import nginx-1.14.1-9.module+el8.0.0+4108+af250afe

This commit is contained in:
CentOS Sources 2021-01-09 00:14:16 +00:00 committed by root
commit 603665f835
23 changed files with 2094 additions and 0 deletions

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
SOURCES/nginx-1.14.1.tar.gz
SOURCES/poweredby.png

2
.nginx.metadata Normal file
View File

@ -0,0 +1,2 @@
a9dc8c5b055a3f0021d09c112d27422f45dd439c SOURCES/nginx-1.14.1.tar.gz
2ec82988cd0d9b1304c95a16b28eff70f0f69abc SOURCES/poweredby.png

View File

@ -0,0 +1,30 @@
From f446736d4f4c5f7ae81bb8bf84fda7ce3c9d49a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
Date: Wed, 24 Jan 2018 12:37:48 +0100
Subject: [PATCH] unix/ngx_user: Apply fix for really old bug in glibc libcrypt
if needed
---
src/os/unix/ngx_user.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/os/unix/ngx_user.c b/src/os/unix/ngx_user.c
index 7ebe2b57..d0fe9238 100644
--- a/src/os/unix/ngx_user.c
+++ b/src/os/unix/ngx_user.c
@@ -21,8 +21,10 @@ ngx_libc_crypt(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted)
struct crypt_data cd;
cd.initialized = 0;
-#ifdef __GLIBC__
- /* work around the glibc bug */
+#if (defined(__GLIBC__) && __GLIBC__ == 2) && \
+ (defined(__GLIBC_MINOR__) && __GLIBC_MINOR__ >= 2 && __GLIBC_MINOR__ < 4)
+ /* work around glibc-2.2.5 bug,
+ * has been fixed at some time in glibc-2.3.X */
cd.current_salt[0] = ~salt[0];
#endif
--
2.16.1

120
SOURCES/404.html Normal file
View File

@ -0,0 +1,120 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>The page is not found</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
/*<![CDATA[*/
body {
background-color: #fff;
color: #000;
font-size: 0.9em;
font-family: sans-serif,helvetica;
margin: 0;
padding: 0;
}
:link {
color: #c00;
}
:visited {
color: #c00;
}
a:hover {
color: #f50;
}
h1 {
text-align: center;
margin: 0;
padding: 0.6em 2em 0.4em;
background-color: #900;
color: #fff;
font-weight: normal;
font-size: 1.75em;
border-bottom: 2px solid #000;
}
h1 strong {
font-weight: bold;
font-size: 1.5em;
}
h2 {
text-align: center;
background-color: #900;
font-size: 1.1em;
font-weight: bold;
color: #fff;
margin: 0;
padding: 0.5em;
border-bottom: 2px solid #000;
}
h3 {
text-align: center;
background-color: #ff0000;
padding: 0.5em;
color: #fff;
}
hr {
display: none;
}
.content {
padding: 1em 5em;
}
.alert {
border: 2px solid #000;
}
img {
border: 2px solid #fff;
padding: 2px;
margin: 2px;
}
a:hover img {
border: 2px solid #294172;
}
.logos {
margin: 1em;
text-align: center;
}
/*]]>*/
</style>
</head>
<body>
<h1><strong>nginx error!</strong></h1>
<div class="content">
<h3>The page you are looking for is not found.</h3>
<div class="alert">
<h2>Website Administrator</h2>
<div class="content">
<p>Something has triggered missing webpage on your
website. This is the default 404 error page for
<strong>nginx</strong> that is distributed with
Red Hat Enterprise Linux. It is located
<tt>/usr/share/nginx/html/404.html</tt></p>
<p>You should customize this error page for your own
site or edit the <tt>error_page</tt> directive in
the <strong>nginx</strong> configuration file
<tt>/etc/nginx/nginx.conf</tt>.</p>
<p>For information on Red Hat Enterprise Linux, please visit the <a href="http://www.redhat.com/">Red Hat, Inc. website</a>. The documentation for Red Hat Enterprise Linux is <a href="http://www.redhat.com/docs/manuals/enterprise/">available on the Red Hat, Inc. website</a>.</p>
</div>
</div>
<div class="logos">
<a href="http://nginx.net/"><img
src="nginx-logo.png"
alt="[ Powered by nginx ]"
width="121" height="32" /></a>
<a href="http://www.redhat.com/"><img
src="poweredby.png"
alt="[ Powered by Red Hat Enterprise Linux ]"
width="88" height="31" /></a>
</div>
</div>
</body>
</html>

120
SOURCES/50x.html Normal file
View File

@ -0,0 +1,120 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>The page is temporarily unavailable</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
/*<![CDATA[*/
body {
background-color: #fff;
color: #000;
font-size: 0.9em;
font-family: sans-serif,helvetica;
margin: 0;
padding: 0;
}
:link {
color: #c00;
}
:visited {
color: #c00;
}
a:hover {
color: #f50;
}
h1 {
text-align: center;
margin: 0;
padding: 0.6em 2em 0.4em;
background-color: #900;
color: #fff;
font-weight: normal;
font-size: 1.75em;
border-bottom: 2px solid #000;
}
h1 strong {
font-weight: bold;
font-size: 1.5em;
}
h2 {
text-align: center;
background-color: #900;
font-size: 1.1em;
font-weight: bold;
color: #fff;
margin: 0;
padding: 0.5em;
border-bottom: 2px solid #000;
}
h3 {
text-align: center;
background-color: #ff0000;
padding: 0.5em;
color: #fff;
}
hr {
display: none;
}
.content {
padding: 1em 5em;
}
.alert {
border: 2px solid #000;
}
img {
border: 2px solid #fff;
padding: 2px;
margin: 2px;
}
a:hover img {
border: 2px solid #294172;
}
.logos {
margin: 1em;
text-align: center;
}
/*]]>*/
</style>
</head>
<body>
<h1><strong>nginx error!</strong></h1>
<div class="content">
<h3>The page you are looking for is temporarily unavailable. Please try again later.</h3>
<div class="alert">
<h2>Website Administrator</h2>
<div class="content">
<p>Something has triggered missing webpage on your
website. This is the default error page for
<strong>nginx</strong> that is distributed with
Red Hat Enterprise Linux. It is located
<tt>/usr/share/nginx/html/50x.html</tt></p>
<p>You should customize this error page for your own
site or edit the <tt>error_page</tt> directive in
the <strong>nginx</strong> configuration file
<tt>/etc/nginx/nginx.conf</tt>.</p>
<p>For information on Red Hat Enterprise Linux, please visit the <a href="http://www.redhat.com/">Red Hat, Inc. website</a>. The documentation for Red Hat Enterprise Linux is <a href="http://www.redhat.com/docs/manuals/enterprise/">available on the Red Hat, Inc. website</a>.</p>
</div>
</div>
<div class="logos">
<a href="http://nginx.net/"><img
src="nginx-logo.png"
alt="[ Powered by nginx ]"
width="121" height="32" /></a>
<a href="http://www.redhat.com/"><img
src="poweredby.png"
alt="[ Powered by Red Hat Enterprise Linux ]"
width="88" height="31" /></a>
</div>
</div>
</body>
</html>

20
SOURCES/README.dynamic Normal file
View File

@ -0,0 +1,20 @@
###############
Dynamic modules
###############
Dynamic modules are loaded using the "load_modules" directive. The RPM package
for each module has a '.conf' file in the /usr/share/nginx/modules directory.
The '.conf' file contains a single "load_modules" directive.
This means that whenever a new dynamic module is installed, it will
automatically be enabled and Nginx will be reloaded.
--------------------------------------------------------
Prevent dynamic modules from being enabled automatically
--------------------------------------------------------
You may want to avoid dynamic modules being enabled automatically. Simply
remove this line from the top of /etc/nginx/nginx.conf:
include /usr/lib64/nginx/modules/*.conf;

