1 # Copyright 1999-2020 Gentoo Authors
2 # Distributed under the terms of the GNU General Public License v2
7 # - http_rewrite-independent pcre-support makes sense for matching locations without an actual rewrite
8 # - any http-module activates the main http-functionality and overrides USE=-http
9 # - keep the following requirements in mind before adding external modules:
13 # * does not need a patch for nginx core
14 # - TODO: test the google-perftools module (included in vanilla tarball)
16 # prevent perl-module from adding automagic perl DEPENDs
17 GENTOO_DEPEND_ON_PERL="no"
# Third-party module sources. Every module is described by the same four
# variables:
#   *_PV  - upstream version: a release number or a 40-character commit id
#   *_P   - name the downloaded tarball is stored under (see SRC_URI)
#   *_URI - download location
#   *_WD  - the module's source directory under ${WORKDIR}
19 # devel_kit (https://github.com/simpl/ngx_devel_kit, BSD license)
20 DEVEL_KIT_MODULE_PV="0.3.1"
21 DEVEL_KIT_MODULE_P="ngx_devel_kit-${DEVEL_KIT_MODULE_PV}"
22 DEVEL_KIT_MODULE_URI="https://github.com/simpl/ngx_devel_kit/archive/v${DEVEL_KIT_MODULE_PV}.tar.gz"
23 DEVEL_KIT_MODULE_WD="${WORKDIR}/ngx_devel_kit-${DEVEL_KIT_MODULE_PV}"
25 # ngx_brotli (https://github.com/eustas/ngx_brotli, BSD-2)
# The archive is requested by a 40-character id (presumably a git commit)
# instead of a release tag.
26 HTTP_BROTLI_MODULE_PV="8104036af9cff4b1d34f22d00ba857e2a93a243c"
27 HTTP_BROTLI_MODULE_P="ngx_brotli-${HTTP_BROTLI_MODULE_PV}"
28 HTTP_BROTLI_MODULE_URI="https://github.com/eustas/ngx_brotli/archive/${HTTP_BROTLI_MODULE_PV}.tar.gz"
29 HTTP_BROTLI_MODULE_WD="${WORKDIR}/ngx_brotli-${HTTP_BROTLI_MODULE_PV}"
31 # http_uploadprogress (https://github.com/masterzen/nginx-upload-progress-module, BSD-2 license)
32 HTTP_UPLOAD_PROGRESS_MODULE_PV="0.9.2"
# The stored tarball name carries an extra "-r1" suffix that is not part of
# the upstream version.
33 HTTP_UPLOAD_PROGRESS_MODULE_P="ngx_http_upload_progress-${HTTP_UPLOAD_PROGRESS_MODULE_PV}-r1"
34 HTTP_UPLOAD_PROGRESS_MODULE_URI="https://github.com/masterzen/nginx-upload-progress-module/archive/v${HTTP_UPLOAD_PROGRESS_MODULE_PV}.tar.gz"
35 HTTP_UPLOAD_PROGRESS_MODULE_WD="${WORKDIR}/nginx-upload-progress-module-${HTTP_UPLOAD_PROGRESS_MODULE_PV}"
37 # http_headers_more (https://github.com/agentzh/headers-more-nginx-module, BSD license)
38 HTTP_HEADERS_MORE_MODULE_PV="0.33"
39 HTTP_HEADERS_MORE_MODULE_P="ngx_http_headers_more-${HTTP_HEADERS_MORE_MODULE_PV}"
40 HTTP_HEADERS_MORE_MODULE_URI="https://github.com/agentzh/headers-more-nginx-module/archive/v${HTTP_HEADERS_MORE_MODULE_PV}.tar.gz"
41 HTTP_HEADERS_MORE_MODULE_WD="${WORKDIR}/headers-more-nginx-module-${HTTP_HEADERS_MORE_MODULE_PV}"
43 # http_cache_purge (http://labs.frickle.com/nginx_ngx_cache_purge/, https://github.com/FRiCKLE/ngx_cache_purge, BSD-2 license)
# NOTE(review): this tarball is fetched over plain http://, so the transport
# gives no integrity or authenticity guarantee; the only remaining check is the
# distfile checksum in the package Manifest (not part of this file). An https
# source for the same release would be preferable if upstream offers one.
44 HTTP_CACHE_PURGE_MODULE_PV="2.3"
45 HTTP_CACHE_PURGE_MODULE_P="ngx_http_cache_purge-${HTTP_CACHE_PURGE_MODULE_PV}"
46 HTTP_CACHE_PURGE_MODULE_URI="http://labs.frickle.com/files/ngx_cache_purge-${HTTP_CACHE_PURGE_MODULE_PV}.tar.gz"
47 HTTP_CACHE_PURGE_MODULE_WD="${WORKDIR}/ngx_cache_purge-${HTTP_CACHE_PURGE_MODULE_PV}"
# Third-party module sources (continued). Per module: *_PV is the upstream
# version or commit id, *_P the stored tarball name, *_URI the download
# location and *_WD the source directory under ${WORKDIR}.
49 # http_slowfs_cache (http://labs.frickle.com/nginx_ngx_slowfs_cache/, BSD-2 license)
# NOTE(review): downloaded over plain http://; integrity then rests only on
# the distfile checksum in the package Manifest (not part of this file).
50 HTTP_SLOWFS_CACHE_MODULE_PV="1.10"
51 HTTP_SLOWFS_CACHE_MODULE_P="ngx_http_slowfs_cache-${HTTP_SLOWFS_CACHE_MODULE_PV}"
52 HTTP_SLOWFS_CACHE_MODULE_URI="http://labs.frickle.com/files/ngx_slowfs_cache-${HTTP_SLOWFS_CACHE_MODULE_PV}.tar.gz"
53 HTTP_SLOWFS_CACHE_MODULE_WD="${WORKDIR}/ngx_slowfs_cache-${HTTP_SLOWFS_CACHE_MODULE_PV}"
55 # http_fancyindex (https://github.com/aperezdc/ngx-fancyindex, BSD license)
56 HTTP_FANCYINDEX_MODULE_PV="0.4.4"
57 HTTP_FANCYINDEX_MODULE_P="ngx_http_fancyindex-${HTTP_FANCYINDEX_MODULE_PV}"
58 HTTP_FANCYINDEX_MODULE_URI="https://github.com/aperezdc/ngx-fancyindex/archive/v${HTTP_FANCYINDEX_MODULE_PV}.tar.gz"
59 HTTP_FANCYINDEX_MODULE_WD="${WORKDIR}/ngx-fancyindex-${HTTP_FANCYINDEX_MODULE_PV}"
61 # http_lua (https://github.com/openresty/lua-nginx-module, BSD license)
62 HTTP_LUA_MODULE_PV="0.10.15"
63 HTTP_LUA_MODULE_P="ngx_http_lua-${HTTP_LUA_MODULE_PV}"
64 HTTP_LUA_MODULE_URI="https://github.com/openresty/lua-nginx-module/archive/v${HTTP_LUA_MODULE_PV}.tar.gz"
65 HTTP_LUA_MODULE_WD="${WORKDIR}/lua-nginx-module-${HTTP_LUA_MODULE_PV}"
67 # http_auth_pam (https://github.com/stogh/ngx_http_auth_pam_module/, http://web.iti.upv.es/~sto/nginx/, BSD-2 license)
68 HTTP_AUTH_PAM_MODULE_PV="1.5.1"
69 HTTP_AUTH_PAM_MODULE_P="ngx_http_auth_pam-${HTTP_AUTH_PAM_MODULE_PV}"
70 HTTP_AUTH_PAM_MODULE_URI="https://github.com/stogh/ngx_http_auth_pam_module/archive/v${HTTP_AUTH_PAM_MODULE_PV}.tar.gz"
71 HTTP_AUTH_PAM_MODULE_WD="${WORKDIR}/ngx_http_auth_pam_module-${HTTP_AUTH_PAM_MODULE_PV}"
73 # http_upstream_check (https://github.com/yaoweibin/nginx_upstream_check_module, BSD license)
