nginx: configuration update

Restructure the main configuration file to simplify custom configuration: * support inclusion of configuration fragments from subdirectories: - /etc/nginx/modules-enabled/*.conf - /etc/nginx/conf.d/*.conf - /etc/nginx/sites-enabled/* * default site (port 80): - move into /etc/nginx/sites-available/default_server and enable via symlink in /etc/nginx/sites-enabled/ - listen on IPv6 - drop unneeded example fragments * configure and enable gzip * update TLS settings to drop SSLv3 and enable TLSv1.3 for some safer defaults * update remaining bits to follow Debian standard configuration https://salsa.debian.org/nginx-team/nginx/blob/62a54a8ba66ee6cc1b4f8a33dab9a6f27a3fdac4/debian/conf/nginx.conf * drop unneeded example configuration bits from /etc/nginx/*.default These changes, in particular the configuration fragment support allow to easily customise nginx based on individual requirements. In addition, it is now possible for other recipes / packages to drop fragments into the respective directories in /etc/nginx without having to meddle with /etc/nginx/nginx.conf Signed-off-by: André Draszik <andre.draszik@jci.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: André Draszik <andre.draszik@jci.com> 2019-01-18 14:26:11 +0000
committer: Khem Raj <raj.khem@gmail.com> 2019-01-19 10:06:20 -0800
commit: 22e17bb10c589775b3196b07bde4912658a5dcbd (patch)
tree: 18e5216e96712f01c52a90f2a9f155a938e3952d /meta-webserver/recipes-httpd
parent: a0eadda9106a22b1d7a7c98c4a97c8329171540f (diff)
download: meta-openembedded-22e17bb10c589775b3196b07bde4912658a5dcbd.tar.gz
3 files changed, 62 insertions, 105 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/files/default_server.site b/meta-webserver/recipes-httpd/nginx/files/default_server.site
new file mode 100644
index 000000000..7a8a215cf
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/files/default_server.site
@@ -0,0 +1,14 @@
+# Default server configuration
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    root /var/www/localhost/html;
+    index index.html index.htm;
+    server_name _;
+    # redirect server error pages to the static page /50x.html
+    error_page 500 502 503 504 /50x.html;
+}
diff --git a/meta-webserver/recipes-httpd/nginx/files/nginx.conf b/meta-webserver/recipes-httpd/nginx/files/nginx.conf
index 69d3a2adc..6d219422b 100644
--- a/meta-webserver/recipes-httpd/nginx/files/nginx.conf
+++ b/meta-webserver/recipes-httpd/nginx/files/nginx.conf
@@ -1,118 +1,47 @@
 user  www;
-worker_processes  1;
+worker_processes 1;
+pid /run/nginx/nginx.pid;
-error_log  /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
-#error_log  logs/error.log  notice;
-#error_log  logs/error.log  info;
-pid        /run/nginx/nginx.pid;
 events {
-    worker_connections  1024;
+    worker_connections 768;
+    # multi_accept on;
 }
 http {
-    include       mime.types;
+    # Basic Settings
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    # server_tokens off;
+    # server_names_hash_bucket_size 64;
+    # server_name_in_redirect off;
+    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+    # SSL Settings
-                      '$status $body_bytes_sent "$http_referer" '
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
-                      '"$http_user_agent" "$http_x_forwarded_for"';
+    ssl_prefer_server_ciphers on;
-    access_log  /var/log/nginx/access.log  main;
-    sendfile        on;
-    #tcp_nopush     on;
-    #keepalive_timeout  0;
-    keepalive_timeout  65;
-    #gzip  on;
-    server {
-        listen       80;
-        server_name  localhost;
-        #charset koi8-r;
-        #access_log  logs/host.access.log  main;
-        location / {
-            root   /var/www/localhost/html;
-            index  index.html index.htm;
-        }
-        #error_page  404              /404.html;
-        # redirect server error pages to the static page /50x.html
-        #
