Commit Graph

463 Commits

Author SHA1 Message Date
Dee Anzorge
f124c73686 nginx: change etags for statically compressed files served from store
Per RFC 9110, [section 8.8.1][1], different representations of the same
resource should have different Etags:

> A strong validator is unique across all versions of all
> representations associated with a particular resource over time.
> However, there is no implication of uniqueness across representations
> of different resources (i.e., the same strong validator might be in
> use for representations of multiple resources at the same time and
> does not imply that those representations are equivalent)

When serving statically compressed files (i.e., when there is an existing
corresponding .gz/.br/etc. file on disk), Nginx sends the Etag marked
as strong. These tags should be different for each compressed format
(as shown in an explicit example in section [8.8.3.3][2] of the RFC).
Upstream Etags are composed of the file modification timestamp and
content length, and the latter generally changes between these
representations.

Previous implementation of Nix-specific Etags for things served from
store used the store hash. This is fine to share between different
files, but it becomes a problem for statically compressed versions of
the same file, as it means Nginx was serving different representations
of the same resource with the same Etag, marked as strong.

This patch addresses this by imitating the upstream Nginx behavior, and
appending the value of content length to the store hash.

[1]: https://www.rfc-editor.org/rfc/rfc9110.html#name-validator-fields
[2]: https://www.rfc-editor.org/rfc/rfc9110.html#name-example-entity-tags-varying
2024-01-13 22:07:50 +01:00
Izorkin
10c06cb060
nginx: enable ktls support by default 2024-01-01 12:02:57 +03:00
Ryan Lahfa
b41904b923
Merge pull request #277449 from SuperSandro2000/moreheaders
nginxModules.moreheaders: 0.33 -> 0.36; adopt
2023-12-31 21:35:16 +01:00
Ryan Lahfa
d07fb6a75c
Merge pull request #263496 from poscat0x04/nginx-lua-resty
nginxModules.{lua,lua-upstream}: switch to luajit_openresty
2023-12-31 21:32:58 +01:00
Sandro Jäckel
d4492ac0f2
nginxModules.moreheaders: 0.33 -> 0.36; adopt 2023-12-29 03:37:35 +01:00
Ryan Lahfa
c6b9fb41c1
Merge pull request #271522 from kristoff3r/nginx-zstd-0-1-1
nginxModules.zstd: 0.1.0 -> 0.1.1
2023-12-24 03:52:40 +01:00
Robin Gloster
b5556f2c37
Merge pull request #268109 from helsinki-systems/helsinki-maintainer-team
maintainers/teams: init and add helsinki-systems
2023-12-20 11:43:29 +01:00
Izorkin
86efccfa45
angie: init at 1.4.0 2023-12-17 22:43:13 +03:00
Izorkin
00cb53de4f
nginx: fix nginx binary pathname 2023-12-17 16:51:29 +03:00
Kristoffer Søholm
6c19bd6631 nginxModules.zstd: 0.1.0 -> 0.1.1 2023-12-01 21:06:38 +01:00
ajs124
7b6580dba4 maintainers/teams: init and add helsinki-systems 2023-11-30 19:11:08 +01:00
Weijia Wang
add7a091c6 nginx: fix build on darwin 2023-11-18 17:01:10 +01:00
Artturi
2d3a5c7ddb
Merge pull request #262254 from Artturin/nginxsandboxrem 2023-10-31 18:39:55 +02:00
Martin Weinelt
e4f4ef7ce8
Merge pull request #263793 from fleaz/update_nginx-videothumb
nginxModules.videothumb-extractor: unstable -> 1.0.0 and switch to ffmpeg-headless
2023-10-28 17:46:01 +02:00
fleaz
55e29313dc
nginxModules: Switch from ffmpeg to ffmpeg-headless 2023-10-27 16:05:30 +02:00
fleaz
87338f90d4
nginxModules.video-thumbextractor: 92b8064 -> 1.0.0
Diff:
92b8064...e81f850
2023-10-27 16:05:29 +02:00
fleaz
f2efd2e9bc
nginxModules.vod: Patch MAX_CLIPS variable
The old limit was only 128 and this breaks some applications like e.g.
Frigate where playlists become bigger than that. According to upstream
you should just change the variable yourself if needed.

