From e07695e1581744e63bd459f7fa827f51c4d8dbf7 Mon Sep 17 00:00:00 2001
From: Valery Kartel <valery.kartel@gmail.com>
Date: Fri, 17 Mar 2017 12:05:44 +0200
Subject: main/nginx: add all modules from testing/nginx-naxsi

- added modules: naxsi, cache_purge, upstream-fair, sysguard

- remade dynamic modules definition
- upgrade modules
    nchan to 1.1.2
    rtmp to 1.1.11
    naxsi to 0.55.3
- add checkconfig to init script
- cleaned and improved APKBUILD
---
 main/nginx/APKBUILD           | 336 +++++++++++++++++++++---------------------
 main/nginx/naxsi.conf         |  24 +++
 main/nginx/nginx.initd        |  28 +++-
 main/nginx/nginx.post-upgrade |  23 ---
 main/nginx/sysguard.patch     |  10 ++
 5 files changed, 218 insertions(+), 203 deletions(-)
 create mode 100644 main/nginx/naxsi.conf
 delete mode 100644 main/nginx/nginx.post-upgrade
 create mode 100644 main/nginx/sysguard.patch

(limited to 'main/nginx')

diff --git a/main/nginx/APKBUILD b/main/nginx/APKBUILD
index 8bacade21d..e325eafdb4 100644
--- a/main/nginx/APKBUILD
+++ b/main/nginx/APKBUILD
@@ -2,103 +2,119 @@
 # Contributor: Jeff Bilyk <jbilyk@gmail.com>
 # Contributor: Bartłomiej Piotrowski <nospam@bpiotrowski.pl>
 # Contributor: Jakub Jirutka <jakub@jirutka.cz>
+# Contributor: Valery Kartel <valery.kartel@gmail.com>
 