-        error_page   500 502 503 504  /50x.html;
-        location = /50x.html {
-            root   /var/www/localhost/html;
-        }
-        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
-        #
-        #location ~ \.php$ {
-        #    proxy_pass   http://127.0.0.1;
-        #}
-        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
-        #
-        #location ~ \.php$ {
-        #    root           html;
-        #    fastcgi_pass   127.0.0.1:9000;
-        #    fastcgi_index  index.php;
-        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
-        #    include        fastcgi_params;
-        #}
-        # deny access to .htaccess files, if Apache's document root
-        # concurs with nginx's one
-        #
-        #location ~ /\.ht {
-        #    deny  all;
-        #}
-    }
-    # another virtual host using mix of IP-, name-, and port-based configuration
-    #
-    #server {
-    #    listen       8000;
-    #    listen       somename:8080;
-    #    server_name  somename  alias  another.alias;
-    #    location / {
-    #        root   html;
-    #        index  index.html index.htm;
-    #    }
-    #}
-    # HTTPS server
-    #
-    #server {
-    #    listen       443;
-    #    server_name  localhost;
-    #    ssl                  on;
-    #    ssl_certificate      cert.pem;
-    #    ssl_certificate_key  cert.key;
-    #    ssl_session_timeout  5m;
+    ## Logging
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
-    #    ssl_protocols  SSLv2 SSLv3 TLSv1;
+    ## Gzip settings
-    #    ssl_ciphers  HIGH:!aNULL:!MD5;
+    gzip  on;
-    #    ssl_prefer_server_ciphers   on;
-    #    location / {
+    gzip_vary on;
-    #        root   html;
+    gzip_proxied any;
-    #        index  index.html index.htm;
+    gzip_comp_level 6;
-    #    }
+    gzip_buffers 16 8k;
-    #}
+    gzip_http_version 1.1;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+    ## Virtual Host Configs
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
 }
diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc
index ea1c1f782..522942504 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx.inc
+++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
@@ -16,6 +16,7 @@ SRC_URI = " \
    file://nginx-cross.patch \
    file://0001-Allow-the-overriding-of-the-endianness-via-the-confi.patch \
    file://nginx.conf \
+    file://default_server.site \
    file://nginx.init \
    file://nginx-volatile.conf \
    file://nginx.service \
@@ -102,15 +103,28 @@ do_install () {
    install -d ${D}${sysconfdir}/nginx
    install -m 0644 ${WORKDIR}/nginx.conf ${D}${sysconfdir}/nginx/nginx.conf
+    sed -i 's,/etc/,${sysconfdir}/,g' ${D}${sysconfdir}/nginx/nginx.conf
    sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/nginx/nginx.conf
    sed -i 's/^user.*/user ${NGINX_USER};/g' ${D}${sysconfdir}/nginx/nginx.conf
+    install -Dm 0644 ${WORKDIR}/default_server.site ${D}${sysconfdir}/nginx/sites-available/default_server
+    sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/nginx/sites-available/default_server
    install -d ${D}${sysconfdir}/nginx/sites-enabled
+    ln -s ../sites-available/default_server ${D}${sysconfdir}/nginx/sites-enabled/
    install -d ${D}${sysconfdir}/default/volatiles
    install -m 0644 ${WORKDIR}/nginx-volatile.conf ${D}${sysconfdir}/default/volatiles/99_nginx
    sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/default/volatiles/99_nginx
    sed -i 's,@NGINX_USER@,${NGINX_USER},g' ${D}${sysconfdir}/default/volatiles/99_nginx
+    # cleanup configuration folder
+    rm ${D}${sysconfdir}/nginx/*.default
+    # add additional configuration folders
+    install -d ${D}${sysconfdir}/nginx/modules-available
+    install -d ${D}${sysconfdir}/nginx/modules-enabled
+    install -d ${D}${sysconfdir}/nginx/server-conf.d
+    install -d ${D}${sysconfdir}/nginx/conf.d
    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
