diff --git a/ingress-nginx-controller.yaml b/ingress-nginx-controller.yaml index f45c0b49e2d..ee3a4a18b73 100644 --- a/ingress-nginx-controller.yaml +++ b/ingress-nginx-controller.yaml @@ -1,7 +1,8 @@ +#nolint:valid-pipeline-fetch-digest package: name: ingress-nginx-controller version: 1.8.0 - epoch: 2 + epoch: 3 description: "Ingress-NGINX Controller for Kubernetes" copyright: - license: Apache-2.0 @@ -13,14 +14,112 @@ environment: packages: - wolfi-base - busybox - - ca-certificates-bundle - go - bash - curl + - curl-dev - git - openssh-client - libcap-utils - libcap + - scanelf + - ca-certificates-bundle + - brotli-dev + - gd-dev + - geoip-dev + - libmaxminddb-dev + - libxml2-dev + - libxslt-dev + - pkgconf + - zeromq-dev + - gcc + - clang-15 + - make + - automake + - openssl-dev + - pcre-dev + - zlib-dev + - linux-headers + - perl-dev + - libedit-dev + - mercurial + - findutils + - ca-certificates + - patch + - libaio-dev + - openssl + - cmake + - util-linux + - lmdb-tools + - wget + - libprotobuf + - flex + - bison + - doxygen + - yajl-dev + - lmdb-dev + - libtool + - autoconf + - libxml2 + - python3 + - libsrt + - opentracing-cpp + - jaeger-cpp + - msgpack + - datadog-cpp + - yaml-cpp + - zipkin-cpp + - ssdeep + - luajit + - luajit-dev + - lua-cjson + - lua-resty-balancer + - lua-resty-cache + - lua-resty-cookie + - lua-resty-core + - lua-resty-dns + - lua-resty-global-throttle + - lua-resty-http + - lua-resty-ipmatcher + - lua-resty-lock + - lua-resty-memcached + - lua-resty-redis + - lua-resty-string + - lua-resty-upload + +vars: + NGINX_VERSION: "1.21.6" + NGINX_SHA: "66dc7081488811e9f925719e34d1b4504c2801c81dee2920e5452a86b11405ae" + NDK_VERSION: "0.3.1" + NDK_VERSION_SHA: "0e971105e210d272a497567fa2e2c256f4e39b845a5ba80d373e26ba1abfbd85" + SETMISC_VERSION: "0.33" + SETMISC_VERSION_SHA: "cd5e2cc834bcfa30149e7511f2b5a2183baf0b70dc091af717a89a64e44a2985" + MORE_HEADERS_VERSION: "0.33" + MORE_HEADERS_VERSION_SHA: "a3dcbab117a9c103bc1ea5200fc00a7b7d2af97ff7fd525f16f8ac2632e30fbf" + NGINX_DIGEST_AUTH: "1.0.0" + NGINX_DIGEST_AUTH_SHA: "f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b" + NGINX_SUBSTITUTIONS: "b8a71eacc7f986ba091282ab8b1bbbc6ae1807e0" + NGINX_SUBSTITUTIONS_SHA: "a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f" + NGINX_OPENTRACING_VERSION: "0.19.0" + NGINX_OPENTRACING_VERSION_SHA: "6f97776ebdf019b105a755c7736b70bdbd7e575c7f0d39db5fe127873c7abf17" + MODSECURITY_NGINX_VERSION: "1.0.3" + MODSECURITY_NGINX_VERSION_SHA: "32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b" + MODSECURITY_LIB_VERSION: "e9a7ba4a60be48f761e0328c6dfcc668d70e35a0" + OWASP_MODSECURITY_CRS_VERSION: "v3.3.2" + LUA_RESTY_CORE: "0.1.23" + LUA_RESTY_CORE_SHA: "efd6b51520429e64b1bcc10f477d370ebed1631c190f7e4dc270d959a743ad7d" + LUA_NGX_VERSION: "0.10.21" + LUA_NGX_VERSION_SHA: "9db756000578efaecb43bea4fc6cf631aaa80988d86ffe5d3afeb9927895ffad" + LUA_STREAM_NGX_VERSION: "0.0.11" + LUA_STREAM_NGX_VERSION_SHA: "c7924f28cb014a99636e747ea907724dd55f60e180cb92cde6e8ed48d2278f27" + LUA_UPSTREAM_VERSION: "8aa93ead98ba2060d4efd594ae33a35d153589bf" + LUA_UPSTREAM_VERSION_SHA: "a92c9ee6682567605ece55d4eed5d1d54446ba6fba748cff0a2482aea5713d5f" + LUA_CJSON_VERSION: "4b350c531de3d71008c77ae94e59275b8371b4dc" + LUA_CJSON_VERSION_SHA: "8d602af2669fb386931760916a39f6c9034f2363c4965f215042c086b8215238" + GEOIP2_VERSION: "a26c6beed77e81553686852dceb6c7fdacc5970d" + GEOIP2_VERSION_SHA: "4c1933434572226942c65b2f2b26c8a536ab76aa771a3c7f6c2629faa764976b" + NGINX_AJP_VERSION: "fcbb2ccca4901d317ecd7a9dabb3fec9378ff40f" + NGINX_AJP_VERSION_SHA: "778fcca851bd69dabfb382dc827d2ee07662f7eca36b5e66e67d5512bad75ef8" pipeline: - uses: git-checkout @@ -31,10 +130,6 @@ pipeline: - name: Build ingress-nginx controller from source runs: | - set -o errexit - set -o nounset - set -o pipefail - export PKG="k8s.io/ingress-nginx" export COMMIT_SHA=$(git rev-parse --short HEAD) export REPO_INFO=$(git config --get remote.origin.url)$ @@ -43,21 +138,21 @@ pipeline: export CGO_ENABLED=0 - go build -v \ + go build -x -v \ -trimpath -ldflags="-buildid= -w -s \ -X ${PKG}/version.RELEASE=controller-v${{package.version}} \ -X ${PKG}/version.COMMIT=${COMMIT_SHA} \ -X ${PKG}/version.REPO=${REPO_INFO}" \ -o "${{targets.destdir}}/dbg" ${PKG}/cmd/dbg - go build -v \ + go build -x -v \ -trimpath -ldflags="-buildid= -w -s \ -X ${PKG}/version.RELEASE=controller-v${{package.version}} \ -X ${PKG}/version.COMMIT=${COMMIT_SHA} \ -X ${PKG}/version.REPO=${REPO_INFO}" \ -o "${{targets.destdir}}/waitshutdown" ${PKG}/cmd/waitshutdown - go build -v \ + go build -x -v \ -trimpath -ldflags="-buildid= -w -s \ -X ${PKG}/version.RELEASE=controller-v${{package.version}} \ -X ${PKG}/version.COMMIT=${COMMIT_SHA} \ @@ -67,6 +162,356 @@ pipeline: setcap cap_net_bind_service=+ep ${{targets.destdir}}/nginx-ingress-controller \ && setcap -v cap_net_bind_service=+ep ${{targets.destdir}}/nginx-ingress-controller + - uses: fetch + with: + uri: https://nginx.org/download/nginx-${{vars.NGINX_VERSION}}.tar.gz + expected-sha256: ${{vars.NGINX_SHA}} + strip-components: 0 + + - uses: fetch + with: + uri: https://github.com/simpl/ngx_devel_kit/archive/v${{vars.NDK_VERSION}}.tar.gz + expected-sha256: ${{vars.NDK_VERSION_SHA}} + strip-components: 0 + + - uses: fetch + with: + uri: https://github.com/openresty/set-misc-nginx-module/archive/v${{vars.SETMISC_VERSION}}.tar.gz + expected-sha256: ${{vars.SETMISC_VERSION_SHA}} + strip-components: 0 + + - runs: | + rm -rf v0.33.tar.gz + + - uses: fetch + with: + uri: https://github.com/openresty/headers-more-nginx-module/archive/v${{vars.MORE_HEADERS_VERSION}}.tar.gz + expected-sha256: ${{vars.MORE_HEADERS_VERSION_SHA}} + strip-components: 0 + + - uses: fetch + with: + uri: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/${{vars.NGINX_SUBSTITUTIONS}}.tar.gz + expected-sha256: ${{vars.NGINX_SUBSTITUTIONS_SHA}} + strip-components: 0 + + - uses: fetch + with: + uri: https://github.com/openresty/lua-nginx-module/archive/v${{vars.LUA_NGX_VERSION}}.tar.gz + expected-sha256: ${{vars.LUA_NGX_VERSION_SHA}} + strip-components: 0 + + - uses: fetch + with: + uri: https://github.com/openresty/stream-lua-nginx-module/archive/v${{vars.LUA_STREAM_NGX_VERSION}}.tar.gz + expected-sha256: ${{vars.LUA_STREAM_NGX_VERSION_SHA}} + strip-components: 0 + + - uses: fetch + with: + uri: https://github.com/openresty/lua-upstream-nginx-module/archive/${{vars.LUA_UPSTREAM_VERSION}}.tar.gz + expected-sha256: ${{vars.LUA_UPSTREAM_VERSION_SHA}} + strip-components: 0 + + - uses: fetch + with: + uri: https://github.com/yaoweibin/nginx_ajp_module/archive/${{vars.NGINX_AJP_VERSION}}.tar.gz + expected-sha256: ${{vars.NGINX_AJP_VERSION_SHA}} + strip-components: 0 + + - uses: fetch + with: + uri: https://github.com/atomx/nginx-http-auth-digest/archive/v${{vars.NGINX_DIGEST_AUTH}}.tar.gz + expected-sha256: ${{vars.NGINX_DIGEST_AUTH_SHA}} + strip-components: 0 + + - uses: fetch + with: + uri: https://github.com/opentracing-contrib/nginx-opentracing/archive/v${{vars.NGINX_OPENTRACING_VERSION}}.tar.gz + expected-sha256: ${{vars.NGINX_OPENTRACING_VERSION_SHA}} + strip-components: 0 + + - uses: fetch + with: + uri: https://github.com/SpiderLabs/ModSecurity-nginx/archive/v${{vars.MODSECURITY_NGINX_VERSION}}.tar.gz + expected-sha256: ${{vars.MODSECURITY_NGINX_VERSION_SHA}} + strip-components: 0 + + - uses: fetch + with: + uri: https://github.com/leev/ngx_http_geoip2_module/archive/${{vars.GEOIP2_VERSION}}.tar.gz + expected-sha256: ${{vars.GEOIP2_VERSION_SHA}} + strip-components: 0 + + - name: Build NGINX + runs: | + export BUILD_PATH="${PWD}" + echo "BUILD_PATH $BUILD_PATH" + echo "Arch: $(uname -m)" + # improve compilation times + CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1)) + + export LUAJIT_LIB="$(pkgconf --variable=libdir luajit)" + export LUAJIT_INC="$(pkgconf --variable=includedir luajit)" + export LUA_LIB_DIR="$LUAJIT_LIB/lua" + ln -s "$LUAJIT_INC" /usr/include/lua + export LUA_INCLUDE_DIR=/usr/include/luajit-2.1 + ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1 + ARCH=$(uname -m) + + ls -lah ${BUILD_PATH}/lua-nginx-module-${{vars.LUA_NGX_VERSION}} + echo /usr/local/lib >> /etc/ld.so.conf + ldconfig + cat /etc/ld.so.conf + + mkdir -p ${{targets.destdir}}/etc/nginx/ + cp -ar /etc/nginx/ ${{targets.destdir}}/etc/nginx/ + + # Get Brotli source and deps + echo "::::::::::::::::::::::::::::::::::::::" + echo ":::: ngx_brotl ::::" + echo "::::::::::::::::::::::::::::::::::::::" + cd "$BUILD_PATH" + git clone --depth=1 https://github.com/google/ngx_brotli.git + cd ngx_brotli + git submodule init + git submodule update + + cd "$BUILD_PATH" + git clone -n https://github.com/SpiderLabs/ModSecurity + cd ModSecurity/ + git branch + git checkout ${{vars.MODSECURITY_LIB_VERSION}} + git submodule init + git submodule update + + sh build.sh + + # https://github.com/SpiderLabs/ModSecurity/issues/1909#issuecomment-465926762 + sed -i '115i LUA_CFLAGS="${LUA_CFLAGS} -DWITH_LUA_JIT_2_1"' build/lua.m4 + sed -i '117i AC_SUBST(LUA_CFLAGS)' build/lua.m4 + + ./configure \ + --disable-doxygen-doc \ + --disable-doxygen-html \ + --disable-examples + + make -j$(nproc) + make install + + mkdir -p ${{targets.destdir}}/etc/nginx/modsecurity + cp modsecurity.conf-recommended ${{targets.destdir}}/etc/nginx/modsecurity/modsecurity.conf + cp unicode.mapping ${{targets.destdir}}/etc/nginx/modsecurity/unicode.mapping + + # Replace serial logging with concurrent + sed -i 's|SecAuditLogType Serial|SecAuditLogType