diff --git a/0001-remove-Werror-in-upstream-build-scripts.patch b/0001-remove-Werror-in-upstream-build-scripts.patch index b23f719..2695031 100644 --- a/0001-remove-Werror-in-upstream-build-scripts.patch +++ b/0001-remove-Werror-in-upstream-build-scripts.patch @@ -1,7 +1,7 @@ From 00cab63102084b89de0a3494a1d023c4b1d4982b Mon Sep 17 00:00:00 2001 From: Felix Kaechele Date: Sun, 7 Jun 2020 12:14:02 -0400 -Subject: [PATCH 1/3] remove Werror in upstream build scripts +Subject: [PATCH 1/2] remove Werror in upstream build scripts removes -Werror in upstream build scripts. -Werror conflicts with -D_FORTIFY_SOURCE=2 causing warnings to turn into errors. diff --git a/0002-change-logs-permissions-to-664.patch b/0002-change-logs-permissions-to-664.patch deleted file mode 100644 index d6b9017..0000000 --- a/0002-change-logs-permissions-to-664.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 4efd7b508fa018ca9def7f42c5887cf85bf2c23d Mon Sep 17 00:00:00 2001 -From: Felix Kaechele -Date: Sun, 7 Jun 2020 12:14:54 -0400 -Subject: [PATCH 2/3] change logs permissions to 664 - -This patch is carried downstream only. - -Signed-off-by: Felix Kaechele ---- - src/core/ngx_cycle.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/core/ngx_cycle.c b/src/core/ngx_cycle.c -index 6978c3e..1e2071c 100644 ---- a/src/core/ngx_cycle.c -+++ b/src/core/ngx_cycle.c -@@ -1195,7 +1195,7 @@ ngx_reopen_files(ngx_cycle_t *cycle, ngx_uid_t user) - } - - fd = ngx_open_file(file[i].name.data, NGX_FILE_APPEND, -- NGX_FILE_CREATE_OR_OPEN, NGX_FILE_DEFAULT_ACCESS); -+ NGX_FILE_CREATE_OR_OPEN, NGX_FILE_DEFAULT_ACCESS | 0220); - - ngx_log_debug3(NGX_LOG_DEBUG_EVENT, cycle->log, 0, - "reopen file \"%s\", old:%d new:%d", --- -2.31.1 - diff --git a/0003-fix-PIDFile-handling.patch b/0002-fix-PIDFile-handling.patch similarity index 96% rename from 0003-fix-PIDFile-handling.patch rename to 0002-fix-PIDFile-handling.patch index 7690dbc..5748b63 100644 --- a/0003-fix-PIDFile-handling.patch 
+++ b/0002-fix-PIDFile-handling.patch @@ -1,7 +1,7 @@ -From 5cfdf8607de1113d1dbbe1018030dc58aa7bbc0a Mon Sep 17 00:00:00 2001 +From 62470498cca9a209aa9904668c1949f5229123af Mon Sep 17 00:00:00 2001 From: Felix Kaechele Date: Tue, 20 Apr 2021 21:28:18 -0400 -Subject: [PATCH 3/3] fix PIDFile handling +Subject: [PATCH 2/2] fix PIDFile handling Corresponding RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1869026 diff --git a/nginx.conf b/nginx.conf index f85920a..3cfe698 100644 --- a/nginx.conf +++ b/nginx.conf @@ -45,11 +45,11 @@ http { include /etc/nginx/default.d/*.conf; error_page 404 /404.html; - location = /40x.html { + location = /404.html { } error_page 500 502 503 504 /50x.html; - location = /50x.html { + location = /50x.html { } } diff --git a/nginx.logrotate b/nginx.logrotate index 353da6e..7f8b0a9 100644 --- a/nginx.logrotate +++ b/nginx.logrotate @@ -1,5 +1,4 @@ /var/log/nginx/*log { - create 0664 nginx root daily rotate 10 missingok diff --git a/nginx.service b/nginx.service index 6f5792e..b8e73a5 100644 --- a/nginx.service +++ b/nginx.service @@ -12,7 +12,7 @@ PIDFile=/run/nginx.pid ExecStartPre=/usr/bin/rm -f /run/nginx.pid ExecStartPre=/usr/sbin/nginx -t ExecStart=/usr/sbin/nginx -ExecReload=/bin/kill -s HUP $MAINPID +ExecReload=/usr/sbin/nginx -s reload KillSignal=SIGQUIT TimeoutStopSec=5 KillMode=mixed diff --git a/nginx.spec b/nginx.spec index 59bb9b3..5156f2b 100644 --- a/nginx.spec +++ b/nginx.spec @@ -29,7 +29,7 @@ Name: nginx Epoch: 1 Version: 1.20.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A high performance web server and reverse proxy server # BSD License (two clause) 
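Review bot: In the nginx.service hunk, the new `ExecReload=/usr/sbin/nginx -s reload` signals whatever PID the configured pid file holds rather than the systemd-tracked `$MAINPID`, so a reload now depends on `/run/nginx.pid` being present and current. That file is already the subject of the carried PIDFile patch (rhbz#1869026) and is deleted by `ExecStartPre`. It would also stop matching `PIDFile=` if an administrator changes the `pid` directive in nginx.conf. If the aim is only to validate the configuration before reloading (rhbz#1565377), two commands keep the signal on the tracked process: `ExecReload=/usr/sbin/nginx -t` followed by `ExecReload=/bin/kill -s HUP $MAINPID`.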
@@ -58,13 +58,9 @@ Source210: UPGRADE-NOTES-1.6-to-1.10 # -D_FORTIFY_SOURCE=2 causing warnings to turn into errors. Patch0: 0001-remove-Werror-in-upstream-build-scripts.patch -# downstream patch - changing logs permissions to 664 instead -# previous 644 -Patch1: 0002-change-logs-permissions-to-664.patch - # downstream patch - fix PIDFile race condition (rhbz#1869026) # rejected upstream: https://trac.nginx.org/nginx/ticket/1897 -Patch2: 0003-fix-PIDFile-handling.patch +Patch1: 0002-fix-PIDFile-handling.patch BuildRequires: make BuildRequires: gcc @@ -72,8 +68,12 @@ BuildRequires: gnupg2 %if 0%{?with_gperftools} BuildRequires: gperftools-devel %endif +%if 0%{?fedora} || 0%{?rhel} >= 8 BuildRequires: openssl-devel -BuildRequires: pcre2-devel +%else +BuildRequires: openssl11-devel +%endif +BuildRequires: pcre-devel BuildRequires: zlib-devel Requires: nginx-filesystem = %{epoch}:%{version}-%{release} @@ -88,11 +88,6 @@ Obsoletes: nginx-mod-http-geoip <= 1:1.16 Requires: system-logos-httpd %endif -%if 0%{?rhel} > 0 && 0%{?rhel} < 8 -# Introduced at 1:1.10.0-1 to ease upgrade path. To be removed later. -Requires: nginx-all-modules = %{epoch}:%{version}-%{release} -%endif - Requires: openssl Requires: pcre Requires(pre): nginx-filesystem @@ -100,7 +95,9 @@ Requires(pre): nginx-filesystem Requires: nginx-mimetypes %endif Provides: webserver +%if 0%{?fedora} || 0%{?rhel} >= 8 Recommends: logrotate +%endif BuildRequires: systemd Requires(post): systemd @@ -207,6 +204,13 @@ sed -i -e 's#KillMode=.*#KillMode=process#g' nginx.service sed -i -e 's#PROFILE=SYSTEM#HIGH:!aNULL:!MD5#' nginx.conf %endif +%if 0%{?rhel} == 7 +sed \ + -e 's|\(ngx_feature_path=\)$|\1%{_includedir}/openssl11|' \ + -e 's|\(ngx_feature_libs="\)|\1-L%{_libdir}/openssl11 |' \ + -i auto/lib/openssl/conf +%endif + %build # nginx does not utilize a standard configure script. It has its own 
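Review bot: In the `@@ -100,7 +95,9 @@` hunk, guarding `Recommends: logrotate` with `%if 0%{?fedora} || 0%{?rhel} >= 8` leaves EL7 builds with no dependency on logrotate at all, although the `%files` context later in this diff still ships `%{_sysconfdir}/logrotate.d/nginx`. If EL7 installs are expected to rotate logs, add an `%else` branch with `Requires: logrotate` so the shipped rotation rule cannot end up installed without the tool that runs it. Otherwise a short comment such as `# weak dependencies are not available on EL7` would explain why the branch is empty.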
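Review bot: The EL7 block added in the `@@ -207,6 +204,13 @@` hunk rewrites `auto/lib/openssl/conf` with `sed`, which exits successfully even when neither pattern (`ngx_feature_path=` at end of line, `ngx_feature_libs="`) matches. If a later nginx release changes that file, the redirect to `openssl11` would be dropped silently. Depending on what else is in the buildroot, the build would then either fail later in configure or pick up the distribution's default OpenSSL instead. A guard before the `%endif` makes the failure immediate: `grep -q openssl11 auto/lib/openssl/conf || exit 1`. A one-line comment naming the reason for the rewrite (EL7 builds against the `openssl11` compat package) would also help the next maintainer.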
@@ -262,7 +266,6 @@ if ! ./configure \ --with-http_sub_module \ --with-http_v2_module \ --with-http_xslt_module=dynamic \ - --with-ipv6 \ --with-mail=dynamic \ --with-mail_ssl_module \ --with-pcre \ @@ -453,7 +456,7 @@ fi %config(noreplace) %{_sysconfdir}/logrotate.d/nginx %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx/tmp -%attr(770,%{nginx_user},root) %dir %{_localstatedir}/log/nginx +%dir %{_localstatedir}/log/nginx %dir %{_libdir}/nginx/modules %files all-modules @@ -498,6 +501,15 @@ fi %changelog +* Wed Apr 21 2021 Felix Kaechele - 1:1.20.0-2 +- sync rawhide and EPEL7 spec files again +- systemd service reload now checks config file (rhbz#1565377) +- drop nginx requirement on nginx-all-modules (rhbz#1708799) +- let nginx handle log creation on logrotate (rhbz#1683388) +- have log directory owned by root (rhbz#1390183, CVE-2016-1247) +- remove obsolete --with-ipv6 (src PR#8) +- correction: pcre2 is actually not supported by nginx, reintroduce pcre + * Wed Apr 21 2021 Felix Kaechele - 1:1.20.0-1 - update to 1.20.0 - sync with mainline spec file
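Review bot: In the `@@ -453,7 +456,7 @@` hunk, the new `%dir %{_localstatedir}/log/nginx` entry drops `%attr` entirely. The owner and mode that the changelog ties to CVE-2016-1247 therefore come from `%defattr` and from however `%install` creates the directory, and neither is visible here. Stating them explicitly keeps the property reviewable and stable against later `%install` edits, for example `%attr(0755,root,root) %dir %{_localstatedir}/log/nginx` (choose a tighter mode if log file names should not be listable). Log files already created under the removed `create 0664 nginx root` logrotate rule presumably keep their old owner and mode after an upgrade, so it is worth confirming whether a `%post` fix-up or an upgrade note is needed.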