View File

@ -0,0 +1,88 @@
#############
Upgrade notes
#############
To resolve numerous security flaws, the nginx package was updated to 1.10.x.
You should review your configuration files in /etc/nginx to determine if there
are any incompatibilities. Below is a summary of the main incompatible changes.
Some nginx directives have been changed or removed, so you may need to modify
your configuration.
Please see upstream release notes for a complete list of new features,
bug fixes, and changes: http://nginx.org/en/CHANGES-1.10
One notable feature is support for HTTP/2.
Nginx gained support for dynamic modules. As part of this update, dynamic
modules have been split into subpackages. For the time being these are hard
dependencies to aid the upgrade path. When you install nginx, all of these
modules are installed and enabled by default:
- nginx-mod-http-geoip
- nginx-mod-http-image-filter
- nginx-mod-http-perl
- nginx-mod-http-xslt-filter
- nginx-mod-mail
- nginx-mod-stream
Changes with nginx 1.10.x
*) Change: non-idempotent requests (POST, LOCK, PATCH) are no longer
passed to the next server by default if a request has been sent to a
backend; the "non_idempotent" parameter of the "proxy_next_upstream"
directive explicitly allows retrying such requests.
*) Change: now the "output_buffers" directive uses two buffers by
default.
*) Change: now nginx limits subrequests recursion, not simultaneous
subrequests.
*) Change: now nginx checks the whole cache key when returning a
response from cache.
Thanks to Gena Makhomed and Sergey Brester.
*) Change: the "proxy_downstream_buffer" and "proxy_upstream_buffer"
directives of the stream module are replaced with the
"proxy_buffer_size" directive.
*) Change: duplicate "http", "mail", and "stream" blocks are now
disallowed.
*) Change: now SSLv3 protocol is disabled by default.
*) Change: some long deprecated directives are not supported anymore.
*) Change: obsolete aio and rtsig event methods have been removed.
Changes with nginx 1.8.x
*) Change: the "sendfile" parameter of the "aio" directive is
deprecated; now nginx automatically uses AIO to pre-load data for
sendfile if both "aio" and "sendfile" directives are used.
*) Change: now the "If-Modified-Since", "If-Range", etc. client request
header lines are passed to a backend while caching if nginx knows in
advance that the response will not be cached (e.g., when using
proxy_cache_min_uses).
*) Change: now after proxy_cache_lock_timeout nginx sends a request to a
backend with caching disabled; the new directives
"proxy_cache_lock_age", "fastcgi_cache_lock_age",
"scgi_cache_lock_age", and "uwsgi_cache_lock_age" specify a time
after which the lock will be released and another attempt to cache a
response will be made.
*) Change: the "log_format" directive can now be used only at http
level.
*) Change: now nginx takes into account the "Vary" header line in a
backend response while caching.
*) Change: the deprecated "limit_zone" directive is not supported
anymore.
*) Change: now the "stub_status" directive does not require a parameter.
*) Change: URI escaping now uses uppercase hexadecimal digits.
Thanks to Piotr Sikora.

117
SOURCES/index.html Normal file
View File

@ -0,0 +1,117 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
/*<![CDATA[*/
body {
background-color: #fff;
color: #000;
font-size: 0.9em;
font-family: sans-serif,helvetica;
margin: 0;
padding: 0;
}
:link {
color: #c00;
}
:visited {
color: #c00;
}
a:hover {
color: #f50;
}
h1 {
text-align: center;
margin: 0;
padding: 0.6em 2em 0.4em;
background-color: #900;
color: #fff;
font-weight: normal;
font-size: 1.75em;
border-bottom: 2px solid #000;
}
h1 strong {
font-weight: bold;
font-size: 1.5em;
}
h2 {
text-align: center;
background-color: #900;
font-size: 1.1em;
font-weight: bold;
color: #fff;
margin: 0;
padding: 0.5em;
border-bottom: 2px solid #000;
}
hr {
display: none;
}
.content {
padding: 1em 5em;
}
.alert {
border: 2px solid #000;
}
img {
border: 2px solid #fff;
padding: 2px;
margin: 2px;
}
a:hover img {
border: 2px solid #294172;
}
.logos {
margin: 1em;
text-align: center;
}
/*]]>*/
</style>
</head>
<body>
<h1>Welcome to <strong>nginx</strong> on Red Hat Enterprise Linux!</h1>
<div class="content">
<p>This page is used to test the proper operation of the
<strong>nginx</strong> HTTP server after it has been
installed. If you can read this page, it means that the
web server installed at this site is working
properly.</p>
<div class="alert">
<h2>Website Administrator</h2>
<div class="content">
<p>This is the default <tt>index.html</tt> page that
is distributed with <strong>nginx</strong> on
Red Hat Enterprise Linux. It is located in
<tt>/usr/share/nginx/html</tt>.</p>
<p>You should now put your content in a location of
your choice and edit the <tt>root</tt> configuration
directive in the <strong>nginx</strong>
configuration file
<tt>/etc/nginx/nginx.conf</tt>.</p>
<p>For information on Red Hat Enterprise Linux, please visit the <a href="http://www.redhat.com/">Red Hat, Inc. website</a>. The documentation for Red Hat Enterprise Linux is <a href="http://www.redhat.com/docs/manuals/enterprise/">available on the Red Hat, Inc. website</a>.</p>
</div>
</div>
<div class="logos">
<a href="http://nginx.net/"><img
src="nginx-logo.png"
alt="[ Powered by nginx ]"
width="121" height="32" /></a>
<a href="http://www.redhat.com/"><img
src="poweredby.png"
alt="[ Powered by Red Hat Enterprise Linux ]"
width="88" height="31" /></a>
</div>
</div>
</body>
</html>

View File

@ -0,0 +1,13 @@
diff --git a/src/core/ngx_cycle.c b/src/core/ngx_cycle.c
index aee7a58..bcceecb 100644
--- a/src/core/ngx_cycle.c
+++ b/src/core/ngx_cycle.c
@@ -1108,7 +1108,7 @@ ngx_reopen_files(ngx_cycle_t *cycle, ngx_uid_t user)
}
fd = ngx_open_file(file[i].name.data, NGX_FILE_APPEND,
- NGX_FILE_CREATE_OR_OPEN, NGX_FILE_DEFAULT_ACCESS);
+ NGX_FILE_CREATE_OR_OPEN, NGX_FILE_DEFAULT_ACCESS | 0220);
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, cycle->log, 0,
"reopen file \"%s\", old:%d new:%d",

View File

@ -0,0 +1,42 @@
# HG changeset patch
# User Anderson Sasaki <ansasaki@redhat.com>
# Date 1533742801 -7200
# Wed Aug 08 17:40:01 2018 +0200
# Node ID ae457c9b2967da1b05aefcf1e81c099e9375c0d7
# Parent ba971deb4b447662e3c47fcc860b34d43469162a
SSL: added ENGINE_init() call before loading key.
It is necessary to call ENGINE_init() before using an OpenSSL engine
to get the engine functional reference. Without this, when
ENGINE_load_private_key() is called, the engine is still uninitialized.
diff -r ba971deb4b44 -r ae457c9b2967 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Tue Aug 07 02:16:07 2018 +0300
+++ b/src/event/ngx_event_openssl.c Wed Aug 08 17:40:01 2018 +0200
@@ -533,6 +533,13 @@
return NGX_ERROR;
}
+ if (!ENGINE_init(engine)) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "ENGINE_init(\"%s\") failed", p);
+ ENGINE_free(engine);
+ return NGX_ERROR;
+ }
+
*last++ = ':';
pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
@@ -540,10 +547,12 @@
if (pkey == NULL) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"ENGINE_load_private_key(\"%s\") failed", last);
+ ENGINE_finish(engine);
ENGINE_free(engine);
return NGX_ERROR;
}
+ ENGINE_finish(engine);
ENGINE_free(engine);
if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) {