 pkgname=nginx
 pkgver=1.10.3
-pkgrel=0
+pkgrel=1
 pkgdesc="HTTP and reverse proxy server"
 url="http://www.nginx.org/en"
 arch="all"
+options="!check"
 license="custom"
-
-# Modules
-_devel_kit_name=ngx_devel_kit
-_devel_kit_ver=0.3.0
-_devel_kit_dir="$srcdir/$_devel_kit_name-$_devel_kit_ver"
-_devel_kit_so="ndk_http_module.so"
-
-_http_echo_name=echo-nginx-module
-_http_echo_ver=0.60
-_http_echo_dir="$srcdir/$_http_echo_name-$_http_echo_ver"
-
-_http_fancyindex_name=ngx-fancyindex
-_http_fancyindex_ver=0.4.1
-_http_fancyindex_dir="$srcdir/$_http_fancyindex_name-$_http_fancyindex_ver"
-
-_http_headers_more_name=headers-more-nginx-module
-_http_headers_more_ver=0.32
-_http_headers_more_dir="$srcdir/$_http_headers_more_name-$_http_headers_more_ver"
-_http_headers_more_so="ngx_http_headers_more_filter_module.so"
-
-_http_lua_name=lua-nginx-module
-_http_lua_ver=0.10.7
-_http_lua_dir="$srcdir/$_http_lua_name-$_http_lua_ver"
-_http_lua_depends="$pkgname-mod-devel-kit"
-_http_lua_provides="$pkgname-lua"  # for backward compatibility
-
-_http_nchan_name=nchan
-_http_nchan_ver=1.1.0
-_http_nchan_dir="$srcdir/$_http_nchan_name-$_http_nchan_ver"
-_http_nchan_so="ngx_nchan_module.so"
-
-_http_upload_progress_name=nginx-upload-progress-module
-_http_upload_progress_ver=0.9.2
-_http_upload_progress_dir="$srcdir/$_http_upload_progress_name-$_http_upload_progress_ver"
-_http_upload_progress_so="ngx_http_uploadprogress_module.so"
-
-_rtmp_name=nginx-rtmp-module
-_rtmp_ver=1.1.10
-_rtmp_dir="$srcdir/$_rtmp_name-$_rtmp_ver"
-_rtmp_provides="$pkgname-rtmp"  # for backward compatibility
-
 depends=""
 [ "$CARCH" = "s390x" ] && _lua_dep="lua5.1-dev" || _lua_dep="luajit-dev"
 makedepends="linux-headers gd-dev geoip-dev libxml2-dev libxslt-dev $_lua_dep
 	libressl-dev paxmark pcre-dev perl-dev pkgconf zlib-dev"
-pkgusers="nginx"
-_grp_ngx="nginx"
-_grp_www="www-data"
-pkggroups="$_grp_ngx $_grp_www"
-install="$pkgname.pre-install $pkgname.post-upgrade"
-subpackages="$pkgname-doc $pkgname-vim::noarch"
-replaces="$pkgname-common $pkgname-initscripts $pkgname-lua $pkgname-rtmp"
+pkgusers="$pkgname"
+pkggroups="$pkgname www-data"
+install="$pkgname.pre-install"
+subpackages="$pkgname-doc $pkgname-vim::noarch $pkgname-mod-http-perl:_perl"
+
+# Modules with external sources
+_dkmod=ngx_devel_kit
+_dkver=0.3.0
+_modsub="$_modsub devel-kit:ndk_http_module"
+_modcfg="$_modcfg --add-dynamic-module=${_dksrc:=$srcdir/$_dkmod-$_dkver}"
+_modsrc="$_modsrc $_dkmod-$_dkver.tar.gz::https://github.com/simpl/$_dkmod/archive/v$_dkver.tar.gz"
+
+_ecmod=echo-nginx-module
+_ecver=0.60
+_modsub="$_modsub http-echo"
+_modcfg="$_modcfg --add-dynamic-module=${_ecsrc:=$srcdir/$_ecmod-$_ecver}"
+_modsrc="$_modsrc $_ecmod-$_ecver.tar.gz::https://github.com/openresty/$_ecmod/archive/v$_ecver.tar.gz"
+
+_fimod=ngx-fancyindex
+_fiver=0.4.1
+_modsub="$_modsub http-fancyindex"
+_modcfg="$_modcfg --add-dynamic-module=${_fisrc:=$srcdir/$_fimod-$_fiver}"
+_modsrc="$_modsrc $_fimod-$_fiver.tar.gz::https://github.com/aperezdc/$_fimod/archive/v$_fiver.tar.gz"
+
+_hmmod=headers-more-nginx-module
+_hmver=0.32
+_modsub="$_modsub http-headers-more:ngx_http_headers_more_filter_module"
+_modcfg="$_modcfg --add-dynamic-module=${_hmsrc:=$srcdir/$_hmmod-$_hmver}"
+_modsrc="$_modsrc $_hmmod-$_hmver.tar.gz::https://github.com/openresty/$_hmmod/archive/v$_hmver.tar.gz"
+
+_lumod=lua-nginx-module
+_luver=0.10.7
+_modsub="$_modsub http-lua"
+_modcfg="$_modcfg --add-dynamic-module=${_lusrc:=$srcdir/$_lumod-$_luver}"
+_modsrc="$_modsrc $_lumod-$_luver.tar.gz::https://github.com/openresty/$_lumod/archive/v$_luver.tar.gz"
+_http_lua_depends="$pkgname-mod-devel-kit"
+
+_ncmod=nchan
+_ncver=1.1.2
+_modsub="$_modsub http-nchan:ngx_nchan_module"
+_modcfg="$_modcfg --add-dynamic-module=${_ncsrc:=$srcdir/$_ncmod-$_ncver}"
+_modsrc="$_modsrc $_ncmod-$_ncver.tar.gz::https://github.com/slact/$_ncmod/archive/v$_ncver.tar.gz"
+
+_upmod=nginx-upload-progress-module
+_upver=0.9.2
+_modsub="$_modsub http-upload-progress:ngx_http_uploadprogress_module"
+_modcfg="$_modcfg --add-dynamic-module=${_upsrc:=$srcdir/$_upmod-$_upver}"
+_modsrc="$_modsrc $_upmod-$_upver.tar.gz::https://github.com/masterzen/$_upmod/archive/v$_upver.tar.gz"
+
+_rtmod=nginx-rtmp-module
+_rtver=1.1.11
+_modsub="$_modsub rtmp"
+_modcfg="$_modcfg --add-dynamic-module=${_rtsrc:=$srcdir/$_rtmod-$_rtver}"
+_modsrc="$_modsrc $_rtmod-$_rtver.tar.gz::https://github.com/arut/$_rtmod/archive/v$_rtver.tar.gz"
+
+_nxmod=naxsi
+_nxver=0.55.3
+_modsub="$_modsub http-naxsi"
+_modcfg="$_modcfg --add-dynamic-module=${_nxsrc:=$srcdir/$_nxmod-$_nxver/naxsi_src}"
+_modsrc="$_modsrc $_nxmod-$_nxver.tar.gz::https://github.com/nbs-system/$_nxmod/archive/$_nxver.tar.gz
+	$_nxmod.conf"
+_http_naxsi_conf="$srcdir/$_nxmod.conf:/etc/$pkgname/conf.d/$_nxmod.conf
+	$srcdir/$_nxmod-$_nxver/naxsi_config/naxsi_core.rules:/etc/$pkgname/naxsi_core.rules"
+
+_cpmod=ngx_cache_purge
+_cpver=2.3.0.1
+_modsub="$_modsub http-cache-purge"
+_modcfg="$_modcfg --add-dynamic-module=${_cpsrc:=$srcdir/$_cpmod-$_cpver}"
+_modsrc="$_modsrc $_cpmod-$_cpver.tar.gz::https://github.com/itoffshore/$_cpmod/archive/v$_cpver.tar.gz"
+
+_ufmod=nginx-upstream-fair
+_ufver=0.1.1
+_modsub="$_modsub http-upstream-fair"
+_modcfg="$_modcfg --add-dynamic-module=${_ufsrc:=$srcdir/$_ufmod-$_ufver}"
+_modsrc="$_modsrc $_ufmod-$_ufver.tar.gz::https://github.com/itoffshore/$_ufmod/archive/v$_ufver.tar.gz"
+
+_sgmod=tengine-http-sysguard
+_sgver=2.2.0
+_modsub="$_modsub http-sysguard"
+_modcfg="$_modcfg --add-dynamic-module=${_sgsrc:=$srcdir/$_sgmod-$_sgver}"
+_modsrc="$_modsrc $_sgmod-$_sgver.tar.gz::https://github.com/itoffshore/$_sgmod/archive/v$_sgver.tar.gz
+	sysguard.patch"
+
 source="http://nginx.org/download/$pkgname-$pkgver.tar.gz
-	$_devel_kit_name-$_devel_kit_ver.tar.gz::https://github.com/simpl/$_devel_kit_name/archive/v$_devel_kit_ver.tar.gz
-	$_http_echo_name-$_http_echo_ver.tar.gz::https://github.com/openresty/$_http_echo_name/archive/v$_http_echo_ver.tar.gz
-	$_http_fancyindex_name-$_http_fancyindex_ver.tar.gz::https://github.com/aperezdc/$_http_fancyindex_name/archive/v$_http_fancyindex_ver.tar.gz
-	$_http_headers_more_name-$_http_headers_more_ver.tar.gz::https://github.com/openresty/$_http_headers_more_name/archive/v$_http_headers_more_ver.tar.gz
-	$_http_lua_name-$_http_lua_ver.tar.gz::https://github.com/openresty/$_http_lua_name/archive/v$_http_lua_ver.tar.gz
-	$_http_nchan_name-$_http_nchan_ver.tar.gz::https://github.com/slact/$_http_nchan_name/archive/v$_http_nchan_ver.tar.gz
-	$_http_upload_progress_name-$_http_upload_progress_ver.tar.gz::https://github.com/masterzen/$_http_upload_progress_name/archive/v$_http_upload_progress_ver.tar.gz
-	$_rtmp_name-$_rtmp_ver.tar.gz::https://github.com/arut/$_rtmp_name/archive/v$_rtmp_ver.tar.gz
 	nginx.conf
 	default.conf
 	$pkgname.logrotate
 	$pkgname.initd
 	ipv6.patch
+	$_modsrc
 	"
-builddir="$srcdir/$pkgname-$pkgver"
-
-_modules_dir="usr/lib/$pkgname/modules"
-_modules="
-	http-geoip
-	http-image-filter
-	http-perl
-	http-xslt-filter
-	mail
-	stream
-	devel-kit
-	http-echo
-	http-fancyindex
-	http-headers-more
-	http-lua
-	http-nchan
-	http-upload-progress
-	rtmp"
-for _m in $_modules; do
-	subpackages="$subpackages $pkgname-mod-$_m:_module"
+_module_dir=usr/lib/$pkgname
+_module_conf=/etc/$pkgname/modules
+for _module in http-geoip http-image-filter http-xslt-filter mail stream $_modsub; do
+	_modvar=${_module//-/_}
+	[ -z "${_module##*:*}" ] && eval _so_${_modvar%:*}=${_module#*:}
+	subpackages="$subpackages $pkgname-mod-${_module%:*}:_module"
 done
-
+builddir="$srcdir/$pkgname-$pkgver"
 