Concurrent|g' ${{targets.destdir}}/etc/nginx/modsecurity/modsecurity.conf + + # Concurrent logging implies the log is stored in several files + echo "SecAuditLogStorageDir /var/log/audit/" >> ${{targets.destdir}}/etc/nginx/modsecurity/modsecurity.conf + + # Download owasp modsecurity crs + cd ${{targets.destdir}}/etc/nginx/ + + git clone -b ${{vars.OWASP_MODSECURITY_CRS_VERSION}} https://github.com/coreruleset/coreruleset owasp-modsecurity-crs + cd owasp-modsecurity-crs + + mv crs-setup.conf.example crs-setup.conf + mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf + mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf + + # OWASP CRS v3 rules + echo ' + Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf + Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf + ' > ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf + + + echo "::::::::::::::::::::::::::::::::::::::" + echo ":::: nginx-${{vars.NGINX_VERSION}} ::::" + echo "::::::::::::::::::::::::::::::::::::::" + + cd "$BUILD_PATH/nginx-${{vars.NGINX_VERSION}}" + # apply nginx patches + for PATCH in `ls $BUILD_PATH/patches`;do + echo "Patch: $PATCH" + if [[ "$PATCH" == *.txt ]]; then + patch -p0 < $BUILD_PATH/patches/$PATCH + else + patch -p1 < $BUILD_PATH/patches/$PATCH + fi + done + + WITH_FLAGS="--with-debug \ + --with-compat \ + --with-pcre-jit \ + --with-http_ssl_module \ + --with-http_stub_status_module \ + --with-http_realip_module \ + --with-http_auth_request_module \ + --with-http_addition_module \ + --with-http_geoip_module \ + --with-http_gzip_static_module \ + --with-http_sub_module \ + --with-http_v2_module \ + --with-stream \ + --with-stream_ssl_module \ + --with-stream_realip_module \ + --with-stream_ssl_preread_module \ + --with-threads \ + --with-http_secure_link_module \ + --with-http_gunzip_module" + + WITH_MODULES=" \ + --add-module=${BUILD_PATH}/ngx_devel_kit-${{vars.NDK_VERSION}} \ + --add-module=${BUILD_PATH}/set-misc-nginx-module-${{vars.SETMISC_VERSION}} \ + --add-module=${BUILD_PATH}/headers-more-nginx-module-${{vars.MORE_HEADERS_VERSION}} \ + --add-module=${BUILD_PATH}/ngx_http_substitutions_filter_module-${{vars.NGINX_SUBSTITUTIONS}} \ + --add-module=${BUILD_PATH}/lua-nginx-module-${{vars.LUA_NGX_VERSION}} \ + --add-module=${BUILD_PATH}/stream-lua-nginx-module-${{vars.LUA_STREAM_NGX_VERSION}} \ + --add-module=${BUILD_PATH}/lua-upstream-nginx-module-${{vars.LUA_UPSTREAM_VERSION}} \ + --add-module=${BUILD_PATH}/nginx_ajp_module-${{vars.NGINX_AJP_VERSION}} \ + --add-dynamic-module=${BUILD_PATH}/nginx-http-auth-digest-${{vars.NGINX_DIGEST_AUTH}} \ + --add-dynamic-module=${BUILD_PATH}/nginx-opentracing-${{vars.NGINX_OPENTRACING_VERSION}}/opentracing \ + --add-dynamic-module=${BUILD_PATH}/ModSecurity-nginx-${{vars.MODSECURITY_NGINX_VERSION}} \ + --add-dynamic-module=${BUILD_PATH}/ngx_http_geoip2_module-${{vars.GEOIP2_VERSION}} \ + --add-dynamic-module=${BUILD_PATH}/ngx_brotli" + + # "Combining -flto with -g is currently experimental and expected to produce unexpected results." + # https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html + CC_OPT="-g -O2 -fPIE -fstack-protector-strong \ + -Wformat \ + -Werror=format-security \ + -Wno-deprecated-declarations \ + -fno-strict-aliasing \ + -D_FORTIFY_SOURCE=2 \ + --param=ssp-buffer-size=4 \ + -DTCP_FASTOPEN=23 \ + -fPIC \ + -Wno-cast-function-type" + + LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now" + + if [[ ${ARCH} != "aarch64" ]]; then + WITH_FLAGS="${WITH_FLAGS} --with-file-aio" + fi + + if [[ ${ARCH} == "x86_64" ]]; then + CC_OPT="${CC_OPT} -m64 -mtune=generic" + fi + + echo "::::::::::::::::::::::::::::::::::::::::::::::::::::" + echo ":::: Configuring nginx-${{vars.NGINX_VERSION }} ::::" + echo "::::::::::::::::::::::::::::::::::::::::::::::::::" + + ./configure \ + --prefix=/usr/local/nginx \ + --conf-path=/etc/nginx/nginx.conf \ + --modules-path=/etc/nginx/modules \ + --http-log-path=/var/log/nginx/access.log \ + --error-log-path=/var/log/nginx/error.log \ + --lock-path=/var/lock/nginx.lock \ + --pid-path=/run/nginx.pid \ + --http-client-body-temp-path=/var/lib/nginx/body \ + --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ + --http-proxy-temp-path=/var/lib/nginx/proxy \ + --http-scgi-temp-path=/var/lib/nginx/scgi \ + --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \ + ${WITH_FLAGS} \ + --without-mail_pop3_module \ + --without-mail_smtp_module \ + --without-mail_imap_module \ + --without-http_uwsgi_module \ + --without-http_scgi_module \ + --with-cc-opt="${CC_OPT}" \ + --with-ld-opt="${LD_OPT}" \ + --user=www-data \ + --group=www-data \ + ${WITH_MODULES} + + echo "::::::::::::::::::::::::::::::::::::::::::::::" + echo ":::: MAKE nginx-${{vars.NGINX_VERSION }} ::::" + echo "::::::::::::::::::::::::::::::::::::::::::::" + make -j$(nproc) + + echo ":::::::::::::::::::::::::::::::::::::::::::::::::" + echo ":::: MODULES nginx-${{vars.NGINX_VERSION }} ::::" + echo ":::::::::::::::::::::::::::::::::::::::::::::::::" + make DESTDIR="${{targets.destdir}}" modules + + echo "::::::::::::::::::::::::::::::::::::::::::::::::" + echo ":::: INSTALL nginx-${{vars.NGINX_VERSION }} ::::" + echo "::::::::::::::::::::::::::::::::::::::::::::::" + make DESTDIR="${{targets.destdir}}" install + + echo "::::::::::::::::::::::::::::::::::::::::::" + echo ":::: SETCAP NGINX ::::" + echo "::::::::::::::::::::::::::::::::::::::::::" + + setcap cap_net_bind_service=+ep ${{targets.destdir}}/usr/local/nginx/sbin/nginx \ + && setcap -v cap_net_bind_service=+ep ${{targets.destdir}}/usr/local/nginx/sbin/nginx + + echo "::::::::::::::::::::::::::::::::::::::::::" + echo ":::: SETCAP DUMB INIT ::::" + echo "::::::::::::::::::::::::::::::::::::::::::" + + setcap cap_net_bind_service=+ep /usr/bin/dumb-init \ + && setcap -v cap_net_bind_service=+ep /usr/bin/dumb-init + + + echo "::::::::::::::::::::::::::::::::::::::::::::" + echo ":::::::::::::::: CLEANUP :::::::::::::::::::" + echo "::::::::::::::::::::::::::::::::::::::::::::" + + echo "Clean up owasp-modsecurity-crs" + rm -rf ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/.git + rm -rf ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/util/regression-tests + + + echo "Clean up everything else" + cd ${BUILD_PATH} + + rm -rf *.tar.gz ${BUILD_PATH}/ngx_devel_kit-"${{vars.NDK_VERSION}}" \ + ${BUILD_PATH}/set-misc-nginx-module-"${{vars.SETMISC_VERSION}}" \ + ${BUILD_PATH}/headers-more-nginx-module-"${{vars.MORE_HEADERS_VERSION}}" \ + ${BUILD_PATH}/ngx_http_substitutions_filter_module-"${{vars.NGINX_SUBSTITUTIONS}}" \ + ${BUILD_PATH}/lua-nginx-module-"${{vars.LUA_NGX_VERSION}}" \ + ${BUILD_PATH}/stream-lua-nginx-module-"${{vars.LUA_STREAM_NGX_VERSION}}" \ + ${BUILD_PATH}/lua-upstream-nginx-module-"${{vars.LUA_UPSTREAM_VERSION}}" \ + ${BUILD_PATH}/nginx_ajp_module-"${{vars.NGINX_AJP_VERSION}}" \ + ${BUILD_PATH}/nginx-http-auth-digest-"${{vars.NGINX_DIGEST_AUTH}}" \ + ${BUILD_PATH}/nginx-opentracing-"${{vars.NGINX_OPENTRACING_VERSION}}"/opentracing \ + ${BUILD_PATH}/ModSecurity-nginx-"${{vars.MODSECURITY_NGINX_VERSION}}" \ + ${BUILD_PATH}/ngx_http_geoip2_module-"${{vars.GEOIP2_VERSION}}" \ + ${BUILD_PATH}/ngx_brotli + update: enabled: true github: diff --git a/ingress-nginx.yaml b/ingress-nginx.yaml deleted file mode 100644 index bd21bae04de..00000000000 --- a/ingress-nginx.yaml +++ /dev/null @@ -1,445 +0,0 @@ -package: - name: ingress-nginx - version: 1.21.6 - epoch: 0 - description: "the nginx webserver built for ingress-nginx" - copyright: - - license: BSD-2 - dependencies: - runtime: - -environment: - contents: - packages: - - wolfi-base - - busybox - - build-base - - scanelf - - ca-certificates-bundle - - brotli-dev - - gd-dev - - geoip-dev - - libmaxminddb-dev - - libxml2-dev - - libxslt-dev - - pkgconf - - zeromq-dev - - bash - - gcc - - clang-15 - - make - - automake - - openssl-dev - - pcre-dev - - zlib-dev - - linux-headers - - libcap - - perl-dev - - libedit-dev - - mercurial - - findutils - - curl - - ca-certificates - - patch - - libaio-dev - - openssl - - libcap-utils - - cmake - - util-linux - - lmdb-tools - - wget - - curl-dev - - libprotobuf - - git - - flex - - bison - - doxygen - - yajl-dev - - lmdb-dev - - libtool - - autoconf - - libxml2 - - python3 - - libsrt - - opentracing-cpp - - msgpack - - datadog-cpp - - yaml-cpp - - zipkin-cpp - - modsecurity - - luajit - - luajit-dev - -vars: - NGINX_VERSION: "1.21.6" - NGINX_SHA: "66dc7081488811e9f925719e34d1b4504c2801c81dee2920e5452a86b11405ae" - NDK_VERSION: "0.3.1" - NDK_VERSION_SHA: "0e971105e210d272a497567fa2e2c256f4e39b845a5ba80d373e26ba1abfbd85" - SETMISC_VERSION: "0.33" - SETMISC_VERSION_SHA: "cd5e2cc834bcfa30149e7511f2b5a2183baf0b70dc091af717a89a64e44a2985" - MORE_HEADERS_VERSION: "0.33" - MORE_HEADERS_VERSION_SHA: "a3dcbab117a9c103bc1ea5200fc00a7b7d2af97ff7fd525f16f8ac2632e30fbf" - NGINX_DIGEST_AUTH: "1.0.0" - NGINX_DIGEST_AUTH_SHA: "f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b" - NGINX_SUBSTITUTIONS: "b8a71eacc7f986ba091282ab8b1bbbc6ae1807e0" - NGINX_SUBSTITUTIONS_SHA: "a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f" - NGINX_OPENTRACING_VERSION: "0.19.0" - NGINX_OPENTRACING_VERSION_SHA: "6f97776ebdf019b105a755c7736b70bdbd7e575c7f0d39db5fe127873c7abf17" - MODSECURITY_NGINX_VERSION: "1.0.3" - MODSECURITY_NGINX_VERSION_SHA: "32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b" - MODSECURITY_LIB_VERSION: "e9a7ba4a60be48f761e0328c6dfcc668d70e35a0" - OWASP_MODSECURITY_CRS_VERSION: "v3.3.2" - LUA_NGX_VERSION: "0.10.21" - LUA_NGX_VERSION_SHA: "9db756000578efaecb43bea4fc6cf631aaa80988d86ffe5d3afeb9927895ffad" - LUA_STREAM_NGX_VERSION: "0.0.11" - LUA_STREAM_NGX_VERSION_SHA: "c7924f28cb014a99636e747ea907724dd55f60e180cb92cde6e8ed48d2278f27" - LUA_UPSTREAM_VERSION: "8aa93ead98ba2060d4efd594ae33a35d153589bf" - LUA_UPSTREAM_VERSION_SHA: "a92c9ee6682567605ece55d4eed5d1d54446ba6fba748cff0a2482aea5713d5f" - LUA_CJSON_VERSION: "4b350c531de3d71008c77ae94e59275b8371b4dc" - LUA_CJSON_VERSION_SHA: "8d602af2669fb386931760916a39f6c9034f2363c4965f215042c086b8215238" - GEOIP2_VERSION: "a26c6beed77e81553686852dceb6c7fdacc5970d" - GEOIP2_VERSION_SHA: "4c1933434572226942c65b2f2b26c8a536ab76aa771a3c7f6c2629faa764976b" - NGINX_AJP_VERSION: "fcbb2ccca4901d317ecd7a9dabb3fec9378ff40f" - NGINX_AJP_VERSION_SHA: "78fcca851bd69dabfb382dc827d2ee07662f7eca36b5e66e67d5512bad75ef8" - -pipeline: - - uses: fetch - with: - uri: https://github.com/SpiderLabs/ModSecurity-nginx/archive/v1.0.3.tar.gz - expected-sha256: 32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b - strip-components: 0 - - - uses: fetch - with: - uri: https://github.com/simpl/ngx_devel_kit/archive/v0.3.1.tar.gz - expected-sha256: 0e971105e210d272a497567fa2e2c256f4e39b845a5ba80d373e26ba1abfbd85 - strip-components: 0 - - - uses: fetch - with: - uri: https://github.com/openresty/set-misc-nginx-module/archive/v0.33.tar.gz - expected-sha256: cd5e2cc834bcfa30149e7511f2b5a2183baf0b70dc091af717a89a64e44a2985 - strip-components: 0 - - - runs: | - rm -rf v0.33.tar.gz - - - uses: fetch - with: - uri: https://github.com/openresty/headers-more-nginx-module/archive/v0.33.tar.gz - expected-sha256: a3dcbab117a9c103bc1ea5200fc00a7b7d2af97ff7fd525f16f8ac2632e30fbf - strip-components: 0 - - - uses: fetch - with: - uri: https://github.com/atomx/nginx-http-auth-digest/archive/v1.0.0.tar.gz - expected-sha256: f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b - strip-components: 0 - - - uses: fetch - with: - uri: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/b8a71eacc7f986ba091282ab8b1bbbc6ae1807e0.tar.gz - expected-sha256: a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f - strip-components: 0 - - - uses: fetch - with: - uri: https://github.com/opentracing-contrib/nginx-opentracing/archive/v0.19.0.tar.gz - expected-sha256: 6f97776ebdf019b105a755c7736b70bdbd7e575c7f0d39db5fe127873c7abf17 - strip-components: 0 - - - uses: fetch - with: - uri: https://github.com/openresty/lua-nginx-module/archive/v0.10.21.tar.gz - expected-sha256: 9db756000578efaecb43bea4fc6cf631aaa80988d86ffe5d3afeb9927895ffad - strip-components: 0 - - - uses: fetch - with: - uri: https://github.com/openresty/stream-lua-nginx-module/archive/v0.0.11.tar.gz - expected-sha256: c7924f28cb014a99636e747ea907724dd55f60e180cb92cde6e8ed48d2278f27 - strip-components: 0 - - - uses: fetch - with: - uri: https://github.com/openresty/lua-upstream-nginx-module/archive/8aa93ead98ba2060d4efd594ae33a35d153589bf.tar.gz - expected-sha256: a92c9ee6682567605ece55d4eed5d1d54446ba6fba748cff0a2482aea5713d5f - strip-components: 0 - - - uses: fetch - with: - uri: https://github.com/leev/ngx_http_geoip2_module/archive/a26c6beed77e81553686852dceb6c7fdacc5970d.tar.gz - expected-sha256: 4c1933434572226942c65b2f2b26c8a536ab76aa771a3c7f6c2629faa764976b - strip-components: 0 - - - uses: fetch - with: - uri: https://github.com/yaoweibin/nginx_ajp_module/archive/fcbb2ccca4901d317ecd7a9dabb3fec9378ff40f.tar.gz - expected-sha256: 778fcca851bd69dabfb382dc827d2ee07662f7eca36b5e66e67d5512bad75ef8 - strip-components: 0 - - - uses: fetch - with: - uri: https://nginx.org/download/nginx-${{package.version}}.tar.gz - expected-sha256: 66dc7081488811e9f925719e34d1b4504c2801c81dee2920e5452a86b11405ae - strip-components: 0 - - - name: 'Configure nginx' - runs: | - export BUILD_PATH="${PWD}" - echo "BUILD_PATH $BUILD_PATH" - echo "Arch: $(uname -m)" - # improve compilation times - CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1)) - - export LUAJIT_LIB="$(pkgconf --variable=libdir luajit)" - export LUAJIT_INC="$(pkgconf --variable=includedir luajit)" - export LUA_LIB_DIR="$LUAJIT_LIB/lua" - ln -s /usr/bin/luajit /usr/bin/lua - ln -s "$LUAJIT_INC" /usr/include/lua - export LUA_INCLUDE_DIR=/usr/include/luajit-2.1 - ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1 - ARCH=$(uname -m) - - mkdir -p ${{targets.destdir}}/etc/nginx/ - cp -R etc/nginx/geoip/ ${{targets.destdir}}/etc/nginx/ - - # Get Brotli source and deps - echo "::::::::::::::::::::::::::::::::::::::" - echo ":::: ngx_brotl ::::" - echo "::::::::::::::::::::::::::::::::::::::" - cd "$BUILD_PATH" - git clone --depth=1 https://github.com/google/ngx_brotli.git - cd ngx_brotli - git submodule init - git submodule update - - - git clone -n https://github.com/SpiderLabs/ModSecurity - cd ModSecurity/ - git branch - git checkout ${{vars.MODSECURITY_LIB_VERSION}} - git submodule init - git submodule update - mkdir -p ${{targets.destdir}}/etc/nginx/modsecurity - cp modsecurity.conf-recommended ${{targets.destdir}}/etc/nginx/modsecurity/modsecurity.conf - cp unicode.mapping ${{targets.destdir}}/etc/nginx/modsecurity/unicode.mapping - - # Replace serial logging with concurrent - sed -i 's|SecAuditLogType Serial|SecAuditLogType Concurrent|g' ${{targets.destdir}}/etc/nginx/modsecurity/modsecurity.conf - - # Concurrent logging implies the log is stored in several files - echo "SecAuditLogStorageDir /var/log/audit/" >> ${{targets.destdir}}/etc/nginx/modsecurity/modsecurity.conf - - # Download owasp modsecurity crs - cd ${{targets.destdir}}/etc/nginx/ - - git clone -b ${{vars.OWASP_MODSECURITY_CRS_VERSION}} https://github.com/coreruleset/coreruleset owasp-modsecurity-crs - cd owasp-modsecurity-crs - - mv crs-setup.conf.example crs-setup.conf - mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf - mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf - - # OWASP CRS v3 rules - echo ' - Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf - Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf - ' > ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf - - - echo "::::::::::::::::::::::::::::::::::::::" - echo ":::: nginx-${{vars.NGINX_VERSION}} ::::" - echo "::::::::::::::::::::::::::::::::::::::" - - cd "$BUILD_PATH/nginx-${{vars.NGINX_VERSION}}" - # apply nginx patches - for PATCH in `ls $BUILD_PATH/patches`;do - echo "Patch: $PATCH" - if [[ "$PATCH" == *.txt ]]; then - patch -p0 < $BUILD_PATH/patches/$PATCH - else - patch -p1 < $BUILD_PATH/patches/$PATCH - fi - done - - WITH_FLAGS="--with-debug \ - --with-compat \ - --with-pcre-jit \ - --with-http_ssl_module \ - --with-http_stub_status_module \ - --with-http_realip_module \ - --with-http_auth_request_module \ - --with-http_addition_module \ - --with-http_geoip_module \ - --with-http_gzip_static_module \ - --with-http_sub_module \ - --with-http_v2_module \ - --with-stream \ - --with-stream_ssl_module \ - --with-stream_realip_module \ - --with-stream_ssl_preread_module \ - --with-threads \ - --with-http_secure_link_module \ - --with-http_gunzip_module" - - WITH_FLAGS="--with-debug \ - --with-compat \ - --with-pcre-jit \ - --with-http_ssl_module \ - --with-http_stub_status_module \ - --with-http_realip_module \ - --with-http_auth_request_module \ - --with-http_addition_module \ - --with-http_geoip_module \ - --with-http_gzip_static_module \ - --with-http_sub_module \ - --with-http_v2_module \ - --with-stream \ - --with-stream_ssl_module \ - --with-stream_realip_module \ - --with-stream_ssl_preread_module \ - --with-threads \ - --with-http_secure_link_module \ - --with-http_gunzip_module" - - WITH_MODULES=" \ - --add-module=${BUILD_PATH}/ngx_devel_kit-"${{vars.NDK_VERSION}}" \ - --add-module=${BUILD_PATH}/set-misc-nginx-module-"${{vars.SETMISC_VERSION}}" \ - --add-module=${BUILD_PATH}/headers-more-nginx-module-"${{vars.MORE_HEADERS_VERSION}}" \ - --add-module=${BUILD_PATH}/ngx_http_substitutions_filter_module-"${{vars.NGINX_SUBSTITUTIONS}}" \ - --add-module=${BUILD_PATH}/lua-nginx-module-"${{vars.LUA_NGX_VERSION}}" \ - --add-module=${BUILD_PATH}/stream-lua-nginx-module-"${{vars.LUA_STREAM_NGX_VERSION}}" \ - --add-module=${BUILD_PATH}/lua-upstream-nginx-module-"${{vars.LUA_UPSTREAM_VERSION}}" \ - --add-module=${BUILD_PATH}/nginx_ajp_module-"${{vars.NGINX_AJP_VERSION}}" \ - --add-dynamic-module=${BUILD_PATH}/nginx-http-auth-digest-"${{vars.NGINX_DIGEST_AUTH}}" \ - --add-dynamic-module=${BUILD_PATH}/nginx-opentracing-"${{vars.NGINX_OPENTRACING_VERSION}}"/opentracing \ - --add-dynamic-module=${BUILD_PATH}/ModSecurity-nginx-"${{vars.MODSECURITY_NGINX_VERSION}}" \ - --add-dynamic-module=${BUILD_PATH}/ngx_http_geoip2_module-"${{vars.GEOIP2_VERSION}}" \ - --add-dynamic-module=${BUILD_PATH}/ngx_brotli" - - # "Combining -flto with -g is currently experimental and expected to produce unexpected results." - # https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html - CC_OPT="-g -O2 -fPIE -fstack-protector-strong \ - -Wformat \ - -Werror=format-security \ - -Wno-deprecated-declarations \ - -fno-strict-aliasing \ - -D_FORTIFY_SOURCE=2 \ - --param=ssp-buffer-size=4 \ - -DTCP_FASTOPEN=23 \ - -fPIC \ - -Wno-cast-function-type" - - LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now" - - if [[ ${ARCH} != "aarch64" ]]; then - WITH_FLAGS="${WITH_FLAGS} --with-file-aio" - fi - - if [[ ${ARCH} == "x86_64" ]]; then - CC_OPT="${CC_OPT} -m64 -mtune=generic" - fi - - echo "::::::::::::::::::::::::::::::::::::::::::::::::" - echo ":::: Configuring nginx-${{vars.NGINX_VERSION }} ::::" - echo "::::::::::::::::::::::::::::::::::::::::::::::::" - ./configure \ - --prefix=/usr/local/nginx \ - --conf-path=/etc/nginx/nginx.conf \ - --modules-path=/etc/nginx/modules \ - --http-log-path=/var/log/nginx/access.log \ - --error-log-path=/var/log/nginx/error.log \ - --lock-path=/var/lock/nginx.lock \ - --pid-path=/run/nginx.pid \ - --http-client-body-temp-path=/var/lib/nginx/body \ - --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ - --http-proxy-temp-path=/var/lib/nginx/proxy \ - --http-scgi-temp-path=/var/lib/nginx/scgi \ - --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \ - ${WITH_FLAGS} \ - --without-mail_pop3_module \ - --without-mail_smtp_module \ - --without-mail_imap_module \ - --without-http_uwsgi_module \ - --without-http_scgi_module \ - --with-cc-opt="${CC_OPT}" \ - --with-ld-opt="${LD_OPT}" \ - --user=www-data \ - --group=www-data \ - ${WITH_MODULES} - - echo "::::::::::::::::::::::::::::::::::::::::::" - echo ":::: MAKE nginx-${{vars.NGINX_VERSION }} ::::" - echo "::::::::::::::::::::::::::::::::::::::::::" - make - - echo "::::::::::::::::::::::::::::::::::::::::::::" - echo ":::: MODULES nginx-${{vars.NGINX_VERSION }} ::::" - echo "::::::::::::::::::::::::::::::::::::::::::::" - make DESTDIR="${{targets.destdir}}" modules - - echo "::::::::::::::::::::::::::::::::::::::::::::" - echo ":::: INSTALL nginx-${{vars.NGINX_VERSION }} ::::" - echo "::::::::::::::::::::::::::::::::::::::::::::" - make DESTDIR="${{targets.destdir}}" install - - setcap cap_net_bind_service=+ep ${{targets.destdir}}/usr/local/nginx/sbin/nginx \ - && setcap -v cap_net_bind_service=+ep ${{targets.destdir}}/usr/local/nginx/sbin/nginx \ - - echo "::::::::::::::::::::::::::::::::::::::::::::" - echo ":::::::::::::::: CLEANUP :::::::::::::::::::" - echo "::::::::::::::::::::::::::::::::::::::::::::" - - echo "Clean up owasp-modsecurity-crs" - rm -rf ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/.git - rm -rf ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/util/regression-tests - - - echo "Clean up everything else" - cd ${BUILD_PATH} - - rm -rf *.tar.gz ${BUILD_PATH}/ngx_devel_kit-"${{vars.NDK_VERSION}}" \ - ${BUILD_PATH}/set-misc-nginx-module-"${{vars.SETMISC_VERSION}}" \ - ${BUILD_PATH}/headers-more-nginx-module-"${{vars.MORE_HEADERS_VERSION}}" \ - ${BUILD_PATH}/ngx_http_substitutions_filter_module-"${{vars.NGINX_SUBSTITUTIONS}}" \ - ${BUILD_PATH}/lua-nginx-module-"${{vars.LUA_NGX_VERSION}}" \ - ${BUILD_PATH}/stream-lua-nginx-module-"${{vars.LUA_STREAM_NGX_VERSION}}" \ - ${BUILD_PATH}/lua-upstream-nginx-module-"${{vars.LUA_UPSTREAM_VERSION}}" \ - ${BUILD_PATH}/nginx_ajp_module-"${{vars.NGINX_AJP_VERSION}}" \ - ${BUILD_PATH}/nginx-http-auth-digest-"${{vars.NGINX_DIGEST_AUTH}}" \ - ${BUILD_PATH}/nginx-opentracing-"${{vars.NGINX_OPENTRACING_VERSION}}"/opentracing \ - ${BUILD_PATH}/ModSecurity-nginx-"${{vars.MODSECURITY_NGINX_VERSION}}" \ - ${BUILD_PATH}/ngx_http_geoip2_module-"${{vars.GEOIP2_VERSION}}" \ - ${BUILD_PATH}/ngx_brotli - -update: - enabled: false diff --git a/ingress-nginx/etc/nginx/geoip/GeoIP.dat b/ingress-nginx/etc/nginx/geoip/GeoIP.dat deleted file mode 100644 index be8b031f7d1..00000000000 Binary files a/ingress-nginx/etc/nginx/geoip/GeoIP.dat and /dev/null differ diff --git a/ingress-nginx/etc/nginx/geoip/GeoIPASNum.dat b/ingress-nginx/etc/nginx/geoip/GeoIPASNum.dat deleted file mode 100644 index 85c2cb3296d..00000000000 Binary files a/ingress-nginx/etc/nginx/geoip/GeoIPASNum.dat and /dev/null differ diff --git a/ingress-nginx/etc/nginx/geoip/GeoLiteCity.dat b/ingress-nginx/etc/nginx/geoip/GeoLiteCity.dat deleted file mode 100644 index 1adb8c3c492..00000000000 Binary files a/ingress-nginx/etc/nginx/geoip/GeoLiteCity.dat and /dev/null differ diff --git a/ingress-nginx/patches/drop-alias-root.patch b/ingress-nginx/patches/drop-alias-root.patch deleted file mode 100644 index a92e08bd0a6..00000000000 --- a/ingress-nginx/patches/drop-alias-root.patch +++ /dev/null @@ -1,144 +0,0 @@ -:100644 100644 c7463dcd 00000000 M src/http/ngx_http_core_module.c -diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c -index c7463dcd..e2e45931 100644 ---- a/src/http/ngx_http_core_module.c -+++ b/src/http/ngx_http_core_module.c -@@ -55,7 +55,6 @@ static char *ngx_http_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, - void *conf); - static char *ngx_http_core_server_name(ngx_conf_t *cf, ngx_command_t *cmd, - void *conf); --static char *ngx_http_core_root(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); - static char *ngx_http_core_limit_except(ngx_conf_t *cf, ngx_command_t *cmd, - void *conf); - static char *ngx_http_core_set_aio(ngx_conf_t *cf, ngx_command_t *cmd, -@@ -323,21 +322,6 @@ static ngx_command_t ngx_http_core_commands[] = { - offsetof(ngx_http_core_loc_conf_t, default_type), - NULL }, - -- { ngx_string("root"), -- NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -- |NGX_CONF_TAKE1, -- ngx_http_core_root, -- NGX_HTTP_LOC_CONF_OFFSET, -- 0, -- NULL }, -- -- { ngx_string("alias"), -- NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, -- ngx_http_core_root, -- NGX_HTTP_LOC_CONF_OFFSET, -- 0, -- NULL }, -- - { ngx_string("limit_except"), - NGX_HTTP_LOC_CONF|NGX_CONF_BLOCK|NGX_CONF_1MORE, - ngx_http_core_limit_except, -@@ -4312,108 +4296,6 @@ ngx_http_core_server_name(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) - } - - --static char * --ngx_http_core_root(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) --{ -- ngx_http_core_loc_conf_t *clcf = conf; -- -- ngx_str_t *value; -- ngx_int_t alias; -- ngx_uint_t n; -- ngx_http_script_compile_t sc; -- -- alias = (cmd->name.len == sizeof("alias") - 1) ? 1 : 0; -- -- if (clcf->root.data) { -- -- if ((clcf->alias != 0) == alias) { -- return "is duplicate"; -- } -- -- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -- "\"%V\" directive is duplicate, " -- "\"%s\" directive was specified earlier", -- &cmd->name, clcf->alias ? "alias" : "root"); -- -- return NGX_CONF_ERROR; -- } -- -- if (clcf->named && alias) { -- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -- "the \"alias\" directive cannot be used " -- "inside the named location"); -- -- return NGX_CONF_ERROR; -- } -- -- value = cf->args->elts; -- -- if (ngx_strstr(value[1].data, "$document_root") -- || ngx_strstr(value[1].data, "${document_root}")) -- { -- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -- "the $document_root variable cannot be used " -- "in the \"%V\" directive", -- &cmd->name); -- -- return NGX_CONF_ERROR; -- } -- -- if (ngx_strstr(value[1].data, "$realpath_root") -- || ngx_strstr(value[1].data, "${realpath_root}")) -- { -- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -- "the $realpath_root variable cannot be used " -- "in the \"%V\" directive", -- &cmd->name); -- -- return NGX_CONF_ERROR; -- } -- -- clcf->alias = alias ? clcf->name.len : 0; -- clcf->root = value[1]; -- -- if (!alias && clcf->root.len > 0 -- && clcf->root.data[clcf->root.len - 1] == '/') -- { -- clcf->root.len--; -- } -- -- if (clcf->root.data[0] != '$') { -- if (ngx_conf_full_name(cf->cycle, &clcf->root, 0) != NGX_OK) { -- return NGX_CONF_ERROR; -- } -- } -- -- n = ngx_http_script_variables_count(&clcf->root); -- -- ngx_memzero(&sc, sizeof(ngx_http_script_compile_t)); -- sc.variables = n; -- --#if (NGX_PCRE) -- if (alias && clcf->regex) { -- clcf->alias = NGX_MAX_SIZE_T_VALUE; -- n = 1; -- } --#endif -- -- if (n) { -- sc.cf = cf; -- sc.source = &clcf->root; -- sc.lengths = &clcf->root_lengths; -- sc.values = &clcf->root_values; -- sc.complete_lengths = 1; -- sc.complete_values = 1; -- -- if (ngx_http_script_compile(&sc) != NGX_OK) { -- return NGX_CONF_ERROR; -- } -- } -- -- return NGX_CONF_OK; --} -- -- - static ngx_http_method_name_t ngx_methods_names[] = { - { (u_char *) "GET", (uint32_t) ~NGX_HTTP_GET }, - { (u_char *) "HEAD", (uint32_t) ~NGX_HTTP_HEAD }, diff --git a/ingress-nginx/patches/nginx-1.21.4-balancer_status_code.patch b/ingress-nginx/patches/nginx-1.21.4-balancer_status_code.patch deleted file mode 100644 index c4d87e2fb23..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-balancer_status_code.patch +++ /dev/null @@ -1,72 +0,0 @@ -diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c -index f8d5707d..6efe0047 100644 ---- a/src/http/ngx_http_upstream.c -+++ b/src/http/ngx_http_upstream.c -@@ -1515,6 +1515,11 @@ ngx_http_upstream_connect(ngx_http_request_t *r, ngx_http_upstream_t *u) - return; - } - -+ if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { -+ ngx_http_upstream_finalize_request(r, u, rc); -+ return; -+ } -+ - u->state->peer = u->peer.name; - - if (rc == NGX_BUSY) { -diff --git a/src/http/ngx_http_upstream.h b/src/http/ngx_http_upstream.h -index 3e714e5b..dfbb25e0 100644 ---- a/src/http/ngx_http_upstream.h -+++ b/src/http/ngx_http_upstream.h -@@ -427,4 +427,9 @@ extern ngx_conf_bitmask_t ngx_http_upstream_cache_method_mask[]; - extern ngx_conf_bitmask_t ngx_http_upstream_ignore_headers_masks[]; - - -+#ifndef HAVE_BALANCER_STATUS_CODE_PATCH -+#define HAVE_BALANCER_STATUS_CODE_PATCH -+#endif -+ -+ - #endif /* _NGX_HTTP_UPSTREAM_H_INCLUDED_ */ -diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h -index 09d24593..d8b4b584 100644 ---- a/src/stream/ngx_stream.h -+++ b/src/stream/ngx_stream.h -@@ -27,6 +27,7 @@ typedef struct ngx_stream_session_s ngx_stream_session_t; - - - #define NGX_STREAM_OK 200 -+#define NGX_STREAM_SPECIAL_RESPONSE 300 - #define NGX_STREAM_BAD_REQUEST 400 - #define NGX_STREAM_FORBIDDEN 403 - #define NGX_STREAM_INTERNAL_SERVER_ERROR 500 -diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c -index 818d7329..329dcdc6 100644 ---- a/src/stream/ngx_stream_proxy_module.c -+++ b/src/stream/ngx_stream_proxy_module.c -@@ -691,6 +691,11 @@ ngx_stream_proxy_connect(ngx_stream_session_t *s) - return; - } - -+ if (rc >= NGX_STREAM_SPECIAL_RESPONSE) { -+ ngx_stream_proxy_finalize(s, rc); -+ return; -+ } -+ - u->state->peer = u->peer.name; - - if (rc == NGX_BUSY) { -diff --git a/src/stream/ngx_stream_upstream.h b/src/stream/ngx_stream_upstream.h -index 73947f46..21bc0ad7 100644 ---- a/src/stream/ngx_stream_upstream.h -+++ b/src/stream/ngx_stream_upstream.h -@@ -151,4 +151,9 @@ ngx_stream_upstream_srv_conf_t *ngx_stream_upstream_add(ngx_conf_t *cf, - extern ngx_module_t ngx_stream_upstream_module; - - -+#ifndef HAVE_BALANCER_STATUS_CODE_PATCH -+#define HAVE_BALANCER_STATUS_CODE_PATCH -+#endif -+ -+ - #endif /* _NGX_STREAM_UPSTREAM_H_INCLUDED_ */ diff --git a/ingress-nginx/patches/nginx-1.21.4-cache_manager_exit.patch b/ingress-nginx/patches/nginx-1.21.4-cache_manager_exit.patch deleted file mode 100644 index 91ee63a2625..