diff options
| author | Peter Stadler <peter.stadler@student.uibk.ac.at> | 2020-07-23 15:30:45 +0200 |
|---|---|---|
| committer | Peter Stadler <peter.stadler@student.uibk.ac.at> | 2021-01-11 23:08:01 +0100 |
| commit | 5cffe853e694d7eea60cad00c9033d1ad69c0eb5 (patch) | |
| tree | db1c00fb2c76de1c1ee9f07a29e65e35b5c7b818 /net/nginx/files | |
| parent | bd49d481235f15b0c1ede20dfbd15441b27a2caa (diff) | |
nginx: use UCI configuration provided by nginx-util
* update to version 1.19.6
* remove default configuration files and documentation as
they are in the package `nginx-util`.
* do not install a `/etc/nginx/nginx.conf` file.
* use the dynamic `/etc/nginx/uci.conf` if the symlink (to
`/var/lib/nginx/uci.conf`) is not dead after calling
`nginx-util init_lan` (else try `/etc/nginx/nginx.conf`)
* replace nginx package by a dummy depending on `nginx-ssl`;
the dummies will be removed after a transition period.
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
Diffstat (limited to 'net/nginx/files')
| -rwxr-xr-x | net/nginx/files/README.sh | 302 | ||||
| -rw-r--r-- | net/nginx/files/_lan.conf | 12 | ||||
| -rw-r--r-- | net/nginx/files/_redirect2ssl.conf | 7 | ||||
| -rw-r--r-- | net/nginx/files/nginx.conf | 30 | ||||
| -rw-r--r-- | net/nginx/files/nginx.init | 18 |
5 files changed, 10 insertions, 359 deletions
diff --git a/net/nginx/files/README.sh b/net/nginx/files/README.sh deleted file mode 100755 index 2fde1f9ab..000000000 --- a/net/nginx/files/README.sh +++ /dev/null @@ -1,302 +0,0 @@ -#!/bin/sh -# This is a template copy it by: ./README.sh | xclip -selection c -# to https://openwrt.org/docs/guide-user/services/webserver/nginx#configuration - -NGINX_UTIL="/usr/bin/nginx-util" - -EXAMPLE_COM="example.com" - -MSG=" -/* Created by the following bash script that includes the source of some files: - * https://github.com/openwrt/packages/net/nginx/files/README.sh - */" - -eval $("${NGINX_UTIL}" get_env) - -code() { printf "<file nginx %s>\n%s</file>" "$1" "$(cat "$(basename $1)")"; } - -ifConfEcho() { sed -nE "s/^\s*$1=\s*(\S*)\s*\\\\$/\n$2 \"\1\";/p" ../Makefile;} - -cat <<EOF - - - - - -===== Configuration =====${MSG} - - - -The official Documentation contains a -[[https://docs.nginx.com/nginx/admin-guide/|Admin Guide]]. -Here we will look at some often used configuration parts and how we handle them -at OpenWrt. -At different places there are references to the official -[[https://docs.nginx.com/nginx/technical-specs/|Technical Specs]] -for further reading. - -**tl;dr:** The main configuration is a minimal configuration enabling the -''${CONF_DIR}'' directory: - * There is a ''${LAN_NAME}.conf'' containing a default server for the LAN, \ -which includes all ''*.locations''. - * We can disable parts of the configuration by renaming them. - * If we want to install other HTTPS servers that are also reachable locally, \ - we can include the ''${LAN_SSL_LISTEN}'' file. - * We have a server in ''_redirect2ssl.conf'' that redirects inexistent URLs \ - to HTTPS, too. - * We can create a self-signed certificate and add corresponding directives \ -to e.g. ''${EXAMPLE_COM}.conf'' by invoking \ -<code>$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} ${EXAMPLE_COM}</code> - - - -==== Basic ====${MSG} - - -We modify the configuration by creating different configuration files in the -''${CONF_DIR}'' directory. -The configuration files use the file extensions ''.locations'' and -''.conf'' plus ''.crt'' and ''.key'' for SSL certificates and keys. -We can disable single configuration parts by giving them another extension, -e.g., by adding ''.disabled''. -For the new configuration to take effect, we must reload it by: -<code>service nginx reload</code> - -For OpenWrt we use a special initial configuration, which is explained below in -the section [[#openwrt_s_defaults|OpenWrt’s Defaults]]. -So, we can make a site available at a specific URL in the **LAN** by creating a -''.locations'' file in the directory ''${CONF_DIR}''. -Such a file consists just of some -[[https://nginx.org/en/docs/http/ngx_http_core_module.html#location| -location blocks]]. -Under the latter link, you can find also the official documentation for all -available directives of the HTTP core of Nginx. -Look for //location// in the Context list. - -The following example provides a simple template, see at the end for -different [[#locations_for_apps|Locations for Apps]] and look for -[[https://github.com/search?utf8=%E2%9C%93&q=repo%3Aopenwrt%2Fpackages -+extension%3Alocations&type=Code&ref=advsearch&l=&l=| -other packages using a .locations file]], too: -<code nginx ${CONF_DIR}example.locations> -location /ex/am/ple { - access_log off; # default: not logging accesses. - # access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout). - # error_log stderr; # default: logging to logd (init forwards stderr). - error_log /dev/null; # disable error logging after config file is read. - # (state path of a file for access_log/error_log to the file instead.) - index index.html; -} -# location /eg/static { … } -</code> - -All location blocks in all ''.locations'' files must use different URLs, -since they are all included in the ''${LAN_NAME}.conf'' that is part of the -[[#openwrt_s_defaults|OpenWrt’s Defaults]]. -We reserve the ''location /'' for making LuCI available under the root URL, -e.g. [[https://192.168.1.1/|192.168.1.1/]]. -All other sites shouldn’t use the root ''location /'' without suffix. -We can make other sites available on the root URL of other domain names, e.g. -on www.example.com/. -In order to do that, we create a ''.conf'' file for every domain name: -see the next section [[#new_server_parts|New Server Parts]]. -We can also activate SSL there, as described below in the section -[[#ssl_server_parts|SSL Server Parts]]. -We use such server parts also for publishing sites to the internet (WAN) -instead of making them available just in the LAN. - -Via ''.conf'' files we can also add directives to the //http// part of the -configuration. The difference to editing the main ''${NGINX_CONF}'' -file instead is the following: If the package’s ''nginx.conf'' file is updated -it will only be installed if the old file has not been changed. - - - -==== New Server Parts ====${MSG} - - -For making the router reachable from the WAN at a registered domain name, -it is not enough to give the name server the internet IP address of the router -(maybe updated automatically by a -[[docs:guide-user:services:ddns:client|DDNS Client]]). -We also need to set up virtual hosting for this domain name by creating an -appropriate server part in a ''${CONF_DIR}*.conf'' file. -All such files are included at the start of Nginx by the default main -configuration of OpenWrt ''${NGINX_CONF}'' as depicted in -[[#openwrt_s_defaults|OpenWrt’s Defaults]]. - -In the server part, we state the domain as -[[https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name| -server_name]]. -The link points to the same document as for the location blocks in the -[[#basic|Basic Configuration]]: the official documentation for all available -directives of the HTTP core of Nginx. -This time look for //server// in the Context list, too. -The server part should also contain similar location blocks as before. -We can re-include a ''.locations'' file that is included in the server part for -the LAN by default. -Then the site is reachable under the same path at both domains, e.g., by -http://192.168.1.1/ex/am/ple as well as by http://example.com/ex/am/ple. - -The following example is a simple template: -<code nginx ${CONF_DIR}${EXAMPLE_COM}.conf> -server { - listen 80; - listen [::]:80; - server_name ${EXAMPLE_COM}; - # location / { … } # root location for this server. - include '${CONF_DIR}${EXAMPLE_COM}.locations'; -} -</code> - - - -==== SSL Server Parts ====${MSG} - - -We can enable HTTPS for a domain if Nginx is installed with SSL support. -We need a SSL certificate as well as its key and add them by the directives -//ssl_certificate// respective //ssl_certificate_key// to the server part of the -domain. -The rest of the configuration is similar as described in the previous section -[[#new_server_parts|New Server Parts]], -we only have to adjust the listen directives by adding the //ssl// parameter, -see the official documentation for -[[https://nginx.org/en/docs/http/configuring_https_servers.html| -configuring HTTPS servers]], too. - -The [[#openwrt_s_defaults|OpenWrt’s Defaults]] include a ''${LAN_NAME}.conf'' -file containing a server part that listens on the LAN address(es) and acts as -//default_server// with ssl on port 443. -For making the domain name accessible in the LAN, too, the corresponding -server part must listen **explicitly** on the local IP address(es), cf. the -official documentation on -[[https://nginx.org/en/docs/http/request_processing.html|request_processing]]. -We can include the file ''${LAN_SSL_LISTEN}'' that contains the listen -directives