View File

@ -0,0 +1,70 @@
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 12214e1..3b7f892 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -4335,6 +4335,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc)
*/
pool = stream->pool;
+ h2c->frames -= stream->frames;
+
ngx_http_free_request(stream->request, rc);
if (pool != h2c->state.pool) {
diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
index bec2216..715b7d3 100644
--- a/src/http/v2/ngx_http_v2.h
+++ b/src/http/v2/ngx_http_v2.h
@@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s {
ngx_buf_t *preread;
+ ngx_uint_t frames;
+
ngx_http_v2_out_frame_t *free_frames;
ngx_chain_t *free_frame_headers;
ngx_chain_t *free_bufs;
diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
index 029e8ec..c7ee553 100644
--- a/src/http/v2/ngx_http_v2_filter_module.c
+++ b/src/http/v2/ngx_http_v2_filter_module.c
@@ -1661,22 +1661,34 @@ static ngx_http_v2_out_frame_t *
ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream,
size_t len, ngx_chain_t *first, ngx_chain_t *last)
{
- u_char flags;
- ngx_buf_t *buf;
- ngx_chain_t *cl;
- ngx_http_v2_out_frame_t *frame;
+ u_char flags;
+ ngx_buf_t *buf;
+ ngx_chain_t *cl;
+ ngx_http_v2_out_frame_t *frame;
+ ngx_http_v2_connection_t *h2c;
frame = stream->free_frames;
+ h2c = stream->connection;
if (frame) {
stream->free_frames = frame->next;
- } else {
+ } else if (h2c->frames < 10000) {
frame = ngx_palloc(stream->request->pool,
sizeof(ngx_http_v2_out_frame_t));
if (frame == NULL) {
return NULL;
}
+
+ stream->frames++;
+ h2c->frames++;
+
+ } else {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "http2 flood detected");
+
+ h2c->connection->error = 1;
+ return NULL;
}
flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0;

View File

@ -0,0 +1,47 @@
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 3b7f892..0aaea47 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -275,6 +275,7 @@ ngx_http_v2_init(ngx_event_t *rev)
h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);
h2c->concurrent_pushes = h2scf->concurrent_pushes;
+ h2c->priority_limit = h2scf->concurrent_streams;
h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
if (h2c->pool == NULL) {
@@ -1798,6 +1799,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos,
return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR);
}
+ if (--h2c->priority_limit == 0) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "client sent too many PRIORITY frames");
+
+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM);
+ }
+
if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) {
return ngx_http_v2_state_save(h2c, pos, end,
ngx_http_v2_state_priority);
@@ -3112,6 +3120,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c, ngx_uint_t push)
h2c->processing++;
}
+ h2c->priority_limit += h2scf->concurrent_streams;
+
return stream;
}
diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
index 715b7d3..69d55d1 100644
--- a/src/http/v2/ngx_http_v2.h
+++ b/src/http/v2/ngx_http_v2.h
@@ -122,6 +122,7 @@ struct ngx_http_v2_connection_s {
ngx_uint_t processing;
ngx_uint_t frames;
ngx_uint_t idle;
+ ngx_uint_t priority_limit;
ngx_uint_t pushing;
ngx_uint_t concurrent_pushes;

View File

@ -0,0 +1,30 @@
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 0aaea47..fd6ecb0 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -1549,6 +1549,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
header->name.len = h2c->state.field_end - h2c->state.field_start;
header->name.data = h2c->state.field_start;
+ if (header->name.len == 0) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "client sent zero header name length");
+
+ return ngx_http_v2_connection_error(h2c,
+ NGX_HTTP_V2_PROTOCOL_ERROR);
+ }
+
return ngx_http_v2_state_field_len(h2c, pos, end);
}
@@ -3259,10 +3267,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
ngx_uint_t i;
ngx_http_core_srv_conf_t *cscf;
- if (header->name.len == 0) {
- return NGX_ERROR;
- }
-
r->invalid_header = 0;
cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);

View File

@ -0,0 +1,147 @@
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 570abd7..ac37936 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -232,6 +232,8 @@ ngx_ssl_init(ngx_log_t *log)
ngx_int_t
ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
{
+ ngx_uint_t prot = NGX_SSL_NO_PROT;
+
ssl->ctx = SSL_CTX_new(SSLv23_method());
if (ssl->ctx == NULL) {
@@ -296,39 +298,53 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
-#ifdef SSL_CTRL_CLEAR_OPTIONS
- /* only in 0.9.8m+ */
- SSL_CTX_clear_options(ssl->ctx,
- SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
+ if (protocols){
+#ifdef SSL_OP_NO_TLSv1_3
+ if (protocols & NGX_SSL_TLSv1_3) {
+ prot = TLS1_3_VERSION;
+ } else
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+ if (protocols & NGX_SSL_TLSv1_2) {
+ prot = TLS1_2_VERSION;
+ } else
+#endif
+#ifdef SSL_OP_NO_TLSv1_1
+ if (protocols & NGX_SSL_TLSv1_1) {
+ prot = TLS1_1_VERSION;
+ } else
#endif
+ if (protocols & NGX_SSL_TLSv1) {
+ prot = TLS1_VERSION;
+ }
- if (!(protocols & NGX_SSL_SSLv2)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
- }
- if (!(protocols & NGX_SSL_SSLv3)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
- }
- if (!(protocols & NGX_SSL_TLSv1)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
- }
+ if (prot == NGX_SSL_NO_PROT) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "No SSL protocols available [hint: ssl_protocols]");
+ return NGX_ERROR;
+ }
+
+ SSL_CTX_set_max_proto_version(ssl->ctx, prot);
+
+ /* Now, we have to scan for minimal protocol version,
+ *without allowing holes between min and max*/
+#if SSL_OP_NO_TLSv1_3
+ if ((prot == TLS1_3_VERSION) && (protocols & NGX_SSL_TLSv1_2)) {
+ prot = TLS1_2_VERSION;
+ }
+#endif
#ifdef SSL_OP_NO_TLSv1_1
- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
- if (!(protocols & NGX_SSL_TLSv1_1)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
- }
+ if ((prot == TLS1_2_VERSION) && (protocols & NGX_SSL_TLSv1_1)) {
+ prot = TLS1_1_VERSION;
+ }
#endif
#ifdef SSL_OP_NO_TLSv1_2
- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
- if (!(protocols & NGX_SSL_TLSv1_2)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
- }
+ if ((prot == TLS1_1_VERSION) && (protocols & NGX_SSL_TLSv1)) {
+ prot = TLS1_VERSION;
+ }
#endif
-#ifdef SSL_OP_NO_TLSv1_3
- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
- if (!(protocols & NGX_SSL_TLSv1_3)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
+ SSL_CTX_set_min_proto_version(ssl->ctx, prot);
}
-#endif
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 623d851..6f3d7ee 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -132,6 +132,7 @@ typedef struct {
#endif
+#define NGX_SSL_NO_PROT 0x0000
#define NGX_SSL_SSLv2 0x0002
#define NGX_SSL_SSLv3 0x0004
#define NGX_SSL_TLSv1 0x0008
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index 7d62176..f9ef07d 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -590,8 +588,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
prev->prefer_server_ciphers, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
+ 0)
ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
NGX_SSL_BUFSIZE);
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
index aebd179..50c7023 100644
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -285,8 +283,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
prev->prefer_server_ciphers, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
+ 0);
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index 3e5a1f2..c8fce57 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -554,8 +552,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
prev->prefer_server_ciphers, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
+ 0);
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);

