testing/nginx-naxsi: new aport

NGINX with naxsi WAF support https://github.com/nbs-system/naxsi

Built with the same modules as Debian + SysGuard from Tengine.

Nginx patched to anonymise server strings.

With the WAF & SysGuard enabled nginx-naxsi benchmarked @ approx
600 connections / second (the same as the standard Alpine nginx pkg).
With the WAF disabled 640 connections / second (as the mail modules
are removed as per the naxsi author's recommendation).

1 files changed, 42 insertions, 0 deletions

diff --git a/testing/nginx-naxsi/ipv6.patch b/testing/nginx-naxsi/ipv6.patch
new file mode 100644
index 0000000000..9b05f8ff83
--- /dev/null
+++ b/testing/nginx-naxsi/ipv6.patch
@@ -0,0 +1,42 @@
+--- a/src/http/ngx_http_core_module.c
++++ b/src/http/ngx_http_core_module.c
+@@ -2442,7 +2442,11 @@
+     ngx_uint_t                   i;
+     ngx_conf_t                   pcf;
+     ngx_http_module_t           *module;
++#if (NGX_HAVE_INET6)
++    struct sockaddr_in6         *sin6;
++#else
+     struct sockaddr_in          *sin;
++#endif
+     ngx_http_conf_ctx_t         *ctx, *http_ctx;
+     ngx_http_listen_opt_t        lsopt;
+     ngx_http_core_srv_conf_t    *cscf, **cscfp;
+@@ -2526,6 +2530,19 @@
+     if (rv == NGX_CONF_OK && !cscf->listen) {
+         ngx_memzero(&lsopt, sizeof(ngx_http_listen_opt_t));
+
++#if (NGX_HAVE_INET6)
++        sin6 = &lsopt.u.sockaddr_in6;
++
++        sin6->sin6_family = AF_INET6;
++#if (NGX_WIN32)
++        sin6->sin6_port = htons(80);
++#else
++        sin6->sin6_port = htons((getuid() == 0) ? 80 : 8000);
++#endif
++        sin6->sin6_addr = in6addr_any;
++
++        lsopt.socklen = sizeof(struct sockaddr_in6);
++#else
+         sin = &lsopt.u.sockaddr_in;
+
+         sin->sin_family = AF_INET;
+@@ -2537,6 +2554,7 @@
+         sin->sin_addr.s_addr = INADDR_ANY;
+
+         lsopt.socklen = sizeof(struct sockaddr_in);
++#endif
+
+         lsopt.backlog = NGX_LISTEN_BACKLOG;
+         lsopt.rcvbuf = -1;