From 4a4cda503c1ec7bfc661727d883597d47f940c132dc8271ff33e03c56cff20d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=98=D0=BB=D1=8C=D1=8F=20=D0=98=D0=BD=D0=B4=D0=B8=D0=B3?= =?UTF-8?q?=D0=BE?= Date: Sat, 28 Sep 2024 06:43:44 +0000 Subject: [PATCH] - Add /srv/www to filelist [bsc#1231027] OBS-URL: https://build.opensuse.org/package/show/server:http/nginx?expand=0&rev=272 --- .gitattributes | 23 + .gitignore | 1 + nginx-1.11.2-html.patch | 14 + nginx-1.11.2-no_Werror.patch | 26 + nginx-1.27.0.tar.gz | 3 + nginx-1.27.0.tar.gz.asc | 17 + nginx-1.27.1.tar.gz | 3 + nginx-1.27.1.tar.gz.asc | 17 + nginx-aio.patch | 45 + nginx-conf.patch | 119 ++ nginx-perl.patch | 12 + nginx.changes | 2818 ++++++++++++++++++++++++++++++++++ nginx.keyring | 65 + nginx.logrotate | 14 + nginx.rpmlintrc | 5 + nginx.service | 31 + nginx.spec | 219 +++ nginx.sysusers | 2 + 18 files changed, 3434 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 nginx-1.11.2-html.patch create mode 100644 nginx-1.11.2-no_Werror.patch create mode 100644 nginx-1.27.0.tar.gz create mode 100644 nginx-1.27.0.tar.gz.asc create mode 100644 nginx-1.27.1.tar.gz create mode 100644 nginx-1.27.1.tar.gz.asc create mode 100644 nginx-aio.patch create mode 100644 nginx-conf.patch create mode 100644 nginx-perl.patch create mode 100644 nginx.changes create mode 100644 nginx.keyring create mode 100644 nginx.logrotate create mode 100644 nginx.rpmlintrc create mode 100644 nginx.service create mode 100644 nginx.spec create mode 100644 nginx.sysusers diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/nginx-1.11.2-html.patch b/nginx-1.11.2-html.patch new file mode 100644 index 0000000..d510580 --- /dev/null +++ b/nginx-1.11.2-html.patch @@ -0,0 +1,14 @@ +Index: nginx-1.11.2/auto/install +=================================================================== +--- nginx-1.11.2.orig/auto/install ++++ nginx-1.11.2/auto/install +@@ -154,8 +154,7 @@ install: build $NGX_INSTALL_PERL_MODULES + test -d '\$(DESTDIR)`dirname "$NGX_HTTP_LOG_PATH"`' \\ + || mkdir -p '\$(DESTDIR)`dirname "$NGX_HTTP_LOG_PATH"`' + +- test -d '\$(DESTDIR)$NGX_PREFIX/html' \\ +- || cp -R $NGX_HTML '\$(DESTDIR)$NGX_PREFIX' ++ test -d '\$(DESTDIR)/srv/www/htdocs' || install -d '\$(DESTDIR)/srv/www/' && cp -r html '\$(DESTDIR)/srv/www/htdocs' + END + + diff --git a/nginx-1.11.2-no_Werror.patch b/nginx-1.11.2-no_Werror.patch new file mode 100644 index 0000000..a7d283b --- /dev/null +++ b/nginx-1.11.2-no_Werror.patch @@ -0,0 +1,26 @@ +Index: nginx-1.11.2/auto/cc/gcc +=================================================================== +--- nginx-1.11.2.orig/auto/cc/gcc ++++ nginx-1.11.2/auto/cc/gcc +@@ -166,7 +166,7 @@ esac + + + # stop on warning +-CFLAGS="$CFLAGS -Werror" ++#CFLAGS="$CFLAGS -Werror" + + # debug + CFLAGS="$CFLAGS -g" +Index: nginx-1.11.2/auto/cc/icc +=================================================================== +--- nginx-1.11.2.orig/auto/cc/icc ++++ nginx-1.11.2/auto/cc/icc +@@ -111,7 +111,7 @@ case "$NGX_ICC_VER" in + esac + + # stop on warning +-CFLAGS="$CFLAGS -Werror" ++#CFLAGS="$CFLAGS -Werror" + + # debug + CFLAGS="$CFLAGS -g" diff --git a/nginx-1.27.0.tar.gz b/nginx-1.27.0.tar.gz new file mode 100644 index 0000000..bc9c2b2 --- /dev/null +++ b/nginx-1.27.