
nginx-1.16.1-1

Tomohiro "Tomo-p" KATO 4 years ago
parent
commit
145b0734a8
1 changed files with 266 additions and 56 deletions
  1. 266 56
      n/nginx/nginx-vl.spec

+ 266 - 56
n/nginx/nginx-vl.spec

@@ -1,3 +1,5 @@
+%global nginx_version 1.16.1
+
 # build mod_wsgi
 %bcond_with wsgi
 
@@ -7,7 +9,11 @@
 %else
 %bcond_with geoip
 %endif
+%bcond_without geoip2
+%bcond_without naxsi
 
+%global nginx_modulesdir %{_libdir}/nginx/modules
+%global nginx_modconfdir %{_sysconfdir}/nginx/modules.d
 
 %if "%{_dist_release}" > "vl6"
 %define nginx_user      www-data
@@ -26,8 +32,9 @@
 Summary:        Robust, small and high performance http and reverse proxy server
 Summary(ja):    堅牢・軽量・高性能な HTTP およびリバースプロキシサーバ
 Name:           nginx
-Version:        1.16.0
-Release:        3%{?_dist_release}
+Version:        %{nginx_version}
+# do not reset or decrease.
+Release:        1%{?_dist_release}
 
 Group:          System Environment/Daemons   
 # BSD License (two clause)
@@ -69,9 +76,19 @@ Source2000: lifeeth-mod_wsgi-%{mod_wsgi_version}.tar.bz2
 %define nginx_dav_ext_module_version 3.0.0
 Source2010: https://github.com/arut/nginx-dav-ext-module/archive/v%{nginx_dav_ext_module_version}.tar.gz#/nginx-dav-ext-module-%{nginx_dav_ext_module_version}.tar.gz
 
-%global naxsi_version untagged-afabfc163946baa8036f
-Source2020:  https://github.com/nbs-system/naxsi/archive/untagged-afabfc163946baa8036f.tar.gz#/naxsi-%{naxsi_version}.tar.gz
+%if %{with naxsi}
+%global with_naxsi 1
+%global naxsi_version 0.56
+%global naxsi_srcversion untagged-afabfc163946baa8036f
+Source2020:  https://github.com/nbs-system/naxsi/archive/%{naxsi_srcversion}.tar.gz#/naxsi-%{naxsi_srcversion}.tar.gz
 Source2021:  naxsi_params
+%endif
+
+%if %{with geoip2}
+%global with_geoip2 1
+%global geoip2_version 3.2
+Source2030: https://github.com/leev/ngx_http_geoip2_module/archive/%{geoip2_version}.tar.gz#/ngx_http_geoip2_module-3.2.tar.gz
+%endif
 
 # removes -Werror in upstream build scripts.  -Werror conflicts with
 # -D_FORTIFY_SOURCE=2 causing warnings to turn into errors.
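Review bot: The NAXSI tarball is fetched from a ref named `untagged-afabfc163946baa8036f` while the subpackage is labelled 0.56, and neither it nor the new geoip2 archive has an expected digest recorded in the spec. Unless the build tooling verifies source digests elsewhere, what gets compiled into a WAF module depends on whatever those URLs serve when the sources are fetched. Consider pointing `naxsi_srcversion` at a tagged release or a full commit hash and noting the digest beside each Source line, for example `# sha256: <SHA256_OF_TARBALL>`. The Source2030 fragment also hard-codes the version; `#/ngx_http_geoip2_module-%{geoip2_version}.tar.gz` would keep the local filename in step with `geoip2_version`.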
@@ -96,15 +113,9 @@ BuildRequires:      libnsl2-devel
 BuildRequires:      pcre-devel
 BuildRequires:      zlib-devel
 BuildRequires:      openssl-devel
-BuildRequires:	    gd-devel
-BuildRequires:      perl
-BuildRequires:      perl(ExtUtils::Embed)
 BuildRequires:	    libxml2-devel
 BuildRequires:	    libxslt-devel
 BuildRequires:	    curl-devel
-%if %{with geoip}
-BuildRequires:	    GeoIP-devel
-%endif
 
 Requires:           perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 # for /usr/sbin/useradd
@@ -137,6 +148,7 @@ Nginx [engine x/エンジンX] は Igor Sysoev により開発された以下の
 %package passenger
 Summary: Nginx with mod_passenger support
 Summary(ja): Passenger サポート入りの Nginx 
+Version: %{passenger_version}
 Group: System Environment/Daemons
 BuildRequires: ruby, rubygem-rake
 Requires: ruby, rubygem-rake
@@ -147,7 +159,7 @@ Requires: ruby-rubygems
 BuildRequires: rubygems
 Requires: rubygems
 %endif
-Requires: nginx
+Requires: %{name} = %{nginx_version}
 
 %description passenger
 Nginx [engine x] is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3
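Review bot: `Requires: %{name} = %{nginx_version}` ties the passenger module only to the upstream version, not to the build it was compiled with, and every module subpackage added in the next hunk uses the same form. nginx refuses to load a dynamic module that is not binary compatible with the running binary, so a release bump that changes configure options could leave an older module package installed and the server unable to start. `Requires: %{name} = %{nginx_version}-%{release}` would keep base and modules in lockstep. The geoip subpackage's literal `nginx` could also use `%{name}` like the others.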
@@ -161,8 +173,117 @@ Nginx [engine x/エンジンX] は Igor Sysoev により開発された以下の
  - IMAP/POP3 プロキシサーバ
 このパッケージには Passenger サポートを含んだ nginxサーバが入っています。
 
+%if %{with geoip}
+%package geoip
+Summary:           Nginx HTTP geoip module
+BuildRequires:     GeoIP-devel
+Requires:          nginx = %{nginx_version}
+Requires:          GeoIP
+
+%description geoip
+%{summary}.
+%endif
+
+%package image-filter
+Summary:           Nginx HTTP image filter module
+BuildRequires:     gd-devel
+Requires:          %{name} = %{nginx_version}
+Requires:          gd
+
+%description image-filter
+%{summary}.
+
+%package perl
+Summary:           Nginx HTTP perl module
+BuildRequires:     perl
+BuildRequires:     perl(ExtUtils::Embed)
+Requires:          %{name} = %{nginx_version}
+Requires:          perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+
+%description perl
+%{summary}.
+
+%package xslt-filter
+Summary:           Nginx XSLT module
+BuildRequires:     libxslt-devel
+Requires:          %{name} = %{nginx_version}
+
+%description xslt-filter
+%{summary}.
+
+%package mail
+Summary:           Nginx mail modules
+Requires:          %{name} = %{nginx_version}
+
+%description mail
+%{summary}.
+
+%package stream
+Summary:           Nginx stream modules
+Requires:          %{name} = %{nginx_version}
+
+%description stream
+%{summary}.
+
+%package dav-ext
+Summary:           Nginx dav-ext modules
+Version:           %{nginx_dav_ext_module_version}
+Requires:          %{name} = %{nginx_version}
+
+%description dav-ext
+%{summary}.
+
+%if %{with geoip2}
+%package http-geoip2
+Summary:           Nginx HTTP geoip2 modules
+Version:           %{geoip2_version}
+BuildRequires:     libmaxminddb-devel
+Requires:          %{name} = %{nginx_version}
+
+%description http-geoip2
+%{summary}.
+
+%package stream-geoip2
+Summary:           Nginx stream geoip2 modules
+Version:           %{geoip2_version}
+BuildRequires:     libmaxminddb-devel
+Requires:          %{name} = %{nginx_version}
+Requires:          %{name}-stream = %{nginx_version}
+
+%description stream-geoip2
+%{summary}.
+%endif
+
+%if %{with naxsi}
+%package naxsi
+Summary:           an open-source, high performance, low rules maintenance WAF for NGINX
+Summary(ja):       NGiNXのためのOSS・高パフォーマンス・低メンテナンスコストなWAF
+Version:           %{naxsi_version}
+License:           GPL3
+Requires:          %{name} = %{nginx_version}
+
+%description naxsi
+NAXSI means Nginx Anti XSS & SQL Injection.
+
+ Technically, it is a third party nginx module, available as a package for
+many UNIX-like platforms. This module, by default, reads a small subset of
+simple (and readable) rules containing 99% of known patterns involved in
+website vulnerabilities. For example, <, | or drop are not supposed to be
+part of a URI.
+
+ Being very simple, those patterns may match legitimate queries, it is
+the Naxsi's administrator duty to add specific rules that will whitelist
+legitimate behaviours. The administrator can either add whitelists manually
+by analyzing nginx's error log, or (recommended) start the project with an intensive auto-learning phase that will automatically generate whitelisting
+rules regarding a website's behaviour.
+
+ In short, Naxsi behaves like a DROP-by-default firewall, the only task is
+to add required ACCEPT rules for the target website to work properly.
+%endif
+
+
 %prep
-%setup -q -a 1000 -a 1010 -a 1020 -a 1030 %{?with_wsgi:-a 2000} -a 2010 -a 2020
+%setup -q -a 1000 -a 1010 -a 1020 -a 1030 %{?with_wsgi:-a 2000} -a 2010 %{?with_naxsi:-a 2020} %{?with_geoip2:-a 2030}
 
 %patch0 -p0
 
@@ -195,6 +316,7 @@ CONFIGOPTS="\
     --group=%{nginx_group} \
     --prefix=%{nginx_datadir} \
     --sbin-path=%{_sbindir}/%{name} \
+    --modules-path=%{nginx_modulesdir} \
     --conf-path=%{nginx_confdir}/%{name}.conf \
     --error-log-path=%{nginx_logdir}/error.log \
     --http-log-path=%{nginx_logdir}/access.log \
@@ -209,10 +331,10 @@ CONFIGOPTS="\
     --with-http_v2_module \
     --with-http_realip_module \
     --with-http_addition_module \
-    --with-http_xslt_module \
-    --with-http_image_filter_module \
+    --with-http_xslt_module=dynamic \
+    --with-http_image_filter_module=dynamic \
 %if %{with geoip}
-    --with-http_geoip_module \
+    --with-http_geoip_module=dynamic \
 %endif
     --with-http_sub_module \
     --with-http_dav_module \
@@ -225,10 +347,10 @@ CONFIGOPTS="\
     --with-http_secure_link_module \
     --with-http_degradation_module \
     --with-http_stub_status_module \
-    --with-http_perl_module \
-    --with-mail \
+    --with-http_perl_module=dynamic \
+    --with-mail=dynamic \
     --with-mail_ssl_module \
-    --with-stream \
+    --with-stream=dynamic \
     --with-stream_ssl_preread_module \
     --add-module=ngx-fancyindex-%{ngx_fancyindex_version} \
     --add-module=giom-nginx_accept_language_module-%{nginx_accept_language_module_version} \
@@ -236,8 +358,14 @@ CONFIGOPTS="\
 %if %{with wsgi}
     --add-module=lifeeth-mod_wsgi-%{mod_wsgi_version} \
 %endif
-    --add-module=nginx-dav-ext-module-%{nginx_dav_ext_module_version} \
-    --add-module=naxsi-%{naxsi_version}/naxsi_src \
+    --add-dynamic-module=nginx-dav-ext-module-%{nginx_dav_ext_module_version} \
+%if %{with naxsi}
+    --add-dynamic-module=naxsi-%{naxsi_srcversion}/naxsi_src \
+%endif
+%if %{with geoip2}
+    --add-dynamic-module=ngx_http_geoip2_module-%{geoip2_version} \
+%endif
+    --add-dynamic-module=passenger-%{passenger_version}/src/nginx_module \
 %ifarch i686
     --with-cpu-opt=pentiumpro \
     --with-zlib-asm=pentiumpro \
@@ -246,17 +374,6 @@ CONFIGOPTS="\
 %endif
 "
 
-
-## build with passenger
-./configure \
-    $CONFIGOPTS \
-    --with-cc-opt="%{optflags}" \
-    --add-module=passenger-%{passenger_version}/src/nginx_module
-
-make %{?_smp_mflags} 
-mv objs/nginx objs/nginx.passenger
-
-## build without passenger
 ./configure \
     $CONFIGOPTS \
     --with-cc-opt="%{optflags}"
@@ -271,9 +388,7 @@ find %{buildroot} -type f -name perllocal.pod -exec rm -f {} \;
 find %{buildroot} -type f -empty -exec rm -f {} \;
 find %{buildroot} -type f -exec chmod 0644 {} \;
 find %{buildroot} -type f -name '*.so' -exec chmod 0755 {} \;
-mv  %{buildroot}%{_sbindir}/nginx %{buildroot}%{_sbindir}/nginx.normal
-%{__install} -m 0755 objs/nginx.passenger %{buildroot}%{_sbindir}/
-chmod 0755 %{buildroot}%{_sbindir}/nginx.*
+chmod 0755 %{buildroot}%{_sbindir}/nginx
 %{__install} -p -D -m 0755 %{SOURCE1} %{buildroot}%{_initrddir}/%{name}
 %{__install} -p -D -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
 %{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
@@ -295,6 +410,9 @@ chmod 0755 %{buildroot}%{_sbindir}/nginx.*
 %{__install} -p -m 0644 %{SOURCE103} %{buildroot}%{nginx_webroot}/50x.html
 %{__install} -p -m 0644 %{SOURCE104} %{buildroot}%{nginx_webroot}/404.html
 
+%{__install} -p -d -m 0755 %{buildroot}%{nginx_modulesdir}
+%{__install} -p -d -m 0755 %{buildroot}%{nginx_modconfdir}
+
 %if %{with wsgi}
 %{__install} -p -m 0644 \
     lifeeth-mod_wsgi-%{mod_wsgi_version}/conf/wsgi_vars \
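Review bot: Creating `%{nginx_modconfdir}` is not enough for the modules to load. The page lists the spec as the only changed file, so unless the packaged nginx.conf already has a top-level include for that directory, the `load_module` snippets written further down are never read. If nginx.conf is a noreplace config, upgraded hosts keep their old file either way. A line such as `include /etc/nginx/modules.d/*.conf;` at the top of the main context is needed (path assumed from `%{_sysconfdir}`) and is worth calling out for administrators. The `%if %{with wsgi}` block continues outside this hunk.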
@@ -309,11 +427,47 @@ cp -f gnosek-nginx-upstream-fair-%{upstream_fair_version}/README README.upstream
 cp -f nginx-dav-ext-module-%{nginx_dav_ext_module_version}/LICENSE LICENSE.dav-ext-module
 cp -f nginx-dav-ext-module-%{nginx_dav_ext_module_version}/README.rst README.dav-ext-module.rst
 
+# configuration for dynamic modules
+%if %{with geoip}
+echo 'load_module "%{nginx_modulesdir}/ngx_http_geoip_module.so";' \
+    > %{buildroot}%{nginx_modconfdir}/geoip.conf
+%endif
+echo 'load_module "%{nginx_modulesdir}/ngx_http_image_filter_module.so";' \
+    > %{buildroot}%{nginx_modconfdir}/image-filter.conf
+echo 'load_module "%{nginx_modulesdir}/ngx_http_perl_module.so";' \
+    > %{buildroot}%{nginx_modconfdir}/perl.conf
+echo 'load_module "%{nginx_modulesdir}/ngx_http_xslt_filter_module.so";' \
+    > %{buildroot}%{nginx_modconfdir}/xslt-filter.conf
+echo 'load_module "%{nginx_modulesdir}/ngx_mail_module.so";' \
+    > %{buildroot}%{nginx_modconfdir}/mail.conf
+echo 'load_module "%{nginx_modulesdir}/ngx_stream_module.so";' \
+    > %{buildroot}%{nginx_modconfdir}/stream.conf
+echo 'load_module "%{nginx_modulesdir}/ngx_http_dav_ext_module.so";' \
+    > %{buildroot}%{nginx_modconfdir}/dav-ext.conf
+
+echo 'load_module "%{nginx_modulesdir}/ngx_http_passenger_module.so";' \
+    > %{buildroot}%{nginx_modconfdir}/passenger.conf
+
+%if %{with geoip2}
+# geoip2 module
+cp -f ngx_http_geoip2_module-%{geoip2_version}/LICENSE LICENSE.geoip2
+cp -f ngx_http_geoip2_module-%{geoip2_version}/README.md README.geoip2.md
+echo 'load_module "%{nginx_modulesdir}/ngx_http_geoip2_module.so";' \
+    > %{buildroot}%{nginx_modconfdir}/http-geoip2.conf
+echo 'load_module "%{nginx_modulesdir}/ngx_stream_geoip2_module.so";' \
+    > %{buildroot}%{nginx_modconfdir}/stream-geoip2.conf
+%endif
+
+%if %{with naxsi}
 # NAXSI module
-cp -f naxsi-%{naxsi_version}/LICENSE LICENSE.naxsi
-cp -f naxsi-%{naxsi_version}/README.md README.naxsi.md
-install -p -m0644 naxsi-%{naxsi_version}/naxsi_config/naxsi_core.rules %{buildroot}%{nginx_confdir}/
+cp -f naxsi-%{naxsi_srcversion}/LICENSE LICENSE.naxsi
+cp -f naxsi-%{naxsi_srcversion}/README.md README.naxsi.md
+install -p -m0644 naxsi-%{naxsi_srcversion}/naxsi_config/naxsi_core.rules \
+    %{buildroot}%{nginx_confdir}/
 install -p -m0644 %{SOURCE2021} %{buildroot}%{nginx_confdir}/naxsi_params
+echo 'load_module "%{nginx_modulesdir}/ngx_http_naxsi_module.so";' \
+    > %{buildroot}%{nginx_modconfdir}/naxsi.conf
+%endif
 
 touch %{buildroot}%{nginx_confdir}/conf.d/virtual.conf
 
@@ -328,28 +482,24 @@ done
 %clean
 rm -rf %{buildroot}
 
+%pre
+if [ -L %{_sbindir}/nginx ]; then
+    update-alternatives --remove nginx %{_sbindir}/nginx.normal ||:
+    update-alternatives --remove nginx %{_sbindir}/nginx.passenger ||:
+	rm -f %{_sbindir}/nginx
+fi
+
 %post
 if [ $1 == 1 ]; then
     /sbin/chkconfig --add %{name}
 fi
-update-alternatives --install %{_sbindir}/nginx nginx %{_sbindir}/nginx.normal 20
-
-%post passenger
-update-alternatives --install %{_sbindir}/nginx nginx %{_sbindir}/nginx.passenger 30
 
 %preun
 if [ $1 = 0 ]; then
     /sbin/service %{name} stop >/dev/null 2>&1
     /sbin/chkconfig --del %{name}
-    update-alternatives --remove nginx %{_sbindir}/nginx.normal
-fi
-
-%preun passenger
-if [ $1 = 0 ]; then
-    update-alternatives --remove nginx %{_sbindir}/nginx.passenger
 fi
 
-
 %postun
 if [ $1 == 2 ]; then
     /sbin/service %{name} upgrade || :
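Review bot: The new `%pre` migrates the alternatives symlink, but nothing migrates the modules themselves. xslt, image filter, perl, mail, stream, dav-ext and NAXSI were compiled into 1.16.0-3 and now live in subpackages that an upgrade of the base package does not pull in. A host relying on NAXSI would then either fail its config test on the unknown directives, or run without request filtering once those directives are removed; it is worth confirming which. If the package manager honours it, `Obsoletes: %{name} < 1.16.1-1` in each split-out subpackage is the usual way to carry them across. The tab on the `rm -f` line also differs from the four-space indent around it.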
@@ -357,15 +507,16 @@ fi
 
 %files
 %defattr(-,root,root,-)
-%doc LICENSE CHANGES README LICENSE.dav-ext-module LICENSE.naxsi
+%license LICENSE
+%doc CHANGES README
 %doc README.upstream_fair
-%doc README.dav-ext-module.rst
-%doc README.naxsi.md
 %doc %{?with_wsgi:README.mod_wsgi}
 %{nginx_datadir}/
-%{_sbindir}/%{name}.normal
+%{_sbindir}/%{name}
 %{_mandir}/man3/%{name}.3pm.gz
 %{_initrddir}/%{name}
+%dir %{nginx_modulesdir}
+%dir %{nginx_modconfdir}
 %dir %{nginx_confdir}
 %dir %{nginx_confdir}/conf.d
 %config(noreplace) %{nginx_confdir}/conf.d/*.conf
@@ -393,9 +544,6 @@ fi
 %config(noreplace) %{nginx_confdir}/naxsi_core.rules
 %config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
 %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
-%dir %{perl_vendorarch}/auto/%{name}
-%{perl_vendorarch}/%{name}.pm
-%{perl_vendorarch}/auto/%{name}/%{name}.so
 %attr(-,%{nginx_user},%{nginx_group}) %dir %{nginx_home}
 %attr(-,%{nginx_user},%{nginx_group}) %dir %{nginx_home_tmp}
 %attr(-,%{nginx_user},%{nginx_group}) %dir %{nginx_home_cache}
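Review bot: `%config(noreplace) %{nginx_confdir}/naxsi_core.rules` (first context line of this hunk) is still listed unconditionally in the base `%files`, while this commit moves its install step under `%if %{with naxsi}`. A build with `--without naxsi` would presumably stop with a file-not-found error, and with NAXSI enabled the rule set is owned by the base package rather than by nginx-naxsi, which ships the module. Moving that line into `%files naxsi` keeps the rules and the module together; the same goes for `naxsi_params` if it is listed outside this view. The base `%files` section starts outside this hunk.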
@@ -409,10 +557,72 @@ fi
 %doc passenger-%{passenger_version}/doc/templates
 %doc passenger-%{passenger_version}/doc/users_guide_snippets
 %doc passenger-%{passenger_version}/doc/images
-%{_sbindir}/%{name}.passenger
+%config(noreplace) %{nginx_modconfdir}/passenger.conf
+%{nginx_modulesdir}/ngx_http_passenger_module.so
 
+%if %{with geoip}
+%files geoip
+%config(noreplace) %{nginx_modconfdir}/geoip.conf
+%{nginx_modulesdir}/ngx_http_geoip_module.so
+%endif
+
+%files image-filter
+%config(noreplace) %{nginx_modconfdir}/image-filter.conf
+%{nginx_modulesdir}/ngx_http_image_filter_module.so
+
+%files perl
+%config(noreplace) %{nginx_modconfdir}/perl.conf
+%{nginx_modulesdir}/ngx_http_perl_module.so
+%dir %{perl_vendorarch}/auto/%{name}
+%{perl_vendorarch}/%{name}.pm
+%{perl_vendorarch}/auto/%{name}/%{name}.so
+
+%files xslt-filter
+%config(noreplace) %{nginx_modconfdir}/xslt-filter.conf
+%{nginx_modulesdir}/ngx_http_xslt_filter_module.so
+
+%files mail
+%config(noreplace) %{nginx_modconfdir}/mail.conf
+%{nginx_modulesdir}/ngx_mail_module.so
+
+%files stream
+%config(noreplace) %{nginx_modconfdir}/stream.conf
+%{nginx_modulesdir}/ngx_stream_module.so
+
+%files dav-ext
+%license LICENSE.dav-ext-module
+%doc README.dav-ext-module.rst
+%config(noreplace) %{nginx_modconfdir}/dav-ext.conf
+%{nginx_modulesdir}/ngx_http_dav_ext_module.so
+
+%if %{with geoip2}
+%files http-geoip2
+%license LICENSE.geoip2
+%doc README.geoip2.md
+%{nginx_modulesdir}/ngx_http_geoip2_module.so
+%config(noreplace) %{nginx_modconfdir}/http-geoip2.conf
+
+%files stream-geoip2
+%license LICENSE.geoip2
+%doc README.geoip2.md
+%{nginx_modulesdir}/ngx_stream_geoip2_module.so
+%config(noreplace) %{nginx_modconfdir}/stream-geoip2.conf
+%endif
+
+%if %{with naxsi}
+%files naxsi
+%defattr(-,root,root,-)
+%license LICENSE.naxsi
+%doc README.naxsi.md
+%{nginx_modulesdir}/ngx_http_naxsi_module.so
+%config(noreplace) %{nginx_modconfdir}/naxsi.conf
+%endif
 
 %changelog
+* Sat Aug 24 2019 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.16.1-1
+- updated to 1.16.1.
+- made to install NAXSI as a dynamic module.
+
 * Wed Aug 07 2019 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.16.0-3
 - added NAXSI module.
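Review bot: The 1.16.1-1 changelog entry mentions only NAXSI, but the same commit also moves geoip, image-filter, perl, xslt-filter, mail, stream, dav-ext and passenger to dynamic-module subpackages and adds geoip2. Administrators read this entry to learn what an upgrade changes, so a line such as `- split geoip, image-filter, perl, xslt-filter, mail, stream, dav-ext and passenger into dynamic module subpackages; added geoip2.` would help. Only `%files naxsi` carries `%defattr(-,root,root,-)`; the other new `%files` sections could match it for consistency.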