From 572f590f90a0bfe508246f858996b0a5eaa43af4 Mon Sep 17 00:00:00 2001 
From: Marco Ebert Date: Mon, 25 Nov 2024 17:49:47 +0100 Subject: [PATCH] Images/NGINX: From scratch. --- images/nginx/Makefile | 48 +- images/nginx/README.md | 47 -- images/nginx/TAG | 2 +- images/nginx/cloudbuild.yaml | 30 +- images/nginx/rootfs/Dockerfile | 70 +- images/nginx/rootfs/build.sh | 619 ------------------ .../rootfs/patches/00_drop-alias-root.patch | 144 ---- .../01_nginx-1.25.3-win32_max_err_str.patch | 15 - ..._nginx-1.25.3-stream_balancer_export.patch | 53 -- ...stream_proxy_get_next_upstream_tries.patch | 31 - ...x-1.25.3-stream_proxy_timeout_fields.patch | 178 ----- ...nx-1.25.3-stream_ssl_preread_no_skip.patch | 13 - ...6_nginx-1.25.3-resolver_conf_parsing.patch | 263 -------- .../07_nginx-1.25.3-daemon_destroy_pool.patch | 12 - ...nginx-1.25.3-init_cycle_pool_release.patch | 59 -- ...09_nginx-1.25.3-balancer_status_code.patch | 72 -- ...0_nginx-1.25.3-delayed_posted_events.patch | 98 --- ...ginx-1.25.3-privileged_agent_process.patch | 203 ------ ...privileged_agent_process_connections.patch | 73 --- ...privileged_agent_process_thread_pool.patch | 12 - ...-1.25.3-single_process_graceful_exit.patch | 75 --- .../15_nginx-1.25.3-intercept_error_log.patch | 60 -- .../16_nginx-1.25.3-upstream_pipelining.patch | 23 - .../17_nginx-1.25.3-no_error_pages.patch | 91 --- .../patches/18_nginx-1.25.3-no_Werror.patch | 36 - ...19_nginx-1.25.3-log_escape_non_ascii.patch | 117 ---- ...20_nginx-1.25.3-proxy_host_port_vars.patch | 19 - .../21_nginx-1.25.3-cache_manager_exit.patch | 19 - ...22_nginx-1.25.3-larger_max_error_str.patch | 13 - .../23_nginx-1.25.3-pcre_conf_opt.patch | 26 - ....25.3-always_enable_cc_feature_tests.patch | 11 - .../25_nginx-1.25.3-ssl_cert_cb_yield.patch | 64 -- .../26_nginx-1.25.3-ssl_sess_cb_yield.patch | 41 -- ...inx-1.25.3-ssl_client_hello_cb_yield.patch | 38 -- ...nginx-1.25.3-upstream_timeout_fields.patch | 112 ---- ...inx-1.25.3-safe_resolver_ipv6_option.patch | 60 -- .../30_nginx-1.25.3-socket_cloexec.patch | 185 ------ 
...nx-1.25.3-reuseport_close_unused_fds.patch | 38 -- 38 files changed, 43 insertions(+), 3027 deletions(-) delete mode 100644 images/nginx/README.md delete mode 100755 images/nginx/rootfs/build.sh delete mode 100644 images/nginx/rootfs/patches/00_drop-alias-root.patch delete mode 100644 images/nginx/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch delete mode 100644 images/nginx/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch delete mode 100644 images/nginx/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch delete mode 100644 images/nginx/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch delete mode 100644 images/nginx/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch delete mode 100644 images/nginx/rootfs/patches/06_nginx-1.25.3-resolver_conf_parsing.patch delete mode 100644 images/nginx/rootfs/patches/07_nginx-1.25.3-daemon_destroy_pool.patch delete mode 100644 images/nginx/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch delete mode 100644 images/nginx/rootfs/patches/09_nginx-1.25.3-balancer_status_code.patch delete mode 100644 images/nginx/rootfs/patches/10_nginx-1.25.3-delayed_posted_events.patch delete mode 100644 images/nginx/rootfs/patches/11_nginx-1.25.3-privileged_agent_process.patch delete mode 100644 images/nginx/rootfs/patches/12_nginx-1.25.3-privileged_agent_process_connections.patch delete mode 100644 images/nginx/rootfs/patches/13_nginx-1.25.3-privileged_agent_process_thread_pool.patch delete mode 100644 images/nginx/rootfs/patches/14_nginx-1.25.3-single_process_graceful_exit.patch delete mode 100644 images/nginx/rootfs/patches/15_nginx-1.25.3-intercept_error_log.patch delete mode 100644 images/nginx/rootfs/patches/16_nginx-1.25.3-upstream_pipelining.patch delete mode 100644 images/nginx/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch delete mode 100644 images/nginx/rootfs/patches/18_nginx-1.25.3-no_Werror.patch delete mode 100644 
images/nginx/rootfs/patches/19_nginx-1.25.3-log_escape_non_ascii.patch delete mode 100644 images/nginx/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch delete mode 100644 images/nginx/rootfs/patches/21_nginx-1.25.3-cache_manager_exit.patch delete mode 100644 images/nginx/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch delete mode 100644 images/nginx/rootfs/patches/23_nginx-1.25.3-pcre_conf_opt.patch delete mode 100644 images/nginx/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch delete mode 100644 images/nginx/rootfs/patches/25_nginx-1.25.3-ssl_cert_cb_yield.patch delete mode 100644 images/nginx/rootfs/patches/26_nginx-1.25.3-ssl_sess_cb_yield.patch delete mode 100644 images/nginx/rootfs/patches/27_nginx-1.25.3-ssl_client_hello_cb_yield.patch delete mode 100644 images/nginx/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch delete mode 100644 images/nginx/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch delete mode 100644 images/nginx/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch delete mode 100644 images/nginx/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch diff --git a/images/nginx/Makefile b/images/nginx/Makefile index 3ed502759a..cb1bfb222b 100644 --- a/images/nginx/Makefile +++ b/images/nginx/Makefile 
@@ -12,48 +12,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-.DEFAULT_GOAL:=build
-
-# set default shell
-SHELL=/bin/bash -o pipefail -o errexit
-
-DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))))
-INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh
-
-# 0.0.0 shouldn't clobber any released builds
-SHORT_SHA ?=$(shell git rev-parse --short HEAD)
-TAG ?=$(shell cat TAG)
-
+# Define registry, image and tag.
 REGISTRY ?= gcr.io/k8s-staging-ingress-nginx
-
 IMAGE = $(REGISTRY)/nginx
+TAG ?= $(shell cat TAG)
-# required to enable buildx
-export DOCKER_CLI_EXPERIMENTAL=enabled
-
-# build with buildx
-PLATFORMS?=linux/amd64,linux/arm,linux/arm64
-OUTPUT=
-PROGRESS=plain
-build: ensure-buildx
- docker buildx build \
- --platform=${PLATFORMS} $(OUTPUT) \
- --progress=$(PROGRESS) \
- --pull \
- --tag $(IMAGE):$(TAG) rootfs
-
-# push the cross built image
-push: OUTPUT=--push
-push: build
-
-# enable buildx
-ensure-buildx:
-# this is required for cloudbuild
-ifeq ("$(wildcard $(INIT_BUILDX))","")
- @curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash
-else
- @exec $(INIT_BUILDX)
-endif
- @echo "done"
+# Define platforms.
+PLATFORMS ?= linux/arm64
-.PHONY: build push ensure-buildx
+.PHONY: build
+build:
+ docker buildx build --platform ${PLATFORMS} --tag $(IMAGE):$(TAG) --progress plain rootfs
diff --git a/images/nginx/README.md b/images/nginx/README.md
deleted file mode 100644
index 768077215f..0000000000
--- a/images/nginx/README.md
+++ /dev/null
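Review bot: The new `build` recipe in images/nginx/Makefile passes neither `--pull` nor any output option, and the `push` target is gone, so the base image may be resolved from a builder cache and, with a container-driver builder such as the one `docker buildx create --use` sets up in cloudbuild.yaml, the result presumably stays in the build cache only. If that is intended for the `dev` tag, a comment above the target should say so; otherwise keep an overridable output, e.g. `OUTPUT ?=` plus `docker buildx build --pull --platform $(PLATFORMS) $(OUTPUT) --tag $(IMAGE):$(TAG) --progress plain rootfs`. The default `PLATFORMS` also shrinks from three architectures to `linux/arm64` alone, which is worth confirming. As a style point, the recipe mixes `${PLATFORMS}` with `$(IMAGE)`; one form throughout reads better.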
@@ -1,47 +0,0 @@ -NGINX base image - -### HTTP/3 Support - -**HTTP/3 support is experimental and under development** - -[HTTP/3](https://datatracker.ietf.org/doc/html/rfc9114)\ -[QUIC](https://datatracker.ietf.org/doc/html/rfc9000) - -[According to the documentation, NGINX 1.25.0 or higher supports HTTP/3:](https://nginx.org/en/docs/quic.html) - -> Support for QUIC and HTTP/3 protocols is available since 1.25.0. - -But this requires adding a new flag during the build: - -> When configuring nginx, it is possible to enable QUIC and HTTP/3 using the --with-http_v3_module configuration parameter. - -[We have added this flag](https://github.com/kubernetes/ingress-nginx/pull/11470), but it is not enough to use HTTP/3 in ingress-nginx, this is the first step. - -The next steps will be: - -1. **Waiting for OpenSSL 3.4.**\ - The main problem is, that we still use OpenSSL (3.x) and it does not support the important mechanism of TLS 1.3 - [early_data](https://datatracker.ietf.org/doc/html/rfc8446#section-2.3): - - > Otherwise, the OpenSSL compatibility layer will be used that does not support early data. - - [And although another part of the documentation says that the directive is supported with OpenSSL:](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data) - - > The directive is supported when using OpenSSL 1.1.1 or higher. - - But this is incomplete support, because OpenSSL does not support this feature, and [it has only client side support:](https://github.com/openssl/openssl) - - > ... 
the QUIC (currently client side only) version 1 protocol - - [And also there are some issues even with client side](https://github.com/openssl/openssl/discussions/23339) - - Due to this, we currently have incomplete HTTP/3 support, without important security and performance features.\ - But the good news is that [OpenSSL plans to add server-side support in 3.4](https://github.com/openssl/web/blob/master/roadmap.md): - - > Server-side QUIC support - - [Overview of SSL libraries(HAProxy Documentation)](https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status#tldr) - -2. **Adding [parameters](https://nginx.org/en/docs/http/ngx_http_v3_module.html) to the configmap to configure HTTP/3 and quic(enableHTTP3, enableHTTP/0.9, maxCurrentStream, and so on).** -3. **Adding options to the nginx config template(`listen 443 quic` to server blocks and `add_header Alt-Svc 'h3=":8443"; ma=86400';` to location blocks).** -4. **Opening the https port for UDP in the container(because QUIC uses UDP).** -5. **Adding tests.** diff --git a/images/nginx/TAG b/images/nginx/TAG index 0ec25f7505..38f8e886e1 100644 --- a/images/nginx/TAG +++ b/images/nginx/TAG @@ -1 +1 @@ -v1.0.0 +dev diff --git a/images/nginx/cloudbuild.yaml b/images/nginx/cloudbuild.yaml index 7f4448310f..9afe173017 100644 --- a/images/nginx/cloudbuild.yaml +++ b/images/nginx/cloudbuild.yaml 
@@ -1,14 +1,24 @@
 options:
- # Increase machine type for multi-arch builds.
- machineType: E2_HIGHCPU_32
 # Ignore Prow provided substitutions.
 substitution_option: ALLOW_LOOSE
 steps:
- - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241110-72bb0b1665
- env:
- - REGISTRY=gcr.io/k8s-staging-ingress-nginx
- entrypoint: bash
- args:
- - -c
- - gcloud auth configure-docker && cd images/nginx && make push
-timeout: 7200s
+- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241111-71c32dbdcc
+ entrypoint: docker
+ args:
+ - run
+ - --privileged
+ - --rm
+ - tonistiigi/binfmt:qemu-v8.1.5
+ - --install
+ - all
+- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241111-71c32dbdcc
+ entrypoint: docker
+ args:
+ - buildx
+ - create
+ - --use
+- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241111-71c32dbdcc
+ dir: images/nginx
+ entrypoint: make
+ args:
+ - build
diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile
index 1d2b6b6230..649e5e7c9f 100644
--- a/images/nginx/rootfs/Dockerfile
+++ b/images/nginx/rootfs/Dockerfile
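Review bot: The first step of images/nginx/cloudbuild.yaml runs `tonistiigi/binfmt:qemu-v8.1.5` with `--privileged`, and the image is referenced only by a mutable tag on a public registry, so whatever that tag resolves to at build time runs privileged on the build worker. Pinning it by digest keeps the emulator setup reproducible and limited to a reviewed image: `- tonistiigi/binfmt:qemu-v8.1.5@sha256:<digest-of-reviewed-image>`. The same hunk drops `timeout: 7200s` and the `E2_HIGHCPU_32` machine type; emulated cross-builds are slow, so it is worth confirming the Cloud Build defaults are sufficient, or restoring an explicit `timeout:`.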
@@ -11,64 +11,24 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM alpine:3.20 as builder
-COPY . /
+# Start from Alpine 3.20.3.
+FROM alpine:3.20.3
-RUN apk update \
- && apk upgrade \
- && apk add -U bash --no-cache \
- && /build.sh
+# Install dependencies.
+RUN apk add \
+ libc-dev \
+ make \
+ gcc
-# Use a multi-stage build
-FROM alpine:3.20
+# Change working directory.
+WORKDIR /build/luajit2
-ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin
+# Download LuaJIT.
+ADD https://github.com/openresty/luajit2/archive/v2.1-20241113.tar.gz luajit2.tar.gz
-ENV LUA_PATH="/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;;"
-ENV LUA_CPATH="/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;"
+# Extract LuaJIT.
+RUN tar --extract --file luajit2.tar.gz --strip-components 1
-COPY --from=builder /usr/local /usr/local
-COPY --from=builder /usr/lib/libopentelemetry* /usr/local/lib
-COPY --from=builder /opt /opt
-COPY --from=builder /etc/nginx /etc/nginx
-
-RUN apk update \
- && apk upgrade \
- && apk add -U --no-cache \
- bash \
- openssl \
- pcre \
- zlib \
- ca-certificates \
- patch \
- yajl \
- lmdb \
- libxml2 \
- libmaxminddb \
- yaml-cpp \
- dumb-init \
- tzdata \
- grpc-cpp \
- libprotobuf \
- && ln -s /usr/local/nginx/sbin/nginx /sbin/nginx \
- && adduser -S -D -H -u 101 -h /usr/local/nginx \
- -s /sbin/nologin -G www-data -g www-data www-data \
- && bash -eu -c ' \
- writeDirs=( \
- /var/log/nginx \
- /var/lib/nginx/body \
- /var/lib/nginx/fastcgi \
- /var/lib/nginx/proxy \
- /var/lib/nginx/scgi \
- /var/lib/nginx/uwsgi \
- /var/log/audit \
- ); \
- for dir in "${writeDirs[@]}"; do \
- mkdir -p ${dir}; \
- chown -R www-data.www-data ${dir}; \
- done'
-
-EXPOSE 80 443
-
-CMD ["nginx", "-g", "daemon off;"]
+# Install LuaJIT.
+RUN make install
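Review bot: The `ADD https://github.com/openresty/luajit2/archive/v2.1-20241113.tar.gz luajit2.tar.gz` line fetches a tarball that is then extracted and compiled with no integrity check; the build.sh deleted by this commit at least carried a SHA-256 per archive, although its verification was commented out behind a TODO. BuildKit's `ADD` can pin the download directly: `ADD --checksum=sha256:<sha256-of-reviewed-tarball> https://github.com/openresty/luajit2/archive/v2.1-20241113.tar.gz luajit2.tar.gz`. Separately, `RUN apk add` would normally be `RUN apk add --no-cache` so the package index is not left in a layer. With the multi-stage split removed, the compiler toolchain and `/build` sources also stay in the resulting image, and no non-root user is created any more; both are worth restoring before this image is used beyond `dev`.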
diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
deleted file mode 100755
index 3baf775fca..0000000000
--- a/images/nginx/rootfs/build.sh
+++ /dev/null
@@ -1,619 +0,0 @@ -#!/bin/bash - -# Copyright 2023 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -o errexit -set -o nounset -set -o pipefail - -export NGINX_VERSION=1.25.5 - -# Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.3...master -export NDK_VERSION=v0.3.3 - -# Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.33...master -export SETMISC_VERSION=796f5a3e518748eb29a93bd450324e0ad45b704e - -# Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.37...master -export MORE_HEADERS_VERSION=v0.37 - -# Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...atomx:master -export NGINX_DIGEST_AUTH=v1.0.0 - -# Check for recent changes: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/compare/v0.6.4...master -export NGINX_SUBSTITUTIONS=e12e965ac1837ca709709f9a26f572a54d83430e - -# Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master -export MODSECURITY_VERSION=v1.0.3 - -# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.8...v3/master -export MODSECURITY_LIB_VERSION=v3.0.12 - -# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.5...v4.0/main -export OWASP_MODSECURITY_CRS_VERSION=v4.4.0 - -# Check for recent changes: 
https://github.com/openresty/lua-nginx-module/compare/v0.10.26``...master -export LUA_NGX_VERSION=v0.10.26 - -# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/bea8a0c0de94cede71554f53818ac0267d675d63...master -export LUA_STREAM_NGX_VERSION=bea8a0c0de94cede71554f53818ac0267d675d63 - -# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/8aa93ead98ba2060d4efd594ae33a35d153589bf...master -export LUA_UPSTREAM_VERSION=542be0893543a4e42d89f6dd85372972f5ff2a36 - -# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.13...openresty:master -export LUA_CJSON_VERSION=2.1.0.13 - -# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/a607a41a8115fecfc05b5c283c81532a3d605425...master -export GEOIP2_VERSION=a607a41a8115fecfc05b5c283c81532a3d605425 - -# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20240314...v2.1-agentzh -export LUAJIT_VERSION=v2.1-20240314 - -# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/1cd4363c0a239afe4765ec607dcfbbb4e5900eea...master -export LUA_RESTY_BALANCER=1cd4363c0a239afe4765ec607dcfbbb4e5900eea - -# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/99e7578465b40f36f596d099b82eab404f2b42ed...master -export LUA_RESTY_CACHE=99e7578465b40f36f596d099b82eab404f2b42ed - -# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.27...master -export LUA_RESTY_CORE=v0.1.28 - -# Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/f418d77082eaef48331302e84330488fdc810ef4...master -export LUA_RESTY_COOKIE_VERSION=f418d77082eaef48331302e84330488fdc810ef4 - -# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/8bb53516e2933e61c317db740a9b7c2048847c2f...master -export LUA_RESTY_DNS=8bb53516e2933e61c317db740a9b7c2048847c2f - -# Check for recent changes: 
https://github.com/ledgetech/lua-resty-http/compare/v0.17.1...master -export LUA_RESTY_HTTP=v0.17.1 - -# Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.09...master -export LUA_RESTY_LOCK=405d0bf4cbfa74d742c6ed3158d442221e6212a9 - -# Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.11...master -export LUA_RESTY_UPLOAD_VERSION=979372cce011f3176af3c9aff53fd0e992c4bfd3 - -# Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.15...master -export LUA_RESTY_STRING_VERSION=6f1bc21d86daef804df3cc34d6427ef68da26844 - -# Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.17...master -export LUA_RESTY_MEMCACHED_VERSION=2f02b68bf65fa2332cce070674a93a69a6c7239b - -# Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.30...master -export LUA_RESTY_REDIS_VERSION=8641b9f1b6f75cca50c90cf8ca5c502ad8950aa8 - -# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/v0.6.1...master -export LUA_RESTY_IPMATCHER_VERSION=3e93c53eb8c9884efe939ef070486a0e507cc5be - -# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.1.7...master -export MIMALOC_VERSION=v2.1.7 - -# Check on https://github.com/open-telemetry/opentelemetry-cpp -export OPENTELEMETRY_CPP_VERSION="v1.11.0" -# Check on https://github.com/open-telemetry/opentelemetry-proto -export OPENTELEMETRY_PROTO_VERSION="v1.1.0" - -export BUILD_PATH=/tmp/build - -ARCH=$(uname -m) - -get_src() -{ - hash="$1" - url="$2" - dest="${3-}" - ARGS="" - f=$(basename "$url") - - echo "Downloading $url" - - curl -sSL "$url" -o "$f" - # TODO: Reenable checksum verification but make it smarter - # echo "$hash $f" | sha256sum -c - || exit 10 - if [ ! 
-z "$dest" ]; then - mkdir ${BUILD_PATH}/${dest} - ARGS="-C ${BUILD_PATH}/${dest} --strip-components=1" - fi - tar xvzf "$f" $ARGS - rm -rf "$f" -} - -# install required packages to build -# Dependencies from "ninja" and below are OTEL dependencies -apk add \ - bash \ - gcc \ - clang \ - libc-dev \ - make \ - automake \ - openssl-dev \ - pcre-dev \ - zlib-dev \ - linux-headers \ - libxslt-dev \ - gd-dev \ - perl-dev \ - libedit-dev \ - mercurial \ - alpine-sdk \ - findutils \ - curl \ - ca-certificates \ - patch \ - libaio-dev \ - openssl \ - cmake \ - util-linux \ - lmdb-tools \ - wget \ - curl-dev \ - libprotobuf \ - git g++ pkgconf flex bison doxygen yajl-dev lmdb-dev libtool autoconf libxml2 libxml2-dev \ - python3 \ - libmaxminddb-dev \ - bc \ - unzip \ - dos2unix \ - yaml-cpp \ - coreutils \ - ninja \ - gtest-dev \ - git \ - build-base \ - pkgconfig \ - c-ares-dev \ - re2-dev \ - grpc-dev \ - protobuf-dev - -# apk add -X http://dl-cdn.alpinelinux.org/alpine/edge/testing opentelemetry-cpp-dev - -# There is some bug with some platforms and git, so force HTTP/1.1 -git config --global http.version HTTP/1.1 -git config --global http.postBuffer 157286400 - -mkdir -p /etc/nginx - -mkdir --verbose -p "$BUILD_PATH" -cd "$BUILD_PATH" - -# download, verify and extract the source files -get_src 66dc7081488811e9f925719e34d1b4504c2801c81dee2920e5452a86b11405ae \ - "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" - -get_src aa961eafb8317e0eb8da37eb6e2c9ff42267edd18b56947384e719b85188f58b \ - "https://github.com/vision5/ngx_devel_kit/archive/$NDK_VERSION.tar.gz" "ngx_devel_kit" - -get_src abc123 \ - "https://github.com/open-telemetry/opentelemetry-cpp/archive/$OPENTELEMETRY_CPP_VERSION.tar.gz" "opentelemetry-cpp" - -get_src abc123 \ - "https://github.com/open-telemetry/opentelemetry-proto/archive/$OPENTELEMETRY_PROTO_VERSION.tar.gz" "opentelemetry-proto" - -get_src cd5e2cc834bcfa30149e7511f2b5a2183baf0b70dc091af717a89a64e44a2985 \ - 
"https://github.com/openresty/set-misc-nginx-module/archive/$SETMISC_VERSION.tar.gz" "set-misc-nginx-module" - -get_src 0c0d2ced2ce895b3f45eb2b230cd90508ab2a773299f153de14a43e44c1209b3 \ - "https://github.com/openresty/headers-more-nginx-module/archive/$MORE_HEADERS_VERSION.tar.gz" "headers-more-nginx-module" - -get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \ - "https://github.com/atomx/nginx-http-auth-digest/archive/$NGINX_DIGEST_AUTH.tar.gz" "nginx-http-auth-digest" - -get_src a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f \ - "https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz" "ngx_http_substitutions_filter_module" - -get_src 32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b \ - "https://github.com/SpiderLabs/ModSecurity-nginx/archive/$MODSECURITY_VERSION.tar.gz" "ModSecurity-nginx" - -get_src bc764db42830aeaf74755754b900253c233ad57498debe7a441cee2c6f4b07c2 \ - "https://github.com/openresty/lua-nginx-module/archive/$LUA_NGX_VERSION.tar.gz" "lua-nginx-module" - -get_src 01b715754a8248cc7228e0c8f97f7488ae429d90208de0481394e35d24cef32f \ - "https://github.com/openresty/stream-lua-nginx-module/archive/$LUA_STREAM_NGX_VERSION.tar.gz" "stream-lua-nginx-module" - -get_src a92c9ee6682567605ece55d4eed5d1d54446ba6fba748cff0a2482aea5713d5f \ - "https://github.com/openresty/lua-upstream-nginx-module/archive/$LUA_UPSTREAM_VERSION.tar.gz" "lua-upstream-nginx-module" - -get_src 77bbcbb24c3c78f51560017288f3118d995fe71240aa379f5818ff6b166712ff \ - "https://github.com/openresty/luajit2/archive/$LUAJIT_VERSION.tar.gz" "luajit2" - -get_src b6c9c09fd43eb34a71e706ad780b2ead26549a9a9f59280fe558f5b7b980b7c6 \ - "https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz" "ngx_http_geoip2_module" - -get_src deb4ab1ffb9f3d962c4b4a2c4bdff692b86a209e3835ae71ebdf3b97189e40a9 \ - 
"https://github.com/openresty/lua-resty-upload/archive/$LUA_RESTY_UPLOAD_VERSION.tar.gz" "lua-resty-upload" - -get_src bdbf271003d95aa91cab0a92f24dca129e99b33f79c13ebfcdbbcbb558129491 \ - "https://github.com/openresty/lua-resty-string/archive/$LUA_RESTY_STRING_VERSION.tar.gz" "lua-resty-string" - -get_src 16d72ed133f0c6df376a327386c3ef4e9406cf51003a700737c3805770ade7c5 \ - "https://github.com/openresty/lua-resty-balancer/archive/$LUA_RESTY_BALANCER.tar.gz" "lua-resty-balancer" - -get_src 39baab9e2b31cc48cecf896cea40ef6e80559054fd8a6e440cc804a858ea84d4 \ - "https://github.com/openresty/lua-resty-core/archive/$LUA_RESTY_CORE.tar.gz" "lua-resty-core" - -get_src a77b9de160d81712f2f442e1de8b78a5a7ef0d08f13430ff619f79235db974d4 \ - "https://github.com/openresty/lua-cjson/archive/$LUA_CJSON_VERSION.tar.gz" "lua-cjson" - -get_src 5ed48c36231e2622b001308622d46a0077525ac2f751e8cc0c9905914254baa4 \ - "https://github.com/cloudflare/lua-resty-cookie/archive/$LUA_RESTY_COOKIE_VERSION.tar.gz" "lua-resty-cookie" - -get_src 573184006b98ccee2594b0d134fa4d05e5d2afd5141cbad315051ccf7e9b6403 \ - "https://github.com/openresty/lua-resty-lrucache/archive/$LUA_RESTY_CACHE.tar.gz" "lua-resty-lrucache" - -get_src b4ddcd47db347e9adf5c1e1491a6279a6ae2a3aff3155ef77ea0a65c998a69c1 \ - "https://github.com/openresty/lua-resty-lock/archive/$LUA_RESTY_LOCK.tar.gz" "lua-resty-lock" - -get_src 70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0 \ - "https://github.com/openresty/lua-resty-dns/archive/$LUA_RESTY_DNS.tar.gz" "lua-resty-dns" - -get_src 9fcb6db95bc37b6fce77d3b3dc740d593f9d90dce0369b405eb04844d56ac43f \ - "https://github.com/ledgetech/lua-resty-http/archive/$LUA_RESTY_HTTP.tar.gz" "lua-resty-http" - -get_src 02733575c4aed15f6cab662378e4b071c0a4a4d07940c4ef19a7319e9be943d4 \ - "https://github.com/openresty/lua-resty-memcached/archive/$LUA_RESTY_MEMCACHED_VERSION.tar.gz" "lua-resty-memcached" - -get_src c15aed1a01c88a3a6387d9af67a957dff670357f5fdb4ee182beb44635eef3f1 \ - 
"https://github.com/openresty/lua-resty-redis/archive/$LUA_RESTY_REDIS_VERSION.tar.gz" "lua-resty-redis" - -get_src efb767487ea3f6031577b9b224467ddbda2ad51a41c5867a47582d4ad85d609e \ - "https://github.com/api7/lua-resty-ipmatcher/archive/$LUA_RESTY_IPMATCHER_VERSION.tar.gz" "lua-resty-ipmatcher" - -get_src d74f86ada2329016068bc5a243268f1f555edd620b6a7d6ce89295e7d6cf18da \ - "https://github.com/microsoft/mimalloc/archive/${MIMALOC_VERSION}.tar.gz" "mimalloc" - -# improve compilation times -CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1)) - -export MAKEFLAGS=-j${CORES} -export CTEST_BUILD_FLAGS=${MAKEFLAGS} - -# Install luajit from openresty fork -export LUAJIT_LIB=/usr/local/lib -export LUA_LIB_DIR="$LUAJIT_LIB/lua" -export LUAJIT_INC=/usr/local/include/luajit-2.1 - -cd "$BUILD_PATH/luajit2" -make CCDEBUG=-g -make install - -ln -s /usr/local/bin/luajit /usr/local/bin/lua -ln -s "$LUAJIT_INC" /usr/local/include/lua - -cd "$BUILD_PATH/opentelemetry-cpp" -export CXXFLAGS="-DBENCHMARK_HAS_NO_INLINE_ASSEMBLY" -cmake -B build -G Ninja -Wno-dev \ - -DOTELCPP_PROTO_PATH="${BUILD_PATH}/opentelemetry-proto/" \ - -DCMAKE_INSTALL_PREFIX=/usr \ - -DBUILD_SHARED_LIBS=ON \ - -DBUILD_TESTING="OFF" \ - -DBUILD_W3CTRACECONTEXT_TEST="OFF" \ - -DCMAKE_BUILD_TYPE=None \ - -DWITH_ABSEIL=ON \ - -DWITH_STL=ON \ - -DWITH_EXAMPLES=OFF \ - -DWITH_ZPAGES=OFF \ - -DWITH_OTLP_GRPC=ON \ - -DWITH_OTLP_HTTP=ON \ - -DWITH_ZIPKIN=ON \ - -DWITH_PROMETHEUS=OFF \ - -DWITH_ASYNC_EXPORT_PREVIEW=OFF \ - -DWITH_METRICS_EXEMPLAR_PREVIEW=OFF - cmake --build build - cmake --install build - -# Git tuning -git config --global --add core.compression -1 - -# Get Brotli source and deps -cd "$BUILD_PATH" -git clone --depth=100 https://github.com/google/ngx_brotli.git -cd ngx_brotli -# https://github.com/google/ngx_brotli/issues/156 -git reset --hard 63ca02abdcf79c9e788d2eedcc388d2335902e52 -git submodule init -git submodule update - -cd "$BUILD_PATH" -git clone --depth=1 https://github.com/ssdeep-project/ssdeep 
-cd ssdeep/ - -./bootstrap -./configure - -make -make install - -# build modsecurity library -cd "$BUILD_PATH" -git clone -n https://github.com/SpiderLabs/ModSecurity -cd ModSecurity/ -git checkout $MODSECURITY_LIB_VERSION -git submodule init -git submodule update - -sh build.sh - -# https://github.com/SpiderLabs/ModSecurity/issues/1909#issuecomment-465926762 -sed -i '115i LUA_CFLAGS="${LUA_CFLAGS} -DWITH_LUA_JIT_2_1"' build/lua.m4 -sed -i '117i AC_SUBST(LUA_CFLAGS)' build/lua.m4 - -./configure \ - --disable-doxygen-doc \ - --disable-doxygen-html \ - --disable-examples - -make -make install - -mkdir -p /etc/nginx/modsecurity -cp modsecurity.conf-recommended /etc/nginx/modsecurity/modsecurity.conf -cp unicode.mapping /etc/nginx/modsecurity/unicode.mapping - -# Replace serial logging with concurrent -sed -i 's|SecAuditLogType Serial|SecAuditLogType Concurrent|g' /etc/nginx/modsecurity/modsecurity.conf - -# Concurrent logging implies the log is stored in several files -echo "SecAuditLogStorageDir /var/log/audit/" >> /etc/nginx/modsecurity/modsecurity.conf - -# Download owasp modsecurity crs -cd /etc/nginx/ - -git clone -b $OWASP_MODSECURITY_CRS_VERSION https://github.com/coreruleset/coreruleset -mv coreruleset owasp-modsecurity-crs -cd owasp-modsecurity-crs - -mv crs-setup.conf.example crs-setup.conf -mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf -mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf -cd .. 
- -# OWASP CRS v4 rules -echo " -Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf -Include 
/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-955-WEB-SHELLS.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf -" > /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf - -# build nginx -cd "$BUILD_PATH/nginx-$NGINX_VERSION" - -# apply nginx patches -for PATCH in `ls /patches`;do - echo "Patch: $PATCH" - if [[ "$PATCH" == *.txt ]]; then - patch -p0 < /patches/$PATCH - else - patch -p1 < /patches/$PATCH - fi -done - -WITH_FLAGS="--with-debug \ - --with-compat \ - --with-pcre-jit \ - --with-http_ssl_module \ - --with-http_stub_status_module \ - --with-http_realip_module \ - --with-http_auth_request_module \ - --with-http_addition_module \ - --with-http_gzip_static_module \ - --with-http_sub_module \ - --with-http_v2_module \ - --with-http_v3_module \ - --with-stream \ - --with-stream_ssl_module \ - --with-stream_realip_module \ - --with-stream_ssl_preread_module \ - --with-threads \ - --with-http_secure_link_module \ - --with-http_gunzip_module" - -# "Combining -flto with -g is currently experimental and expected to produce unexpected results." 
-# https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html -CC_OPT="-g -O2 -fPIE -fstack-protector-strong \ - -Wformat \ - -Werror=format-security \ - -Wno-deprecated-declarations \ - -fno-strict-aliasing \ - -D_FORTIFY_SOURCE=2 \ - --param=ssp-buffer-size=4 \ - -DTCP_FASTOPEN=23 \ - -fPIC \ - -Wno-cast-function-type" - -LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now" - -if [[ ${ARCH} != "aarch64" ]]; then - WITH_FLAGS+=" --with-file-aio" -fi - -if [[ ${ARCH} == "x86_64" ]]; then - CC_OPT+=' -m64 -mtune=generic' -fi - -WITH_MODULES=" \ - --add-module=$BUILD_PATH/ngx_devel_kit \ - --add-module=$BUILD_PATH/set-misc-nginx-module \ - --add-module=$BUILD_PATH/headers-more-nginx-module \ - --add-module=$BUILD_PATH/ngx_http_substitutions_filter_module \ - --add-module=$BUILD_PATH/lua-nginx-module \ - --add-module=$BUILD_PATH/stream-lua-nginx-module \ - --add-module=$BUILD_PATH/lua-upstream-nginx-module \ - --add-dynamic-module=$BUILD_PATH/nginx-http-auth-digest \ - --add-dynamic-module=$BUILD_PATH/ModSecurity-nginx \ - --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module \ - --add-dynamic-module=$BUILD_PATH/ngx_brotli" - -./configure \ - --prefix=/usr/local/nginx \ - --conf-path=/etc/nginx/nginx.conf \ - --modules-path=/etc/nginx/modules \ - --http-log-path=/var/log/nginx/access.log \ - --error-log-path=/var/log/nginx/error.log \ - --lock-path=/var/lock/nginx.lock \ - --pid-path=/run/nginx.pid \ - --http-client-body-temp-path=/var/lib/nginx/body \ - --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ - --http-proxy-temp-path=/var/lib/nginx/proxy \ - --http-scgi-temp-path=/var/lib/nginx/scgi \ - --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \ - ${WITH_FLAGS} \ - --without-mail_pop3_module \ - --without-mail_smtp_module \ - --without-mail_imap_module \ - --without-http_uwsgi_module \ - --without-http_scgi_module \ - --with-cc-opt="${CC_OPT}" \ - --with-ld-opt="${LD_OPT}" \ - --user=www-data \ - --group=www-data \ - ${WITH_MODULES} - -make -make modules -make install - 
-export OPENTELEMETRY_CONTRIB_COMMIT=e11348bb400d5472bf1da5d6128bead66fa111ff -cd "$BUILD_PATH" - -git clone https://github.com/open-telemetry/opentelemetry-cpp-contrib.git opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT} - -cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT} -git reset --hard ${OPENTELEMETRY_CONTRIB_COMMIT} - -export OTEL_TEMP_INSTALL=/tmp/otel -mkdir -p ${OTEL_TEMP_INSTALL} - -cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT}/instrumentation/nginx -mkdir -p build -cd build -cmake -DCMAKE_BUILD_TYPE=Release \ - -G Ninja \ - -DCMAKE_CXX_STANDARD=17 \ - -DCMAKE_INSTALL_PREFIX=${OTEL_TEMP_INSTALL} \ - -DBUILD_SHARED_LIBS=ON \ - -DNGINX_VERSION=${NGINX_VERSION} \ - .. -cmake --build . -j ${CORES} --target install - -mkdir -p /etc/nginx/modules -cp ${OTEL_TEMP_INSTALL}/otel_ngx_module.so /etc/nginx/modules/otel_ngx_module.so - - -cd "$BUILD_PATH/lua-resty-core" -make install - -cd "$BUILD_PATH/lua-resty-balancer" -make all -make install - -export LUA_INCLUDE_DIR=/usr/local/include/luajit-2.1 -ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1 - -cd "$BUILD_PATH/lua-cjson" -make all -make install - -cd "$BUILD_PATH/lua-resty-cookie" -make all -make install - -cd "$BUILD_PATH/lua-resty-lrucache" -make install - -cd "$BUILD_PATH/lua-resty-dns" -make install - -cd "$BUILD_PATH/lua-resty-lock" -make install - -# required for OCSP verification -cd "$BUILD_PATH/lua-resty-http" -make install - -cd "$BUILD_PATH/lua-resty-upload" -make install - -cd "$BUILD_PATH/lua-resty-string" -make install - -cd "$BUILD_PATH/lua-resty-memcached" -make install - -cd "$BUILD_PATH/lua-resty-redis" -make install - -cd "$BUILD_PATH/lua-resty-ipmatcher" -INST_LUADIR=/usr/local/lib/lua make install - -cd "$BUILD_PATH/mimalloc" -mkdir -p out/release -cd out/release - -cmake ../.. 
- -make -make install - -# update image permissions -writeDirs=( \ - /etc/nginx \ - /usr/local/nginx \ - /opt/modsecurity/var/log \ - /opt/modsecurity/var/upload \ - /opt/modsecurity/var/audit \ - /var/log/audit \ - /var/log/nginx \ -); - -adduser -S -D -H -u 101 -h /usr/local/nginx -s /sbin/nologin -G www-data -g www-data www-data - -for dir in "${writeDirs[@]}"; do - mkdir -p ${dir}; - chown -R www-data.www-data ${dir}; -done - -rm -rf /etc/nginx/owasp-modsecurity-crs/.git -rm -rf /etc/nginx/owasp-modsecurity-crs/tests - -# remove .a files -find /usr/local -name "*.a" -print | xargs /bin/rm diff --git a/images/nginx/rootfs/patches/00_drop-alias-root.patch b/images/nginx/rootfs/patches/00_drop-alias-root.patch deleted file mode 100644 index a92e08bd0a..0000000000 --- a/images/nginx/rootfs/patches/00_drop-alias-root.patch +++ /dev/null 
@@ -1,144 +0,0 @@ -:100644 100644 c7463dcd 00000000 M src/http/ngx_http_core_module.c -diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c -index c7463dcd..e2e45931 100644 ---- a/src/http/ngx_http_core_module.c -+++ b/src/http/ngx_http_core_module.c -@@ -55,7 +55,6 @@ static char *ngx_http_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, - void *conf); - static char *ngx_http_core_server_name(ngx_conf_t *cf, ngx_command_t *cmd, - void *conf); --static char *ngx_http_core_root(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); - static char *ngx_http_core_limit_except(ngx_conf_t *cf, ngx_command_t *cmd, - void *conf); - static char *ngx_http_core_set_aio(ngx_conf_t *cf, ngx_command_t *cmd, -@@ -323,21 +322,6 @@ static ngx_command_t ngx_http_core_commands[] = { - offsetof(ngx_http_core_loc_conf_t, default_type), - NULL }, - -- { ngx_string("root"), -- NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -- |NGX_CONF_TAKE1, -- ngx_http_core_root, -- NGX_HTTP_LOC_CONF_OFFSET, -- 0, -- NULL }, -- -- { ngx_string("alias"), -- NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, -- ngx_http_core_root, -- NGX_HTTP_LOC_CONF_OFFSET, -- 0, -- NULL }, -- - { ngx_string("limit_except"), - NGX_HTTP_LOC_CONF|NGX_CONF_BLOCK|NGX_CONF_1MORE, - ngx_http_core_limit_except, -@@ -4312,108 +4296,6 @@ ngx_http_core_server_name(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) - } - - --static char * --ngx_http_core_root(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) --{ -- ngx_http_core_loc_conf_t *clcf = conf; -- -- ngx_str_t *value; -- ngx_int_t alias; -- ngx_uint_t n; -- ngx_http_script_compile_t sc; -- -- alias = (cmd->name.len == sizeof("alias") - 1) ? 1 : 0; -- -- if (clcf->root.data) { -- -- if ((clcf->alias != 0) == alias) { -- return "is duplicate"; -- } -- -- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -- "\"%V\" directive is duplicate, " -- "\"%s\" directive was specified earlier", -- &cmd->name, clcf->alias ? 
"alias" : "root"); -- -- return NGX_CONF_ERROR; -- } -- -- if (clcf->named && alias) { -- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -- "the \"alias\" directive cannot be used " -- "inside the named location"); -- -- return NGX_CONF_ERROR; -- } -- -- value = cf->args->elts; -- -- if (ngx_strstr(value[1].data, "$document_root") -- || ngx_strstr(value[1].data, "${document_root}")) -- { -- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -- "the $document_root variable cannot be used " -- "in the \"%V\" directive", -- &cmd->name); -- -- return NGX_CONF_ERROR; -- } -- -- if (ngx_strstr(value[1].data, "$realpath_root") -- || ngx_strstr(value[1].data, "${realpath_root}")) -- { -- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -- "the $realpath_root variable cannot be used " -- "in the \"%V\" directive", -- &cmd->name); -- -- return NGX_CONF_ERROR; -- } -- -- clcf->alias = alias ? clcf->name.len : 0; -- clcf->root = value[1]; -- -- if (!alias && clcf->root.len > 0 -- && clcf->root.data[clcf->root.len - 1] == '/') -- { -- clcf->root.len--; -- } -- -- if (clcf->root.data[0] != '$') { -- if (ngx_conf_full_name(cf->cycle, &clcf->root, 0) != NGX_OK) { -- return NGX_CONF_ERROR; -- } -- } -- -- n = ngx_http_script_variables_count(&clcf->root); -- -- ngx_memzero(&sc, sizeof(ngx_http_script_compile_t)); -- sc.variables = n; -- --#if (NGX_PCRE) -- if (alias && clcf->regex) { -- clcf->alias = NGX_MAX_SIZE_T_VALUE; -- n = 1; -- } --#endif -- -- if (n) { -- sc.cf = cf; -- sc.source = &clcf->root; -- sc.lengths = &clcf->root_lengths; -- sc.values = &clcf->root_values; -- sc.complete_lengths = 1; -- sc.complete_values = 1; -- -- if (ngx_http_script_compile(&sc) != NGX_OK) { -- return NGX_CONF_ERROR; -- } -- } -- -- return NGX_CONF_OK; --} -- -- - static ngx_http_method_name_t ngx_methods_names[] = { - { (u_char *) "GET", (uint32_t) ~NGX_HTTP_GET }, - { (u_char *) "HEAD", (uint32_t) ~NGX_HTTP_HEAD }, 
diff --git a/images/nginx/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch b/images/nginx/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch deleted file mode 100644 index 8c3ba27915..0000000000 --- a/images/nginx/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/src/os/win32/ngx_event_log.c b/src/os/win32/ngx_event_log.c -index e11ed1e8..dce8eddd 100644 ---- a/src/os/win32/ngx_event_log.c -+++ b/src/os/win32/ngx_event_log.c -@@ -8,7 +8,9 @@ - #include - - --#define NGX_MAX_ERROR_STR 2048 -+#ifndef NGX_MAX_ERROR_STR -+#define NGX_MAX_ERROR_STR 4096 -+#endif - - - void ngx_cdecl diff --git a/images/nginx/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch b/images/nginx/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch deleted file mode 100644 index f56bc52575..0000000000 --- a/images/nginx/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch +++ /dev/null 
@@ -1,53 +0,0 @@
-diff --git a/src/stream/ngx_stream_upstream_round_robin.c b/src/stream/ngx_stream_upstream_round_robin.c
-index 526de3a..b531ce1 100644
---- a/src/stream/ngx_stream_upstream_round_robin.c
-+++ b/src/stream/ngx_stream_upstream_round_robin.c
-@@ -21,10 +21,6 @@ static void ngx_stream_upstream_notify_round_robin_peer(
-
- #if (NGX_STREAM_SSL)
-
--static ngx_int_t ngx_stream_upstream_set_round_robin_peer_session(
-- ngx_peer_connection_t *pc, void *data);
--static void ngx_stream_upstream_save_round_robin_peer_session(
-- ngx_peer_connection_t *pc, void *data);
- static ngx_int_t ngx_stream_upstream_empty_set_session(
- ngx_peer_connection_t *pc, void *data);
- static void ngx_stream_upstream_empty_save_session(ngx_peer_connection_t *pc,
-@@ -690,7 +686,7 @@ ngx_stream_upstream_notify_round_robin_peer(ngx_peer_connection_t *pc,
-
- #if (NGX_STREAM_SSL)
-
--static ngx_int_t
-+ngx_int_t
- ngx_stream_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
- void *data)
- {
-@@ -756,7 +752,7 @@ ngx_stream_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
- }
-
-
--static void
-+void
- ngx_stream_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
- void *data)
- {
-diff --git a/src/stream/ngx_stream_upstream_round_robin.h b/src/stream/ngx_stream_upstream_round_robin.h
-index 35d9fce..75f3e31 100644
---- a/src/stream/ngx_stream_upstream_round_robin.h
-+++ b/src/stream/ngx_stream_upstream_round_robin.h
-@@ -142,5 +142,15 @@ ngx_int_t ngx_stream_upstream_get_round_robin_peer(ngx_peer_connection_t *pc,
- void ngx_stream_upstream_free_round_robin_peer(ngx_peer_connection_t *pc,
- void *data, ngx_uint_t state);
-
-+#if (NGX_STREAM_SSL)
-+ngx_int_t ngx_stream_upstream_set_round_robin_peer_session(
-+ ngx_peer_connection_t *pc, void *data);
-+void ngx_stream_upstream_save_round_robin_peer_session(
-+ ngx_peer_connection_t *pc, void *data);
-+#endif
-+
-+
-+#define HAVE_NGX_STREAM_BALANCER_EXPORT_PATCH 1
-+
-
- #endif /* _NGX_STREAM_UPSTREAM_ROUND_ROBIN_H_INCLUDED_ */
diff --git a/images/nginx/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch b/images/nginx/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch
deleted file mode 100644
index cb881f070c..0000000000
--- a/images/nginx/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h
-index 09d2459..de92724 100644
---- a/src/stream/ngx_stream.h
-+++ b/src/stream/ngx_stream.h
-@@ -303,4 +303,7 @@ typedef ngx_int_t (*ngx_stream_filter_pt)(ngx_stream_session_t *s,
- extern ngx_stream_filter_pt ngx_stream_top_filter;
-
-
-+#define HAS_NGX_STREAM_PROXY_GET_NEXT_UPSTREAM_TRIES_PATCH 1
-+
-+
- #endif /* _NGX_STREAM_H_INCLUDED_ */
-diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
-index 0afde1c..3254ce1 100644
---- a/src/stream/ngx_stream_proxy_module.c
-+++ b/src/stream/ngx_stream_proxy_module.c
-@@ -2156,3 +2156,14 @@ ngx_stream_proxy_bind(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
-
- return NGX_CONF_OK;
- }
-+
-+
-+ngx_uint_t
-+ngx_stream_proxy_get_next_upstream_tries(ngx_stream_session_t *s)
-+{
-+ ngx_stream_proxy_srv_conf_t *pscf;
-+
-+ pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module);
-+
-+ return pscf->next_upstream_tries;
-+}
diff --git a/images/nginx/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch b/images/nginx/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch
deleted file mode 100644
index 39c59e206d..0000000000
--- a/images/nginx/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch
+++ /dev/null
@@ -1,178 +0,0 @@ -diff -u -r -p -Naur nginx-1.25.3/src/stream/ngx_stream.h nginx-1.25.3-patched/src/stream/ngx_stream.h ---- nginx-1.25.3/src/stream/ngx_stream.h 2021-11-04 21:27:55.288708527 +0800 -+++ nginx-1.25.3-patched/src/stream/ngx_stream.h 2021-11-04 21:28:50.768035209 +0800 -@@ -254,6 +254,15 @@ typedef struct { - } ngx_stream_module_t; - - -+typedef struct { -+ ngx_msec_t connect_timeout; -+ ngx_msec_t timeout; -+} ngx_stream_proxy_ctx_t; -+ -+ -+#define NGX_STREAM_HAVE_PROXY_TIMEOUT_FIELDS_PATCH 1 -+ -+ - #define NGX_STREAM_MODULE 0x4d525453 /* "STRM" */ - - #define NGX_STREAM_MAIN_CONF 0x02000000 -@@ -307,6 +316,7 @@ void ngx_stream_finalize_session(ngx_str - extern ngx_module_t ngx_stream_module; - extern ngx_uint_t ngx_stream_max_module; - extern ngx_module_t ngx_stream_core_module; -+extern ngx_module_t ngx_stream_proxy_module; - - - typedef ngx_int_t (*ngx_stream_filter_pt)(ngx_stream_session_t *s, -diff -u -r -p -Naur nginx-1.25.3/src/stream/ngx_stream_proxy_module.c nginx-1.25.3-patched/src/stream/ngx_stream_proxy_module.c ---- nginx-1.25.3/src/stream/ngx_stream_proxy_module.c 2021-11-04 21:27:55.289708533 +0800 -+++ nginx-1.25.3-patched/src/stream/ngx_stream_proxy_module.c 2021-11-04 21:37:03.578936990 +0800 -@@ -400,6 +400,7 @@ ngx_stream_proxy_handler(ngx_stream_sess - ngx_stream_proxy_srv_conf_t *pscf; - ngx_stream_upstream_srv_conf_t *uscf, **uscfp; - ngx_stream_upstream_main_conf_t *umcf; -+ ngx_stream_proxy_ctx_t *pctx; - - c = s->connection; - -@@ -408,6 +409,17 @@ ngx_stream_proxy_handler(ngx_stream_sess - ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0, - "proxy connection handler"); - -+ pctx = ngx_palloc(c->pool, sizeof(ngx_stream_proxy_ctx_t)); -+ if (pctx == NULL) { -+ ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); -+ return; -+ } -+ -+ pctx->connect_timeout = pscf->connect_timeout; -+ pctx->timeout = pscf->timeout; -+ -+ ngx_stream_set_ctx(s, pctx, ngx_stream_proxy_module); -+ - u = ngx_pcalloc(c->pool, 
sizeof(ngx_stream_upstream_t)); - if (u == NULL) { - ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); -@@ -699,6 +711,7 @@ ngx_stream_proxy_connect(ngx_stream_sess - ngx_connection_t *c, *pc; - ngx_stream_upstream_t *u; - ngx_stream_proxy_srv_conf_t *pscf; -+ ngx_stream_proxy_ctx_t *ctx; - - c = s->connection; - -@@ -706,6 +719,8 @@ ngx_stream_proxy_connect(ngx_stream_sess - - pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module); - -+ ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module); -+ - u = s->upstream; - - u->connected = 0; -@@ -774,7 +789,7 @@ ngx_stream_proxy_connect(ngx_stream_sess - pc->read->handler = ngx_stream_proxy_connect_handler; - pc->write->handler = ngx_stream_proxy_connect_handler; - -- ngx_add_timer(pc->write, pscf->connect_timeout); -+ ngx_add_timer(pc->write, ctx->connect_timeout); - } - - -@@ -957,12 +957,14 @@ ngx_stream_proxy_init_upstream(ngx_stream_session_t *s) - static ngx_int_t - ngx_stream_proxy_send_proxy_protocol(ngx_stream_session_t *s) - { -- u_char *p; -- ssize_t n, size; -- ngx_connection_t *c, *pc; -- ngx_stream_upstream_t *u; -- ngx_stream_proxy_srv_conf_t *pscf; -- u_char buf[NGX_PROXY_PROTOCOL_V1_MAX_HEADER]; -+ u_char *p; -+ u_char buf[NGX_PROXY_PROTOCOL_V1_MAX_HEADER]; -+ ssize_t n, size; -+ ngx_connection_t *c, *pc; -+ ngx_stream_upstream_t *u; -+ ngx_stream_proxy_ctx_t *ctx; -+ -+ ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module); - - c = s->connection; - -@@ -976,9 +993,7 @@ ngx_stream_proxy_send_proxy_protocol(ngx - return NGX_ERROR; - } - -- pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module); -- -- ngx_add_timer(pc->write, pscf->timeout); -+ ngx_add_timer(pc->write, ctx->timeout); - - pc->write->handler = ngx_stream_proxy_connect_handler; - -@@ -1053,6 +1068,9 @@ ngx_stream_proxy_ssl_init_connection(ngx - ngx_connection_t *pc; - ngx_stream_upstream_t *u; - ngx_stream_proxy_srv_conf_t *pscf; -+ ngx_stream_proxy_ctx_t *ctx; -+ -+ ctx = 
ngx_stream_get_module_ctx(s, ngx_stream_proxy_module); - - u = s->upstream; - -@@ -1099,7 +1117,7 @@ ngx_stream_proxy_ssl_init_connection(ngx - if (rc == NGX_AGAIN) { - - if (!pc->write->timer_set) { -- ngx_add_timer(pc->write, pscf->connect_timeout); -+ ngx_add_timer(pc->write, ctx->connect_timeout); - } - - pc->ssl->handler = ngx_stream_proxy_ssl_handshake; -@@ -1408,6 +1426,7 @@ ngx_stream_proxy_process_connection(ngx_ - ngx_stream_session_t *s; - ngx_stream_upstream_t *u; - ngx_stream_proxy_srv_conf_t *pscf; -+ ngx_stream_proxy_ctx_t *ctx; - - c = ev->data; - s = c->data; -@@ -1419,6 +1438,8 @@ ngx_stream_proxy_process_connection(ngx_ - return; - } - -+ ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module); -+ - c = s->connection; - pc = u->peer.connection; - -@@ -1438,7 +1459,7 @@ ngx_stream_proxy_process_connection(ngx_ - } - - if (u->connected && !c->read->delayed && !pc->read->delayed) { -- ngx_add_timer(c->write, pscf->timeout); -+ ngx_add_timer(c->write, ctx->timeout); - } - - return; -@@ -1600,6 +1621,9 @@ ngx_stream_proxy_process(ngx_stream_sess - ngx_log_handler_pt handler; - ngx_stream_upstream_t *u; - ngx_stream_proxy_srv_conf_t *pscf; -+ ngx_stream_proxy_ctx_t *ctx; -+ -+ ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module); - - u = s->upstream; - -@@ -1807,7 +1831,7 @@ ngx_stream_proxy_process(ngx_stream_sess - } - - if (!c->read->delayed && !pc->read->delayed) { -- ngx_add_timer(c->write, pscf->timeout); -+ ngx_add_timer(c->write, ctx->timeout); - - } else if (c->write->timer_set) { - ngx_del_timer(c->write); diff --git a/images/nginx/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch b/images/nginx/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch deleted file mode 100644 index e45e9f69a7..0000000000 --- a/images/nginx/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch +++ /dev/null 
@@ -1,13 +0,0 @@
-diff --git a/src/stream/ngx_stream_ssl_preread_module.c b/src/stream/ngx_stream_ssl_preread_module.c
-index e3d11fd9..3717b5fe 100644
---- a/src/stream/ngx_stream_ssl_preread_module.c
-+++ b/src/stream/ngx_stream_ssl_preread_module.c
-@@ -159,7 +159,7 @@ ngx_stream_ssl_preread_handler(ngx_stream_session_t *s)
-
- rc = ngx_stream_ssl_preread_parse_record(ctx, p, p + len);
- if (rc != NGX_AGAIN) {
-- return rc;
-+ return rc == NGX_OK ? NGX_DECLINED : rc;
- }
-
- p += len;
diff --git a/images/nginx/rootfs/patches/06_nginx-1.25.3-resolver_conf_parsing.patch b/images/nginx/rootfs/patches/06_nginx-1.25.3-resolver_conf_parsing.patch
deleted file mode 100644
index 8638cdf2a8..0000000000
--- a/images/nginx/rootfs/patches/06_nginx-1.25.3-resolver_conf_parsing.patch
+++ /dev/null
@@ -1,263 +0,0 @@ -diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c -index cd55520c..dade1846 100644 ---- a/src/core/ngx_resolver.c -+++ b/src/core/ngx_resolver.c -@@ -9,12 +9,26 @@ - #include - #include - -+#if !(NGX_WIN32) -+#include -+#endif -+ - - #define NGX_RESOLVER_UDP_SIZE 4096 - - #define NGX_RESOLVER_TCP_RSIZE (2 + 65535) - #define NGX_RESOLVER_TCP_WSIZE 8192 - -+#if !(NGX_WIN32) -+/* -+ * note that 2KB should be more than enough for majority of the -+ * resolv.conf files out there. it also acts as a safety guard to prevent -+ * abuse. -+ */ -+#define NGX_RESOLVER_FILE_BUF_SIZE 2048 -+#define NGX_RESOLVER_FILE_NAME "/etc/resolv.conf" -+#endif -+ - - typedef struct { - u_char ident_hi; -@@ -131,6 +145,191 @@ static ngx_resolver_node_t *ngx_resolver_lookup_addr6(ngx_resolver_t *r, - #endif - - -+#if !(NGX_WIN32) -+static ngx_int_t -+ngx_resolver_read_resolv_conf(ngx_conf_t *cf, ngx_resolver_t *r, u_char *path, -+ size_t path_len) -+{ -+ ngx_url_t u; -+ ngx_resolver_connection_t *rec; -+ ngx_fd_t fd; -+ ngx_file_t file; -+ u_char buf[NGX_RESOLVER_FILE_BUF_SIZE]; -+ u_char ipv6_buf[NGX_INET6_ADDRSTRLEN]; -+ ngx_uint_t address = 0, j, total = 0; -+ ssize_t n, i; -+ enum { -+ sw_nameserver, -+ sw_spaces, -+ sw_address, -+ sw_skip -+ } state; -+ -+ file.name.data = path; -+ file.name.len = path_len; -+ -+ if (ngx_conf_full_name(cf->cycle, &file.name, 1) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, -+ NGX_FILE_OPEN, 0); -+ -+ if (fd == NGX_INVALID_FILE) { -+ ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, -+ ngx_open_file_n " \"%s\" failed", file.name.data); -+ -+ return NGX_ERROR; -+ } -+ -+ ngx_memzero(&file, sizeof(ngx_file_t)); -+ -+ file.fd = fd; -+ file.log = cf->log; -+ -+ state = sw_nameserver; -+ -+ n = ngx_read_file(&file, buf, NGX_RESOLVER_FILE_BUF_SIZE, 0); -+ -+ if (n == NGX_ERROR) { -+ ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno, -+ ngx_read_file_n " \"%s\" failed", 
file.name.data); -+ } -+ -+ if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { -+ ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno, -+ ngx_close_file_n " \"%s\" failed", file.name.data); -+ } -+ -+ if (n == NGX_ERROR) { -+ return NGX_ERROR; -+ } -+ -+ if (n == 0) { -+ return NGX_OK; -+ } -+ -+ for (i = 0; i < n && total < MAXNS; /* void */) { -+ if (buf[i] == '#' || buf[i] == ';') { -+ state = sw_skip; -+ } -+ -+ switch (state) { -+ -+ case sw_nameserver: -+ -+ if ((size_t) n - i >= sizeof("nameserver") - 1 -+ && ngx_memcmp(buf + i, "nameserver", -+ sizeof("nameserver") - 1) == 0) -+ { -+ state = sw_spaces; -+ i += sizeof("nameserver") - 1; -+ -+ continue; -+ } -+ -+ break; -+ -+ case sw_spaces: -+ if (buf[i] != '\t' && buf[i] != ' ') { -+ address = i; -+ state = sw_address; -+ } -+ -+ break; -+ -+ case sw_address: -+ -+ if (buf[i] == CR || buf[i] == LF || i == n - 1) { -+ ngx_memzero(&u, sizeof(ngx_url_t)); -+ -+ u.url.data = buf + address; -+ -+ if (i == n - 1 && buf[i] != CR && buf[i] != LF) { -+ u.url.len = n - address; -+ -+ } else { -+ u.url.len = i - address; -+ } -+ -+ u.default_port = 53; -+ -+ /* IPv6? 
*/ -+ if (ngx_strlchr(u.url.data, u.url.data + u.url.len, -+ ':') != NULL) -+ { -+ if (u.url.len + 2 > sizeof(ipv6_buf)) { -+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -+ "IPv6 resolver address is too long:" -+ " \"%V\"", &u.url); -+ -+ return NGX_ERROR; -+ } -+ -+ ipv6_buf[0] = '['; -+ ngx_memcpy(ipv6_buf + 1, u.url.data, u.url.len); -+ ipv6_buf[u.url.len + 1] = ']'; -+ -+ u.url.data = ipv6_buf; -+ u.url.len = u.url.len + 2; -+ } -+ -+ if (ngx_parse_url(cf->pool, &u) != NGX_OK) { -+ if (u.err) { -+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -+ "%s in resolver \"%V\"", -+ u.err, &u.url); -+ } -+ -+ return NGX_ERROR; -+ } -+ -+ rec = ngx_array_push_n(&r->connections, u.naddrs); -+ if (rec == NULL) { -+ return NGX_ERROR; -+ } -+ -+ ngx_memzero(rec, u.naddrs * sizeof(ngx_resolver_connection_t)); -+ -+ for (j = 0; j < u.naddrs; j++) { -+ rec[j].sockaddr = u.addrs[j].sockaddr; -+ rec[j].socklen = u.addrs[j].socklen; -+ rec[j].server = u.addrs[j].name; -+ rec[j].resolver = r; -+ } -+ -+ total++; -+ -+#if (NGX_DEBUG) -+ /* -+ * logs with level below NGX_LOG_NOTICE will not be printed -+ * in this early phase -+ */ -+ ngx_conf_log_error(NGX_LOG_NOTICE, cf, 0, -+ "parsed a resolver: \"%V\"", &u.url); -+#endif -+ -+ state = sw_nameserver; -+ } -+ -+ break; -+ -+ case sw_skip: -+ if (buf[i] == CR || buf[i] == LF) { -+ state = sw_nameserver; -+ } -+ -+ break; -+ } -+ -+ i++; -+ } -+ -+ return NGX_OK; -+} -+#endif -+ -+ - ngx_resolver_t * - ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n) - { -@@ -246,6 +445,39 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n) - } - #endif - -+#if !(NGX_WIN32) -+ if (ngx_strncmp(names[i].data, "local=", 6) == 0) { -+ -+ if (ngx_strcmp(&names[i].data[6], "on") == 0) { -+ if (ngx_resolver_read_resolv_conf(cf, r, -+ (u_char *) -+ NGX_RESOLVER_FILE_NAME, -+ sizeof(NGX_RESOLVER_FILE_NAME) -+ - 1) -+ != NGX_OK) -+ { -+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -+ "unable to parse local resolver"); -+ return NULL; 
-+ } -+ -+ } else if (ngx_strcmp(&names[i].data[6], "off") != 0) { -+ if (ngx_resolver_read_resolv_conf(cf, r, -+ &names[i].data[6], -+ names[i].len - 6) -+ != NGX_OK) -+ { -+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -+ "unable to parse local resolver"); -+ return NULL; -+ } -+ -+ } -+ -+ continue; -+ } -+#endif -+ - ngx_memzero(&u, sizeof(ngx_url_t)); - - u.url = names[i]; diff --git a/images/nginx/rootfs/patches/07_nginx-1.25.3-daemon_destroy_pool.patch b/images/nginx/rootfs/patches/07_nginx-1.25.3-daemon_destroy_pool.patch deleted file mode 100644 index 5690b88f08..0000000000 --- a/images/nginx/rootfs/patches/07_nginx-1.25.3-daemon_destroy_pool.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/src/os/unix/ngx_daemon.c b/src/os/unix/ngx_daemon.c -index ab672110..f259af31 100644 ---- a/src/os/unix/ngx_daemon.c -+++ b/src/os/unix/ngx_daemon.c -@@ -23,6 +23,8 @@ ngx_daemon(ngx_log_t *log) - break; - - default: -+ /* just to make it ASAN or Valgrind clean */ -+ ngx_destroy_pool(ngx_cycle->pool); - exit(0); - } diff --git a/images/nginx/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch b/images/nginx/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch deleted file mode 100644 index bd2e9a7d92..0000000000 --- a/images/nginx/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch +++ /dev/null 
@@ -1,59 +0,0 @@
-diff -rup nginx-1.25.3/src/core/nginx.c nginx-1.25.3-patched/src/core/nginx.c
---- nginx-1.25.3/src/core/nginx.c 2017-12-17 00:00:38.136470108 -0800
-+++ nginx-1.25.3-patched/src/core/nginx.c 2017-12-16 23:59:51.680958322 -0800
-@@ -186,6 +186,7 @@ static u_char *ngx_prefix;
- static u_char *ngx_conf_file;
- static u_char *ngx_conf_params;
- static char *ngx_signal;
-+ngx_pool_t *saved_init_cycle_pool = NULL;
-
-
- static char **ngx_os_environ;
-@@ -253,6 +254,8 @@ main(int argc, char *const *argv)
- return 1;
- }
-
-+ saved_init_cycle_pool = init_cycle.pool;
-+
- if (ngx_save_argv(&init_cycle, argc, argv) != NGX_OK) {
- return 1;
- }
-diff -rup nginx-1.25.3/src/core/ngx_core.h nginx-1.25.3-patched/src/core/ngx_core.h
---- nginx-1.25.3/src/core/ngx_core.h 2017-10-10 08:22:51.000000000 -0700
-+++ nginx-1.25.3-patched/src/core/ngx_core.h 2017-12-16 23:59:51.679958370 -0800
-@@ -108,4 +108,6 @@ void ngx_cpuinfo(void);
- #define NGX_DISABLE_SYMLINKS_NOTOWNER 2
- #endif
-
-+extern ngx_pool_t *saved_init_cycle_pool;
-+
- #endif /* _NGX_CORE_H_INCLUDED_ */
-diff -rup nginx-1.25.3/src/core/ngx_cycle.c nginx-1.25.3-patched/src/core/ngx_cycle.c
---- nginx-1.25.3/src/core/ngx_cycle.c 2017-10-10 08:22:51.000000000 -0700
-+++ nginx-1.25.3-patched/src/core/ngx_cycle.c 2017-12-16 23:59:51.678958419 -0800
-@@ -748,6 +748,10 @@ old_shm_zone_done:
-
- if (ngx_process == NGX_PROCESS_MASTER || ngx_is_init_cycle(old_cycle)) {
-
-+ if (ngx_is_init_cycle(old_cycle)) {
-+ saved_init_cycle_pool = NULL;
-+ }
-+
- ngx_destroy_pool(old_cycle->pool);
- cycle->old_cycle = NULL;
-
-diff -rup nginx-1.25.3/src/os/unix/ngx_process_cycle.c nginx-1.25.3-patched/src/os/unix/ngx_process_cycle.c
---- nginx-1.25.3/src/os/unix/ngx_process_cycle.c 2017-12-17 00:00:38.142469762 -0800
-+++ nginx-1.25.3-patched/src/os/unix/ngx_process_cycle.c 2017-12-16 23:59:51.691957791 -0800
-@@ -687,6 +692,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc
- ngx_exit_cycle.files_n = ngx_cycle->files_n;
- ngx_cycle = &ngx_exit_cycle;
-
-+ if (saved_init_cycle_pool != NULL && saved_init_cycle_pool != cycle->pool) {
-+ ngx_destroy_pool(saved_init_cycle_pool);
-+ saved_init_cycle_pool = NULL;
-+ }
-+
- ngx_destroy_pool(cycle->pool);
-
- exit(0);
diff --git a/images/nginx/rootfs/patches/09_nginx-1.25.3-balancer_status_code.patch b/images/nginx/rootfs/patches/09_nginx-1.25.3-balancer_status_code.patch
deleted file mode 100644
index c4d87e2fb2..0000000000
--- a/images/nginx/rootfs/patches/09_nginx-1.25.3-balancer_status_code.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
-index f8d5707d..6efe0047 100644
---- a/src/http/ngx_http_upstream.c
-+++ b/src/http/ngx_http_upstream.c
-@@ -1515,6 +1515,11 @@ ngx_http_upstream_connect(ngx_http_request_t *r, ngx_http_upstream_t *u)
- return;
- }
-
-+ if (rc >= NGX_HTTP_SPECIAL_RESPONSE) {
-+ ngx_http_upstream_finalize_request(r, u, rc);
-+ return;
-+ }
-+
- u->state->peer = u->peer.name;
-
- if (rc == NGX_BUSY) {
-diff --git a/src/http/ngx_http_upstream.h b/src/http/ngx_http_upstream.h
-index 3e714e5b..dfbb25e0 100644
---- a/src/http/ngx_http_upstream.h
-+++ b/src/http/ngx_http_upstream.h
-@@ -427,4 +427,9 @@ extern ngx_conf_bitmask_t ngx_http_upstream_cache_method_mask[];
- extern ngx_conf_bitmask_t ngx_http_upstream_ignore_headers_masks[];
-
-
-+#ifndef HAVE_BALANCER_STATUS_CODE_PATCH
-+#define HAVE_BALANCER_STATUS_CODE_PATCH
-+#endif
-+
-+
- #endif /* _NGX_HTTP_UPSTREAM_H_INCLUDED_ */
-diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h
-index 09d24593..d8b4b584 100644
---- a/src/stream/ngx_stream.h
-+++ b/src/stream/ngx_stream.h
-@@ -27,6 +27,7 @@ typedef struct ngx_stream_session_s ngx_stream_session_t;
-
-
- #define NGX_STREAM_OK 200
-+#define NGX_STREAM_SPECIAL_RESPONSE 300
- #define NGX_STREAM_BAD_REQUEST 400
- #define NGX_STREAM_FORBIDDEN 403
- #define NGX_STREAM_INTERNAL_SERVER_ERROR 500
-diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
-index 818d7329..329dcdc6 100644
---- a/src/stream/ngx_stream_proxy_module.c
-+++ b/src/stream/ngx_stream_proxy_module.c
-@@ -691,6 +691,11 @@ ngx_stream_proxy_connect(ngx_stream_session_t *s)
- return;
- }
-
-+ if (rc >= NGX_STREAM_SPECIAL_RESPONSE) {
-+ ngx_stream_proxy_finalize(s, rc);
-+ return;
-+ }
-+
- u->state->peer = u->peer.name;
-
- if (rc == NGX_BUSY) {
-diff --git a/src/stream/ngx_stream_upstream.h b/src/stream/ngx_stream_upstream.h
-index 73947f46..21bc0ad7 100644
---- a/src/stream/ngx_stream_upstream.h
-+++ b/src/stream/ngx_stream_upstream.h
-@@ -151,4 +151,9 @@ ngx_stream_upstream_srv_conf_t *ngx_stream_upstream_add(ngx_conf_t *cf,
- extern ngx_module_t ngx_stream_upstream_module;
-
-
-+#ifndef HAVE_BALANCER_STATUS_CODE_PATCH
-+#define HAVE_BALANCER_STATUS_CODE_PATCH
-+#endif
-+
-+
- #endif /* _NGX_STREAM_UPSTREAM_H_INCLUDED_ */
diff --git a/images/nginx/rootfs/patches/10_nginx-1.25.3-delayed_posted_events.patch b/images/nginx/rootfs/patches/10_nginx-1.25.3-delayed_posted_events.patch
deleted file mode 100644
index 6875843245..0000000000
--- a/images/nginx/rootfs/patches/10_nginx-1.25.3-delayed_posted_events.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c
-index 57af8132..4853945f 100644
---- a/src/event/ngx_event.c
-+++ b/src/event/ngx_event.c
-@@ -196,6 +196,9 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle)
- ngx_uint_t flags;
- ngx_msec_t timer, delta;
-
-+ ngx_queue_t *q;
-+ ngx_event_t *ev;
-+
- if (ngx_timer_resolution) {
- timer = NGX_TIMER_INFINITE;
- flags = 0;
-@@ -215,6 +218,13 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle)
- #endif
- }
-
-+ if (!ngx_queue_empty(&ngx_posted_delayed_events)) {
-+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, cycle->log, 0,
-+ "posted delayed event queue not empty"
-+ " making poll timeout 0");
-+ timer = 0;
-+ }
-+
- if (ngx_use_accept_mutex) {
- if (ngx_accept_disabled > 0) {
- ngx_accept_disabled--;
-@@ -257,6 +267,35 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle)
- }
-
- ngx_event_process_posted(cycle, &ngx_posted_events);
-+
-+ while (!ngx_queue_empty(&ngx_posted_delayed_events)) {
-+ q = ngx_queue_head(&ngx_posted_delayed_events);
-+
-+ ev = ngx_queue_data(q, ngx_event_t, queue);
-+ if (ev->delayed) {
-+ /* start of newly inserted nodes */
-+ for (/* void */;
-+ q != ngx_queue_sentinel(&ngx_posted_delayed_events);
-+ q = ngx_queue_next(q))
-+ {
-+ ev = ngx_queue_data(q, ngx_event_t, queue);
-+ ev->delayed = 0;
-+
-+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, cycle->log, 0,
-+ "skipping delayed posted event %p,"
-+ " till next iteration", ev);
-+ }
-+
-+ break;
-+ }
-+
-+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, cycle->log, 0,
-+ "delayed posted event %p", ev);
-+
-+ ngx_delete_posted_event(ev);
-+
-+ ev->handler(ev);
-+ }
- }
-
-
-@@ -600,6 +639,7 @@ ngx_event_process_init(ngx_cycle_t *cycle)
-
- ngx_queue_init(&ngx_posted_accept_events);
- ngx_queue_init(&ngx_posted_events);
-+ ngx_queue_init(&ngx_posted_delayed_events);
-
- if (ngx_event_timer_init(cycle->log) == NGX_ERROR) {
- return NGX_ERROR;
-diff --git a/src/event/ngx_event_posted.c b/src/event/ngx_event_posted.c
-index d851f3d1..b6cea009 100644
---- a/src/event/ngx_event_posted.c
-+++ b/src/event/ngx_event_posted.c
-@@ -12,6 +12,7 @@
-
- ngx_queue_t ngx_posted_accept_events;
- ngx_queue_t ngx_posted_events;
-+ngx_queue_t ngx_posted_delayed_events;
-
-
- void
-diff --git a/src/event/ngx_event_posted.h b/src/event/ngx_event_posted.h
-index 145d30fe..6c388553 100644
---- a/src/event/ngx_event_posted.h
-+++ b/src/event/ngx_event_posted.h
-@@ -43,6 +43,9 @@ void ngx_event_process_posted(ngx_cycle_t *cycle, ngx_queue_t *posted);
-
- extern ngx_queue_t ngx_posted_accept_events;
- extern ngx_queue_t ngx_posted_events;
-+extern ngx_queue_t ngx_posted_delayed_events;
-+
-+#define HAVE_POSTED_DELAYED_EVENTS_PATCH
-
-
- #endif /* _NGX_EVENT_POSTED_H_INCLUDED_ */
diff --git a/images/nginx/rootfs/patches/11_nginx-1.25.3-privileged_agent_process.patch b/images/nginx/rootfs/patches/11_nginx-1.25.3-privileged_agent_process.patch
deleted file mode 100644
index 164004eba9..0000000000
--- a/images/nginx/rootfs/patches/11_nginx-1.25.3-privileged_agent_process.patch
+++ /dev/null
@@ -1,203 +0,0 @@
-diff --git a/src/core/nginx.c b/src/core/nginx.c
-index 60f8fe7..4bd244b 100644
---- a/src/core/nginx.c
-+++ b/src/core/nginx.c
-@@ -981,6 +981,7 @@ ngx_core_module_create_conf(ngx_cycle_t *cycle)
-
- ccf->daemon = NGX_CONF_UNSET;
- ccf->master = NGX_CONF_UNSET;
-+ ccf->privileged_agent = NGX_CONF_UNSET;
- ccf->timer_resolution = NGX_CONF_UNSET_MSEC;
-
- ccf->worker_processes = NGX_CONF_UNSET;
-@@ -1009,6 +1010,7 @@ ngx_core_module_init_conf(ngx_cycle_t *cycle, void *conf)
-
- ngx_conf_init_value(ccf->daemon, 1);
- ngx_conf_init_value(ccf->master, 1);
-+ ngx_conf_init_value(ccf->privileged_agent, 0);
- ngx_conf_init_msec_value(ccf->timer_resolution, 0);
-
- ngx_conf_init_value(ccf->worker_processes, 1);
-diff --git a/src/core/ngx_cycle.h b/src/core/ngx_cycle.h
-index c51b7ff..3261f90 100644
---- a/src/core/ngx_cycle.h
-+++ b/src/core/ngx_cycle.h
-@@ -22,6 +22,9 @@
- #define NGX_DEBUG_POINTS_ABORT 2
-
-
-+#define HAVE_PRIVILEGED_PROCESS_PATCH 1
-+
-+
- typedef struct ngx_shm_zone_s ngx_shm_zone_t;
-
- typedef ngx_int_t (*ngx_shm_zone_init_pt) (ngx_shm_zone_t *zone, void *data);
-@@ -81,6 +84,7 @@ struct ngx_cycle_s {
- typedef struct {
- ngx_flag_t daemon;
- ngx_flag_t master;
-+ ngx_flag_t privileged_agent;
-
- ngx_msec_t timer_resolution;
-
-diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
-index 7cee1c5..c4f70d6 100644
---- a/src/os/unix/ngx_process_cycle.c
-+++ b/src/os/unix/ngx_process_cycle.c
-@@ -15,6 +15,8 @@ static void ngx_start_worker_processes(ngx_cycle_t *cycle, ngx_int_t n,
- ngx_int_t type);
- static void ngx_start_cache_manager_processes(ngx_cycle_t *cycle,
- ngx_uint_t respawn);
-+static void ngx_start_privileged_agent_processes(ngx_cycle_t *cycle,
-+ ngx_uint_t respawn);
- static void ngx_pass_open_channel(ngx_cycle_t *cycle);
- static void ngx_signal_worker_processes(ngx_cycle_t *cycle, int signo);
- static ngx_uint_t ngx_reap_children(ngx_cycle_t *cycle);
-@@ -24,6 +26,7 @@ static void ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker);
- static void ngx_worker_process_exit(ngx_cycle_t *cycle);
- static void ngx_channel_handler(ngx_event_t *ev);
- static void ngx_cache_manager_process_cycle(ngx_cycle_t *cycle, void *data);
-+static void ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data);
- static void ngx_cache_manager_process_handler(ngx_event_t *ev);
- static void ngx_cache_loader_process_handler(ngx_event_t *ev);
-
-@@ -51,6 +54,8 @@ sig_atomic_t ngx_noaccept;
- ngx_uint_t ngx_noaccepting;
- ngx_uint_t ngx_restart;
-
-+ngx_uint_t ngx_is_privileged_agent;
-+
-
- static u_char master_process[] = "master process";
-
-@@ -130,6 +135,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
- ngx_start_worker_processes(cycle, ccf->worker_processes,
- NGX_PROCESS_RESPAWN);
- ngx_start_cache_manager_processes(cycle, 0);
-+ ngx_start_privileged_agent_processes(cycle, 0);
-
- ngx_new_binary = 0;
- delay = 0;
-@@ -215,6 +221,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
- ngx_start_worker_processes(cycle, ccf->worker_processes,
- NGX_PROCESS_RESPAWN);
- ngx_start_cache_manager_processes(cycle, 0);
-+ ngx_start_privileged_agent_processes(cycle, 0);
- ngx_noaccepting = 0;
-
- continue;
-@@ -234,6 +241,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
- ngx_start_worker_processes(cycle, ccf->worker_processes,
- NGX_PROCESS_JUST_RESPAWN);
- ngx_start_cache_manager_processes(cycle, 1);
-+ ngx_start_privileged_agent_processes(cycle, 1);
-
- /* allow new processes to start */
- ngx_msleep(100);
-@@ -248,6 +256,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
- ngx_start_worker_processes(cycle, ccf->worker_processes,
- NGX_PROCESS_RESPAWN);
- ngx_start_cache_manager_processes(cycle, 0);
-+ ngx_start_privileged_agent_processes(cycle, 0);
- live = 1;
- }
-
-@@ -393,6 +431,26 @@ ngx_start_cache_manager_processes(ngx_cycle_t *cycle, ngx_uint_t respawn)
-
-
- static void
-+ngx_start_privileged_agent_processes(ngx_cycle_t *cycle, ngx_uint_t respawn)
-+{
-+ ngx_core_conf_t *ccf;
-+
-+ ccf = (ngx_core_conf_t *) ngx_get_conf(cycle->conf_ctx,
-+ ngx_core_module);
-+
-+ if (!ccf->privileged_agent) {
-+ return;
-+ }
-+
-+ ngx_spawn_process(cycle, ngx_privileged_agent_process_cycle,
-+ "privileged agent process", "privileged agent process",
-+ respawn ? NGX_PROCESS_JUST_RESPAWN : NGX_PROCESS_RESPAWN);
-+
-+ ngx_pass_open_channel(cycle);
-+}
-+
-+
-+static void
- ngx_pass_open_channel(ngx_cycle_t *cycle)
- {
- ngx_int_t i;
-@@ -794,7 +860,10 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker)
- }
- }
-
-- if (geteuid() == 0) {
-+ /*
-+ * privileged agent process has the same permission as master process
-+ */
-+ if (!ngx_is_privileged_agent && geteuid() == 0) {
- if (setgid(ccf->group) == -1) {
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
- "setgid(%d) failed", ccf->group);
-@@ -1149,6 +1216,47 @@ ngx_cache_manager_process_cycle(ngx_cycle_t *cycle, void *data)
-
-
- static void
-+ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data)
-+{
-+ char *name = data;
-+
-+ /*
-+ * Set correct process type since closing listening Unix domain socket
-+ * in a master process also removes the Unix domain socket file.
-+ */
-+ ngx_process = NGX_PROCESS_HELPER;
-+ ngx_is_privileged_agent = 1;
-+
-+ ngx_close_listening_sockets(cycle);
-+
-+ /* Set a moderate number of connections for a helper process. */
-+ cycle->connection_n = 512;
-+
-+ ngx_worker_process_init(cycle, -1);
-+
-+ ngx_use_accept_mutex = 0;
-+
-+ ngx_setproctitle(name);
-+
-+ for ( ;; ) {
-+
-+ if (ngx_terminate || ngx_quit) {
-+ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting");
-+ ngx_worker_process_exit(cycle);
-+ }
-+
-+ if (ngx_reopen) {
-+ ngx_reopen = 0;
-+ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "reopening logs");
-+ ngx_reopen_files(cycle, -1);
-+ }
-+
-+ ngx_process_events_and_timers(cycle);
-+ }
-+}
-+
-+
-+static void
- ngx_cache_manager_process_handler(ngx_event_t *ev)
- {
- time_t next, n;
-diff --git a/src/os/unix/ngx_process_cycle.h b/src/os/unix/ngx_process_cycle.h
-index 69495d5..5149396 100644
---- a/src/os/unix/ngx_process_cycle.h
-+++ b/src/os/unix/ngx_process_cycle.h
-@@ -45,6 +45,7 @@ extern ngx_pid_t ngx_new_binary;
- extern ngx_uint_t ngx_inherited;
- extern ngx_uint_t ngx_daemonized;
- extern ngx_uint_t ngx_exiting;
-+extern ngx_uint_t ngx_is_privileged_agent;
-
- extern sig_atomic_t ngx_reap;
- extern sig_atomic_t ngx_sigio;
diff --git a/images/nginx/rootfs/patches/12_nginx-1.25.3-privileged_agent_process_connections.patch b/images/nginx/rootfs/patches/12_nginx-1.25.3-privileged_agent_process_connections.patch
deleted file mode 100644
index 5c38929cfa..0000000000
--- a/images/nginx/rootfs/patches/12_nginx-1.25.3-privileged_agent_process_connections.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-diff --git a/src/core/nginx.c b/src/core/nginx.c
-index 269ff84..48329bd 100644
---- a/src/core/nginx.c
-+++ b/src/core/nginx.c
-@@ -1062,6 +1062,7 @@ ngx_core_module_create_conf(ngx_cycle_t *cycle)
- ccf->daemon = NGX_CONF_UNSET;
- ccf->master = NGX_CONF_UNSET;
- ccf->privileged_agent = NGX_CONF_UNSET;
-+ ccf->privileged_agent_connections = NGX_CONF_UNSET_UINT;
- ccf->timer_resolution = NGX_CONF_UNSET_MSEC;
- ccf->shutdown_timeout = NGX_CONF_UNSET_MSEC;
-
-@@ -1092,6 +1093,7 @@ ngx_core_module_init_conf(ngx_cycle_t *cycle, void *conf)
- ngx_conf_init_value(ccf->daemon, 1);
- ngx_conf_init_value(ccf->master, 1);
- ngx_conf_init_value(ccf->privileged_agent, 0);
-+ ngx_conf_init_uint_value(ccf->privileged_agent_connections, 512);
- ngx_conf_init_msec_value(ccf->timer_resolution, 0);
- ngx_conf_init_msec_value(ccf->shutdown_timeout, 0);
-
-diff --git a/src/core/ngx_cycle.h b/src/core/ngx_cycle.h
-index 6a9583e..4469390 100644
---- a/src/core/ngx_cycle.h
-+++ b/src/core/ngx_cycle.h
-@@ -93,6 +93,7 @@ typedef struct {
- ngx_flag_t daemon;
- ngx_flag_t master;
- ngx_flag_t privileged_agent;
-+ ngx_uint_t privileged_agent_connections;
-
- ngx_msec_t timer_resolution;
- ngx_msec_t shutdown_timeout;
-diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
-index df25f9d..bd259c1 100644
---- a/src/os/unix/ngx_process_cycle.c
-+++ b/src/os/unix/ngx_process_cycle.c
-@@ -1179,6 +1179,7 @@ static void
- ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data)
- {
- char *name = data;
-+ ngx_core_conf_t *ccf = (ngx_core_conf_t *) ngx_get_conf(cycle->conf_ctx, ngx_core_module);
-
- /*
- * Set correct process type since closing listening Unix domain socket
-@@ -1190,7 +1191,7 @@ ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data)
- ngx_close_listening_sockets(cycle);
-
- /* Set a moderate number of connections for a helper process. */
-- cycle->connection_n = 512;
-+ cycle->connection_n = ccf->privileged_agent_connections;
-
- ngx_worker_process_init(cycle, -1);
-
-diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
-index df25f9d..bd259c1 100644
---- a/src/os/unix/ngx_process_cycle.c
-+++ b/src/os/unix/ngx_process_cycle.c
-@@ -442,6 +442,15 @@
- return;
- }
-
-+ /* 0 is an illegal value and may result in a core dump later */
-+ if (ccf->privileged_agent_connections == 0) {
-+ ngx_log_error(NGX_LOG_ALERT, cycle->log, 0,
-+ "%ui worker_connection is not enough, "
-+ "privileged agent process cannot be spawned",
-+ ccf->privileged_agent_connections);
-+ return;
-+ }
-+
- ngx_spawn_process(cycle, ngx_privileged_agent_process_cycle,
- "privileged agent process", "privileged agent process",
- respawn ? NGX_PROCESS_JUST_RESPAWN : NGX_PROCESS_RESPAWN);
diff --git a/images/nginx/rootfs/patches/13_nginx-1.25.3-privileged_agent_process_thread_pool.patch b/images/nginx/rootfs/patches/13_nginx-1.25.3-privileged_agent_process_thread_pool.patch
deleted file mode 100644
index 829f214603..0000000000
--- a/images/nginx/rootfs/patches/13_nginx-1.25.3-privileged_agent_process_thread_pool.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- a/src/core/ngx_thread_pool.c
-+++ b/src/core/ngx_thread_pool.c
-@@ -587,7 +587,8 @@
- ngx_thread_pool_conf_t *tcf;
-
- if (ngx_process != NGX_PROCESS_WORKER
-- && ngx_process != NGX_PROCESS_SINGLE)
-+ && ngx_process != NGX_PROCESS_SINGLE
-+ && !ngx_is_privileged_agent)
- {
- return NGX_OK;
- }
diff --git a/images/nginx/rootfs/patches/14_nginx-1.25.3-single_process_graceful_exit.patch b/images/nginx/rootfs/patches/14_nginx-1.25.3-single_process_graceful_exit.patch
deleted file mode 100644
index 2754fc2fe7..0000000000
--- a/images/nginx/rootfs/patches/14_nginx-1.25.3-single_process_graceful_exit.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-diff --git a/src/os/unix/ngx_process.c b/src/os/unix/ngx_process.c
-index 15680237..12a8c687 100644
---- a/src/os/unix/ngx_process.c
-+++ b/src/os/unix/ngx_process.c
-@@ -362,8 +362,15 @@ ngx_signal_handler(int signo, siginfo_t *siginfo, void *ucontext)
- break;
-
- case ngx_signal_value(NGX_RECONFIGURE_SIGNAL):
-- ngx_reconfigure = 1;
-- action = ", reconfiguring";
-+ if (ngx_process == NGX_PROCESS_SINGLE) {
-+ ngx_terminate = 1;
-+ action = ", exiting";
-+
-+ } else {
-+ ngx_reconfigure = 1;
-+ action = ", reconfiguring";
-+ }
-+
- break;
-
- case ngx_signal_value(NGX_REOPEN_SIGNAL):
-diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
-index 5817a2c2..f3d58e97 100644
---- a/src/os/unix/ngx_process_cycle.c
-+++ b/src/os/unix/ngx_process_cycle.c
-@@ -305,11 +305,26 @@ ngx_single_process_cycle(ngx_cycle_t *cycle)
- }
-
- for ( ;; ) {
-+ if (ngx_exiting) {
-+ if (ngx_event_no_timers_left() == NGX_OK) {
-+ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting");
-+
-+ for (i = 0; cycle->modules[i]; i++) {
-+ if (cycle->modules[i]->exit_process) {
-+ cycle->modules[i]->exit_process(cycle);
-+ }
-+ }
-+
-+ ngx_master_process_exit(cycle);
-+ }
-+ }
-+
- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, cycle->log, 0, "worker cycle");
-
- ngx_process_events_and_timers(cycle);
-
-- if (ngx_terminate || ngx_quit) {
-+ if (ngx_terminate) {
-+ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting");
-
- for (i = 0; cycle->modules[i]; i++) {
- if (cycle->modules[i]->exit_process) {
-@@ -320,6 +335,20 @@ ngx_single_process_cycle(ngx_cycle_t *cycle)
- ngx_master_process_exit(cycle);
- }
-
-+ if (ngx_quit) {
-+ ngx_quit = 0;
-+ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0,
-+ "gracefully shutting down");
-+ ngx_setproctitle("process is shutting down");
-+
-+ if (!ngx_exiting) {
-+ ngx_exiting = 1;
-+ ngx_set_shutdown_timer(cycle);
-+ ngx_close_listening_sockets(cycle);
-+ ngx_close_idle_connections(cycle);
-+ }
-+ }
-+
- if (ngx_reconfigure) {
- ngx_reconfigure = 0;
- ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "reconfiguring");
diff --git a/images/nginx/rootfs/patches/15_nginx-1.25.3-intercept_error_log.patch b/images/nginx/rootfs/patches/15_nginx-1.25.3-intercept_error_log.patch
deleted file mode 100644
index 5de7695173..0000000000
--- a/images/nginx/rootfs/patches/15_nginx-1.25.3-intercept_error_log.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-diff --git a/src/core/ngx_cycle.h b/src/core/ngx_cycle.h
-index c51b7ff..4c335b9 100644
---- a/src/core/ngx_cycle.h
-+++ b/src/core/ngx_cycle.h
-@@ -22,9 +22,14 @@
- #define NGX_DEBUG_POINTS_ABORT 2
-
-
-+#define HAVE_INTERCEPT_ERROR_LOG_PATCH
-+
-+
- typedef struct ngx_shm_zone_s ngx_shm_zone_t;
-
- typedef ngx_int_t (*ngx_shm_zone_init_pt) (ngx_shm_zone_t *zone, void *data);
-+typedef ngx_int_t (*ngx_log_intercept_pt) (ngx_log_t *log, ngx_uint_t level,
-+ u_char *buf, size_t len);
-
- struct ngx_shm_zone_s {
- void *data;
-@@ -75,6 +80,10 @@ struct ngx_cycle_s {
- ngx_str_t prefix;
- ngx_str_t lock_file;
- ngx_str_t hostname;
-+
-+ ngx_log_intercept_pt intercept_error_log_handler;
-+ void *intercept_error_log_data;
-+ unsigned entered_logger; /* :1 */
- };
-
-
-diff --git a/src/core/ngx_log.c b/src/core/ngx_log.c
-index 8e9408d..ed9b11b 100644
---- a/src/core/ngx_log.c
-+++ b/src/core/ngx_log.c
-@@ -112,6 +112,8 @@ ngx_log_error_core(ngx_uint_t level, ngx_log_t *log, ngx_err_t err,
- ngx_uint_t wrote_stderr, debug_connection;
- u_char errstr[NGX_MAX_ERROR_STR];
-
-+ ngx_log_intercept_pt log_intercept = NULL;
-+
- last = errstr + NGX_MAX_ERROR_STR;
-
- p = ngx_cpymem(errstr, ngx_cached_err_log_time.data,
-@@ -153,6 +155,16 @@ ngx_log_error_core(ngx_uint_t level, ngx_log_t *log, ngx_err_t err,
- p = last - NGX_LINEFEED_SIZE;
- }
-
-+ if (ngx_cycle) {
-+ log_intercept = ngx_cycle->intercept_error_log_handler;
-+ }
-+
-+ if (log_intercept && !ngx_cycle->entered_logger) {
-+ ngx_cycle->entered_logger = 1;
-+ log_intercept(log, level, errstr, p - errstr);
-+ ngx_cycle->entered_logger = 0;
-+ }
-+
- ngx_linefeed(p);
-
- wrote_stderr = 0;
diff --git a/images/nginx/rootfs/patches/16_nginx-1.25.3-upstream_pipelining.patch b/images/nginx/rootfs/patches/16_nginx-1.25.3-upstream_pipelining.patch
deleted file mode 100644
index aed80365ad..0000000000
--- a/images/nginx/rootfs/patches/16_nginx-1.25.3-upstream_pipelining.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-commit f9907b72a76a21ac5413187b83177a919475c75f
-Author: Yichun Zhang (agentzh)
-Date: Wed Feb 10 16:05:08 2016 -0800
-
- bugfix: upstream: keep sending request data after the first write attempt.
-
- See
- http://mailman.nginx.org/pipermail/nginx-devel/2012-March/002040.html
- for more details on the issue.
-
-diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
-index 69019417..92b7c97f 100644
---- a/src/http/ngx_http_upstream.c
-+++ b/src/http/ngx_http_upstream.c
-@@ -2239,7 +2239,7 @@ ngx_http_upstream_send_request_handler(ngx_http_request_t *r,
-
- #endif
-
-- if (u->header_sent && !u->conf->preserve_output) {
-+ if (u->request_body_sent && !u->conf->preserve_output) {
- u->write_event_handler = ngx_http_upstream_dummy_handler;
-
- (void) ngx_handle_write_event(c->write, 0);
diff --git a/images/nginx/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch b/images/nginx/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch
deleted file mode 100644
index aceb2e9884..0000000000
--- a/images/nginx/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-diff -upr nginx-1.25.3/src/http/ngx_http_core_module.c nginx-1.25.3-patched/src/http/ngx_http_core_module.c
---- nginx-1.25.3/src/http/ngx_http_core_module.c 2017-08-31 18:14:41.000000000 -0700
-+++ nginx-1.25.3-patched/src/http/ngx_http_core_module.c 2017-08-31 18:21:31.638098196 -0700
-@@ -64,6 +64,8 @@ static char *ngx_http_core_directio(ngx_conf_t *cf, ngx_command_t *cmd,
- void *conf);
- static char *ngx_http_core_error_page(ngx_conf_t *cf, ngx_command_t *cmd,
- void *conf);
-+static char *ngx_http_core_no_error_pages(ngx_conf_t *cf, ngx_command_t *cmd,
-+ void *conf);
- static char *ngx_http_core_open_file_cache(ngx_conf_t *cf, ngx_command_t *cmd,
- void *conf);
- static char *ngx_http_core_error_log(ngx_conf_t *cf, ngx_command_t *cmd,
-@@ -671,6 +673,14 @@ static ngx_command_t ngx_http_core_commands[] = {
- 0,
- NULL },
-
-+ { ngx_string("no_error_pages"),
-+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
-+ |NGX_CONF_NOARGS,
-+ ngx_http_core_no_error_pages,
-+ NGX_HTTP_LOC_CONF_OFFSET,
-+ 0,
-+ NULL },
-+
- { ngx_string("post_action"),
- NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
- |NGX_CONF_TAKE1,
-@@ -3564,7 +3574,6 @@ ngx_http_core_create_loc_conf(ngx_conf_t *cf)
- * clcf->types = NULL;
- * clcf->default_type = { 0, NULL };
- * clcf->error_log = NULL;
-- * clcf->error_pages = NULL;
- * clcf->client_body_path = NULL;
- * clcf->regex = NULL;
- * clcf->exact_match = 0;
-@@ -3574,6 +3583,7 @@ ngx_http_core_create_loc_conf(ngx_conf_t *cf)
- * clcf->keepalive_disable = 0;
- */
-
-+ clcf->error_pages = NGX_CONF_UNSET_PTR;
- clcf->client_max_body_size = NGX_CONF_UNSET;
- clcf->client_body_buffer_size = NGX_CONF_UNSET_SIZE;
- clcf->client_body_timeout = NGX_CONF_UNSET_MSEC;
-@@ -3776,9 +3786,7 @@ ngx_http_core_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
- }
- }
-
-- if (conf->error_pages == NULL && prev->error_pages) {
-- conf->error_pages = prev->error_pages;
-- }
-+ ngx_conf_merge_ptr_value(conf->error_pages, prev->error_pages, NULL);
-
- ngx_conf_merge_str_value(conf->default_type,
- prev->default_type, "text/plain");
-@@ -4815,6 +4823,10 @@ ngx_http_core_error_page(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
- ngx_http_compile_complex_value_t ccv;
-
- if (clcf->error_pages == NULL) {
-+ return "conflicts with \"no_error_pages\"";
-+ }
-+
-+ if (clcf->error_pages == NGX_CONF_UNSET_PTR) {
- clcf->error_pages = ngx_array_create(cf->pool, 4,
- sizeof(ngx_http_err_page_t));
- if (clcf->error_pages == NULL) {
-@@ -4920,6 +4932,25 @@ ngx_http_core_error_page(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
- }
-
-
-+static char *
-+ngx_http_core_no_error_pages(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
-+{
-+ ngx_http_core_loc_conf_t *clcf = conf;
-+
-+ if (clcf->error_pages == NULL) {
-+ return "is duplicate";
-+ }
-+
-+ if (clcf->error_pages != NGX_CONF_UNSET_PTR) {
-+ return "conflicts with \"error_page\"";
-+ }
-+
-+ clcf->error_pages = NULL;
-+
-+ return NGX_CONF_OK;
-+}
-+
-+
- static char *
- ngx_http_core_open_file_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
- {
diff --git a/images/nginx/rootfs/patches/18_nginx-1.25.3-no_Werror.patch b/images/nginx/rootfs/patches/18_nginx-1.25.3-no_Werror.patch
deleted file mode 100644
index f7176faffb..0000000000
--- a/images/nginx/rootfs/patches/18_nginx-1.25.3-no_Werror.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-diff -urp nginx-1.25.3/auto/cc/clang nginx-1.25.3-patched/auto/cc/clang
---- nginx-1.25.3/auto/cc/clang 2014-03-04 03:39:24.000000000 -0800
-+++ nginx-1.25.3-patched/auto/cc/clang 2014-03-13 20:54:26.241413360 -0700
-@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali
- CFLAGS="$CFLAGS -Wno-unused-parameter"
-
- # stop on warning
--CFLAGS="$CFLAGS -Werror"
-+#CFLAGS="$CFLAGS -Werror"
-
- # debug
- CFLAGS="$CFLAGS -g"
-diff -urp nginx-1.25.3/auto/cc/gcc nginx-1.25.3-patched/auto/cc/gcc
---- nginx-1.25.3/auto/cc/gcc 2014-03-04 03:39:24.000000000 -0800
-+++ nginx-1.25.3-patched/auto/cc/gcc 2014-03-13 20:54:13.301355329 -0700
-@@ -168,7 +168,7 @@ esac
-
-
- # stop on warning
--CFLAGS="$CFLAGS -Werror"
-+#CFLAGS="$CFLAGS -Werror"
-
- # debug
- CFLAGS="$CFLAGS -g"
-diff -urp nginx-1.25.3/auto/cc/icc nginx-1.25.3-patched/auto/cc/icc
---- nginx-1.25.3/auto/cc/icc 2014-03-04 03:39:24.000000000 -0800
-+++ nginx-1.25.3-patched/auto/cc/icc 2014-03-13 20:54:13.301355329 -0700
-@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in
- esac
-
- # stop on warning
--CFLAGS="$CFLAGS -Werror"
-+#CFLAGS="$CFLAGS -Werror"
-
- # debug
- CFLAGS="$CFLAGS -g"
diff --git a/images/nginx/rootfs/patches/19_nginx-1.25.3-log_escape_non_ascii.patch b/images/nginx/rootfs/patches/19_nginx-1.25.3-log_escape_non_ascii.patch
deleted file mode 100644
index bea6e52ee2..0000000000
--- a/images/nginx/rootfs/patches/19_nginx-1.25.3-log_escape_non_ascii.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-diff --git a/src/http/modules/ngx_http_log_module.c b/src/http/modules/ngx_http_log_module.c
-index 917ed55f..b769dfd3 100644
---- a/src/http/modules/ngx_http_log_module.c
-+++ b/src/http/modules/ngx_http_log_module.c
-@@ -79,6 +79,8 @@ typedef struct {
- time_t open_file_cache_valid;
- ngx_uint_t open_file_cache_min_uses;
-
-+ ngx_flag_t escape_non_ascii;
-+
- ngx_uint_t off; /* unsigned off:1 */
- } ngx_http_log_loc_conf_t;
-
-@@ -131,7 +133,8 @@ static size_t ngx_http_log_variable_getlen(ngx_http_request_t *r,
- uintptr_t data);
- static u_char *ngx_http_log_variable(ngx_http_request_t *r, u_char *buf,
- ngx_http_log_op_t *op);
--static uintptr_t ngx_http_log_escape(u_char *dst, u_char *src, size_t size);
-+static uintptr_t ngx_http_log_escape(ngx_http_log_loc_conf_t *lcf, u_char *dst,
-+ u_char *src, size_t size);
- static size_t ngx_http_log_json_variable_getlen(ngx_http_request_t *r,
- uintptr_t data);
- static u_char *ngx_http_log_json_variable(ngx_http_request_t *r, u_char *buf,
-@@ -177,6 +180,13 @@ static ngx_command_t ngx_http_log_commands[] = {
- 0,
- NULL },
-
-+ { ngx_string("log_escape_non_ascii"),
-+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
-+ ngx_conf_set_flag_slot,
-+ NGX_HTTP_LOC_CONF_OFFSET,
-+ offsetof(ngx_http_log_loc_conf_t, escape_non_ascii),
-+ NULL },
-+
- ngx_null_command
- };
-
-@@ -935,6 +945,7 @@ static size_t
- ngx_http_log_variable_getlen(ngx_http_request_t *r, uintptr_t data)
- {
- uintptr_t len;
-+ ngx_http_log_loc_conf_t *lcf;
- ngx_http_variable_value_t *value;
-
- value = ngx_http_get_indexed_variable(r, data);
-@@ -943,7 +954,9 @@ ngx_http_log_variable_getlen(ngx_http_request_t *r, uintptr_t data)
- return 1;
- }
-
-- len = ngx_http_log_escape(NULL, value->data, value->len);
-+ lcf = ngx_http_get_module_loc_conf(r, ngx_http_log_module);
-+
-+ len = ngx_http_log_escape(lcf, NULL, value->data, value->len);
-
- value->escape = len ? 1 : 0;
-
-@@ -954,6 +967,7 @@ ngx_http_log_variable_getlen(ngx_http_request_t *r, uintptr_t data)
- static u_char *
- ngx_http_log_variable(ngx_http_request_t *r, u_char *buf, ngx_http_log_op_t *op)
- {
-+ ngx_http_log_loc_conf_t *lcf;
- ngx_http_variable_value_t *value;
-
- value = ngx_http_get_indexed_variable(r, op->data);
-@@ -967,16 +981,18 @@ ngx_http_log_variable(ngx_http_request_t *r, u_char *buf, ngx_http_log_op_t *op)
- return ngx_cpymem(buf, value->data, value->len);
-
- } else {
-- return (u_char *) ngx_http_log_escape(buf, value->data, value->len);
-+ lcf = ngx_http_get_module_loc_conf(r, ngx_http_log_module);
-+ return (u_char *) ngx_http_log_escape(lcf, buf, value->data, value->len);
- }
- }
-
-
- static uintptr_t
--ngx_http_log_escape(u_char *dst, u_char *src, size_t size)
-+ngx_http_log_escape(ngx_http_log_loc_conf_t *lcf, u_char *dst, u_char *src,
-+ size_t size)
- {
-- ngx_uint_t n;
-- static u_char hex[] = "0123456789ABCDEF";
-+ ngx_uint_t n;
-+ static u_char hex[] = "0123456789ABCDEF";
-
- static uint32_t escape[] = {
- 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
-@@ -996,6 +1012,12 @@ ngx_http_log_escape(u_char *dst, u_char *src, size_t size)
- 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
- };
-
-+ if (lcf->escape_non_ascii) {
-+ ngx_memset(&escape[4], 0xff, sizeof(uint32_t) * 4);
-+
-+ } else {
-+ ngx_memzero(&escape[4], sizeof(uint32_t) * 4);
-+ }
-
- if (dst == NULL) {
-
-@@ -1120,6 +1142,7 @@ ngx_http_log_create_loc_conf(ngx_conf_t *cf)
- }
-
- conf->open_file_cache = NGX_CONF_UNSET_PTR;
-+ conf->escape_non_ascii = NGX_CONF_UNSET;
-
- return conf;
- }
-@@ -1135,6 +1158,8 @@ ngx_http_log_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
- ngx_http_log_fmt_t *fmt;
- ngx_http_log_main_conf_t *lmcf;
-
-+ ngx_conf_merge_value(conf->escape_non_ascii, prev->escape_non_ascii, 1);
-+
- if (conf->open_file_cache == NGX_CONF_UNSET_PTR) {
-
- conf->open_file_cache = prev->open_file_cache;
diff --git a/images/nginx/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch b/images/nginx/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch
deleted file mode 100644
index 82a3443242..0000000000
--- a/images/nginx/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch
+++ /dev/null
@@ -1,19 +0,0 @@
---- nginx-1.25.3/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800
-+++ nginx-1.25.3-patched/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800
-@@ -793,13 +793,13 @@ static ngx_keyval_t ngx_http_proxy_cach
- static ngx_http_variable_t ngx_http_proxy_vars[] = {
-
- { ngx_string("proxy_host"), NULL, ngx_http_proxy_host_variable, 0,
-- NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
-+ NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 },
-
- { ngx_string("proxy_port"), NULL, ngx_http_proxy_port_variable, 0,
-- NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
-+ NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 },
-
- { ngx_string("proxy_add_x_forwarded_for"), NULL,
-- ngx_http_proxy_add_x_forwarded_for_variable, 0, NGX_HTTP_VAR_NOHASH, 0 },
-+ ngx_http_proxy_add_x_forwarded_for_variable, 0, 0, 0 },
-
-#if 0
- { ngx_string("proxy_add_via"), NULL, NULL, 0, NGX_HTTP_VAR_NOHASH, 0 },
diff --git a/images/nginx/rootfs/patches/21_nginx-1.25.3-cache_manager_exit.patch b/images/nginx/rootfs/patches/21_nginx-1.25.3-cache_manager_exit.patch
deleted file mode 100644
index 91ee63a262..0000000000
--- a/images/nginx/rootfs/patches/21_nginx-1.25.3-cache_manager_exit.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-# HG changeset patch
-# User Yichun Zhang
-# Date 1383598130 28800
-# Node ID f64218e1ac963337d84092536f588b8e0d99bbaa
-# Parent dea321e5c0216efccbb23e84bbce7cf3e28f130c
-Cache: gracefully exit the cache manager process.
-
-diff -r dea321e5c021 -r f64218e1ac96 src/os/unix/ngx_process_cycle.c
---- a/src/os/unix/ngx_process_cycle.c Thu Oct 31 18:23:49 2013 +0400
-+++ b/src/os/unix/ngx_process_cycle.c Mon Nov 04 12:48:50 2013 -0800
-@@ -1134,7 +1134,7 @@
-
- if (ngx_terminate || ngx_quit) {
- ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting");
-- exit(0);
-+ ngx_worker_process_exit(cycle);
- }
-
- if (ngx_reopen) {
diff --git a/images/nginx/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch b/images/nginx/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch
deleted file mode 100644
index e5cd07e678..0000000000
--- a/images/nginx/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- nginx-1.25.3/src/core/ngx_log.h 2013-10-08 05:07:14.000000000 -0700
-+++ nginx-1.25.3-patched/src/core/ngx_log.h 2013-12-05 20:35:35.996236720 -0800
-@@ -64,7 +64,9 @@ struct ngx_log_s {
- };
-
-
--#define NGX_MAX_ERROR_STR 2048
-+#ifndef NGX_MAX_ERROR_STR
-+#define NGX_MAX_ERROR_STR 4096
-+#endif
-
-
- /*********************************/
diff --git a/images/nginx/rootfs/patches/23_nginx-1.25.3-pcre_conf_opt.patch b/images/nginx/rootfs/patches/23_nginx-1.25.3-pcre_conf_opt.patch
deleted file mode 100644
index eb17e06428..0000000000
--- a/images/nginx/rootfs/patches/23_nginx-1.25.3-pcre_conf_opt.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-# HG changeset patch
-# User Yichun Zhang
-# Date 1386694955 28800
-# Node ID 9ba6b149669f1f02eeb4cdc0ebd364a949b5c469
-# Parent 30e806b8636af5fd3f03ec17df24801f390f7511
-Configure: added new option --with-pcre-conf-opt=OPTIONS.
-
-diff -r 30e806b8636a -r 9ba6b149669f auto/options
---- a/auto/options Mon Dec 09 10:16:44 2013 +0400
-+++ b/auto/options Tue Dec 10 09:02:35 2013 -0800
-@@ -286,6 +286,7 @@
- --with-pcre) USE_PCRE=YES ;;
- --with-pcre=*) PCRE="$value" ;;
- --with-pcre-opt=*) PCRE_OPT="$value" ;;
-+ --with-pcre-conf-opt=*) PCRE_CONF_OPT="$value" ;;
- --with-pcre-jit) PCRE_JIT=YES ;;
-
- --with-openssl=*) OPENSSL="$value" ;;
-@@ -441,6 +442,7 @@
- --with-pcre force PCRE library usage
- --with-pcre=DIR set path to PCRE library sources
- --with-pcre-opt=OPTIONS set additional build options for PCRE
-+ --with-pcre-conf-opt=OPTIONS set additional configure options for PCRE
- --with-pcre-jit build PCRE with JIT compilation support
-
- --with-md5=DIR set path to md5 library sources
diff --git a/images/nginx/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch b/images/nginx/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch
deleted file mode 100644
index b381d9b07b..0000000000
--- a/images/nginx/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- nginx-1.25.3/auto/cc/conf 2015-10-30 22:47:50.000000000 +0800
-+++ nginx-1.25.3-patched/auto/cc/conf 2015-11-02 12:23:05.385156987 +0800
-@@ -144,7 +144,7 @@ fi
- CFLAGS="$CFLAGS $NGX_CC_OPT"
- NGX_TEST_LD_OPT="$NGX_LD_OPT"
-
--if [ "$NGX_PLATFORM" != win32 ]; then
-+if [ 1 ]; then
-
- if test -n "$NGX_LD_OPT"; then
- ngx_feature=--with-ld-opt=\"$NGX_LD_OPT\"
diff --git a/images/nginx/rootfs/patches/25_nginx-1.25.3-ssl_cert_cb_yield.patch b/images/nginx/rootfs/patches/25_nginx-1.25.3-ssl_cert_cb_yield.patch
deleted file mode 100644
index 89773c05ef..0000000000
--- a/images/nginx/rootfs/patches/25_nginx-1.25.3-ssl_cert_cb_yield.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-# HG changeset patch
-# User Yichun Zhang
-# Date 1451762084 28800
-# Sat Jan 02 11:14:44 2016 -0800
-# Node ID 449f0461859c16e95bdb18e8be6b94401545d3dd
-# Parent 78b4e10b4367b31367aad3c83c9c3acdd42397c4
-SSL: handled SSL_CTX_set_cert_cb() callback yielding.
-
-OpenSSL 1.0.2+ introduces SSL_CTX_set_cert_cb() to allow custom
-callbacks to serve the SSL certificiates and private keys dynamically
-and lazily. The callbacks may yield for nonblocking I/O or sleeping.
-Here we added support for such usage in NGINX 3rd-party modules
-(like ngx_lua) in NGINX's event handlers for downstream SSL
-connections.
-
-diff -r 78b4e10b4367 -r 449f0461859c src/event/ngx_event_openssl.c
---- a/src/event/ngx_event_openssl.c Thu Dec 17 16:39:15 2015 +0300
-+++ b/src/event/ngx_event_openssl.c Sat Jan 02 11:14:44 2016 -0800
-@@ -1445,6 +1445,23 @@ ngx_ssl_handshake(ngx_connection_t *c)
- return NGX_AGAIN;
- }
-
-+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
-+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) {
-+ c->read->handler = ngx_ssl_handshake_handler;
-+ c->write->handler = ngx_ssl_handshake_handler;
-+
-+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
-+ return NGX_ERROR;
-+ }
-+
-+ if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
-+ return NGX_ERROR;
-+ }
-+
-+ return NGX_AGAIN;
-+ }
-+#endif
-+
- err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
-
- c->ssl->no_wait_shutdown = 1;
-@@ -1558,6 +1575,21 @@ ngx_ssl_try_early_data(ngx_connection_t *c)
- return NGX_AGAIN;
- }
-
-+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) {
-+ c->read->handler = ngx_ssl_handshake_handler;
-+ c->write->handler = ngx_ssl_handshake_handler;
-+
-+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
-+ return NGX_ERROR;
-+ }
-+
-+ if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
-+ return NGX_ERROR;
-+ }
-+
-+ return NGX_AGAIN;
-+ }
-+
- err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
-
- c->ssl->no_wait_shutdown = 1;
diff --git a/images/nginx/rootfs/patches/26_nginx-1.25.3-ssl_sess_cb_yield.patch b/images/nginx/rootfs/patches/26_nginx-1.25.3-ssl_sess_cb_yield.patch
deleted file mode 100644
index ac5fe65eb2..0000000000
--- a/images/nginx/rootfs/patches/26_nginx-1.25.3-ssl_sess_cb_yield.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
---- a/src/event/ngx_event_openssl.c
-+++ b/src/event/ngx_event_openssl.c
-@@ -1446,7 +1446,12 @@ ngx_ssl_handshake(ngx_connection_t *c)
- }
-
- #if OPENSSL_VERSION_NUMBER >= 0x10002000L
-- if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) {
-+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP
-+# ifdef SSL_ERROR_PENDING_SESSION
-+ || sslerr == SSL_ERROR_PENDING_SESSION
-+# endif
-+ )
-+ {
- c->read->handler = ngx_ssl_handshake_handler;
- c->write->handler = ngx_ssl_handshake_handler;
-
-@@ -1575,6 +1580,23 @@ ngx_ssl_try_early_data(ngx_connection_t *c)
- return NGX_AGAIN;
- }
-
-+#ifdef SSL_ERROR_PENDING_SESSION
-+ if (sslerr == SSL_ERROR_PENDING_SESSION) {
-+ c->read->handler = ngx_ssl_handshake_handler;
-+ c->write->handler = ngx_ssl_handshake_handler;
-+
-+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
-+ return NGX_ERROR;
-+ }
-+
-+ if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
-+ return NGX_ERROR;
-+ }
-+
-+ return NGX_AGAIN;
-+ }
-+#endif
-+
- err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
-
- c->ssl->no_wait_shutdown = 1;
diff --git a/images/nginx/rootfs/patches/27_nginx-1.25.3-ssl_client_hello_cb_yield.patch b/images/nginx/rootfs/patches/27_nginx-1.25.3-ssl_client_hello_cb_yield.patch
deleted file mode 100644
index 0e97be9927..0000000000
--- a/images/nginx/rootfs/patches/27_nginx-1.25.3-ssl_client_hello_cb_yield.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
-index 8ba30e58..2b2db95c 100644
---- a/src/event/ngx_event_openssl.c
-+++ b/src/event/ngx_event_openssl.c
-@@ -1712,6 +1712,9 @@ ngx_ssl_handshake(ngx_connection_t *c)
- if (sslerr == SSL_ERROR_WANT_X509_LOOKUP
- # ifdef SSL_ERROR_PENDING_SESSION
- || sslerr == SSL_ERROR_PENDING_SESSION
-+# endif
-+# ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
-+ || sslerr == SSL_ERROR_WANT_CLIENT_HELLO_CB
- # endif
- )
- {
-@@ -1889,6 +1892,23 @@ ngx_ssl_try_early_data(ngx_connection_t *c)
- }
- #endif
-
-+#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
-+ if (sslerr == SSL_ERROR_WANT_CLIENT_HELLO_CB) {
-+ c->read->handler = ngx_ssl_handshake_handler;
-+ c->write->handler = ngx_ssl_handshake_handler;
-+
-+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
-+ return NGX_ERROR;
-+ }
-+
-+ if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
-+ return NGX_ERROR;
-+ }
-+
-+ return NGX_AGAIN;
-+ }
-+#endif
-+
- err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
-
- c->ssl->no_wait_shutdown = 1;
diff --git a/images/nginx/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch b/images/nginx/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch
deleted file mode 100644
index 2314ddf801..0000000000
--- a/images/nginx/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c -index 69019417..2265d8f7 100644 ---- a/src/http/ngx_http_upstream.c -+++ b/src/http/ngx_http_upstream.c -@@ -509,12 +509,19 @@ void - ngx_http_upstream_init(ngx_http_request_t *r) - { - ngx_connection_t *c; -+ ngx_http_upstream_t *u; - - c = r->connection; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http init upstream, client timer: %d", c->read->timer_set); - -+ u = r->upstream; -+ -+ u->connect_timeout = u->conf->connect_timeout; -+ u->send_timeout = u->conf->send_timeout; -+ u->read_timeout = u->conf->read_timeout; -+ - #if (NGX_HTTP_V2) - if (r->stream) { - ngx_http_upstream_init_request(r); -@@ -1626,7 +1633,7 @@ ngx_http_upstream_connect(ngx_http_request_t *r, ngx_http_upstream_t *u) - u->request_body_blocked = 0; - - if (rc == NGX_AGAIN) { -- ngx_add_timer(c->write, u->conf->connect_timeout); -+ ngx_add_timer(c->write, u->connect_timeout); - return; - } - -@@ -1704,7 +1711,7 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r, - if (rc == NGX_AGAIN) { - - if (!c->write->timer_set) { -- ngx_add_timer(c->write, u->conf->connect_timeout); -+ ngx_add_timer(c->write, u->connect_timeout); - } - - c->ssl->handler = ngx_http_upstream_ssl_handshake_handler; -@@ -2022,7 +2029,7 @@ ngx_http_upstream_send_request(ngx_http_request_t *r, ngx_http_upstream_t *u, - - if (rc == NGX_AGAIN) { - if (!c->write->ready || u->request_body_blocked) { -- ngx_add_timer(c->write, u->conf->send_timeout); -+ ngx_add_timer(c->write, u->send_timeout); - - } else if (c->write->timer_set) { - ngx_del_timer(c->write); -@@ -2084,7 +2091,7 @@ ngx_http_upstream_send_request(ngx_http_request_t *r, ngx_http_upstream_t *u, - return; - } - -- ngx_add_timer(c->read, u->conf->read_timeout); -+ ngx_add_timer(c->read, u->read_timeout); - - if (c->read->ready) { - ngx_http_upstream_process_header(r, u); -@@ -3213,7 +3220,7 @@ ngx_http_upstream_send_response(ngx_http_request_t *r, 
ngx_http_upstream_t *u) - p->cyclic_temp_file = 0; - } - -- p->read_timeout = u->conf->read_timeout; -+ p->read_timeout = u->read_timeout; - p->send_timeout = clcf->send_timeout; - p->send_lowat = clcf->send_lowat; - -@@ -3458,7 +3465,7 @@ ngx_http_upstream_process_upgraded(ngx_http_request_t *r, - } - - if (upstream->write->active && !upstream->write->ready) { -- ngx_add_timer(upstream->write, u->conf->send_timeout); -+ ngx_add_timer(upstream->write, u->send_timeout); - - } else if (upstream->write->timer_set) { - ngx_del_timer(upstream->write); -@@ -3470,7 +3477,7 @@ ngx_http_upstream_process_upgraded(ngx_http_request_t *r, - } - - if (upstream->read->active && !upstream->read->ready) { -- ngx_add_timer(upstream->read, u->conf->read_timeout); -+ ngx_add_timer(upstream->read, u->read_timeout); - - } else if (upstream->read->timer_set) { - ngx_del_timer(upstream->read); -@@ -3664,7 +3671,7 @@ ngx_http_upstream_process_non_buffered_request(ngx_http_request_t *r, - } - - if (upstream->read->active && !upstream->read->ready) { -- ngx_add_timer(upstream->read, u->conf->read_timeout); -+ ngx_add_timer(upstream->read, u->read_timeout); - - } else if (upstream->read->timer_set) { - ngx_del_timer(upstream->read); -diff --git a/src/http/ngx_http_upstream.h b/src/http/ngx_http_upstream.h -index c2f4dc0b..b9eef118 100644 ---- a/src/http/ngx_http_upstream.h -+++ b/src/http/ngx_http_upstream.h -@@ -333,6 +333,11 @@ struct ngx_http_upstream_s { - ngx_array_t *caches; - #endif - -+#define HAVE_NGX_UPSTREAM_TIMEOUT_FIELDS 1 -+ ngx_msec_t connect_timeout; -+ ngx_msec_t send_timeout; -+ ngx_msec_t read_timeout; -+ - ngx_http_upstream_headers_in_t headers_in; - - ngx_http_upstream_resolved_t *resolved; diff --git a/images/nginx/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch b/images/nginx/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch deleted file mode 100644 index 6c54c6c4c3..0000000000 
--- a/images/nginx/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch
+++ /dev/null
@@ -1,60 +0,0 @@ -# HG changeset patch -# User Thibault Charbonnier -# Date 1481847421 28800 -# Thu Dec 15 16:17:01 2016 -0800 -# Node ID 8bf038fe006fd8ae253d6b41fc6cf109a8912d3e -# Parent a3dc657f4e9530623683e6b85bd7492662e4dc47 -Resolver: ignore ipv6=off resolver option when no ipv6 support - -Makes the resolver directive more robust: we only error out when ipv6 -resolution is desired but not supported (ipv6=on). - -use case 1: some configurations are sometimes re-used between builds with and -without ipv6 support. This patch avoids the need to remove the "ipv6=off" flag. - -use case 2: currently, some tools rely on the --with-ipv6 configure option from -"nginx -V" to determine if ipv6 resolution should be disabled in some cases. -With this option disappearing in Nginx 1.11.5, this patch would allow such tools -to assume "ipv6=off" to be safe regardless of ipv6 support in the current -build. - -diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c -index dade1846..5a3f0aa4 100644 ---- a/src/core/ngx_resolver.c -+++ b/src/core/ngx_resolver.c -@@ -425,7 +425,6 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n) - continue; - } - --#if (NGX_HAVE_INET6) - if (ngx_strncmp(names[i].data, "ipv4=", 5) == 0) { - - if (ngx_strcmp(&names[i].data[5], "on") == 0) { -@@ -446,10 +445,19 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n) - if (ngx_strncmp(names[i].data, "ipv6=", 5) == 0) { - - if (ngx_strcmp(&names[i].data[5], "on") == 0) { -+#if (NGX_HAVE_INET6) - r->ipv6 = 1; -+#else -+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -+ "no ipv6 support but \"%V\" in resolver", -+ &names[i]); -+ return NULL; -+#endif - - } else if (ngx_strcmp(&names[i].data[5], "off") == 0) { -+#if (NGX_HAVE_INET6) - r->ipv6 = 0; -+#endif - - } else { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -@@ -459,7 +467,6 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n) - - continue; - } --#endif - - #if !(NGX_WIN32) - if 
(ngx_strncmp(names[i].data, "local=", 6) == 0) { diff --git a/images/nginx/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch b/images/nginx/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch deleted file mode 100644 index 8ffe4c1676..0000000000 --- a/images/nginx/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch +++ /dev/null 
@@ -1,185 +0,0 @@ -diff --git a/auto/unix b/auto/unix -index 10835f6c..b5b33bb3 100644 ---- a/auto/unix -+++ b/auto/unix -@@ -990,3 +990,27 @@ ngx_feature_test='struct addrinfo *res; - if (getaddrinfo("localhost", NULL, NULL, &res) != 0) return 1; - freeaddrinfo(res)' - . auto/feature -+ -+ngx_feature="SOCK_CLOEXEC support" -+ngx_feature_name="NGX_HAVE_SOCKET_CLOEXEC" -+ngx_feature_run=no -+ngx_feature_incs="#include -+ #include " -+ngx_feature_path= -+ngx_feature_libs= -+ngx_feature_test="int fd; -+ fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);" -+. auto/feature -+ -+ngx_feature="FD_CLOEXEC support" -+ngx_feature_name="NGX_HAVE_FD_CLOEXEC" -+ngx_feature_run=no -+ngx_feature_incs="#include -+ #include -+ #include " -+ngx_feature_path= -+ngx_feature_libs= -+ngx_feature_test="int fd; -+ fd = socket(AF_INET, SOCK_STREAM, 0); -+ fcntl(fd, F_SETFD, FD_CLOEXEC);" -+. auto/feature -diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c -index cd55520c..438e0806 100644 ---- a/src/core/ngx_resolver.c -+++ b/src/core/ngx_resolver.c -@@ -4466,8 +4466,14 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec) - ngx_event_t *rev, *wev; - ngx_connection_t *c; - -+#if (NGX_HAVE_SOCKET_CLOEXEC) -+ s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM | SOCK_CLOEXEC, 0); -+ -+#else - s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM, 0); - -+#endif -+ - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, &rec->log, 0, "TCP socket %d", s); - - if (s == (ngx_socket_t) -1) { -@@ -4494,6 +4500,15 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec) - goto failed; - } - -+#if (NGX_HAVE_FD_CLOEXEC) -+ if (ngx_cloexec(s) == -1) { -+ ngx_log_error(NGX_LOG_ALERT, &rec->log, ngx_socket_errno, -+ ngx_cloexec_n " failed"); -+ -+ goto failed; -+ } -+#endif -+ - rev = c->read; - wev = c->write; - -diff --git a/src/event/ngx_event.h b/src/event/ngx_event.h -index 19fec68..8c2f01a 100644 ---- a/src/event/ngx_event.h -+++ b/src/event/ngx_event.h -@@ -73,6 +73,9 @@ struct ngx_event_s { - /* to test on 
worker exit */ - unsigned channel:1; - unsigned resolver:1; -+#if (HAVE_SOCKET_CLOEXEC_PATCH) -+ unsigned skip_socket_leak_check:1; -+#endif - - unsigned cancelable:1; - -diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c -index 77563709..5827b9d0 100644 ---- a/src/event/ngx_event_accept.c -+++ b/src/event/ngx_event_accept.c -@@ -62,7 +62,9 @@ ngx_event_accept(ngx_event_t *ev) - - #if (NGX_HAVE_ACCEPT4) - if (use_accept4) { -- s = accept4(lc->fd, &sa.sockaddr, &socklen, SOCK_NONBLOCK); -+ s = accept4(lc->fd, &sa.sockaddr, &socklen, -+ SOCK_NONBLOCK | SOCK_CLOEXEC); -+ - } else { - s = accept(lc->fd, &sa.sockaddr, &socklen); - } -@@ -202,6 +204,16 @@ ngx_event_accept(ngx_event_t *ev) - ngx_close_accepted_connection(c); - return; - } -+ -+#if (NGX_HAVE_FD_CLOEXEC) -+ if (ngx_cloexec(s) == -1) { -+ ngx_log_error(NGX_LOG_ALERT, ev->log, ngx_socket_errno, -+ ngx_cloexec_n " failed"); -+ ngx_close_accepted_connection(c); -+ return; -+ } -+#endif -+ - } - } - -diff --git a/src/event/ngx_event_connect.c b/src/event/ngx_event_connect.c -index c5bb8068..cf33b1d2 100644 ---- a/src/event/ngx_event_connect.c -+++ b/src/event/ngx_event_connect.c -@@ -38,8 +38,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc) - - type = (pc->type ? pc->type : SOCK_STREAM); - -+#if (NGX_HAVE_SOCKET_CLOEXEC) -+ s = ngx_socket(pc->sockaddr->sa_family, type | SOCK_CLOEXEC, 0); -+ -+#else - s = ngx_socket(pc->sockaddr->sa_family, type, 0); - -+#endif -+ -+ - ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pc->log, 0, "%s socket %d", - (type == SOCK_STREAM) ? 
"stream" : "dgram", s); - -@@ -80,6 +87,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc) - goto failed; - } - -+#if (NGX_HAVE_FD_CLOEXEC) -+ if (ngx_cloexec(s) == -1) { -+ ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno, -+ ngx_cloexec_n " failed"); -+ -+ goto failed; -+ } -+#endif -+ - if (pc->local) { - - #if (NGX_HAVE_TRANSPARENT_PROXY) -diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c -index c4376a5..48e8fa8 100644 ---- a/src/os/unix/ngx_process_cycle.c -+++ b/src/os/unix/ngx_process_cycle.c -@@ -960,6 +1029,9 @@ ngx_worker_process_exit(ngx_cycle_t *cycle) - for (i = 0; i < cycle->connection_n; i++) { - if (c[i].fd != -1 - && c[i].read -+#if (HAVE_SOCKET_CLOEXEC_PATCH) -+ && !c[i].read->skip_socket_leak_check -+#endif - && !c[i].read->accept - && !c[i].read->channel - && !c[i].read->resolver) -diff --git a/src/os/unix/ngx_socket.h b/src/os/unix/ngx_socket.h -index fcc51533..d1eebf47 100644 ---- a/src/os/unix/ngx_socket.h -+++ b/src/os/unix/ngx_socket.h -@@ -38,6 +38,17 @@ int ngx_blocking(ngx_socket_t s); - - #endif - -+#if (NGX_HAVE_FD_CLOEXEC) -+ -+#define ngx_cloexec(s) fcntl(s, F_SETFD, FD_CLOEXEC) -+#define ngx_cloexec_n "fcntl(FD_CLOEXEC)" -+ -+/* at least FD_CLOEXEC is required to ensure connection fd is closed -+ * after execve */ -+#define HAVE_SOCKET_CLOEXEC_PATCH 1 -+ -+#endif -+ - int ngx_tcp_nopush(ngx_socket_t s); - int ngx_tcp_push(ngx_socket_t s); - diff --git a/images/nginx/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch b/images/nginx/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch deleted file mode 100644 index ff4a36fd22..0000000000 --- a/images/nginx/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch +++ /dev/null 
@@ -1,38 +0,0 @@
-diff --git a/src/core/ngx_connection.c b/src/core/ngx_connection.c
---- a/src/core/ngx_connection.c
-+++ b/src/core/ngx_connection.c
-@@ -1118,6 +1118,12 @@ ngx_close_listening_sockets(ngx_cycle_t *cycle)
- ls = cycle->listening.elts;
- for (i = 0; i < cycle->listening.nelts; i++) {
-
-+#if (NGX_HAVE_REUSEPORT)
-+ if (ls[i].fd == (ngx_socket_t) -1) {
-+ continue;
-+ }
-+#endif
-+
- c = ls[i].connection;
-
- if (c) {
-diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c
---- a/src/event/ngx_event.c
-+++ b/src/event/ngx_event.c
-@@ -775,6 +775,18 @@ ngx_event_process_init(ngx_cycle_t *cycle)
-
- #if (NGX_HAVE_REUSEPORT)
- if (ls[i].reuseport && ls[i].worker != ngx_worker) {
-+ ngx_log_debug2(NGX_LOG_DEBUG_CORE, cycle->log, 0,
-+ "closing unused fd:%d listening on %V",
-+ ls[i].fd, &ls[i].addr_text);
-+
-+ if (ngx_close_socket(ls[i].fd) == -1) {
-+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_socket_errno,
-+ ngx_close_socket_n " %V failed",
-+ &ls[i].addr_text);
-+ }
-+
-+ ls[i].fd = (ngx_socket_t) -1;
-+
- continue;
- }
- #endif