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-cache_manager_exit.patch +++ /dev/null @@ -1,19 +0,0 @@ -# HG changeset patch -# User Yichun Zhang -# Date 1383598130 28800 -# Node ID f64218e1ac963337d84092536f588b8e0d99bbaa -# Parent dea321e5c0216efccbb23e84bbce7cf3e28f130c -Cache: gracefully exit the cache manager process. - -diff -r dea321e5c021 -r f64218e1ac96 src/os/unix/ngx_process_cycle.c ---- a/src/os/unix/ngx_process_cycle.c Thu Oct 31 18:23:49 2013 +0400 -+++ b/src/os/unix/ngx_process_cycle.c Mon Nov 04 12:48:50 2013 -0800 -@@ -1134,7 +1134,7 @@ - - if (ngx_terminate || ngx_quit) { - ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting"); -- exit(0); -+ ngx_worker_process_exit(cycle); - } - - if (ngx_reopen) { diff --git a/ingress-nginx/patches/nginx-1.21.4-delayed_posted_events.patch b/ingress-nginx/patches/nginx-1.21.4-delayed_posted_events.patch deleted file mode 100644 index 6875843245a..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-delayed_posted_events.patch +++ /dev/null @@ -1,98 +0,0 @@ -diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c -index 57af8132..4853945f 100644 ---- a/src/event/ngx_event.c -+++ b/src/event/ngx_event.c -@@ -196,6 +196,9 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle) - ngx_uint_t flags; - ngx_msec_t timer, delta; - -+ ngx_queue_t *q; -+ ngx_event_t *ev; -+ - if (ngx_timer_resolution) { - timer = NGX_TIMER_INFINITE; - flags = 0; -@@ -215,6 +218,13 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle) - #endif - } - -+ if (!ngx_queue_empty(&ngx_posted_delayed_events)) { -+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, cycle->log, 0, -+ "posted delayed event queue not empty" -+ " making poll timeout 0"); -+ timer = 0; -+ } -+ - if (ngx_use_accept_mutex) { - if (ngx_accept_disabled > 0) { - ngx_accept_disabled--; -@@ -257,6 +267,35 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle) - } - - ngx_event_process_posted(cycle, &ngx_posted_events); -+ -+ while (!ngx_queue_empty(&ngx_posted_delayed_events)) { -+ q = ngx_queue_head(&ngx_posted_delayed_events); -+ -+ ev = ngx_queue_data(q, ngx_event_t, queue); -+ if (ev->delayed) { -+ /* start of newly inserted nodes */ -+ for (/* void */; -+ q != ngx_queue_sentinel(&ngx_posted_delayed_events); -+ q = ngx_queue_next(q)) -+ { -+ ev = ngx_queue_data(q, ngx_event_t, queue); -+ ev->delayed = 0; -+ -+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, cycle->log, 0, -+ "skipping delayed posted event %p," -+ " till next iteration", ev); -+ } -+ -+ break; -+ } -+ -+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, cycle->log, 0, -+ "delayed posted event %p", ev); -+ -+ ngx_delete_posted_event(ev); -+ -+ ev->handler(ev); -+ } - } - - -@@ -600,6 +639,7 @@ ngx_event_process_init(ngx_cycle_t *cycle) - - ngx_queue_init(&ngx_posted_accept_events); - ngx_queue_init(&ngx_posted_events); -+ ngx_queue_init(&ngx_posted_delayed_events); - - if (ngx_event_timer_init(cycle->log) == NGX_ERROR) { - return NGX_ERROR; -diff --git a/src/event/ngx_event_posted.c b/src/event/ngx_event_posted.c -index d851f3d1..b6cea009 100644 ---- a/src/event/ngx_event_posted.c -+++ b/src/event/ngx_event_posted.c -@@ -12,6 +12,7 @@ - - ngx_queue_t ngx_posted_accept_events; - ngx_queue_t ngx_posted_events; -+ngx_queue_t ngx_posted_delayed_events; - - - void -diff --git a/src/event/ngx_event_posted.h b/src/event/ngx_event_posted.h -index 145d30fe..6c388553 100644 ---- a/src/event/ngx_event_posted.h -+++ b/src/event/ngx_event_posted.h -@@ -43,6 +43,9 @@ void ngx_event_process_posted(ngx_cycle_t *cycle, ngx_queue_t *posted); - - extern ngx_queue_t ngx_posted_accept_events; - extern ngx_queue_t ngx_posted_events; -+extern ngx_queue_t ngx_posted_delayed_events; -+ -+#define HAVE_POSTED_DELAYED_EVENTS_PATCH - - - #endif /* _NGX_EVENT_POSTED_H_INCLUDED_ */ diff --git a/ingress-nginx/patches/nginx-1.21.4-hash_overflow.patch b/ingress-nginx/patches/nginx-1.21.4-hash_overflow.patch deleted file mode 100644 index 449d214babe..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-hash_overflow.patch +++ /dev/null @@ -1,20 +0,0 @@ -# HG changeset patch -# User Yichun Zhang -# Date 1412276417 25200 -# Thu Oct 02 12:00:17 2014 -0700 -# Node ID 4032b992f23b054c1a2cfb0be879330d2c6708e5 -# Parent 1ff0f68d9376e3d184d65814a6372856bf65cfcd -Hash: buffer overflow might happen when exceeding the pre-configured limits. - -diff -r 1ff0f68d9376 -r 4032b992f23b src/core/ngx_hash.c ---- a/src/core/ngx_hash.c Tue Sep 30 15:50:28 2014 -0700 -+++ b/src/core/ngx_hash.c Thu Oct 02 12:00:17 2014 -0700 -@@ -312,6 +312,8 @@ ngx_hash_init(ngx_hash_init_t *hinit, ng - continue; - } - -+ size--; -+ - ngx_log_error(NGX_LOG_WARN, hinit->pool->log, 0, - "could not build optimal %s, you should increase " - "either %s_max_size: %i or %s_bucket_size: %i; " diff --git a/ingress-nginx/patches/nginx-1.21.4-init_cycle_pool_release.patch b/ingress-nginx/patches/nginx-1.21.4-init_cycle_pool_release.patch deleted file mode 100644 index 9cfa4f7cb94..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-init_cycle_pool_release.patch +++ /dev/null @@ -1,59 +0,0 @@ -diff -rup nginx-1.21.4/src/core/nginx.c nginx-1.21.4-patched/src/core/nginx.c ---- nginx-1.21.4/src/core/nginx.c 2017-12-17 00:00:38.136470108 -0800 -+++ nginx-1.21.4-patched/src/core/nginx.c 2017-12-16 23:59:51.680958322 -0800 -@@ -186,6 +186,7 @@ static u_char *ngx_prefix; - static u_char *ngx_conf_file; - static u_char *ngx_conf_params; - static char *ngx_signal; -+ngx_pool_t *saved_init_cycle_pool = NULL; - - - static char **ngx_os_environ; -@@ -253,6 +254,8 @@ main(int argc, char *const *argv) - return 1; - } - -+ saved_init_cycle_pool = init_cycle.pool; -+ - if (ngx_save_argv(&init_cycle, argc, argv) != NGX_OK) { - return 1; - } -diff -rup nginx-1.21.4/src/core/ngx_core.h nginx-1.21.4-patched/src/core/ngx_core.h ---- nginx-1.21.4/src/core/ngx_core.h 2017-10-10 08:22:51.000000000 -0700 -+++ nginx-1.21.4-patched/src/core/ngx_core.h 2017-12-16 23:59:51.679958370 -0800 -@@ -108,4 +108,6 @@ void ngx_cpuinfo(void); - #define NGX_DISABLE_SYMLINKS_NOTOWNER 2 - #endif - -+extern ngx_pool_t *saved_init_cycle_pool; -+ - #endif /* _NGX_CORE_H_INCLUDED_ */ -diff -rup nginx-1.21.4/src/core/ngx_cycle.c nginx-1.21.4-patched/src/core/ngx_cycle.c ---- nginx-1.21.4/src/core/ngx_cycle.c 2017-10-10 08:22:51.000000000 -0700 -+++ nginx-1.21.4-patched/src/core/ngx_cycle.c 2017-12-16 23:59:51.678958419 -0800 -@@ -748,6 +748,10 @@ old_shm_zone_done: - - if (ngx_process == NGX_PROCESS_MASTER || ngx_is_init_cycle(old_cycle)) { - -+ if (ngx_is_init_cycle(old_cycle)) { -+ saved_init_cycle_pool = NULL; -+ } -+ - ngx_destroy_pool(old_cycle->pool); - cycle->old_cycle = NULL; - -diff -rup nginx-1.21.4/src/os/unix/ngx_process_cycle.c nginx-1.21.4-patched/src/os/unix/ngx_process_cycle.c ---- nginx-1.21.4/src/os/unix/ngx_process_cycle.c 2017-12-17 00:00:38.142469762 -0800 -+++ nginx-1.21.4-patched/src/os/unix/ngx_process_cycle.c 2017-12-16 23:59:51.691957791 -0800 -@@ -687,6 +692,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc - ngx_exit_cycle.files_n = ngx_cycle->files_n; - ngx_cycle = &ngx_exit_cycle; - -+ if (saved_init_cycle_pool != NULL && saved_init_cycle_pool != cycle->pool) { -+ ngx_destroy_pool(saved_init_cycle_pool); -+ saved_init_cycle_pool = NULL; -+ } -+ - ngx_destroy_pool(cycle->pool); - - exit(0); diff --git a/ingress-nginx/patches/nginx-1.21.4-larger_max_error_str.patch b/ingress-nginx/patches/nginx-1.21.4-larger_max_error_str.patch deleted file mode 100644 index c89032c9f40..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-larger_max_error_str.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- nginx-1.21.4/src/core/ngx_log.h 2013-10-08 05:07:14.000000000 -0700 -+++ nginx-1.21.4-patched/src/core/ngx_log.h 2013-12-05 20:35:35.996236720 -0800 -@@ -64,7 +64,9 @@ struct ngx_log_s { - }; - - --#define NGX_MAX_ERROR_STR 2048 -+#ifndef NGX_MAX_ERROR_STR -+#define NGX_MAX_ERROR_STR 4096 -+#endif - - - /*********************************/ diff --git a/ingress-nginx/patches/nginx-1.21.4-no_Werror.patch b/ingress-nginx/patches/nginx-1.21.4-no_Werror.patch deleted file mode 100644 index f4d6fd0e5c9..