 build() {
 	cd "$builddir"
@@ -108,7 +124,7 @@ build() {
 	./configure \
 		--prefix=/var/lib/$pkgname \
 		--sbin-path=/usr/sbin/$pkgname \
-		--modules-path=/$_modules_dir \
+		--modules-path=/$_module_dir \
 		--conf-path=/etc/$pkgname/$pkgname.conf \
 		--pid-path=/run/$pkgname/$pkgname.pid \
 		--lock-path=/run/$pkgname/$pkgname.lock \
@@ -119,8 +135,8 @@ build() {
 		--http-scgi-temp-path=/var/lib/$pkgname/tmp/scgi \
 		--with-perl_modules_path=/usr/lib/perl5/vendor_perl \
 		\
-		--user=$pkgusers \
-		--group=$_grp_ngx \
+		--user=$pkgname \
+		--group=$pkgname \
 		--with-threads \
 		--with-file-aio \
 		--with-ipv6 \
@@ -149,131 +165,107 @@ build() {
 		--with-mail_ssl_module \
 		--with-stream=dynamic \
 		--with-stream_ssl_module \
-		\
-		--add-dynamic-module="$_devel_kit_dir" \
-		--add-dynamic-module="$_http_echo_dir" \
-		--add-dynamic-module="$_http_fancyindex_dir" \
-		--add-dynamic-module="$_http_headers_more_dir" \
-		--add-dynamic-module="$_http_lua_dir" \
-		--add-dynamic-module="$_http_nchan_dir" \
-		--add-dynamic-module="$_http_upload_progress_dir" \
-		--add-dynamic-module="$_rtmp_dir" \
-		|| return 1
-
-	make || return 1
+		$_modcfg || return 1
+	make
 }
 