# Requested by a 40-character id (presumably a git commit), not a release tag.
74 HTTP_UPSTREAM_CHECK_MODULE_PV="9aecf15ec379fe98f62355c57b60c0bc83296f04"
75 HTTP_UPSTREAM_CHECK_MODULE_P="ngx_http_upstream_check-${HTTP_UPSTREAM_CHECK_MODULE_PV}"
76 HTTP_UPSTREAM_CHECK_MODULE_URI="https://github.com/yaoweibin/nginx_upstream_check_module/archive/${HTTP_UPSTREAM_CHECK_MODULE_PV}.tar.gz"
77 HTTP_UPSTREAM_CHECK_MODULE_WD="${WORKDIR}/nginx_upstream_check_module-${HTTP_UPSTREAM_CHECK_MODULE_PV}"
79 # http_metrics (https://github.com/zenops/ngx_metrics, BSD license)
# NOTE(review): the homepage above names zenops/ngx_metrics, but the tarball
# below is downloaded from madvertise/ngx_metrics. Confirm which repository is
# the intended upstream before bumping the version.
80 HTTP_METRICS_MODULE_PV="0.1.1"
81 HTTP_METRICS_MODULE_P="ngx_metrics-${HTTP_METRICS_MODULE_PV}"
82 HTTP_METRICS_MODULE_URI="https://github.com/madvertise/ngx_metrics/archive/v${HTTP_METRICS_MODULE_PV}.tar.gz"
83 HTTP_METRICS_MODULE_WD="${WORKDIR}/ngx_metrics-${HTTP_METRICS_MODULE_PV}"
85 # http_vhost_traffic_status (https://github.com/vozlt/nginx-module-vts, BSD license)
# Requested by a 40-character id (presumably a git commit), not a release tag.
86 HTTP_VHOST_TRAFFIC_STATUS_MODULE_PV="46d85558e344dfe2b078ce757fd36c69a1ec2dd3"
87 HTTP_VHOST_TRAFFIC_STATUS_MODULE_P="ngx_http_vhost_traffic_status-${HTTP_VHOST_TRAFFIC_STATUS_MODULE_PV}"
88 HTTP_VHOST_TRAFFIC_STATUS_MODULE_URI="https://github.com/vozlt/nginx-module-vts/archive/${HTTP_VHOST_TRAFFIC_STATUS_MODULE_PV}.tar.gz"
89 HTTP_VHOST_TRAFFIC_STATUS_MODULE_WD="${WORKDIR}/nginx-module-vts-${HTTP_VHOST_TRAFFIC_STATUS_MODULE_PV}"
# Third-party module sources (continued). Per module: *_PV is the upstream
# version, *_P the stored tarball name, *_URI the download location and *_WD
# the source directory under ${WORKDIR}.
91 # naxsi-core (https://github.com/nbs-system/naxsi, GPLv2+)
92 HTTP_NAXSI_MODULE_PV="0.56"
93 HTTP_NAXSI_MODULE_P="ngx_http_naxsi-${HTTP_NAXSI_MODULE_PV}"
94 HTTP_NAXSI_MODULE_URI="https://github.com/nbs-system/naxsi/archive/${HTTP_NAXSI_MODULE_PV}.tar.gz"
# Points at the naxsi_src subdirectory of the unpacked tree, not at its root.
95 HTTP_NAXSI_MODULE_WD="${WORKDIR}/naxsi-${HTTP_NAXSI_MODULE_PV}/naxsi_src"
97 # nginx-rtmp-module (https://github.com/arut/nginx-rtmp-module, BSD license)
98 RTMP_MODULE_PV="1.2.1"
99 RTMP_MODULE_P="ngx_rtmp-${RTMP_MODULE_PV}"
100 RTMP_MODULE_URI="https://github.com/arut/nginx-rtmp-module/archive/v${RTMP_MODULE_PV}.tar.gz"
101 RTMP_MODULE_WD="${WORKDIR}/nginx-rtmp-module-${RTMP_MODULE_PV}"
103 # nginx-dav-ext-module (https://github.com/arut/nginx-dav-ext-module, BSD license)
104 HTTP_DAV_EXT_MODULE_PV="3.0.0"
105 HTTP_DAV_EXT_MODULE_P="ngx_http_dav_ext-${HTTP_DAV_EXT_MODULE_PV}"
106 HTTP_DAV_EXT_MODULE_URI="https://github.com/arut/nginx-dav-ext-module/archive/v${HTTP_DAV_EXT_MODULE_PV}.tar.gz"
107 HTTP_DAV_EXT_MODULE_WD="${WORKDIR}/nginx-dav-ext-module-${HTTP_DAV_EXT_MODULE_PV}"
109 # echo-nginx-module (https://github.com/openresty/echo-nginx-module, BSD license)
# The version string marks this as a release candidate ("rc1").
110 HTTP_ECHO_MODULE_PV="0.62rc1"
111 HTTP_ECHO_MODULE_P="ngx_http_echo-${HTTP_ECHO_MODULE_PV}"
112 HTTP_ECHO_MODULE_URI="https://github.com/openresty/echo-nginx-module/archive/v${HTTP_ECHO_MODULE_PV}.tar.gz"
113 HTTP_ECHO_MODULE_WD="${WORKDIR}/echo-nginx-module-${HTTP_ECHO_MODULE_PV}"
115 # mod_security for nginx (https://modsecurity.org/, Apache-2.0)
116 # keep the MODULE_P here consistent with upstream to avoid tarball duplication
117 HTTP_SECURITY_MODULE_PV="2.9.3"
118 HTTP_SECURITY_MODULE_P="modsecurity-${HTTP_SECURITY_MODULE_PV}"
119 HTTP_SECURITY_MODULE_URI="https://www.modsecurity.org/tarball/${HTTP_SECURITY_MODULE_PV}/${HTTP_SECURITY_MODULE_P}.tar.gz"
120 HTTP_SECURITY_MODULE_WD="${WORKDIR}/${HTTP_SECURITY_MODULE_P}"
122 # push-stream-module (http://www.nginxpushstream.com, https://github.com/wandenberg/nginx-push-stream-module, GPL-3)
123 HTTP_PUSH_STREAM_MODULE_PV="0.5.4"
124 HTTP_PUSH_STREAM_MODULE_P="ngx_http_push_stream-${HTTP_PUSH_STREAM_MODULE_PV}"
125 HTTP_PUSH_STREAM_MODULE_URI="https://github.com/wandenberg/nginx-push-stream-module/archive/${HTTP_PUSH_STREAM_MODULE_PV}.tar.gz"
126 HTTP_PUSH_STREAM_MODULE_WD="${WORKDIR}/nginx-push-stream-module-${HTTP_PUSH_STREAM_MODULE_PV}"
# Third-party module sources (continued). Per module: *_PV is the upstream
# version or commit id, *_P the stored tarball name, *_URI the download
# location and *_WD the source directory under ${WORKDIR}.
128 # sticky-module (https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng, BSD-2)
129 HTTP_STICKY_MODULE_PV="1.2.6-10-g08a395c66e42"
130 HTTP_STICKY_MODULE_P="nginx_http_sticky_module_ng-${HTTP_STICKY_MODULE_PV}"
131 HTTP_STICKY_MODULE_URI="https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/get/${HTTP_STICKY_MODULE_PV}.tar.bz2"