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-no_Werror.patch +++ /dev/null @@ -1,36 +0,0 @@ -diff -urp nginx-1.21.4/auto/cc/clang nginx-1.21.4-patched/auto/cc/clang ---- nginx-1.21.4/auto/cc/clang 2014-03-04 03:39:24.000000000 -0800 -+++ nginx-1.21.4-patched/auto/cc/clang 2014-03-13 20:54:26.241413360 -0700 -@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali - CFLAGS="$CFLAGS -Wno-unused-parameter" - - # stop on warning --CFLAGS="$CFLAGS -Werror" -+#CFLAGS="$CFLAGS -Werror" - - # debug - CFLAGS="$CFLAGS -g" -diff -urp nginx-1.21.4/auto/cc/gcc nginx-1.21.4-patched/auto/cc/gcc ---- nginx-1.21.4/auto/cc/gcc 2014-03-04 03:39:24.000000000 -0800 -+++ nginx-1.21.4-patched/auto/cc/gcc 2014-03-13 20:54:13.301355329 -0700 -@@ -168,7 +168,7 @@ esac - - - # stop on warning --CFLAGS="$CFLAGS -Werror" -+#CFLAGS="$CFLAGS -Werror" - - # debug - CFLAGS="$CFLAGS -g" -diff -urp nginx-1.21.4/auto/cc/icc nginx-1.21.4-patched/auto/cc/icc ---- nginx-1.21.4/auto/cc/icc 2014-03-04 03:39:24.000000000 -0800 -+++ nginx-1.21.4-patched/auto/cc/icc 2014-03-13 20:54:13.301355329 -0700 -@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in - esac - - # stop on warning --CFLAGS="$CFLAGS -Werror" -+#CFLAGS="$CFLAGS -Werror" - - # debug - CFLAGS="$CFLAGS -g" diff --git a/ingress-nginx/patches/nginx-1.21.4-proxy_host_port_vars.patch b/ingress-nginx/patches/nginx-1.21.4-proxy_host_port_vars.patch deleted file mode 100644 index 01cebd65adb..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-proxy_host_port_vars.patch +++ /dev/null @@ -1,19 +0,0 @@ ---- nginx-1.21.4/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800 -+++ nginx-1.21.4-patched/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800 -@@ -793,13 +793,13 @@ static ngx_keyval_t ngx_http_proxy_cach - static ngx_http_variable_t ngx_http_proxy_vars[] = { - - { ngx_string("proxy_host"), NULL, ngx_http_proxy_host_variable, 0, -- NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 }, -+ NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("proxy_port"), NULL, ngx_http_proxy_port_variable, 0, -- NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 }, -+ NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("proxy_add_x_forwarded_for"), NULL, -- ngx_http_proxy_add_x_forwarded_for_variable, 0, NGX_HTTP_VAR_NOHASH, 0 }, -+ ngx_http_proxy_add_x_forwarded_for_variable, 0, 0, 0 }, - - #if 0 - { ngx_string("proxy_add_via"), NULL, NULL, 0, NGX_HTTP_VAR_NOHASH, 0 }, diff --git a/ingress-nginx/patches/nginx-1.21.4-resolver_conf_parsing.patch b/ingress-nginx/patches/nginx-1.21.4-resolver_conf_parsing.patch deleted file mode 100644 index 8638cdf2a82..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-resolver_conf_parsing.patch +++ /dev/null @@ -1,263 +0,0 @@ -diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c -index cd55520c..dade1846 100644 ---- a/src/core/ngx_resolver.c -+++ b/src/core/ngx_resolver.c -@@ -9,12 +9,26 @@ - #include - #include - -+#if !(NGX_WIN32) -+#include -+#endif -+ - - #define NGX_RESOLVER_UDP_SIZE 4096 - - #define NGX_RESOLVER_TCP_RSIZE (2 + 65535) - #define NGX_RESOLVER_TCP_WSIZE 8192 - -+#if !(NGX_WIN32) -+/* -+ * note that 2KB should be more than enough for majority of the -+ * resolv.conf files out there. it also acts as a safety guard to prevent -+ * abuse. -+ */ -+#define NGX_RESOLVER_FILE_BUF_SIZE 2048 -+#define NGX_RESOLVER_FILE_NAME "/etc/resolv.conf" -+#endif -+ - - typedef struct { - u_char ident_hi; -@@ -131,6 +145,191 @@ static ngx_resolver_node_t *ngx_resolver_lookup_addr6(ngx_resolver_t *r, - #endif - - -+#if !(NGX_WIN32) -+static ngx_int_t -+ngx_resolver_read_resolv_conf(ngx_conf_t *cf, ngx_resolver_t *r, u_char *path, -+ size_t path_len) -+{ -+ ngx_url_t u; -+ ngx_resolver_connection_t *rec; -+ ngx_fd_t fd; -+ ngx_file_t file; -+ u_char buf[NGX_RESOLVER_FILE_BUF_SIZE]; -+ u_char ipv6_buf[NGX_INET6_ADDRSTRLEN]; -+ ngx_uint_t address = 0, j, total = 0; -+ ssize_t n, i; -+ enum { -+ sw_nameserver, -+ sw_spaces, -+ sw_address, -+ sw_skip -+ } state; -+ -+ file.name.data = path; -+ file.name.len = path_len; -+ -+ if (ngx_conf_full_name(cf->cycle, &file.name, 1) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, -+ NGX_FILE_OPEN, 0); -+ -+ if (fd == NGX_INVALID_FILE) { -+ ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, -+ ngx_open_file_n " \"%s\" failed", file.name.data); -+ -+ return NGX_ERROR; -+ } -+ -+ ngx_memzero(&file, sizeof(ngx_file_t)); -+ -+ file.fd = fd; -+ file.log = cf->log; -+ -+ state = sw_nameserver; -+ -+ n = ngx_read_file(&file, buf, NGX_RESOLVER_FILE_BUF_SIZE, 0); -+ -+ if (n == NGX_ERROR) { -+ ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno, -+ ngx_read_file_n " \"%s\" failed", file.name.data); -+ } -+ -+ if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { -+ ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno, -+ ngx_close_file_n " \"%s\" failed", file.name.data); -+ } -+ -+ if (n == NGX_ERROR) { -+ return NGX_ERROR; -+ } -+ -+ if (n == 0) { -+ return NGX_OK; -+ } -+ -+ for (i = 0; i < n && total < MAXNS; /* void */) { -+ if (buf[i] == '#' || buf[i] == ';') { -+ state = sw_skip; -+ } -+ -+ switch (state) { -+ -+ case sw_nameserver: -+ -+ if ((size_t) n - i >= sizeof("nameserver") - 1 -+ && ngx_memcmp(buf + i, "nameserver", -+ sizeof("nameserver") - 1) == 0) -+ { -+ state = sw_spaces; -+ i += sizeof("nameserver") - 1; -+ -+ continue; -+ } -+ -+ break; -+ -+ case sw_spaces: -+ if (buf[i] != '\t' && buf[i] != ' ') { -+ address = i; -+ state = sw_address; -+ } -+ -+ break; -+ -+ case sw_address: -+ -+ if (buf[i] == CR || buf[i] == LF || i == n - 1) { -+ ngx_memzero(&u, sizeof(ngx_url_t)); -+ -+ u.url.data = buf + address; -+ -+ if (i == n - 1 && buf[i] != CR && buf[i] != LF) { -+ u.url.len = n - address; -+ -+ } else { -+ u.url.len = i - address; -+ } -+ -+ u.default_port = 53; -+ -+ /* IPv6? */ -+ if (ngx_strlchr(u.url.data, u.url.data + u.url.len, -+ ':') != NULL) -+ { -+ if (u.url.len + 2 > sizeof(ipv6_buf)) { -+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -+ "IPv6 resolver address is too long:" -+ " \"%V\"", &u.url); -+ -+ return NGX_ERROR; -+ } -+ -+ ipv6_buf[0] = '['; -+ ngx_memcpy(ipv6_buf + 1, u.url.data, u.url.len); -+ ipv6_buf[u.url.len + 1] = ']'; -+ -+ u.url.data = ipv6_buf; -+ u.url.len = u.url.len + 2; -+ } -+ -+ if (ngx_parse_url(cf->pool, &u) != NGX_OK) { -+ if (u.err) { -+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -+ "%s in resolver \"%V\"", -+ u.err, &u.url); -+ } -+ -+ return NGX_ERROR; -+ } -+ -+ rec = ngx_array_push_n(&r->connections, u.naddrs); -+ if (rec == NULL) { -+ return NGX_ERROR; -+ } -+ -+ ngx_memzero(rec, u.naddrs * sizeof(ngx_resolver_connection_t)); -+ -+ for (j = 0; j < u.naddrs; j++) { -+ rec[j].sockaddr = u.addrs[j].sockaddr; -+ rec[j].socklen = u.addrs[j].socklen; -+ rec[j].server = u.addrs[j].name; -+ rec[j].resolver = r; -+ } -+ -+ total++; -+ -+#if (NGX_DEBUG) -+ /* -+ * logs with level below NGX_LOG_NOTICE will not be printed -+ * in this early phase -+ */ -+ ngx_conf_log_error(NGX_LOG_NOTICE, cf, 0, -+ "parsed a resolver: \"%V\"", &u.url); -+#endif -+ -+ state = sw_nameserver; -+ } -+ -+ break; -+ -+ case sw_skip: -+ if (buf[i] == CR || buf[i] == LF) { -+ state = sw_nameserver; -+ } -+ -+ break; -+ } -+ -+ i++; -+ } -+ -+ return NGX_OK; -+} -+#endif -+ -+ - ngx_resolver_t * - ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n) - { -@@ -246,6 +445,39 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n) - } - #endif - -+#if !(NGX_WIN32) -+ if (ngx_strncmp(names[i].data, "local=", 6) == 0) { -+ -+ if (ngx_strcmp(&names[i].data[6], "on") == 0) { -+ if (ngx_resolver_read_resolv_conf(cf, r, -+ (u_char *) -+ NGX_RESOLVER_FILE_NAME, -+ sizeof(NGX_RESOLVER_FILE_NAME) -+ - 1) -+ != NGX_OK) -+ { -+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -+ "unable to parse local resolver"); -+ return NULL; -+ } -+ -+ } else if (ngx_strcmp(&names[i].data[6], "off") != 0) { -+ if (ngx_resolver_read_resolv_conf(cf, r, -+ &names[i].data[6], -+ names[i].len - 6) -+ != NGX_OK) -+ { -+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -+ "unable to parse local resolver"); -+ return NULL; -+ } -+ -+ } -+ -+ continue; -+ } -+#endif -+ - ngx_memzero(&u, sizeof(ngx_url_t)); - - u.url = names[i]; diff --git a/ingress-nginx/patches/nginx-1.21.4-reuseport_close_unused_fds.patch b/ingress-nginx/patches/nginx-1.21.4-reuseport_close_unused_fds.patch deleted file mode 100644 index ff4a36fd225..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-reuseport_close_unused_fds.patch +++ /dev/null @@ -1,38 +0,0 @@ -diff --git a/src/core/ngx_connection.c b/src/core/ngx_connection.c ---- a/src/core/ngx_connection.c -+++ b/src/core/ngx_connection.c -@@ -1118,6 +1118,12 @@ ngx_close_listening_sockets(ngx_cycle_t *cycle) - ls = cycle->listening.elts; - for (i = 0; i < cycle->listening.nelts; i++) { - -+#if (NGX_HAVE_REUSEPORT) -+ if (ls[i].fd == (ngx_socket_t) -1) { -+ continue; -+ } -+#endif -+ - c = ls[i].connection; - - if (c) { -diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c ---- a/src/event/ngx_event.c -+++ b/src/event/ngx_event.c -@@ -775,6 +775,18 @@ ngx_event_process_init(ngx_cycle_t *cycle) - - #if (NGX_HAVE_REUSEPORT) - if (ls[i].reuseport && ls[i].worker != ngx_worker) { -+ ngx_log_debug2(NGX_LOG_DEBUG_CORE, cycle->log, 0, -+ "closing unused fd:%d listening on %V", -+ ls[i].fd, &ls[i].addr_text); -+ -+ if (ngx_close_socket(ls[i].fd) == -1) { -+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_socket_errno, -+ ngx_close_socket_n " %V failed", -+ &ls[i].addr_text); -+ } -+ -+ ls[i].fd = (ngx_socket_t) -1; -+ - continue; - } - #endif diff --git a/ingress-nginx/patches/nginx-1.21.4-single_process_graceful_exit.patch b/ingress-nginx/patches/nginx-1.21.4-single_process_graceful_exit.patch deleted file mode 100644 index 2754fc2fe7c..