Commit graph

296 commits

Author SHA1 Message Date
ajs124
91b55655ed nginxMainline: 1.19.3 -> 1.19.4 2020-10-27 20:05:34 +01:00
ajs124
3b8220c74c nginxMainline: 1.19.2 -> 1.19.3 2020-09-30 20:18:47 +02:00
Izorkin
79906c4908
nginxModules.aws-auth: fix warning message 2020-09-12 16:26:08 +03:00
Izorkin
96311ca1c3
nginxModules.shibboleth: 2020.08.12 -> 2020.09.04 2020-09-12 16:26:08 +03:00
Izorkin
6f32af17e9
nginxModules.opentracing: v0.9.0 -> v0.10.0 2020-09-12 16:26:08 +03:00
Izorkin
9092c6140f
nginxModules.naxsi: 2020.08.15 -> 2020.09.10 2020-09-12 16:26:07 +03:00
Izorkin
5c70c5eeaa nginxModules: renamed module ngx_aws_auth to aws-auth 2020-08-17 10:42:54 +03:00
Izorkin
772f5d5401 nginxModules: rename source to module name 2020-08-17 10:42:04 +03:00
Izorkin
15b3330747 nginxModules.statsd: change mirror 2020-08-17 10:42:04 +03:00
Izorkin
b5c1848625 nginxModules.upstream-check: 2018.08.12 -> 2019.11.03 2020-08-17 10:42:04 +03:00
Izorkin
e40dd8d4b9 nginxModules.subsFilter: 2016.04.13 -> 2019.08.06 2020-08-17 10:42:04 +03:00
Izorkin
d3fdff5cbf nginxModules.shibboleth: 2017.04.06 -> 2020.08.12 2020-08-17 10:42:03 +03:00
Izorkin
fdc7f541cf nginxModules.push-stream: 0.5.4 -> 2020.05.03 2020-08-17 10:42:03 +03:00
Izorkin
a27273294f nginxModules.pam: v1.5.1 -> v1.5.2 2020-08-17 10:42:03 +03:00
Izorkin
cb62b1d1a8 nginxModules.opentracing: v0.7.0 -> v0.9.0 2020-08-17 10:42:03 +03:00
Izorkin
b590894e58 nginxModules.naxsi: 0.56 -> 2020.08.15 2020-08-17 10:42:03 +03:00
Izorkin
9c588fce29 nginxModules.modsecurity-nginx: v1.0.0 -> v1.0.1 2020-08-17 10:42:03 +03:00
Izorkin
4460a3700b nginxModules.http_proxy_connect_module: 2019.05.06 -> 2020.07.24 2020-08-17 10:42:03 +03:00
Izorkin
36c95f331d nginxModules.cache-purge: 2.5 -> 2.5.1 2020-08-17 10:42:01 +03:00
Izorkin
980d487480 nginxModules.echo: v0.61 -> v0.62 2020-08-16 12:03:59 +03:00
Izorkin
42cde0d357 nginxModules.develkit: v0.3.1rc1 -> v0.3.1 2020-08-16 12:03:59 +03:00
Izorkin
4bc560d205 nginxModules.brotli: 2019.09.09 -> 2020.04.23 2020-08-16 12:03:50 +03:00
Izorkin
c5d3a46c5f nginxMainline: 1.19.0 -> 1.19.2 2020-08-16 09:59:10 +03:00
Michael Raskin
132ace5fe6
Merge pull request #89344 from JJJollyjim/openresty-no-perl
openresty: disable perl module by default
2020-06-20 18:45:44 +00:00
Jamie McClymont
dca001e923 nginx: change how the perl module is configured
Previously, http_perl_module was disabled by overriding perl=null -- this means
it is impossible to disable http_perl_module in openresty, since openresty
requires perl for its configure scripts.
2020-06-20 14:22:34 +12:00
Doron Behar
01d4e2fe33 treewide: use ffmpeg_3 explicitly if not wanted otherwise
After making `ffmpeg` point to the latest `ffmpeg_4`, all packages that
used `ffmpeg` without requiring a specific version now use ffmpeg_3
explicitly so they shouldn't change.
2020-06-12 11:55:31 -07:00
Izorkin
70b11a0f50 nginxMainline: 1.18.0 -> 1.19.0 2020-05-31 09:46:48 +03:00
ajs124
deadc23034 nginxModules.fancyindex: 0.4.3 -> 0.4.4 2020-05-13 13:23:20 +02:00
Izorkin
aa12fb8adb nginxModules: add option allowMemoryWriteExecute
The allowMemoryWriteExecute option is required to checking enabled nginxModules
and disable the nginx sandbox mode MemoryDenyWriteExecute.
2020-05-12 20:03:29 +03:00
Izorkin
a19800fb48 nginx: change logs path 2020-05-04 16:36:38 +03:00
Izorkin
cbfe203da7 nginxMainline: 1.17.9 -> 1.18.0 2020-04-23 14:34:21 +03:00
Izorkin
2e6cd807d7 nginxStable: 1.16.1 -> 1.18.0 2020-04-23 14:34:13 +03:00
Milan
3847ec0e35
nginxMainline: 1.17.8 -> 1.17.9 (#84743) 2020-04-08 21:19:35 +02:00
aszlig
e1d63ada02
nginx: Fix ETag patch to ignore realpath(3) error
While our ETag patch works pretty fine if it comes to serving data off
store paths, it unfortunately broke something that might be a bit more
common, namely when using regexes to extract path components of
location directives for example.