# The directory name hard-codes the short id 08a395c66e42 instead of deriving
# it from _PV, so it has to be updated by hand together with the
# "-g08a395c66e42" suffix above.
132 HTTP_STICKY_MODULE_WD="${WORKDIR}/nginx-goodies-nginx-sticky-module-ng-08a395c66e42"
134 # mogilefs-module (https://github.com/vkholodkov/nginx-mogilefs-module, BSD-2)
135 HTTP_MOGILEFS_MODULE_PV="1.0.4"
136 HTTP_MOGILEFS_MODULE_P="ngx_mogilefs_module-${HTTP_MOGILEFS_MODULE_PV}"
137 HTTP_MOGILEFS_MODULE_URI="https://github.com/vkholodkov/nginx-mogilefs-module/archive/${HTTP_MOGILEFS_MODULE_PV}.tar.gz"
138 HTTP_MOGILEFS_MODULE_WD="${WORKDIR}/nginx_mogilefs_module-${HTTP_MOGILEFS_MODULE_PV}"
140 # memc-module (https://github.com/openresty/memc-nginx-module, BSD-2)
141 HTTP_MEMC_MODULE_PV="0.19"
142 HTTP_MEMC_MODULE_P="ngx_memc_module-${HTTP_MEMC_MODULE_PV}"
143 HTTP_MEMC_MODULE_URI="https://github.com/openresty/memc-nginx-module/archive/v${HTTP_MEMC_MODULE_PV}.tar.gz"
144 HTTP_MEMC_MODULE_WD="${WORKDIR}/memc-nginx-module-${HTTP_MEMC_MODULE_PV}"
146 # nginx-ldap-auth-module (https://github.com/kvspb/nginx-auth-ldap, BSD-2)
# Requested by a 40-character id (presumably a git commit), not a release tag.
147 HTTP_LDAP_MODULE_PV="42d195d7a7575ebab1c369ad3fc5d78dc2c2669c"
148 HTTP_LDAP_MODULE_P="nginx-auth-ldap-${HTTP_LDAP_MODULE_PV}"
149 HTTP_LDAP_MODULE_URI="https://github.com/kvspb/nginx-auth-ldap/archive/${HTTP_LDAP_MODULE_PV}.tar.gz"
150 HTTP_LDAP_MODULE_WD="${WORKDIR}/nginx-auth-ldap-${HTTP_LDAP_MODULE_PV}"
152 # geoip2 (https://github.com/leev/ngx_http_geoip2_module, BSD-2)
# One tarball serves both the http and the stream geoip2 USE flags (see
# SRC_URI).
153 GEOIP2_MODULE_PV="3.3"
154 GEOIP2_MODULE_P="ngx_http_geoip2_module-${GEOIP2_MODULE_PV}"
155 GEOIP2_MODULE_URI="https://github.com/leev/ngx_http_geoip2_module/archive/${GEOIP2_MODULE_PV}.tar.gz"
156 GEOIP2_MODULE_WD="${WORKDIR}/ngx_http_geoip2_module-${GEOIP2_MODULE_PV}"
158 # njs-module (https://github.com/nginx/njs, as-is)
# One tarball serves both the http and the stream javascript USE flags (see
# SRC_URI).
159 NJS_MODULE_PV="0.4.1"
160 NJS_MODULE_P="njs-${NJS_MODULE_PV}"
161 NJS_MODULE_URI="https://github.com/nginx/njs/archive/${NJS_MODULE_PV}.tar.gz"
162 NJS_MODULE_WD="${WORKDIR}/njs-${NJS_MODULE_PV}"
164 # We handle deps below ourselves
# Setting this to "no" keeps the autotools eclass from adding its build
# dependencies on its own; ${AUTOTOOLS_DEPEND} is referenced by hand further
# down, for the mod_security module only.
166 AUTOTOOLS_AUTO_DEPEND="no"
# Eclasses that provide helpers used later in this file, among them
# enewuser (user), install_cert (ssl-cert), systemd_newunit (systemd),
# pax-mark (pax-utils), version_is_at_least (versionator) and
# get_libdir (multilib).
168 inherit autotools ssl-cert toolchain-funcs perl-module flag-o-matic user systemd versionator multilib pax-utils
170 DESCRIPTION="Robust, small and high performance http and reverse proxy server"
171 HOMEPAGE="https://nginx.org"
# Download list: the nginx tarball plus one entry per third-party module.
# "URI -> name" stores each download under the module's *_P name. The
# devel_kit tarball is listed unconditionally; every other module tarball is
# only fetched when its USE flag is enabled. geoip2 and njs appear twice
# because their http and stream flags share one tarball.
# NOTE(review): two of the *_URI values used here (cache_purge, slowfs_cache)
# are plain http:// locations; for those the distfile checksum in the package
# Manifest (not part of this file) is the only integrity check.
172 SRC_URI="https://nginx.org/download/${P}.tar.gz
173 ${DEVEL_KIT_MODULE_URI} -> ${DEVEL_KIT_MODULE_P}.tar.gz
174 nginx_modules_http_auth_ldap? ( ${HTTP_LDAP_MODULE_URI} -> ${HTTP_LDAP_MODULE_P}.tar.gz )
175 nginx_modules_http_auth_pam? ( ${HTTP_AUTH_PAM_MODULE_URI} -> ${HTTP_AUTH_PAM_MODULE_P}.tar.gz )
176 nginx_modules_http_brotli? ( ${HTTP_BROTLI_MODULE_URI} -> ${HTTP_BROTLI_MODULE_P}.tar.gz )
177 nginx_modules_http_cache_purge? ( ${HTTP_CACHE_PURGE_MODULE_URI} -> ${HTTP_CACHE_PURGE_MODULE_P}.tar.gz )
178 nginx_modules_http_dav_ext? ( ${HTTP_DAV_EXT_MODULE_URI} -> ${HTTP_DAV_EXT_MODULE_P}.tar.gz )
179 nginx_modules_http_echo? ( ${HTTP_ECHO_MODULE_URI} -> ${HTTP_ECHO_MODULE_P}.tar.gz )
180 nginx_modules_http_fancyindex? ( ${HTTP_FANCYINDEX_MODULE_URI} -> ${HTTP_FANCYINDEX_MODULE_P}.tar.gz )
181 nginx_modules_http_geoip2? ( ${GEOIP2_MODULE_URI} -> ${GEOIP2_MODULE_P}.tar.gz )
182 nginx_modules_http_headers_more? ( ${HTTP_HEADERS_MORE_MODULE_URI} -> ${HTTP_HEADERS_MORE_MODULE_P}.tar.gz )
183 nginx_modules_http_javascript? ( ${NJS_MODULE_URI} -> ${NJS_MODULE_P}.tar.gz )
184 nginx_modules_http_lua? ( ${HTTP_LUA_MODULE_URI} -> ${HTTP_LUA_MODULE_P}.tar.gz )
185 nginx_modules_http_memc? ( ${HTTP_MEMC_MODULE_URI} -> ${HTTP_MEMC_MODULE_P}.tar.gz )
186 nginx_modules_http_metrics? ( ${HTTP_METRICS_MODULE_URI} -> ${HTTP_METRICS_MODULE_P}.tar.gz )
187 nginx_modules_http_mogilefs? ( ${HTTP_MOGILEFS_MODULE_URI} -> ${HTTP_MOGILEFS_MODULE_P}.tar.gz )
188 nginx_modules_http_naxsi? ( ${HTTP_NAXSI_MODULE_URI} -> ${HTTP_NAXSI_MODULE_P}.tar.gz )
189 nginx_modules_http_push_stream? ( ${HTTP_PUSH_STREAM_MODULE_URI} -> ${HTTP_PUSH_STREAM_MODULE_P}.tar.gz )
190 nginx_modules_http_security? ( ${HTTP_SECURITY_MODULE_URI} -> ${HTTP_SECURITY_MODULE_P}.tar.gz )
191 nginx_modules_http_slowfs_cache? ( ${HTTP_SLOWFS_CACHE_MODULE_URI} -> ${HTTP_SLOWFS_CACHE_MODULE_P}.tar.gz )
192 nginx_modules_http_sticky? ( ${HTTP_STICKY_MODULE_URI} -> ${HTTP_STICKY_MODULE_P}.tar.bz2 )
193 nginx_modules_http_upload_progress? ( ${HTTP_UPLOAD_PROGRESS_MODULE_URI} -> ${HTTP_UPLOAD_PROGRESS_MODULE_P}.tar.gz )
194 nginx_modules_http_upstream_check? ( ${HTTP_UPSTREAM_CHECK_MODULE_URI} -> ${HTTP_UPSTREAM_CHECK_MODULE_P}.tar.gz )
195 nginx_modules_http_vhost_traffic_status? ( ${HTTP_VHOST_TRAFFIC_STATUS_MODULE_URI} -> ${HTTP_VHOST_TRAFFIC_STATUS_MODULE_P}.tar.gz )
196 nginx_modules_stream_geoip2? ( ${GEOIP2_MODULE_URI} -> ${GEOIP2_MODULE_P}.tar.gz )
197 nginx_modules_stream_javascript? ( ${NJS_MODULE_URI} -> ${NJS_MODULE_P}.tar.gz )
198 rtmp? ( ${RTMP_MODULE_URI} -> ${RTMP_MODULE_P}.tar.gz )"