View File

@ -0,0 +1,13 @@
diff --git a/src/http/modules/perl/Makefile.PL b/src/http/modules/perl/Makefile.PL
index 7edadcb..2ebb7c4 100644
--- a/src/http/modules/perl/Makefile.PL
+++ b/src/http/modules/perl/Makefile.PL
@@ -14,7 +14,7 @@ WriteMakefile(
AUTHOR => 'Igor Sysoev',
CCFLAGS => "$ENV{NGX_PM_CFLAGS}",
- OPTIMIZE => '-O',
+ OPTIMIZE => '-O2',
LDDLFLAGS => "$ENV{NGX_PM_LDFLAGS}",

View File

@ -0,0 +1,13 @@
--- auto/cc/gcc.orig 2007-03-22 08:34:53.000000000 -0600
+++ auto/cc/gcc 2007-03-22 08:58:47.000000000 -0600
@@ -172,7 +172,9 @@
# stop on warning
-CFLAGS="$CFLAGS -Werror"
+# This combined with Fedora's FORTIFY_SOURCE=2 option causes it nginx
+# to not compile.
+#CFLAGS="$CFLAGS -Werror"
# debug
CFLAGS="$CFLAGS -g"

BIN
SOURCES/nginx-logo.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 368 B

19
SOURCES/nginx-upgrade Normal file
View File

@ -0,0 +1,19 @@
#!/bin/sh
[ ! -f /run/nginx.pid ] && exit 1
echo "Start new nginx master..."
/bin/systemctl kill --signal=SIGUSR2 nginx.service
sleep 5
[ ! -f /run/nginx.pid.oldbin ] && sleep 10
if [ ! -f /run/nginx.pid.oldbin ]; then
echo "Failed to start new nginx master."
exit 1
fi
echo "Stop old nginx master gracefully..."
oldpid=`/usr/bin/cat /run/nginx.pid.oldbin 2>/dev/null`
/bin/kill -s QUIT $oldpid 2>/dev/null
sleep 5
[ -f /run/nginx.pid.oldbin ] && sleep 10
if [ -f /run/nginx.pid.oldbin ]; then
echo "Failed to stop old nginx master."
exit 1
fi

151
SOURCES/nginx-upgrade.8 Normal file
View File

@ -0,0 +1,151 @@
.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "NGINX-UPGRADE 8"
.TH NGINX-UPGRADE 8 "2012-10-28" " " " "
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
nginx\-upgrade \- tool to upgrade nginx without any downtime
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fInginx-upgrade\fR
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This downstream shell script updates nginx without any downtime. After
upgrading nginx via the package manager, running this script will create
a new nginx master. This master takes over all new requests. The old
masters and workers are then gracefully shutdown without breaking any
existing connections.
.PP
For further information, see: <http://nginx.org/en/docs/control.html>
.SH "BUGS"
.IX Header "BUGS"
If you find any bugs, please send an email to the author.
.SH "AUTHOR"
.IX Header "AUTHOR"
Jamie Nguyen <jamielinux@fedoraproject.org>

90
SOURCES/nginx.conf Normal file
View File

@ -0,0 +1,90 @@
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers PROFILE=SYSTEM;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}

13
SOURCES/nginx.logrotate Normal file
View File

@ -0,0 +1,13 @@
/var/log/nginx/*log {
create 0664 nginx root
daily
rotate 10
missingok
notifempty
compress
sharedscripts
postrotate
/bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
endscript
}

21
SOURCES/nginx.service Normal file
View File

@ -0,0 +1,21 @@
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
# Nginx will fail to start if /run/nginx.pid already exists but has the wrong
# SELinux context. This might happen when running `nginx -t` from the cmdline.
# https://bugzilla.redhat.com/show_bug.cgi?id=1268621
ExecStartPre=/usr/bin/rm -f /run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=mixed
PrivateTmp=true
[Install]
WantedBy=multi-user.target