Recently, @devhell has reported a bug with a nginx location directive
like this:

  location ~^/\~([a-z0-9_]+)(/.*)?$" {
    alias /home/$1/public_html$2;
  }

While this might look harmless at first glance, it does however cause
issues with our ETag patch. The alias directive gets broken up by nginx
like this:

  *2 http script copy: "/home/"
  *2 http script capture: "foo"
  *2 http script copy: "/public_html/"
  *2 http script capture: "bar.txt"

In our patch however, we use realpath(3) to get the canonicalised path
from ngx_http_core_loc_conf_s.root, which returns the *configured* value
from the root or alias directive. So in the example above, realpath(3)
boils down to the following syscalls:

  lstat("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
  lstat("/home/$1", 0x7ffd08da6f60) = -1 ENOENT (No such file or directory)

During my review[1] of the initial patch, I didn't actually notice that
what we're doing here is returning NGX_ERROR if the realpath(3) call
fails, which in turn causes an HTTP 500 error.

Since our patch actually made the canonicalisation (and thus additional
syscalls) necessary, we really shouldn't introduce an additional error
so let's - at least for now - silently skip return value if realpath(3)
has failed.

However since we're using the unaltered root from the config we have
another issue, consider this root:

  /nix/store/...-abcde/$1

Calling realpath(3) on this path will fail (except if there's a file
called "$1" of course), so even this fix is not enough because it
results in the ETag not being set to the store path hash.

While this is very ugly and we should fix this very soon, it's not as
serious as getting HTTP 500 errors for serving static files.

I added a small NixOS VM test, which uses the example above as a
regression test.

It seems that my memory is failing these days, since apparently I *knew*
about this issue since digging for existing issues in nixpkgs, I found
this similar pull request which I even reviewed:

https://github.com/NixOS/nixpkgs/pull/66532

However, since the comments weren't addressed and the author hasn't
responded to the pull request, I decided to keep this very commit and do
a follow-up pull request.

[1]: https://github.com/NixOS/nixpkgs/pull/48337

Signed-off-by: aszlig <aszlig@nix.build>
Reported-by: @devhell
Acked-by: @7c6f434c
Acked-by: @yorickvP
Merges: https://github.com/NixOS/nixpkgs/pull/80671
Fixes: https://github.com/NixOS/nixpkgs/pull/66532
2020-03-28 02:57:21 +01:00
ajs124
0aec2cdd08 nginxModules.fastcgi-cache-purge: 2.3 -> 2.5
switch to a fork that seems sort of alive
2020-03-10 23:35:15 +01:00
Emily
6d046e1079 openresty: rebase on top of nginx package
The primary motivation of this change was to allow third-party modules
to be used with OpenResty, but it also results in a significant
reduction of code duplication.
2020-02-04 19:30:40 -06:00
Emily
db3182a65d nginxModules.brotli: v0.1.2 -> unstable
The fork was merged back upstream but has yet to see a formal release.
2020-02-04 19:30:40 -06:00
Will Dietz
92d29418b3
nginxMainline: 1.17.3 -> 1.17.8
http://nginx.org/en/CHANGES
2020-01-21 11:02:11 -06:00
Ryan Mulligan
6de8b8f144
Merge pull request #61722 from Izorkin/pinba-nginx
nginxModules.pinba: init at 13.05.2019
2020-01-04 07:58:18 -08:00
Frederik Rietdijk
7aa2b0215b Merge master into staging-next 2020-01-03 10:25:14 +01:00
Robin Gloster
6ca6ac796b
treewide: configureFlags is a flat list 2019-12-31 01:37:49 +01:00
Robin Gloster
5f2b92e3ec
treewide: NIX_*_COMPILE -> string 2019-12-31 00:13:29 +01:00
aszlig
ccf55bead1
nginx: Clear Last-Modified if ETag is from store
This is what I've suspected a while ago[1]:

