aboutsummaryrefslogtreecommitdiffstats
path: root/community/nginx-naxsi
diff options
context:
space:
mode:
Diffstat (limited to 'community/nginx-naxsi')
-rw-r--r--community/nginx-naxsi/APKBUILD143
-rw-r--r--community/nginx-naxsi/anonymise.patch76
-rw-r--r--community/nginx-naxsi/ipv6.patch42
-rw-r--r--community/nginx-naxsi/nginx-naxsi.pre-install9
l---------community/nginx-naxsi/nginx-naxsi.pre-upgrade1
-rw-r--r--community/nginx-naxsi/nginx.initd42
-rw-r--r--community/nginx-naxsi/nginx.logrotate12
-rw-r--r--community/nginx-naxsi/sysguard.patch10
8 files changed, 335 insertions, 0 deletions
diff --git a/community/nginx-naxsi/APKBUILD b/community/nginx-naxsi/APKBUILD
new file mode 100644
index 0000000000..c2a265e572
--- /dev/null
+++ b/community/nginx-naxsi/APKBUILD
@@ -0,0 +1,143 @@
+# Maintainer: Stuart Cardall <developer@it-offshore.co.uk>
+# Contributor: Cameron Banta <cbanta@gmail.com>
+# Contributor: Jeff Bilyk <jbilyk@gmail.com>
+# Contributor: Bartłomiej Piotrowski <nospam@bpiotrowski.pl>
+
+pkgname=nginx-naxsi
+_pkgname=nginx
+pkgver=1.9.15
+_ngx_naxsi_ver=0.54
+_ngx_cache_purge_ver=2.3
+_ngx_upstream_fair_ver=0.1.0
+_ngx_http_sysguard_ver=2.1.0
+pkgrel=2
+pkgdesc="lightweight HTTP and reverse proxy server with Naxsi WAF support, see also 'nxapi'"
+url="http://www.nginx.org | https://github.com/nbs-system/naxsi"
+arch="all"
+license="custom"
+install="$pkgname.pre-install $pkgname.pre-upgrade"
+depends="!nginx"
+makedepends="pcre-dev openssl-dev zlib-dev paxmark linux-headers"
+subpackages="$pkgname-doc $pkgname-vim:vim"
+source="http://nginx.org/download/$_pkgname-$pkgver.tar.gz
+ naxsi-$_ngx_naxsi_ver.tar.gz::https://github.com/nbs-system/naxsi/archive/$_ngx_naxsi_ver.tar.gz
+ ngx_cache_purge-$_ngx_cache_purge_ver.tar.gz::https://github.com/FRiCKLE/ngx_cache_purge/archive/$_ngx_cache_purge_ver.tar.gz
+ upstream-fair-$_ngx_upstream_fair_ver.tar.gz::https://github.com/hnlq715/nginx-upstream-fair/archive/v$_ngx_upstream_fair_ver.tar.gz
+ sysguard-$_ngx_http_sysguard_ver.tar.gz::https://github.com/itoffshore/nginx-http-sysguard/archive/$_ngx_http_sysguard_ver.tar.gz
+
+ anonymise.patch
+ ipv6.patch
+ sysguard.patch
+
+ nginx.initd
+ nginx.logrotate
+ "
+
+_builddir="$srcdir"/$_pkgname-$pkgver
+
+prepare() {
+ local i
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
+
+build() {
+ cd "$_builddir"
+ ./configure \
+ --add-module="$srcdir/naxsi-$_ngx_naxsi_ver/naxsi_src" \
+ --add-module="$srcdir/nginx-http-sysguard-$_ngx_http_sysguard_ver" \
+ --prefix=/usr \
+ --conf-path=/etc/$_pkgname/$_pkgname.conf \
+ --pid-path=/var/run/$_pkgname.pid \
+ --lock-path=/var/run/$_pkgname.lock \
+ --error-log-path=/var/log/$_pkgname/error.log \
+ --http-log-path=/var/log/$_pkgname/access.log \