with ssl parameter for all LAN addresses on the HTTP port 443 and is -updated automatically. - -The official documentation of the SSL module contains an -[[https://nginx.org/en/docs/http/ngx_http_ssl_module.html#example| -example]], -which includes some optimizations. -The following template is extended similarly: -<code nginx ${CONF_DIR}${EXAMPLE_COM}> -server { - listen 443 ssl; - listen [::]:443 ssl; - include '${LAN_SSL_LISTEN}'; - server_name ${EXAMPLE_COM}; - ssl_certificate '${CONF_DIR}${EXAMPLE_COM}.crt'; - ssl_certificate_key '${CONF_DIR}${EXAMPLE_COM}.key'; - ssl_session_cache ${SSL_SESSION_CACHE_ARG}; - ssl_session_timeout ${SSL_SESSION_TIMEOUT_ARG}; - # location / { … } # root location for this server. - include '${CONF_DIR}${EXAMPLE_COM}.locations'; -} -</code> - -For creating a certificate (and its key) we can use Let’s Encrypt by installing -[[https://github.com/Neilpang/acme.sh|ACME Shell Script]]: -<code>opkg update && opkg install acme # and for LuCI: luci-app-acme</code> - -For the LAN server in the ''${LAN_NAME}.conf'' file, the init script -''/etc/init.d/nginx'' script installs automatically a self-signed certificate. -We can use this mechanism also for other sites by issuing, e.g.: -<code>$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} ${EXAMPLE_COM}</code> - - It adds SSL directives to the server part of \ - ''${CONF_DIR}${EXAMPLE_COM}.conf'' like in the example above. - - Then, it checks if there is a certificate and key for the given domain name\ - that is valid for at least 13 months or tries to create a self-signed one. - - When cron is activated, it installs a cron job for renewing the self-signed\ - certificate every year if needed, too. We can activate cron by: \ - <code>service cron enable && service cron start</code> - -Beside the ''${LAN_NAME}.conf'' file, the -[[#openwrt_s_defaults|OpenWrt’s Defaults]] include also the -''_redirect2ssl.conf'' file containing a server part that redirects all HTTP -request for inexistent URIs to HTTPS. - - - -==== OpenWrt’s Defaults ====${MSG} - - -The default main configuration file is: -$(code ${NGINX_CONF}) - -We can pretend the main configuration contains also the following presets, -since Nginx is configured with them: -<code nginx>$(ifConfEcho --pid-path pid)\ -$(ifConfEcho --lock-path lock_file)\ -$(ifConfEcho --error-log-path error_log)\ -$(false && ifConfEcho --http-log-path access_log)\ -$(ifConfEcho --http-proxy-temp-path proxy_temp_path)\ -$(ifConfEcho --http-client-body-temp-path client_body_temp_path)\ -$(ifConfEcho --http-fastcgi-temp-path fastcgi_temp_path)\ -</code> - -So, the access log is turned off by default and we can look at the error log -by ''logread'', as Nginx’s init file forwards stderr and stdout to the -[[docs:guide-user:base-system:log.essentials|logd]]. -We can set the //error_log// and //access_log// to files where the log -messages are forwarded to instead (after the configuration is read). -And for redirecting the access log of a //server// or //location// to the logd, -too, we insert the following directive in the corresponding block: -<code nginx> - access_log /proc/self/fd/1 openwrt; -</code> - -At the end, the main configuration pulls in all ''.conf'' files from the -directory ''${CONF_DIR}'' into the http block, especially the following -server part for the LAN: -$(code ${CONF_DIR}${LAN_NAME}.conf) - -It pulls in all ''.locations'' files from the directory ''${CONF_DIR}''. -We can install the location parts of different sites there (see above in the -[[#basic|Basic Configuration]]) and re-include them in server parts of other -''${CONF_DIR}*.conf'' files. -This is needed especially for making them available to the WAN as described -above in the section [[#new_server_parts|New Server Parts]]. -All ''.locations'' become available on the LAN through the file -''$(basename ${LAN_SSL_LISTEN}).default'', which contains one of the following -directives for every local IP address: -<code nginx> - listen IPv4:443 ssl default_server; - listen [IPv6]:443 ssl default_server; -</code> -The ''${LAN_SSL_LISTEN}'' file contains the same directives without the -parameter ''default_server''. -We can include this file in other server parts that should be reachable in the -LAN through their //server_name//. -Both files ''${LAN_SSL_LISTEN}{,.default}'' are (re-)created if Nginx starts -through its init for OpenWrt or the LAN interface changes. - -There is also the following server part that redirects