See this issue: https://github.com/kaltura/nginx-vod-module/issues/238
2023-10-26 23:21:32 +02:00
fleaz
30c49cdd91
nginxModules.vod: 1.31 -> 1.32
Changelog: https://github.com/kaltura/nginx-vod-module/compare/1.31...1.32
2023-10-26 23:20:08 +02:00
poscat
0c50d6ec92
nginxModules.{lua,lua-upstream}: switch to luajit_openresty 2023-10-26 10:12:37 +08:00
Maximilian Bosch
4df6cc87b5
Merge pull request #263304 from trofi/nginxMainline-update
nginxMainline: 1.25.2 -> 1.25.3
2023-10-25 19:15:31 +02:00
Sergei Trofimovich
4ca546d75e nginxMainline: 1.25.2 -> 1.25.3
Changes: https://nginx.org/en/CHANGES
2023-10-25 09:58:14 +01:00
Mario Rodas
10fad9387a
Merge pull request #257336 from trofi/nginxModules.http_proxy_connect_module-update
nginxModules.http_proxy_connect_module_v{24,25}: new modules for up t…
2023-10-23 18:35:50 -05:00
Artturin
d3234553aa nixosTests.nginx-sandbox: remove broken test and move the sandboxing test to the openresty test
nginx lua needs resty

the enableSandbox option of nginx was removed in 535896671b

the test fails with

```
vm-test-run-nginx-sandbox> machine # [   47.753580] nginx[1142]: nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
vm-test-run-nginx-sandbox> machine # [   47.756064] nginx[1142]: nginx: [alert] failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: module 'resty.core' not found:
vm-test-run-nginx-sandbox> machine # [   57.911766] systemd[1]: Failed to start Nginx Web Server.
```
2023-10-23 06:09:45 +03:00
Ryan Lahfa
76d4d2e76b
Merge pull request #262329 from SuperSandro2000/nginx-zstd-0-1-0 2023-10-22 00:59:19 +01:00
Ryan Lahfa
c5442c247f
Merge pull request #257262 from dongcarl/2023-09-nginx-fixes
nixos/nginx: Allow empty port for listen directive (for unix socket)
2023-10-21 17:26:57 +01:00
Sandro Jäckel
479739b03e
nginxModules.zstd: 25d88c262be47462cf90015ee7ebf6317b6848f9 -> 0.1.0 2023-10-20 18:03:37 +02:00
Artturi
9c30003e04
Merge pull request #258652 from trofi/nginx-install-manpages 2023-10-20 12:37:26 +03:00
Carl Dong
e5c2c71280 nixos/nginx: Allow empty port for listen directive
When listening on unix sockets, it doesn't make sense to specify a port
for nginx's listen directive.

Since nginx defaults to port 80 when the port isn't specified (but the
address is), we can change the default for the option to null as well
without changing any behaviour.
2023-10-09 21:16:03 -04:00
Sergei Trofimovich
c814bbda40 nginx: add missing nginx.8 manpage
Without the change "man nginx" does not render any synopsis.

