.gitignore

@@ -1,2 +1,2 @@
-SOURCES/nginx-1.16.1.tar.gz
+SOURCES/nginx-1.18.0.tar.gz
 SOURCES/poweredby.png

.nginx.metadata

@@ -1,2 +1,2 @@
-77ce4d26481b62f7a9d83e399454df0912f01a4b SOURCES/nginx-1.16.1.tar.gz
+47b2c5ccd12e2a7088b03d629ff6b9ab18215180 SOURCES/nginx-1.18.0.tar.gz
 2ec82988cd0d9b1304c95a16b28eff70f0f69abc SOURCES/poweredby.png

SOURCES/nginx-1.18.0-pkcs11-cert.patch

@@ -0,0 +1,76 @@
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index 0a2f260..606b6e2 100644
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -616,6 +616,71 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
+     X509    *x509, *temp;
+     u_long   n;
+ 
++    if (ngx_strncmp(cert->data, "engine:", sizeof("engine:") - 1) == 0) {
++
++#ifndef OPENSSL_NO_ENGINE
++
++        u_char  *p, *last;
++        ENGINE  *engine;
++
++        p = cert->data + sizeof("engine:") - 1;
++        last = (u_char *) ngx_strchr(p, ':');
++
++        if (last == NULL) {
++            *err = "invalid syntax";
++            return NULL;
++        }
++
++        *last = '\0';
++
++        engine = ENGINE_by_id((char *) p);
++
++        if (engine == NULL) {
++            *err = "ENGINE_by_id() failed";
++            return NULL;
++        }
++
++        if (!ENGINE_init(engine)) {
++            *err = "ENGINE_init() failed";
++            ENGINE_free(engine);
++            return NULL;
++        }
++
++        *last++ = ':';
++
++        struct {
++            const char *cert_id;
++            X509 *cert;
++        } params = { (char *) last, NULL };
++
++        if (!ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, &params, NULL, 1)) {
++            *err = "ENGINE_ctrl_cmd() failed - Unable to get the certificate";
++            ENGINE_free(engine);
++            return NULL;
++        }
++
++        ENGINE_finish(engine);
++        ENGINE_free(engine);
++
++        /* set chain to null */
++
++        *chain = sk_X509_new_null();
++        if (*chain == NULL) {
++           *err = "sk_X509_new_null() failed";
++           X509_free(params.cert);
++           return NULL;
++        }
++
++        return params.cert;
++
++#else
++
++        *err = "loading \"engine:...\" certificate is not supported";
++        return NULL;
++
++#endif
++    }
++
+     if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {
+ 
+         bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1,

SOURCES/nginx.conf

@@ -25,7 +25,7 @@ http {
     tcp_nopush          on;
     tcp_nodelay         on;
     keepalive_timeout   65;
-    types_hash_max_size 2048;
+    types_hash_max_size 4096;
 
     include             /etc/nginx/mime.types;
     default_type        application/octet-stream;
@@ -36,17 +36,14 @@ http {
     include /etc/nginx/conf.d/*.conf;
 
     server {
-        listen       80 default_server;
-        listen       [::]:80 default_server;
+        listen       80;
+        listen       [::]:80;
         server_name  _;
         root         /usr/share/nginx/html;
 
         # Load configuration files for the default server block.
         include /etc/nginx/default.d/*.conf;
 
-        location / {
-        }
-
         error_page 404 /404.html;
             location = /40x.html {
         }
@@ -59,8 +56,8 @@ http {
 # Settings for a TLS enabled server.
 #
 #    server {
-#        listen       443 ssl http2 default_server;
-#        listen       [::]:443 ssl http2 default_server;
+#        listen       443 ssl http2;
+#        listen       [::]:443 ssl http2;
 #        server_name  _;
 #        root         /usr/share/nginx/html;
 #
@@ -74,9 +71,6 @@ http {
 #        # Load configuration files for the default server block.
 #        include /etc/nginx/default.d/*.conf;
 #
-#        location / {
-#        }
-#
 #        error_page 404 /404.html;
 #            location = /40x.html {
 #        }

SPECS/nginx.spec

@@ -18,8 +18,8 @@
 
 Name:              nginx
 Epoch:             1
-Version:           1.16.1
-Release:           1%{?dist}
+Version:           1.18.0
+Release:           2%{?dist}
 
 Summary:           A high performance web server and reverse proxy server
 Group:             System Environment/Daemons
@@ -59,6 +59,9 @@ Patch3:            nginx-1.14.1-perl-module-hardening.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1643647
 Patch4:            nginx-1.16.0-enable-tls1v3-by-default.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1668717
+Patch5:            nginx-1.18.0-pkcs11-cert.patch
+
 %if 0%{?with_gperftools}
 BuildRequires:     gperftools-devel
 %endif
@@ -189,6 +192,7 @@ Requires:          nginx
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 
 cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} .
 
@@ -461,6 +465,14 @@ fi
 
 
 %changelog
+* Wed Apr 22 2020 Lubos Uhliarik <luhliari@redhat.com> - 1:1.18.0-2
+- new version 1.18.0
+- Resolves: #1668717 - [RFE] Support loading certificates from hardware token
+  (PKCS#11)
+- Increased types_hash_max_size to 4096 in default config
+- Drop location / from default config (rhbz#1564768)
+- Drop default_sever from default config (rhbz#1373822)
+
 * Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.1-1
 - update to 1.16.1
 - Resolves: #1745697 - CVE-2019-9511 nginx:1.16/nginx: HTTP/2: large amount