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b7230e3cf87eaa2d4b0bc56aadc920a960c7873b9991a1b66ffcc08fc650129c +size 1244887 diff --git a/nginx-1.27.0.tar.gz.asc b/nginx-1.27.0.tar.gz.asc new file mode 100644 index 0000000..8dfdec6 --- /dev/null +++ b/nginx-1.27.0.tar.gz.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJHBAABCAAxFiEE1nhs4wPZqQIpmNxsyEZNVJr3XAoFAmZXPGwTHHMua2FuZGF1 +cm92QGY1LmNvbQAKCRDIRk1UmvdcCuP2EACiocOUQaVfOWCfm01ZA47KcW02UUNk +U8gIZD4iu6ENVKw6ZwO3CpKpwnhixfmNnvKfsYdV+clgLtSk2F5ism82uXSDR4Bs +K8q8SSFnCRltUf9AAddF7fEW3PyWlSW94cICAQLaVBOiRlSmg4ats/pdMR/9za0C +0cg8nCnR3xiFr2LAqZgKXUkC1J3XNIg3r8v2YD1mAURi3h//w4UfNOvJ8/dhIDFy ++SJuaA8uRjS2T1tEhXd91qqmxyfXliR+aYo4PGtpWp+rlFoOZK8jJK3ux0KmlgSr +FpqCIV9uwOt9Ha29bdn8/R0LYnmozoVMkfWjAg6U4pUNXHq8x1TURGahy/TtxqLl +F3H3lz39ioNvLqpSr83B+LKsKXgyjfIe+3JJf6GNPQDjdZyEdK78TLl2fDNZA4Pw +Q3miCdUnGk/FwcJUVsC8pPCTFDGvnesR5+oXRQe1WhSY7mvv86QMbD6H6MteXq87 +dY96qleMIw2VS3VYNqmMaGJoRL/DJyYQF1ChdiNN5bqJBJMrrtNjDFDzJrMOcIrD +w/L40pgZy7HOPX6Tbd5aV8yc32y7AM59Mttibarc+N8qYyQeUOOAt+3sw4aL0/WC +zZznDF4Gj6Pbi9rn4L4RD6Bt5pLal6y4Y4M2m34/x4mfhbFQUnmwzu+F4kD83a9p +cfoao+a5Gr4Plw== +=SMAJ +-----END PGP SIGNATURE----- diff --git a/nginx-1.27.1.tar.gz b/nginx-1.27.1.tar.gz new file mode 100644 index 0000000..9d1944f --- /dev/null +++ b/nginx-1.27.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bd7ba68a6ce1ea3768b771c7e2ab4955a59fb1b1ae8d554fedb6c2304104bdfc +size 1245244 diff --git a/nginx-1.27.1.tar.gz.asc b/nginx-1.27.1.tar.gz.asc new file mode 100644 index 0000000..95e6c10 --- /dev/null +++ b/nginx-1.27.1.tar.gz.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJHBAABCAAxFiEE1nhs4wPZqQIpmNxsyEZNVJr3XAoFAma7Vi8THHMua2FuZGF1 +cm92QGY1LmNvbQAKCRDIRk1UmvdcCtRUEACjv3LHnzN3J1c6h5C9cKTjIIKa4PgA +fM8o41QenN6HMQ8a0ww8zH2zdDUxVr9OgNBV0sqtsL5SX+BuMTjGC75M5qgk45yd +E6FMk2tJ69wVqmN1zP5sYV5n7dmt89mh7W3J3lO4XpgqCQcogmmyMg+1Z9vvO4Nt +VvYO7w45oEqc5rb7IjWtktNS3jjf2Kat6azhOvrbMjuCUt/pOBJiM11diLmURtEx +xE5It7bFwoywJUtjF7XUMeOGljH5VnxTLuIlq/5FkAYklu484B2iLHidhCLfq7g7 +9FJO3XatFrRefA7ryawZ9AnQtrLIt0YZdIEweoOxp16kj3mCmqhF/aeBNAcnQUAM +EZLX/BBYA6cog8YuWffan9G5EYvul0tdXK5DQF8vUjBfw54aI4YnA5TDtSMniBEJ +SJrUCbKazGFwd+K94IrGD8EwypEC+M3gQovNn34NikLr1Xe8Uz3i2x7y0OgYxbUh +hH+ilD5XS0bHfueydYIKl85muwFtiIs3b0EhfvGf4z5d2DmvZ3/cYxjYpzZG0r7L +WckCqgj2uVXvR3phDqpm0aNd8C+4sho+PQmXon8PbIpjuVLvQhz0XiH6D7H61wks +XWNvBFHNjeBJYjaZQQ/2kAKfdwdpYTYvDd3Rlnscn3BNQvu9prWUDCYiNHMnNnOB +ueop2LrbK54ogg== +=bwlL +-----END PGP SIGNATURE----- diff --git a/nginx-aio.patch b/nginx-aio.patch new file mode 100644 index 0000000..4561643 --- /dev/null +++ b/nginx-aio.patch @@ -0,0 +1,45 @@ +Index: nginx-1.19.1/auto/unix +=================================================================== +--- nginx-1.19.1.orig/auto/unix ++++ nginx-1.19.1/auto/unix +@@ -559,7 +559,12 @@ if [ $NGX_FILE_AIO = YES ]; then + ngx_feature="Linux AIO support (SYS_eventfd)" + ngx_feature_incs="#include + #include " +- ngx_feature_test="struct iocb iocb; ++ ngx_feature_test="#ifdef SYS_eventfd ++ int n = SYS_eventfd; ++ #else ++ int n = SYS_eventfd2; ++ #endif ++ struct iocb iocb; + iocb.aio_lio_opcode = IOCB_CMD_PREAD; + iocb.aio_flags = IOCB_FLAG_RESFD; + iocb.aio_resfd = -1; +Index: nginx-1.19.1/src/event/modules/ngx_epoll_module.c +=================================================================== +--- nginx-1.19.1.orig/src/event/modules/ngx_epoll_module.c ++++ nginx-1.19.1/src/event/modules/ngx_epoll_module.c +@@ -77,9 +77,7 @@ int epoll_wait(int epfd, struct epoll_ev + + #if (NGX_HAVE_FILE_AIO) + +-#define SYS_io_setup 245 +-#define SYS_io_destroy 246 +-#define SYS_io_getevents 247 ++#include + + typedef u_int aio_context_t; + +@@ -254,7 +252,11 @@ ngx_epoll_aio_init(ngx_cycle_t *cycle, n + #if (NGX_HAVE_SYS_EVENTFD_H) + ngx_eventfd = eventfd(0, 0); + #else ++#ifdef SYS_eventfd + ngx_eventfd = syscall(SYS_eventfd, 0); ++#else ++ ngx_eventfd = syscall(SYS_eventfd2, 0, 0); ++#endif + #endif + + if (ngx_eventfd == -1) { diff --git a/nginx-conf.patch b/nginx-conf.patch new file mode 100644 index 0000000..543858f --- /dev/null +++ b/nginx-conf.patch @@ -0,0 +1,119 @@ +diff -Pdpru nginx-1.27.1.orig/conf/nginx.conf nginx-1.27.1/conf/nginx.conf +--- nginx-1.27.1.orig/conf/nginx.conf 2024-08-12 17:21:01.000000000 +0300 ++++ nginx-1.27.1/conf/nginx.conf 2024-08-16 02:08:46.680107766 +0300 +@@ -1,16 +1,28 @@ ++#user nginx nginx; ++#worker_processes 1; ++#pcre_jit off; + +-#user nobody; +-worker_processes 1; ++# load_module #LIBDIR#/nginx/modules/ngx_http_echo_module.so; ++# load_module #LIBDIR#/nginx/modules/ngx_http_fancyindex_module.so; ++# load_module #LIBDIR#/nginx/modules/ngx_http_geoip2_module.so; ++# load_module #LIBDIR#/nginx/modules/ngx_http_image_filter_module.so; ++# load_module #LIBDIR#/nginx/modules/ngx_http_lua_module.so; ++# load_module #LIBDIR#/nginx/modules/ngx_http_perl_module.so; ++# load_module #LIBDIR#/nginx/modules/ngx_http_xslt_filter_module.so; ++# load_module #LIBDIR#/nginx/modules/ngx_mail_module.so; ++# load_module #LIBDIR#/nginx/modules/ngx_stream_geoip2_module.so; ++# load_module #LIBDIR#/nginx/modules/ngx_stream_module.so; + +-#error_log logs/error.log; +-#error_log logs/error.log notice; +-#error_log logs/error.log info; ++#error_log /var/log/nginx/error.log; ++#error_log /var/log/nginx/error.log notice; ++#error_log /var/log/nginx/error.log info; + +-#pid logs/nginx.pid; ++#pid /var/run/nginx.pid; + + + events { + worker_connections 1024; ++ use epoll; + } + + +@@ -22,7 +34,7 @@ http { + # '$status $body_bytes_sent "$http_referer" ' + # '"$http_user_agent" "$http_x_forwarded_for"'; + +- #access_log logs/access.log main; ++ #access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; +@@ -32,16 +44,18 @@ http { + + #gzip on; + ++ include conf.d/*.conf; ++ + server { + listen 80; + server_name localhost; + + #charset koi8-r; + +- #access_log logs/host.access.log main; ++ #access_log /var/log/nginx/host.access.log main; + + location / { +- root html; ++ root /srv/www/htdocs/; + index index.html index.htm; + } + +@@ -51,7 +65,7 @@ http { + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { +- root html; ++ root /srv/www/htdocs/; + } + + # proxy the PHP scripts to Apache listening on 127.0.0.1:80 +@@ -63,7 +77,7 @@ http { + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { +- # root html; ++ # root /srv/www/htdocs/; + # fastcgi_pass 127.0.0.1:9000; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; +@@ -87,7 +101,7 @@ http { + # server_name