# Licenses of nginx and the bundled third-party modules. The Apache-2.0 and
# GPL-3 entries only apply when the corresponding module is enabled.
200 LICENSE="BSD-2 BSD SSLeay MIT GPL-2 GPL-2+
201 nginx_modules_http_security? ( Apache-2.0 )
202 nginx_modules_http_push_stream? ( GPL-3 )"
# Architectures this version is keyworded for; a leading "~" marks testing.
205 KEYWORDS="amd64 ~arm ~arm64 ~ppc ~ppc64 x86 ~amd64-linux ~x86-linux"
207 # Package doesn't provide a real test suite
# Module name lists. The IUSE loops further down turn every name into a USE
# flag (nginx_modules_http_<name>, nginx_modules_stream_<name>,
# nginx_modules_mail_<name>), and the configure step maps the flags to
# --with/--without switches. Only the standard http modules get a "+"
# (enabled by default) in IUSE.
210 NGINX_MODULES_STD="access auth_basic autoindex browser charset empty_gif
211 fastcgi geo grpc gzip limit_req limit_conn map memcached mirror
212 proxy referer rewrite scgi ssi split_clients upstream_hash
213 upstream_ip_hash upstream_keepalive upstream_least_conn
214 upstream_zone userid uwsgi"
215 NGINX_MODULES_OPT="addition auth_request dav degradation flv geoip gunzip
216 gzip_static image_filter mp4 perl random_index realip secure_link
217 slice stub_status sub xslt"
218 NGINX_MODULES_STREAM_STD="access geo limit_conn map return split_clients
219 upstream_hash upstream_least_conn upstream_zone"
220 NGINX_MODULES_STREAM_OPT="geoip realip ssl_preread"
221 NGINX_MODULES_MAIL="imap pop3 smtp"
244 http_vhost_traffic_status
# Global (non-module) USE flags; "+" marks the ones enabled by default.
249 IUSE="aio debug +http +http2 +http-cache +ipv6 libatomic libressl luajit +pcre
250 pcre-jit rtmp selinux ssl threads userland_GNU vim-syntax"
# Expand the module lists into USE flags. The list variables are left unquoted
# on purpose: word splitting yields one module name per iteration.
# Standard http modules are enabled by default ("+").
252 for mod in $NGINX_MODULES_STD; do
253 IUSE="${IUSE} +nginx_modules_http_${mod}"
# Optional http modules are off unless requested.
256 for mod in $NGINX_MODULES_OPT; do
257 IUSE="${IUSE} nginx_modules_http_${mod}"
# Stream modules, standard and optional alike, get no "+" here.
260 for mod in $NGINX_MODULES_STREAM_STD; do
261 IUSE="${IUSE} nginx_modules_stream_${mod}"
264 for mod in $NGINX_MODULES_STREAM_OPT; do
265 IUSE="${IUSE} nginx_modules_stream_${mod}"
268 for mod in $NGINX_MODULES_MAIL; do
269 IUSE="${IUSE} nginx_modules_mail_${mod}"
# Third-party modules: no http_/stream_ prefix is added here, so the entries
# of NGINX_MODULES_3RD presumably carry it themselves
# (e.g. http_vhost_traffic_status).
272 for mod in $NGINX_MODULES_3RD; do
273 IUSE="${IUSE} nginx_modules_${mod}"
276 # Add so we can warn users updating about config changes
277 # @TODO: jbergstroem: remove on next release series
# The spdy flag selects no code in the visible configure step; it is only
# tested after installation to print the "superseded by http2" warning.
278 IUSE="${IUSE} nginx_modules_http_spdy"
281 pcre? ( dev-libs/libpcre:= )
282 pcre-jit? ( dev-libs/libpcre:=[jit] )
284 !libressl? ( dev-libs/openssl:0= )
285 libressl? ( dev-libs/libressl:= )
288 !libressl? ( >=dev-libs/openssl-1.0.1c:0= )
289 libressl? ( dev-libs/libressl:= )
293 !libressl? ( dev-libs/openssl:0= )
294 libressl? ( dev-libs/libressl:= )
297 nginx_modules_http_brotli? ( app-arch/brotli:= )
298 nginx_modules_http_geoip? ( dev-libs/geoip )
299 nginx_modules_http_geoip2? ( dev-libs/libmaxminddb:= )
300 nginx_modules_http_gunzip? ( sys-libs/zlib )
301 nginx_modules_http_gzip? ( sys-libs/zlib )
302 nginx_modules_http_gzip_static? ( sys-libs/zlib )
303 nginx_modules_http_image_filter? ( media-libs/gd:=[jpeg,png] )
304 nginx_modules_http_perl? ( >=dev-lang/perl-5.8:= )
305 nginx_modules_http_rewrite? ( dev-libs/libpcre:= )
306 nginx_modules_http_secure_link? (
308 !libressl? ( dev-libs/openssl:0= )
309 libressl? ( dev-libs/libressl:= )
312 nginx_modules_http_xslt? ( dev-libs/libxml2:= dev-libs/libxslt )
313 nginx_modules_http_lua? ( dev-lang/luajit:2= )
314 nginx_modules_http_auth_pam? ( sys-libs/pam )
315 nginx_modules_http_metrics? ( dev-libs/yajl:= )
316 nginx_modules_http_dav_ext? ( dev-libs/libxml2 )
317 nginx_modules_http_security? (
324 nginx_modules_http_auth_ldap? ( net-nds/openldap[ssl?] )
325 nginx_modules_stream_geoip? ( dev-libs/geoip )
326 nginx_modules_stream_geoip2? ( dev-libs/libmaxminddb:= )"
328 selinux? ( sec-policy/selinux-nginx )
329 !www-servers/nginx:mainline"
331 nginx_modules_http_brotli? ( virtual/pkgconfig )
332 nginx_modules_http_security? ( ${AUTOTOOLS_DEPEND} )
333 arm? ( dev-libs/libatomic_ops )
334 libatomic? ( dev-libs/libatomic_ops )"
# Post-dependency: the vim syntax files are pulled in with nginx but are not
# needed to build it.
335 PDEPEND="vim-syntax? ( app-vim/nginx-syntax )"
# USE-flag combinations that must hold before the build starts: each listed
# module requires PCRE, another nginx module, http2 or ssl to be enabled too.
337 REQUIRED_USE="pcre-jit? ( pcre )
338 nginx_modules_http_fancyindex? ( nginx_modules_http_addition )
339 nginx_modules_http_grpc? ( http2 )
340 nginx_modules_http_lua? (
342 nginx_modules_http_rewrite
344 nginx_modules_http_naxsi? ( pcre )
345 nginx_modules_http_dav_ext? ( nginx_modules_http_dav nginx_modules_http_xslt )
346 nginx_modules_http_metrics? ( nginx_modules_http_stub_status )
347 nginx_modules_http_security? ( pcre )
348 nginx_modules_http_push_stream? ( ssl )"
# State directory of the daemon and the temp area below it; both are reused
# by the configure and install steps.
351 NGINX_HOME="/var/lib/nginx"
352 NGINX_HOME_TMP="${NGINX_HOME}/tmp"
354 ebegin "Creating nginx user and group"
# Dedicated service account named after the package, with ${NGINX_HOME} as
# home and ${PN} as group. The two -1 arguments leave the UID and the login
# shell to the eclass defaults.
356 enewuser ${PN} -1 -1 "${NGINX_HOME}" ${PN}
359 if use libatomic; then
360 ewarn "GCC 4.1+ features built-in atomic operations."