926
SPECS/nginx.spec Normal file
View File

@ -0,0 +1,926 @@
%global _hardened_build 1
%global nginx_user nginx
# Disable strict symbol checks in the link editor.
# See: https://src.fedoraproject.org/rpms/redhat-rpm-config/c/078af19
%undefine _strict_symbol_defs_build
%global with_gperftools 0
%bcond_with geoip
%global with_aio 1
%if 0%{?fedora} > 22
%global with_mailcap_mimetypes 1
%endif
Name: nginx
Epoch: 1
Version: 1.14.1
Release: 9%{?dist}
Summary: A high performance web server and reverse proxy server
Group: System Environment/Daemons
# BSD License (two clause)
# http://www.freebsd.org/copyright/freebsd-license.html
License: BSD
URL: http://nginx.org/
Source0: https://nginx.org/download/nginx-%{version}.tar.gz
Source10: nginx.service
Source11: nginx.logrotate
Source12: nginx.conf
Source13: nginx-upgrade
Source14: nginx-upgrade.8
Source100: index.html
Source101: poweredby.png
Source102: nginx-logo.png
Source103: 404.html
Source104: 50x.html
Source200: README.dynamic
Source210: UPGRADE-NOTES-1.6-to-1.10
# removes -Werror in upstream build scripts. -Werror conflicts with
# -D_FORTIFY_SOURCE=2 causing warnings to turn into errors.
Patch0: nginx-auto-cc-gcc.patch
# Apply fix for bug in glibc libcrypt, if needed only.
# That has been fixed some time in glibc-2.3.X and is
# not needed with libxcrypt anyways.
Patch1: 0001-unix-ngx_user-Apply-fix-for-really-old-bug-in-glibc-.patch
# downstream patch - changing logs permissions to 664 instead
# previous 644
Patch2: nginx-1.14.0-logs-perm.patch
# PKCS#11 engine fix
Patch3: nginx-1.14.0-pkcs11.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1655530
Patch4: nginx-1.14.1-perl-module-hardening.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1643647
Patch5: nginx-1.14.1-enable-tls1v3-by-default.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1741860
# https://bugzilla.redhat.com/show_bug.cgi?id=1735741
# https://bugzilla.redhat.com/show_bug.cgi?id=1741864
Patch200: nginx-1.14.1-CVE-2019-9511.patch
Patch201: nginx-1.14.1-CVE-2019-9513.patch
Patch202: nginx-1.14.1-CVE-2019-9516.patch
%if 0%{?with_gperftools}
BuildRequires: gperftools-devel
%endif
BuildRequires: openssl-devel
BuildRequires: pcre-devel
BuildRequires: zlib-devel
Requires: nginx-filesystem = %{epoch}:%{version}-%{release}
%if 0%{?rhel} || 0%{?fedora} < 24
# Introduced at 1:1.10.0-1 to ease upgrade path. To be removed later.
Requires: nginx-all-modules = %{epoch}:%{version}-%{release}
%endif
Requires: openssl
Requires: pcre
Requires(pre): nginx-filesystem
%if 0%{?with_mailcap_mimetypes}
Requires: nginx-mimetypes
%endif
Provides: webserver
BuildRequires: systemd
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%description
Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and
IMAP protocols, with a strong focus on high concurrency, performance and low
memory usage.
%package all-modules
Group: System Environment/Daemons
Summary: A meta package that installs all available Nginx modules
BuildArch: noarch
%if %{with geoip}
Requires: nginx-mod-http-geoip = %{epoch}:%{version}-%{release}
%endif
Requires: nginx-mod-http-image-filter = %{epoch}:%{version}-%{release}
Requires: nginx-mod-http-perl = %{epoch}:%{version}-%{release}
Requires: nginx-mod-http-xslt-filter = %{epoch}:%{version}-%{release}
Requires: nginx-mod-mail = %{epoch}:%{version}-%{release}
Requires: nginx-mod-stream = %{epoch}:%{version}-%{release}
%description all-modules
%{summary}.
%if 0%{?rhel}
The main nginx package depends on this to ease the upgrade path. After a grace
period of several months, modules will become optional.
%endif
%if 0%{?fedora} && 0%{?fedora} < 24
The main nginx package depends on this to ease the upgrade path. Starting from
Fedora 24, modules are optional.
%endif
%package filesystem
Group: System Environment/Daemons
Summary: The basic directory layout for the Nginx server
BuildArch: noarch
Requires(pre): shadow-utils
%description filesystem
The nginx-filesystem package contains the basic directory layout
for the Nginx server including the correct permissions for the
directories.
%if %{with geoip}
%package mod-http-geoip
Group: System Environment/Daemons
Summary: Nginx HTTP geoip module
BuildRequires: GeoIP-devel
Requires: nginx
Requires: GeoIP
%description mod-http-geoip
%{summary}.
%endif
%package mod-http-image-filter
Group: System Environment/Daemons
Summary: Nginx HTTP image filter module
BuildRequires: gd-devel
Requires: nginx
Requires: gd
%description mod-http-image-filter
%{summary}.
%package mod-http-perl
Group: System Environment/Daemons
Summary: Nginx HTTP perl module
BuildRequires: perl-devel
%if 0%{?fedora} >= 24
BuildRequires: perl-generators
%endif
BuildRequires: perl(ExtUtils::Embed)
Requires: nginx
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
Requires: perl(constant)
%description mod-http-perl
%{summary}.
%package mod-http-xslt-filter
Group: System Environment/Daemons
Summary: Nginx XSLT module
BuildRequires: libxslt-devel
Requires: nginx
%description mod-http-xslt-filter
%{summary}.
%package mod-mail
Group: System Environment/Daemons
Summary: Nginx mail modules
Requires: nginx
%description mod-mail
%{summary}.
%package mod-stream
Group: System Environment/Daemons
Summary: Nginx stream modules
Requires: nginx
%description mod-stream
%{summary}.
%prep
%setup -q
%patch0 -p0
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch200 -p1
%patch201 -p1
%patch202 -p1
cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} .
%if 0%{?rhel} > 0 && 0%{?rhel} < 8
sed -i -e 's#KillMode=.*#KillMode=process#g' nginx.service
sed -i -e 's#PROFILE=SYSTEM#HIGH:!aNULL:!MD5#' nginx.conf
%endif
%build
# nginx does not utilize a standard configure script. It has its own
# and the standard configure options cause the nginx configure script
# to error out. This is is also the reason for the DESTDIR environment
# variable.
export DESTDIR=%{buildroot}
./configure \
--prefix=%{_datadir}/nginx \
--sbin-path=%{_sbindir}/nginx \
--modules-path=%{_libdir}/nginx/modules \
--conf-path=%{_sysconfdir}/nginx/nginx.conf \
--error-log-path=%{_localstatedir}/log/nginx/error.log \
--http-log-path=%{_localstatedir}/log/nginx/access.log \
--http-client-body-temp-path=%{_localstatedir}/lib/nginx/tmp/client_body \
--http-proxy-temp-path=%{_localstatedir}/lib/nginx/tmp/proxy \
--http-fastcgi-temp-path=%{_localstatedir}/lib/nginx/tmp/fastcgi \
--http-uwsgi-temp-path=%{_localstatedir}/lib/nginx/tmp/uwsgi \
--http-scgi-temp-path=%{_localstatedir}/lib/nginx/tmp/scgi \
--pid-path=/run/nginx.pid \
--lock-path=/run/lock/subsys/nginx \
--user=%{nginx_user} \
--group=%{nginx_user} \
%if 0%{?with_aio}
--with-file-aio \
%endif
--with-ipv6 \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module=dynamic \
--with-http_image_filter_module=dynamic \
%if %{with geoip}
--with-http_geoip_module=dynamic \
%endif
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_degradation_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-http_perl_module=dynamic \
--with-http_auth_request_module \
--with-mail=dynamic \
--with-mail_ssl_module \
--with-pcre \
--with-pcre-jit \
--with-stream=dynamic \
--with-stream_ssl_module \
%if 0%{?with_gperftools}
--with-google_perftools_module \
%endif
--with-debug \
--with-cc-opt="%{optflags} $(pcre-config --cflags)" \
--with-ld-opt="$RPM_LD_FLAGS -Wl,-E" # so the perl module finds its symbols
make %{?_smp_mflags}
%install
make install DESTDIR=%{buildroot} INSTALLDIRS=vendor
find %{buildroot} -type f -name .packlist -exec rm -f '{}' \;
find %{buildroot} -type f -name perllocal.pod -exec rm -f '{}' \;
find %{buildroot} -type f -empty -exec rm -f '{}' \;
find %{buildroot} -type f -iname '*.so' -exec chmod 0755 '{}' \;
install -p -D -m 0644 ./nginx.service \