        install -d ${D}${systemd_unitdir}/system
        install -m 0644 ${WORKDIR}/nginx.service ${D}${systemd_unitdir}/system/
author	André Draszik <andre.draszik@jci.com>	2019-01-18 14:26:11 +0000
committer	Khem Raj <raj.khem@gmail.com>	2019-01-19 10:06:20 -0800
commit	22e17bb10c589775b3196b07bde4912658a5dcbd (patch)
tree	18e5216e96712f01c52a90f2a9f155a938e3952d /meta-webserver/recipes-httpd
parent	a0eadda9106a22b1d7a7c98c4a97c8329171540f (diff)
download	meta-openembedded-22e17bb10c589775b3196b07bde4912658a5dcbd.tar.gz

diff --git a/meta-webserver/recipes-httpd/nginx/files/default_server.site b/meta-webserver/recipes-httpd/nginx/files/default_server.site new file mode 100644 index 000000000..7a8a215cf --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/default_server.site
@@ -0,0 +1,14 @@
		1	# Default server configuration
		2	server {
		3	listen 80 default_server;
		4	listen [::]:80 default_server;
		5
		6	root /var/www/localhost/html;
		7
		8	index index.html index.htm;
		9
		10	server_name _;
		11
		12	# redirect server error pages to the static page /50x.html
		13	error_page 500 502 503 504 /50x.html;
		14	}


diff --git a/meta-webserver/recipes-httpd/nginx/files/nginx.conf b/meta-webserver/recipes-httpd/nginx/files/nginx.conf index 69d3a2adc..6d219422b 100644 --- a/meta-webserver/recipes-httpd/nginx/files/nginx.conf +++ b/meta-webserver/recipes-httpd/nginx/files/nginx.conf
@@ -1,118 +1,47 @@
1
2	user www;	1	user www;
3	worker_processes 1;	2	worker_processes 1;
4		3	pid /run/nginx/nginx.pid;
5	error_log /var/log/nginx/error.log;	4	include /etc/nginx/modules-enabled/*.conf;
6	#error_log logs/error.log notice;
7	#error_log logs/error.log info;
8
9	pid /run/nginx/nginx.pid;
10
11		5
12	events {	6	events {
13	worker_connections 1024;	7	worker_connections 768;
		8	# multi_accept on;
14	}	9	}
15		10
16
17	http {	11	http {
18	include mime.types;	12	# Basic Settings
		13	sendfile on;
		14	tcp_nopush on;
		15	tcp_nodelay on;
		16	keepalive_timeout 65;
		17	types_hash_max_size 2048;
		18	# server_tokens off;
		19
		20	# server_names_hash_bucket_size 64;
		21	# server_name_in_redirect off;
		22
		23	include /etc/nginx/mime.types;
19	default_type application/octet-stream;	24	default_type application/octet-stream;
20		25
21	log_format main '$remote_addr - $remote_user [$time_local] "$request" '	26	# SSL Settings
22	'$status $body_bytes_sent "$http_referer" '	27	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
23	'"$http_user_agent" "$http_x_forwarded_for"';	28	ssl_prefer_server_ciphers on;
24
25	access_log /var/log/nginx/access.log main;
26
27	sendfile on;
28	#tcp_nopush on;
29
30	#keepalive_timeout 0;
31	keepalive_timeout 65;
32
33	#gzip on;
34
35	server {
36	listen 80;
37	server_name localhost;
38
39	#charset koi8-r;
40
41	#access_log logs/host.access.log main;
42
43	location / {
44	root /var/www/localhost/html;
45	index index.html index.htm;
46	}
47
48	#error_page 404 /404.html;
49
50	# redirect server error pages to the static page /50x.html
51	#
52	error_page 500 502 503 504 /50x.html;
53	location = /50x.html {
54	root /var/www/localhost/html;
55	}
56
57	# proxy the PHP scripts to Apache listening on 127.0.0.1:80
58	#
59	#location ~ \.php$ {
60	# proxy_pass http://127.0.0.1;
61	#}
62
63	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
64	#
65	#location ~ \.php$ {
66	# root html;
67	# fastcgi_pass 127.0.0.1:9000;
68	# fastcgi_index index.php;
69	# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
70	# include fastcgi_params;
71	#}
72
73	# deny access to .htaccess files, if Apache's document root
74	# concurs with nginx's one
75	#
76	#location ~ /\.ht {
77	# deny all;
78	#}
79	}
80
81
82	# another virtual host using mix of IP-, name-, and port-based configuration
83	#
84	#server {
85	# listen 8000;
86	# listen somename:8080;
87	# server_name somename alias another.alias;
88
89	# location / {
90	# root html;
91	# index index.html index.htm;
92	# }
93	#}
94
95
96	# HTTPS server
97	#
