
|
||||||
# Tue Jan 26 16:46:59 2016 +0300
|
|
||||||
# Branch stable-1.8
|
|
||||||
# Node ID dac6eda40475f08b7372159d78dad1e13cd5bc7f
|
|
||||||
# Parent 5557bf31e25da68d5cda19dbc91d86f47430df1f
|
|
||||||
Resolver: fixed use-after-free memory accesses with CNAME.
|
|
||||||
|
|
||||||
When several requests were waiting for a response, then after getting
|
|
||||||
a CNAME response only the last request's context had the name updated.
|
|
||||||
Contexts of other requests had the wrong name. This name was used by
|
|
||||||
ngx_resolve_name_done() to find the node to remove the request context
|
|
||||||
from. When the name was wrong, the request could not be properly
|
|
||||||
cancelled, its context was freed but stayed linked to the node's waiting
|
|
||||||
list. This happened e.g. when the first request was aborted or timed
|
|
||||||
out before the resolving completed. When it completed, this triggered
|
|
||||||
a use-after-free memory access by calling ctx->handler of already freed
|
|
||||||
request context. The bug manifests itself by
|
|
||||||
"could not cancel <name> resolving" alerts in error_log.
|
|
||||||
|
|
||||||
When a request was responded with a CNAME, the request context kept
|
|
||||||
the pointer to the original node's rn->u.cname. If the original node
|
|
||||||
expired before the resolving timed out or completed with an error,
|
|
||||||
this would trigger a use-after-free memory access via ctx->name in
|
|
||||||
ctx->handler().
|
|
||||||
|
|
||||||
The fix is to keep ctx->name unmodified. The name from context
|
|
||||||
is no longer used by ngx_resolve_name_done(). Instead, we now keep
|
|
||||||
the pointer to resolver node to which this request is linked.
|
|
||||||
Keeping the original name intact also improves logging.
|
|
||||||
|
|
||||||
diff -r 5557bf31e25d -r dac6eda40475 src/core/ngx_resolver.c
|
|
||||||
--- a/src/core/ngx_resolver.c Tue Jan 26 16:46:48 2016 +0300
|
|
||||||
+++ b/src/core/ngx_resolver.c Tue Jan 26 16:46:59 2016 +0300
|
|
||||||
@@ -59,7 +59,7 @@
|
|
||||||
static void ngx_resolver_cleanup(void *data);
|
|
||||||
static void ngx_resolver_cleanup_tree(ngx_resolver_t *r, ngx_rbtree_t *tree);
|
|
||||||
static ngx_int_t ngx_resolve_name_locked(ngx_resolver_t *r,
|
|
||||||
- ngx_resolver_ctx_t *ctx);
|
|
||||||
+ ngx_resolver_ctx_t *ctx, ngx_str_t *name);
|
|
||||||
static void ngx_resolver_expire(ngx_resolver_t *r, ngx_rbtree_t *tree,
|
|
||||||
ngx_queue_t *queue);
|
|
||||||
static ngx_int_t ngx_resolver_send_query(ngx_resolver_t *r,
|
|
||||||
@@ -375,7 +375,7 @@
|
|
||||||
|
|
||||||
/* lock name mutex */
|
|
||||||
|
|
||||||
- rc = ngx_resolve_name_locked(r, ctx);
|
|
||||||
+ rc = ngx_resolve_name_locked(r, ctx, &ctx->name);
|
|
||||||
|
|
||||||
if (rc == NGX_OK) {
|
|
||||||
return NGX_OK;
|
|
||||||
@@ -402,7 +402,6 @@
|
|
||||||
void
|
|
||||||
ngx_resolve_name_done(ngx_resolver_ctx_t *ctx)
|
|
||||||
{
|
|
||||||
- uint32_t hash;
|
|
||||||
ngx_resolver_t *r;
|
|
||||||
ngx_resolver_ctx_t *w, **p;
|
|
||||||
ngx_resolver_node_t *rn;
|
|
||||||
@@ -424,9 +423,7 @@
|
|
||||||
|
|
||||||
if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) {
|
|
||||||
|
|
||||||
- hash = ngx_crc32_short(ctx->name.data, ctx->name.len);
|
|
||||||
-
|
|
||||||
- rn = ngx_resolver_lookup_name(r, &ctx->name, hash);
|
|
||||||
+ rn = ctx->node;
|
|
||||||
|
|
||||||
if (rn) {
|
|
||||||
p = &rn->waiting;
|
|
||||||
@@ -467,20 +464,22 @@
|
|
||||||
|
|
||||||
|
|
||||||
static ngx_int_t
|
|
||||||
-ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
|
|
||||||
+ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx,
|
|
||||||
+ ngx_str_t *name)
|
|
||||||
{
|
|
||||||
uint32_t hash;
|
|
||||||
ngx_int_t rc;
|
|
||||||
+ ngx_str_t cname;
|
|
||||||
ngx_uint_t naddrs;
|
|
||||||
ngx_addr_t *addrs;
|
|
||||||
ngx_resolver_ctx_t *next, *last;
|
|
||||||
ngx_resolver_node_t *rn;
|
|
||||||
|
|
||||||
- ngx_strlow(ctx->name.data, ctx->name.data, ctx->name.len);
|
|
||||||
-
|
|
||||||
- hash = ngx_crc32_short(ctx->name.data, ctx->name.len);
|
|
||||||
-
|
|
||||||
- rn = ngx_resolver_lookup_name(r, &ctx->name, hash);
|
|
||||||
+ ngx_strlow(name->data, name->data, name->len);
|
|
||||||
+
|
|
||||||
+ hash = ngx_crc32_short(name->data, name->len);
|
|
||||||
+
|
|
||||||
+ rn = ngx_resolver_lookup_name(r, name, hash);
|
|
||||||
|
|
||||||
if (rn) {
|
|
||||||
|
|
||||||
@@ -554,10 +553,10 @@
|
|
||||||
|
|
||||||
if (ctx->recursion++ < NGX_RESOLVER_MAX_RECURSION) {
|
|
||||||
|
|
||||||
- ctx->name.len = rn->cnlen;
|
|
||||||
- ctx->name.data = rn->u.cname;
|
|
||||||
-
|
|
||||||
- return ngx_resolve_name_locked(r, ctx);
|
|
||||||
+ cname.len = rn->cnlen;
|
|
||||||
+ cname.data = rn->u.cname;
|
|
||||||
+
|
|
||||||
+ return ngx_resolve_name_locked(r, ctx, &cname);
|
|
||||||
}
|
|
||||||
|
|
||||||
last->next = rn->waiting;
|
|
||||||
@@ -597,6 +596,11 @@
|
|
||||||
rn->waiting = ctx;
|
|
||||||
ctx->state = NGX_AGAIN;
|
|
||||||
|
|
||||||
+ do {
|
|
||||||
+ ctx->node = rn;
|
|
||||||
+ ctx = ctx->next;
|
|
||||||
+ } while (ctx);
|
|
||||||
+
|
|
||||||
return NGX_AGAIN;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -635,14 +639,14 @@
|
|
||||||
return NGX_ERROR;
|
|
||||||
}
|
|
||||||
|
|
||||||
- rn->name = ngx_resolver_dup(r, ctx->name.data, ctx->name.len);
|
|
||||||
+ rn->name = ngx_resolver_dup(r, name->data, name->len);
|
|
||||||
if (rn->name == NULL) {
|
|
||||||
ngx_resolver_free(r, rn);
|
|
||||||
return NGX_ERROR;
|
|
||||||
}
|
|
||||||
|
|
||||||
rn->node.key = hash;
|
|
||||||
- rn->nlen = (u_short) ctx->name.len;
|
|
||||||
+ rn->nlen = (u_short) name->len;
|
|
||||||
rn->query = NULL;
|
|
||||||
#if (NGX_HAVE_INET6)
|
|
||||||
rn->query6 = NULL;
|
|
||||||
@@ -651,7 +655,7 @@
|
|
||||||
ngx_rbtree_insert(&r->name_rbtree, &rn->node);
|
|
||||||
}
|
|
||||||
|
|
||||||
- rc = ngx_resolver_create_name_query(r, rn, &ctx->name);
|
|
||||||
+ rc = ngx_resolver_create_name_query(r, rn, name);
|
|
||||||
|
|
||||||
if (rc == NGX_ERROR) {
|
|
||||||
goto failed;
|
|
||||||
@@ -715,6 +719,11 @@
|
|
||||||
|
|
||||||
ctx->state = NGX_AGAIN;
|
|
||||||
|
|
||||||
+ do {
|
|
||||||
+ ctx->node = rn;
|
|
||||||
+ ctx = ctx->next;
|
|
||||||
+ } while (ctx);
|
|
||||||
+
|
|
||||||
return NGX_AGAIN;
|
|
||||||
|
|
||||||
failed:
|
|
||||||
@@ -837,6 +846,7 @@
|
|
||||||
ctx->next = rn->waiting;
|
|
||||||
rn->waiting = ctx;
|
|
||||||
ctx->state = NGX_AGAIN;
|
|
||||||
+ ctx->node = rn;
|
|
||||||
|
|
||||||
/* unlock addr mutex */
|
|
||||||
|
|
||||||
@@ -922,6 +932,7 @@
|
|
||||||
/* unlock addr mutex */
|
|
||||||
|
|
||||||
ctx->state = NGX_AGAIN;
|
|
||||||
+ ctx->node = rn;
|
|
||||||
|
|
||||||
return NGX_OK;
|
|
||||||
|
|
||||||
@@ -952,17 +963,11 @@
|
|
||||||
void
|
|
||||||
ngx_resolve_addr_done(ngx_resolver_ctx_t *ctx)
|
|
||||||
{
|
|
||||||
- in_addr_t addr;
|
|
||||||
ngx_queue_t *expire_queue;
|
|
||||||
ngx_rbtree_t *tree;
|
|
||||||
ngx_resolver_t *r;
|
|
||||||
ngx_resolver_ctx_t *w, **p;
|
|
||||||
- struct sockaddr_in *sin;
|
|
||||||
ngx_resolver_node_t *rn;
|
|
||||||
-#if (NGX_HAVE_INET6)
|
|
||||||
- uint32_t hash;
|
|
||||||
- struct sockaddr_in6 *sin6;
|
|
||||||
-#endif
|
|
||||||
|
|
||||||
r = ctx->resolver;
|
|
||||||
|
|
||||||
@@ -991,21 +996,7 @@
|
|
||||||
|
|
||||||
if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) {
|
|
||||||
|
|
||||||
- switch (ctx->addr.sockaddr->sa_family) {
|
|
||||||
-
|
|
||||||
-#if (NGX_HAVE_INET6)
|
|
||||||
- case AF_INET6:
|
|
||||||
- sin6 = (struct sockaddr_in6 *) ctx->addr.sockaddr;
|
|
||||||
- hash = ngx_crc32_short(sin6->sin6_addr.s6_addr, 16);
|
|
||||||
- rn = ngx_resolver_lookup_addr6(r, &sin6->sin6_addr, hash);
|
|
||||||
- break;
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
- default: /* AF_INET */
|
|
||||||
- sin = (struct sockaddr_in *) ctx->addr.sockaddr;
|
|
||||||
- addr = ntohl(sin->sin_addr.s_addr);
|
|
||||||
- rn = ngx_resolver_lookup_addr(r, addr);
|
|
||||||
- }
|
|
||||||
+ rn = ctx->node;
|
|
||||||
|
|
||||||
if (rn) {
|
|
||||||
p = &rn->waiting;
|
|
||||||
@@ -1994,9 +1985,12 @@
|
|
||||||
rn->waiting = NULL;
|
|
||||||
|
|
||||||
if (ctx) {
|
|
||||||
- ctx->name = name;
|
|
||||||
-
|
|
||||||
- (void) ngx_resolve_name_locked(r, ctx);
|
|
||||||
+
|
|
||||||
+ for (next = ctx; next; next = next->next) {
|
|
||||||
+ next->node = NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ (void) ngx_resolve_name_locked(r, ctx, &name);
|
|
||||||
}
|
|
||||||
|
|
||||||
ngx_resolver_free(r, rn->query);
|
|
||||||
diff -r 5557bf31e25d -r dac6eda40475 src/core/ngx_resolver.h
|
|
||||||
--- a/src/core/ngx_resolver.h Tue Jan 26 16:46:48 2016 +0300
|
|
||||||
+++ b/src/core/ngx_resolver.h Tue Jan 26 16:46:59 2016 +0300
|
|
||||||
@@ -161,6 +161,8 @@
|
|
||||||
ngx_uint_t quick; /* unsigned quick:1; */
|
|
||||||
ngx_uint_t recursion;
|
|
||||||
ngx_event_t *event;
|
|
||||||
+
|
|
||||||
+ ngx_resolver_node_t *node;
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
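Review bot: the description in this deleted patch names the one observable symptom of the use-after-free, the "could not cancel <name> resolving" alert in error_log, and that information disappears from the package together with the file. UPGRADE-NOTES-1.6-to-1.10 would be a good place to keep it, so an administrator can check logs written before the upgrade for that alert.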
@ -1,68 +0,0 @@
|
|||||||
exporting patch:
|
|
||||||
# HG changeset patch
|
|
||||||
# User Ruslan Ermilov <ru@nginx.com>
|
|
||||||
# Date 1453816034 -10800
|
|
||||||
# Tue Jan 26 16:47:14 2016 +0300
|
|
||||||
# Branch stable-1.8
|
|
||||||
# Node ID 93d70d87914c350948ab701cc99569680320e198
|
|
||||||
# Parent dac6eda40475f08b7372159d78dad1e13cd5bc7f
|
|
||||||
Resolver: limited CNAME recursion.
|
|
||||||
|
|
||||||
Previously, the recursion was only limited for cached responses.
|
|
||||||
|
|
||||||
diff -r dac6eda40475 -r 93d70d87914c src/core/ngx_resolver.c
|
|
||||||
--- a/src/core/ngx_resolver.c Tue Jan 26 16:46:59 2016 +0300
|
|
||||||
+++ b/src/core/ngx_resolver.c Tue Jan 26 16:47:14 2016 +0300
|
|
||||||
@@ -1981,24 +1981,40 @@
|
|
||||||
|
|
||||||
ngx_queue_insert_head(&r->name_expire_queue, &rn->queue);
|
|
||||||
|
|
||||||
- ctx = rn->waiting;
|
|
||||||
- rn->waiting = NULL;
|
|
||||||
-
|
|
||||||
- if (ctx) {
|
|
||||||
-
|
|
||||||
- for (next = ctx; next; next = next->next) {
|
|
||||||
- next->node = NULL;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- (void) ngx_resolve_name_locked(r, ctx, &name);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
ngx_resolver_free(r, rn->query);
|
|
||||||
rn->query = NULL;
|
|
||||||
#if (NGX_HAVE_INET6)
|
|
||||||
rn->query6 = NULL;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+ ctx = rn->waiting;
|
|
||||||
+ rn->waiting = NULL;
|
|
||||||
+
|
|
||||||
+ if (ctx) {
|
|
||||||
+
|
|
||||||
+ if (ctx->recursion++ >= NGX_RESOLVER_MAX_RECURSION) {
|
|
||||||
+
|
|
||||||
+ /* unlock name mutex */
|
|
||||||
+
|
|
||||||
+ do {
|
|
||||||
+ ctx->state = NGX_RESOLVE_NXDOMAIN;
|
|
||||||
+ next = ctx->next;
|
|
||||||
+
|
|
||||||
+ ctx->handler(ctx);
|
|
||||||
+
|
|
||||||
+ ctx = next;
|
|
||||||
+ } while (ctx);
|
|
||||||
+
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (next = ctx; next; next = next->next) {
|
|
||||||
+ next->node = NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ (void) ngx_resolve_name_locked(r, ctx, &name);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* unlock name mutex */
|
|
||||||
|
|
||||||
return;
|
|
@ -1,15 +0,0 @@
|
|||||||
--- src/os/unix/ngx_files.c
|
|
||||||
+++ src/os/unix/ngx_files.c
|
|
||||||
@@ -183,6 +183,12 @@ ngx_write_chain_to_file(ngx_file_t *file
|
|
||||||
/* create the iovec and coalesce the neighbouring bufs */
|
|
||||||
|
|
||||||
while (cl && vec.nelts < IOV_MAX) {
|
|
||||||
+
|
|
||||||
+ if (ngx_buf_special(cl->buf)) {
|
|
||||||
+ cl = cl->next;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (prev == cl->buf->pos) {
|
|
||||||
iov->iov_len += cl->buf->last - cl->buf->pos;
|
|
||||||
|
|
35
nginx.conf
@ -7,6 +7,9 @@ worker_processes auto;
|
|||||||
error_log /var/log/nginx/error.log;
|
error_log /var/log/nginx/error.log;
|
||||||
pid /run/nginx.pid;
|
pid /run/nginx.pid;
|
||||||
|
|
||||||
|
# Load dynamic modules. See /usr/share/nginx/README.fedora.
|
||||||
|
include /usr/share/nginx/modules/*.conf;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 1024;
|
||||||
}
|
}
|
||||||
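Review bot: The new comment above the `include` line points readers at /usr/share/nginx/README.fedora, but nothing in nginx.spec installs the file there: %prep copies it into the build tree and %files ships it with `%doc CHANGES README README.fedora`, which places it in the package documentation directory. Either correct the path in the comment or install a copy under %{_datadir}/nginx. Since this include is what causes every installed module snippet to be loaded by the master process, the pointer to the opt-out instructions should resolve.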
@ -52,4 +55,36 @@ http {
|
|||||||
location = /50x.html {
|
location = /50x.html {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Settings for a TLS enabled server.
|
||||||
|
#
|
||||||
|
# server {
|
||||||
|
# listen 443 ssl;
|
||||||
|
# listen [::]:443 ssl;
|
||||||
|
# server_name _;
|
||||||
|
# root /usr/share/nginx/html;
|
||||||
|
#
|
||||||
|
# ssl_certificate "/etc/pki/nginx/server.crt";
|
||||||
|
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
|
||||||
|
# ssl_session_cache shared:SSL:1m;
|
||||||
|
# ssl_session_timeout 10m;
|
||||||
|
# ssl_ciphers PROFILE=SYSTEM;
|
||||||
|
# ssl_prefer_server_ciphers on;
|
||||||
|
#
|
||||||
|
# # Load configuration files for the default server block.
|
||||||
|
# include /etc/nginx/default.d/*.conf;
|
||||||
|
#
|
||||||
|
# location / {
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# error_page 404 /404.html;
|
||||||
|
# location = /40x.html {
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# error_page 500 502 503 504 /50x.html;
|
||||||
|
# location = /50x.html {
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
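Review bot: The commented TLS server block sets `ssl_ciphers PROFILE=SYSTEM;` but carries no `ssl_protocols` line, so an admin who uncomments it gets nginx's built-in protocol defaults, and on builds where %prep rewrites the cipher string to `HIGH:!aNULL:!MD5` there is no system policy behind it either. Consider adding an explicit `ssl_protocols` line to the template. Separately, `error_page 404 /404.html;` is followed by `location = /40x.html`, so that location never matches the error page URI; the 50x pair below it is consistent and the 404 pair should be made to match.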
@ -12,9 +12,9 @@ ExecStartPre=/usr/bin/rm -f /run/nginx.pid
|
|||||||
ExecStartPre=/usr/sbin/nginx -t
|
ExecStartPre=/usr/sbin/nginx -t
|
||||||
ExecStart=/usr/sbin/nginx
|
ExecStart=/usr/sbin/nginx
|
||||||
ExecReload=/bin/kill -s HUP $MAINPID
|
ExecReload=/bin/kill -s HUP $MAINPID
|
||||||
KillMode=process
|
|
||||||
KillSignal=SIGQUIT
|
KillSignal=SIGQUIT
|
||||||
TimeoutStopSec=5
|
TimeoutStopSec=5
|
||||||
|
KillMode=mixed
|
||||||
PrivateTmp=true
|
PrivateTmp=true
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
|
435
nginx.spec
@ -1,27 +1,21 @@
|
|||||||
%global _hardened_build 1
|
%global _hardened_build 1
|
||||||
%global nginx_user nginx
|
%global nginx_user nginx
|
||||||
%global nginx_group %{nginx_user}
|
|
||||||
%global nginx_home %{_localstatedir}/lib/nginx
|
|
||||||
%global nginx_home_tmp %{nginx_home}/tmp
|
|
||||||
%global nginx_confdir %{_sysconfdir}/nginx
|
|
||||||
%global nginx_datadir %{_datadir}/nginx
|
|
||||||
%global nginx_logdir %{_localstatedir}/log/nginx
|
|
||||||
%global nginx_webroot %{nginx_datadir}/html
|
|
||||||
|
|
||||||
# gperftools exist only on selected arches
|
# gperftools exist only on selected arches
|
||||||
%ifarch %{ix86} x86_64 ppc ppc64 %{arm}
|
%ifnarch s390 s390x
|
||||||
%global with_gperftools 1
|
%global with_gperftools 1
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# AIO missing on some arches
|
%global with_aio 1
|
||||||
%ifnarch aarch64
|
|
||||||
%global with_aio 1
|
%if 0%{?fedora} > 22
|
||||||
|
%global with_mailcap_mimetypes 1
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
Name: nginx
|
Name: nginx
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 1.6.3
|
Version: 1.10.1
|
||||||
Release: 9%{?dist}
|
Release: 1%{?dist}
|
||||||
|
|
||||||
Summary: A high performance web server and reverse proxy server
|
Summary: A high performance web server and reverse proxy server
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
@ -42,42 +36,33 @@ Source101: poweredby.png
|
|||||||
Source102: nginx-logo.png
|
Source102: nginx-logo.png
|
||||||
Source103: 404.html
|
Source103: 404.html
|
||||||
Source104: 50x.html
|
Source104: 50x.html
|
||||||
|
Source200: README.fedora
|
||||||
|
Source210: UPGRADE-NOTES-1.6-to-1.10
|
||||||
|
|
||||||
# removes -Werror in upstream build scripts. -Werror conflicts with
|
# removes -Werror in upstream build scripts. -Werror conflicts with
|
||||||
# -D_FORTIFY_SOURCE=2 causing warnings to turn into errors.
|
# -D_FORTIFY_SOURCE=2 causing warnings to turn into errors.
|
||||||
Patch0: nginx-auto-cc-gcc.patch
|
Patch0: nginx-auto-cc-gcc.patch
|
||||||
# CVE-2016-4450
|
|
||||||
Patch1: nginx-1.8.1-null-pointer-deref.patch
|
|
||||||
|
|
||||||
# Patches taken from 1.8.1 release. Only the second patch in this series
|
|
||||||
# failed to apply and had to be modified.
|
|
||||||
Patch10: nginx-1.6.3-Resolver-fix-possible-segmentation-fault.patch
|
|
||||||
Patch11: nginx-1.6.3-Resolver-fix-crashes-in-timeout-handler.patch
|
|
||||||
Patch12: nginx-1.6.3-Resolver-fix-CNAME-processing.patch
|
|
||||||
Patch13: nginx-1.6.3-Resolver-change-ngx_resolver_create-arguments.patch
|
|
||||||
Patch14: nginx-1.6.3-Resolver-fix-use-after-free-with-CNAME.patch
|
|
||||||
Patch15: nginx-1.6.3-Resolver-limit-CNAME-recursion.patch
|
|
||||||
|
|
||||||
|
|
||||||
BuildRequires: GeoIP-devel
|
|
||||||
BuildRequires: gd-devel
|
|
||||||
%if 0%{?with_gperftools}
|
%if 0%{?with_gperftools}
|
||||||
BuildRequires: gperftools-devel
|
BuildRequires: gperftools-devel
|
||||||
%endif
|
%endif
|
||||||
BuildRequires: libxslt-devel
|
|
||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
BuildRequires: pcre-devel
|
BuildRequires: pcre-devel
|
||||||
BuildRequires: perl-devel
|
|
||||||
BuildRequires: perl(ExtUtils::Embed)
|
|
||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
|
|
||||||
Requires: nginx-filesystem = %{epoch}:%{version}-%{release}
|
Requires: nginx-filesystem = %{epoch}:%{version}-%{release}
|
||||||
Requires: GeoIP
|
|
||||||
Requires: gd
|
%if 0%{?rhel} || 0%{?fedora} < 24
|
||||||
|
# Introduced at 1:1.10.0-1 to ease upgrade path. To be removed later.
|
||||||
|
Requires: nginx-all-modules = %{epoch}:%{version}-%{release}
|
||||||
|
%endif
|
||||||
|
|
||||||
Requires: openssl
|
Requires: openssl
|
||||||
Requires: pcre
|
Requires: pcre
|
||||||
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
|
|
||||||
Requires(pre): nginx-filesystem
|
Requires(pre): nginx-filesystem
|
||||||
|
%if 0%{?with_mailcap_mimetypes}
|
||||||
|
Requires: nginx-mimetypes
|
||||||
|
%endif
|
||||||
Provides: webserver
|
Provides: webserver
|
||||||
|
|
||||||
BuildRequires: systemd
|
BuildRequires: systemd
|
||||||
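Review bot: Dropping Patch1 and Patch10 through Patch15 removes the only places in the spec where CVE-2016-4450 and the resolver fixes are named, and the replacement changelog entry for 1:1.10.1-1 says only "update to upstream release 1.10.1". Please list the CVEs that the rebase covers in that changelog entry, the way the 1:1.8.1-1 entry lists CVE-2016-0747, CVE-2016-0746 and CVE-2016-0742, so that anyone auditing the package with `rpm -q --changelog` can confirm the fixes were not lost along with the patch files.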
@ -90,6 +75,29 @@ Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and
|
|||||||
IMAP protocols, with a strong focus on high concurrency, performance and low
|
IMAP protocols, with a strong focus on high concurrency, performance and low
|
||||||
memory usage.
|
memory usage.
|
||||||
|
|
||||||
|
%package all-modules
|
||||||
|
Group: System Environment/Daemons
|
||||||
|
Summary: A meta package that installs all available Nginx modules
|
||||||
|
BuildArch: noarch
|
||||||
|
|
||||||
|
Requires: nginx-mod-http-geoip = %{epoch}:%{version}-%{release}
|
||||||
|
Requires: nginx-mod-http-image-filter = %{epoch}:%{version}-%{release}
|
||||||
|
Requires: nginx-mod-http-perl = %{epoch}:%{version}-%{release}
|
||||||
|
Requires: nginx-mod-http-xslt-filter = %{epoch}:%{version}-%{release}
|
||||||
|
Requires: nginx-mod-mail = %{epoch}:%{version}-%{release}
|
||||||
|
Requires: nginx-mod-stream = %{epoch}:%{version}-%{release}
|
||||||
|
|
||||||
|
%description all-modules
|
||||||
|
%{summary}.
|
||||||
|
%if 0%{?rhel}
|
||||||
|
The main nginx package depends on this to ease the upgrade path. After a grace
|
||||||
|
period of several months, modules will become optional.
|
||||||
|
%endif
|
||||||
|
%if 0%{?fedora} && 0%{?fedora} < 24
|
||||||
|
The main nginx package depends on this to ease the upgrade path. Starting from
|
||||||
|
Fedora 24, modules are optional.
|
||||||
|
%endif
|
||||||
|
|
||||||
%package filesystem
|
%package filesystem
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
Summary: The basic directory layout for the Nginx server
|
Summary: The basic directory layout for the Nginx server
|
||||||
@ -101,17 +109,78 @@ The nginx-filesystem package contains the basic directory layout
|
|||||||
for the Nginx server including the correct permissions for the
|
for the Nginx server including the correct permissions for the
|
||||||
directories.
|
directories.
|
||||||
|
|
||||||
|
%package mod-http-geoip
|
||||||
|
Group: System Environment/Daemons
|
||||||
|
Summary: Nginx HTTP geoip module
|
||||||
|
BuildRequires: GeoIP-devel
|
||||||
|
Requires: nginx
|
||||||
|
Requires: GeoIP
|
||||||
|
|
||||||
|
%description mod-http-geoip
|
||||||
|
%{summary}.
|
||||||
|
|
||||||
|
%package mod-http-image-filter
|
||||||
|
Group: System Environment/Daemons
|
||||||
|
Summary: Nginx HTTP image filter module
|
||||||
|
BuildRequires: gd-devel
|
||||||
|
Requires: nginx
|
||||||
|
Requires: gd
|
||||||
|
|
||||||
|
%description mod-http-image-filter
|
||||||
|
%{summary}.
|
||||||
|
|
||||||
|
%package mod-http-perl
|
||||||
|
Group: System Environment/Daemons
|
||||||
|
Summary: Nginx HTTP perl module
|
||||||
|
BuildRequires: perl-devel
|
||||||
|
%if 0%{?fedora} >= 24
|
||||||
|
BuildRequires: perl-generators
|
||||||
|
%endif
|
||||||
|
BuildRequires: perl(ExtUtils::Embed)
|
||||||
|
Requires: nginx
|
||||||
|
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
|
||||||
|
|
||||||
|
%description mod-http-perl
|
||||||
|
%{summary}.
|
||||||
|
|
||||||
|
%package mod-http-xslt-filter
|
||||||
|
Group: System Environment/Daemons
|
||||||
|
Summary: Nginx XSLT module
|
||||||
|
BuildRequires: libxslt-devel
|
||||||
|
Requires: nginx
|
||||||
|
|
||||||
|
%description mod-http-xslt-filter
|
||||||
|
%{summary}.
|
||||||
|
|
||||||
|
%package mod-mail
|
||||||
|
Group: System Environment/Daemons
|
||||||
|
Summary: Nginx mail modules
|
||||||
|
Requires: nginx
|
||||||
|
|
||||||
|
%description mod-mail
|
||||||
|
%{summary}.
|
||||||
|
|
||||||
|
%package mod-stream
|
||||||
|
Group: System Environment/Daemons
|
||||||
|
Summary: Nginx stream modules
|
||||||
|
Requires: nginx
|
||||||
|
|
||||||
|
%description mod-stream
|
||||||
|
%{summary}.
|
||||||
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
%patch0 -p0
|
%patch0 -p0
|
||||||
%patch1 -p0
|
cp %{SOURCE200} .
|
||||||
%patch10 -p1
|
%if 0%{?rhel} == 7
|
||||||
%patch11 -p1
|
cp %{SOURCE210} .
|
||||||
%patch12 -p1
|
%endif
|
||||||
%patch13 -p1
|
|
||||||
%patch14 -p1
|
%if 0%{?rhel} < 8
|
||||||
%patch15 -p1
|
sed -i -e 's#KillMode=.*#KillMode=process#g' %{SOURCE10}
|
||||||
|
sed -i -e 's#PROFILE=SYSTEM#HIGH:!aNULL:!MD5#' %{SOURCE12}
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
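Review bot: In %prep, `%if 0%{?rhel} < 8` is also true on Fedora, where `%{?rhel}` expands to nothing and the test becomes `0 < 8`, so the two sed commands rewrite `KillMode=mixed` back to `KillMode=process` and `PROFILE=SYSTEM` to `HIGH:!aNULL:!MD5` on every build, not only on EL7. Guard it with `%if 0%{?rhel} && 0%{?rhel} < 8`. The sed calls also edit %{SOURCE10} and %{SOURCE12} in place in the source directory; copying them into the build tree first (as is done for %{SOURCE200}) keeps the sources pristine and the build repeatable. Finally, each mod-* subpackage has an unversioned `Requires: nginx`, which allows a module built against this release to be installed next to a different nginx build; `Requires: nginx = %{epoch}:%{version}-%{release}` would tie them together the same way all-modules already does.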
@ -121,31 +190,32 @@ directories.
|
|||||||
# variable.
|
# variable.
|
||||||
export DESTDIR=%{buildroot}
|
export DESTDIR=%{buildroot}
|
||||||
./configure \
|
./configure \
|
||||||
--prefix=%{nginx_datadir} \
|
--prefix=%{_datadir}/nginx \
|
||||||
--sbin-path=%{_sbindir}/nginx \
|
--sbin-path=%{_sbindir}/nginx \
|
||||||
--conf-path=%{nginx_confdir}/nginx.conf \
|
--modules-path=%{_libdir}/nginx/modules \
|
||||||
--error-log-path=%{nginx_logdir}/error.log \
|
--conf-path=%{_sysconfdir}/nginx/nginx.conf \
|
||||||
--http-log-path=%{nginx_logdir}/access.log \
|
--error-log-path=%{_localstatedir}/log/nginx/error.log \
|
||||||
--http-client-body-temp-path=%{nginx_home_tmp}/client_body \
|
--http-log-path=%{_localstatedir}/log/nginx/access.log \
|
||||||
--http-proxy-temp-path=%{nginx_home_tmp}/proxy \
|
--http-client-body-temp-path=%{_localstatedir}/lib/nginx/tmp/client_body \
|
||||||
--http-fastcgi-temp-path=%{nginx_home_tmp}/fastcgi \
|
--http-proxy-temp-path=%{_localstatedir}/lib/nginx/tmp/proxy \
|
||||||
--http-uwsgi-temp-path=%{nginx_home_tmp}/uwsgi \
|
--http-fastcgi-temp-path=%{_localstatedir}/lib/nginx/tmp/fastcgi \
|
||||||
--http-scgi-temp-path=%{nginx_home_tmp}/scgi \
|
--http-uwsgi-temp-path=%{_localstatedir}/lib/nginx/tmp/uwsgi \
|
||||||
|
--http-scgi-temp-path=%{_localstatedir}/lib/nginx/tmp/scgi \
|
||||||
--pid-path=/run/nginx.pid \
|
--pid-path=/run/nginx.pid \
|
||||||
--lock-path=/run/lock/subsys/nginx \
|
--lock-path=/run/lock/subsys/nginx \
|
||||||
--user=%{nginx_user} \
|
--user=%{nginx_user} \
|
||||||
--group=%{nginx_group} \
|
--group=%{nginx_user} \
|
||||||
%if 0%{?with_aio}
|
%if 0%{?with_aio}
|
||||||
--with-file-aio \
|
--with-file-aio \
|
||||||
%endif
|
%endif
|
||||||
--with-ipv6 \
|
--with-ipv6 \
|
||||||
--with-http_ssl_module \
|
--with-http_ssl_module \
|
||||||
--with-http_spdy_module \
|
--with-http_v2_module \
|
||||||
--with-http_realip_module \
|
--with-http_realip_module \
|
||||||
--with-http_addition_module \
|
--with-http_addition_module \
|
||||||
--with-http_xslt_module \
|
--with-http_xslt_module=dynamic \
|
||||||
--with-http_image_filter_module \
|
--with-http_image_filter_module=dynamic \
|
||||||
--with-http_geoip_module \
|
--with-http_geoip_module=dynamic \
|
||||||
--with-http_sub_module \
|
--with-http_sub_module \
|
||||||
--with-http_dav_module \
|
--with-http_dav_module \
|
||||||
--with-http_flv_module \
|
--with-http_flv_module \
|
||||||
@ -155,12 +225,15 @@ export DESTDIR=%{buildroot}
|
|||||||
--with-http_random_index_module \
|
--with-http_random_index_module \
|
||||||
--with-http_secure_link_module \
|
--with-http_secure_link_module \
|
||||||
--with-http_degradation_module \
|
--with-http_degradation_module \
|
||||||
|
--with-http_slice_module \
|
||||||
--with-http_stub_status_module \
|
--with-http_stub_status_module \
|
||||||
--with-http_perl_module \
|
--with-http_perl_module=dynamic \
|
||||||
--with-mail \
|
--with-mail=dynamic \
|
||||||
--with-mail_ssl_module \
|
--with-mail_ssl_module \
|
||||||
--with-pcre \
|
--with-pcre \
|
||||||
--with-pcre-jit \
|
--with-pcre-jit \
|
||||||
|
--with-stream=dynamic \
|
||||||
|
--with-stream_ssl_module \
|
||||||
%if 0%{?with_gperftools}
|
%if 0%{?with_gperftools}
|
||||||
--with-google_perftools_module \
|
--with-google_perftools_module \
|
||||||
%endif
|
%endif
|
||||||
@ -178,27 +251,35 @@ find %{buildroot} -type f -name .packlist -exec rm -f '{}' \;
|
|||||||
find %{buildroot} -type f -name perllocal.pod -exec rm -f '{}' \;
|
find %{buildroot} -type f -name perllocal.pod -exec rm -f '{}' \;
|
||||||
find %{buildroot} -type f -empty -exec rm -f '{}' \;
|
find %{buildroot} -type f -empty -exec rm -f '{}' \;
|
||||||
find %{buildroot} -type f -iname '*.so' -exec chmod 0755 '{}' \;
|
find %{buildroot} -type f -iname '*.so' -exec chmod 0755 '{}' \;
|
||||||
|
|
||||||
install -p -D -m 0644 %{SOURCE10} \
|
install -p -D -m 0644 %{SOURCE10} \
|
||||||
%{buildroot}%{_unitdir}/nginx.service
|
%{buildroot}%{_unitdir}/nginx.service
|
||||||
|
|
||||||
install -p -D -m 0644 %{SOURCE11} \
|
install -p -D -m 0644 %{SOURCE11} \
|
||||||
%{buildroot}%{_sysconfdir}/logrotate.d/nginx
|
%{buildroot}%{_sysconfdir}/logrotate.d/nginx
|
||||||
|
|
||||||
install -p -d -m 0755 %{buildroot}%{nginx_confdir}/conf.d
|
install -p -d -m 0755 %{buildroot}%{_sysconfdir}/nginx/conf.d
|
||||||
install -p -d -m 0755 %{buildroot}%{nginx_confdir}/default.d
|
install -p -d -m 0755 %{buildroot}%{_sysconfdir}/nginx/default.d
|
||||||
install -p -d -m 0700 %{buildroot}%{nginx_home}
|
|
||||||
install -p -d -m 0700 %{buildroot}%{nginx_home_tmp}
|
install -p -d -m 0700 %{buildroot}%{_localstatedir}/lib/nginx
|
||||||
install -p -d -m 0700 %{buildroot}%{nginx_logdir}
|
install -p -d -m 0700 %{buildroot}%{_localstatedir}/lib/nginx/tmp
|
||||||
install -p -d -m 0755 %{buildroot}%{nginx_webroot}
|
install -p -d -m 0700 %{buildroot}%{_localstatedir}/log/nginx
|
||||||
|
|
||||||
|
install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/html
|
||||||
|
install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/modules
|
||||||
|
install -p -d -m 0755 %{buildroot}%{_libdir}/nginx/modules
|
||||||
|
|
||||||
install -p -m 0644 %{SOURCE12} \
|
install -p -m 0644 %{SOURCE12} \
|
||||||
%{buildroot}%{nginx_confdir}
|
%{buildroot}%{_sysconfdir}/nginx
|
||||||
install -p -m 0644 %{SOURCE100} \
|
install -p -m 0644 %{SOURCE100} \
|
||||||
%{buildroot}%{nginx_webroot}
|
%{buildroot}%{_datadir}/nginx/html
|
||||||
install -p -m 0644 %{SOURCE101} %{SOURCE102} \
|
install -p -m 0644 %{SOURCE101} %{SOURCE102} \
|
||||||
%{buildroot}%{nginx_webroot}
|
%{buildroot}%{_datadir}/nginx/html
|
||||||
install -p -m 0644 %{SOURCE103} %{SOURCE104} \
|
install -p -m 0644 %{SOURCE103} %{SOURCE104} \
|
||||||
%{buildroot}%{nginx_webroot}
|
%{buildroot}%{_datadir}/nginx/html
|
||||||
|
|
||||||
|
%if 0%{?with_mailcap_mimetypes}
|
||||||
|
rm -f %{buildroot}%{_sysconfdir}/nginx/mime.types
|
||||||
|
%endif
|
||||||
|
|
||||||
install -p -D -m 0644 %{_builddir}/nginx-%{version}/man/nginx.8 \
|
install -p -D -m 0644 %{_builddir}/nginx-%{version}/man/nginx.8 \
|
||||||
%{buildroot}%{_mandir}/man8/nginx.8
|
%{buildroot}%{_mandir}/man8/nginx.8
|
||||||
@ -211,17 +292,59 @@ for i in ftdetect indent syntax; do
|
|||||||
%{buildroot}%{_datadir}/vim/vimfiles/${i}/nginx.vim
|
%{buildroot}%{_datadir}/vim/vimfiles/${i}/nginx.vim
|
||||||
done
|
done
|
||||||
|
|
||||||
|
echo 'load_module "%{_libdir}/nginx/modules/ngx_http_geoip_module.so";' \
|
||||||
|
> %{buildroot}%{_datadir}/nginx/modules/mod-http-geoip.conf
|
||||||
|
echo 'load_module "%{_libdir}/nginx/modules/ngx_http_image_filter_module.so";' \
|
||||||
|
> %{buildroot}%{_datadir}/nginx/modules/mod-http-image-filter.conf
|
||||||
|
echo 'load_module "%{_libdir}/nginx/modules/ngx_http_perl_module.so";' \
|
||||||
|
> %{buildroot}%{_datadir}/nginx/modules/mod-http-perl.conf
|
||||||
|
echo 'load_module "%{_libdir}/nginx/modules/ngx_http_xslt_filter_module.so";' \
|
||||||
|
> %{buildroot}%{_datadir}/nginx/modules/mod-http-xslt-filter.conf
|
||||||
|
echo 'load_module "%{_libdir}/nginx/modules/ngx_mail_module.so";' \
|
||||||
|
> %{buildroot}%{_datadir}/nginx/modules/mod-mail.conf
|
||||||
|
echo 'load_module "%{_libdir}/nginx/modules/ngx_stream_module.so";' \
|
||||||
|
> %{buildroot}%{_datadir}/nginx/modules/mod-stream.conf
|
||||||
|
|
||||||
%pre filesystem
|
%pre filesystem
|
||||||
getent group %{nginx_group} > /dev/null || groupadd -r %{nginx_group}
|
getent group %{nginx_user} > /dev/null || groupadd -r %{nginx_user}
|
||||||
getent passwd %{nginx_user} > /dev/null || \
|
getent passwd %{nginx_user} > /dev/null || \
|
||||||
useradd -r -d %{nginx_home} -g %{nginx_group} \
|
useradd -r -d %{_localstatedir}/lib/nginx -g %{nginx_user} \
|
||||||
-s /sbin/nologin -c "Nginx web server" %{nginx_user}
|
-s /sbin/nologin -c "Nginx web server" %{nginx_user}
|
||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%systemd_post nginx.service
|
%systemd_post nginx.service
|
||||||
|
|
||||||
|
%post mod-http-geoip
|
||||||
|
if [ $1 -eq 1 ]; then
|
||||||
|
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
|
||||||
|
fi
|
||||||
|
|
||||||
|
%post mod-http-image-filter
|
||||||
|
if [ $1 -eq 1 ]; then
|
||||||
|
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
|
||||||
|
fi
|
||||||
|
|
||||||
|
%post mod-http-perl
|
||||||
|
if [ $1 -eq 1 ]; then
|
||||||
|
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
|
||||||
|
fi
|
||||||
|
|
||||||
|
%post mod-http-xslt-filter
|
||||||
|
if [ $1 -eq 1 ]; then
|
||||||
|
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
|
||||||
|
fi
|
||||||
|
|
||||||
|
%post mod-mail
|
||||||
|
if [ $1 -eq 1 ]; then
|
||||||
|
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
|
||||||
|
fi
|
||||||
|
|
||||||
|
%post mod-stream
|
||||||
|
if [ $1 -eq 1 ]; then
|
||||||
|
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
|
||||||
|
fi
|
||||||
|
|
||||||
%preun
|
%preun
|
||||||
%systemd_preun nginx.service
|
%systemd_preun nginx.service
|
||||||
|
|
||||||
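Review bot: The six `%post mod-*` scriptlets are identical copies and only act when `$1 -eq 1`, with all output and the exit status of the reload discarded. Two things to consider: there is no matching %postun, so removing a module package leaves the running server with the module still mapped until the next manual reload, and because the result is sent to /dev/null with `|| :`, an admin gets no signal at install time if the reload did not happen. A shared macro for the scriptlet body would also remove the duplication.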
@ -232,8 +355,12 @@ if [ $1 -ge 1 ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%doc LICENSE CHANGES README
|
%license LICENSE
|
||||||
%{nginx_datadir}/html/*
|
%doc CHANGES README README.fedora
|
||||||
|
%if 0%{rhel} == 7
|
||||||
|
%doc UPGRADE-NOTES-1.6-to-1.10
|
||||||
|
%endif
|
||||||
|
%{_datadir}/nginx/html/*
|
||||||
%{_bindir}/nginx-upgrade
|
%{_bindir}/nginx-upgrade
|
||||||
%{_sbindir}/nginx
|
%{_sbindir}/nginx
|
||||||
%{_datadir}/vim/vimfiles/ftdetect/nginx.vim
|
%{_datadir}/vim/vimfiles/ftdetect/nginx.vim
|
||||||
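Review bot: `%if 0%{rhel} == 7` in %files is missing the `?` that every other conditional in this spec uses. Where `rhel` is undefined the macro is left unexpanded and the expression does not evaluate as intended; it should read `%if 0%{?rhel} == 7`, matching the `cp %{SOURCE210} .` guard in %prep.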
@ -243,77 +370,151 @@ fi
|
|||||||
%{_mandir}/man8/nginx.8*
|
%{_mandir}/man8/nginx.8*
|
||||||
%{_mandir}/man8/nginx-upgrade.8*
|
%{_mandir}/man8/nginx-upgrade.8*
|
||||||
%{_unitdir}/nginx.service
|
%{_unitdir}/nginx.service
|
||||||
%config(noreplace) %{nginx_confdir}/fastcgi.conf
|
%config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf
|
||||||
%config(noreplace) %{nginx_confdir}/fastcgi.conf.default
|
%config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf.default
|
||||||
%config(noreplace) %{nginx_confdir}/fastcgi_params
|
%config(noreplace) %{_sysconfdir}/nginx/fastcgi_params
|
||||||
%config(noreplace) %{nginx_confdir}/fastcgi_params.default
|
%config(noreplace) %{_sysconfdir}/nginx/fastcgi_params.default
|
||||||
%config(noreplace) %{nginx_confdir}/koi-utf
|
%config(noreplace) %{_sysconfdir}/nginx/koi-utf
|
||||||
%config(noreplace) %{nginx_confdir}/koi-win
|
%config(noreplace) %{_sysconfdir}/nginx/koi-win
|
||||||
%config(noreplace) %{nginx_confdir}/mime.types
|
%if ! 0%{?with_mailcap_mimetypes}
|
||||||
%config(noreplace) %{nginx_confdir}/mime.types.default
|
%config(noreplace) %{_sysconfdir}/nginx/mime.types
|
||||||
%config(noreplace) %{nginx_confdir}/nginx.conf
|
%endif
|
||||||
%config(noreplace) %{nginx_confdir}/nginx.conf.default
|
%config(noreplace) %{_sysconfdir}/nginx/mime.types.default
|
||||||
%config(noreplace) %{nginx_confdir}/scgi_params
|
%config(noreplace) %{_sysconfdir}/nginx/nginx.conf
|
||||||
%config(noreplace) %{nginx_confdir}/scgi_params.default
|
%config(noreplace) %{_sysconfdir}/nginx/nginx.conf.default
|
||||||
%config(noreplace) %{nginx_confdir}/uwsgi_params
|
%config(noreplace) %{_sysconfdir}/nginx/scgi_params
|
||||||
%config(noreplace) %{nginx_confdir}/uwsgi_params.default
|
%config(noreplace) %{_sysconfdir}/nginx/scgi_params.default
|
||||||
%config(noreplace) %{nginx_confdir}/win-utf
|
%config(noreplace) %{_sysconfdir}/nginx/uwsgi_params
|
||||||
|
%config(noreplace) %{_sysconfdir}/nginx/uwsgi_params.default
|
||||||
|
%config(noreplace) %{_sysconfdir}/nginx/win-utf
|
||||||
%config(noreplace) %{_sysconfdir}/logrotate.d/nginx
|
%config(noreplace) %{_sysconfdir}/logrotate.d/nginx
|
||||||
|
%attr(700,%{nginx_user},%{nginx_user}) %dir %{_localstatedir}/lib/nginx
|
||||||
|
%attr(700,%{nginx_user},%{nginx_user}) %dir %{_localstatedir}/lib/nginx/tmp
|
||||||
|
%attr(700,%{nginx_user},%{nginx_user}) %dir %{_localstatedir}/log/nginx
|
||||||
|
%dir %{_libdir}/nginx/modules
|
||||||
|
|
||||||
|
%files all-modules
|
||||||
|
|
||||||
|
%files filesystem
|
||||||
|
%dir %{_datadir}/nginx
|
||||||
|
%dir %{_datadir}/nginx/html
|
||||||
|
%dir %{_sysconfdir}/nginx
|
||||||
|
%dir %{_sysconfdir}/nginx/conf.d
|
||||||
|
%dir %{_sysconfdir}/nginx/default.d
|
||||||
|
|
||||||
|
%files mod-http-geoip
|
||||||
|
%{_datadir}/nginx/modules/mod-http-geoip.conf
|
||||||
|
%{_libdir}/nginx/modules/ngx_http_geoip_module.so
|
||||||
|
|
||||||
|
%files mod-http-image-filter
|
||||||
|
%{_datadir}/nginx/modules/mod-http-image-filter.conf
|
||||||
|
%{_libdir}/nginx/modules/ngx_http_image_filter_module.so
|
||||||
|
|
||||||
|
%files mod-http-perl
|
||||||
|
%{_datadir}/nginx/modules/mod-http-perl.conf
|
||||||
|
%{_libdir}/nginx/modules/ngx_http_perl_module.so
|
||||||
%dir %{perl_vendorarch}/auto/nginx
|
%dir %{perl_vendorarch}/auto/nginx
|
||||||
%{perl_vendorarch}/nginx.pm
|
%{perl_vendorarch}/nginx.pm
|
||||||
%{perl_vendorarch}/auto/nginx/nginx.so
|
%{perl_vendorarch}/auto/nginx/nginx.so
|
||||||
%attr(700,%{nginx_user},%{nginx_group}) %dir %{nginx_home}
|
|
||||||
%attr(700,%{nginx_user},%{nginx_group}) %dir %{nginx_home_tmp}
|
|
||||||
%attr(700,%{nginx_user},%{nginx_group}) %dir %{nginx_logdir}
|
|
||||||
|
|
||||||
%files filesystem
|
%files mod-http-xslt-filter
|
||||||
%dir %{nginx_datadir}
|
%{_datadir}/nginx/modules/mod-http-xslt-filter.conf
|
||||||
%dir %{nginx_datadir}/html
|
%{_libdir}/nginx/modules/ngx_http_xslt_filter_module.so
|
||||||
%dir %{nginx_confdir}
|
|
||||||
%dir %{nginx_confdir}/conf.d
|
%files mod-mail
|
||||||
%dir %{nginx_confdir}/default.d
|
%{_datadir}/nginx/modules/mod-mail.conf
|
||||||
|
%{_libdir}/nginx/modules/ngx_mail_module.so
|
||||||
|
|
||||||
|
%files mod-stream
|
||||||
|
%{_datadir}/nginx/modules/mod-stream.conf
|
||||||
|
%{_libdir}/nginx/modules/ngx_stream_module.so
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue May 31 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-9
|
* Tue May 31 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.10.1-1
|
||||||
- fix CVE-2016-4450
|
- update to upstream release 1.10.1
|
||||||
|
|
||||||
* Tue Jan 26 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-8
|
* Sun May 15 2016 Jitka Plesnikova <jplesnik@redhat.com> - 1:1.10.0-4
|
||||||
|
- Perl 5.24 rebuild
|
||||||
|
|
||||||
|
* Sun May 8 2016 Peter Robinson <pbrobinson@fedoraproject.org> 1:1.10.0-3
|
||||||
|
- Enable AIO on aarch64 (rhbz 1258414)
|
||||||
|
|
||||||
|
* Wed Apr 27 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.10.0-2
|
||||||
|
- only Require nginx-all-modules for EPEL and current Fedora releases
|
||||||
|
|
||||||
|
* Wed Apr 27 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.10.0-1
|
||||||
|
- update to upstream release 1.10.0
|
||||||
|
- split dynamic modules into subpackages
|
||||||
|
- spec file cleanup
|
||||||
|
|
||||||
|
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.8.1-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jan 26 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.1-1
|
||||||
|
- update to upstream release 1.8.1
|
||||||
- CVE-2016-0747: Insufficient limits of CNAME resolution in resolver
|
- CVE-2016-0747: Insufficient limits of CNAME resolution in resolver
|
||||||
- CVE-2016-0746: Use-after-free during CNAME response processing in resolver
|
- CVE-2016-0746: Use-after-free during CNAME response processing in resolver
|
||||||
- CVE-2016-0742: Invalid pointer dereference in resolver
|
- CVE-2016-0742: Invalid pointer dereference in resolver
|
||||||
|
|
||||||
* Sun Oct 04 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-7
|
* Sun Oct 04 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-14
|
||||||
|
- consistently use '%%global with_foo' style of logic
|
||||||
- remove PID file before starting nginx (#1268621)
|
- remove PID file before starting nginx (#1268621)
|
||||||
|
|
||||||
* Fri Jul 03 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-6
|
* Fri Sep 25 2015 Ville Skyttä <ville.skytta@iki.fi> - 1:1.8.0-13
|
||||||
|
- Use nginx-mimetypes from mailcap (#1248736)
|
||||||
|
- Mark LICENSE as %%license
|
||||||
|
|
||||||
|
* Thu Sep 10 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-12
|
||||||
|
- also build with gperftools on aarch64 (#1258412)
|
||||||
|
|
||||||
|
* Wed Aug 12 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1:1.8.0-11
|
||||||
|
- nginx.conf: added commented-out SSL configuration directives (#1179232)
|
||||||
|
|
||||||
|
* Fri Jul 03 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-10
|
||||||
- switch back to /bin/kill in logrotate script due to SELinux denials
|
- switch back to /bin/kill in logrotate script due to SELinux denials
|
||||||
|
|
||||||
* Tue Jun 16 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-5
|
* Tue Jun 16 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-9
|
||||||
- set KillMode=process in systemd service file
|
- fix path to png in error pages (#1232277)
|
||||||
|
|
||||||
* Tue Jun 16 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-4
|
|
||||||
- fix path to png images in error pages (#1232277)
|
|
||||||
- optimize png images with optipng
|
- optimize png images with optipng
|
||||||
|
|
||||||
* Sun Jun 14 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-3
|
* Sun Jun 14 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-8
|
||||||
- replace /bin/kill with /usr/bin/systemctl kill in logrotate script (#1231543)
|
- replace /bin/kill with /usr/bin/systemctl kill in logrotate script (#1231543)
|
||||||
- remove After=syslog.target in nginx.service (#1231543)
|
- remove After=syslog.target in nginx.service (#1231543)
|
||||||
- replace ExecStop with KillSignal=SIGQUIT in nginx.service (#1231543)
|
- replace ExecStop with KillSignal=SIGQUIT in nginx.service (#1231543)
|
||||||
- remove KillMode=mixed as this is not supported on systemd v208
|
|
||||||
|
|
||||||
* Sun May 10 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-2
|
* Wed Jun 03 2015 Jitka Plesnikova <jplesnik@redhat.com> - 1:1.8.0-7
|
||||||
- improve nginx-upgrade
|
- Perl 5.22 rebuild
|
||||||
- run nginx-upgrade on package updates
|
|
||||||
|
* Sun May 10 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-6
|
||||||
|
- revert previous change
|
||||||
|
|
||||||
|
* Sun May 10 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-5
|
||||||
|
- move default server to default.conf (#1220094)
|
||||||
|
|
||||||
|
* Sun May 10 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-4
|
||||||
- add TimeoutStopSec=5 and KillMode=mixed to nginx.service
|
- add TimeoutStopSec=5 and KillMode=mixed to nginx.service
|
||||||
- remove some redundant files
|
- set worker_processes to auto
|
||||||
- add some common options to the http block in nginx.conf
|
- add some common options to the http block in nginx.conf
|
||||||
- listen on ipv6 for the default server (#1217081)
|
- run nginx-upgrade on package update
|
||||||
- remove redundant commands in %%post
|
- remove some redundant scriptlet commands
|
||||||
- add --with-pcre-jit to configure options
|
- listen on ipv6 for default server (#1217081)
|
||||||
|
|
||||||
* Thu Apr 09 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-1
|
* Wed Apr 22 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-3
|
||||||
- update to upstream release 1.6.3
|
- improve nginx-upgrade script
|
||||||
|
|
||||||
|
* Wed Apr 22 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-2
|
||||||
|
- add --with-pcre-jit
|
||||||
|
|
||||||
|
* Wed Apr 22 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-1
|
||||||
|
- update to upstream release 1.8.0
|
||||||
|
|
||||||
|
* Thu Apr 09 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.7.12-1
|
||||||
|
- update to upstream release 1.7.12
|
||||||
|
|
||||||
|
* Sun Feb 15 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.7.10-1
|
||||||
|
- update to upstream release 1.7.10
|
||||||
|
- remove systemd conditionals
|
||||||
|
|
||||||
* Wed Oct 22 2014 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.2-4
|
* Wed Oct 22 2014 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.2-4
|
||||||
- fix package ownership of directories
|
- fix package ownership of directories
|
||||||
|
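Review bot: In the new %files sections, `%{_datadir}/nginx/modules` is created in %install and is where every mod-* package drops its `load_module` snippet, yet no package lists it with `%dir`; likewise only `%dir %{_libdir}/nginx/modules` is owned, not its parent `%{_libdir}/nginx`. Unowned directories are not covered by `rpm -V`, so the ownership and mode of the directory that nginx.conf includes wholesale cannot be verified from the package database. Adding `%dir %{_datadir}/nginx/modules` and `%dir %{_libdir}/nginx` to the main package would close that gap.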