+ --http-client-body-temp-path=/tmp/$_pkgname/client-body \
+ --http-proxy-temp-path=/tmp/$_pkgname/proxy \
+ --http-fastcgi-temp-path=/tmp/$_pkgname/fastcgi \
+ --user=nginx \
+ --group=nginx \
+ --with-ipv6 \
+ --with-threads \
+ --with-file-aio \
+ --with-pcre-jit \
+ --with-http_ssl_module \
+ --with-http_gzip_static_module \
+ --with-http_v2_module \
+ --with-mail \
+ --with-mail_ssl_module \
+ --with-http_realip_module \
+ --with-http_stub_status_module \
+ --with-http_auth_request_module \
+ --with-stream \
+ --with-stream_ssl_module \
+ --without-http_uwsgi_module \
+ --without-http_scgi_module \
+ --add-module="$srcdir/ngx_cache_purge-$_ngx_cache_purge_ver" \
+ --add-module="$srcdir/nginx-upstream-fair-$_ngx_upstream_fair_ver" \
+ || return 1
+ make || return 1
+}
+
+package() {
+ cd "$_builddir"
+ make DESTDIR="$pkgdir" install
+
+ local paxflags="-m"
+ [ "$CARCH" = "x86" ] && paxflags="-msp"
+ paxmark "$paxflags" "$pkgdir"/usr/sbin/nginx || return 1
+
+ install -m755 -D "$srcdir"/$_pkgname.initd "$pkgdir"/etc/init.d/$_pkgname
+ install -m644 -D "$srcdir"/$_pkgname.logrotate "$pkgdir"/etc/logrotate.d/$_pkgname
+
+ install -m644 -D LICENSE "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
+ install -m644 -D "$srcdir"/naxsi-$_ngx_naxsi_ver/naxsi_config/naxsi_core.rules "$pkgdir"/etc/nginx/naxsi_core.rules
+}
+
+vim() {
+ local t
+
+ depends=""
+ pkgdesc="Vim syntax for Nginx"
+ arch="noarch"
+
+ for t in ftdetect syntax indent; do
+ install -Dm644 "$_builddir"/contrib/vim/$t/$_pkgname.vim \
+ "$subpkgdir"/usr/share/vim/vimfiles/$t/$_pkgname.vim
+ done
+}
+
+md5sums="13cd38e9da3789035750dd45882c4a26 nginx-1.9.15.tar.gz
+1bc31058991268e4cfdb44e9b6d8b3b3 naxsi-0.54.tar.gz
+dc4c0688ed03ca7f5563097c2a8a76ca ngx_cache_purge-2.3.tar.gz
+f3562ef6573f616e254d382d6f86b8e1 upstream-fair-0.1.0.tar.gz
+fdb072dc8d67b573a0ea7983530a7d2b sysguard-2.1.0.tar.gz
+31d29937da95b31714faa399aeb07407 anonymise.patch
+801a87f7f9d27f8ad85b41a78b4c4461 ipv6.patch
+50357b75049d878c0bcce10d0c60f9ed sysguard.patch
+609ea97ab6c3c30f9e8329968aadc4f3 nginx.initd
+8823274a834332d3db4f62bf7dd1fb7d nginx.logrotate"
+sha256sums="cc89b277cc03f403c0b746d60aa5943cdecf59ae48278f8cb7e2df0cbdb6dac3 nginx-1.9.15.tar.gz
+9cc2c09405bc71f78ef26a8b6d70afcea3fccbe8125df70cb0cfc480133daba5 naxsi-0.54.tar.gz
+cb7d5f22919c613f1f03341a1aeb960965269302e9eb23425ccaabd2f5dcbbec ngx_cache_purge-2.3.tar.gz
+dd0bfb79d2489f48ea63ac004d91890cd471eb4020500ce9179c3612cb13246c upstream-fair-0.1.0.tar.gz
+97e0cc9a36fcce375c5b0667b002d2f7acd580e968a2318e3276fbdc1b99f8e4 sysguard-2.1.0.tar.gz
+28adf3605875197d5822fa382f5fd3c9c80f7d3a561e904fee223fa051f98810 anonymise.patch
+a24ef5843ae0afa538b00c37eb7da7870f9d7f146f52a9668678f7296cf71d9b ipv6.patch