 package() {
-	cd "$builddir"
-
-	make DESTDIR="$pkgdir" install || return 1
+	make -C "$builddir" DESTDIR="$pkgdir" install || return 1
 
 	# Disable some PaX protections; this is needed for Lua module.
 	local paxflags="-m"
 	[ "$CARCH" = "x86" ] && paxflags="-msp"
 	paxmark $paxflags "$pkgdir"/usr/sbin/nginx || return 1
 
-	install -Dm644 LICENSE "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
-	install -Dm644 README "$pkgdir"/usr/share/doc/$pkgname/README
-
-	install -Dm644 objs/$pkgname.8 \
+	install -Dm644 "$builddir"/LICENSE \
+		"$pkgdir"/usr/share/licenses/$pkgname/LICENSE || return 1
+	install -Dm644 "$builddir"/README \
+		"$pkgdir"/usr/share/doc/$pkgname/README || return 1
+	install -Dm644 "$builddir"/objs/$pkgname.8 \
 		"$pkgdir"/usr/share/man/man8/$pkgname.8 || return 1
 
-	cp -r "$_devel_kit_dir"/docs \
-		"$pkgdir"/usr/share/doc/$pkgname/$_devel_kit_name || return 1
-	cp -r "$_http_lua_dir"/doc \
-		"$pkgdir"/usr/share/doc/$pkgname/$_http_lua_name || return 1
-	cp -r "$_rtmp_dir"/doc \
-		"$pkgdir"/usr/share/doc/$pkgname/$_rtmp_name || return 1
+	cp -r "$_dksrc"/docs \
+		"$pkgdir"/usr/share/doc/$pkgname/$_dkmod || return 1
+	cp -r "$_lusrc"/doc \
+		"$pkgdir"/usr/share/doc/$pkgname/$_lumod || return 1
+	cp -r "$_rtsrc"/doc \
+		"$pkgdir"/usr/share/doc/$pkgname/$_rtmod || return 1
 
-	cd "$pkgdir"
+	mkdir -p "$pkgdir"/var/log \
+		"$pkgdir"/$_module_conf || return 1
 
-	install -Dm644 "$srcdir"/nginx.conf ./etc/$pkgname/nginx.conf
-	install -Dm644 "$srcdir"/default.conf ./etc/$pkgname/conf.d/default.conf
-	install -Dm755 "$srcdir"/$pkgname.initd ./etc/init.d/$pkgname
-	install -Dm644 "$srcdir"/$pkgname.logrotate ./etc/logrotate.d/$pkgname
+	install -Dm644 "$srcdir"/nginx.conf "$pkgdir"/etc/$pkgname/nginx.conf
+	install -Dm644 "$srcdir"/default.conf \
+		"$pkgdir"/etc/$pkgname/conf.d/default.conf || return 1
+	install -Dm755 "$srcdir"/$pkgname.initd \
+		"$pkgdir"/etc/init.d/$pkgname || return 1
+	install -Dm644 "$srcdir"/$pkgname.logrotate \
+		"$pkgdir"/etc/logrotate.d/$pkgname || return 1
 
-	install -dm755 ./etc/$pkgname/modules
-	install -dm750 -o $pkgusers -g $_grp_ngx ./var/lib/$pkgname
-	install -dm700 -o $pkgusers -g $_grp_ngx ./var/lib/$pkgname/tmp
-	install -dm755 -g $_grp_www ./var/www/localhost/htdocs
+	install -dm750 -o $pkgname -g $pkgname "$pkgdir"/var/lib/$pkgname || return 1
+	install -dm700 -o $pkgname -g $pkgname "$pkgdir"/var/lib/$pkgname/tmp || return 1
+	install -dm755 -g www-data "$pkgdir"/var/www/localhost/htdocs || return 1
 
