* [meta-webserver][PATCH 1/2] nginx: update systemd unit using nginx recommendation
@ 2019-01-18 14:26 André Draszik
From: André Draszik @ 2019-01-18 14:26 UTC (permalink / raw)
  To: openembedded-devel

From: André Draszik <andre.draszik@jci.com>

Our systemd unit doesn't follow the official
recommendation, see
    https://www.nginx.com/resources/wiki/start/topics/examples/systemd/

Most importantly:
* it should start after some additional specific
  targets/units
* using PrivateTmp is a useful security feature, in
  particular to avoid cross domain scripting via the
  temp folder
* using systemd's $MAINPID, we can distinguish between
  multiple running nginx instances correctly

Signed-off-by: André Draszik <andre.draszik@jci.com>
---
 meta-webserver/recipes-httpd/nginx/files/nginx.service | 10 +++++++---
 meta-webserver/recipes-httpd/nginx/nginx.inc           |  1 +
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/meta-webserver/recipes-httpd/nginx/files/nginx.service b/meta-webserver/recipes-httpd/nginx/files/nginx.service
index ce9906171..c6fc0495f 100644
--- a/meta-webserver/recipes-httpd/nginx/files/nginx.service
+++ b/meta-webserver/recipes-httpd/nginx/files/nginx.service
@@ -1,11 +1,15 @@
 [Unit]
-Description=Nginx Server
-After=network.target
+Description=The NGINX HTTP and reverse proxy server
+After=syslog.target network.target remote-fs.target nss-lookup.target
+
 [Service]
 Type=forking
 PIDFile=/run/nginx/nginx.pid
+ExecStartPre=@SBINDIR@/nginx -t
 ExecStart=@SBINDIR@/nginx
-ExecStop=@SBINDIR@/nginx -s stop
 ExecReload=@SBINDIR@/nginx -s reload
+ExecStop=@BINDIR@/kill -s QUIT $MAINPID
+PrivateTmp=true
+
 [Install]
 WantedBy=multi-user.target
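Review bot: `After=syslog.target` names a target that systemd removed long ago (journald took its place and its socket is always available), so it is a no-op here and a sign that the nginx wiki snippet is dated; `network.target remote-fs.target nss-lookup.target` is the part that matters. Two behaviour changes deserve a sentence in the commit message: `nginx -s stop` was a fast shutdown (TERM) while `kill -s QUIT $MAINPID` asks the master for a graceful one, and the unit now depends on an external `kill` binary at a templated path. `KillSignal=SIGQUIT` with no `ExecStop` would let systemd deliver the same signal itself (workers treat QUIT as graceful too) and removes the `@BINDIR@` templating. `PrivateTmp=true` also hides any upstream socket another service drops into /tmp (php-fpm, uwsgi) from nginx; such sockets belong under /run.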
diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc
index 24c2cedf5..ea1c1f782 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx.inc
+++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
@@ -117,6 +117,7 @@ do_install () {
         sed -i -e 's,@SYSCONFDIR@,${sysconfdir},g' \
             -e 's,@LOCALSTATEDIR@,${localstatedir},g' \
             -e 's,@SBINDIR@,${sbindir},g' \
+            -e 's,@BINDIR@,${bindir},g' \
             ${D}${systemd_unitdir}/system/nginx.service
     fi
 }
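Review bot: `${bindir}` expands to /usr/bin, but on an OE image without the usrmerge distro feature `kill` lands in `${base_bindir}` (/bin) whether it comes from busybox, procps or util-linux, so the rendered `ExecStop=/usr/bin/kill -s QUIT $MAINPID` points at a file that does not exist; systemd logs the stop as failed and falls back to SIGTERM on the cgroup, which is exactly the non-graceful shutdown the unit change tries to avoid. Either add `-e 's,@BASE_BINDIR@,${base_bindir},g'` here and reference `@BASE_BINDIR@/kill` in the unit, or drop the variable altogether by using `KillSignal=SIGQUIT`.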
-- 
2.20.1




* [meta-webserver][PATCH 2/2] nginx: configuration update
@ 2019-01-18 14:26 André Draszik
From: André Draszik @ 2019-01-18 14:26 UTC (permalink / raw)
  To: openembedded-devel

From: André Draszik <andre.draszik@jci.com>

Restructure the main configuration file to simplify custom configuration:
* support inclusion of configuration fragments from subdirectories:
  - /etc/nginx/modules-enabled/*.conf
  - /etc/nginx/conf.d/*.conf
  - /etc/nginx/sites-enabled/*
* default site (port 80):
  - move into /etc/nginx/sites-available/default_server
    and enable via symlink in /etc/nginx/sites-enabled/
  - listen on IPv6
  - drop unneeded example fragments
* configure and enable gzip
* update TLS settings to drop SSLv3 and enable TLSv1.3 for some safer
  defaults
* update remaining bits to follow Debian standard configuration
  https://salsa.debian.org/nginx-team/nginx/blob/62a54a8ba66ee6cc1b4f8a33dab9a6f27a3fdac4/debian/conf/nginx.conf
* drop unneeded example configuration bits from /etc/nginx/*.default

These changes, in particular the configuration fragment
support, make it easy to customise nginx based on individual
requirements.
In addition, it is now possible for other recipes / packages
to drop fragments into the respective directories in /etc/nginx
without having to meddle with /etc/nginx/nginx.conf.

Signed-off-by: André Draszik <andre.draszik@jci.com>
---
 .../nginx/files/default_server.site           |  14 ++
 .../recipes-httpd/nginx/files/nginx.conf      | 139 +++++-------------
 meta-webserver/recipes-httpd/nginx/nginx.inc  |  14 ++
 3 files changed, 62 insertions(+), 105 deletions(-)
 create mode 100644 meta-webserver/recipes-httpd/nginx/files/default_server.site

diff --git a/meta-webserver/recipes-httpd/nginx/files/default_server.site b/meta-webserver/recipes-httpd/nginx/files/default_server.site
new file mode 100644
index 000000000..7a8a215cf
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/files/default_server.site
@@ -0,0 +1,14 @@
+# Default server configuration
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    root /var/www/localhost/html;
+
+    index index.html index.htm;
+
+    server_name _;
+
+    # redirect server error pages to the static page /50x.html
+    error_page 500 502 503 504 /50x.html;
+}
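Review bot: `error_page 500 502 503 504 /50x.html;` survived the move but the `location = /50x.html { root ...; }` block did not; with `root` now at server scope the internal redirect still resolves under /var/www/localhost/html, so the error handling only works if the recipe ships a 50x.html there, which the patch does not show. If the page should be reachable only through the redirect, add `location = /50x.html { internal; }`. The pair of `listen 80` / `listen [::]:80` lines is fine as written since nginx defaults `ipv6only=on` for `[::]` sockets, so they do not collide.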
diff --git a/meta-webserver/recipes-httpd/nginx/files/nginx.conf b/meta-webserver/recipes-httpd/nginx/files/nginx.conf
index 69d3a2adc..6d219422b 100644
--- a/meta-webserver/recipes-httpd/nginx/files/nginx.conf
+++ b/meta-webserver/recipes-httpd/nginx/files/nginx.conf
@@ -1,118 +1,47 @@
-
 user  www;
-worker_processes  1;
-
-error_log  /var/log/nginx/error.log;
-#error_log  logs/error.log  notice;
-#error_log  logs/error.log  info;
-
-pid        /run/nginx/nginx.pid;
-
+worker_processes 1;
+pid /run/nginx/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
 
 events {
-    worker_connections  1024;
+    worker_connections 768;
+    # multi_accept on;
 }
 
-
 http {
-    include       mime.types;
+    # Basic Settings
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    # server_tokens off;
+
+    # server_names_hash_bucket_size 64;
+    # server_name_in_redirect off;
+
+    include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
 
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-
-    access_log  /var/log/nginx/access.log  main;
-
-    sendfile        on;
-    #tcp_nopush     on;
-
-    #keepalive_timeout  0;
-    keepalive_timeout  65;
-
-    #gzip  on;
-
-    server {
-        listen       80;
-        server_name  localhost;
-
-        #charset koi8-r;
-
-        #access_log  logs/host.access.log  main;
-
-        location / {
-            root   /var/www/localhost/html;
-            index  index.html index.htm;
-        }
-
-        #error_page  404              /404.html;
-
-        # redirect server error pages to the static page /50x.html
-        #
-        error_page   500 502 503 504  /50x.html;
-        location = /50x.html {
-            root   /var/www/localhost/html;
-        }
-
-        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
-        #
-        #location ~ \.php$ {
-        #    proxy_pass   http://127.0.0.1;
-        #}
-
-        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
-        #
-        #location ~ \.php$ {
-        #    root           html;
-        #    fastcgi_pass   127.0.0.1:9000;
-        #    fastcgi_index  index.php;
-        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
-        #    include        fastcgi_params;
-        #}
-
-        # deny access to .htaccess files, if Apache's document root
-        # concurs with nginx's one
-        #
-        #location ~ /\.ht {
-        #    deny  all;
-        #}
-    }
-
-
-    # another virtual host using mix of IP-, name-, and port-based configuration
-    #
-    #server {
-    #    listen       8000;
-    #    listen       somename:8080;
-    #    server_name  somename  alias  another.alias;
-
-    #    location / {
-    #        root   html;
-    #        index  index.html index.htm;
-    #    }
-    #}
-
-
-    # HTTPS server
-    #
-    #server {
-    #    listen       443;
-    #    server_name  localhost;
-
-    #    ssl                  on;
-    #    ssl_certificate      cert.pem;
-    #    ssl_certificate_key  cert.key;
+    # SSL Settings
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+    ssl_prefer_server_ciphers on;
 
-    #    ssl_session_timeout  5m;
+    ## Logging
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
 
-    #    ssl_protocols  SSLv2 SSLv3 TLSv1;
-    #    ssl_ciphers  HIGH:!aNULL:!MD5;
-    #    ssl_prefer_server_ciphers   on;
+    ## Gzip settings
+    gzip  on;
 
-    #    location / {
-    #        root   html;
-    #        index  index.html index.htm;
-    #    }
-    #}
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
 
+    ## Virtual Host Configs
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
 }
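Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` still enables TLS 1.0 and 1.1, so the "safer defaults" claim only holds relative to the deleted SSLv2/SSLv3 example; unless a known legacy client needs them, make it `ssl_protocols TLSv1.2 TLSv1.3;`. Two checks go with that line: the `TLSv1.3` token is only accepted by nginx 1.13.0 or later built against OpenSSL 1.1.1, on older combinations `nginx -t` rejects the file, so the recipe's nginx and openssl versions need confirming; and `# server_tokens off;` is left commented, keeping the version string in the Server header and on error pages. Less visible in the hunk: removing `log_format main` (the only format carrying `$http_x_forwarded_for`) silently switches `access_log` to the built-in combined format, which loses the client address behind a proxy; and `include /etc/nginx/sites-enabled/*;` has no extension filter, so editor backups such as `default_server~` are loaded as well.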
diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc
index ea1c1f782..522942504 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx.inc
+++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
@@ -16,6 +16,7 @@ SRC_URI = " \
     file://nginx-cross.patch \
     file://0001-Allow-the-overriding-of-the-endianness-via-the-confi.patch \
     file://nginx.conf \
+    file://default_server.site \
     file://nginx.init \
     file://nginx-volatile.conf \
     file://nginx.service \
@@ -102,15 +103,28 @@ do_install () {
 
     install -d ${D}${sysconfdir}/nginx
     install -m 0644 ${WORKDIR}/nginx.conf ${D}${sysconfdir}/nginx/nginx.conf
+    sed -i 's,/etc/,${sysconfdir}/,g' ${D}${sysconfdir}/nginx/nginx.conf
     sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/nginx/nginx.conf
     sed -i 's/^user.*/user ${NGINX_USER};/g' ${D}${sysconfdir}/nginx/nginx.conf
+    install -Dm 0644 ${WORKDIR}/default_server.site ${D}${sysconfdir}/nginx/sites-available/default_server
+    sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/nginx/sites-available/default_server
     install -d ${D}${sysconfdir}/nginx/sites-enabled
+    ln -s ../sites-available/default_server ${D}${sysconfdir}/nginx/sites-enabled/
 
     install -d ${D}${sysconfdir}/default/volatiles
     install -m 0644 ${WORKDIR}/nginx-volatile.conf ${D}${sysconfdir}/default/volatiles/99_nginx
     sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/default/volatiles/99_nginx
     sed -i 's,@NGINX_USER@,${NGINX_USER},g' ${D}${sysconfdir}/default/volatiles/99_nginx
 
+    # cleanup configuration folder
+    rm ${D}${sysconfdir}/nginx/*.default
+
+    # add additional configuration folders
+    install -d ${D}${sysconfdir}/nginx/modules-available
+    install -d ${D}${sysconfdir}/nginx/modules-enabled
+    install -d ${D}${sysconfdir}/nginx/server-conf.d
+    install -d ${D}${sysconfdir}/nginx/conf.d
+
     if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
         install -d ${D}${systemd_unitdir}/system
         install -m 0644 ${WORKDIR}/nginx.service ${D}${systemd_unitdir}/system/
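Review bot: `server-conf.d` is created but nothing in nginx.conf includes `server-conf.d/*`, so fragments dropped there are never loaded; either add the matching `include` in the scope it is meant for or leave the directory out until it has a consumer (`modules-available` and `sites-available` are deliberately not included, that is the enable-by-symlink pattern). The relative `ln -s ../sites-available/default_server` is the right form, an absolute link would embed `${D}`. Note that `default_server` is only run through the `/var/` substitution, not the `/etc/` one applied to nginx.conf; it contains no /etc/ path today, so this matters only if one is added later.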
-- 
2.20.1
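A small lint for the settings this series touches in nginx.conf, as an added example that is not part of the patch series, of meta-webserver or of nginx itself. It tokenises nginx directives with a simplified grammar (`name args ;`, `{ }` blocks, `#` comments), flags deprecated `ssl_protocols` values, a missing `server_tokens off` and extension-less `include` globs, and rewrites the first two. `SAMPLE_CONF` is a constructed excerpt mirroring the patched `http {}` block; `lint`, `harden` and `parse_directives` are names chosen for this example, and nothing is read from the filesystem.

```python
"""Check an nginx.conf for the TLS and include settings changed in this patch.

Added example, not part of the meta-webserver patch series or of nginx.
It tokenizes nginx directives with a simplified grammar (`name args ;`,
`{ }` blocks, `#` comments), flags deprecated ssl_protocols values, a
missing `server_tokens off`, and extension-less include globs, and
rewrites the first two. SAMPLE_CONF is a constructed excerpt mirroring
the patched http{} block; nothing is read from the filesystem.
"""
import re
from typing import List, Tuple

Directive = Tuple[str, List[str]]

# Protocol names nginx accepts that no longer belong in a default config.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample (trimmed from the patch above, values unchanged).
SAMPLE_CONF = """\
user www;
include /etc/nginx/modules-enabled/*.conf;
http {
    # server_tokens off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
"""


def parse_directives(text: str) -> List[Directive]:
    """Return (name, args) for every directive; block headers count too, nesting is ignored."""
    text = re.sub(r"#[^\n]*", "", text)  # strip comments, including commented-out directives
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)
    directives: List[Directive] = []
    current: List[str] = []
    for tok in tokens:
        if tok in (";", "{"):
            if current:
                directives.append((current[0], current[1:]))
            current = []
        elif tok == "}":
            current = []
        else:
            current.append(tok.strip("\"'"))
    return directives


def lint(text: str) -> List[str]:
    """Findings in directive order, followed by the file-wide server_tokens check."""
    findings: List[str] = []
    server_tokens_off = False
    for name, args in parse_directives(text):
        if name == "ssl_protocols":
            weak = sorted(set(args) & WEAK_PROTOCOLS)
            if weak:
                findings.append("ssl_protocols enables deprecated protocols: " + " ".join(weak))
        elif name == "server_tokens" and args == ["off"]:
            server_tokens_off = True
        elif name == "include":
            for pattern in args:
                leaf = pattern.rsplit("/", 1)[-1]
                if "*" in leaf and "." not in leaf:
                    findings.append(f"include {pattern} also matches backup files such as *~")
    if not server_tokens_off:
        findings.append("server_tokens off is not set (nginx version leaks in Server header and error pages)")
    return findings


def harden(text: str) -> str:
    """Pin ssl_protocols to TLSv1.2/1.3 and activate server_tokens off; the include glob is left alone."""
    out = re.sub(r"\bssl_protocols\b[^;]*;", "ssl_protocols TLSv1.2 TLSv1.3;", text)
    out = re.sub(r"#\s*server_tokens\s+off\s*;", "server_tokens off;", out)
    if not any(n == "server_tokens" and a == ["off"] for n, a in parse_directives(out)):
        out = out.replace("http {", "http {\n    server_tokens off;", 1)
    return out


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("before:", finding)
    for finding in lint(harden(SAMPLE_CONF)):
        print("after: ", finding)
```

`harden` deliberately does not tighten `include /etc/nginx/sites-enabled/*;` to `*.conf`: the default site is enabled through a symlink named `default_server` with no extension, so a stricter glob would silently disable it; rename the symlink first, then narrow the glob. The `TLSv1.3` keyword it writes is only valid for nginx 1.13.0 or later built against OpenSSL 1.1.1, which `nginx -t` will tell you.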