+18090329435c32d91621a5943acc5b8bbe89aaa3c2fa334c3a4cdeb00efb6226 sysguard.patch
+8cbef405295eac299dfc3b9b119c02bda354a9b335923bed6ff6992c1fd8f493 nginx.initd
+cea0c6f8de55a4c3a3eccc57910de1c3116634082c8e5b660630fb927a29f38d nginx.logrotate"
+sha512sums="563cec7828d1e398ded83579c3c4afcd83fd809662e64a0212e25a34ce1b599135558e9fd8cee3e07ba028ee4b308e40ce9910a5071a3d8e3b7ec9f9bdef95f0 nginx-1.9.15.tar.gz
+91934bfd41495715269cc6e549d17f6da66f2bdd0c9a6821fa9096b694dd3927109c4aad2f8b327620ae7c34f76a0839ac16669cd8c65081bc01fa7f829c1d43 naxsi-0.54.tar.gz
+81929ca57ce5c2e1af6ec43882a54ff1da8dc77786bfb7505ff94fbcf970ae8870b419dc5c0bc7b80794d75a359e0100f360c1cf458a300f802b1d8bd7053811 ngx_cache_purge-2.3.tar.gz
+2ff9894986c5cd483ecee97d8818675ef6d063e5f45bb66e8cf56c78bbd043b9c0c37eb3cf650b7cfb6d40da9f7a4ba0e030fe39de5ef1f715cbcd6560248428 upstream-fair-0.1.0.tar.gz
+f9587b8aa7a2b09be016dc6f7a07fe3fee154d16172194e899bf3c78a3f4e373c78f79932794cd9ac75793514c606ab878f88be9400b70e37528d263f1541b34 sysguard-2.1.0.tar.gz
+f8e46dafcf553edd35699dc2a47a54756e0a4c690fc13f81436ad9db1026739ba331ad99d3d05d8a7c089a5c067bf45f4aca3a98fdd9483b7b0123a837e695be anonymise.patch
+68d64a84568ec2df0366925ab282a05ebe21a85044b6c7844a47573cfd8cc8ed119cc772358bc3fff36e2d4fdf583a730592825f5f98632993ca86d1f8438d5f ipv6.patch
+2dca2ac74fb92e330fde7b6b6120b2fd2565c377a629c9536cf77beebe41aa4b092d4229d5b487b0fb02be4f2cc5b897c429c87bbbbc7b0d31e1cbb94231ddce sysguard.patch
+6e9a37176c0ca5a463a2745401bc5a6f9c002a236244b615a2803ec04404cc768678a1fa27ee047f81f4ccf002f7bea4b803522049f4ef839c61bb83577b9d65 nginx.initd
+01b77cff16f6e8bfd7fa1d4d20f625bbcddd08f0509173452d060c342c93dc315a7b0560f4734323a5d29ea294de0491f2e3f32e5337574e1a28ebc005eceea8 nginx.logrotate"
diff --git a/community/nginx-naxsi/anonymise.patch b/community/nginx-naxsi/anonymise.patch
new file mode 100644
index 0000000000..17bca99b51
--- /dev/null
+++ b/community/nginx-naxsi/anonymise.patch
@@ -0,0 +1,76 @@
+--- nginx-1.6.1/src/http/ngx_http_header_filter_module.c
++++ nginx-1.6.1/src/http/ngx_http_header_filter_module.c
+@@ -46,8 +46,8 @@
+ };
+
+
+-static char ngx_http_server_string[] = "Server: nginx" CRLF;
+-static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
++static char ngx_http_server_string[] = "";
++static char ngx_http_server_full_string[] = "";
+
+
+ static ngx_str_t ngx_http_status_lines[] = {
+@@ -278,8 +278,8 @@
+ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
+ if (r->headers_out.server == NULL) {
+- len += clcf->server_tokens ? sizeof(ngx_http_server_full_string) - 1:
+- sizeof(ngx_http_server_string) - 1;
++ len += clcf->server_tokens ? sizeof(ngx_http_server_full_string) - 0:
++ sizeof(ngx_http_server_string) - 0;
+ }
+
+ if (r->headers_out.date == NULL) {
+--- nginx-1.6.1/src/http/ngx_http_special_response.c