somename alias another.alias; + + # location / { +- # root html; ++ # root /srv/www/htdocs/; + # index index.html index.htm; + # } + #} +@@ -102,6 +116,10 @@ http { + # ssl_certificate cert.pem; + # ssl_certificate_key cert.key; + ++ # Allow TLS version 1.2 only, which is a recommended default these days ++ # by international information security standards. ++ # ssl_protocols TLSv1.2; ++ + # ssl_session_cache shared:SSL:1m; + # ssl_session_timeout 5m; + +@@ -109,9 +127,11 @@ http { + # ssl_prefer_server_ciphers on; + + # location / { +- # root html; ++ # root /srv/www/htdocs/; + # index index.html index.htm; + # } + #} + ++ include vhosts.d/*.conf; ++ + } diff --git a/nginx-perl.patch b/nginx-perl.patch new file mode 100644 index 0000000..bb05467 --- /dev/null +++ b/nginx-perl.patch @@ -0,0 +1,12 @@ +diff -Pdpru nginx-1.27.1.orig/auto/install nginx-1.27.1/auto/install +--- nginx-1.27.1.orig/auto/install 2024-08-12 17:21:01.000000000 +0300 ++++ nginx-1.27.1/auto/install 2024-08-16 01:34:07.040688796 +0300 +@@ -8,7 +8,7 @@ if [ $USE_PERL != NO ]; then + cat << END >> $NGX_MAKEFILE + + install_perl_modules: +- cd $NGX_OBJS/src/http/modules/perl && \$(MAKE) install ++ cd $NGX_OBJS/src/http/modules/perl && \$(MAKE) install_vendor + END + + NGX_INSTALL_PERL_MODULES=install_perl_modules diff --git a/nginx.changes b/nginx.changes new file mode 100644 index 0000000..79d4b32 --- /dev/null +++ b/nginx.changes @@ -0,0 +1,2818 @@ +------------------------------------------------------------------- +Fri Sep 27 17:32:21 UTC 2024 - Thorsten Kukuk + +- Add /srv/www to filelist [bsc#1231027] + +------------------------------------------------------------------- +Fri Aug 16 02:21:19 UTC 2024 - Илья Индиго + +- Renamed nginx-1.6.1-default_config.patch to nginx-conf.patch. +- Renamed nginx-1.2.4-perl_vendor_install.patch to nginx-perl.patch. +- Used atosetup -p1 macro and replaced editor from perl to sed. +- Added %check section with gpg signature source verification. +- Updated to 1.27.1 + * https://nginx.org/en/CHANGES + * Fixed crash in ngx_http_mp4_module via specially crafted mp4 file (CVE-2024-7347). + * Now the stream module handler is not mandatory. + * Fixed new HTTP/2 connections might ignore graceful shutdown of old worker processes. + +------------------------------------------------------------------- +Fri May 31 08:48:36 UTC 2024 - Илья Индиго + +- Updated to 1.27.0 + * Changed nginx.keyring to Sergey Kandaurov’s PGP public key. + * https://nginx.org/en/CHANGES + * Added variables support in the "proxy_limit_rate", "fastcgi_limit_rate", + "scgi_limit_rate", and "uwsgi_limit_rate" directives. + * Fixed reduced memory consumption for long-lived requests if "gzip", + "gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used. + * Fixed building with gcc 14 with --with-atomic option. + +------------------------------------------------------------------- +Sat May 11 04:03:00 UTC 2024 - Илья Индиго + +- Updated list of recommended modules (deleted unavailable in TW). + +------------------------------------------------------------------- +Wed Apr 17 07:14:59 UTC 2024 - Илья Индиго + +- Updated to 1.25.5 + * Changed nginx.keyring to Roman Arutyunyan’s PGP public key. + * https://nginx.org/en/CHANGES + * Added virtual servers in the stream module. + * Fixed the ngx_stream_pass_module. + * Fixed the "deferred", "accept_filter", and "setfib" parameters + of the "listen" directive in the stream module. + * Added cache line size detection for some architectures. + +------------------------------------------------------------------- +Tue Apr 16 05:52:58 UTC 2024 - Georg Pfuetzenreuter + +- Set RuntimeDirectory to offer a location for Unix sockets at /run/nginx + +------------------------------------------------------------------- +Sun Mar 3 10:24:27 UTC 2024 - Adam Mizerski + +- logrotate: don't fail if service not running + +------------------------------------------------------------------- +Thu Feb 22 14:08:07 UTC 2024 - Dominique Leuenberger + +- Use %patch -P N instead of deprecated %patchN. + +------------------------------------------------------------------- +Sun Feb 18 16:23:59 UTC 2024 - Илья Индиго + +- Updated to 1.25.4 + * Changed nginx.keyring to Sergey Kandaurov’s PGP public key. + * https://nginx.org/en/CHANGES + * Fixed segmentation fault might occur in a worker process while + processing a specially crafted QUIC session (CVE-2024-24989, CVE-2024-24990). + * Fixed connections with pending AIO operations might be closed + prematurely during graceful shutdown of old worker processes. + * Fixed socket leak alerts no longer logged when fast shutdown was + requested after graceful shutdown of old worker processes. + * Fixed socket descriptor error, a socket leak, or a segmentation fault + in a worker process might occur if AIO was used in a subrequest. + * Fixed segmentation fault might occur in a worker process if SSL + proxying was used along with the "image_filter" directive and errors + with code 415 were redirected with the "error_page" directive. + +------------------------------------------------------------------- +Thu Oct 26 13:49:33 UTC 2023 - Илья Индиго + +- Updated to 1.25.3 + * https://nginx.org/en/CHANGES + * Changed: improved detection of misbehaving clients when using HTTP/2. + * Added: startup speedup when using a large number of locations. + * Fixed: a segmentation fault might occur in a worker process when + using HTTP/2 without SSL; the bug had appeared in 1.25.1. + * Fixed: the "Status" backend response header line with an empty + reason phrase was handled incorrectly. + * Fixed: memory leak during reconfiguration when using the PCRE2 library. + +------------------------------------------------------------------- +Sun Aug 20 16:10:31 UTC 2023 - Илья Индиго + +- Updated to 1.25.2 + * https://nginx.org/en/CHANGES + * Changed: uses appname "nginx" when loading OpenSSL configuration. + * Changed: does not try to load OpenSSL configuration if the + --with-openssl option was used to built OpenSSL and the OPENSSL_CONF + environment variable is not set. + +------------------------------------------------------------------- +Wed Jun 14 05:03:46 UTC 2023 - Илья Индиго + +- Updated to 1.25.1 + * https://nginx.org/en/CHANGES + * Added "http2" directive, which enables HTTP/2 on a per-server basis. + * Deprecated "http2" parameter of the "listen" directive. + * Removed HTTP/2 server push support. + * Deprecated "ssl" directive is not supported