-	install -dm755 ./var/log
-	mv ./var/lib/$pkgname/logs ./var/log/$pkgname || return 1
+	mv "$pkgdir"/var/lib/$pkgname/logs \
+		"$pkgdir"/var/log/$pkgname || return 1
 
-	ln -sf /$_modules_dir ./var/lib/$pkgname/modules
-	ln -sf /var/log/$pkgname ./var/lib/$pkgname/logs
-	ln -sf /run/$pkgname ./var/lib/$pkgname/run
+	ln -sf /$_module_dir "$pkgdir"/var/lib/$pkgname/modules
+	ln -sf /var/log/$pkgname "$pkgdir"/var/lib/$pkgname/logs
+	ln -sf /run/$pkgname "$pkgdir"/var/lib/$pkgname/run
 
-	rm -rf ./run ./etc/$pkgname/*.default
+	rm -rf "$pkgdir"/run "$pkgdir"/etc/$pkgname/*.default
 }
 
 vim() {
 	pkgdesc="$pkgdesc (vim syntax)"
-	depends=
-
-	mkdir -p "$subpkgdir"/usr/share/vim
-	cp -r "$builddir"/contrib/vim "$subpkgdir"/usr/share/vim/vimfiles
+	mkdir -p "$subpkgdir"/usr/share || return 1
+	cp -r "$builddir"/contrib/vim "$subpkgdir"/usr/share/vim
 }
 
 _module() {
-	local name="${subpkgname#$pkgname-mod-}"
-	name="${name//-/_}"
-	local soname="$(eval "echo \$_${name}_so")";
-	soname="${soname:-"ngx_${name}_module.so"}"
-
+	local name=${subpkgname#$pkgname-mod-}
+	name=${name//-/_}
+	local soname=$(eval echo \$_so_$name)
+	soname="${soname:-ngx_${name}_module}.so"
 	pkgdesc="$pkgdesc (module $name)"
-	depends="$pkgname $(eval "echo \$_${name}_depends")"
-	provides="$(eval "echo \$_${name}_provides")"
+	depends="$pkgname $(eval echo \$_${name}_depends)"
+	provides="$(eval echo \$_${name}_provides)"
 
-	mkdir -p "$subpkgdir"/$_modules_dir
-	cd "$subpkgdir"
+	mkdir -p "$subpkgdir"/$_module_dir \
+		"$subpkgdir"/$_module_conf || return 1
 
-	mv "$pkgdir"/$_modules_dir/$soname ./$_modules_dir/$soname || return 1
+	mv "$pkgdir"/$_module_dir/$soname \
+		"$subpkgdir"/$_module_dir/$soname || return 1
+	echo "load_module \"modules/$soname\";" > "$subpkgdir"/$_module_conf/$name.conf
 
-	mkdir -p "$subpkgdir"/etc/nginx/modules
-	echo "load_module \"modules/$soname\";" > ./etc/nginx/modules/$name.conf
+	local conf;
+	for conf in $(eval echo \$_${name}_conf); do
+		install -Dm644 ${conf%:*} "$subpkgdir"/${conf#*:}
+	done
+}
+
+_perl() {
+	_module || return 1
+	mv "$pkgdir"/usr/lib/perl5 "$subpkgdir"/usr/lib/
 }
 