++++ nginx-1.6.1/src/http/ngx_http_special_response.c
+@@ -19,14 +19,14 @@
+
+
+ static u_char ngx_http_error_full_tail[] =
+-"<hr><center>" NGINX_VER "</center>" CRLF
++"<hr><center>127.0.0.1</center>" CRLF
+ "</body>" CRLF
+ "</html>" CRLF
+ ;
+
+
+ static u_char ngx_http_error_tail[] =
+-"<hr><center>nginx</center>" CRLF
++"<hr><center>localhost</center>" CRLF
+ "</body>" CRLF
+ "</html>" CRLF
+ ;
+--- nginx-1.9.12/src/http/v2/ngx_http_v2_filter_module.c
++++ nginx-1.9.12/src/http/v2/ngx_http_v2_filter_module.c.new
+@@ -229,9 +229,9 @@
+
+ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
+- if (r->headers_out.server == NULL) {
++/* if (r->headers_out.server == NULL) {
+ len += 1 + (clcf->server_tokens ? nginx_ver_len : sizeof(nginx));
+- }
++ } */
+
+ if (r->headers_out.date == NULL) {
+ len += 1 + ngx_http_v2_literal_size("Wed, 31 Dec 1986 18:00:00 GMT");
+@@ -434,7 +434,7 @@
+ pos = ngx_sprintf(pos, "%03ui", r->headers_out.status);
+ }
+
+- if (r->headers_out.server == NULL) {
++/* if (r->headers_out.server == NULL) {
+ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0,
+ "http2 output header: \"server: %s\"",
+ clcf->server_tokens ? NGINX_VER : "nginx");
+@@ -453,7 +453,7 @@
+ } else {
+ pos = ngx_cpymem(pos, nginx, sizeof(nginx));
+ }
+- }
++ } */
+
+ if (r->headers_out.date == NULL) {
+ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0,
+
diff --git a/community/nginx-naxsi/ipv6.patch b/community/nginx-naxsi/ipv6.patch
new file mode 100644
index 0000000000..9b05f8ff83
--- /dev/null
+++ b/community/nginx-naxsi/ipv6.patch
@@ -0,0 +1,42 @@
+--- a/src/http/ngx_http_core_module.c
++++ b/src/http/ngx_http_core_module.c
+@@ -2442,7 +2442,11 @@
+ ngx_uint_t i;
+ ngx_conf_t pcf;
+ ngx_http_module_t *module;
++#if (NGX_HAVE_INET6)
++ struct sockaddr_in6 *sin6;
++#else
+ struct sockaddr_in *sin;
++#endif
+ ngx_http_conf_ctx_t *ctx, *http_ctx;
+ ngx_http_listen_opt_t lsopt;
+ ngx_http_core_srv_conf_t *cscf, **cscfp;
+@@ -2526,6 +2530,19 @@
+ if (rv == NGX_CONF_OK && !cscf->listen) {
+ ngx_memzero(&lsopt, sizeof(ngx_http_listen_opt_t));
+
++#if (NGX_HAVE_INET6)
++ sin6 = &lsopt.u.sockaddr_in6;
++
++ sin6->sin6_family = AF_INET6;
++#if (NGX_WIN32)
++ sin6->sin6_port = htons(80);
++#else
++ sin6->sin6_port = htons((getuid() == 0) ? 80 : 8000);
++#endif
++ sin6->sin6_addr = in6addr_any;
++
++ lsopt.socklen = sizeof(struct sockaddr_in6);
++#else
+ sin = &lsopt.u.sockaddr_in;
+
+ sin->sin_family = AF_INET;
+@@ -2537,6 +2554,7 @@
+ sin->sin_addr.s_addr = INADDR_ANY;
+
+ lsopt.socklen = sizeof(struct sockaddr_in);
++#endif
+
+ lsopt.backlog = NGX_LISTEN_BACKLOG;
+ lsopt.rcvbuf = -1;
diff --git a/community/nginx-naxsi/nginx-naxsi.pre-install b/community/nginx-naxsi/nginx-naxsi.pre-install