361 ewarn "Using libatomic_ops is only needed if using"
362 ewarn "a different compiler or a GCC prior to 4.1"
# NGINX_ADD_MODULES is taken from the caller's environment and later passed to
# configure as extra --add-module paths. Code added this way is compiled into
# the daemon without having been vetted by this package, hence the warning.
365 if [[ -n $NGINX_ADD_MODULES ]]; then
366 ewarn "You are building custom modules via \$NGINX_ADD_MODULES!"
367 ewarn "This nginx installation is not supported!"
368 ewarn "Make sure you can reproduce the bug without those modules"
369 ewarn "_before_ reporting bugs."
# Reminder that http support stays compiled in while any http module is
# enabled (the condition guarding these two lines is not shown here).
373 ewarn "To actually disable all http-functionality you also have to disable"
374 ewarn "all nginx http modules."
# Abort early on a combination that is known not to build.
377 if use nginx_modules_http_mogilefs && use threads; then
378 eerror "mogilefs won't compile with threads support."
379 eerror "Please disable either flag and try again."
380 die "Can't compile mogilefs with threads support"
# Patches for the nginx tree itself. The second one is the HTTPoxy mitigation
# that the post-install notice tells upgrading users about.
385 eapply "${FILESDIR}/${PN}-1.4.1-fix-perl-install-path.patch"
386 eapply "${FILESDIR}/${PN}-httpoxy-mitigation-r1.patch"
# Per-module patches: change into the module's source directory (aborting if
# that fails) and apply the patch there.
388 if use nginx_modules_http_auth_pam; then
389 cd "${HTTP_AUTH_PAM_MODULE_WD}" || die
390 eapply "${FILESDIR}"/http_auth_pam-1.5.1-adjust-loglevel-for-authentication-failures.patch
394 if use nginx_modules_http_brotli; then
395 cd "${HTTP_BROTLI_MODULE_WD}" || die
396 eapply "${FILESDIR}"/http_brotli-detect-brotli-r2.patch
# No cd here: this patch is applied with -p0 from the current directory.
400 if use nginx_modules_http_upstream_check; then
401 eapply -p0 "${FILESDIR}"/http_upstream_check-nginx-1.11.5+.patch
404 if use nginx_modules_http_cache_purge; then
405 cd "${HTTP_CACHE_PURGE_MODULE_WD}" || die
406 eapply "${FILESDIR}"/http_cache_purge-1.11.6+.patch
# mod_security: the expression below rewrites the LUA_PKGNAMES assignment to
# "luajit" (the command it belongs to is not shown here).
410 if use nginx_modules_http_security; then
411 cd "${HTTP_SECURITY_MODULE_WD}" || die
417 -e 's|^\(LUA_PKGNAMES\)=.*|\1="luajit"|' \
424 if use nginx_modules_http_upload_progress; then
425 cd "${HTTP_UPLOAD_PROGRESS_MODULE_WD}" || die
426 eapply "${FILESDIR}"/http_uploadprogress-issue_50-r1.patch
# Replace the literal "&& make" in nginx's auto/ scripts with "&& $(MAKE)".
# File names are passed NUL-delimited, so unusual names cannot break the
# pipeline.
430 find auto/ -type f -print0 | xargs -0 sed -i 's:\&\& make:\&\& \\$(MAKE):' || die
431 # We have config protection, don't rename etc files
432 sed -i 's:.default::' auto/install || die
433 # remove useless files
434 sed -i -e '/koi-/d' -e '/win-/d' auto/install || die
436 # don't install to /etc/nginx/ if not in use
# ${module} only takes the three literal names below, so interpolating it into
# the sed expression is safe.
438 for module in fastcgi scgi uwsgi ; do
439 if ! use nginx_modules_http_${module}; then
440 sed -i -e "/${module}/d" auto/install || die
448 # mod_security needs to generate nginx/modsecurity/config before including it
449 if use nginx_modules_http_security; then
450 cd "${HTTP_SECURITY_MODULE_WD}" || die
453 --enable-standalone-module \
456 $(use_enable pcre-jit) \
457 $(use_with nginx_modules_http_lua lua) || die "configure failed for mod_security"
# myconf collects the configure switches as an array. The three *_enabled
# variables start out empty and are tested further down to decide whether the
# http, stream and mail subsystems are built at all.
462 local myconf=() http_enabled= mail_enabled= stream_enabled=
# Core feature switches, one per USE flag.
464 use aio && myconf+=( --with-file-aio )
465 use debug && myconf+=( --with-debug )
466 use http2 && myconf+=( --with-http_v2_module )
467 use libatomic && myconf+=( --with-libatomic )
468 use pcre && myconf+=( --with-pcre )
469 use pcre-jit && myconf+=( --with-pcre-jit )
470 use threads && myconf+=( --with-threads )
# Standard http modules are switched off with --without-http_<mod>_module,
# optional ones are switched on with --with-http_<mod>_module. The list
# variables are unquoted on purpose so that they split into module names.
473 for mod in $NGINX_MODULES_STD; do
474 if use nginx_modules_http_${mod}; then
477 myconf+=( --without-http_${mod}_module )
481 for mod in $NGINX_MODULES_OPT; do
482 if use nginx_modules_http_${mod}; then
484 myconf+=( --with-http_${mod}_module )
# Enabling fastcgi also builds the realip module.
488 if use nginx_modules_http_fastcgi; then
489 myconf+=( --with-http_realip_module )
492 # third-party modules
# Every enabled third-party module is handed to nginx's configure as
# --add-module=<source directory>.
# NOTE(review): the *_WD expansions are unquoted (only the njs entry is
# quoted), so a ${WORKDIR} containing whitespace or glob characters would be
# split or expanded; quoting all of them the same way would be safer.
493 if use nginx_modules_http_upload_progress; then
495 myconf+=( --add-module=${HTTP_UPLOAD_PROGRESS_MODULE_WD} )
498 if use nginx_modules_http_headers_more; then
500 myconf+=( --add-module=${HTTP_HEADERS_MORE_MODULE_WD} )
503 if use nginx_modules_http_cache_purge; then
505 myconf+=( --add-module=${HTTP_CACHE_PURGE_MODULE_WD} )
508 if use nginx_modules_http_slowfs_cache; then
510 myconf+=( --add-module=${HTTP_SLOWFS_CACHE_MODULE_WD} )
513 if use nginx_modules_http_fancyindex; then
515 myconf+=( --add-module=${HTTP_FANCYINDEX_MODULE_WD} )
# The lua module gets its LuaJIT paths from the environment and is added
# together with devel_kit.
# NOTE(review): "export VAR=$(cmd)" discards pkg-config's exit status, so a
# failed lookup leaves the variable empty without stopping the build here.
518 if use nginx_modules_http_lua; then
520 export LUAJIT_LIB=$(pkg-config --variable libdir luajit)
521 export LUAJIT_INC=$(pkg-config --variable includedir luajit)
522 myconf+=( --add-module=${DEVEL_KIT_MODULE_WD} )
523 myconf+=( --add-module=${HTTP_LUA_MODULE_WD} )
526 if use nginx_modules_http_auth_pam; then
528 myconf+=( --add-module=${HTTP_AUTH_PAM_MODULE_WD} )
531 if use nginx_modules_http_upstream_check; then
533 myconf+=( --add-module=${HTTP_UPSTREAM_CHECK_MODULE_WD} )
536 if use nginx_modules_http_metrics; then
538 myconf+=( --add-module=${HTTP_METRICS_MODULE_WD} )
541 if use nginx_modules_http_naxsi ; then
543 myconf+=( --add-module=${HTTP_NAXSI_MODULE_WD} )
548 myconf+=( --add-module=${RTMP_MODULE_WD} )
551 if use nginx_modules_http_dav_ext ; then
553 myconf+=( --add-module=${HTTP_DAV_EXT_MODULE_WD} )
556 if use nginx_modules_http_echo ; then
558 myconf+=( --add-module=${HTTP_ECHO_MODULE_WD} )
