# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

EAPI="6"

# Maintainer notes:
# - http_rewrite-independent pcre-support makes sense for matching locations without an actual rewrite
# - any http-module activates the main http-functionality and overrides USE=-http
# - keep the following requirements in mind before adding external modules:
#	* alive upstream
#	* sane packaging
#	* builds cleanly
#	* does not need a patch for nginx core
# - TODO: test the google-perftools module (included in vanilla tarball)

# prevent perl-module from adding automagic perl DEPENDs
GENTOO_DEPEND_ON_PERL="no"

# devel_kit (https://github.com/simpl/ngx_devel_kit, BSD license)
DEVEL_KIT_MODULE_PV="0.3.1"
DEVEL_KIT_MODULE_P="ngx_devel_kit-${DEVEL_KIT_MODULE_PV}"
DEVEL_KIT_MODULE_URI="https://github.com/simpl/ngx_devel_kit/archive/v${DEVEL_KIT_MODULE_PV}.tar.gz"
DEVEL_KIT_MODULE_WD="${WORKDIR}/ngx_devel_kit-${DEVEL_KIT_MODULE_PV}"

# ngx_brotli (https://github.com/eustas/ngx_brotli, BSD-2)
HTTP_BROTLI_MODULE_PV="8104036af9cff4b1d34f22d00ba857e2a93a243c"
HTTP_BROTLI_MODULE_P="ngx_brotli-${HTTP_BROTLI_MODULE_PV}"
HTTP_BROTLI_MODULE_URI="https://github.com/eustas/ngx_brotli/archive/${HTTP_BROTLI_MODULE_PV}.tar.gz"
HTTP_BROTLI_MODULE_WD="${WORKDIR}/ngx_brotli-${HTTP_BROTLI_MODULE_PV}"

# http_uploadprogress (https://github.com/masterzen/nginx-upload-progress-module, BSD-2 license)
HTTP_UPLOAD_PROGRESS_MODULE_PV="0.9.2"
HTTP_UPLOAD_PROGRESS_MODULE_P="ngx_http_upload_progress-${HTTP_UPLOAD_PROGRESS_MODULE_PV}-r1"
HTTP_UPLOAD_PROGRESS_MODULE_URI="https://github.com/masterzen/nginx-upload-progress-module/archive/v${HTTP_UPLOAD_PROGRESS_MODULE_PV}.tar.gz"
HTTP_UPLOAD_PROGRESS_MODULE_WD="${WORKDIR}/nginx-upload-progress-module-${HTTP_UPLOAD_PROGRESS_MODULE_PV}"

# http_headers_more (https://github.com/agentzh/headers-more-nginx-module, BSD license)
HTTP_HEADERS_MORE_MODULE_PV="0.33"
HTTP_HEADERS_MORE_MODULE_P="ngx_http_headers_more-${HTTP_HEADERS_MORE_MODULE_PV}"
HTTP_HEADERS_MORE_MODULE_URI="https://github.com/agentzh/headers-more-nginx-module/archive/v${HTTP_HEADERS_MORE_MODULE_PV}.tar.gz"
HTTP_HEADERS_MORE_MODULE_WD="${WORKDIR}/headers-more-nginx-module-${HTTP_HEADERS_MORE_MODULE_PV}"

# http_cache_purge (http://labs.frickle.com/nginx_ngx_cache_purge/, https://github.com/FRiCKLE/ngx_cache_purge, BSD-2 license)
# NOTE(review): the cache_purge tarball is fetched over plain http://, so the
# transfer itself gives no integrity or authenticity protection; whatever
# checksum verification the package manager applies to downloaded distfiles is
# the only safeguard. Confirm the recorded checksums before bumping the version.
HTTP_CACHE_PURGE_MODULE_PV="2.3"
HTTP_CACHE_PURGE_MODULE_P="ngx_http_cache_purge-${HTTP_CACHE_PURGE_MODULE_PV}"
HTTP_CACHE_PURGE_MODULE_URI="http://labs.frickle.com/files/ngx_cache_purge-${HTTP_CACHE_PURGE_MODULE_PV}.tar.gz"
HTTP_CACHE_PURGE_MODULE_WD="${WORKDIR}/ngx_cache_purge-${HTTP_CACHE_PURGE_MODULE_PV}"

# http_slowfs_cache (http://labs.frickle.com/nginx_ngx_slowfs_cache/, BSD-2 license)
# NOTE(review): same plain-http download as cache_purge; the tarball is only as
# trustworthy as the checksum it is verified against after the fetch.
HTTP_SLOWFS_CACHE_MODULE_PV="1.10"
HTTP_SLOWFS_CACHE_MODULE_P="ngx_http_slowfs_cache-${HTTP_SLOWFS_CACHE_MODULE_PV}"
HTTP_SLOWFS_CACHE_MODULE_URI="http://labs.frickle.com/files/ngx_slowfs_cache-${HTTP_SLOWFS_CACHE_MODULE_PV}.tar.gz"
HTTP_SLOWFS_CACHE_MODULE_WD="${WORKDIR}/ngx_slowfs_cache-${HTTP_SLOWFS_CACHE_MODULE_PV}"

# http_fancyindex (https://github.com/aperezdc/ngx-fancyindex, BSD license)
HTTP_FANCYINDEX_MODULE_PV="0.4.3"
HTTP_FANCYINDEX_MODULE_P="ngx_http_fancyindex-${HTTP_FANCYINDEX_MODULE_PV}"
HTTP_FANCYINDEX_MODULE_URI="https://github.com/aperezdc/ngx-fancyindex/archive/v${HTTP_FANCYINDEX_MODULE_PV}.tar.gz"
HTTP_FANCYINDEX_MODULE_WD="${WORKDIR}/ngx-fancyindex-${HTTP_FANCYINDEX_MODULE_PV}"

# http_lua (https://github.com/openresty/lua-nginx-module, BSD license)
HTTP_LUA_MODULE_PV="0.10.15"
HTTP_LUA_MODULE_P="ngx_http_lua-${HTTP_LUA_MODULE_PV}"
HTTP_LUA_MODULE_URI="https://github.com/openresty/lua-nginx-module/archive/v${HTTP_LUA_MODULE_PV}.tar.gz"
HTTP_LUA_MODULE_WD="${WORKDIR}/lua-nginx-module-${HTTP_LUA_MODULE_PV}"

# http_auth_pam (https://github.com/stogh/ngx_http_auth_pam_module/, http://web.iti.upv.es/~sto/nginx/, BSD-2 license)
HTTP_AUTH_PAM_MODULE_PV="1.5.1"
HTTP_AUTH_PAM_MODULE_P="ngx_http_auth_pam-${HTTP_AUTH_PAM_MODULE_PV}"
HTTP_AUTH_PAM_MODULE_URI="https://github.com/stogh/ngx_http_auth_pam_module/archive/v${HTTP_AUTH_PAM_MODULE_PV}.tar.gz"
HTTP_AUTH_PAM_MODULE_WD="${WORKDIR}/ngx_http_auth_pam_module-${HTTP_AUTH_PAM_MODULE_PV}"

# http_upstream_check (https://github.com/yaoweibin/nginx_upstream_check_module, BSD license)
HTTP_UPSTREAM_CHECK_MODULE_PV="9aecf15ec379fe98f62355c57b60c0bc83296f04"
HTTP_UPSTREAM_CHECK_MODULE_P="ngx_http_upstream_check-${HTTP_UPSTREAM_CHECK_MODULE_PV}"
HTTP_UPSTREAM_CHECK_MODULE_URI="https://github.com/yaoweibin/nginx_upstream_check_module/archive/${HTTP_UPSTREAM_CHECK_MODULE_PV}.tar.gz"
HTTP_UPSTREAM_CHECK_MODULE_WD="${WORKDIR}/nginx_upstream_check_module-${HTTP_UPSTREAM_CHECK_MODULE_PV}"

# http_metrics (https://github.com/zenops/ngx_metrics, BSD license)
# NOTE(review): the link above names the zenops account, but the tarball below
# is fetched from madvertise/ngx_metrics — confirm which repository is the
# intended upstream before trusting a version bump.
HTTP_METRICS_MODULE_PV="0.1.1"
HTTP_METRICS_MODULE_P="ngx_metrics-${HTTP_METRICS_MODULE_PV}"
HTTP_METRICS_MODULE_URI="https://github.com/madvertise/ngx_metrics/archive/v${HTTP_METRICS_MODULE_PV}.tar.gz"
HTTP_METRICS_MODULE_WD="${WORKDIR}/ngx_metrics-${HTTP_METRICS_MODULE_PV}"

# http_vhost_traffic_status (https://github.com/vozlt/nginx-module-vts, BSD license)
HTTP_VHOST_TRAFFIC_STATUS_MODULE_PV="46d85558e344dfe2b078ce757fd36c69a1ec2dd3"
HTTP_VHOST_TRAFFIC_STATUS_MODULE_P="ngx_http_vhost_traffic_status-${HTTP_VHOST_TRAFFIC_STATUS_MODULE_PV}"
HTTP_VHOST_TRAFFIC_STATUS_MODULE_URI="https://github.com/vozlt/nginx-module-vts/archive/${HTTP_VHOST_TRAFFIC_STATUS_MODULE_PV}.tar.gz"
HTTP_VHOST_TRAFFIC_STATUS_MODULE_WD="${WORKDIR}/nginx-module-vts-${HTTP_VHOST_TRAFFIC_STATUS_MODULE_PV}"

# naxsi-core (https://github.com/nbs-system/naxsi, GPLv2+)
HTTP_NAXSI_MODULE_PV="0.56"
HTTP_NAXSI_MODULE_P="ngx_http_naxsi-${HTTP_NAXSI_MODULE_PV}"
HTTP_NAXSI_MODULE_URI="https://github.com/nbs-system/naxsi/archive/${HTTP_NAXSI_MODULE_PV}.tar.gz"
HTTP_NAXSI_MODULE_WD="${WORKDIR}/naxsi-${HTTP_NAXSI_MODULE_PV}/naxsi_src"

# nginx-rtmp-module (https://github.com/arut/nginx-rtmp-module, BSD license)
RTMP_MODULE_PV="1.2.1"
RTMP_MODULE_P="ngx_rtmp-${RTMP_MODULE_PV}"
RTMP_MODULE_URI="https://github.com/arut/nginx-rtmp-module/archive/v${RTMP_MODULE_PV}.tar.gz"
RTMP_MODULE_WD="${WORKDIR}/nginx-rtmp-module-${RTMP_MODULE_PV}"

# nginx-dav-ext-module (https://github.com/arut/nginx-dav-ext-module, BSD license)
HTTP_DAV_EXT_MODULE_PV="3.0.0"
HTTP_DAV_EXT_MODULE_P="ngx_http_dav_ext-${HTTP_DAV_EXT_MODULE_PV}"
HTTP_DAV_EXT_MODULE_URI="https://github.com/arut/nginx-dav-ext-module/archive/v${HTTP_DAV_EXT_MODULE_PV}.tar.gz"
HTTP_DAV_EXT_MODULE_WD="${WORKDIR}/nginx-dav-ext-module-${HTTP_DAV_EXT_MODULE_PV}"

# echo-nginx-module (https://github.com/openresty/echo-nginx-module, BSD license)
HTTP_ECHO_MODULE_PV="0.61"
HTTP_ECHO_MODULE_P="ngx_http_echo-${HTTP_ECHO_MODULE_PV}"
HTTP_ECHO_MODULE_URI="https://github.com/openresty/echo-nginx-module/archive/v${HTTP_ECHO_MODULE_PV}.tar.gz"
HTTP_ECHO_MODULE_WD="${WORKDIR}/echo-nginx-module-${HTTP_ECHO_MODULE_PV}"

# mod_security for nginx (https://modsecurity.org/, Apache-2.0)
# keep the MODULE_P here consistent with upstream to avoid tarball duplication
HTTP_SECURITY_MODULE_PV="2.9.3"
HTTP_SECURITY_MODULE_P="modsecurity-${HTTP_SECURITY_MODULE_PV}"
HTTP_SECURITY_MODULE_URI="https://www.modsecurity.org/tarball/${HTTP_SECURITY_MODULE_PV}/${HTTP_SECURITY_MODULE_P}.tar.gz"
HTTP_SECURITY_MODULE_WD="${WORKDIR}/${HTTP_SECURITY_MODULE_P}"

# push-stream-module (http://www.nginxpushstream.com, https://github.com/wandenberg/nginx-push-stream-module, GPL-3)
HTTP_PUSH_STREAM_MODULE_PV="0.5.4"
HTTP_PUSH_STREAM_MODULE_P="ngx_http_push_stream-${HTTP_PUSH_STREAM_MODULE_PV}"
HTTP_PUSH_STREAM_MODULE_URI="https://github.com/wandenberg/nginx-push-stream-module/archive/${HTTP_PUSH_STREAM_MODULE_PV}.tar.gz"
HTTP_PUSH_STREAM_MODULE_WD="${WORKDIR}/nginx-push-stream-module-${HTTP_PUSH_STREAM_MODULE_PV}"

# sticky-module (https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng, BSD-2)
HTTP_STICKY_MODULE_PV="1.2.6-10-g08a395c66e42"
HTTP_STICKY_MODULE_P="nginx_http_sticky_module_ng-${HTTP_STICKY_MODULE_PV}"
HTTP_STICKY_MODULE_URI="https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/get/${HTTP_STICKY_MODULE_PV}.tar.bz2"
HTTP_STICKY_MODULE_WD="${WORKDIR}/nginx-goodies-nginx-sticky-module-ng-08a395c66e42"

# mogilefs-module (https://github.com/vkholodkov/nginx-mogilefs-module, BSD-2)
HTTP_MOGILEFS_MODULE_PV="1.0.4"
HTTP_MOGILEFS_MODULE_P="ngx_mogilefs_module-${HTTP_MOGILEFS_MODULE_PV}"
HTTP_MOGILEFS_MODULE_URI="https://github.com/vkholodkov/nginx-mogilefs-module/archive/${HTTP_MOGILEFS_MODULE_PV}.tar.gz"
HTTP_MOGILEFS_MODULE_WD="${WORKDIR}/nginx_mogilefs_module-${HTTP_MOGILEFS_MODULE_PV}"

# memc-module (https://github.com/openresty/memc-nginx-module, BSD-2)
HTTP_MEMC_MODULE_PV="0.19"
HTTP_MEMC_MODULE_P="ngx_memc_module-${HTTP_MEMC_MODULE_PV}"
HTTP_MEMC_MODULE_URI="https://github.com/openresty/memc-nginx-module/archive/v${HTTP_MEMC_MODULE_PV}.tar.gz"
HTTP_MEMC_MODULE_WD="${WORKDIR}/memc-nginx-module-${HTTP_MEMC_MODULE_PV}"

# nginx-ldap-auth-module (https://github.com/kvspb/nginx-auth-ldap, BSD-2)
HTTP_LDAP_MODULE_PV="42d195d7a7575ebab1c369ad3fc5d78dc2c2669c"
HTTP_LDAP_MODULE_P="nginx-auth-ldap-${HTTP_LDAP_MODULE_PV}"
HTTP_LDAP_MODULE_URI="https://github.com/kvspb/nginx-auth-ldap/archive/${HTTP_LDAP_MODULE_PV}.tar.gz"
HTTP_LDAP_MODULE_WD="${WORKDIR}/nginx-auth-ldap-${HTTP_LDAP_MODULE_PV}"

# spnego-http-auth-nginx-module (https://github.com/stnoonan/spnego-http-auth-nginx-module)
HTTP_AUTH_SPNEGO_MODULE_PV="0ea80a9f53b2830803eee0ef6becd2a10cd3f5fe"
HTTP_AUTH_SPNEGO_MODULE_P="ngx_auth_spnego_module-${HTTP_AUTH_SPNEGO_MODULE_PV}"
# NOTE(review): the tarball is pulled from the jkolo account, while the module
# comment above names stnoonan/spnego-http-auth-nginx-module as the project —
# confirm the fork is the intended source for this authentication module.
HTTP_AUTH_SPNEGO_MODULE_URI="https://github.com/jkolo/spnego-http-auth-nginx-module/archive/${HTTP_AUTH_SPNEGO_MODULE_PV}.tar.gz"
HTTP_AUTH_SPNEGO_MODULE_WD="${WORKDIR}/spnego-http-auth-nginx-module-${HTTP_AUTH_SPNEGO_MODULE_PV}"

# ajp-module (https://github.com/sklochkov/nginx_ajp_module; licence not stated here)
# PV is a 40-character commit id, so the archive URL names one exact upstream
# revision instead of a release tag.
HTTP_AJP_MODULE_PV="b6993cc5befd6b9d4d6aefc91c689c20aabacbd2"
HTTP_AJP_MODULE_P="ngx_ajp_module-${HTTP_AJP_MODULE_PV}"
HTTP_AJP_MODULE_URI="https://github.com/sklochkov/nginx_ajp_module/archive/${HTTP_AJP_MODULE_PV}.tar.gz"
HTTP_AJP_MODULE_WD="${WORKDIR}/nginx_ajp_module-${HTTP_AJP_MODULE_PV}"

# ct-module (https://github.com/grahamedgecombe/nginx-ct; licence not stated here)
# Fetched by release tag (v${PV}); the unpacked directory name carries no "v".
HTTP_CT_MODULE_PV="1.3.2"
HTTP_CT_MODULE_P="nginx-ct-${HTTP_CT_MODULE_PV}"
HTTP_CT_MODULE_URI="https://github.com/grahamedgecombe/nginx-ct/archive/v${HTTP_CT_MODULE_PV}.tar.gz"
HTTP_CT_MODULE_WD="${WORKDIR}/nginx-ct-${HTTP_CT_MODULE_PV}"

# geoip2 (https://github.com/leev/ngx_http_geoip2_module, BSD-2)
GEOIP2_MODULE_PV="3.2"
GEOIP2_MODULE_P="ngx_http_geoip2_module-${GEOIP2_MODULE_PV}"
GEOIP2_MODULE_URI="https://github.com/leev/ngx_http_geoip2_module/archive/${GEOIP2_MODULE_PV}.tar.gz"
GEOIP2_MODULE_WD="${WORKDIR}/ngx_http_geoip2_module-${GEOIP2_MODULE_PV}"

# njs-module (https://github.com/nginx/njs, as-is)
NJS_MODULE_PV="0.3.5"
NJS_MODULE_P="njs-${NJS_MODULE_PV}"
NJS_MODULE_URI="https://github.com/nginx/njs/archive/${NJS_MODULE_PV}.tar.gz"
NJS_MODULE_WD="${WORKDIR}/njs-${NJS_MODULE_PV}"

# We handle deps below ourselves
SSL_DEPS_SKIP=1
AUTOTOOLS_AUTO_DEPEND="no"

inherit autotools ssl-cert toolchain-funcs perl-module flag-o-matic user systemd versionator multilib pax-utils

DESCRIPTION="Robust, small and high performance http and reverse proxy server"
HOMEPAGE="https://nginx.org"
SRC_URI="https://nginx.org/download/${P}.tar.gz
	${DEVEL_KIT_MODULE_URI} -> ${DEVEL_KIT_MODULE_P}.tar.gz
	nginx_modules_http_ajp? ( ${HTTP_AJP_MODULE_URI} -> ${HTTP_AJP_MODULE_P}.tar.gz )
	nginx_modules_http_auth_ldap? ( ${HTTP_LDAP_MODULE_URI} -> ${HTTP_LDAP_MODULE_P}.tar.gz )
	nginx_modules_http_auth_pam? ( ${HTTP_AUTH_PAM_MODULE_URI} -> ${HTTP_AUTH_PAM_MODULE_P}.tar.gz )
	nginx_modules_http_auth_spnego? ( ${HTTP_AUTH_SPNEGO_MODULE_URI} -> ${HTTP_AUTH_SPNEGO_MODULE_P}.tar.gz )
	nginx_modules_http_brotli? ( ${HTTP_BROTLI_MODULE_URI} -> ${HTTP_BROTLI_MODULE_P}.tar.gz )
	nginx_modules_http_cache_purge? ( ${HTTP_CACHE_PURGE_MODULE_URI} -> ${HTTP_CACHE_PURGE_MODULE_P}.tar.gz )
	nginx_modules_http_ct? ( ${HTTP_CT_MODULE_URI} -> ${HTTP_CT_MODULE_P}.tar.gz )
	nginx_modules_http_dav_ext? ( ${HTTP_DAV_EXT_MODULE_URI} -> ${HTTP_DAV_EXT_MODULE_P}.tar.gz )
	nginx_modules_http_echo? ( ${HTTP_ECHO_MODULE_URI} -> ${HTTP_ECHO_MODULE_P}.tar.gz )
	nginx_modules_http_fancyindex? ( ${HTTP_FANCYINDEX_MODULE_URI} -> ${HTTP_FANCYINDEX_MODULE_P}.tar.gz )
	nginx_modules_http_geoip2? ( ${GEOIP2_MODULE_URI} -> ${GEOIP2_MODULE_P}.tar.gz )
	nginx_modules_http_headers_more? ( ${HTTP_HEADERS_MORE_MODULE_URI} -> ${HTTP_HEADERS_MORE_MODULE_P}.tar.gz )
	nginx_modules_http_javascript? ( ${NJS_MODULE_URI} -> ${NJS_MODULE_P}.tar.gz )
	nginx_modules_http_lua? ( ${HTTP_LUA_MODULE_URI} -> ${HTTP_LUA_MODULE_P}.tar.gz )
	nginx_modules_http_memc? ( ${HTTP_MEMC_MODULE_URI} -> ${HTTP_MEMC_MODULE_P}.tar.gz )
	nginx_modules_http_metrics? ( ${HTTP_METRICS_MODULE_URI} -> ${HTTP_METRICS_MODULE_P}.tar.gz )
	nginx_modules_http_mogilefs? ( ${HTTP_MOGILEFS_MODULE_URI} -> ${HTTP_MOGILEFS_MODULE_P}.tar.gz )
	nginx_modules_http_naxsi? ( ${HTTP_NAXSI_MODULE_URI} -> ${HTTP_NAXSI_MODULE_P}.tar.gz )
	nginx_modules_http_push_stream? ( ${HTTP_PUSH_STREAM_MODULE_URI} -> ${HTTP_PUSH_STREAM_MODULE_P}.tar.gz )
	nginx_modules_http_security? ( ${HTTP_SECURITY_MODULE_URI} -> ${HTTP_SECURITY_MODULE_P}.tar.gz )
	nginx_modules_http_slowfs_cache? ( ${HTTP_SLOWFS_CACHE_MODULE_URI} -> ${HTTP_SLOWFS_CACHE_MODULE_P}.tar.gz )
	nginx_modules_http_sticky? ( ${HTTP_STICKY_MODULE_URI} -> ${HTTP_STICKY_MODULE_P}.tar.bz2 )
	nginx_modules_http_upload_progress? ( ${HTTP_UPLOAD_PROGRESS_MODULE_URI} -> ${HTTP_UPLOAD_PROGRESS_MODULE_P}.tar.gz )
	nginx_modules_http_upstream_check? ( ${HTTP_UPSTREAM_CHECK_MODULE_URI} -> ${HTTP_UPSTREAM_CHECK_MODULE_P}.tar.gz )
	nginx_modules_http_vhost_traffic_status? ( ${HTTP_VHOST_TRAFFIC_STATUS_MODULE_URI} -> ${HTTP_VHOST_TRAFFIC_STATUS_MODULE_P}.tar.gz )
	nginx_modules_stream_geoip2? ( ${GEOIP2_MODULE_URI} -> ${GEOIP2_MODULE_P}.tar.gz )
	nginx_modules_stream_javascript? ( ${NJS_MODULE_URI} -> ${NJS_MODULE_P}.tar.gz )
	rtmp? ( ${RTMP_MODULE_URI} -> ${RTMP_MODULE_P}.tar.gz )"

LICENSE="BSD-2 BSD SSLeay MIT GPL-2 GPL-2+
	nginx_modules_http_security? ( Apache-2.0 )
	nginx_modules_http_push_stream? ( GPL-3 )"

SLOT="0"
KEYWORDS="amd64 ~arm ~arm64 ~ppc ~ppc64 x86 ~x86-fbsd ~amd64-linux ~x86-linux"

# Package doesn't provide a real test suite
RESTRICT="test"

NGINX_MODULES_STD="access auth_basic autoindex browser charset empty_gif
	fastcgi geo grpc gzip limit_req limit_conn map memcached mirror
	proxy referer rewrite scgi ssi split_clients upstream_hash
	upstream_ip_hash upstream_keepalive upstream_least_conn
	upstream_zone userid uwsgi"
NGINX_MODULES_OPT="addition auth_request dav degradation flv geoip gunzip
	gzip_static image_filter mp4 perl random_index realip secure_link
	slice stub_status sub xslt"
NGINX_MODULES_STREAM_STD="access geo limit_conn map return split_clients
	upstream_hash upstream_least_conn upstream_zone"
NGINX_MODULES_STREAM_OPT="geoip realip ssl_preread"
NGINX_MODULES_MAIL="imap pop3 smtp"
NGINX_MODULES_3RD="
	http_ajp
	http_auth_ldap
	http_auth_pam
	http_auth_spnego
	http_brotli
	http_cache_purge
	http_ct
	http_dav_ext
	http_echo
	http_fancyindex
	http_geoip2
	http_headers_more
	http_javascript
	http_lua
	http_memc
	http_metrics
	http_mogilefs
	http_naxsi
	http_push_stream
	http_security
	http_slowfs_cache
	http_sticky
	http_upload_progress
	http_upstream_check
	http_vhost_traffic_status
	stream_geoip2
	stream_javascript
"

IUSE="aio debug +http +http2 +http-cache +ipv6 libatomic libressl luajit +pcre
	pcre-jit rtmp selinux ssl threads userland_GNU vim-syntax"

# Extend IUSE with one flag per entry of each module list. Only the standard
# HTTP modules get a leading "+" (enabled by default); every other list is
# added as an opt-in flag.
for mod in ${NGINX_MODULES_STD}; do
	IUSE+=" +nginx_modules_http_${mod}"
done

for mod in ${NGINX_MODULES_OPT}; do
	IUSE+=" nginx_modules_http_${mod}"
done

for mod in ${NGINX_MODULES_STREAM_STD}; do
	IUSE+=" nginx_modules_stream_${mod}"
done

for mod in ${NGINX_MODULES_STREAM_OPT}; do
	IUSE+=" nginx_modules_stream_${mod}"
done

for mod in ${NGINX_MODULES_MAIL}; do
	IUSE+=" nginx_modules_mail_${mod}"
done

# Third-party list entries already carry their http_/stream_ prefix.
for mod in ${NGINX_MODULES_3RD}; do
	IUSE+=" nginx_modules_${mod}"
done

# Flag kept so that users who are updating can be warned about config changes.
# @TODO: jbergstroem: remove on next release series
IUSE+=" nginx_modules_http_spdy"

CDEPEND="
	pcre? ( dev-libs/libpcre:= )
	pcre-jit? ( dev-libs/libpcre:=[jit] )
	ssl? (
		!libressl? ( dev-libs/openssl:0= )
		libressl? ( dev-libs/libressl:= )
	)
	http2? (
		!libressl? ( >=dev-libs/openssl-1.0.1c:0= )
		libressl? ( dev-libs/libressl:= )
	)
	http-cache? (
		userland_GNU? (
			!libressl? ( dev-libs/openssl:0= )
			libressl? ( dev-libs/libressl:= )
		)
	)
	nginx_modules_http_brotli? ( app-arch/brotli:= )
	nginx_modules_http_geoip? ( dev-libs/geoip )
	nginx_modules_http_geoip2? ( dev-libs/libmaxminddb:= )
	nginx_modules_http_gunzip? ( sys-libs/zlib )
	nginx_modules_http_gzip? ( sys-libs/zlib )
	nginx_modules_http_gzip_static? ( sys-libs/zlib )
	nginx_modules_http_image_filter? ( media-libs/gd:=[jpeg,png] )
	nginx_modules_http_perl? ( >=dev-lang/perl-5.8:= )
	nginx_modules_http_rewrite? ( dev-libs/libpcre:= )
	nginx_modules_http_secure_link? (
		userland_GNU? (
			!libressl? ( dev-libs/openssl:0= )
			libressl? ( dev-libs/libressl:= )
		)
	)
	nginx_modules_http_xslt? ( dev-libs/libxml2:= dev-libs/libxslt )
	nginx_modules_http_lua? ( dev-lang/luajit:2= )
	nginx_modules_http_auth_pam? ( virtual/pam )
	nginx_modules_http_metrics? ( dev-libs/yajl:= )
	nginx_modules_http_dav_ext? ( dev-libs/libxml2 )
	nginx_modules_http_auth_spnego? ( virtual/krb5 )
	nginx_modules_http_security? (
		dev-libs/apr:=
		dev-libs/apr-util:=
		dev-libs/libxml2:=
		net-misc/curl
		www-servers/apache
	)
	nginx_modules_http_auth_ldap? ( net-nds/openldap[ssl?] )
	nginx_modules_stream_geoip? ( dev-libs/geoip )
	nginx_modules_stream_geoip2? ( dev-libs/libmaxminddb:= )"
RDEPEND="${CDEPEND}
	selinux? ( sec-policy/selinux-nginx )
	!www-servers/nginx:mainline"
DEPEND="${CDEPEND}
	nginx_modules_http_brotli? ( virtual/pkgconfig )
	nginx_modules_http_security? ( ${AUTOTOOLS_DEPEND} )
	arm? ( dev-libs/libatomic_ops )
	libatomic? ( dev-libs/libatomic_ops )"
PDEPEND="vim-syntax? ( app-vim/nginx-syntax )"

REQUIRED_USE="pcre-jit? ( pcre )
	nginx_modules_http_grpc? ( http2 )
	nginx_modules_http_lua? (
		luajit
		nginx_modules_http_rewrite
	)
	nginx_modules_http_naxsi? ( pcre )
	nginx_modules_http_dav_ext? ( nginx_modules_http_dav )
	nginx_modules_http_metrics? ( nginx_modules_http_stub_status )
	nginx_modules_http_security? ( pcre )
	nginx_modules_http_push_stream? ( ssl )"

pkg_setup() {
	# Home directory handed to enewuser below, plus a tmp directory under it.
	# Both are assigned without `local`, so they stay set after this phase.
	NGINX_HOME="/var/lib/nginx"
	NGINX_HOME_TMP="${NGINX_HOME}/tmp"

	# Create a group and a user named after the package. The two -1 arguments
	# presumably leave the uid and the login shell to the eclass defaults;
	# confirm against the inherited user eclass.
	ebegin "Creating nginx user and group"
	enewgroup ${PN}
	enewuser ${PN} -1 -1 "${NGINX_HOME}" ${PN}
	# Only the exit status of enewuser reaches eend.
	eend $?

	if use libatomic; then
		ewarn "GCC 4.1+ features built-in atomic operations."
		ewarn "Using libatomic_ops is only needed if using"
		ewarn "a different compiler or a GCC prior to 4.1"
	fi

	# Modules injected through the environment are outside what this ebuild
	# pins and patches, hence the "not supported" notice.
	if [[ ${NGINX_ADD_MODULES} ]]; then
		ewarn "You are building custom modules via \$NGINX_ADD_MODULES!"
		ewarn "This nginx installation is not supported!"
		ewarn "Make sure you can reproduce the bug without those modules"
		ewarn "_before_ reporting bugs."
	fi

	if use !http; then
		ewarn "To actually disable all http-functionality you also have to disable"
		ewarn "all nginx http modules."
	fi

	# Hard stop: the two flags cannot be combined.
	if use nginx_modules_http_mogilefs; then
		if use threads; then
			eerror "mogilefs won't compile with threads support."
			eerror "Please disable either flag and try again."
			die "Can't compile mogilefs with threads support"
		fi
	fi
}

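# Apply the distribution patches to nginx core and to the enabled third-party
# modules, then adjust nginx's auto/ build scripts before user patches run.
# Reads FILESDIR, S, PN and the *_MODULE_WD paths set at the top of the ebuild.
src_prepare() {
	eapply "${FILESDIR}/${PN}-1.4.1-fix-perl-install-path.patch"
	eapply "${FILESDIR}/${PN}-httpoxy-mitigation-r1.patch"

	if use nginx_modules_http_auth_pam; then
		cd "${HTTP_AUTH_PAM_MODULE_WD}" || die
		eapply "${FILESDIR}"/http_auth_pam-1.5.1-adjust-loglevel-for-authentication-failures.patch
		cd "${S}" || die
	fi

	if use nginx_modules_http_brotli; then
		cd "${HTTP_BROTLI_MODULE_WD}" || die
		eapply "${FILESDIR}"/http_brotli-detect-brotli-r2.patch
		cd "${S}" || die
	fi

	# Applied from the current directory with -p0, unlike the module patches
	# above, which are applied from inside the module's own directory.
	if use nginx_modules_http_upstream_check; then
		eapply -p0 "${FILESDIR}"/http_upstream_check-nginx-1.11.5+.patch
	fi

	if use nginx_modules_http_auth_spnego && has_version app-crypt/heimdal; then
		# Quote the path and stop if the directory change fails: otherwise the
		# patch would be attempted from whatever directory we happen to be in.
		pushd "${HTTP_AUTH_SPNEGO_MODULE_WD}" >/dev/null || die
		# NOTE(review): every other patch here goes through eapply; epatch is
		# not provided by an eclass this ebuild inherits directly — confirm it
		# is available, or switch to eapply after checking the strip level.
		epatch "${FILESDIR}/spnego-http-auth-ld.patch"
		popd >/dev/null || die
	fi

	if use nginx_modules_http_cache_purge; then
		cd "${HTTP_CACHE_PURGE_MODULE_WD}" || die
		eapply "${FILESDIR}"/http_cache_purge-1.11.6+.patch
		cd "${S}" || die
	fi

	if use nginx_modules_http_security; then
		cd "${HTTP_SECURITY_MODULE_WD}" || die

		eautoreconf

		# Rewrite the LUA_PKGNAMES assignment in the regenerated configure
		# script so that it names only luajit.
		if use luajit ; then
			sed -i \
				-e 's|^\(LUA_PKGNAMES\)=.*|\1="luajit"|' \
				configure || die
		fi

		cd "${S}" || die
	fi

	if use nginx_modules_http_upload_progress; then
		cd "${HTTP_UPLOAD_PROGRESS_MODULE_WD}" || die
		eapply "${FILESDIR}"/http_uploadprogress-issue_50-r1.patch
		cd "${S}" || die
	fi

	# Replace hard-coded "&& make" with "&& $(MAKE)" in the auto/ scripts.
	# Only the exit status of xargs reaches `|| die`; a failing find is not seen.
	find auto/ -type f -print0 | xargs -0 sed -i 's:\&\& make:\&\& \\$(MAKE):' || die
	# We have config protection, don't rename etc files
	# (the "." is unescaped, so it matches any single character before "default")
	sed -i 's:.default::' auto/install || die
	# remove useless files
	sed -i -e '/koi-/d' -e '/win-/d' auto/install || die

	# don't install to /etc/nginx/ if not in use
	local module
	for module in fastcgi scgi uwsgi ; do
		if ! use nginx_modules_http_${module}; then
			sed -i -e "/${module}/d" auto/install || die
		fi
	done

	eapply_user
}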

src_configure() {
	# mod_security needs to generate nginx/modsecurity/config before including it
	if use nginx_modules_http_security; then
		cd "${HTTP_SECURITY_MODULE_WD}" || die

		./configure \
			--enable-standalone-module \
			--disable-mlogc \
			--with-ssdeep=no \
			$(use_enable pcre-jit) \
			$(use_with nginx_modules_http_lua lua) || die "configure failed for mod_security"

		cd "${S}" || die
	fi

	local myconf=() http_enabled= mail_enabled= stream_enabled=

	use aio       && myconf+=( --with-file-aio )
	use debug     && myconf+=( --with-debug )
	use http2     && myconf+=( --with-http_v2_module )
	use libatomic && myconf+=( --with-libatomic )
	use pcre      && myconf+=( --with-pcre )
	use pcre-jit  && myconf+=( --with-pcre-jit )
	use threads   && myconf+=( --with-threads )

	# HTTP modules
	for mod in $NGINX_MODULES_STD; do
		if use nginx_modules_http_${mod}; then
			http_enabled=1
		else
			myconf+=( --without-http_${mod}_module )
		fi
	done

	for mod in $NGINX_MODULES_OPT; do
		if use nginx_modules_http_${mod}; then
			http_enabled=1
			myconf+=( --with-http_${mod}_module )
		fi
	done

	if use nginx_modules_http_fastcgi; then
		myconf+=( --with-http_realip_module )
	fi

	# third-party modules
	if use nginx_modules_http_upload_progress; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_UPLOAD_PROGRESS_MODULE_WD} )
	fi

	if use nginx_modules_http_headers_more; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_HEADERS_MORE_MODULE_WD} )
	fi

	if use nginx_modules_http_cache_purge; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_CACHE_PURGE_MODULE_WD} )
	fi

	if use nginx_modules_http_slowfs_cache; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_SLOWFS_CACHE_MODULE_WD} )
	fi

	if use nginx_modules_http_fancyindex; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_FANCYINDEX_MODULE_WD} )
	fi

	if use nginx_modules_http_lua; then
		http_enabled=1
Jerzy Kołosowski's avatar
Jerzy Kołosowski committed
550 551
		export LUAJIT_LIB=$(pkg-config --variable libdir luajit)
		export LUAJIT_INC=$(pkg-config --variable includedir luajit)
Root's avatar
Root committed
552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615
		myconf+=( --add-module=${DEVEL_KIT_MODULE_WD} )
		myconf+=( --add-module=${HTTP_LUA_MODULE_WD} )
	fi

	if use nginx_modules_http_auth_pam; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_AUTH_PAM_MODULE_WD} )
	fi

	if use nginx_modules_http_upstream_check; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_UPSTREAM_CHECK_MODULE_WD} )
	fi

	if use nginx_modules_http_metrics; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_METRICS_MODULE_WD} )
	fi

	if use nginx_modules_http_naxsi ; then
		http_enabled=1
		myconf+=(  --add-module=${HTTP_NAXSI_MODULE_WD} )
	fi

	if use rtmp ; then
		http_enabled=1
		myconf+=( --add-module=${RTMP_MODULE_WD} )
	fi

	if use nginx_modules_http_dav_ext ; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_DAV_EXT_MODULE_WD} )
	fi

	if use nginx_modules_http_echo ; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_ECHO_MODULE_WD} )
	fi

	if use nginx_modules_http_security ; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_SECURITY_MODULE_WD}/nginx/modsecurity )
	fi

	if use nginx_modules_http_push_stream ; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_PUSH_STREAM_MODULE_WD} )
	fi

	if use nginx_modules_http_sticky ; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_STICKY_MODULE_WD} )
	fi

	if use nginx_modules_http_mogilefs ; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_MOGILEFS_MODULE_WD} )
	fi

	if use nginx_modules_http_memc ; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_MEMC_MODULE_WD} )
	fi

Jerzy Kołosowski's avatar
Jerzy Kołosowski committed
616 617 618 619 620
	if use nginx_modules_http_auth_ldap; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_LDAP_MODULE_WD} )
	fi

Root's avatar
Root committed
621 622 623 624 625 626 627 628 629 630
	if use nginx_modules_http_auth_spnego ; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_AUTH_SPNEGO_MODULE_WD} )
	fi

	if use nginx_modules_http_ajp ; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_AJP_MODULE_WD} )
	fi

Jerzy Kołosowski's avatar
Jerzy Kołosowski committed
631
	if use nginx_modules_http_ct ; then
Root's avatar
Root committed
632
		http_enabled=1
Jerzy Kołosowski's avatar
Jerzy Kołosowski committed
633
		myconf+=( --add-module=${HTTP_CT_MODULE_WD} )
Root's avatar
Root committed
634 635
	fi

Jerzy Kołosowski's avatar
Jerzy Kołosowski committed
636 637 638 639 640
	if use nginx_modules_http_vhost_traffic_status; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_VHOST_TRAFFIC_STATUS_MODULE_WD} )
	fi

Jerzy Kołosowski's avatar
Jerzy Kołosowski committed
641 642 643 644
	if use nginx_modules_http_geoip2 || use nginx_modules_stream_geoip2; then
		myconf+=( --add-module=${GEOIP2_MODULE_WD} )
	fi

Jerzy Kołosowski's avatar
Jerzy Kołosowski committed
645 646 647 648 649 650 651 652 653 654
	if use nginx_modules_http_javascript || use nginx_modules_stream_javascript; then
		myconf+=( --add-module="${NJS_MODULE_WD}/nginx" )
	fi

	if use nginx_modules_http_brotli; then
		http_enabled=1
		myconf+=( --add-module=${HTTP_BROTLI_MODULE_WD} )
	fi

	if use http || use http-cache || use http2 || use nginx_modules_http_javascript; then
Root's avatar
Root committed
655 656 657 658 659 660 661 662 663 664
		http_enabled=1
	fi

	if [ $http_enabled ]; then
		use http-cache || myconf+=( --without-http-cache )
		use ssl && myconf+=( --with-http_ssl_module )
	else
		myconf+=( --without-http --without-http-cache )
	fi

Root's avatar
Root committed
665
	# Stream modules
Jerzy Kołosowski's avatar
Jerzy Kołosowski committed
666
	for mod in $NGINX_MODULES_STREAM_STD; do
Root's avatar
Root committed
667 668 669
		if use nginx_modules_stream_${mod}; then
			stream_enabled=1
		else
Jerzy Kołosowski's avatar
Jerzy Kołosowski committed
670 671 672 673 674 675 676 677
			myconf+=( --without-stream_${mod}_module )
		fi
	done

	for mod in $NGINX_MODULES_STREAM_OPT; do
		if use nginx_modules_stream_${mod}; then
			stream_enabled=1
			myconf+=( --with-stream_${mod}_module )
Root's avatar
Root committed
678 679 680
		fi
	done

Jerzy Kołosowski's avatar
Jerzy Kołosowski committed
681
	if use nginx_modules_stream_geoip2 || use nginx_modules_stream_javascript; then
Jerzy Kołosowski's avatar
Jerzy Kołosowski committed
682 683 684
		stream_enabled=1
	fi

Root's avatar
Root committed
685 686 687 688 689
	if [ $stream_enabled ]; then
		myconf+=( --with-stream )
		use ssl && myconf+=( --with-stream_ssl_module )
	fi

Root's avatar
Root committed
690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713
	# MAIL modules
	for mod in $NGINX_MODULES_MAIL; do
		if use nginx_modules_mail_${mod}; then
			mail_enabled=1
		else
			myconf+=( --without-mail_${mod}_module )
		fi
	done

	if [ $mail_enabled ]; then
		myconf+=( --with-mail )
		use ssl && myconf+=( --with-mail_ssl_module )
	fi

	# custom modules
	for mod in $NGINX_ADD_MODULES; do
		myconf+=(  --add-module=${mod} )
	done

	# https://bugs.gentoo.org/286772
	export LANG=C LC_ALL=C
	tc-export CC

	if ! use prefix; then
Jerzy Kołosowski's avatar
Jerzy Kołosowski committed
714 715
		myconf+=( --user=${PN} )
		myconf+=( --group=${PN} )
Root's avatar
Root committed
716 717
	fi

Jerzy Kołosowski's avatar
Jerzy Kołosowski committed
718 719 720 721 722
	local WITHOUT_IPV6=
	if ! use ipv6; then
		WITHOUT_IPV6=" -DNGX_HAVE_INET6=0"
	fi

Jerzy Kołosowski's avatar
Jerzy Kołosowski committed
723 724 725 726 727
	if [[ -n "${EXTRA_ECONF}" ]]; then
		myconf+=( ${EXTRA_ECONF} )
		ewarn "EXTRA_ECONF applied. Now you are on your own, good luck!"
	fi

Root's avatar
Root committed
728 729 730 731 732 733
	./configure \
		--prefix="${EPREFIX}"/usr \
		--conf-path="${EPREFIX}"/etc/${PN}/${PN}.conf \
		--error-log-path="${EPREFIX}"/var/log/${PN}/error_log \
		--pid-path="${EPREFIX}"/run/${PN}.pid \
		--lock-path="${EPREFIX}"/run/lock/${PN}.lock \
Jerzy Kołosowski's avatar
Jerzy Kołosowski committed
734
		--with-cc-opt="-I${EROOT}usr/include${WITHOUT_IPV6}" \
Root's avatar
Root committed
735 736 737 738 739 740 741
		--with-ld-opt="-L${EROOT}usr/$(get_libdir)" \
		--http-log-path="${EPREFIX}"/var/log/${PN}/access_log \
		--http-client-body-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/client \
		--http-proxy-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/proxy \
		--http-fastcgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/fastcgi \
		--http-scgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/scgi \
		--http-uwsgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/uwsgi \
Jerzy Kołosowski's avatar
Jerzy Kołosowski committed
742
		--with-compat \
Root's avatar
Root committed
743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761
		"${myconf[@]}" || die "configure failed"

	# A purely cosmetic change that makes nginx -V more readable. This can be
	# good if people outside the gentoo community would troubleshoot and
	# question the users setup.
	sed -i -e "s|${WORKDIR}|external_module|g" objs/ngx_auto_config.h || die
}

# Build mod_security first when it is enabled, then nginx itself.
# Globals read: HTTP_SECURITY_MODULE_WD, CC, LDFLAGS. Exports LANG and LC_ALL.
src_compile() {
	if use nginx_modules_http_security; then
		emake -C "${HTTP_SECURITY_MODULE_WD}"
	fi

	# Build under the C locale, see https://bugs.gentoo.org/286772
	LANG=C
	LC_ALL=C
	export LANG LC_ALL

	# The same LDFLAGS are handed to both the LINK command and OTHERLDFLAGS.
	emake LINK="${CC} ${LDFLAGS}" OTHERLDFLAGS="${LDFLAGS}"
}

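# Install nginx into the image directory: binaries, config, service files,
# documentation, and the runtime directories with their ownership and modes.
#
# Globals read: D, ED, S, FILESDIR, PN, NGINX_HOME_TMP, *_MODULE_P,
#               *_MODULE_WD
# Dies when copying the config or removing the default htdocs fails.
src_install() {
	emake DESTDIR="${D%/}" install

	cp "${FILESDIR}"/nginx.conf-r2 "${ED}"etc/nginx/nginx.conf || die

	newinitd "${FILESDIR}"/nginx.initd-r4 nginx
	newconfd "${FILESDIR}"/nginx.confd nginx

	systemd_newunit "${FILESDIR}"/nginx.service-r1 nginx.service

	doman man/nginx.8
	dodoc CHANGES* README

	# just keepdir. do not copy the default htdocs files (bug #449136)
	keepdir /var/www/localhost
	# ${D:?} aborts instead of running rm -rf on a relative path should D
	# ever be empty.
	rm -rf "${D:?}"usr/html || die

	# set up a list of directories to keep
	# An array keeps each directory as one word even if NGINX_HOME_TMP
	# contained whitespace.
	local keepdir_list=( "${NGINX_HOME_TMP}/client" )
	local module
	for module in proxy fastcgi scgi uwsgi; do
		if use "nginx_modules_http_${module}"; then
			keepdir_list+=( "${NGINX_HOME_TMP}/${module}" )
		fi
	done

	keepdir /var/log/nginx "${keepdir_list[@]}"

	# this solves a problem with SELinux where nginx doesn't see the directories
	# as root and tries to create them as nginx
	fperms 0750 "${NGINX_HOME_TMP}"
	fowners "${PN}:0" "${NGINX_HOME_TMP}"

	# Temp directories hold request and response bodies: owner-only access.
	fperms 0700 "${keepdir_list[@]}"
	fowners "${PN}:${PN}" "${keepdir_list[@]}"

	# The log directory stays owned by root; the ${PN} group only gets
	# search permission (0710). This is the same layout pkg_postinst
	# applies to existing installations for CVE-2016-1247.
	fperms 0710 /var/log/nginx
	fowners "0:${PN}" /var/log/nginx

	# logrotate
	insinto /etc/logrotate.d
	newins "${FILESDIR}"/nginx.logrotate-r1 nginx

	# pax-mark m relaxes PaX MPROTECT for the installed binary, presumably
	# because LuaJIT generates code at run time. On PaX kernels this
	# removes that memory protection from nginx, so USE=luajit should only
	# be enabled where it is needed.
	if use luajit; then
		pax-mark m "${ED%/}/usr/sbin/nginx"
	fi

	if use nginx_modules_http_perl; then
		cd "${S}"/objs/src/http/modules/perl/ || die
		emake DESTDIR="${D}" INSTALLDIRS=vendor
		perl_delete_localpod
		cd "${S}" || die
	fi

	# Per-module documentation; each module gets its own doc subdirectory.
	if use nginx_modules_http_cache_purge; then
		docinto "${HTTP_CACHE_PURGE_MODULE_P}"
		dodoc "${HTTP_CACHE_PURGE_MODULE_WD}"/{CHANGES,README.md,TODO.md}
	fi

	if use nginx_modules_http_slowfs_cache; then
		docinto "${HTTP_SLOWFS_CACHE_MODULE_P}"
		dodoc "${HTTP_SLOWFS_CACHE_MODULE_WD}"/{CHANGES,README.md}
	fi

	if use nginx_modules_http_fancyindex; then
		docinto "${HTTP_FANCYINDEX_MODULE_P}"
		dodoc "${HTTP_FANCYINDEX_MODULE_WD}"/README.rst
	fi

	if use nginx_modules_http_lua; then
		docinto "${HTTP_LUA_MODULE_P}"
		dodoc "${HTTP_LUA_MODULE_WD}"/README.markdown
	fi

	if use nginx_modules_http_auth_pam; then
		docinto "${HTTP_AUTH_PAM_MODULE_P}"
		dodoc "${HTTP_AUTH_PAM_MODULE_WD}"/{README.md,ChangeLog}
	fi

	if use nginx_modules_http_upstream_check; then
		docinto "${HTTP_UPSTREAM_CHECK_MODULE_P}"
		dodoc "${HTTP_UPSTREAM_CHECK_MODULE_WD}"/{README,CHANGES}
	fi

	# naxsi ships its core rule set; it is installed next to nginx.conf.
	if use nginx_modules_http_naxsi; then
		insinto /etc/nginx
		doins "${HTTP_NAXSI_MODULE_WD}"/../naxsi_config/naxsi_core.rules
	fi

	if use rtmp; then
		docinto "${RTMP_MODULE_P}"
		dodoc "${RTMP_MODULE_WD}"/{AUTHORS,README.md,stat.xsl}
	fi

	if use nginx_modules_http_dav_ext; then
		docinto "${HTTP_DAV_EXT_MODULE_P}"
		dodoc "${HTTP_DAV_EXT_MODULE_WD}"/README.rst
	fi

	if use nginx_modules_http_echo; then
		docinto "${HTTP_ECHO_MODULE_P}"
		dodoc "${HTTP_ECHO_MODULE_WD}"/README.markdown
	fi

	if use nginx_modules_http_security; then
		docinto "${HTTP_SECURITY_MODULE_P}"
		dodoc "${HTTP_SECURITY_MODULE_WD}"/{CHANGES,README.md,authors.txt}
	fi

	if use nginx_modules_http_push_stream; then
		docinto "${HTTP_PUSH_STREAM_MODULE_P}"
		dodoc "${HTTP_PUSH_STREAM_MODULE_WD}"/{AUTHORS,CHANGELOG.textile,README.textile}
	fi

	if use nginx_modules_http_sticky; then
		docinto "${HTTP_STICKY_MODULE_P}"
		dodoc "${HTTP_STICKY_MODULE_WD}"/{README.md,Changelog.txt,docs/sticky.pdf}
	fi

	if use nginx_modules_http_memc; then
		docinto "${HTTP_MEMC_MODULE_P}"
		dodoc "${HTTP_MEMC_MODULE_WD}"/README.markdown
	fi

	if use nginx_modules_http_auth_ldap; then
		docinto "${HTTP_LDAP_MODULE_P}"
		dodoc "${HTTP_LDAP_MODULE_WD}"/example.conf
	fi

	if use nginx_modules_http_auth_spnego; then
		docinto "${HTTP_AUTH_SPNEGO_MODULE_P}"
		dodoc "${HTTP_AUTH_SPNEGO_MODULE_WD}"/README.md
	fi

	if use nginx_modules_http_ajp; then
		docinto "${HTTP_AJP_MODULE_P}"
		dodoc "${HTTP_AJP_MODULE_WD}"/{README.markdown,README,README.wiki}
	fi

	if use nginx_modules_http_ct; then
		docinto "${HTTP_CT_MODULE_P}"
		dodoc "${HTTP_CT_MODULE_WD}"/{README.markdown,LICENSE,CHANGELOG.markdown}
	fi
}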

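# Post-install hook: create a TLS certificate when none exists, print
# module-specific warnings, apply the one-time permission fixes for
# CVE-2013-0337 and CVE-2016-1247 when updating from an affected version,
# probe whether the nginx account can still create files in the log
# directory, and show the HTTPoxy mitigation notice.
#
# Globals read: REPLACING_VERSIONS, EROOT, EPREFIX, PN, P, NGINX_HOME_TMP
# Never dies: the package is already merged at this stage, so failures are
# reported through ewarn instead.
pkg_postinst() {
	if use ssl; then
		if [[ ! -f "${EROOT}"etc/ssl/${PN}/${PN}.key ]]; then
			install_cert "/etc/ssl/${PN}/${PN}"
			# NOTE(review): this hands the private key to the ${PN}
			# account. If the key is only ever read by a root-started
			# master process, root ownership would be tighter; confirm
			# before changing.
			use prefix || chown "${PN}:${PN}" "${EROOT}etc/ssl/${PN}/${PN}".{crt,csr,key,pem}
		fi
	fi

	if use nginx_modules_http_spdy; then
		ewarn ""
		ewarn "In nginx 1.9.5 the spdy module was superseded by http2."
		ewarn "Update your configs and package.use accordingly."
	fi

	if use nginx_modules_http_lua; then
		ewarn ""
		ewarn "While you can build lua 3rd party module against ${P}"
		ewarn "the author warns that >=${PN}-1.11.11 is still not an"
		ewarn "officially supported target yet. You are on your own."
		ewarn "Expect runtime failures, memory leaks and other problems!"
	fi

	if use nginx_modules_http_lua && use http2; then
		ewarn ""
		ewarn "Lua 3rd party module author warns against using ${P} with"
		ewarn "NGINX_MODULES_HTTP=\"lua http2\". For more info, see https://git.io/OldLsg"
	fi

	local _n_permission_layout_checks=0
	local _has_to_adjust_permissions=0
	local _has_to_show_permission_warning=0

	# Defaults to 1 to inform people doing a fresh installation
	# that we ship modified {scgi,uwsgi,fastcgi}_params files
	local _has_to_show_httpoxy_mitigation_notice=1

	# Declared up front so they are defined on every path; they are only
	# evaluated when the loop below has run at least once.
	local _need_to_fix_CVE2013_0337=1
	local _need_to_fix_CVE2016_1247=1
	local _replacing_version_branch=
	local _fixed_in_pvr=

	local _replacing_version=
	for _replacing_version in ${REPLACING_VERSIONS}; do
		_n_permission_layout_checks=$(( _n_permission_layout_checks + 1 ))

		if [[ ${_n_permission_layout_checks} -gt 1 ]]; then
			# Should never happen:
			# Package is abusing slots but doesn't allow multiple parallel installations.
			# If we run into this situation it is unsafe to automatically adjust any
			# permission...
			_has_to_show_permission_warning=1

			ewarn "Replacing multiple ${PN}' versions is unsupported! " \
				"You will have to adjust permissions on your own."

			break
		fi

		_replacing_version_branch=$(get_version_component_range 1-2 "${_replacing_version}")
		debug-print "Updating an existing installation (v${_replacing_version}; branch '${_replacing_version_branch}') ..."

		# Do we need to adjust permissions to fix CVE-2013-0337 (bug #458726, #469094)?
		# This was before we introduced multiple nginx versions so we
		# do not need to distinguish between stable and mainline
		_need_to_fix_CVE2013_0337=1

		if version_is_at_least "1.4.1-r2" "${_replacing_version}"; then
			# We are updating an installation which should already be fixed
			_need_to_fix_CVE2013_0337=0
			debug-print "Skipping CVE-2013-0337 ... existing installation should not be affected!"
		else
			_has_to_adjust_permissions=1
			debug-print "Need to adjust permissions to fix CVE-2013-0337!"
		fi

		# Do we need to inform about HTTPoxy mitigation?
		# In repository since commit 8be44f76d4ac02cebcd1e0e6e6284bb72d054b0f
		if ! version_is_at_least "1.10" "${_replacing_version_branch}"; then
			# Updating from <1.10
			_has_to_show_httpoxy_mitigation_notice=1
			debug-print "Need to inform about HTTPoxy mitigation!"
		else
			# Updating from >=1.10
			_fixed_in_pvr=
			case "${_replacing_version_branch}" in
				"1.10")
					_fixed_in_pvr="1.10.1-r2"
					;;
				"1.11")
					_fixed_in_pvr="1.11.3-r1"
					;;
				*)
					# This should be any future branch.
					# If we run this code it is safe to assume that the user has
					# already seen the HTTPoxy mitigation notice because he/she is doing
					# an update from previous version where we have already shown
					# the warning. Otherwise, we wouldn't hit this code path ...
					_fixed_in_pvr=
					;;
			esac

			if [[ -z "${_fixed_in_pvr}" ]] || version_is_at_least "${_fixed_in_pvr}" "${_replacing_version}"; then
				# We are updating an installation where we already informed
				# that we are mitigating HTTPoxy per default
				_has_to_show_httpoxy_mitigation_notice=0
				debug-print "No need to inform about HTTPoxy mitigation ... information was already shown for existing installation!"
			else
				_has_to_show_httpoxy_mitigation_notice=1
				debug-print "Need to inform about HTTPoxy mitigation!"
			fi
		fi

		# Do we need to adjust permissions to fix CVE-2016-1247 (bug #605008)?
		# All branches up to 1.11 are affected
		_need_to_fix_CVE2016_1247=1

		if ! version_is_at_least "1.10" "${_replacing_version_branch}"; then
			# Updating from <1.10
			_has_to_adjust_permissions=1
			debug-print "Need to adjust permissions to fix CVE-2016-1247!"
		else
			# Updating from >=1.10
			_fixed_in_pvr=
			case "${_replacing_version_branch}" in
				"1.10")
					_fixed_in_pvr="1.10.2-r3"
					;;
				"1.11")
					_fixed_in_pvr="1.11.6-r1"
					;;
				*)
					# This should be any future branch.
					# If we run this code it is safe to assume that we have already
					# adjusted permissions or were never affected because user is
					# doing an update from previous version which was safe or did
					# the adjustments. Otherwise, we wouldn't hit this code path ...
					_fixed_in_pvr=
					;;
			esac

			if [[ -z "${_fixed_in_pvr}" ]] || version_is_at_least "${_fixed_in_pvr}" "${_replacing_version}"; then
				# We are updating an installation which should already be adjusted
				# or which was never affected
				_need_to_fix_CVE2016_1247=0
				debug-print "Skipping CVE-2016-1247 ... existing installation should not be affected!"
			else
				_has_to_adjust_permissions=1
				debug-print "Need to adjust permissions to fix CVE-2016-1247!"
			fi
		fi
	done

	if [[ ${_has_to_adjust_permissions} -eq 1 ]]; then
		# We do not DIE when chmod/chown commands are failing because
		# package is already merged on user's system at this stage
		# and we cannot retry without losing the information that
		# the existing installation needs to adjust permissions.
		# Instead we are going to show a big warning ...

		if [[ ${_has_to_show_permission_warning} -eq 0 ]] && [[ ${_need_to_fix_CVE2013_0337} -eq 1 ]]; then
			ewarn ""
			ewarn "The world-readable bit (if set) has been removed from the"
			ewarn "following directories to mitigate a security bug"
			ewarn "(CVE-2013-0337, bug #458726):"
			ewarn ""
			ewarn "  ${EPREFIX%/}/var/log/nginx"
			ewarn "  ${EPREFIX%/}${NGINX_HOME_TMP}/{,client,proxy,fastcgi,scgi,uwsgi}"
			ewarn ""
			ewarn "Check if this is correct for your setup before restarting nginx!"
			ewarn "This is a one-time change and will not happen on subsequent updates."
			ewarn "Furthermore nginx' temp directories got moved to '${EPREFIX%/}${NGINX_HOME_TMP}'"
			# Quoted prefix, unquoted braces: brace expansion still
			# produces one word per directory.
			chmod o-rwx \
				"${EPREFIX%/}/var/log/nginx" \
				"${EPREFIX%/}${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi} || \
				_has_to_show_permission_warning=1
		fi

		if [[ ${_has_to_show_permission_warning} -eq 0 ]] && [[ ${_need_to_fix_CVE2016_1247} -eq 1 ]]; then
			ewarn ""
			ewarn "The permissions on the following directory have been reset in"
			ewarn "order to mitigate a security bug (CVE-2016-1247, bug #605008):"
			ewarn ""
			ewarn "  ${EPREFIX%/}/var/log/nginx"
			ewarn ""
			ewarn "Check if this is correct for your setup before restarting nginx!"
			# The previous wording ("no other log directory ... is not
			# writeable") was a double negative that stated the opposite
			# of the intended advice.
			ewarn "Also ensure that no other log directory used by any of your"
			ewarn "vhost(s) is writeable for nginx user. Any of your log files"
			ewarn "used by nginx can be abused to escalate privileges!"
			ewarn "This is a one-time change and will not happen on subsequent updates."
			chown 0:nginx "${EPREFIX%/}/var/log/nginx" || _has_to_show_permission_warning=1
			chmod 710 "${EPREFIX%/}/var/log/nginx" || _has_to_show_permission_warning=1
		fi

		if [[ ${_has_to_show_permission_warning} -eq 1 ]]; then
			# Should never happen ...
			ewarn ""
			ewarn "*************************************************************"
			ewarn "***************         W A R N I N G         ***************"
			ewarn "*************************************************************"
			ewarn "The one-time only attempt to adjust permissions of the"
			ewarn "existing nginx installation failed. Be aware that we will not"
			ewarn "try to adjust the same permissions again because now you are"
			ewarn "using a nginx version where we expect that the permissions"
			ewarn "are already adjusted or that you know what you are doing and"
			ewarn "want to keep custom permissions."
			ewarn ""
		fi
	fi

	# Sanity check for CVE-2016-1247
	# Required to warn users who received the warning above and thought
	# they could fix it by unmerging and re-merging the package or have
	# unmerged an affected installation on purpose in the past leaving
	# /var/log/nginx on their system due to keepdir/non-empty folder
	# and are now installing the package again.
	local _sanity_check_testfile
	_sanity_check_testfile=$(mktemp --dry-run "${EPREFIX%/}"/var/log/nginx/.CVE-2016-1247.XXXXXXXXX)

	# The path is embedded in a command string parsed by /bin/sh. Wrap it
	# in single quotes (escaping any embedded single quote) so a prefix
	# containing whitespace or shell metacharacters stays one argument.
	local _quoted_testfile=${_sanity_check_testfile//\'/\'\\\'\'}
	if su -s /bin/sh -c "touch '${_quoted_testfile}'" nginx >/dev/null 2>&1; then
		# Cleanup -- no reason to die here!
		rm -f "${_sanity_check_testfile}"

		ewarn ""
		ewarn "*************************************************************"
		ewarn "***************         W A R N I N G         ***************"
		ewarn "*************************************************************"
		ewarn "Looks like your installation is vulnerable to CVE-2016-1247"
		ewarn "(bug #605008) because nginx user is able to create files in"
		ewarn ""
		ewarn "  ${EPREFIX%/}/var/log/nginx"
		ewarn ""
		ewarn "Also ensure that no other log directory used by any of your"
		ewarn "vhost(s) is writeable for nginx user. Any of your log files"
		ewarn "used by nginx can be abused to escalate privileges!"
	fi

	if [[ ${_has_to_show_httpoxy_mitigation_notice} -eq 1 ]]; then
		# HTTPoxy mitigation
		ewarn ""
		ewarn "This nginx installation comes with a mitigation for the HTTPoxy"
		ewarn "vulnerability for FastCGI, SCGI and uWSGI applications by setting"
		ewarn "the HTTP_PROXY parameter to an empty string per default when you"
		ewarn "are sourcing one of the default"
		ewarn ""
		ewarn "  - 'fastcgi_params' or 'fastcgi.conf'"
		ewarn "  - 'scgi_params'"
		ewarn "  - 'uwsgi_params'"
		ewarn ""
		ewarn "files in your server block(s)."
		ewarn ""
		ewarn "If this is causing any problems for you make sure that you are sourcing the"
		ewarn "default parameters _before_ you set your own values."
		ewarn "If you are relying on user-supplied proxy values you have to remove the"
		ewarn "correlating lines from the file(s) mentioned above."
		ewarn ""
	fi
}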