-md5sums="204a20cb4f0b0c9db746c630d89ff4ea  nginx-1.10.3.tar.gz
-76c503918c003fcc55005b7688f47add  ngx_devel_kit-0.3.0.tar.gz
-897338c2c4bc44f2d56ae06ab9820372  echo-nginx-module-0.60.tar.gz
-e1dd79f0ec82415bbf8a1cb938988955  ngx-fancyindex-0.4.1.tar.gz
-5ce112f12afe155749e2c504997861f7  headers-more-nginx-module-0.32.tar.gz
-6eb0161f495bb996af6bbb58f3cef764  lua-nginx-module-0.10.7.tar.gz
-fbe5a95878ff4365435fd3223256f830  nchan-1.1.0.tar.gz
-7c1a399d36a75bcfa874d98b5462fc09  nginx-upload-progress-module-0.9.2.tar.gz
-2e82501ed423a901ab64bfe2228a0666  nginx-rtmp-module-1.1.10.tar.gz
-256145c0f70d1d1d3b99f854553d48f0  nginx.conf
-c4759cd2812220ab542317f54fbbe755  default.conf
-db194cf3c6c4be12c70c757e0c9ad995  nginx.logrotate
-16dcac0d7a2b406807d3377841d9b480  nginx.initd
-801a87f7f9d27f8ad85b41a78b4c4461  ipv6.patch"
-sha256sums="75020f1364cac459cb733c4e1caed2d00376e40ea05588fb8793076a4c69dd90  nginx-1.10.3.tar.gz
-88e05a99a8a7419066f5ae75966fb1efc409bad4522d14986da074554ae61619  ngx_devel_kit-0.3.0.tar.gz
-1077da2229ac7d0a0215e9e6817e297c10697e095010d88f1adbd1add1ce9f4e  echo-nginx-module-0.60.tar.gz
-2b00d8e0ad2a67152a9cee7b7ee67990c742d501412df912baaf1eee9bb6dc71  ngx-fancyindex-0.4.1.tar.gz
-c6d9dab8ea1fc997031007e2e8f47cced01417e203cd88d53a9fe9f6ae138720  headers-more-nginx-module-0.32.tar.gz
-c21c8937dcdd6fc2b6a955f929e3f4d1388610f47180e60126e6dcab06786f77  lua-nginx-module-0.10.7.tar.gz
-5781349bb460cf96d43e835a7ad3109724fba9ccefdbd967552538edee79c722  nchan-1.1.0.tar.gz
-b286689355442657650421d8e8398bd4abf9dbbaade65947bb0cb74a349cc497  nginx-upload-progress-module-0.9.2.tar.gz
-f9491dd24390b0d5d70dfe3553edf3d14efeb7c7a81b4d4a20c5cfeaefc1141c  nginx-rtmp-module-1.1.10.tar.gz
-df873f301f947192c854994bb0e1bac46f73a5d3cf91df997f1b6a8ed26b5724  nginx.conf
-f53fd49af9b4bc308653abb85d9989879ce1fb48e43c508f5f45c84f74513865  default.conf
-b063611c6cb2d33bd43c4b17bf4135dda25f209bb77e4e66d1b156cffc37fbe6  nginx.logrotate
-3d8a90d2f75b7f24c4d74722b5b3ac11d85f416c2d7641b4280d7c126bfe8395  nginx.initd
-a24ef5843ae0afa538b00c37eb7da7870f9d7f146f52a9668678f7296cf71d9b  ipv6.patch"
 sha512sums="25cddbe5c419700aeca41bff3be5b7c3accfb38ad846ec8d91d81ab7c15f10db719f02d9263edf1fa12f59805ff7001b62864dc2885370b24afeea1d7d2afbbf  nginx-1.10.3.tar.gz
+ac7e3153ab698b4cde077f0d5d7ac0a58897927eb36cf3b58cb01268ca0296f1d589c0a5b4f889b96b5b4a57bef05b17c59be59a9d7c4d7a3d3be58f101f7f41  nginx.conf
+0907f69dc2d3dc1bad3a04fb6673f741f1a8be964e22b306ef9ae2f8e736e1f5733a8884bfe54f3553fff5132a0e5336716250f54272c3fec2177d6ba16986f3  default.conf
+09b110693e3f4377349ccea3c43cb8199c8579ee351eae34283299be99fdf764b0c1bddd552e13e4d671b194501618b29c822e1ad53b34101a73a63954363dbb  nginx.logrotate
+e325d30d431a45801c4072f87f7bce27765e96de27c8f7821b5b0ce0716e1a8657435c93a2e9174c4b8d353fb468e65a8bc20119525e04d3d46ae5ff08cb6f5d  nginx.initd
+68d64a84568ec2df0366925ab282a05ebe21a85044b6c7844a47573cfd8cc8ed119cc772358bc3fff36e2d4fdf583a730592825f5f98632993ca86d1f8438d5f  ipv6.patch
 558764c9be913a4f61d0e277d07bf3c272e1ce086b3fadb85b693a7e92805cd9fca4da7a8d29c96e53fc0d23b331327d3b2561ff61f19d2330e7d5d35ac7d614  ngx_devel_kit-0.3.0.tar.gz
 c455bee73cebd0752449472452d15614b9587ddd199263d366484ede890c4d108eacbbeaef31adc9dc7732b56ef2bfc73c0fef3366366db03a8ec3fdc27a985c  echo-nginx-module-0.60.tar.gz
 ce0043ad4a2b638c5d99244d6caaa65ad142cea78884084a9aeca5a9593c68dbe508c9e4dd85dc5722eb63ef386612bffc48d4b6fc1487df244fbcb7a73bffe1  ngx-fancyindex-0.4.1.tar.gz
 e42582b45c3111de3940bbeb67ce161aca2d55adcfb00c61c12256fa0e36221d38723013f36edbcf6d1b520f8dfb49d4657df8a956e66d36e68425afad382bd1  headers-more-nginx-module-0.32.tar.gz