# mod_security is added from the nginx/modsecurity subdirectory of its tree.
561 if use nginx_modules_http_security ; then
563 myconf+=( --add-module=${HTTP_SECURITY_MODULE_WD}/nginx/modsecurity )
566 if use nginx_modules_http_push_stream ; then
568 myconf+=( --add-module=${HTTP_PUSH_STREAM_MODULE_WD} )
571 if use nginx_modules_http_sticky ; then
573 myconf+=( --add-module=${HTTP_STICKY_MODULE_WD} )
576 if use nginx_modules_http_mogilefs ; then
578 myconf+=( --add-module=${HTTP_MOGILEFS_MODULE_WD} )
581 if use nginx_modules_http_memc ; then
583 myconf+=( --add-module=${HTTP_MEMC_MODULE_WD} )
586 if use nginx_modules_http_auth_ldap; then
588 myconf+=( --add-module=${HTTP_LDAP_MODULE_WD} )
591 if use nginx_modules_http_vhost_traffic_status; then
593 myconf+=( --add-module=${HTTP_VHOST_TRAFFIC_STATUS_MODULE_WD} )
# geoip2 and njs are each added once even when both their http and stream
# flags are set.
596 if use nginx_modules_http_geoip2 || use nginx_modules_stream_geoip2; then
597 myconf+=( --add-module=${GEOIP2_MODULE_WD} )
600 if use nginx_modules_http_javascript || use nginx_modules_stream_javascript; then
601 myconf+=( --add-module="${NJS_MODULE_WD}/nginx" )
604 if use nginx_modules_http_brotli; then
606 myconf+=( --add-module=${HTTP_BROTLI_MODULE_WD} )
# Decide per subsystem (http, stream, mail) whether it is built. The
# *_enabled variables are either empty or a single word, which is why the
# unquoted "[ $var ]" tests below behave as "is it set"; quoting them
# ("[ -n "$var" ]") would state that intent explicitly.
# The TLS module of each subsystem is only added when USE=ssl is set.
609 if use http || use http-cache || use http2 || use nginx_modules_http_javascript; then
613 if [ $http_enabled ]; then
614 use http-cache || myconf+=( --without-http-cache )
615 use ssl && myconf+=( --with-http_ssl_module )
617 myconf+=( --without-http --without-http-cache )
621 for mod in $NGINX_MODULES_STREAM_STD; do
622 if use nginx_modules_stream_${mod}; then
625 myconf+=( --without-stream_${mod}_module )
629 for mod in $NGINX_MODULES_STREAM_OPT; do
630 if use nginx_modules_stream_${mod}; then
632 myconf+=( --with-stream_${mod}_module )
636 if use nginx_modules_stream_geoip2 || use nginx_modules_stream_javascript; then
640 if [ $stream_enabled ]; then
641 myconf+=( --with-stream )
642 use ssl && myconf+=( --with-stream_ssl_module )
646 for mod in $NGINX_MODULES_MAIL; do
647 if use nginx_modules_mail_${mod}; then
650 myconf+=( --without-mail_${mod}_module )
654 if [ $mail_enabled ]; then
655 myconf+=( --with-mail )
656 use ssl && myconf+=( --with-mail_ssl_module )
# Extra module directories supplied through the environment. They are
# word-split on whitespace and compiled into the daemon like the bundled
# modules, without any check by this package.
660 for mod in $NGINX_ADD_MODULES; do
661 myconf+=( --add-module=${mod} )
664 # https://bugs.gentoo.org/286772
665 export LANG=C LC_ALL=C
# Outside of prefix installs the package's own account and group are passed
# as nginx's compiled-in --user/--group values.
668 if ! use prefix; then
669 myconf+=( --user=${PN} )
670 myconf+=( --group=${PN} )
# Extra compiler define that ends up in --with-cc-opt below (the condition
# guarding this assignment is not shown here).
675 WITHOUT_IPV6=" -DNGX_HAVE_INET6=0"
# EXTRA_ECONF is deliberately left unquoted so that it splits into separate
# configure arguments; whatever it contains is passed through unchecked.
678 if [[ -n "${EXTRA_ECONF}" ]]; then
679 myconf+=( ${EXTRA_ECONF} )
680 ewarn "EXTRA_ECONF applied. Now you are on your own, good luck!"
# Fixed installation paths come first, followed by everything collected in
# myconf. All temp paths live below ${NGINX_HOME_TMP}.
684 --prefix="${EPREFIX}"/usr \
685 --conf-path="${EPREFIX}"/etc/${PN}/${PN}.conf \
686 --error-log-path="${EPREFIX}"/var/log/${PN}/error_log \
687 --pid-path="${EPREFIX}"/run/${PN}.pid \
688 --lock-path="${EPREFIX}"/run/lock/${PN}.lock \
689 --with-cc-opt="-I${EROOT}usr/include${WITHOUT_IPV6}" \
690 --with-ld-opt="-L${EROOT}usr/$(get_libdir)" \
691 --http-log-path="${EPREFIX}"/var/log/${PN}/access_log \
692 --http-client-body-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/client \
693 --http-proxy-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/proxy \
694 --http-fastcgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/fastcgi \
695 --http-scgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/scgi \
696 --http-uwsgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/uwsgi \
698 "${myconf[@]}" || die "configure failed"
700 # A purely cosmetic change that makes nginx -V more readable. This can be
701 # good if people outside the gentoo community would troubleshoot and
702 # question the user's setup.
# Side effect: the build host's ${WORKDIR} path is replaced by the string
# "external_module" in objs/ngx_auto_config.h.
703 sed -i -e "s|${WORKDIR}|external_module|g" objs/ngx_auto_config.h || die
# mod_security is built in its own tree before nginx itself.
707 use nginx_modules_http_security && emake -C "${HTTP_SECURITY_MODULE_WD}"
709 # https://bugs.gentoo.org/286772
710 export LANG=C LC_ALL=C
# Link with the configured compiler and pass the user's LDFLAGS through.
711 emake LINK="${CC} ${LDFLAGS}" OTHERLDFLAGS="${LDFLAGS}"
# Install into the image directory, then replace upstream's default
# configuration with the distribution's and add the service files.
715 emake DESTDIR="${D%/}" install
717 cp "${FILESDIR}"/nginx.conf-r2 "${ED%/}"/etc/nginx/nginx.conf || die
719 newinitd "${FILESDIR}"/nginx.initd-r4 nginx
720 newconfd "${FILESDIR}"/nginx.confd nginx
722 systemd_newunit "${FILESDIR}"/nginx.service-r1 nginx.service
725 dodoc CHANGES* README
727 # just keepdir. do not copy the default htdocs files (bug #449136)
728 keepdir /var/www/localhost
729 rm -rf "${ED%/}"/usr/html || die
731 # set up a list of directories to keep
# keepdir_list is a space-separated string and is expanded unquoted below on
# purpose; the client temp dir is always kept, the others only when their
# module is enabled.
732 local keepdir_list="${NGINX_HOME_TMP}"/client
734 for module in proxy fastcgi scgi uwsgi; do
735 use nginx_modules_http_${module} && keepdir_list+=" ${NGINX_HOME_TMP}/${module}"
738 keepdir /var/log/nginx ${keepdir_list}
740 # this solves a problem with SELinux where nginx doesn't see the directories
741 # as root and tries to create them as nginx
# Temp root: mode 0750, owner ${PN}, group 0.
742 fperms 0750 "${NGINX_HOME_TMP}"
743 fowners ${PN}:0 "${NGINX_HOME_TMP}"
