diff --git a/SOURCES/0004-Set-proper-compiler-optimalization-level-O2-for-perl.patch b/SOURCES/0004-Set-proper-compiler-optimalization-level-O2-for-perl.patch
new file mode 100644
index 0000000..e59dd58
--- /dev/null
+++ b/SOURCES/0004-Set-proper-compiler-optimalization-level-O2-for-perl.patch
@@ -0,0 +1,26 @@
+From 80c0ee172cceaef933ff5a451ec2a16213e03996 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
+Date: Wed, 22 Sep 2021 15:55:39 +0200
+Subject: [PATCH] Set proper compiler optimalization level (O2) for perl
+ module.
+
+---
+ src/http/modules/perl/Makefile.PL | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/http/modules/perl/Makefile.PL b/src/http/modules/perl/Makefile.PL
+index 7edadcb..2ebb7c4 100644
+--- a/src/http/modules/perl/Makefile.PL
++++ b/src/http/modules/perl/Makefile.PL
+@@ -14,7 +14,7 @@ WriteMakefile(
+ AUTHOR => 'Igor Sysoev',
+
+ CCFLAGS => "$ENV{NGX_PM_CFLAGS}",
+- OPTIMIZE => '-O',
++ OPTIMIZE => '-O2',
+
+ LDDLFLAGS => "$ENV{NGX_PM_LDFLAGS}",
+
+--
+2.31.1
+
diff --git a/SOURCES/0005-Init-openssl-engine-properly.patch b/SOURCES/0005-Init-openssl-engine-properly.patch
new file mode 100644
index 0000000..99dc0a9
--- /dev/null
+++ b/SOURCES/0005-Init-openssl-engine-properly.patch
@@ -0,0 +1,41 @@
+From a769a35a6197c76390e1dd8f5054d426fbbbda05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
+Date: Wed, 22 Sep 2021 16:12:58 +0200
+Subject: [PATCH] Init openssl engine properly
+
+---
+ src/event/ngx_event_openssl.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index 270b200..f813458 100644
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -798,16 +798,24 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
+ return NULL;
+ }
+
++ if (!ENGINE_init(engine)) {
++ *err = "ENGINE_init() failed";
++ ENGINE_free(engine);
++ return NULL;
++ }
++
+ *last++ = ':';
+
+ pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
+
+ if (pkey == NULL) {
+ *err = "ENGINE_load_private_key() failed";
++ ENGINE_finish(engine);
+ ENGINE_free(engine);
+ return NULL;
+ }
+
++ ENGINE_finish(engine);
+ ENGINE_free(engine);
+
+ return pkey;
+--
+2.31.1
+
diff --git a/SOURCES/404.html b/SOURCES/404.html
index 71fa16c..c6014a7 100644
--- a/SOURCES/404.html
+++ b/SOURCES/404.html
@@ -27,7 +27,7 @@
 text-align: center;
 margin: 0;
 padding: 0.6em 2em 0.4em;
- background-color: #294172;
+ background-color: #900;
 color: #fff;
 font-weight: normal;
 font-size: 1.75em;
@@ -39,13 +39,13 @@
 }
 h2 {
 text-align: center;
- background-color: #3C6EB4;
+ background-color: #900;
 font-size: 1.1em;
 font-weight: bold;
 color: #fff;
 margin: 0;
 padding: 0.5em;
- border-bottom: 2px solid #294172;
+ border-bottom: 2px solid #000;
 }
 h3 {
 text-align: center;
@@ -92,7 +92,7 @@
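Review bot: The added `ENGINE_init()`/`ENGINE_finish()` pair in ngx_ssl_load_certificate_key() carries no comment saying why it is needed, and the reason is not obvious from the code: the engine handle obtained earlier in the function (outside this hunk) is presumably a structural reference only, while `ENGINE_load_private_key()` needs an initialised engine. I would add above the new `if (!ENGINE_init(engine))` a comment such as `/* take a functional reference; ENGINE_load_private_key() requires an initialised engine */`. The success path releases that reference with `ENGINE_finish(engine)` before `return pkey`, so the returned key stays usable only if it holds its own reference to the engine; that is worth confirming against the PKCS#11 token this patch targets. The function's body starts and ends outside the hunk.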

Something has triggered missing webpage on your website. This is the default 404 error page for nginx that is distributed with - Fedora. It is located + Red Hat Enterprise Linux. It is located /usr/share/nginx/html/404.html

You should customize this error page for your own @@ -100,18 +100,19 @@ the nginx configuration file /etc/nginx/nginx.conf.

+

For information on Red Hat Enterprise Linux, please visit the Red Hat, Inc. website. The documentation for Red Hat Enterprise Linux is available on the Red Hat, Inc. website.

+
[ Powered by nginx ] - - [ Powered by Fedora ][ Powered by Red Hat Enterprise Linux ]
diff --git a/SOURCES/50x.html b/SOURCES/50x.html
index c296c61..5d8d957 100644
--- a/SOURCES/50x.html
+++ b/SOURCES/50x.html
@@ -27,7 +27,7 @@
 text-align: center;
 margin: 0;
 padding: 0.6em 2em 0.4em;
- background-color: #294172;
+ background-color: #900;
 color: #fff;
 font-weight: normal;
 font-size: 1.75em;
@@ -39,13 +39,13 @@
 }
 h2 {
 text-align: center;
- background-color: #3C6EB4;
+ background-color: #900;
 font-size: 1.1em;
 font-weight: bold;
 color: #fff;
 margin: 0;
 padding: 0.5em;
- border-bottom: 2px solid #294172;
+ border-bottom: 2px solid #000;
 }
 h3 {
 text-align: center;
@@ -89,10 +89,10 @@

Website Administrator

-

Something has triggered an error on your - website. This is the default error page for +

Something has triggered missing webpage on your + website. This is the default error page for nginx that is distributed with - Fedora. It is located + Red Hat Enterprise Linux. It is located /usr/share/nginx/html/50x.html

You should customize this error page for your own @@ -100,18 +100,19 @@ the nginx configuration file /etc/nginx/nginx.conf.
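Review bot: In the `@@ -89,10 +89,10 @@` hunk of 50x.html the new text reads "Something has triggered missing webpage on your website", which is the 404 wording and replaces the correct "Something has triggered an error on your website" on a server-error page. The only intended change in this sentence appears to be the distribution name, so its first line should stay as `Something has triggered an error on your`. The markup of this hunk is not visible on the page, so the line cannot be quoted with its tags.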

+

For information on Red Hat Enterprise Linux, please visit the Red Hat, Inc. website. The documentation for Red Hat Enterprise Linux is available on the Red Hat, Inc. website.

+
[ Powered by nginx ] - - [ Powered by Fedora ][ Powered by Red Hat Enterprise Linux ]
diff --git a/SOURCES/macros.nginxmods.in b/SOURCES/macros.nginxmods.in
new file mode 100644
index 0000000..9b612b2
--- /dev/null
+++ b/SOURCES/macros.nginxmods.in
@@ -0,0 +1,20 @@
+%_nginx_abiversion @@NGINX_ABIVERSION@@
+%_nginx_srcdir @@NGINX_SRCDIR@@
+%_nginx_buildsrcdir nginx-src
+%_nginx_modsrcdir ..
+%_nginx_modbuilddir ../%{_vpath_builddir}
+%nginx_moddir @@NGINX_MODDIR@@
+%nginx_modconfdir @@NGINX_MODCONFDIR@@
+
+%nginx_modrequires Requires: nginx(abi) = %{_nginx_abiversion}
+
+%nginx_modconfigure(:-:) \\\
+ %undefine _strict_symbol_defs_build \
+ cp -a "%{_nginx_srcdir}" "%{_nginx_buildsrcdir}" \
+ cd "%{_nginx_buildsrcdir}" \
+ nginx_ldopts="$RPM_LD_FLAGS -Wl,-E" \
+ ./configure --with-compat --with-cc-opt="%{optflags} $(pcre-config --cflags)" --with-ld-opt="$nginx_ldopts" \\\
+ --add-dynamic-module=$(realpath %{_nginx_modsrcdir}) --builddir=$(realpath %{_nginx_modbuilddir}) %{**} \
+ cd -
+
+%nginx_modbuild %{__make} -C "%{_nginx_buildsrcdir}" %{_make_output_sync} %{?_smp_mflags} %{_make_verbose} modules
diff --git a/SOURCES/nginxmods.attr b/SOURCES/nginxmods.attr
new file mode 100644
index 0000000..102da1a
--- /dev/null
+++ b/SOURCES/nginxmods.attr
@@ -0,0 +1,14 @@
+%__nginxmods_requires() %{lua:
+ -- Match buildroot paths of the form
+ -- /PATH/OF/BUILDROOT/usr/lib/nginx/modules/ and
+ -- /PATH/OF/BUILDROOT/usr/lib64/nginx/modules/
+ -- generating a line of the form:
+ -- nginx(abi) = VERSION
+ local path = rpm.expand("%1")
+ if path:match("/usr/lib%d*/nginx/modules/.*") then
+ local requires = "nginx(abi) = " .. rpm.expand("%{_nginx_abiversion}")
+ print(requires)
+ end
+}
+
+%__nginxmods_path ^%{_prefix}/lib(64)?/nginx/modules/.*\\.so$
diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec
index d93658b..0ae29de 100644
--- a/SPECS/nginx.spec
+++ b/SPECS/nginx.spec
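Review bot: In `%nginx_modconfigure` (macros.nginxmods.in) the two `$(realpath …)` substitutions are passed unquoted, while the `cp` and `cd` lines above them quote their paths, so a module build directory containing whitespace would be split into several `./configure` arguments. Quote them: `--add-dynamic-module="$(realpath %{_nginx_modsrcdir})" --builddir="$(realpath %{_nginx_modbuilddir})"`. The macro also has no comment describing what it expects from the caller; from `%_nginx_modsrcdir ..` it apparently has to be run from the module's own source directory, and a short comment above the definition saying so would help module packagers.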
@@ -26,10 +26,22 @@ %global with_mailcap_mimetypes 1 %endif +# Cf. https://www.nginx.com/blog/creating-installable-packages-dynamic-modules/ +%global nginx_abiversion %{version} + +%global nginx_moduledir %{_libdir}/nginx/modules +%global nginx_moduleconfdir %{_datadir}/nginx/modules +%global nginx_srcdir %{_usrsrc}/%{name}-%{version}-%{release} + +# Do not generate provides/requires from nginx sources +%global __provides_exclude_from ^%{nginx_srcdir}/.*$ +%global __requires_exclude_from ^%{nginx_srcdir}/.*$ + + Name: nginx Epoch: 1 Version: 1.20.1 -Release: 4%{?dist} +Release: 8%{?dist} Summary: A high performance web server and reverse proxy server # BSD License (two clause) @@ -48,6 +60,8 @@ Source11: nginx.logrotate Source12: nginx.conf Source13: nginx-upgrade Source14: nginx-upgrade.8 +Source15: macros.nginxmods.in +Source16: nginxmods.attr Source102: nginx-logo.png Source103: 404.html Source104: 50x.html @@ -65,6 +79,12 @@ Patch1: 0002-fix-PIDFile-handling.patch # downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=1955564 Patch2: 0003-Support-loading-cert-hardware-token-PKC.patch +# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2006822 +Patch3: 0004-Set-proper-compiler-optimalization-level-O2-for-perl.patch + +# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2006420 +Patch4: 0005-Init-openssl-engine-properly.patch + BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2 @@ -106,6 +126,8 @@ BuildRequires: systemd Requires(post): systemd Requires(preun): systemd Requires(postun): systemd +# For external nginx modules +Provides: nginx(abi) = %{nginx_abiversion} %description Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and @@ -142,7 +164,7 @@ directories. %package mod-http-geoip Summary: Nginx HTTP geoip module BuildRequires: GeoIP-devel -Requires: nginx +Requires: nginx(abi) = %{nginx_abiversion} Requires: GeoIP %description mod-http-geoip 
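Review bot: `%global nginx_abiversion %{version}` in the `@@ -26,10 +26,22 @@` hunk makes the `nginx(abi)` token depend on the upstream version alone, so a later downstream patch that changes a structure or prototype used by modules would leave `nginx(abi)` unchanged and let a module package built against the older layout install next to the newer core. The mod-* sub-packages switch to `Requires: nginx(abi) = %{nginx_abiversion}` in the following hunks and rely on the same token. I would add a comment next to the definition, for example `# Bump manually if a downstream patch changes structures or prototypes visible to modules`, so the rule is written down where the value is set.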
@@ -152,7 +174,7 @@ Requires: GeoIP %package mod-http-image-filter Summary: Nginx HTTP image filter module BuildRequires: gd-devel -Requires: nginx +Requires: nginx(abi) = %{nginx_abiversion} Requires: gd %description mod-http-image-filter @@ -165,7 +187,7 @@ BuildRequires: perl-devel BuildRequires: perl-generators %endif BuildRequires: perl(ExtUtils::Embed) -Requires: nginx +Requires: nginx(abi) = %{nginx_abiversion} Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) Requires: perl(constant) @@ -175,25 +197,51 @@ Requires: perl(constant) %package mod-http-xslt-filter Summary: Nginx XSLT module BuildRequires: libxslt-devel -Requires: nginx +Requires: nginx(abi) = %{nginx_abiversion} %description mod-http-xslt-filter %{summary}. %package mod-mail Summary: Nginx mail modules -Requires: nginx +Requires: nginx(abi) = %{nginx_abiversion} %description mod-mail %{summary}. %package mod-stream Summary: Nginx stream modules -Requires: nginx +Requires: nginx(abi) = %{nginx_abiversion} %description mod-stream %{summary}. +%package mod-devel +Summary: Nginx module development files +Requires: nginx = %{epoch}:%{version}-%{release} +Requires: make +Requires: gcc +Requires: gd-devel +%if 0%{?with_gperftools} +Requires: gperftools-devel +%endif +%if %{with geoip} +Requires: GeoIP-devel +%endif +Requires: libxslt-devel +%if 0%{?fedora} || 0%{?rhel} >= 8 +Requires: openssl-devel +%else +Requires: openssl11-devel +%endif +Requires: pcre-devel +Requires: perl-devel +Requires: perl(ExtUtils::Embed) +Requires: zlib-devel + +%description mod-devel +%{summary}. + %prep # Combine all keys from upstream into one file @@ -214,6 +262,10 @@ sed \ -i auto/lib/openssl/conf %endif +# Prepare sources for installation +cp -a ../%{name}-%{version} ../%{name}-%{version}-%{release}-src +mv ../%{name}-%{version}-%{release}-src . + %build # nginx does not utilize a standard configure script. It has its own 
@@ -226,7 +278,7 @@ nginx_ldopts="$RPM_LD_FLAGS -Wl,-E" if ! ./configure \ --prefix=%{_datadir}/nginx \ --sbin-path=%{_sbindir}/nginx \ - --modules-path=%{_libdir}/nginx/modules \ + --modules-path=%{nginx_moduledir} \ --conf-path=%{_sysconfdir}/nginx/nginx.conf \ --error-log-path=%{_localstatedir}/log/nginx/error.log \ --http-log-path=%{_localstatedir}/log/nginx/access.log \ @@ -311,8 +363,9 @@ install -p -d -m 0700 %{buildroot}%{_localstatedir}/lib/nginx/tmp install -p -d -m 0700 %{buildroot}%{_localstatedir}/log/nginx install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/html -install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/modules -install -p -d -m 0755 %{buildroot}%{_libdir}/nginx/modules +install -p -d -m 0755 %{buildroot}%{nginx_moduleconfdir} +install -p -d -m 0755 %{buildroot}%{nginx_moduledir} + install -p -m 0644 ./nginx.conf \ %{buildroot}%{_sysconfdir}/nginx 
@@ -362,19 +415,35 @@ for i in ftdetect ftplugin indent syntax; do done %if %{with geoip} -echo 'load_module "%{_libdir}/nginx/modules/ngx_http_geoip_module.so";' \ - > %{buildroot}%{_datadir}/nginx/modules/mod-http-geoip.conf +echo 'load_module "%{nginx_moduledir}/ngx_http_geoip_module.so";' \ + > %{buildroot}%{nginx_moduleconfdir}/mod-http-geoip.conf %endif -echo 'load_module "%{_libdir}/nginx/modules/ngx_http_image_filter_module.so";' \ - > %{buildroot}%{_datadir}/nginx/modules/mod-http-image-filter.conf -echo 'load_module "%{_libdir}/nginx/modules/ngx_http_perl_module.so";' \ - > %{buildroot}%{_datadir}/nginx/modules/mod-http-perl.conf -echo 'load_module "%{_libdir}/nginx/modules/ngx_http_xslt_filter_module.so";' \ - > %{buildroot}%{_datadir}/nginx/modules/mod-http-xslt-filter.conf -echo 'load_module "%{_libdir}/nginx/modules/ngx_mail_module.so";' \ - > %{buildroot}%{_datadir}/nginx/modules/mod-mail.conf -echo 'load_module "%{_libdir}/nginx/modules/ngx_stream_module.so";' \ - > %{buildroot}%{_datadir}/nginx/modules/mod-stream.conf +echo 'load_module "%{nginx_moduledir}/ngx_http_image_filter_module.so";' \ + > %{buildroot}%{nginx_moduleconfdir}/mod-http-image-filter.conf +echo 'load_module "%{nginx_moduledir}/ngx_http_perl_module.so";' \ + > %{buildroot}%{nginx_moduleconfdir}/mod-http-perl.conf +echo 'load_module "%{nginx_moduledir}/ngx_http_xslt_filter_module.so";' \ + > %{buildroot}%{nginx_moduleconfdir}/mod-http-xslt-filter.conf +echo 'load_module "%{nginx_moduledir}/ngx_mail_module.so";' \ + > %{buildroot}%{nginx_moduleconfdir}/mod-mail.conf +echo 'load_module "%{nginx_moduledir}/ngx_stream_module.so";' \ + > %{buildroot}%{nginx_moduleconfdir}/mod-stream.conf + +# Install files for supporting nginx module builds +## Install source files +mkdir -p %{buildroot}%{_usrsrc} +mv %{name}-%{version}-%{release}-src %{buildroot}%{nginx_srcdir} +## Install rpm macros +mkdir -p %{buildroot}%{_rpmmacrodir} +sed -e "s|@@NGINX_ABIVERSION@@|%{nginx_abiversion}|g" \ + -e 
"s|@@NGINX_MODDIR@@|%{nginx_moduledir}|g" \ + -e "s|@@NGINX_MODCONFDIR@@|%{nginx_moduleconfdir}|g" \ + -e "s|@@NGINX_SRCDIR@@|%{nginx_srcdir}|g" \ + %{SOURCE15} > %{buildroot}%{_rpmmacrodir}/macros.nginxmods +## Install dependency generator +install -Dpm0644 -t %{buildroot}%{_fileattrsdir} %{SOURCE16} + + %pre filesystem getent group %{nginx_user} > /dev/null || groupadd -r %{nginx_user} @@ -465,7 +534,8 @@ fi %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx/tmp %dir %{_localstatedir}/log/nginx -%dir %{_libdir}/nginx/modules +%dir %{nginx_moduledir} +%dir %{nginx_moduleconfdir} %files all-modules 
@@ -480,35 +550,53 @@ fi %if %{with geoip} %files mod-http-geoip -%{_datadir}/nginx/modules/mod-http-geoip.conf -%{_libdir}/nginx/modules/ngx_http_geoip_module.so +%{nginx_moduleconfdir}/mod-http-geoip.conf +%{nginx_moduledir}/ngx_http_geoip_module.so %endif %files mod-http-image-filter -%{_datadir}/nginx/modules/mod-http-image-filter.conf -%{_libdir}/nginx/modules/ngx_http_image_filter_module.so +%{nginx_moduleconfdir}/mod-http-image-filter.conf +%{nginx_moduledir}/ngx_http_image_filter_module.so %files mod-http-perl -%{_datadir}/nginx/modules/mod-http-perl.conf -%{_libdir}/nginx/modules/ngx_http_perl_module.so +%{nginx_moduleconfdir}/mod-http-perl.conf +%{nginx_moduledir}/ngx_http_perl_module.so %dir %{perl_vendorarch}/auto/nginx %{perl_vendorarch}/nginx.pm %{perl_vendorarch}/auto/nginx/nginx.so %files mod-http-xslt-filter -%{_datadir}/nginx/modules/mod-http-xslt-filter.conf -%{_libdir}/nginx/modules/ngx_http_xslt_filter_module.so +%{nginx_moduleconfdir}/mod-http-xslt-filter.conf +%{nginx_moduledir}/ngx_http_xslt_filter_module.so %files mod-mail -%{_datadir}/nginx/modules/mod-mail.conf -%{_libdir}/nginx/modules/ngx_mail_module.so +%{nginx_moduleconfdir}/mod-mail.conf +%{nginx_moduledir}/ngx_mail_module.so %files mod-stream -%{_datadir}/nginx/modules/mod-stream.conf -%{_libdir}/nginx/modules/ngx_stream_module.so +%{nginx_moduleconfdir}/mod-stream.conf +%{nginx_moduledir}/ngx_stream_module.so + +%files mod-devel +%{_rpmmacrodir}/macros.nginxmods +%{_fileattrsdir}/nginxmods.attr +%{nginx_srcdir}/ %changelog +* Wed Sep 22 2021 Luboš Uhliarik - 1:1.20.1-8 +- Resolves: #2007019 - use proper wording in error pages + +* Wed Sep 22 2021 Luboš Uhliarik - 1:1.20.1-7 +- Resolves: #2006420 - Broken loading certificates from hardware token (PKCS#11) + +* Wed Sep 22 2021 Luboš Uhliarik - 1:1.20.1-6 +- Resolves: #2006822 - Hardening tests fail for nginx + +* Tue Sep 21 2021 Luboš Uhliarik - 1:1.20.1-5 +- Add -mod-devel subpackage for building external nginx modules + Resolves: 
rhbz#1991720 (Neal Gompa) + * Mon Aug 09 2021 Mohan Boddu - 1:1.20.1-4 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688