%{buildroot}%{_unitdir}/nginx.service
install -p -D -m 0644 %{SOURCE11} \
%{buildroot}%{_sysconfdir}/logrotate.d/nginx
install -p -d -m 0755 %{buildroot}%{_sysconfdir}/systemd/system/nginx.service.d
install -p -d -m 0755 %{buildroot}%{_unitdir}/nginx.service.d
install -p -d -m 0755 %{buildroot}%{_sysconfdir}/nginx/conf.d
install -p -d -m 0755 %{buildroot}%{_sysconfdir}/nginx/default.d
install -p -d -m 0700 %{buildroot}%{_localstatedir}/lib/nginx
install -p -d -m 0700 %{buildroot}%{_localstatedir}/lib/nginx/tmp
install -p -d -m 0700 %{buildroot}%{_localstatedir}/log/nginx
install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/html
install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/modules
install -p -d -m 0755 %{buildroot}%{_libdir}/nginx/modules
install -p -m 0644 ./nginx.conf \
%{buildroot}%{_sysconfdir}/nginx
install -p -m 0644 %{SOURCE100} \
%{buildroot}%{_datadir}/nginx/html
install -p -m 0644 %{SOURCE101} %{SOURCE102} \
%{buildroot}%{_datadir}/nginx/html
install -p -m 0644 %{SOURCE103} %{SOURCE104} \
%{buildroot}%{_datadir}/nginx/html
%if 0%{?with_mailcap_mimetypes}
rm -f %{buildroot}%{_sysconfdir}/nginx/mime.types
%endif
install -p -D -m 0644 %{_builddir}/nginx-%{version}/objs/nginx.8 \
%{buildroot}%{_mandir}/man8/nginx.8
install -p -D -m 0755 %{SOURCE13} %{buildroot}%{_bindir}/nginx-upgrade
install -p -D -m 0644 %{SOURCE14} %{buildroot}%{_mandir}/man8/nginx-upgrade.8
for i in ftdetect indent syntax; do
install -p -D -m644 contrib/vim/${i}/nginx.vim \
%{buildroot}%{_datadir}/vim/vimfiles/${i}/nginx.vim
done
%if %{with geoip}
echo 'load_module "%{_libdir}/nginx/modules/ngx_http_geoip_module.so";' \
> %{buildroot}%{_datadir}/nginx/modules/mod-http-geoip.conf
%endif
echo 'load_module "%{_libdir}/nginx/modules/ngx_http_image_filter_module.so";' \
> %{buildroot}%{_datadir}/nginx/modules/mod-http-image-filter.conf
echo 'load_module "%{_libdir}/nginx/modules/ngx_http_perl_module.so";' \
> %{buildroot}%{_datadir}/nginx/modules/mod-http-perl.conf
echo 'load_module "%{_libdir}/nginx/modules/ngx_http_xslt_filter_module.so";' \
> %{buildroot}%{_datadir}/nginx/modules/mod-http-xslt-filter.conf
echo 'load_module "%{_libdir}/nginx/modules/ngx_mail_module.so";' \
> %{buildroot}%{_datadir}/nginx/modules/mod-mail.conf
echo 'load_module "%{_libdir}/nginx/modules/ngx_stream_module.so";' \
> %{buildroot}%{_datadir}/nginx/modules/mod-stream.conf
%pre filesystem
getent group %{nginx_user} > /dev/null || groupadd -r %{nginx_user}
getent passwd %{nginx_user} > /dev/null || \
useradd -r -d %{_localstatedir}/lib/nginx -g %{nginx_user} \
-s /sbin/nologin -c "Nginx web server" %{nginx_user}
exit 0
%post
%systemd_post nginx.service
%if %{with geoip}
%post mod-http-geoip
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%endif
%post mod-http-image-filter
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-http-perl
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-http-xslt-filter
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-mail
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-stream
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%preun
%systemd_preun nginx.service
%postun
%systemd_postun nginx.service
if [ $1 -ge 1 ]; then
/usr/bin/nginx-upgrade >/dev/null 2>&1 || :
fi
%files
%license LICENSE
%doc CHANGES README README.dynamic
%if 0%{?rhel} == 7
%doc UPGRADE-NOTES-1.6-to-1.10
%endif
%{_datadir}/nginx/html/*
%{_bindir}/nginx-upgrade
%{_sbindir}/nginx
%{_datadir}/vim/vimfiles/ftdetect/nginx.vim
%{_datadir}/vim/vimfiles/syntax/nginx.vim
%{_datadir}/vim/vimfiles/indent/nginx.vim
%{_mandir}/man3/nginx.3pm*
%{_mandir}/man8/nginx.8*
%{_mandir}/man8/nginx-upgrade.8*
%{_unitdir}/nginx.service
%config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf
%config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf.default
%config(noreplace) %{_sysconfdir}/nginx/fastcgi_params
%config(noreplace) %{_sysconfdir}/nginx/fastcgi_params.default
%config(noreplace) %{_sysconfdir}/nginx/koi-utf
%config(noreplace) %{_sysconfdir}/nginx/koi-win
%if ! 0%{?with_mailcap_mimetypes}
%config(noreplace) %{_sysconfdir}/nginx/mime.types
%endif
%config(noreplace) %{_sysconfdir}/nginx/mime.types.default
%config(noreplace) %{_sysconfdir}/nginx/nginx.conf
%config(noreplace) %{_sysconfdir}/nginx/nginx.conf.default
%config(noreplace) %{_sysconfdir}/nginx/scgi_params
%config(noreplace) %{_sysconfdir}/nginx/scgi_params.default
%config(noreplace) %{_sysconfdir}/nginx/uwsgi_params
%config(noreplace) %{_sysconfdir}/nginx/uwsgi_params.default
%config(noreplace) %{_sysconfdir}/nginx/win-utf
%config(noreplace) %{_sysconfdir}/logrotate.d/nginx
%attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx
%attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx/tmp
%attr(770,%{nginx_user},root) %dir %{_localstatedir}/log/nginx
%dir %{_libdir}/nginx/modules
%files all-modules
%files filesystem
%dir %{_datadir}/nginx
%dir %{_datadir}/nginx/html
%dir %{_sysconfdir}/nginx
%dir %{_sysconfdir}/nginx/conf.d
%dir %{_sysconfdir}/nginx/default.d
%dir %{_sysconfdir}/systemd/system/nginx.service.d
%dir %{_unitdir}/nginx.service.d
%if %{with geoip}
%files mod-http-geoip
%{_datadir}/nginx/modules/mod-http-geoip.conf
%{_libdir}/nginx/modules/ngx_http_geoip_module.so
%endif
%files mod-http-image-filter
%{_datadir}/nginx/modules/mod-http-image-filter.conf
%{_libdir}/nginx/modules/ngx_http_image_filter_module.so
%files mod-http-perl
%{_datadir}/nginx/modules/mod-http-perl.conf
%{_libdir}/nginx/modules/ngx_http_perl_module.so
%dir %{perl_vendorarch}/auto/nginx
%{perl_vendorarch}/nginx.pm
%{perl_vendorarch}/auto/nginx/nginx.so
%files mod-http-xslt-filter
%{_datadir}/nginx/modules/mod-http-xslt-filter.conf
%{_libdir}/nginx/modules/ngx_http_xslt_filter_module.so
%files mod-mail
%{_datadir}/nginx/modules/mod-mail.conf
%{_libdir}/nginx/modules/ngx_mail_module.so
%files mod-stream
%{_datadir}/nginx/modules/mod-stream.conf
%{_libdir}/nginx/modules/ngx_stream_module.so
%changelog
* Fri Aug 30 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.14.1-9
- Resolves: #1744811 - CVE-2019-9511 nginx:1.14/nginx: HTTP/2: large amount of
data request leads to denial of service
- Resolves: #1744325 - CVE-2019-9513 nginx:1.14/nginx: HTTP/2: flood using
PRIORITY frames resulting in excessive resource consumption
- Resolves: #1745094 - CVE-2019-9516 nginx:1.14/nginx: HTTP/2: 0-length
headers leads to denial of service
* Wed Dec 12 2018 Lubos Uhliarik <luhliari@redhat.com> - 1:1.14.1-8
- enable TLS 1.3 by default (#1643647)
- TLSv1.0 and TLSv1.1 can be enabled now (#1644746)
* Tue Dec 11 2018 Joe Orton <jorton@redhat.com> - 1:1.14.1-3
- fix unexpanded paths in nginx(8) (#1643069)
* Mon Dec 03 2018 Lubos Uhliarik <luhliari@redhat.com> - 1:1.14.1-2
- Resolves: #1655530 - Hardening tests fail for nginx
* Mon Nov 19 2018 Lubos Uhliarik <luhliari@redhat.com> - 1:1.14.1-1
- new version 1.14.1
- Resolves: #1647257 - CVE-2018-16845 nginx: Denial of service and
memory disclosure via mp4 module
- Resolves: #1647262 - CVE-2018-16844 nginx: Excessive CPU usage
via flaw in HTTP/2 implementation
- Resolves: #1647263 - CVE-2018-16843 nginx: Excessive memory consumption
via flaw in HTTP/2 implementation
* Wed Aug 8 2018 Joe Orton <jorton@redhat.com> - 1:1.14.0-3
- fix PKCS#11 support (Anderson Sasaki, #1545526)
* Mon Aug 06 2018 Lubos Uhliarik <luhliari@redhat.com> - 1:1.14.0-2
- add dependency on perl(constant)
* Mon Jul 30 2018 Luboš Uhliarik <luhliari@redhat.com> - 1:1.14.0-1
- Resolves: #1558420 - directory permissions are now correct after processing
USR1 signal
- Resolves: #1601414 - nginx: drop GeoIP support
* Thu Jul 19 2018 Joe Orton <jorton@redhat.com> - 1:1.12.1-12
- add build conditional for geoip support
* Thu May 03 2018 Luboš Uhliarik <luhliari@redhat.com> - 1:1.14.0-1