# Per-module temp directories: mode 0700, owned by the service account only,
# so data buffered there is not readable by other local users.
745 fperms 0700 ${keepdir_list}
746 fowners ${PN}:${PN} ${keepdir_list}
# Log directory: owner 0 (root), group ${PN}, mode 0710. The service group can
# traverse the directory but cannot list it or create, rename or remove
# entries in it. Presumably this is the layout that the post-install
# CVE-2016-1247 permission check brings older installations to - confirm.
748 fperms 0710 /var/log/nginx
749 fowners 0:${PN} /var/log/nginx
752 insinto /etc/logrotate.d
753 newins "${FILESDIR}"/nginx.logrotate-r1 nginx
# /run must not be part of the installed image.
756 rm -rf "${ED%/}"/run || die
# "m" relaxes PaX MPROTECT for the nginx binary, which weakens W^X enforcement
# on hardened kernels. The condition guarding this call is not shown here;
# presumably it is limited to the JIT-related USE flags - confirm.
759 pax-mark m "${ED%/}/usr/sbin/nginx"
# The perl module has its own build tree and is installed from there.
762 if use nginx_modules_http_perl; then
763 cd "${S}"/objs/src/http/modules/perl/ || die
764 emake DESTDIR="${D}" INSTALLDIRS=vendor
# Documentation of each enabled third-party module goes into a directory
# named after the module's *_P value.
769 if use nginx_modules_http_cache_purge; then
770 docinto ${HTTP_CACHE_PURGE_MODULE_P}
771 dodoc "${HTTP_CACHE_PURGE_MODULE_WD}"/{CHANGES,README.md,TODO.md}
774 if use nginx_modules_http_slowfs_cache; then
775 docinto ${HTTP_SLOWFS_CACHE_MODULE_P}
776 dodoc "${HTTP_SLOWFS_CACHE_MODULE_WD}"/{CHANGES,README.md}
779 if use nginx_modules_http_fancyindex; then
780 docinto ${HTTP_FANCYINDEX_MODULE_P}
781 dodoc "${HTTP_FANCYINDEX_MODULE_WD}"/README.rst
784 if use nginx_modules_http_lua; then
785 docinto ${HTTP_LUA_MODULE_P}
786 dodoc "${HTTP_LUA_MODULE_WD}"/README.markdown
789 if use nginx_modules_http_auth_pam; then
790 docinto ${HTTP_AUTH_PAM_MODULE_P}
791 dodoc "${HTTP_AUTH_PAM_MODULE_WD}"/{README.md,ChangeLog}
794 if use nginx_modules_http_upstream_check; then
795 docinto ${HTTP_UPSTREAM_CHECK_MODULE_P}
796 dodoc "${HTTP_UPSTREAM_CHECK_MODULE_WD}"/{README,CHANGES}
# naxsi: the core rule set is installed as a regular file, not as
# documentation. It is taken from naxsi_config/, next to the naxsi_src
# directory that *_WD points at; the destination directory is set on a line
# not shown here.
799 if use nginx_modules_http_naxsi; then
801 doins "${HTTP_NAXSI_MODULE_WD}"/../naxsi_config/naxsi_core.rules
805 docinto ${RTMP_MODULE_P}
806 dodoc "${RTMP_MODULE_WD}"/{AUTHORS,README.md,stat.xsl}
809 if use nginx_modules_http_dav_ext; then
810 docinto ${HTTP_DAV_EXT_MODULE_P}
811 dodoc "${HTTP_DAV_EXT_MODULE_WD}"/README.rst
814 if use nginx_modules_http_echo; then
815 docinto ${HTTP_ECHO_MODULE_P}
816 dodoc "${HTTP_ECHO_MODULE_WD}"/README.markdown
819 if use nginx_modules_http_security; then
820 docinto ${HTTP_SECURITY_MODULE_P}
821 dodoc "${HTTP_SECURITY_MODULE_WD}"/{CHANGES,README.md,authors.txt}
824 if use nginx_modules_http_push_stream; then
825 docinto ${HTTP_PUSH_STREAM_MODULE_P}
826 dodoc "${HTTP_PUSH_STREAM_MODULE_WD}"/{AUTHORS,CHANGELOG.textile,README.textile}
829 if use nginx_modules_http_sticky; then
830 docinto ${HTTP_STICKY_MODULE_P}
831 dodoc "${HTTP_STICKY_MODULE_WD}"/{README.md,Changelog.txt,docs/sticky.pdf}
834 if use nginx_modules_http_memc; then
835 docinto ${HTTP_MEMC_MODULE_P}
836 dodoc "${HTTP_MEMC_MODULE_WD}"/README.markdown
839 if use nginx_modules_http_auth_ldap; then
840 docinto ${HTTP_LDAP_MODULE_P}
841 dodoc "${HTTP_LDAP_MODULE_WD}"/example.conf
# Create a certificate and key only when no key file exists yet, so an
# existing key is never overwritten. install_cert is provided by the ssl-cert
# eclass.
# NOTE(review): the chown hands the private key (.key/.pem) to the
# unprivileged service account, which can then read and replace it. Leaving
# the key owned by root with a restrictive mode may be sufficient if the
# daemon loads its key before dropping privileges - confirm before changing.
# The chown result is also not checked.
847 if [[ ! -f "${EROOT}"etc/ssl/${PN}/${PN}.key ]]; then
848 install_cert /etc/ssl/${PN}/${PN}
849 use prefix || chown ${PN}:${PN} "${EROOT}"etc/ssl/${PN}/${PN}.{crt,csr,key,pem}
# The spdy flag exists only to trigger this migration hint.
853 if use nginx_modules_http_spdy; then
855 ewarn "In nginx 1.9.5 the spdy module was superseded by http2."
856 ewarn "Update your configs and package.use accordingly."
# Upstream caveats for the lua module, printed after every install.
859 if use nginx_modules_http_lua; then
861 ewarn "While you can build lua 3rd party module against ${P}"
862 ewarn "the author warns that >=${PN}-1.11.11 is still not an"
863 ewarn "officially supported target yet. You are on your own."
864 ewarn "Expect runtime failures, memory leaks and other problems!"
867 if use nginx_modules_http_lua && use http2; then
869 ewarn "Lua 3rd party module author warns against using ${P} with"
870 ewarn "NGINX_MODULES_HTTP=\"lua http2\". For more info, see https://git.io/OldLsg"
873 local _n_permission_layout_checks=0
874 local _has_to_adjust_permissions=0
875 local _has_to_show_permission_warning=0
877 # Defaults to 1 to inform people doing a fresh installation
878 # that we ship modified {scgi,uwsgi,fastcgi}_params files
879 local _has_to_show_httpoxy_mitigation_notice=1
881 local _replacing_version=
882 for _replacing_version in ${REPLACING_VERSIONS}; do
883 _n_permission_layout_checks=$((${_n_permission_layout_checks}+1))
885 if [[ ${_n_permission_layout_checks} -gt 1 ]]; then
886 # Should never happen:
887 # Package is abusing slots but doesn't allow multiple parallel installations.
888 # If we run into this situation it is unsafe to automatically adjust any
890 _has_to_show_permission_warning=1
892 ewarn "Replacing multiple ${PN}' versions is unsupported! " \
893 "You will have to adjust permissions on your own."
898 local _replacing_version_branch=$(get_version_component_range 1-2 "${_replacing_version}")
899 debug-print "Updating an existing installation (v${_replacing_version}; branch '${_replacing_version_branch}') ..."
901 # Do we need to adjust permissions to fix CVE-2013-0337 (bug #458726, #469094)?
902 # This was before we introduced multiple nginx versions so we
903 # do not need to distinguish between stable and mainline
904 local _need_to_fix_CVE2013_0337=1
906 if version_is_at_least "1.4.1-r2" "${_replacing_version}"; then
907 # We are updating an installation which should already be fixed
908 _need_to_fix_CVE2013_0337=0
909 debug-print "Skipping CVE-2013-0337 ... existing installation should not be affected!"
911 _has_to_adjust_permissions=1
912 debug-print "Need to adjust permissions to fix CVE-2013-0337!"