98	#server {
99	# listen 443;
100	# server_name localhost;
101
102	# ssl on;
103	# ssl_certificate cert.pem;
104	# ssl_certificate_key cert.key;
105		29
106	# ssl_session_timeout 5m;	30	## Logging
		31	access_log /var/log/nginx/access.log;
		32	error_log /var/log/nginx/error.log;
107		33
108	# ssl_protocols SSLv2 SSLv3 TLSv1;	34	## Gzip settings
109	# ssl_ciphers HIGH:!aNULL:!MD5;	35	gzip on;
110	# ssl_prefer_server_ciphers on;
111		36
112	# location / {	37	gzip_vary on;
113	# root html;	38	gzip_proxied any;
114	# index index.html index.htm;	39	gzip_comp_level 6;
115	# }	40	gzip_buffers 16 8k;
116	#}	41	gzip_http_version 1.1;
		42	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
117		43
		44	## Virtual Host Configs
		45	include /etc/nginx/conf.d/*.conf;
		46	include /etc/nginx/sites-enabled/*;
118	}	47	}


diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc index ea1c1f782..522942504 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx.inc +++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
@@ -16,6 +16,7 @@ SRC_URI = " \
16	file://nginx-cross.patch \	16	file://nginx-cross.patch \
17	file://0001-Allow-the-overriding-of-the-endianness-via-the-confi.patch \	17	file://0001-Allow-the-overriding-of-the-endianness-via-the-confi.patch \
18	file://nginx.conf \	18	file://nginx.conf \
		19	file://default_server.site \
19	file://nginx.init \	20	file://nginx.init \
20	file://nginx-volatile.conf \	21	file://nginx-volatile.conf \
21	file://nginx.service \	22	file://nginx.service \
@@ -102,15 +103,28 @@ do_install () {
102		103
103	install -d ${D}${sysconfdir}/nginx	104	install -d ${D}${sysconfdir}/nginx
104	install -m 0644 ${WORKDIR}/nginx.conf ${D}${sysconfdir}/nginx/nginx.conf	105	install -m 0644 ${WORKDIR}/nginx.conf ${D}${sysconfdir}/nginx/nginx.conf
		106	sed -i 's,/etc/,${sysconfdir}/,g' ${D}${sysconfdir}/nginx/nginx.conf
105	sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/nginx/nginx.conf	107	sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/nginx/nginx.conf
106	sed -i 's/^user.*/user ${NGINX_USER};/g' ${D}${sysconfdir}/nginx/nginx.conf	108	sed -i 's/^user.*/user ${NGINX_USER};/g' ${D}${sysconfdir}/nginx/nginx.conf
		109	install -Dm 0644 ${WORKDIR}/default_server.site ${D}${sysconfdir}/nginx/sites-available/default_server
		110	sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/nginx/sites-available/default_server
107	install -d ${D}${sysconfdir}/nginx/sites-enabled	111	install -d ${D}${sysconfdir}/nginx/sites-enabled
		112	ln -s ../sites-available/default_server ${D}${sysconfdir}/nginx/sites-enabled/
108		113
109	install -d ${D}${sysconfdir}/default/volatiles	114	install -d ${D}${sysconfdir}/default/volatiles
110	install -m 0644 ${WORKDIR}/nginx-volatile.conf ${D}${sysconfdir}/default/volatiles/99_nginx	115	install -m 0644 ${WORKDIR}/nginx-volatile.conf ${D}${sysconfdir}/default/volatiles/99_nginx
111	sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/default/volatiles/99_nginx	116	sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/default/volatiles/99_nginx
112	sed -i 's,@NGINX_USER@,${NGINX_USER},g' ${D}${sysconfdir}/default/volatiles/99_nginx	117	sed -i 's,@NGINX_USER@,${NGINX_USER},g' ${D}${sysconfdir}/default/volatiles/99_nginx
113		118
		119	# cleanup configuration folder
		120	rm ${D}${sysconfdir}/nginx/*.default
		121
		122	# add additional configuration folders
		123	install -d ${D}${sysconfdir}/nginx/modules-available
		124	install -d ${D}${sysconfdir}/nginx/modules-enabled
		125	install -d ${D}${sysconfdir}/nginx/server-conf.d
		126	install -d ${D}${sysconfdir}/nginx/conf.d
		127
114	if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then	128	if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
115	install -d ${D}${systemd_unitdir}/system	129	install -d ${D}${systemd_unitdir}/system
116	install -m 0644 ${WORKDIR}/nginx.service ${D}${systemd_unitdir}/system/	130	install -m 0644 ${WORKDIR}/nginx.service ${D}${systemd_unitdir}/system/