diff --git a/0001-remove-Werror-in-upstream-build-scripts.patch b/0001-remove-Werror-in-upstream-build-scripts.patch index b23f719..2695031 100644 --- a/0001-remove-Werror-in-upstream-build-scripts.patch +++ b/0001-remove-Werror-in-upstream-build-scripts.patch @@ -1,7 +1,7 @@ From 00cab63102084b89de0a3494a1d023c4b1d4982b Mon Sep 17 00:00:00 2001 From: Felix Kaechele Date: Sun, 7 Jun 2020 12:14:02 -0400 -Subject: [PATCH 1/3] remove Werror in upstream build scripts +Subject: [PATCH 1/2] remove Werror in upstream build scripts removes -Werror in upstream build scripts. -Werror conflicts with -D_FORTIFY_SOURCE=2 causing warnings to turn into errors. diff --git a/0002-change-logs-permissions-to-664.patch b/0002-change-logs-permissions-to-664.patch deleted file mode 100644 index d6b9017..0000000 --- a/0002-change-logs-permissions-to-664.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 4efd7b508fa018ca9def7f42c5887cf85bf2c23d Mon Sep 17 00:00:00 2001 -From: Felix Kaechele -Date: Sun, 7 Jun 2020 12:14:54 -0400 -Subject: [PATCH 2/3] change logs permissions to 664 - -This patch is carried downstream only. - -Signed-off-by: Felix Kaechele ---- - src/core/ngx_cycle.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/core/ngx_cycle.c b/src/core/ngx_cycle.c -index 6978c3e..1e2071c 100644 ---- a/src/core/ngx_cycle.c -+++ b/src/core/ngx_cycle.c -@@ -1195,7 +1195,7 @@ ngx_reopen_files(ngx_cycle_t *cycle, ngx_uid_t user) - } - - fd = ngx_open_file(file[i].name.data, NGX_FILE_APPEND, -- NGX_FILE_CREATE_OR_OPEN, NGX_FILE_DEFAULT_ACCESS); -+ NGX_FILE_CREATE_OR_OPEN, NGX_FILE_DEFAULT_ACCESS | 0220); - - ngx_log_debug3(NGX_LOG_DEBUG_EVENT, cycle->log, 0, - "reopen file \"%s\", old:%d new:%d", --- -2.31.1 - diff --git a/0002-fix-PIDFile-handling.patch b/0002-fix-PIDFile-handling.patch new file mode 100644 index 0000000..5748b63 --- /dev/null +++ b/0002-fix-PIDFile-handling.patch 
@@ -0,0 +1,108 @@ +From 62470498cca9a209aa9904668c1949f5229123af Mon Sep 17 00:00:00 2001 +From: Felix Kaechele +Date: Tue, 20 Apr 2021 21:28:18 -0400 +Subject: [PATCH 2/2] fix PIDFile handling + +Corresponding RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1869026 + +Rejected upstream: https://trac.nginx.org/nginx/ticket/1897 + +Taken from: https://git.launchpad.net/ubuntu/+source/nginx/tree/debian/patches/nginx-fix-pidfile.patch + +From original patch: +Author: Tj +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1581864 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876365 +iLast-Update: 2020-06-24 + +Signed-off-by: Felix Kaechele +--- + src/core/nginx.c | 24 +++++++++++++++++++++--- + src/os/unix/ngx_daemon.c | 8 ++++++-- + 2 files changed, 27 insertions(+), 5 deletions(-) + +diff --git a/src/core/nginx.c b/src/core/nginx.c +index 48a20e9..32c0afe 100644 +--- a/src/core/nginx.c ++++ b/src/core/nginx.c +@@ -339,14 +339,21 @@ main(int argc, char *const *argv) + ngx_process = NGX_PROCESS_MASTER; + } + ++ /* tell-tale to detect if this is parent or child process */ ++ ngx_int_t child_pid = NGX_BUSY; ++ + #if !(NGX_WIN32) + + if (ngx_init_signals(cycle->log) != NGX_OK) { + return 1; + } + ++ /* tell-tale that this code has been executed */ ++ child_pid--; ++ + if (!ngx_inherited && ccf->daemon) { +- if (ngx_daemon(cycle->log) != NGX_OK) { ++ child_pid = ngx_daemon(cycle->log); ++ if (child_pid == NGX_ERROR) { + return 1; + } + +@@ -359,8 +366,19 @@ main(int argc, char *const *argv) + + #endif + +- if (ngx_create_pidfile(&ccf->pid, cycle->log) != NGX_OK) { +- return 1; ++ /* If ngx_daemon() returned the child's PID in the parent process ++ * after the fork() set ngx_pid to the child_pid, which gets ++ * written to the PID file, then exit. ++ * For NGX_WIN32 always write the PID file ++ * For others, only write it from the parent process */ ++ if (child_pid < NGX_OK || child_pid > NGX_OK) { ++ ngx_pid = child_pid > NGX_OK ? 
child_pid : ngx_pid; ++ if (ngx_create_pidfile(&ccf->pid, cycle->log) != NGX_OK) { ++ return 1; ++ } ++ } ++ if (child_pid > NGX_OK) { ++ exit(0); + } + + if (ngx_log_redirect_stderr(cycle) != NGX_OK) { +diff --git a/src/os/unix/ngx_daemon.c b/src/os/unix/ngx_daemon.c +index 385c49b..3719854 100644 +--- a/src/os/unix/ngx_daemon.c ++++ b/src/os/unix/ngx_daemon.c +@@ -7,14 +7,17 @@ + + #include + #include ++#include + + + ngx_int_t + ngx_daemon(ngx_log_t *log) + { + int fd; ++ /* retain the return value for passing back to caller */ ++ pid_t pid_child = fork(); + +- switch (fork()) { ++ switch (pid_child) { + case -1: + ngx_log_error(NGX_LOG_EMERG, log, ngx_errno, "fork() failed"); + return NGX_ERROR; +@@ -23,7 +26,8 @@ ngx_daemon(ngx_log_t *log) + break; + + default: +- exit(0); ++ /* let caller do the exit() */ ++ return pid_child; + } + + ngx_parent = ngx_pid; +-- +2.31.1 + diff --git a/0003-fix-PIDFile-handling.patch b/0003-fix-PIDFile-handling.patch deleted file mode 100644 index 7690dbc..0000000 --- a/0003-fix-PIDFile-handling.patch +++ /dev/null 
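Review bot: The `child_pid` sentinel added to main() in the nginx.c part of this carried patch depends on the numeric values of `NGX_BUSY` and `NGX_OK` rather than on named states. The `child_pid--` marked "tell-tale that this code has been executed" is never tested on the visible lines, where every later check only compares against `NGX_OK`. The value written to the PID file is what the service manager treats as the main process, so this branch should be readable at a glance: `if (child_pid < NGX_OK || child_pid > NGX_OK)` can be written `if (child_pid != NGX_OK)`, and the decrement can go unless something outside the hunk reads it. A comment such as `/* child_pid: NGX_OK in the daemon child, > NGX_OK (the child's PID) in the parent, any other value when ngx_daemon() was not called */` would record the three cases. Both main() and ngx_daemon() continue outside the quoted hunks.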
@@ -1,108 +0,0 @@ -From 5cfdf8607de1113d1dbbe1018030dc58aa7bbc0a Mon Sep 17 00:00:00 2001 -From: Felix Kaechele -Date: Tue, 20 Apr 2021 21:28:18 -0400 -Subject: [PATCH 3/3] fix PIDFile handling - -Corresponding RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1869026 - -Rejected upstream: https://trac.nginx.org/nginx/ticket/1897 - -Taken from: https://git.launchpad.net/ubuntu/+source/nginx/tree/debian/patches/nginx-fix-pidfile.patch - -From original patch: -Author: Tj -Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1581864 -Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876365 -iLast-Update: 2020-06-24 - -Signed-off-by: Felix Kaechele ---- - src/core/nginx.c | 24 +++++++++++++++++++++--- - src/os/unix/ngx_daemon.c | 8 ++++++-- - 2 files changed, 27 insertions(+), 5 deletions(-) - -diff --git a/src/core/nginx.c b/src/core/nginx.c -index 48a20e9..32c0afe 100644 ---- a/src/core/nginx.c -+++ b/src/core/nginx.c -@@ -339,14 +339,21 @@ main(int argc, char *const *argv) - ngx_process = NGX_PROCESS_MASTER; - } - -+ /* tell-tale to detect if this is parent or child process */ -+ ngx_int_t child_pid = NGX_BUSY; -+ - #if !(NGX_WIN32) - - if (ngx_init_signals(cycle->log) != NGX_OK) { - return 1; - } - -+ /* tell-tale that this code has been executed */ -+ child_pid--; -+ - if (!ngx_inherited && ccf->daemon) { -- if (ngx_daemon(cycle->log) != NGX_OK) { -+ child_pid = ngx_daemon(cycle->log); -+ if (child_pid == NGX_ERROR) { - return 1; - } - -@@ -359,8 +366,19 @@ main(int argc, char *const *argv) - - #endif - -- if (ngx_create_pidfile(&ccf->pid, cycle->log) != NGX_OK) { -- return 1; -+ /* If ngx_daemon() returned the child's PID in the parent process -+ * after the fork() set ngx_pid to the child_pid, which gets -+ * written to the PID file, then exit. -+ * For NGX_WIN32 always write the PID file -+ * For others, only write it from the parent process */ -+ if (child_pid < NGX_OK || child_pid > NGX_OK) { -+ ngx_pid = child_pid > NGX_OK ? 
child_pid : ngx_pid; -+ if (ngx_create_pidfile(&ccf->pid, cycle->log) != NGX_OK) { -+ return 1; -+ } -+ } -+ if (child_pid > NGX_OK) { -+ exit(0); - } - - if (ngx_log_redirect_stderr(cycle) != NGX_OK) { -diff --git a/src/os/unix/ngx_daemon.c b/src/os/unix/ngx_daemon.c -index 385c49b..3719854 100644 ---- a/src/os/unix/ngx_daemon.c -+++ b/src/os/unix/ngx_daemon.c -@@ -7,14 +7,17 @@ - - #include - #include -+#include - - - ngx_int_t - ngx_daemon(ngx_log_t *log) - { - int fd; -+ /* retain the return value for passing back to caller */ -+ pid_t pid_child = fork(); - -- switch (fork()) { -+ switch (pid_child) { - case -1: - ngx_log_error(NGX_LOG_EMERG, log, ngx_errno, "fork() failed"); - return NGX_ERROR; -@@ -23,7 +26,8 @@ ngx_daemon(ngx_log_t *log) - break; - - default: -- exit(0); -+ /* let caller do the exit() */ -+ return pid_child; - } - - ngx_parent = ngx_pid; --- -2.31.1 - diff --git a/nginx.conf b/nginx.conf index f85920a..3cfe698 100644 --- a/nginx.conf +++ b/nginx.conf @@ -45,11 +45,11 @@ http { include /etc/nginx/default.d/*.conf; error_page 404 /404.html; - location = /40x.html { + location = /404.html { } error_page 500 502 503 504 /50x.html; - location = /50x.html { + location = /50x.html { } } diff --git a/nginx.logrotate b/nginx.logrotate index 353da6e..7f8b0a9 100644 --- a/nginx.logrotate +++ b/nginx.logrotate @@ -1,5 +1,4 @@ /var/log/nginx/*log { - create 0664 nginx root daily rotate 10 missingok diff --git a/nginx.service b/nginx.service index 6f5792e..b8e73a5 100644 --- a/nginx.service +++ b/nginx.service @@ -12,7 +12,7 @@ PIDFile=/run/nginx.pid ExecStartPre=/usr/bin/rm -f /run/nginx.pid ExecStartPre=/usr/sbin/nginx -t ExecStart=/usr/sbin/nginx -ExecReload=/bin/kill -s HUP $MAINPID +ExecReload=/usr/sbin/nginx -s reload KillSignal=SIGQUIT TimeoutStopSec=5 KillMode=mixed diff --git a/nginx.spec b/nginx.spec index 59bb9b3..5156f2b 100644 --- a/nginx.spec +++ b/nginx.spec 
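Review bot: The new `ExecReload=/usr/sbin/nginx -s reload` no longer signals systemd's `$MAINPID`. `nginx -s` takes the target PID from the pid file named in the nginx configuration, so reload now depends on that `pid` setting staying in step with `PIDFile=/run/nginx.pid` in this unit. If an administrator changes `pid` in nginx.conf, the reload would address whatever PID that other file holds, or fail, while systemd keeps tracking the original master. A comment above the line would record the coupling: `# nginx -s reload parses the config and signals the PID from its pid file; keep "pid" in nginx.conf equal to PIDFile=`. The rest of the unit is outside the hunk.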
@@ -29,7 +29,7 @@ Name: nginx Epoch: 1 Version: 1.20.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A high performance web server and reverse proxy server # BSD License (two clause) @@ -58,13 +58,9 @@ Source210: UPGRADE-NOTES-1.6-to-1.10 # -D_FORTIFY_SOURCE=2 causing warnings to turn into errors. Patch0: 0001-remove-Werror-in-upstream-build-scripts.patch -# downstream patch - changing logs permissions to 664 instead -# previous 644 -Patch1: 0002-change-logs-permissions-to-664.patch - # downstream patch - fix PIDFile race condition (rhbz#1869026) # rejected upstream: https://trac.nginx.org/nginx/ticket/1897 -Patch2: 0003-fix-PIDFile-handling.patch +Patch1: 0002-fix-PIDFile-handling.patch BuildRequires: make BuildRequires: gcc @@ -72,8 +68,12 @@ BuildRequires: gnupg2 %if 0%{?with_gperftools} BuildRequires: gperftools-devel %endif +%if 0%{?fedora} || 0%{?rhel} >= 8 BuildRequires: openssl-devel -BuildRequires: pcre2-devel +%else +BuildRequires: openssl11-devel +%endif +BuildRequires: pcre-devel BuildRequires: zlib-devel Requires: nginx-filesystem = %{epoch}:%{version}-%{release} @@ -88,11 +88,6 @@ Obsoletes: nginx-mod-http-geoip <= 1:1.16 Requires: system-logos-httpd %endif -%if 0%{?rhel} > 0 && 0%{?rhel} < 8 -# Introduced at 1:1.10.0-1 to ease upgrade path. To be removed later. -Requires: nginx-all-modules = %{epoch}:%{version}-%{release} -%endif - Requires: openssl Requires: pcre Requires(pre): nginx-filesystem @@ -100,7 +95,9 @@ Requires(pre): nginx-filesystem Requires: nginx-mimetypes %endif Provides: webserver +%if 0%{?fedora} || 0%{?rhel} >= 8 Recommends: logrotate +%endif BuildRequires: systemd Requires(post): systemd 
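Review bot: In the `@@ -72,8 +68,12 @@` hunk the build dependency becomes `openssl11-devel` on releases older than RHEL 8, but the unconditional `Requires: openssl` visible as context in the `@@ -88,11 +88,6 @@` hunk is left as it was. On EL7 the package therefore still names the base OpenSSL package as its runtime requirement while being built against the openssl11 headers and libraries. RPM's automatic library dependencies presumably pull in the right shared objects, so this is likely harmless at install time, but the explicit line then misleads anyone auditing which TLS library the server uses. Putting the runtime requirement under the same conditional as the build requirement would keep the two in agreement; the EL7 package name below should be confirmed against the repository.

```spec
%if 0%{?fedora} || 0%{?rhel} >= 8
Requires: openssl
%else
Requires: openssl11-libs
%endif
# … unchanged: Requires: pcre and the Requires(pre) lines …
```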
@@ -207,6 +204,13 @@ sed -i -e 's#KillMode=.*#KillMode=process#g' nginx.service sed -i -e 's#PROFILE=SYSTEM#HIGH:!aNULL:!MD5#' nginx.conf %endif +%if 0%{?rhel} == 7 +sed \ + -e 's|\(ngx_feature_path=\)$|\1%{_includedir}/openssl11|' \ + -e 's|\(ngx_feature_libs="\)|\1-L%{_libdir}/openssl11 |' \ + -i auto/lib/openssl/conf +%endif + %build # nginx does not utilize a standard configure script. It has its own @@ -262,7 +266,6 @@ if ! ./configure \ --with-http_sub_module \ --with-http_v2_module \ --with-http_xslt_module=dynamic \ - --with-ipv6 \ --with-mail=dynamic \ --with-mail_ssl_module \ --with-pcre \ @@ -453,7 +456,7 @@ fi %config(noreplace) %{_sysconfdir}/logrotate.d/nginx %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx/tmp -%attr(770,%{nginx_user},root) %dir %{_localstatedir}/log/nginx +%dir %{_localstatedir}/log/nginx %dir %{_libdir}/nginx/modules %files all-modules @@ -498,6 +501,15 @@ fi %changelog +* Wed Apr 21 2021 Felix Kaechele - 1:1.20.0-2 +- sync rawhide and EPEL7 spec files again +- systemd service reload now checks config file (rhbz#1565377) +- drop nginx requirement on nginx-all-modules (rhbz#1708799) +- let nginx handle log creation on logrotate (rhbz#1683388) +- have log directory owned by root (rhbz#1390183, CVE-2016-1247) +- remove obsolete --with-ipv6 (src PR#8) +- correction: pcre2 is actually not supported by nginx, reintroduce pcre + * Wed Apr 21 2021 Felix Kaechele - 1:1.20.0-1 - update to 1.20.0 - sync with mainline spec file
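Review bot: The `sed` added under `%if 0%{?rhel} == 7` edits `auto/lib/openssl/conf` by pattern, and sed exits successfully even when neither expression matches. An upstream change to that file could therefore leave the EL7 build probing the default OpenSSL paths without any error from this step. Because this decides which TLS library the server is linked against, the step should fail loudly: follow the sed with `grep -q 'openssl11' auto/lib/openssl/conf || exit 1`. A comment such as `# EL7: build against the openssl11 compat packages instead of the base openssl` would also tell the next packager why the file is edited in place. The section this block belongs to starts outside the hunk.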
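Review bot: The new `%dir %{_localstatedir}/log/nginx` entry in the `@@ -453,7 +456,7 @@` hunk drops the `%attr` entirely, so the directory's owner and mode now come from whatever `%defattr` and the install step set, neither of which is visible here. The changelog ties this line to CVE-2016-1247, so the intended result should be stated on the line itself, for example `%attr(<mode>,root,root) %dir %{_localstatedir}/log/nginx`, replacing the placeholder with the mode the packager intends. Log files already present in the directory are not listed by the package, so they presumably keep the owner and mode they got under the removed `create 0664 nginx root` rule. A comment would make that explicit: `# existing log files keep their previous owner/mode; only the directory entry changes here`.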