915 # Do we need to inform about HTTPoxy mitigation?
916 # In repository since commit 8be44f76d4ac02cebcd1e0e6e6284bb72d054b0f
917 if ! version_is_at_least "1.10" "${_replacing_version_branch}"; then
918 # Updating from <1.10
919 _has_to_show_httpoxy_mitigation_notice=1
920 debug-print "Need to inform about HTTPoxy mitigation!"
922 # Updating from >=1.10
924 case "${_replacing_version_branch}" in
926 _fixed_in_pvr="1.10.1-r2"
929 _fixed_in_pvr="1.11.3-r1"
932 # This should be any future branch.
933 # If we run this code it is safe to assume that the user has
934 # already seen the HTTPoxy mitigation notice because they are
935 # updating from a previous version where we have already shown
936 # the warning. Otherwise, we wouldn't hit this code path ...
940 if [[ -z "${_fixed_in_pvr}" ]] || version_is_at_least "${_fixed_in_pvr}" "${_replacing_version}"; then
941 # We are updating an installation where we already informed
942 # that we are mitigating HTTPoxy per default
943 _has_to_show_httpoxy_mitigation_notice=0
944 debug-print "No need to inform about HTTPoxy mitigation ... information was already shown for existing installation!"
946 _has_to_show_httpoxy_mitigation_notice=1
947 debug-print "Need to inform about HTTPoxy mitigation!"
951 # Do we need to adjust permissions to fix CVE-2016-1247 (bug #605008)?
952 # All branches up to 1.11 are affected
953 local _need_to_fix_CVE2016_1247=1
955 if ! version_is_at_least "1.10" "${_replacing_version_branch}"; then
956 # Updating from <1.10
957 _has_to_adjust_permissions=1
958 debug-print "Need to adjust permissions to fix CVE-2016-1247!"
960 # Updating from >=1.10
962 case "${_replacing_version_branch}" in
964 _fixed_in_pvr="1.10.2-r3"
967 _fixed_in_pvr="1.11.6-r1"
970 # This should be any future branch.
971 # If we run this code it is safe to assume that we have already
972 # adjusted permissions or were never affected, because the user is
973 # updating from a previous version which was either safe or already
974 # made the adjustments. Otherwise, we wouldn't hit this code path ...
978 if [[ -z "${_fixed_in_pvr}" ]] || version_is_at_least "${_fixed_in_pvr}" "${_replacing_version}"; then
979 # We are updating an installation which should already be adjusted
980 # or which was never affected
981 _need_to_fix_CVE2016_1247=0
982 debug-print "Skipping CVE-2016-1247 ... existing installation should not be affected!"
984 _has_to_adjust_permissions=1
985 debug-print "Need to adjust permissions to fix CVE-2016-1247!"
990 if [[ ${_has_to_adjust_permissions} -eq 1 ]]; then
991 # We do not DIE when the chmod/chown commands fail because the
992 # package is already merged on the user's system at this stage
993 # and we cannot retry without losing the information that
994 # the existing installation needs its permissions adjusted.
995 # Instead we are going to show a big warning ...
997 if [[ ${_has_to_show_permission_warning} -eq 0 ]] && [[ ${_need_to_fix_CVE2013_0337} -eq 1 ]]; then
999 ewarn "The world-readable bit (if set) has been removed from the"
1000 ewarn "following directories to mitigate a security bug"
1001 ewarn "(CVE-2013-0337, bug #458726):"
1003 ewarn " ${EPREFIX}/var/log/nginx"
1004 ewarn " ${EPREFIX}${NGINX_HOME_TMP}/{,client,proxy,fastcgi,scgi,uwsgi}"
1006 ewarn "Check if this is correct for your setup before restarting nginx!"
1007 ewarn "This is a one-time change and will not happen on subsequent updates."
1008 ewarn "Furthermore nginx' temp directories got moved to '${EPREFIX}${NGINX_HOME_TMP}'"
1010 "${EPREFIX}"/var/log/nginx \
1011 "${EPREFIX}"${NGINX_HOME_TMP}/{,client,proxy,fastcgi,scgi,uwsgi} || \
1012 _has_to_show_permission_warning=1
1015 if [[ ${_has_to_show_permission_warning} -eq 0 ]] && [[ ${_need_to_fix_CVE2016_1247} -eq 1 ]]; then
1017 ewarn "The permissions on the following directory have been reset in"
1018 ewarn "order to mitigate a security bug (CVE-2016-1247, bug #605008):"
1020 ewarn " ${EPREFIX}/var/log/nginx"
1022 ewarn "Check if this is correct for your setup before restarting nginx!"
1023 ewarn "Also ensure that no other log directory used by any of your"
1024 ewarn "vhost(s) is not writeable for nginx user. Any of your log files"
1025 ewarn "used by nginx can be abused to escalate privileges!"
1026 ewarn "This is a one-time change and will not happen on subsequent updates."
1027 chown 0:nginx "${EPREFIX}"/var/log/nginx || _has_to_show_permission_warning=1
1028 chmod 710 "${EPREFIX}"/var/log/nginx || _has_to_show_permission_warning=1
1031 if [[ ${_has_to_show_permission_warning} -eq 1 ]]; then
1032 # Should never happen ...
1034 ewarn "*************************************************************"
1035 ewarn "*************** W A R N I N G ***************"
1036 ewarn "*************************************************************"
1037 ewarn "The one-time only attempt to adjust permissions of the"
1038 ewarn "existing nginx installation failed. Be aware that we will not"
1039 ewarn "try to adjust the same permissions again because now you are"
1040 ewarn "using a nginx version where we expect that the permissions"
1041 ewarn "are already adjusted or that you know what you are doing and"
1042 ewarn "want to keep custom permissions."
1047 # Sanity check for CVE-2016-1247
1048 # Required to warn users who received the warning above and thought
1049 # they could fix it by unmerging and re-merging the package, or who
1050 # unmerged an affected installation on purpose in the past, leaving
1051 # /var/log/nginx on their system due to keepdir/non-empty folder,
1052 # and are now installing the package again.
1053 local _sanity_check_testfile=$(mktemp --dry-run "${EPREFIX}"/var/log/nginx/.CVE-2016-1247.XXXXXXXXX)
1054 su -s /bin/sh -c "touch ${_sanity_check_testfile}" nginx >&/dev/null
1055 if [ $? -eq 0 ] ; then
1056 # Cleanup -- no reason to die here!
1057 rm -f "${_sanity_check_testfile}"
1060 ewarn "*************************************************************"
1061 ewarn "*************** W A R N I N G ***************"
1062 ewarn "*************************************************************"
1063 ewarn "Looks like your installation is vulnerable to CVE-2016-1247"
1064 ewarn "(bug #605008) because nginx user is able to create files in"
1066 ewarn " ${EPREFIX}/var/log/nginx"
1068 ewarn "Also ensure that no other log directory used by any of your"
1069 ewarn "vhost(s) is not writeable for nginx user. Any of your log files"
1070 ewarn "used by nginx can be abused to escalate privileges!"
1073 if [[ ${_has_to_show_httpoxy_mitigation_notice} -eq 1 ]]; then
1074 # HTTPoxy mitigation
1076 ewarn "This nginx installation comes with a mitigation for the HTTPoxy"
1077 ewarn "vulnerability for FastCGI, SCGI and uWSGI applications by setting"
1078 ewarn "the HTTP_PROXY parameter to an empty string per default when you"
1079 ewarn "are sourcing one of the default"
1081 ewarn " - 'fastcgi_params' or 'fastcgi.conf'"
1082 ewarn " - 'scgi_params'"
1083 ewarn " - 'uwsgi_params'"
1085 ewarn "files in your server block(s)."
1087 ewarn "If this is causing any problems for you make sure that you are sourcing the"
1088 ewarn "default parameters _before_ you set your own values."
1089 ewarn "If you are relying on user-supplied proxy values you have to remove the"
1090 ewarn "correlating lines from the file(s) mentioned above."