 d060a13de4d01d77e6d6cd1635ecbb405330e4326b71b89341c1c128ee4182978a51d53355bc07c350e3c3a7df15325e3df380d9c3a98b2ff7d7efa18fa09b32  lua-nginx-module-0.10.7.tar.gz
-bb3a9aec5e4c9f1c376126b4b07c2e5c6cddae3659a9218bd7b0dcaa5b0e1772036eea2c7e45bbb46f61a3a9090f0092fc93e91dbb57fc5b4e65eef6ba14fc23  nchan-1.1.0.tar.gz
+14af65d57325afa961bc6606f2c938acff0206914248b8ca810293113fdab859c1db9c9abce9263b9da5c2371b299770682d9ec49fbf7a356da9fbfb3e15c3c7  nchan-1.1.2.tar.gz
 c31c46344d49704389722325a041b9cd170fa290acefe92cfc572c07f711cd3039de78f28df48ca7dcb79b2e4bbe442580aaaf4d92883fd3a14bf41d66dd9d8c  nginx-upload-progress-module-0.9.2.tar.gz
-bcc0aee3308af7c61bf01a5530fcf1dae938e6778306f6e3eb5995e6d0529f43d33b7ee2acb813d5a39acc92e4853d207a01e8e41b766a6e0dd07aade60cd98f  nginx-rtmp-module-1.1.10.tar.gz
-ac7e3153ab698b4cde077f0d5d7ac0a58897927eb36cf3b58cb01268ca0296f1d589c0a5b4f889b96b5b4a57bef05b17c59be59a9d7c4d7a3d3be58f101f7f41  nginx.conf
-0907f69dc2d3dc1bad3a04fb6673f741f1a8be964e22b306ef9ae2f8e736e1f5733a8884bfe54f3553fff5132a0e5336716250f54272c3fec2177d6ba16986f3  default.conf
-09b110693e3f4377349ccea3c43cb8199c8579ee351eae34283299be99fdf764b0c1bddd552e13e4d671b194501618b29c822e1ad53b34101a73a63954363dbb  nginx.logrotate
-1ea032cf88021ec8aa1401d284ea738364511cdb9f8c01670deb8e59aae570f5bbe17f0cbab73c0e08d6b342a621b6a9c014832168ed41f6028ecfa4211b60cf  nginx.initd
-68d64a84568ec2df0366925ab282a05ebe21a85044b6c7844a47573cfd8cc8ed119cc772358bc3fff36e2d4fdf583a730592825f5f98632993ca86d1f8438d5f  ipv6.patch"
+e7c897265d1e93b06f7e46a653b113e24d2451e2112a7a6da415f130928437444a0346832fd9c10042397fea6120e4e44acc2bccf649ec30ca5bffbf985672e2  nginx-rtmp-module-1.1.11.tar.gz
+9e8f41a5cd1342cc9b8aa334a603842d14a256aab1f4a21205bb1278aecbb0c49e39c889d8113a5b41aad2efeaa2ed9f11cba6929173f50add91f54c4c59c8a0  naxsi-0.55.3.tar.gz
+3f6cb5ae900d0d9938f0da9788efde5c1ff80522313dd91a7e170811976facb647a734a8a58924993d95f069ec5fadfde728655ac9b37a965cd7200a9785055d  naxsi.conf
+c49c81dbdb8bd507fccf31295e603cea8f0a964867c27eff0436dcea3b4a547c8ae2f11ecf49c4d82c693cf8138c17ebbed395738539d0d61254951e5f0db7e3  ngx_cache_purge-2.3.0.1.tar.gz
+fd305b859c868ef55171b05f64071a2836c12073bcd89d6197af4946a3d1177f77c6708d4d589d460c84967273dee87ca9de97ab0f0d47e6d65f86b465d70316  nginx-upstream-fair-0.1.1.tar.gz
+2743d9aea60bd4984b650213e571cf27e6ff5b3db708242ccb53b8fc669d1cc82ee224ba79aee2f6969b6e13821cfdd3df7b412541e1fdbb867ecc95326e07e1  tengine-http-sysguard-2.2.0.tar.gz
+2dca2ac74fb92e330fde7b6b6120b2fd2565c377a629c9536cf77beebe41aa4b092d4229d5b487b0fb02be4f2cc5b897c429c87bbbbc7b0d31e1cbb94231ddce  sysguard.patch"
diff --git a/main/nginx/naxsi.conf b/main/nginx/naxsi.conf
new file mode 100644
index 0000000000..e3d8d4afd3
--- /dev/null
+++ b/main/nginx/naxsi.conf
@@ -0,0 +1,24 @@
+include /etc/nginx/naxsi_core.rules;
+
+server {
+	listen 4242;
+	server_name localhost;
+	location / {
+		LearningMode;
+		SecRulesEnabled;
+		DeniedUrl "/50x.html";
+		CheckRule "$SQL >= 8" BLOCK;
+		CheckRule "$RFI >= 8" BLOCK;
+		CheckRule "$TRAVERSAL >= 4" BLOCK;
+		CheckRule "$EVADE >= 4" BLOCK;
+		CheckRule "$XSS >= 8" BLOCK;
+		error_log /var/log/nginx/naxsi_error.log debug;
+		access_log /var/log/nginx/naxsi_access.log;
+		root html;
+		index index.html index.htm;
+	}
+	error_page 500 502 503 504 /50x.html;
+	location = /50x.html {
+		root html;
+	}
+}
diff --git a/main/nginx/nginx.initd b/main/nginx/nginx.initd
index 992d5fd5b9..d01874e4f4 100644
--- a/main/nginx/nginx.initd
+++ b/main/nginx/nginx.initd
@@ -1,9 +1,15 @@
 #!/sbin/openrc-run
 
