authorPeter Stadler <peter.stadler@student.uibk.ac.at>2020-05-21 20:21:59 +0200
committerPeter Stadler <peter.stadler@student.uibk.ac.at>2020-07-25 17:36:28 +0200
commit3603f50fd5951df5317bcff97c3f07853d3ff08a (patch)
treeb0caa5b54dca5eb51e5622e49c0878a7b77cc546 /net/nginx/files
parentc260f2f29404b4370eebe565667cb182bd0deabe (diff)
nginx: enable ssl for all variants and remove nginx-util w/o ssl
Make the plain nginx version the same as nginx-ssl. In a further change we will replace nginx by a dummy package, depending on +nginx-ssl instead. This allows a smooth upgrade. For nginx-util leave the ssl and the ssl-nopcre versions only. For nginx-mod-luci remove the duplicate ssl version. Replace the removed packages by dummies for a smooth upgrade. The dummy packages will be removed after a transition period. Additionally, enable the http2 module for nginx-ssl by default and clean up the nginx.init file. Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
Diffstat (limited to 'net/nginx/files')
-rwxr-xr-xnet/nginx/files/README.sh83
-rw-r--r--net/nginx/files/_lan.conf12
-rw-r--r--net/nginx/files/_redirect2ssl.conf1
-rw-r--r--net/nginx/files/nginx.init50
4 files changed, 70 insertions, 76 deletions
diff --git a/net/nginx/files/README.sh b/net/nginx/files/README.sh
index 6227e6613..2fde1f9ab 100755
--- a/net/nginx/files/README.sh
+++ b/net/nginx/files/README.sh
@@ -40,11 +40,10 @@ for further reading.
* There is a ''${LAN_NAME}.conf'' containing a default server for the LAN, \
which includes all ''*.locations''.
* We can disable parts of the configuration by renaming them.
- * If we want to install other servers that are also reachable from the LAN, \
- we can include the ''${LAN_LISTEN}'' file (or ''${LAN_SSL_LISTEN}'' for \
- HTTPS servers).
- * If Nginx is installed with SSL support, we have a server \
-in ''_redirect2ssl.conf'' that redirects inexistent URLs to HTTPS, too.
+ * If we want to install other HTTPS servers that are also reachable locally, \
+ we can include the ''${LAN_SSL_LISTEN}'' file.
+ * We have a server in ''_redirect2ssl.conf'' that redirects inexistent URLs \
+ to HTTPS, too.
* We can create a self-signed certificate and add corresponding directives \
to e.g. ''${EXAMPLE_COM}.conf'' by invoking \
<code>$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} ${EXAMPLE_COM}</code>
@@ -57,7 +56,7 @@ to e.g. ''${EXAMPLE_COM}.conf'' by invoking \
We modify the configuration by creating different configuration files in the
''${CONF_DIR}'' directory.
The configuration files use the file extensions ''.locations'' and
-''.conf'' (plus ''.crt'' and ''.key'' for Nginx with SSL).
+''.conf'' plus ''.crt'' and ''.key'' for SSL certificates and keys.
We can disable single configuration parts by giving them another extension,
e.g., by adding ''.disabled''.
For the new configuration to take effect, we must reload it by:
@@ -95,14 +94,14 @@ All location blocks in all ''.locations'' files must use different URLs,
since they are all included in the ''${LAN_NAME}.conf'' that is part of the
[[#openwrt_s_defaults|OpenWrt’s Defaults]].
We reserve the ''location /'' for making LuCI available under the root URL,
-e.g. [[http://192.168.1.1/|192.168.1.1/]].
+e.g. [[https://192.168.1.1/|192.168.1.1/]].
All other sites shouldn’t use the root ''location /'' without suffix.
We can make other sites available on the root URL of other domain names, e.g.
on www.example.com/.
In order to do that, we create a ''.conf'' file for every domain name:
see the next section [[#new_server_parts|New Server Parts]].
-For Nginx with SSL we can also activate SSL there, as described below in the
-section [[#ssl_server_parts|SSL Server Parts]].
+We can also activate SSL there, as described below in the section
+[[#ssl_server_parts|SSL Server Parts]].
We use such server parts also for publishing sites to the internet (WAN)
instead of making them available just in the LAN.
@@ -139,26 +138,11 @@ the LAN by default.
Then the site is reachable under the same path at both domains, e.g., by
http://192.168.1.1/ex/am/ple as well as by http://example.com/ex/am/ple.
-The [[#openwrt_s_defaults|OpenWrt’s Defaults]] include a ''${LAN_NAME}.conf''
-file containing a server part that listens on the LAN address(es) and acts as
-//default_server//.
-For making the domain name accessible in the LAN, too, the corresponding
-server part must listen **explicitly** on the local IP address(es), cf. the
-official documentation on
-[[https://nginx.org/en/docs/http/request_processing.html|request_processing]].
-We can include the file ''${LAN_LISTEN}'' that contains the listen
-directives for all LAN addresses on the HTTP port 80 and is automatically
-updated.
-
-The following example is a simple template, see
-[[https://github.com/search?q=repo%3Aopenwrt%2Fpackages
-+include+${LAN_LISTEN}+extension%3Aconf&type=Code|
-such server parts of other packages]], too:
+The following example is a simple template:
<code nginx ${CONF_DIR}${EXAMPLE_COM}.conf>
server {
listen 80;
listen [::]:80;
- include '${LAN_LISTEN}';
server_name ${EXAMPLE_COM};
# location / { … } # root location for this server.
include '${CONF_DIR}${EXAMPLE_COM}.locations';
@@ -180,19 +164,23 @@ we only have to adjust the listen directives by adding the //ssl// parameter,
see the official documentation for
[[https://nginx.org/en/docs/http/configuring_https_servers.html|
configuring HTTPS servers]], too.
-For making the domain available also in the LAN, we can include the file
-''${LAN_SSL_LISTEN}'' that contains the listen directives with ssl
-parameter for all LAN addresses on the HTTPS port 443 and is automatically
-updated.
+
+The [[#openwrt_s_defaults|OpenWrt’s Defaults]] include a ''${LAN_NAME}.conf''
+file containing a server part that listens on the LAN address(es) and acts as
+//default_server// with ssl on port 443.
+For making the domain name accessible in the LAN, too, the corresponding
+server part must listen **explicitly** on the local IP address(es), cf. the
+official documentation on
+[[https://nginx.org/en/docs/http/request_processing.html|request_processing]].
+We can include the file ''${LAN_SSL_LISTEN}'' that contains the listen
+directives with ssl parameter for all LAN addresses on the HTTP port 443 and is
+updated automatically.
The official documentation of the SSL module contains an
[[https://nginx.org/en/docs/http/ngx_http_ssl_module.html#example|
example]],
which includes some optimizations.
-The following template is extended similarly, see also
-[[https://github.com/search?q=repo%3Aopenwrt%2Fpackages
-+include+${LAN_SSL_LISTEN}+extension%3Aconf&type=Code|
-other packages providing SSL server parts]]:
+The following template is extended similarly:
<code nginx ${CONF_DIR}${EXAMPLE_COM}>
server {
listen 443 ssl;
@@ -271,35 +259,22 @@ We can install the location parts of different sites there (see above in the
This is needed especially for making them available to the WAN as described
above in the section [[#new_server_parts|New Server Parts]].
All ''.locations'' become available on the LAN through the file
-''$(basename ${LAN_LISTEN}).default'', which contains one of the following
+''$(basename ${LAN_SSL_LISTEN}).default'', which contains one of the following
directives for every local IP address:
<code nginx>
- listen IPv4:80 default_server;
- listen [IPv6]:80 default_server;
+ listen IPv4:443 ssl default_server;
+ listen [IPv6]:443 ssl default_server;
</code>
-The ''${LAN_LISTEN}'' file contains the same directives without the
+The ''${LAN_SSL_LISTEN}'' file contains the same directives without the
parameter ''default_server''.
We can include this file in other server parts that should be reachable in the
LAN through their //server_name//.
-Both files ''${LAN_LISTEN}{,.default}'' are (re-)created if Nginx starts
+Both files ''${LAN_SSL_LISTEN}{,.default}'' are (re-)created if Nginx starts
through its init for OpenWrt or the LAN interface changes.
-=== Additional Defaults for OpenWrt if Nginx is installed with SSL support ===
-
-When Nginx is installed with SSL support, there will be automatically managed
-files ''$(basename ${LAN_SSL_LISTEN}).default'' and
-''$(basename ${LAN_SSL_LISTEN})'' in the directory
-''$(dirname ${LAN_SSL_LISTEN})/'' containing the following directives for all
-IPv4 and IPv6 addresses of the LAN:
-<code nginx>
- listen IP:443 ssl; # with respectively without: default_server
-</code>
-Both files as well as the ''${LAN_LISTEN}{,.default}'' files are (re-)created
-if Nginx starts through its init for OpenWrt or the LAN interface changes.
-
-For Nginx with SSL there is also the following server part that redirects
-requests for an inexistent ''server_name'' from HTTP to HTTPS (using an invalid
-name, more in the official documentation on
+There is also the following server part that redirects requests for an
+inexistent ''server_name'' from HTTP to HTTPS (using an invalid name, more in
+the official documentation on
[[https://nginx.org/en/docs/http/request_processing.html|request_processing]]):
$(code ${CONF_DIR}_redirect2ssl.conf)
diff --git a/net/nginx/files/_lan.conf b/net/nginx/files/_lan.conf
index d44871f3c..2aec00151 100644
--- a/net/nginx/files/_lan.conf
+++ b/net/nginx/files/_lan.conf
@@ -1,8 +1,12 @@
# default_server for the LAN addresses getting the IPs by:
# ifstatus lan | jsonfilter -e '@["ipv4-address","ipv6-address"].*.address'
server {
- include '/var/lib/nginx/lan.listen.default';
- server_name _lan;
- # access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout).
- include conf.d/*.locations;
+ server_name _lan;
+ include '/var/lib/nginx/lan_ssl.listen.default';
+ ssl_certificate '/etc/nginx/conf.d/_lan.crt';
+ ssl_certificate_key '/etc/nginx/conf.d/_lan.key';
+ ssl_session_cache 'shared:SSL:32k';
+ ssl_session_timeout '64m';
+ # access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout).
+ include conf.d/*.locations;
}
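Review bot: The rewritten default server terminates TLS with only `ssl_certificate`/`ssl_certificate_key` and the two session-cache lines; there is no `ssl_protocols` or `ssl_ciphers` directive, so whatever defaults this nginx build ships with apply to the LAN listener. A one-line comment would make that an explicit decision rather than an omission, e.g. `# ssl_protocols/ssl_ciphers: build defaults apply; tighten here if the LAN needs a stricter policy.`. The certificate and key paths are hard-coded to `/etc/nginx/conf.d/` while README.sh and nginx.init refer to the same directory as `${CONF_DIR}`; a short comment saying where these two files are expected to come from (presumably the `${ADD_SSL_FCT}` helper the README mentions, which is not part of this diff) would save the next reader a search.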
diff --git a/net/nginx/files/_redirect2ssl.conf b/net/nginx/files/_redirect2ssl.conf
index cfae48707..1877f0287 100644
--- a/net/nginx/files/_redirect2ssl.conf
+++ b/net/nginx/files/_redirect2ssl.conf
@@ -2,7 +2,6 @@
server {
listen 80;
listen [::]:80;
- include '/var/lib/nginx/lan.listen';
server_name _redirect2ssl;
return 302 https://$host$request_uri;
}
diff --git a/net/nginx/files/nginx.init b/net/nginx/files/nginx.init
index fa189931c..56d1a000c 100644
--- a/net/nginx/files/nginx.init
+++ b/net/nginx/files/nginx.init
@@ -5,54 +5,70 @@ START=80
USE_PROCD=1
+G_OPTS="daemon off;"
+
NGINX_UTIL="/usr/bin/nginx-util"
eval $("${NGINX_UTIL}" get_env)
-start_service() {
+CONF=""
+
+
+nginx_init() {
+ [ -z "${CONF}" ] || return # already called.
+
[ -d /var/log/nginx ] || mkdir -p /var/log/nginx
[ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx
${NGINX_UTIL} init_lan
+ CONF="${NGINX_CONF}"
+
+ local message
+ message="$(/usr/sbin/nginx -t -c "${CONF}" -g "${G_OPTS}" 2>&1)" ||
+ {
+ echo -e "${message}" | logger -t "nginx_init" -p "daemon.err"
+ logger -s -t "nginx_init" -p "daemon.err" "NOT using conf file!"
+ echo "show config to be used by: nginx -T -c '${CONF}'" >&2
+ exit 1
+ }
+
+ logger -t "nginx_init" -p "daemon.info" "using ${CONF} (the test is ok)"
+}
+
+
+start_service() {
+ nginx_init
+
procd_open_instance
- procd_set_param command /usr/sbin/nginx -c "${NGINX_CONF}" \
- -g "daemon off;"
+ procd_set_param command /usr/sbin/nginx -c "${CONF}" -g "${G_OPTS}"
procd_set_param stdout 1
procd_set_param stderr 1
- procd_set_param file "${LAN_LISTEN}" "${LAN_LISTEN}.default" \
- "${NGINX_CONF}" "${CONF_DIR}*.conf" "${CONF_DIR}*.locations"
- [ "${LAN_SSL_LISTEN}" == "" ] \
- || procd_append_param file "${CONF_DIR}*.crt" "${CONF_DIR}*.key" \
- "${LAN_SSL_LISTEN}" "${LAN_SSL_LISTEN}.default"
+ procd_set_param file "${CONF}" "${CONF_DIR}*.crt" "${CONF_DIR}*.key" \
+ "${CONF_DIR}*.conf" "${CONF_DIR}*.locations"
procd_set_param respawn
procd_close_instance
}
-stop_service() {
- rm -f "${LAN_LISTEN}" "${LAN_LISTEN}.default"
- [ "${LAN_SSL_LISTEN}" == "" ] \
- || rm -f "${LAN_SSL_LISTEN}" "${LAN_SSL_LISTEN}.default"
-}
service_triggers() {
procd_add_reload_interface_trigger loopback
procd_add_reload_interface_trigger lan
}
-reload_service() {
- [ -d /var/log/nginx ] || mkdir -p /var/log/nginx
- [ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx
- ${NGINX_UTIL} init_lan
+reload_service() {
+ nginx_init
procd_send_signal nginx
}
+
relog() {
[ -d /var/log/nginx ] || mkdir -p /var/log/nginx
procd_send_signal nginx '*' USR1
}
+
EXTRA_COMMANDS="relog"
EXTRA_HELP=" relog Reopen log files (without reloading)"
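Review bot: In `nginx_init` the exit status of `${NGINX_UTIL} init_lan` is not checked, so a failed regeneration of the listen files (presumably what `init_lan` does, given the includes in `_lan.conf`) is only caught indirectly if the following `nginx -t` hits a missing include; a stale-but-present file could pass the test and be served. Consider `${NGINX_UTIL} init_lan || { logger -s -t "nginx_init" -p "daemon.err" "init_lan failed"; exit 1; }` so the failure surfaces with the same logging as the config test. Separately, in the failure branch `echo -e "${message}"` reinterprets backslash sequences in nginx's diagnostic output and is not portable; `printf '%s\n' "${message}" | logger -t "nginx_init" -p "daemon.err"` passes the text through unchanged. The `exit 1` in that branch also ends a `reload` run before `procd_send_signal nginx`, which keeps the running instance on its last good configuration — that is a useful property and deserves a comment on the line, e.g. `# on reload this leaves the running instance untouched`, since it is not obvious from the code.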