Compare commits

...

No commits in common. "c8-stream-1.16" and "c8s-stream-1.20" have entirely different histories.

7 changed files with 130 additions and 151 deletions

3
.gitignore vendored
View File

@ -1,2 +1 @@
SOURCES/nginx-1.16.1.tar.gz
SOURCES/poweredby.png
SOURCES/nginx-1.20.0.tar.gz

View File

@ -1,2 +1 @@
77ce4d26481b62f7a9d83e399454df0912f01a4b SOURCES/nginx-1.16.1.tar.gz
2ec82988cd0d9b1304c95a16b28eff70f0f69abc SOURCES/poweredby.png
71dc4916e9ac7e15b03f7ea71577f72e0dd5dff1 SOURCES/nginx-1.20.0.tar.gz

View File

@ -1,117 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
/*<![CDATA[*/
body {
background-color: #fff;
color: #000;
font-size: 0.9em;
font-family: sans-serif,helvetica;
margin: 0;
padding: 0;
}
:link {
color: #c00;
}
:visited {
color: #c00;
}
a:hover {
color: #f50;
}
h1 {
text-align: center;
margin: 0;
padding: 0.6em 2em 0.4em;
background-color: #900;
color: #fff;
font-weight: normal;
font-size: 1.75em;
border-bottom: 2px solid #000;
}
h1 strong {
font-weight: bold;
font-size: 1.5em;
}
h2 {
text-align: center;
background-color: #900;
font-size: 1.1em;
font-weight: bold;
color: #fff;
margin: 0;
padding: 0.5em;
border-bottom: 2px solid #000;
}
hr {
display: none;
}
.content {
padding: 1em 5em;
}
.alert {
border: 2px solid #000;
}
img {
border: 2px solid #fff;
padding: 2px;
margin: 2px;
}
a:hover img {
border: 2px solid #294172;
}
.logos {
margin: 1em;
text-align: center;
}
/*]]>*/
</style>
</head>
<body>
<h1>Welcome to <strong>nginx</strong> on Red Hat Enterprise Linux!</h1>
<div class="content">
<p>This page is used to test the proper operation of the
<strong>nginx</strong> HTTP server after it has been
installed. If you can read this page, it means that the
web server installed at this site is working
properly.</p>
<div class="alert">
<h2>Website Administrator</h2>
<div class="content">
<p>This is the default <tt>index.html</tt> page that
is distributed with <strong>nginx</strong> on
Red Hat Enterprise Linux. It is located in
<tt>/usr/share/nginx/html</tt>.</p>
<p>You should now put your content in a location of
your choice and edit the <tt>root</tt> configuration
directive in the <strong>nginx</strong>
configuration file
<tt>/etc/nginx/nginx.conf</tt>.</p>
<p>For information on Red Hat Enterprise Linux, please visit the <a href="http://www.redhat.com/">Red Hat, Inc. website</a>. The documentation for Red Hat Enterprise Linux is <a href="http://www.redhat.com/docs/manuals/enterprise/">available on the Red Hat, Inc. website</a>.</p>
</div>
</div>
<div class="logos">
<a href="http://nginx.net/"><img
src="nginx-logo.png"
alt="[ Powered by nginx ]"
width="121" height="32" /></a>
<a href="http://www.redhat.com/"><img
src="poweredby.png"
alt="[ Powered by Red Hat Enterprise Linux ]"
width="88" height="31" /></a>
</div>
</div>
</body>
</html>

View File

@ -0,0 +1,76 @@
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 0a2f260..606b6e2 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -616,6 +616,71 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
X509 *x509, *temp;
u_long n;
+ if (ngx_strncmp(cert->data, "engine:", sizeof("engine:") - 1) == 0) {
+
+#ifndef OPENSSL_NO_ENGINE
+
+ u_char *p, *last;
+ ENGINE *engine;
+
+ p = cert->data + sizeof("engine:") - 1;
+ last = (u_char *) ngx_strchr(p, ':');
+
+ if (last == NULL) {
+ *err = "invalid syntax";
+ return NULL;
+ }
+
+ *last = '\0';
+
+ engine = ENGINE_by_id((char *) p);
+
+ if (engine == NULL) {
+ *err = "ENGINE_by_id() failed";
+ return NULL;
+ }
+
+ if (!ENGINE_init(engine)) {
+ *err = "ENGINE_init() failed";
+ ENGINE_free(engine);
+ return NULL;
+ }
+
+ *last++ = ':';
+
+ struct {
+ const char *cert_id;
+ X509 *cert;
+ } params = { (char *) last, NULL };
+
+ if (!ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, &params, NULL, 1)) {
+ *err = "ENGINE_ctrl_cmd() failed - Unable to get the certificate";
+ ENGINE_free(engine);
+ return NULL;
+ }
+
+ ENGINE_finish(engine);
+ ENGINE_free(engine);
+
+ /* set chain to null */
+
+ *chain = sk_X509_new_null();
+ if (*chain == NULL) {
+ *err = "sk_X509_new_null() failed";
+ X509_free(params.cert);
+ return NULL;
+ }
+
+ return params.cert;
+
+#else
+
+ *err = "loading \"engine:...\" certificate is not supported";
+ return NULL;
+
+#endif
+ }
+
if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {
bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1,