new file mode 100644
index 0000000000..8512f43dda
--- /dev/null
+++ b/community/nginx-naxsi/nginx-naxsi.pre-install
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+addgroup -S -g 82 www-data 2>/dev/null
+addgroup -S nginx 2>/dev/null
+adduser -S -D -H -h /var/www/localhost/htdocs -s /sbin/nologin -G nginx \
+ -g nginx nginx 2>/dev/null
+addgroup nginx www-data 2>/dev/null
+
+exit 0
diff --git a/community/nginx-naxsi/nginx-naxsi.pre-upgrade b/community/nginx-naxsi/nginx-naxsi.pre-upgrade
new file mode 120000
index 0000000000..364e0b943c
--- /dev/null
+++ b/community/nginx-naxsi/nginx-naxsi.pre-upgrade
@@ -0,0 +1 @@
+nginx-naxsi.pre-install \ No newline at end of file
diff --git a/community/nginx-naxsi/nginx.initd b/community/nginx-naxsi/nginx.initd
new file mode 100644
index 0000000000..bec20dddaa
--- /dev/null
+++ b/community/nginx-naxsi/nginx.initd
@@ -0,0 +1,42 @@
+#!/sbin/openrc-run
+
+extra_started_commands="reload"
+extra_commands="configtest"
+
+depend() {
+ need net
+ use dns logger netmount
+}
+
+CONFFILE=${CONFFILE:-/etc/nginx/${SVCNAME}.conf}
+PIDFILE=${PIDFILE:-/var/run/${SVCNAME}.pid}
+
+configtest() {
+ ebegin "Checking ${SVCNAME} configuration"
+ mkdir -p /tmp/nginx
+ /usr/sbin/nginx -c ${CONFFILE} -t
+ eend $? "failed, please correct errors above"
+}
+
+start() {
+ configtest || return 1
+ ebegin "Starting ${SVCNAME}"
+ start-stop-daemon --start --pidfile "${PIDFILE}" \
+ --exec /usr/sbin/nginx -- -c ${CONFFILE} -g "pid ${PIDFILE};"
+ eend $? "Failed to start ${SVCNAME}"
+}
+
+stop() {
+ configtest || return 1
+ ebegin "Stopping ${SVCNAME}"
+ start-stop-daemon --stop --pidfile "${PIDFILE}"
+ eend $? "Failed to stop ${SVCNAME}"
+ rm -f "${PIDFILE}"
+}
+
+reload() {
+ configtest || return 1
+ ebegin "Refreshing ${SVCNAME} configuration"
+ kill -HUP $(cat "${PIDFILE}") &>/dev/null
+ eend $? "Failed to reload nginx"
+}
diff --git a/community/nginx-naxsi/nginx.logrotate b/community/nginx-naxsi/nginx.logrotate
new file mode 100644
index 0000000000..7778b1108b
--- /dev/null
+++ b/community/nginx-naxsi/nginx.logrotate
@@ -0,0 +1,12 @@
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-servers/nginx/files/nginx.logrotate,v 1.1 2010/01/03 20:29:40 djc Exp $
+
+/var/log/nginx/*.log {
+ missingok
+ sharedscripts
+ postrotate
+ kill -USR1 `cat /var/run/nginx.pid`
+ endscript
+}
+
diff --git a/community/nginx-naxsi/sysguard.patch b/community/nginx-naxsi/sysguard.patch
new file mode 100644
index 0000000000..be8b0d2ee4
--- /dev/null
+++ b/community/nginx-naxsi/sysguard.patch
@@ -0,0 +1,10 @@
+--- a/src/http/ngx_http_request.h
++++ b/src/http/ngx_http_request.h
+@@ -498,6 +498,7 @@
+ */
+ unsigned limit_conn_set:1;
+ unsigned limit_req_set:1;
++ unsigned sysguard_set:1;
+
+ #if 0
+ unsigned cacheable:1;