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-single_process_graceful_exit.patch +++ /dev/null @@ -1,75 +0,0 @@ -diff --git a/src/os/unix/ngx_process.c b/src/os/unix/ngx_process.c -index 15680237..12a8c687 100644 ---- a/src/os/unix/ngx_process.c -+++ b/src/os/unix/ngx_process.c -@@ -362,8 +362,15 @@ ngx_signal_handler(int signo, siginfo_t *siginfo, void *ucontext) - break; - - case ngx_signal_value(NGX_RECONFIGURE_SIGNAL): -- ngx_reconfigure = 1; -- action = ", reconfiguring"; -+ if (ngx_process == NGX_PROCESS_SINGLE) { -+ ngx_terminate = 1; -+ action = ", exiting"; -+ -+ } else { -+ ngx_reconfigure = 1; -+ action = ", reconfiguring"; -+ } -+ - break; - - case ngx_signal_value(NGX_REOPEN_SIGNAL): -diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c -index 5817a2c2..f3d58e97 100644 ---- a/src/os/unix/ngx_process_cycle.c -+++ b/src/os/unix/ngx_process_cycle.c -@@ -305,11 +305,26 @@ ngx_single_process_cycle(ngx_cycle_t *cycle) - } - - for ( ;; ) { -+ if (ngx_exiting) { -+ if (ngx_event_no_timers_left() == NGX_OK) { -+ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting"); -+ -+ for (i = 0; cycle->modules[i]; i++) { -+ if (cycle->modules[i]->exit_process) { -+ cycle->modules[i]->exit_process(cycle); -+ } -+ } -+ -+ ngx_master_process_exit(cycle); -+ } -+ } -+ - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, cycle->log, 0, "worker cycle"); - - ngx_process_events_and_timers(cycle); - -- if (ngx_terminate || ngx_quit) { -+ if (ngx_terminate) { -+ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting"); - - for (i = 0; cycle->modules[i]; i++) { - if (cycle->modules[i]->exit_process) { -@@ -320,6 +335,20 @@ ngx_single_process_cycle(ngx_cycle_t *cycle) - ngx_master_process_exit(cycle); - } - -+ if (ngx_quit) { -+ ngx_quit = 0; -+ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, -+ "gracefully shutting down"); -+ ngx_setproctitle("process is shutting down"); -+ -+ if (!ngx_exiting) { -+ ngx_exiting = 1; -+ ngx_set_shutdown_timer(cycle); -+ ngx_close_listening_sockets(cycle); -+ ngx_close_idle_connections(cycle); -+ } -+ } -+ - if (ngx_reconfigure) { - ngx_reconfigure = 0; - ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "reconfiguring"); diff --git a/ingress-nginx/patches/nginx-1.21.4-socket_cloexec.patch b/ingress-nginx/patches/nginx-1.21.4-socket_cloexec.patch deleted file mode 100644 index 8ffe4c16762..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-socket_cloexec.patch +++ /dev/null @@ -1,185 +0,0 @@ -diff --git a/auto/unix b/auto/unix -index 10835f6c..b5b33bb3 100644 ---- a/auto/unix -+++ b/auto/unix -@@ -990,3 +990,27 @@ ngx_feature_test='struct addrinfo *res; - if (getaddrinfo("localhost", NULL, NULL, &res) != 0) return 1; - freeaddrinfo(res)' - . auto/feature -+ -+ngx_feature="SOCK_CLOEXEC support" -+ngx_feature_name="NGX_HAVE_SOCKET_CLOEXEC" -+ngx_feature_run=no -+ngx_feature_incs="#include -+ #include " -+ngx_feature_path= -+ngx_feature_libs= -+ngx_feature_test="int fd; -+ fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);" -+. auto/feature -+ -+ngx_feature="FD_CLOEXEC support" -+ngx_feature_name="NGX_HAVE_FD_CLOEXEC" -+ngx_feature_run=no -+ngx_feature_incs="#include -+ #include -+ #include " -+ngx_feature_path= -+ngx_feature_libs= -+ngx_feature_test="int fd; -+ fd = socket(AF_INET, SOCK_STREAM, 0); -+ fcntl(fd, F_SETFD, FD_CLOEXEC);" -+. auto/feature -diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c -index cd55520c..438e0806 100644 ---- a/src/core/ngx_resolver.c -+++ b/src/core/ngx_resolver.c -@@ -4466,8 +4466,14 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec) - ngx_event_t *rev, *wev; - ngx_connection_t *c; - -+#if (NGX_HAVE_SOCKET_CLOEXEC) -+ s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM | SOCK_CLOEXEC, 0); -+ -+#else - s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM, 0); - -+#endif -+ - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, &rec->log, 0, "TCP socket %d", s); - - if (s == (ngx_socket_t) -1) { -@@ -4494,6 +4500,15 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec) - goto failed; - } - -+#if (NGX_HAVE_FD_CLOEXEC) -+ if (ngx_cloexec(s) == -1) { -+ ngx_log_error(NGX_LOG_ALERT, &rec->log, ngx_socket_errno, -+ ngx_cloexec_n " failed"); -+ -+ goto failed; -+ } -+#endif -+ - rev = c->read; - wev = c->write; - -diff --git a/src/event/ngx_event.h b/src/event/ngx_event.h -index 19fec68..8c2f01a 100644 ---- a/src/event/ngx_event.h -+++ b/src/event/ngx_event.h -@@ -73,6 +73,9 @@ struct ngx_event_s { - /* to test on worker exit */ - unsigned channel:1; - unsigned resolver:1; -+#if (HAVE_SOCKET_CLOEXEC_PATCH) -+ unsigned skip_socket_leak_check:1; -+#endif - - unsigned cancelable:1; - -diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c -index 77563709..5827b9d0 100644 ---- a/src/event/ngx_event_accept.c -+++ b/src/event/ngx_event_accept.c -@@ -62,7 +62,9 @@ ngx_event_accept(ngx_event_t *ev) - - #if (NGX_HAVE_ACCEPT4) - if (use_accept4) { -- s = accept4(lc->fd, &sa.sockaddr, &socklen, SOCK_NONBLOCK); -+ s = accept4(lc->fd, &sa.sockaddr, &socklen, -+ SOCK_NONBLOCK | SOCK_CLOEXEC); -+ - } else { - s = accept(lc->fd, &sa.sockaddr, &socklen); - } -@@ -202,6 +204,16 @@ ngx_event_accept(ngx_event_t *ev) - ngx_close_accepted_connection(c); - return; - } -+ -+#if (NGX_HAVE_FD_CLOEXEC) -+ if (ngx_cloexec(s) == -1) { -+ ngx_log_error(NGX_LOG_ALERT, ev->log, ngx_socket_errno, -+ ngx_cloexec_n " failed"); -+ ngx_close_accepted_connection(c); -+ return; -+ } -+#endif -+ - } - } - -diff --git a/src/event/ngx_event_connect.c b/src/event/ngx_event_connect.c -index c5bb8068..cf33b1d2 100644 ---- a/src/event/ngx_event_connect.c -+++ b/src/event/ngx_event_connect.c -@@ -38,8 +38,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc) - - type = (pc->type ? pc->type : SOCK_STREAM); - -+#if (NGX_HAVE_SOCKET_CLOEXEC) -+ s = ngx_socket(pc->sockaddr->sa_family, type | SOCK_CLOEXEC, 0); -+ -+#else - s = ngx_socket(pc->sockaddr->sa_family, type, 0); - -+#endif -+ -+ - ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pc->log, 0, "%s socket %d", - (type == SOCK_STREAM) ? "stream" : "dgram", s); - -@@ -80,6 +87,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc) - goto failed; - } - -+#if (NGX_HAVE_FD_CLOEXEC) -+ if (ngx_cloexec(s) == -1) { -+ ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno, -+ ngx_cloexec_n " failed"); -+ -+ goto failed; -+ } -+#endif -+ - if (pc->local) { - - #if (NGX_HAVE_TRANSPARENT_PROXY) -diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c -index c4376a5..48e8fa8 100644 ---- a/src/os/unix/ngx_process_cycle.c -+++ b/src/os/unix/ngx_process_cycle.c -@@ -960,6 +1029,9 @@ ngx_worker_process_exit(ngx_cycle_t *cycle) - for (i = 0; i < cycle->connection_n; i++) { - if (c[i].fd != -1 - && c[i].read -+#if (HAVE_SOCKET_CLOEXEC_PATCH) -+ && !c[i].read->skip_socket_leak_check -+#endif - && !c[i].read->accept - && !c[i].read->channel - && !c[i].read->resolver) -diff --git a/src/os/unix/ngx_socket.h b/src/os/unix/ngx_socket.h -index fcc51533..d1eebf47 100644 ---- a/src/os/unix/ngx_socket.h -+++ b/src/os/unix/ngx_socket.h -@@ -38,6 +38,17 @@ int ngx_blocking(ngx_socket_t s); - - #endif - -+#if (NGX_HAVE_FD_CLOEXEC) -+ -+#define ngx_cloexec(s) fcntl(s, F_SETFD, FD_CLOEXEC) -+#define ngx_cloexec_n "fcntl(FD_CLOEXEC)" -+ -+/* at least FD_CLOEXEC is required to ensure connection fd is closed -+ * after execve */ -+#define HAVE_SOCKET_CLOEXEC_PATCH 1 -+ -+#endif -+ - int ngx_tcp_nopush(ngx_socket_t s); - int ngx_tcp_push(ngx_socket_t s); - diff --git a/ingress-nginx/patches/nginx-1.21.4-ssl_cert_cb_yield.patch b/ingress-nginx/patches/nginx-1.21.4-ssl_cert_cb_yield.patch deleted file mode 100644 index 89773c05efa..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-ssl_cert_cb_yield.patch +++ /dev/null @@ -1,64 +0,0 @@ -# HG changeset patch -# User Yichun Zhang -# Date 1451762084 28800 -# Sat Jan 02 11:14:44 2016 -0800 -# Node ID 449f0461859c16e95bdb18e8be6b94401545d3dd -# Parent 78b4e10b4367b31367aad3c83c9c3acdd42397c4 -SSL: handled SSL_CTX_set_cert_cb() callback yielding. - -OpenSSL 1.0.2+ introduces SSL_CTX_set_cert_cb() to allow custom -callbacks to serve the SSL certificiates and private keys dynamically -and lazily. The callbacks may yield for nonblocking I/O or sleeping. -Here we added support for such usage in NGINX 3rd-party modules -(like ngx_lua) in NGINX's event handlers for downstream SSL -connections. - -diff -r 78b4e10b4367 -r 449f0461859c src/event/ngx_event_openssl.c ---- a/src/event/ngx_event_openssl.c Thu Dec 17 16:39:15 2015 +0300 -+++ b/src/event/ngx_event_openssl.c Sat Jan 02 11:14:44 2016 -0800 -@@ -1445,6 +1445,23 @@ ngx_ssl_handshake(ngx_connection_t *c) - return NGX_AGAIN; - } - -+#if OPENSSL_VERSION_NUMBER >= 0x10002000L -+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) { -+ c->read->handler = ngx_ssl_handshake_handler; -+ c->write->handler = ngx_ssl_handshake_handler; -+ -+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ if (ngx_handle_write_event(c->write, 0) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ return NGX_AGAIN; -+ } -+#endif -+ - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - - c->ssl->no_wait_shutdown = 1; -@@ -1558,6 +1575,21 @@ ngx_ssl_try_early_data(ngx_connection_t *c) - return NGX_AGAIN; - } - -+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) { -+ c->read->handler = ngx_ssl_handshake_handler; -+ c->write->handler = ngx_ssl_handshake_handler; -+ -+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ if (ngx_handle_write_event(c->write, 0) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ return NGX_AGAIN; -+ } -+ - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - - c->ssl->no_wait_shutdown = 1; diff --git a/ingress-nginx/patches/nginx-1.21.4-ssl_sess_cb_yield.patch b/ingress-nginx/patches/nginx-1.21.4-ssl_sess_cb_yield.patch deleted file mode 100644 index ac5fe65eb2d..