anymore. + +------------------------------------------------------------------- +Tue May 23 21:44:57 UTC 2023 - Илья Индиго + +- Updated to 1.25.0 + * https://nginx.org/en/CHANGES + * Added experimental HTTP/3 support. + +------------------------------------------------------------------- +Wed Mar 29 18:38:46 UTC 2023 - Илья Индиго + +- Updated to 1.23.4 + * https://nginx.org/en/CHANGES + * Enabled TLSv1.3 protocol by default. + * Supported byte ranges support in the ngx_http_gzip_static_module. + * Fixed port ranges in the "listen" directive did not work. + * Fixed incorrect location might be chosen to process a request if a + prefix location longer than 255 characters. + * Fixed a socket leak might occur when using HTTP/2 and the + "error_page" directive to redirect errors with code 400. + +------------------------------------------------------------------- +Sat Dec 17 19:46:30 UTC 2022 - Michael Ströder + +- Updated to 1.23.3 + * Bugfix: an error might occur when reading PROXY protocol version 2 + header with large number of TLVs. + * Bugfix: a segmentation fault might occur in a worker process if SSI + was used to process subrequests created by other modules. + * Workaround: when a hostname used in the "listen" directive resolves + to multiple addresses, nginx now ignores duplicates within these + addresses. + * Bugfix: nginx might hog CPU during unbuffered proxying if SSL + connections to backends were used. + +------------------------------------------------------------------- +Wed Oct 19 14:06:29 UTC 2022 - Michael Ströder + +- Updated to 1.23.2 + * Security: processing of a specially crafted mp4 file by the + ngx_http_mp4_module might cause a worker process crash, worker + process memory disclosure, or might have potential other impact + (CVE-2022-41741, CVE-2022-41742). + * Feature: the "$proxy_protocol_tlv_..." variables. + * Feature: TLS session tickets encryption keys are now automatically + rotated when using shared memory in the "ssl_session_cache" + directive. + * Change: the logging level of the "bad record type" SSL errors has + been lowered from "crit" to "info". + * Change: now when using shared memory in the "ssl_session_cache" + directive the "could not allocate new session" errors are logged at + the "warn" level instead of "alert" and not more often than once per second. + * Bugfix: nginx/Windows could not be built with OpenSSL 3.0.x. + * Bugfix: in logging of the PROXY protocol errors. + * Workaround: shared memory from the "ssl_session_cache" directive was + spent on sessions using TLS session tickets when using TLSv1.3 with OpenSSL. + * Workaround: timeout specified with the "ssl_session_timeout" + directive did not work when using TLSv1.3 with OpenSSL or BoringSSL. + +------------------------------------------------------------------- +Tue Jul 19 17:47:28 UTC 2022 - Michael Ströder + +- Updated to 1.23.1 + * Feature: memory usage optimization in configurations with SSL proxying. + * Feature: looking up of IPv4 addresses while resolving now can be + disabled with the "ipv4=off" parameter of the "resolver" directive. + * Change: the logging level of the "bad key share", "bad extension", + "bad cipher", and "bad ecpoint" SSL errors has been lowered