> Heads-up everyone: After testing this in a few production instances,
> it seems that some browsers still get cache hits for new store paths
> (and changed contents) for some reason. I highly suspect that it might
> be due to the last-modified header (as mentioned in [2]).
>
> Going to test this with last-modified disabled for a little while and
> if this is the case I think we should improve that patch by disabling
> last-modified if serving from a store path.

Much earlier[2] when I reviewed the patch, I wrote this:

> Other than that, it looks good to me.
>
> However, I'm not sure what we should do with Last-Modified header.
> From RFC 2616, section 13.3.4:
>
> - If both an entity tag and a Last-Modified value have been
>   provided by the origin server, SHOULD use both validators in
>   cache-conditional requests. This allows both HTTP/1.0 and
>   HTTP/1.1 caches to respond appropriately.
>
> I'm a bit nervous about the SHOULD here, as user agents in the wild
> could possibly just use Last-Modified and use the cached content
> instead.

Unfortunately, I didn't pursue this any further back then because
@pbogdan noted[3] the following:

> Hmm, could they (assuming they are conforming):
>
>  * If an entity tag has been provided by the origin server, MUST
>    use that entity tag in any cache-conditional request (using If-
>    Match or If-None-Match).

Since running with this patch in some deployments, I found that both
Firefox and Chrome/Chromium do NOT re-validate against the ETag if the
Last-Modified header is still the same.

So I wrote a small NixOS VM test with Geckodriver to have a test case
which is closer to the real world and I indeed was able to reproduce
this.

Whether this is actually a bug in Chrome or Firefox is an entirely
different issue and even IF it is the fault of the browsers and it is
fixed at some point, we'd still need to handle this for older browser
versions.

Apart from clearing the header, I also recreated the patch by using a
plain "git diff" with a small description on top. This should make it
easier for future authors to work on that patch.

[1]: https://github.com/NixOS/nixpkgs/pull/48337#issuecomment-495072764
[2]: https://github.com/NixOS/nixpkgs/pull/48337#issuecomment-451644084
[3]: https://github.com/NixOS/nixpkgs/pull/48337#issuecomment-451646135

Signed-off-by: aszlig <aszlig@nix.build>
2019-12-30 14:30:36 +01:00
Izorkin
edddf0ac47 nginxModules.pinba: init at 13.05.2019 2019-12-11 10:06:55 +03:00
Jörg Thalheim
571ed9d22e
nginx: reference tests 2019-11-29 12:27:55 +00:00
tekeri
a5f26644d4 Add nginx perl modules (#73198)
* nginx: enable perl_module if perl is given

* nginx: move `perl = null` to toplevel
2019-11-27 17:08:56 +00:00
Franz Pletz
de85797565
Merge remote-tracking branch 'origin/master' into gcc-8 2019-09-03 22:15:07 +02:00
Robin Gloster
616b8343c4
Merge remote-tracking branch 'upstream/master' into gcc-8 2019-08-25 18:55:46 +02:00
Vladimír Čunát
2e6bf42a22
Merge branch 'master' into staging-next
There ver very many conflicts, basically all due to
name -> pname+version.  Fortunately, almost everything was auto-resolved
by kdiff3, and for now I just fixed up a couple evaluation problems,
as verified by the tarball job.  There might be some fallback to these
conflicts, but I believe it should be minimal.

Hydra nixpkgs: ?compare=1538299
2019-08-24 08:55:37 +02:00
Robin Gloster
4e60b0efae
treewide: update globin's maintained drvs 2019-08-20 19:36:05 +02:00