- new version 1.14.0
* Wed Apr 25 2018 Luboš Uhliarik <luhliari@redhat.com> - 1:1.12.1-9
- changed directory permissions (#1558420)
* Fri Mar 23 2018 Joe Orton <jorton@redhat.com> - 1:1.12.1-8
- disable gperftools (#1496868)
* Thu Mar 22 2018 Joe Orton <jorton@redhat.com> - 1:1.12.1-7
- update branding (#1512565)
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.12.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Jan 24 2018 Björn Esser <besser82@fedoraproject.org> - 1:1.12.1-5
- Add patch to apply glibc bugfix if really needed only
- Disable strict symbol checks in the link editor
* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 1:1.12.1-4
- Rebuilt for switch to libxcrypt
* Tue Oct 24 2017 Joe Orton <jorton@redhat.com> - 1:1.12.1-3
- rebuild
* Tue Sep 19 2017 Remi Collet <remi@fedoraproject.org> - 1:1.12.1-2
- own system drop-in directories #1493036
* Tue Aug 15 2017 Joe Orton <jorton@redhat.com> - 1:1.12.1-1
- update to 1.12.1 (#1469924)
- enable http_auth_request_module (Tim Niemueller, #1471106)
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.12.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.12.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sun Jun 04 2017 Jitka Plesnikova <jplesnik@redhat.com> - 1:1.12.0-2
- Perl 5.26 rebuild
* Tue May 30 2017 Luboš Uhliarik <luhliari@redhat.com> - 1:1.12.0-1
- new version 1.12.0
* Wed Feb 8 2017 Joe Orton <jorton@redhat.com> - 1:1.10.3-1
- update to upstream release 1.10.3
* Mon Oct 31 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.10.2-1
- update to upstream release 1.10.2
* Tue May 31 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.10.1-1
- update to upstream release 1.10.1
* Sun May 15 2016 Jitka Plesnikova <jplesnik@redhat.com> - 1:1.10.0-4
- Perl 5.24 rebuild
* Sun May 8 2016 Peter Robinson <pbrobinson@fedoraproject.org> 1:1.10.0-3
- Enable AIO on aarch64 (rhbz 1258414)
* Wed Apr 27 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.10.0-2
- only Require nginx-all-modules for EPEL and current Fedora releases
* Wed Apr 27 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.10.0-1
- update to upstream release 1.10.0
- split dynamic modules into subpackages
- spec file cleanup
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.8.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Tue Jan 26 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.1-1
- update to upstream release 1.8.1
- CVE-2016-0747: Insufficient limits of CNAME resolution in resolver
- CVE-2016-0746: Use-after-free during CNAME response processing in resolver
- CVE-2016-0742: Invalid pointer dereference in resolver
* Sun Oct 04 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-14
- consistently use '%%global with_foo' style of logic
- remove PID file before starting nginx (#1268621)
* Fri Sep 25 2015 Ville Skyttä <ville.skytta@iki.fi> - 1:1.8.0-13
- Use nginx-mimetypes from mailcap (#1248736)
- Mark LICENSE as %%license
* Thu Sep 10 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-12
- also build with gperftools on aarch64 (#1258412)
* Wed Aug 12 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1:1.8.0-11
- nginx.conf: added commented-out SSL configuration directives (#1179232)
* Fri Jul 03 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-10
- switch back to /bin/kill in logrotate script due to SELinux denials
* Tue Jun 16 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-9
- fix path to png in error pages (#1232277)
- optimize png images with optipng
* Sun Jun 14 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-8
- replace /bin/kill with /usr/bin/systemctl kill in logrotate script (#1231543)
- remove After=syslog.target in nginx.service (#1231543)
- replace ExecStop with KillSignal=SIGQUIT in nginx.service (#1231543)
* Wed Jun 03 2015 Jitka Plesnikova <jplesnik@redhat.com> - 1:1.8.0-7
- Perl 5.22 rebuild
* Sun May 10 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-6
- revert previous change
* Sun May 10 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-5
- move default server to default.conf (#1220094)
* Sun May 10 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-4
- add TimeoutStopSec=5 and KillMode=mixed to nginx.service
- set worker_processes to auto
- add some common options to the http block in nginx.conf
- run nginx-upgrade on package update
- remove some redundant scriptlet commands
- listen on ipv6 for default server (#1217081)
* Wed Apr 22 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-3
- improve nginx-upgrade script
* Wed Apr 22 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-2
- add --with-pcre-jit
* Wed Apr 22 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-1
- update to upstream release 1.8.0
* Thu Apr 09 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.7.12-1
- update to upstream release 1.7.12
* Sun Feb 15 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.7.10-1
- update to upstream release 1.7.10
- remove systemd conditionals
* Wed Oct 22 2014 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.2-4
- fix package ownership of directories
* Wed Oct 22 2014 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.2-3
- add vim files (#1142849)
* Mon Sep 22 2014 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.2-2
- create nginx-filesystem subpackage (patch from Remi Collet)
- create /etc/nginx/default.d as a drop-in directory for configuration files
for the default server block
- clean up nginx.conf
* Wed Sep 17 2014 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.2-1
- update to upstream release 1.6.2
- CVE-2014-3616 nginx: virtual host confusion (#1142573)
* Wed Aug 27 2014 Jitka Plesnikova <jplesnik@redhat.com> - 1:1.6.1-4
- Perl 5.20 rebuild
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.6.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Tue Aug 05 2014 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.1-2
- add logic for EPEL 7
* Tue Aug 05 2014 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.1-1
- update to upstream release 1.6.1
- (#1126891) CVE-2014-3556: SMTP STARTTLS plaintext injection flaw
* Wed Jul 02 2014 Yaakov Selkowitz <yselkowi@redhat.com> - 1:1.6.0-3
- Fix FTBFS on aarch64 (#1115559)
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.6.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sat Apr 26 2014 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.0-1
- update to upstream release 1.6.0
* Tue Mar 18 2014 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.4.7-1
- update to upstream release 1.4.7
* Wed Mar 05 2014 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.4.6-1
- update to upstream release 1.4.6
* Sun Feb 16 2014 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.4.5-2
- avoid multiple index directives (#1065488)
* Sun Feb 16 2014 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.4.5-1
- update to upstream release 1.4.5
* Wed Nov 20 2013 Peter Borsa <peter.borsa@gmail.com> - 1:1.4.4-1
- Update to upstream release 1.4.4
- Security fix BZ 1032267
* Sun Nov 03 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.4.3-1
- update to upstream release 1.4.3
* Fri Aug 09 2013 Jonathan Steffan <jsteffan@fedoraproject.org> - 1:1.4.2-3
- Add in conditionals to build for non-systemd targets
* Sat Aug 03 2013 Petr Pisar <ppisar@redhat.com> - 1:1.4.2-2
- Perl 5.18 rebuild
* Fri Jul 19 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.4.2-1
- update to upstream release 1.4.2
* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> - 1:1.4.1-3
- Perl 5.18 rebuild
* Tue Jun 11 2013 Remi Collet <rcollet@redhat.com> - 1:1.4.1-2
- rebuild for new GD 2.1.0
* Tue May 07 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.4.1-1