View File

@ -1,8 +1,8 @@
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 345914f..d23967f 100644
index 2b0c5e6..9278087 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -252,6 +252,8 @@ ngx_ssl_init(ngx_log_t *log)
@@ -258,6 +258,8 @@ ngx_ssl_init(ngx_log_t *log)
ngx_int_t
ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
{
@ -11,7 +11,7 @@ index 345914f..d23967f 100644
ssl->ctx = SSL_CTX_new(SSLv23_method());
if (ssl->ctx == NULL) {
@@ -316,49 +318,54 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
@@ -322,49 +324,54 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
@ -102,10 +102,10 @@ index 345914f..d23967f 100644
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 61da0c5..fa7ac41 100644
index 329760d..5cee113 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -145,6 +145,7 @@ typedef struct {
@@ -152,6 +152,7 @@ typedef struct {
#endif
@ -114,11 +114,11 @@ index 61da0c5..fa7ac41 100644
#define NGX_SSL_SSLv3 0x0004
#define NGX_SSL_TLSv1 0x0008
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index b3f8f47..8340a12 100644
index a47d696..94f30db 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -613,8 +613,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_value(conf->early_data, prev->early_data, 0);
@@ -671,8 +671,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
@ -128,10 +128,10 @@ index b3f8f47..8340a12 100644
ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
NGX_SSL_BUFSIZE);
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
index 5544f75..3316a4b 100644
index 7eae83e..8328560 100644
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -291,8 +291,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
@@ -306,8 +306,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
prev->prefer_server_ciphers, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
@ -142,10 +142,10 @@ index 5544f75..3316a4b 100644
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index ec9524e..37af046 100644
index d8c0471..cef590d 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -625,8 +625,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
@@ -641,8 +641,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
prev->prefer_server_ciphers, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,

View File

@ -25,7 +25,7 @@ http {
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
@ -36,17 +36,14 @@ http {
include /etc/nginx/conf.d/*.conf;
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 80;
listen [::]:80;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
@ -59,8 +56,8 @@ http {
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# server_name _;
# root /usr/share/nginx/html;
#
@ -74,9 +71,6 @@ http {
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }

View File

@ -18,7 +18,7 @@
Name: nginx
Epoch: 1
Version: 1.16.1
Version: 1.20.0
Release: 1%{?dist}
Summary: A high performance web server and reverse proxy server
@ -34,8 +34,6 @@ Source11: nginx.logrotate
Source12: nginx.conf
Source13: nginx-upgrade
Source14: nginx-upgrade.8
Source100: index.html
Source101: poweredby.png
Source102: nginx-logo.png
Source103: 404.html
Source104: 50x.html
@ -57,7 +55,10 @@ Patch2: nginx-1.16.0-pkcs11.patch
Patch3: nginx-1.14.1-perl-module-hardening.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1643647
Patch4: nginx-1.16.0-enable-tls1v3-by-default.patch
Patch4: nginx-1.20.0-enable-tls1v3-by-default.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1668717
Patch5: nginx-1.18.0-pkcs11-cert.patch
%if 0%{?with_gperftools}
BuildRequires: gperftools-devel
@ -67,6 +68,7 @@ BuildRequires: pcre-devel
BuildRequires: zlib-devel
Requires: nginx-filesystem = %{epoch}:%{version}-%{release}
Requires: system-logos-httpd >= 82.0
%if 0%{?rhel} > 0 && 0%{?rhel} < 8
# Introduced at 1:1.10.0-1 to ease upgrade path. To be removed later.
@ -189,6 +191,7 @@ Requires: nginx
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} .
@ -292,10 +295,19 @@ install -p -d -m 0755 %{buildroot}%{_libdir}/nginx/modules
install -p -m 0644 ./nginx.conf \
%{buildroot}%{_sysconfdir}/nginx
install -p -m 0644 %{SOURCE100} \
%{buildroot}%{_datadir}/nginx/html
install -p -m 0644 %{SOURCE101} %{SOURCE102} \
rm -f %{buildroot}%{_datadir}/nginx/html/index.html
ln -s ../../testpage/index.html \
%{buildroot}%{_datadir}/nginx/html/index.html
install -p -m 0644 %{SOURCE102} \
%{buildroot}%{_datadir}/nginx/html
ln -s nginx-logo.png %{buildroot}%{_datadir}/nginx/html/poweredby.png
mkdir -p %{buildroot}%{_datadir}/nginx/html/icons
# Symlink for the powered-by-$DISTRO image:
ln -s ../../../pixmaps/poweredby.png \
%{buildroot}%{_datadir}/nginx/html/icons/poweredby.png
install -p -m 0644 %{SOURCE103} %{SOURCE104} \
%{buildroot}%{_datadir}/nginx/html
@ -461,6 +473,22 @@ fi
%changelog
* Wed May 05 2021 Lubos Uhliarik <luhliari@redhat.com> - 1:1.20.0-1
- new version 1.20.0
- Resolves: #1945671 - RFE: add nginx:1.20 module stream
* Thu Nov 12 2020 Lubos Uhliarik <luhliari@redhat.com> - 1:1.18.0-3
- Resolves: #1651377 - centralizing default index.html on nginx
- Resolves: #1825683 - Outdated Red Hat branding used in nginx default pages
* Wed Apr 22 2020 Lubos Uhliarik <luhliari@redhat.com> - 1:1.18.0-2
- new version 1.18.0
- Resolves: #1668717 - [RFE] Support loading certificates from hardware token
(PKCS#11)
- Increased types_hash_max_size to 4096 in default config
- Drop location / from default config (rhbz#1564768)
- Drop default_sever from default config (rhbz#1373822)
* Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.1-1
- update to 1.16.1
- Resolves: #1745697 - CVE-2019-9511 nginx:1.16/nginx: HTTP/2: large amount