* [meta-webserver][PATCH 1/2] nginx: update systemd unit using nginx recommendation
@ 2019-01-18 14:26 André Draszik
From: André Draszik @ 2019-01-18 14:26 UTC
To: openembedded-devel
From: André Draszik <andre.draszik@jci.com>
Our systemd unit doesn't follow the official
recommendation, see
https://www.nginx.com/resources/wiki/start/topics/examples/systemd/
Most importantly:
* it should start after some additional specific
targets/units
* using PrivateTmp is a useful security feature, in
particular to avoid cross domain scripting via the
temp folder
* using systemd's $MAINPID, we can distinguish between
multiple running nginx instances correctly
Signed-off-by: André Draszik <andre.draszik@jci.com>
---
meta-webserver/recipes-httpd/nginx/files/nginx.service | 10 +++++++---
meta-webserver/recipes-httpd/nginx/nginx.inc | 1 +
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/meta-webserver/recipes-httpd/nginx/files/nginx.service b/meta-webserver/recipes-httpd/nginx/files/nginx.service
index ce9906171..c6fc0495f 100644
--- a/meta-webserver/recipes-httpd/nginx/files/nginx.service
+++ b/meta-webserver/recipes-httpd/nginx/files/nginx.service
@@ -1,11 +1,15 @@
[Unit]
-Description=Nginx Server
-After=network.target
+Description=The NGINX HTTP and reverse proxy server
+After=syslog.target network.target remote-fs.target nss-lookup.target
+
[Service]
Type=forking
PIDFile=/run/nginx/nginx.pid
+ExecStartPre=@SBINDIR@/nginx -t
ExecStart=@SBINDIR@/nginx
-ExecStop=@SBINDIR@/nginx -s stop
ExecReload=@SBINDIR@/nginx -s reload
+ExecStop=@BINDIR@/kill -s QUIT $MAINPID
+PrivateTmp=true
+
[Install]
WantedBy=multi-user.target
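Review bot: `After=syslog.target` in the new `[Unit]` section orders against a target that current systemd releases no longer ship; the line is harmless but dead, and `After=network.target remote-fs.target nss-lookup.target` expresses everything this unit actually needs. The rest of the hunk is an improvement: `ExecStartPre=@SBINDIR@/nginx -t` refuses to start on a broken configuration instead of leaving the old instance half-replaced, `ExecStop=@BINDIR@/kill -s QUIT $MAINPID` shuts down gracefully and targets exactly the master process systemd read from `PIDFile=/run/nginx/nginx.pid` rather than whatever `nginx -s stop` would have found, and `PrivateTmp=true` gives the service its own /tmp. Worth stating in the commit message that `ExecStartPre` makes a configuration error a hard start failure, since that is a visible behaviour change for people with a broken `nginx.conf`.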
diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc
index 24c2cedf5..ea1c1f782 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx.inc
+++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
@@ -117,6 +117,7 @@ do_install () {
sed -i -e 's,@SYSCONFDIR@,${sysconfdir},g' \
-e 's,@LOCALSTATEDIR@,${localstatedir},g' \
-e 's,@SBINDIR@,${sbindir},g' \
+ -e 's,@BINDIR@,${bindir},g' \
${D}${systemd_unitdir}/system/nginx.service
fi
}
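Review bot: the `sed` chain now substitutes four placeholders (`@SYSCONFDIR@`, `@LOCALSTATEDIR@`, `@SBINDIR@` and the new `@BINDIR@`) but nothing checks that every `@...@` token in `nginx.service` was actually replaced; a placeholder added to the unit later without a matching `-e` would only surface when systemd cannot find `@BINDIR@/kill` at stop time. Consider following the `sed` with a guard such as `grep -q '@[A-Z_]*@' ${D}${systemd_unitdir}/system/nginx.service && bbfatal "unsubstituted placeholder in nginx.service"`. The `@SBINDIR@` and `@BINDIR@` patterns do not overlap, so the order of the expressions is not an issue.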
--
2.20.1
* [meta-webserver][PATCH 2/2] nginx: configuration update
From: André Draszik @ 2019-01-18 14:26 UTC
To: openembedded-devel
From: André Draszik <andre.draszik@jci.com>
Restructure the main configuration file to simplify custom configuration:
* support inclusion of configuration fragments from subdirectories:
- /etc/nginx/modules-enabled/*.conf
- /etc/nginx/conf.d/*.conf
- /etc/nginx/sites-enabled/*
* default site (port 80):
- move into /etc/nginx/sites-available/default_server
and enable via symlink in /etc/nginx/sites-enabled/
- listen on IPv6
- drop unneeded example fragments
* configure and enable gzip
* update TLS settings to drop SSLv3 and enable TLSv1.3 for some safer
defaults
* update remaining bits to follow Debian standard configuration
https://salsa.debian.org/nginx-team/nginx/blob/62a54a8ba66ee6cc1b4f8a33dab9a6f27a3fdac4/debian/conf/nginx.conf
* drop unneeded example configuration bits from /etc/nginx/*.default
These changes, in particular the configuration fragment
support, make it easy to customise nginx based on individual
requirements.
In addition, it is now possible for other recipes / packages
to drop fragments into the respective directories in /etc/nginx
without having to meddle with /etc/nginx/nginx.conf.
Signed-off-by: André Draszik <andre.draszik@jci.com>
---
.../nginx/files/default_server.site | 14 ++
.../recipes-httpd/nginx/files/nginx.conf | 139 +++++-------------
meta-webserver/recipes-httpd/nginx/nginx.inc | 14 ++
3 files changed, 62 insertions(+), 105 deletions(-)
create mode 100644 meta-webserver/recipes-httpd/nginx/files/default_server.site
diff --git a/meta-webserver/recipes-httpd/nginx/files/default_server.site b/meta-webserver/recipes-httpd/nginx/files/default_server.site
new file mode 100644
index 000000000..7a8a215cf
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/files/default_server.site
@@ -0,0 +1,14 @@
+# Default server configuration
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ root /var/www/localhost/html;
+
+ index index.html index.htm;
+
+ server_name _;
+
+ # redirect server error pages to the static page /50x.html
+ error_page 500 502 503 504 /50x.html;
+}
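Review bot: `error_page 500 502 503 504 /50x.html;` is carried over from the old `nginx.conf`, but the dedicated `location = /50x.html { root ...; }` block is not; that is acceptable because `root /var/www/localhost/html;` now sits at server level and the internal redirect resolves against it, but it only works if a `50x.html` is actually installed into that document root, which nothing in this series shows. Either ship one or drop the directive, otherwise a backend failure is answered with a 404 for the missing error page instead of the real 5xx. The pair `listen 80 default_server;` / `listen [::]:80 default_server;` together with `server_name _;` is the right way to make this the catch-all for both address families.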
diff --git a/meta-webserver/recipes-httpd/nginx/files/nginx.conf b/meta-webserver/recipes-httpd/nginx/files/nginx.conf
index 69d3a2adc..6d219422b 100644
--- a/meta-webserver/recipes-httpd/nginx/files/nginx.conf
+++ b/meta-webserver/recipes-httpd/nginx/files/nginx.conf
@@ -1,118 +1,47 @@
-
user www;
-worker_processes 1;
-
-error_log /var/log/nginx/error.log;
-#error_log logs/error.log notice;
-#error_log logs/error.log info;
-
-pid /run/nginx/nginx.pid;
-
+worker_processes 1;
+pid /run/nginx/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
events {
- worker_connections 1024;
+ worker_connections 768;
+ # multi_accept on;
}
-
http {
- include mime.types;
+ # Basic Settings
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
default_type application/octet-stream;
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /var/log/nginx/access.log main;
-
- sendfile on;
- #tcp_nopush on;
-
- #keepalive_timeout 0;
- keepalive_timeout 65;
-
- #gzip on;
-
- server {
- listen 80;
- server_name localhost;
-
- #charset koi8-r;
-
- #access_log logs/host.access.log main;
-
- location / {
- root /var/www/localhost/html;
- index index.html index.htm;
- }
-
- #error_page 404 /404.html;
-
- # redirect server error pages to the static page /50x.html
- #
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /var/www/localhost/html;
- }
-
- # proxy the PHP scripts to Apache listening on 127.0.0.1:80
- #
- #location ~ \.php$ {
- # proxy_pass http://127.0.0.1;
- #}
-
- # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
- #
- #location ~ \.php$ {
- # root html;
- # fastcgi_pass 127.0.0.1:9000;
- # fastcgi_index index.php;
- # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
- # include fastcgi_params;
- #}
-
- # deny access to .htaccess files, if Apache's document root
- # concurs with nginx's one
- #
- #location ~ /\.ht {
- # deny all;
- #}
- }
-
-
- # another virtual host using mix of IP-, name-, and port-based configuration
- #
- #server {
- # listen 8000;
- # listen somename:8080;
- # server_name somename alias another.alias;
-
- # location / {
- # root html;
- # index index.html index.htm;
- # }
- #}
-
-
- # HTTPS server
- #
- #server {
- # listen 443;
- # server_name localhost;
-
- # ssl on;
- # ssl_certificate cert.pem;
- # ssl_certificate_key cert.key;
+ # SSL Settings
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
- # ssl_session_timeout 5m;
+ ## Logging
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
- # ssl_protocols SSLv2 SSLv3 TLSv1;
- # ssl_ciphers HIGH:!aNULL:!MD5;
- # ssl_prefer_server_ciphers on;
+ ## Gzip settings
+ gzip on;
- # location / {
- # root html;
- # index index.html index.htm;
- # }
- #}
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+ ## Virtual Host Configs
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
}
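Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` still enables TLS 1.0 and 1.1, which were already being deprecated by the major browser vendors when this was written and offer nothing TLS 1.2 does not; the commit message promises "safer defaults", so `ssl_protocols TLSv1.2 TLSv1.3;` would match that claim, and a site that really needs the legacy versions can re-add them in its own `sites-enabled` fragment. Two smaller points in the same hunk: `# server_tokens off;` is left commented out, so the default keeps advertising the exact nginx version in the `Server` header and on error pages, and uncommenting it costs nothing. The removed `log_format main` included `$http_x_forwarded_for`, which the built-in `combined` format now used by `access_log /var/log/nginx/access.log;` does not; behind a reverse proxy that means the real client address disappears from the access log, so consider keeping a `log_format` (or noting the change in the commit message) since this is what incident responders will be reading.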
diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc
index ea1c1f782..522942504 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx.inc
+++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
@@ -16,6 +16,7 @@ SRC_URI = " \
file://nginx-cross.patch \
file://0001-Allow-the-overriding-of-the-endianness-via-the-confi.patch \
file://nginx.conf \
+ file://default_server.site \
file://nginx.init \
file://nginx-volatile.conf \
file://nginx.service \
@@ -102,15 +103,28 @@ do_install () {
install -d ${D}${sysconfdir}/nginx
install -m 0644 ${WORKDIR}/nginx.conf ${D}${sysconfdir}/nginx/nginx.conf
+ sed -i 's,/etc/,${sysconfdir}/,g' ${D}${sysconfdir}/nginx/nginx.conf
sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/nginx/nginx.conf
sed -i 's/^user.*/user ${NGINX_USER};/g' ${D}${sysconfdir}/nginx/nginx.conf
+ install -Dm 0644 ${WORKDIR}/default_server.site ${D}${sysconfdir}/nginx/sites-available/default_server
+ sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/nginx/sites-available/default_server
install -d ${D}${sysconfdir}/nginx/sites-enabled
+ ln -s ../sites-available/default_server ${D}${sysconfdir}/nginx/sites-enabled/
install -d ${D}${sysconfdir}/default/volatiles
install -m 0644 ${WORKDIR}/nginx-volatile.conf ${D}${sysconfdir}/default/volatiles/99_nginx
sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/default/volatiles/99_nginx
sed -i 's,@NGINX_USER@,${NGINX_USER},g' ${D}${sysconfdir}/default/volatiles/99_nginx
+ # cleanup configuration folder
+ rm ${D}${sysconfdir}/nginx/*.default
+
+ # add additional configuration folders
+ install -d ${D}${sysconfdir}/nginx/modules-available
+ install -d ${D}${sysconfdir}/nginx/modules-enabled
+ install -d ${D}${sysconfdir}/nginx/server-conf.d
+ install -d ${D}${sysconfdir}/nginx/conf.d
+
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
install -d ${D}${systemd_unitdir}/system
install -m 0644 ${WORKDIR}/nginx.service ${D}${systemd_unitdir}/system/
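Review bot: `install -d ${D}${sysconfdir}/nginx/server-conf.d` creates a directory that nothing references: the new `nginx.conf` includes only `modules-enabled/*.conf`, `conf.d/*.conf` and `sites-enabled/*`, so fragments dropped into `server-conf.d` are silently ignored. Either add a matching `include` or drop the directory. `modules-available` is fine as the counterpart of `modules-enabled`, mirroring the `sites-available`/`sites-enabled` pair that the relative `ln -s ../sites-available/default_server` in this hunk demonstrates (relative, so the link is valid both in `${D}` and on the target). Minor: `rm ${D}${sysconfdir}/nginx/*.default` makes `do_install` fail if a future upstream stops shipping `*.default` files; `rm -f` keeps the cleanup tolerant. The `sed 's,/etc/,${sysconfdir}/,g'` on `nginx.conf` is needed because the new `include` lines are absolute paths; `default_server.site` contains only `/var/` paths, so the single `/var/` substitution applied to it is sufficient.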
--
2.20.1