requests for an -inexistent ''server_name'' from HTTP to HTTPS (using an invalid name, more in -the official documentation on -[[https://nginx.org/en/docs/http/request_processing.html|request_processing]]): -$(code ${CONF_DIR}_redirect2ssl.conf) - -Nginx’s init file for OpenWrt installs automatically a self-signed certificate -for the LAN server part if needed and possible: - - Everytime Nginx starts, we check if the LAN is set up for SSL. - - We add //ssl*// directives (like in the example of the previous section \ - [[#ssl_server_parts|SSL Server Parts]]) to the configuration file \ - ''${CONF_DIR}${LAN_NAME}.conf'' if needed and if it looks “normal”, i.e., \ - it has a ''server_name ${LAN_NAME};'' part. - - If there is no corresponding certificate that is valid for more than 13 \ - months at ''${CONF_DIR}${LAN_NAME}.{crt,key}'', we create a self-signed one. - - We activate SSL by including the ssl listen directives from \ - ''${LAN_SSL_LISTEN}.default'' and it becomes available by the default \ - redirect from ''listen *:80;'' in ''${CONF_DIR}_redirect2ssl.conf'' - - If cron is available, i.e., its status is not ''inactive'', we use it \ - to check the certificate for validity once a year and renew it if there \ - are only about 13 months of the more than 3 years life time left. - -The points 2, 3 and 5 can be used for other domains, too: -As described in the section [[#new_server_parts|New Server Parts]] above, we -create a server part in ''${CONF_DIR}www.example.com.conf'' with -a corresponding ''server_name www.example.com;'' directive and call -<code>$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} www.example.com</code> -EOF diff --git a/net/nginx/files/_lan.conf b/net/nginx/files/_lan.conf deleted file mode 100644 index 2aec00151..000000000 --- a/net/nginx/files/_lan.conf +++ /dev/null @@ -1,12 +0,0 @@ -# default_server for the LAN addresses getting the IPs by: -# ifstatus lan | jsonfilter -e '@["ipv4-address","ipv6-address"].*.address' -server { - server_name _lan; - include '/var/lib/nginx/lan_ssl.listen.default'; - ssl_certificate '/etc/nginx/conf.d/_lan.crt'; - ssl_certificate_key '/etc/nginx/conf.d/_lan.key'; - ssl_session_cache 'shared:SSL:32k'; - ssl_session_timeout '64m'; - # access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout). - include conf.d/*.locations; -} diff --git a/net/nginx/files/_redirect2ssl.conf b/net/nginx/files/_redirect2ssl.conf deleted file mode 100644 index 1877f0287..000000000 --- a/net/nginx/files/_redirect2ssl.conf +++ /dev/null @@ -1,7 +0,0 @@ -# acts as default server if there is no other. -server { - listen 80; - listen [::]:80; - server_name _redirect2ssl; - return 302 https://$host$request_uri; -} diff --git a/net/nginx/files/nginx.conf b/net/nginx/files/nginx.conf deleted file mode 100644 index da1cbdf42..000000000 --- a/net/nginx/files/nginx.conf +++ /dev/null @@ -1,30 +0,0 @@ -# Please consider creating files in /etc/nginx/conf.d/ instead of editing this. -# For details see https://openwrt.org/docs/guide-user/services/webserver/nginx - -worker_processes auto; - -user root; - -events {} - -http { - access_log off; - log_format openwrt - '$request_method $scheme://$host$request_uri => $status' - ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer'; - - include mime.types; - default_type application/octet-stream; - sendfile on; - - client_max_body_size 128M; - large_client_header_buffers 2 1k; - - gzip on; - gzip_vary on; - gzip_proxied any; - - root /www; - - include conf.d/*.conf; -} diff --git a/net/nginx/files/nginx.init b/net/nginx/files/nginx.init index bedde754a..300a8c657 100644 --- a/net/nginx/files/nginx.init +++ b/net/nginx/files/nginx.init @@ -20,9 +20,13 @@ nginx_init() { [ -d /var/log/nginx ] || mkdir -p /var/log/nginx [ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx + rm -f "$(readlink "${UCI_CONF}")" ${NGINX_UTIL} init_lan - CONF="${NGINX_CONF}" + if [ -e "${UCI_CONF}" ] + then CONF="${UCI_CONF}" + else CONF="${NGINX_CONF}" + fi local message message="$(/usr/sbin/nginx -t -c "${CONF}" -g "${G_OPTS}" 2>&1)" || @@ -51,16 +55,14 @@ start_service() { } -service_triggers() { - procd_add_reload_interface_trigger loopback - procd_add_reload_interface_trigger lan -} - - reload_service() { nginx_init - procd_send_signal nginx + if [ "$(cat "/proc/$(cat "/var/run/nginx.pid")/cmdline")" = \ + "nginx: master process /usr/sbin/nginx -c ${CONF} -g ${G_OPTS}" ] + then procd_send_signal nginx + else restart + fi } |