 description="Nginx http and reverse proxy server"
+description_checkconfig="Verify configuration"
+description_upgrade="Upgrade running binary"
+description_reload="Reload configuration"
+description_reopen="Reopen log files"
+
+extra_commands="checkconfig"
 extra_started_commands="reload reopen upgrade"
 
-cfgfile=${cfgfile:-/etc/nginx/nginx.conf}
+cfgfile=${NGINX_CONFIG:-/etc/nginx/nginx.conf}
 pidfile=/run/nginx/nginx.pid
 command=/usr/sbin/nginx
 command_args="-c $cfgfile"
@@ -14,29 +20,35 @@ depend() {
 	use dns logger netmount
 }
 
+checkconfig() {
+	ebegin "Checking $RC_SVCNAME config"
+	$command $command_args -t
+	eend $?
+}
+
 start_pre() {
 	ebegin
-	checkpath --directory --owner nginx:nginx ${pidfile%/*}
-	$command $command_args -t -q
+	checkpath -d -o ${NGINX_OWNER:-nginx:nginx} ${pidfile%/*}
+	checkconfig >/dev/null 2>&1
 	eend $?
 }
 
 reload() {
-	ebegin "Reloading ${SVCNAME} configuration"
-	start_pre && start-stop-daemon --signal HUP --pidfile $pidfile
+	ebegin "Reloading $RC_SVCNAME configuration"
+	checkconfig >/dev/null 2>&1 && start-stop-daemon --signal HUP --pidfile $pidfile
 	eend $?
 }
 
 reopen() {
-	ebegin "Reopening ${SVCNAME} log files"
+	ebegin "Reopening $RC_SVCNAME log files"
 	start-stop-daemon --signal USR1 --pidfile $pidfile
 	eend $?
 }
 
 upgrade() {
-	start_pre || return 1
+	checkconfig || return $?
 
-	ebegin "Upgrading ${SVCNAME} binary"
+	ebegin "Upgrading $RC_SVCNAME binary"
 
 	einfo "Sending USR2 to old binary"
 	start-stop-daemon --signal USR2 --pidfile $pidfile
diff --git a/main/nginx/nginx.post-upgrade b/main/nginx/nginx.post-upgrade
deleted file mode 100644
index 6d9e698dc7..0000000000
--- a/main/nginx/nginx.post-upgrade
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/sh
-
-ver_new="$1"
-ver_old="$2"
-
-if [ "$(apk version -t "$ver_old" "1.10.1-r3")" = "<" ]; then
-	cat 1>&2 <<-EOF
-	*
-	* The nginx package has been modified to use dynamic modules. Now there's
-	* just single package providing nginx executable and bunch of nginx-mod-*
-	* subpackages.
-	*
-	* Lua support is now provided by package nginx-mod-http-lua, RTMP support
-	* is provided by nginx-mod-rtmp.
-	*
-	* Modules mail and stream are dynamic modules too and so not included
-	* by default anymore. If you use them, install nginx-mod-mail and
-	* nginx-mod-stream.
-	* 
-	EOF
-fi
-
-exit 0
diff --git a/main/nginx/sysguard.patch b/main/nginx/sysguard.patch
new file mode 100644
index 0000000000..be8b0d2ee4
--- /dev/null
+++ b/main/nginx/sysguard.patch
@@ -0,0 +1,10 @@
+--- a/src/http/ngx_http_request.h
++++ b/src/http/ngx_http_request.h
+@@ -498,6 +498,7 @@
+      */
+     unsigned                          limit_conn_set:1;
+     unsigned                          limit_req_set:1;
++    unsigned                          sysguard_set:1;
+ 
+ #if 0
+     unsigned                          cacheable:1;
-- 
cgit v1.2.3