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-ssl_sess_cb_yield.patch +++ /dev/null @@ -1,41 +0,0 @@ -diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c ---- a/src/event/ngx_event_openssl.c -+++ b/src/event/ngx_event_openssl.c -@@ -1446,7 +1446,12 @@ ngx_ssl_handshake(ngx_connection_t *c) - } - - #if OPENSSL_VERSION_NUMBER >= 0x10002000L -- if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) { -+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP -+# ifdef SSL_ERROR_PENDING_SESSION -+ || sslerr == SSL_ERROR_PENDING_SESSION -+# endif -+ ) -+ { - c->read->handler = ngx_ssl_handshake_handler; - c->write->handler = ngx_ssl_handshake_handler; - -@@ -1575,6 +1580,23 @@ ngx_ssl_try_early_data(ngx_connection_t *c) - return NGX_AGAIN; - } - -+#ifdef SSL_ERROR_PENDING_SESSION -+ if (sslerr == SSL_ERROR_PENDING_SESSION) { -+ c->read->handler = ngx_ssl_handshake_handler; -+ c->write->handler = ngx_ssl_handshake_handler; -+ -+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ if (ngx_handle_write_event(c->write, 0) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ return NGX_AGAIN; -+ } -+#endif -+ - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - - c->ssl->no_wait_shutdown = 1; diff --git a/ingress-nginx/patches/nginx-1.21.4-stream_proxy_get_next_upstream_tries.patch b/ingress-nginx/patches/nginx-1.21.4-stream_proxy_get_next_upstream_tries.patch deleted file mode 100644 index cb881f070ca..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-stream_proxy_get_next_upstream_tries.patch +++ /dev/null @@ -1,31 +0,0 @@ -diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h -index 09d2459..de92724 100644 ---- a/src/stream/ngx_stream.h -+++ b/src/stream/ngx_stream.h -@@ -303,4 +303,7 @@ typedef ngx_int_t (*ngx_stream_filter_pt)(ngx_stream_session_t *s, - extern ngx_stream_filter_pt ngx_stream_top_filter; - - -+#define HAS_NGX_STREAM_PROXY_GET_NEXT_UPSTREAM_TRIES_PATCH 1 -+ -+ - #endif /* _NGX_STREAM_H_INCLUDED_ */ -diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c -index 0afde1c..3254ce1 100644 ---- a/src/stream/ngx_stream_proxy_module.c -+++ b/src/stream/ngx_stream_proxy_module.c -@@ -2156,3 +2156,14 @@ ngx_stream_proxy_bind(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) - - return NGX_CONF_OK; - } -+ -+ -+ngx_uint_t -+ngx_stream_proxy_get_next_upstream_tries(ngx_stream_session_t *s) -+{ -+ ngx_stream_proxy_srv_conf_t *pscf; -+ -+ pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module); -+ -+ return pscf->next_upstream_tries; -+} diff --git a/ingress-nginx/patches/nginx-1.21.4-stream_ssl_preread_no_skip.patch b/ingress-nginx/patches/nginx-1.21.4-stream_ssl_preread_no_skip.patch deleted file mode 100644 index e45e9f69a7e..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-stream_ssl_preread_no_skip.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/src/stream/ngx_stream_ssl_preread_module.c b/src/stream/ngx_stream_ssl_preread_module.c -index e3d11fd9..3717b5fe 100644 ---- a/src/stream/ngx_stream_ssl_preread_module.c -+++ b/src/stream/ngx_stream_ssl_preread_module.c -@@ -159,7 +159,7 @@ ngx_stream_ssl_preread_handler(ngx_stream_session_t *s) - - rc = ngx_stream_ssl_preread_parse_record(ctx, p, p + len); - if (rc != NGX_AGAIN) { -- return rc; -+ return rc == NGX_OK ? NGX_DECLINED : rc; - } - - p += len; diff --git a/ingress-nginx/patches/nginx-1.21.4-upstream_pipelining.patch b/ingress-nginx/patches/nginx-1.21.4-upstream_pipelining.patch deleted file mode 100644 index aed80365ad9..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-upstream_pipelining.patch +++ /dev/null @@ -1,23 +0,0 @@ -commit f9907b72a76a21ac5413187b83177a919475c75f -Author: Yichun Zhang (agentzh) -Date: Wed Feb 10 16:05:08 2016 -0800 - - bugfix: upstream: keep sending request data after the first write attempt. - - See - http://mailman.nginx.org/pipermail/nginx-devel/2012-March/002040.html - for more details on the issue. - -diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c -index 69019417..92b7c97f 100644 ---- a/src/http/ngx_http_upstream.c -+++ b/src/http/ngx_http_upstream.c -@@ -2239,7 +2239,7 @@ ngx_http_upstream_send_request_handler(ngx_http_request_t *r, - - #endif - -- if (u->header_sent && !u->conf->preserve_output) { -+ if (u->request_body_sent && !u->conf->preserve_output) { - u->write_event_handler = ngx_http_upstream_dummy_handler; - - (void) ngx_handle_write_event(c->write, 0); diff --git a/ingress-nginx/patches/nginx-1.21.4-upstream_timeout_fields.patch b/ingress-nginx/patches/nginx-1.21.4-upstream_timeout_fields.patch deleted file mode 100644 index 2314ddf801e..00000000000 --- a/ingress-nginx/patches/nginx-1.21.4-upstream_timeout_fields.patch +++ /dev/null @@ -1,112 +0,0 @@ -diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c -index 69019417..2265d8f7 100644 ---- a/src/http/ngx_http_upstream.c -+++ b/src/http/ngx_http_upstream.c -@@ -509,12 +509,19 @@ void - ngx_http_upstream_init(ngx_http_request_t *r) - { - ngx_connection_t *c; -+ ngx_http_upstream_t *u; - - c = r->connection; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http init upstream, client timer: %d", c->read->timer_set); - -+ u = r->upstream; -+ -+ u->connect_timeout = u->conf->connect_timeout; -+ u->send_timeout = u->conf->send_timeout; -+ u->read_timeout = u->conf->read_timeout; -+ - #if (NGX_HTTP_V2) - if (r->stream) { - ngx_http_upstream_init_request(r); -@@ -1626,7 +1633,7 @@ ngx_http_upstream_connect(ngx_http_request_t *r, ngx_http_upstream_t *u) - u->request_body_blocked = 0; - - if (rc == NGX_AGAIN) { -- ngx_add_timer(c->write, u->conf->connect_timeout); -+ ngx_add_timer(c->write, u->connect_timeout); - return; - } - -@@ -1704,7 +1711,7 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r, - if (rc == NGX_AGAIN) { - - if (!c->write->timer_set) { -- ngx_add_timer(c->write, u->conf->connect_timeout); -+ ngx_add_timer(c->write, u->connect_timeout); - } - - c->ssl->handler = ngx_http_upstream_ssl_handshake_handler; -@@ -2022,7 +2029,7 @@ ngx_http_upstream_send_request(ngx_http_request_t *r, ngx_http_upstream_t *u, - - if (rc == NGX_AGAIN) { - if (!c->write->ready || u->request_body_blocked) { -- ngx_add_timer(c->write, u->conf->send_timeout); -+ ngx_add_timer(c->write, u->send_timeout); - - } else if (c->write->timer_set) { - ngx_del_timer(c->write); -@@ -2084,7 +2091,7 @@ ngx_http_upstream_send_request(ngx_http_request_t *r, ngx_http_upstream_t *u, - return; - } - -- ngx_add_timer(c->read, u->conf->read_timeout); -+ ngx_add_timer(c->read, u->read_timeout); - - if (c->read->ready) { - ngx_http_upstream_process_header(r, u); -@@ -3213,7 +3220,7 @@ ngx_http_upstream_send_response(ngx_http_request_t *r, ngx_http_upstream_t *u) - p->cyclic_temp_file = 0; - } - -- p->read_timeout = u->conf->read_timeout; -+ p->read_timeout = u->read_timeout; - p->send_timeout = clcf->send_timeout; - p->send_lowat = clcf->send_lowat; - -@@ -3458,7 +3465,7 @@ ngx_http_upstream_process_upgraded(ngx_http_request_t *r, - } - - if (upstream->write->active && !upstream->write->ready) { -- ngx_add_timer(upstream->write, u->conf->send_timeout); -+ ngx_add_timer(upstream->write, u->send_timeout); - - } else if (upstream->write->timer_set) { - ngx_del_timer(upstream->write); -@@ -3470,7 +3477,7 @@ ngx_http_upstream_process_upgraded(ngx_http_request_t *r, - } - - if (upstream->read->active && !upstream->read->ready) { -- ngx_add_timer(upstream->read, u->conf->read_timeout); -+ ngx_add_timer(upstream->read, u->read_timeout); - - } else if (upstream->read->timer_set) { - ngx_del_timer(upstream->read); -@@ -3664,7 +3671,7 @@ ngx_http_upstream_process_non_buffered_request(ngx_http_request_t *r, - } - - if (upstream->read->active && !upstream->read->ready) { -- ngx_add_timer(upstream->read, u->conf->read_timeout); -+ ngx_add_timer(upstream->read, u->read_timeout); - - } else if (upstream->read->timer_set) { - ngx_del_timer(upstream->read); -diff --git a/src/http/ngx_http_upstream.h b/src/http/ngx_http_upstream.h -index c2f4dc0b..b9eef118 100644 ---- a/src/http/ngx_http_upstream.h -+++ b/src/http/ngx_http_upstream.h -@@ -333,6 +333,11 @@ struct ngx_http_upstream_s { - ngx_array_t *caches; - #endif - -+#define HAVE_NGX_UPSTREAM_TIMEOUT_FIELDS 1 -+ ngx_msec_t connect_timeout; -+ ngx_msec_t send_timeout; -+ ngx_msec_t read_timeout; -+ - ngx_http_upstream_headers_in_t headers_in; - - ngx_http_upstream_resolved_t *resolved; diff --git a/lua-resty-core.yaml b/lua-resty-core.yaml index ca9fbe2674b..84e74b04ac1 100644 --- a/lua-resty-core.yaml +++ b/lua-resty-core.yaml @@ -1,7 +1,7 @@ package: name: lua-resty-core - version: 0.1.17 - epoch: 0 + version: 0.1.23 + epoch: 4 description: "lua-resty-core - New FFI-based Lua API for ngx_http_lua_module and/or ngx_stream_lua_module" copyright: - license: BSD @@ -16,16 +16,20 @@ environment: - ca-certificates-bundle - build-base - luajit + - automake pipeline: - uses: fetch with: uri: https://github.com/openresty/lua-resty-core/archive/v${{package.version}}.tar.gz - expected-sha256: 8f5f76d2689a3f6b0782f0a009c56a65e4c7a4382be86422c9b3549fe95b0dc4 + expected-sha256: efd6b51520429e64b1bcc10f477d370ebed1631c190f7e4dc270d959a743ad7d - - uses: autoconf/make + - runs: | + export LUAJIT_LIB=/usr/lib + export LUA_LIB_DIR="$LUAJIT_LIB/lua" + export LUAJIT_INC=/usr/include/luajit-2.1 - - uses: autoconf/make-install + make DESTDIR=${{targets.destdir}} install update: enabled: false