| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reduces the impact of HTTP/2 Stream Reset flooding in the nginx product
(CVE-2023-44487).
See: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
This patch only reduces the impact and does not completely mitigate the CVE
in question, the latter being due to a design flaw in the HTTP/2 protocol
itself. For transparancy reasons I therefore opted to not mark the
CVE as resolved, so that integrators can decide for themselves, wheither to
enable HTTP/2 support or allow HTTP/1.1 connections only.
Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
ngx_http_mp4_module
Upstream-Status: Backport from https://github.com/nginx/nginx/commit/6b022a5556af22b6e18532e547a6ae46b0d8c6ea
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixed an HTTP request smuggling with certain error_page configurations
which could have allowed unauthorized web page reads.
This issue affects nginx prior to 1.17.7, so only the recipe for 1.16.1
needs the patch applied.
Fix is taken directly from
https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: meta-openembedded.ort
MR: 112731
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/meta-openembedded/commit/meta-webserver/recipes-httpd/nginx?id=f92dbcc4c2723e6ff4e308c8a2e6dc228a6cd7d5
ChangeID: dd3295b606d73e01dd09291d85d529dea17a1a9e
Description:
Backport with no change a patch from version 1.21.0. This patch
was not cherry-picked by nginx to version 1.20.1.
Information about this CVE comes from
https://ubuntu.com/security/CVE-2021-3618.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f92dbcc4c2723e6ff4e308c8a2e6dc228a6cd7d5)
[refesh patch for Dunfell context]
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
| |
|
|
|
|
|
| |
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 82385049035a3a4a81b18af099d2131b46802965)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
fix below error:
nginx.service: failed to parse pid from file /run/nginx/nginx.pid:
invalid argument
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
| |
the kill utility is located in /bin/kill -> use base_bindir instead of bindir
Signed-off-by: Nicola Lunghi <nick83ola@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
As per Debian packaging - to use it, see
https://wiki.debian.org/Nginx/DirectoryStructure#Extra_Parameters
This file is most commonly included when Nginx is acting
as a reverse proxy:
include /etc/nginx/proxy_params;
proxy_pass http://localhost:8000;
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Restructure the main configuration file to simplify custom configuration:
* support inclusion of configuration fragments from subdirectories:
- /etc/nginx/modules-enabled/*.conf
- /etc/nginx/conf.d/*.conf
- /etc/nginx/sites-enabled/*
* default site (port 80):
- move into /etc/nginx/sites-available/default_server
and enable via symlink in /etc/nginx/sites-enabled/
- listen on IPv6
- drop unneeded example fragments
* configure and enable gzip
* update TLS settings to drop SSLv3 and enable TLSv1.3 for some safer
defaults
* update remaining bits to follow Debian standard configuration
https://salsa.debian.org/nginx-team/nginx/blob/62a54a8ba66ee6cc1b4f8a33dab9a6f27a3fdac4/debian/conf/nginx.conf
* drop unneeded example configuration bits from /etc/nginx/*.default
These changes, in particular the configuration fragment
support allow to easily customise nginx based on individual
requirements.
In addition, it is now possible for other recipes / packages
to drop fragments into the respective directories in /etc/nginx
without having to meddle with /etc/nginx/nginx.conf
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Our systemd unit doesn't follow the official
recommendation, see
https://www.nginx.com/resources/wiki/start/topics/examples/systemd/
Most importantly:
* it should start after some additional specific
targets/units
* using PrivateTmp is a useful security feature, in
particular to avoid cross domain scripting via the
temp folder
* using systemd's $MAINPID, we can distinguish between
multiple running nginx instances correctly
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
WARNING: nginx-1.12.2-r0 do_patch:
Some of the context lines in patches were ignored. This can lead to incorrectly applied patches.
The context lines in the patches can be updated with devtool:
devtool modify <recipe>
devtool finish --force-patch-refresh <recipe> <layer_path>
Then the updated patches and the source tree (in devtool's workspace)
should be reviewed to make sure the patches apply in the correct place
and don't introduce duplicate lines (which can, and does happen
when some of the context is ignored). Further information:
http://lists.openembedded.org/pipermail/openembedded-core/2018-March/148675.html
https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450
Details:
Applying patch nginx-cross.patch
patching file auto/feature
patching file auto/options
Hunk #1 succeeded at 386 (offset 33 lines).
Hunk #2 succeeded at 580 (offset 35 lines).
Hunk #3 succeeded at 599 (offset 22 lines).
patching file auto/types/sizeof
patching file auto/unix
Hunk #1 succeeded at 587 (offset 194 lines).
Hunk #2 succeeded at 604 with fuzz 1 (offset 188 lines).
Hunk #3 succeeded at 620 with fuzz 2 (offset 188 lines).
Now at patch nginx-cross.patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
Add an inherit for siteinfo to get access to SITEINFO_ENDIANNESS
Add a patch to have nginx actually use the user provided --with-endian
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
The recipe and the systemd service file use /run/nginx/nginx.pid,
while the sys v init script used /var/run/nginx/nginx.pid
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
It gets replaces with the real NGINX_USER anyway, but it confuses people
that there is a different value by default. So just make it the same as the
default NGINX_USER
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
- Call the nginx binary directly, no need to wrap the SysV init file.
- Create /var/log/nginx with tmpfiles, like volatiles without systemd.
- Run nginx with ${NGINX_USER} (user ${NGINX_USER} in nginx.conf)
Signed-off-by: Gyorgy Szombathelyi <gyurco@freemail.hu>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
| |
|
|
|
|
|
|
| |
The 1.8 version is now considered legacy and the stable versions 1.10.X
Updated the license checksum to reflect copyright date update to 2016
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
| |
|
|
|
|
|
| |
systemd service file expects full path of the executatbles.
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
| |
|
|
| |
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
| |
|
|
|
|
|
| |
Adds support for systemd, creates a service for nginx and installs it if required
Signed-off-by: Alejandro Hernandez <alejandro.hernandez@linux.intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
|
Initial recipe created by Steve Arnold. Original build patch and 1.0.10
recipe graciously contributed by bencoh (in #oe on irc.freenode.net).
New recipe and init script contributed by this author. Built and
tested on master branches using author's fork of meta-raspberrypi.
Signed-off-by: stephen.arnold42 <stephen.arnold42@gmail.com>
Signed-off-by: Sébastien Mennetrier <s.mennetrier@innotis.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