- update to upstream release 1.4.1 (#960605, #960606):
CVE-2013-2028 stack-based buffer overflow when handling certain chunked
transfer encoding requests
* Sun Apr 28 2013 Dan Horák <dan[at]danny.cz> - 1:1.4.0-2
- gperftools exist only on selected arches
* Fri Apr 26 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.4.0-1
- update to upstream release 1.4.0
- enable SPDY module (new in this version)
- enable http gunzip module (new in this version)
- enable google perftools module and add gperftools-devel to BR
- enable debugging (#956845)
- trim changelog
* Tue Apr 02 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.2.8-1
- update to upstream release 1.2.8
* Fri Feb 22 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.2.7-2
- make sure nginx directories are not world readable (#913724, #913735)
* Sat Feb 16 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.2.7-1
- update to upstream release 1.2.7
- add .asc file
* Tue Feb 05 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.2.6-6
- use 'kill' instead of 'systemctl' when rotating log files to workaround
SELinux issue (#889151)
* Wed Jan 23 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.2.6-5
- uncomment "include /etc/nginx/conf.d/*.conf by default but leave the
conf.d directory empty (#903065)
* Wed Jan 23 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.2.6-4
- add comment in nginx.conf regarding "include /etc/nginf/conf.d/*.conf"
(#903065)
* Wed Dec 19 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.2.6-3
- use correct file ownership when rotating log files
* Tue Dec 18 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.2.6-2
- send correct kill signal and use correct file permissions when rotating
log files (#888225)
- send correct kill signal in nginx-upgrade
* Tue Dec 11 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.2.6-1
- update to upstream release 1.2.6
* Sat Nov 17 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.2.5-1
- update to upstream release 1.2.5
* Sun Oct 28 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.2.4-1
- update to upstream release 1.2.4
- introduce new systemd-rpm macros (#850228)
- link to official documentation not the community wiki (#870733)
- do not run systemctl try-restart after package upgrade to allow the
administrator to run nginx-upgrade and avoid downtime
- add nginx man page (#870738)
- add nginx-upgrade man page and remove README.fedora
- remove chkconfig from Requires(post/preun)
- remove initscripts from Requires(preun/postun)
- remove separate configuration files in "/etc/nginx/conf.d" directory
and revert to upstream default of a centralized nginx.conf file
(#803635) (#842738)
* Fri Sep 21 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.2.3-1
- update to upstream release 1.2.3
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.2.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Thu Jun 28 2012 Petr Pisar <ppisar@redhat.com> - 1:1.2.1-2
- Perl 5.16 rebuild
* Sun Jun 10 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.2.1-1
- update to upstream release 1.2.1
* Fri Jun 08 2012 Petr Pisar <ppisar@redhat.com> - 1:1.2.0-2
- Perl 5.16 rebuild
* Wed May 16 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.2.0-1
- update to upstream release 1.2.0
* Wed May 16 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.0.15-4
- add nginx-upgrade to replace functionality from the nginx initscript
that was lost after migration to systemd
- add README.fedora to describe usage of nginx-upgrade
- nginx.logrotate: use built-in systemd kill command in postrotate script
- nginx.service: start after syslog.target and network.target
- nginx.service: remove unnecessary references to config file location
- nginx.service: use /bin/kill instead of "/usr/sbin/nginx -s" following
advice from nginx-devel
- nginx.service: use private /tmp
* Mon May 14 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.0.15-3
- fix incorrect postrotate script in nginx.logrotate
* Thu Apr 19 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.0.15-2
- renable auto-cc-gcc patch due to warnings on rawhide
* Sat Apr 14 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.0.15-1
- update to upstream release 1.0.15
- no need to apply auto-cc-gcc patch
- add %%global _hardened_build 1
* Thu Mar 15 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.0.14-1
- update to upstream release 1.0.14
- amend some %%changelog formatting
* Tue Mar 06 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.0.13-1
- update to upstream release 1.0.13
- amend --pid-path and --log-path
* Sun Mar 04 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.0.12-5
- change pid path in nginx.conf to match systemd service file
* Sun Mar 04 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.0.12-3
- fix %%pre scriptlet
* Mon Feb 20 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.0.12-2
- update upstream URL
- replace %%define with %%global
- remove obsolete BuildRoot tag, %%clean section and %%defattr
- remove various unnecessary commands
- add systemd service file and update scriptlets
- add Epoch to accommodate %%triggerun as part of systemd migration
* Sun Feb 19 2012 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.0.12-1
- Update to 1.0.12
* Thu Nov 17 2011 Keiran "Affix" Smith <fedora@affix.me> - 1.0.10-1
- Bugfix: a segmentation fault might occur in a worker process if resolver got a big DNS response. Thanks to Ben Hawkes.
- Bugfix: in cache key calculation if internal MD5 implementation wasused; the bug had appeared in 1.0.4.
- Bugfix: the module ngx_http_mp4_module sent incorrect "Content-Length" response header line if the "start" argument was used. Thanks to Piotr Sikora.
* Thu Oct 27 2011 Keiran "Affix" Smith <fedora@affix.me> - 1.0.8-1
- Update to new 1.0.8 stable release
* Fri Aug 26 2011 Keiran "Affix" Smith <fedora@affix.me> - 1.0.5-1
- Update nginx to Latest Stable Release
* Fri Jun 17 2011 Marcela Mašláňová <mmaslano@redhat.com> - 1.0.0-3
- Perl mass rebuild
* Thu Jun 09 2011 Marcela Mašláňová <mmaslano@redhat.com> - 1.0.0-2
- Perl 5.14 mass rebuild
* Wed Apr 27 2011 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.0.0-1
- Update to 1.0.0
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.53-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Sun Dec 12 2010 Jeremy Hinegardner <jeremy at hinegardner dot org> - 0.8.53.5
- Extract out default config into its own file (bug #635776)
* Sun Dec 12 2010 Jeremy Hinegardner <jeremy at hinegardner dot org> - 0.8.53-4
- Revert ownership of log dir
* Sun Dec 12 2010 Jeremy Hinegardner <jeremy at hinegardner dot org> - 0.8.53-3
- Change ownership of /var/log/nginx to be 0700 nginx:nginx
- update init script to use killproc -p
- add reopen_logs command to init script
- update init script to use nginx -q option
* Sun Oct 31 2010 Jeremy Hinegardner <jeremy at hinegardner dot org> - 0.8.53-2
- Fix linking of perl module
* Sun Oct 31 2010 Jeremy Hinegardner <jeremy at hinegardner dot org> - 0.8.53-1
- Update to new stable 0.8.53
* Sat Jul 31 2010 Jeremy Hinegardner <jeremy at hinegardner dot org> - 0.7.67-2
- add Provides: webserver (bug #619693)
* Sun Jun 20 2010 Jeremy Hinegardner <jeremy at hinegardner dot org> - 0.7.67-1
- Update to new stable 0.7.67
- fix bugzilla #591543
* Tue Jun 01 2010 Marcela Maslanova <mmaslano@redhat.com> - 0.7.65-2
- Mass rebuild with perl-5.12.0
* Mon Feb 15 2010 Jeremy Hinegardner <jeremy at hinegardner dot org> - 0.7.65-1
- Update to new stable 0.7.65
- change ownership of logdir to root:root
- add support for ipv6 (bug #561248)
- add random_index_module
- add secure_link_module
* Fri Dec 04 2009 Jeremy Hinegardner <jeremy at hinegardner dot org> - 0.7.64-1
- Update to new stable 0.7.64