Closes: https://github.com/NixOS/nixpkgs/issues/258658
2023-10-08 08:07:19 +01:00
Sergei Trofimovich
c8a23dd807 nginxModules.http_proxy_connect_module_v{18,19}: drop old broken modules
The modules are failing assertions when they are built against `nginx`
versions in `nixpkgs`.
2023-09-27 18:56:06 +01:00
Sergei Trofimovich
1b95937767 nginxModules.http_proxy_connect_module_v{24,25}: new modules for up to date nginx 2023-09-25 22:03:02 +01:00
WilliButz
d49a4c10ce
nginxModules.njs: 0.7.10 -> 0.8.1 2023-09-19 14:37:19 +02:00
Izorkin
f4e49466ef
nginxMainline: 1.25.1 -> 1.25.2 2023-08-16 16:09:52 +03:00
squalus
d29b49f39b nginxModules.set-misc: 0.32 -> 0.33 2023-08-07 11:12:59 -07:00
h7x4
ecb40c69d8
nixos/nginx: sort test include order alphabetically 2023-07-28 20:30:43 +02:00
h7x4
25b7b82ee0
nixos/nginx: add test for status page 2023-07-28 20:29:09 +02:00
Raito Bezarius
6d563b70b4 nginx: remove unactive maintainers and add raitobezarius as a maintainer
Removed maintainers who do not maintain NGINX anymore for the last year at least.
Added myself as I use it actively.
2023-07-21 21:12:21 +02:00
Franz Pletz
6a4b949a95
nginxMainline: 1.25.0 -> 1.25.1 2023-06-21 13:47:28 +02:00
Sandro Jäckel
819289b1e5
nginxModules.zstd: add SuperSandro2000 as maintainer 2023-05-29 20:41:08 +02:00
Sandro Jäckel
0000007dcc
nginxModules.vts: 0.2.1 -> 0.2.2, add SuperSandro2000 as maintainer 2023-05-29 20:40:50 +02:00
Raito Bezarius
69bb0f94de nixos/nginx: first-class PROXY protocol support
PROXY protocol is a convenient way to carry information about the
originating address/port of a TCP connection across multiple layers of
proxies/NAT, etc.

Currently, it is possible to make use of it in NGINX's NixOS module, but
is painful when we want to enable it "globally".
Technically, this is achieved by reworking the defaultListen options and
the objective is to have a coherent way to specify default listeners in
the current API design.
See `mkDefaultListenVhost` and `defaultListen` for the details.

It adds a safeguard against running a NGINX with no HTTP listeners (e.g.
only PROXY listeners) while asking for ACME certificates over HTTP-01.

An interesting use case of PROXY protocol is to enable seamless IPv4 to
IPv6 proxy with origin IPv4 address for IPv6-only NGINX servers; it is
demonstrated how to achieve this in the tests, using sniproxy.

Finally, the tests cover:

- NGINX `defaultListen` mechanisms are not broken by these changes;
- NGINX PROXY protocol listeners are working in a final use case
  (sniproxy);
- uses snakeoil TLS certs from ACME setup with wildcard certificates;

In the future, it is desirable to spoof-attack NGINX in this scenario to
ascertain that `set_real_ip_from` and all the layers are working as
intended and preventing any user from setting their origin IP address to
any arbitrary value, opening up the NixOS module to bad™ vulnerabilities.

For now, it is quite hard to achieve while being minimalistic about the
tests dependencies.
2023-05-26 19:48:26 +02:00
Sandro
c898813431
Merge pull request #233029 from jlamur/nginx-spnego-build-fix
nginx: fix build of module spnego-http-auth
2023-05-24 21:54:24 +02:00
ajs124
27d53b81cc nginxQuic: share src and version with nginxMainline
quic support was merged
still a separate package, because it uses quictls
and sets configureFlags
2023-05-23 18:37:54 +02:00
ajs124
91ecb7d7ff nginxMainline: 1.24.0 -> 1.25.0 2023-05-23 18:28:04 +02:00
Martin Weinelt
9d0bbc2c12
nginxModules.secure-token: 2020-08-28 -> 1.5 2023-05-22 16:29:55 +02:00
Martin Weinelt
2c1cc78307
nginxModules.vod: 1.29 -> 1.31 2023-05-22 16:29:55 +02:00
Jules Lamur
dcb2cc849e
nginx: fix build of module spnego-http-auth 2023-05-20 16:12:04 +02:00
zowoq
9f8b8befcf nginxModules.zstd: add missing meta 2023-05-04 20:21:37 +10:00
Sandro
7a4d8131fa
Merge pull request #208161 from SuperSandro2000/nginx-modules-meta
nginx: add meta section to modules
2023-05-04 00:59:20 +02:00
Sandro Jäckel
50b8c237b7
nginx: move aliases behind config.allowAliases 2023-04-28 21:38:43 +02:00