from "crit" to "info". + * Bugfix: while returning byte ranges nginx did not remove the + "Content-Range" header line if it was present in the original backend response. + * Bugfix: a proxied response might be truncated during reconfiguration + on Linux; the bug had appeared in 1.17.5. + +------------------------------------------------------------------- +Tue Jun 21 23:46:03 UTC 2022 - Илья Индиго + +- Changed nginx.keyring to Konstantin Pavlov’s PGP public key. +- Removed nginx.init. +- Updated to 1.23.0 + * https://nginx.org/en/CHANGES + * Now header lines are represented as linked lists. + * Now nginx combines arbitrary header lines with identical + names when sending to FastCGI, SCGI, and uwsgi backends, in the + $r->header_in() method of the ngx_http_perl_module, and during lookup + of the "$http_...", "$sent_http_...", "$sent_trailer_...", + "$upstream_http_...", and "$upstream_trailer_..." variables. + * Fixed: if there were multiple "Vary" header lines in the backend + response, nginx only used the last of them when caching. + * Fixed: if there were multiple "WWW-Authenticate" header lines in the + backend response and errors with code 401 were intercepted or the + "auth_request" directive was used, nginx only sent the first of the + header lines to the client. + * The logging level of the "application data after close + notify" SSL errors has been lowered from "crit" to "info". + * Fixed: connections might hang if nginx was built on Linux 2.6.17 or + newer, but was used on systems without EPOLLRDHUP support, notably + with epoll emulation layers; the bug had appeared in 1.17.5. + * Fixed: nginx did not cache the response if the "Expires" response + header line disabled caching, but following "Cache-Control" header + line enabled caching. + +------------------------------------------------------------------- +Tue Feb 1 14:50:56 UTC 2022 - Илья Индиго + +- Updated to 1.21.6 + * https://nginx.org/en/CHANGES + * Fixed when using EPOLLEXCLUSIVE on Linux client connections were + unevenly distributed among worker processes. + * Fixed nginx returned the "Connection: keep-alive" header line in + responses during graceful shutdown of old worker processes. + * Fixed in the "ssl_session_ticket_key" when using TLSv1.3. + +------------------------------------------------------------------- +Wed Dec 29 11:03:27 UTC 2021 - Andreas Stieger + +- Updated to 1.21.5 + * https://nginx.org/en/CHANGES + * Build with the PCRE2. + * Supported the $ssl_curve variable. + * Fixed connections might hang when using HTTP/2 without SSL + with the "sendfile" and "aio" directives. + +------------------------------------------------------------------- +Fri Nov 5 21:24:19 UTC 2021 - Илья Индиго + +- Updated to 1.21.4 + * https://nginx.org/en/CHANGES + * Support for NPN instead of ALPN to establish HTTP/2 + connections has been removed. + * Now nginx rejects SSL connections if ALPN is used by the + client, but no supported protocols can be negotiated. + * The default value of the "sendfile_max_chunk" directive was + changed to 2 megabytes. + * The "proxy_half_close" directive in the stream module. + * The "ssl_alpn" directive in the stream module. + * The $ssl_alpn_protocol variable. + * Support for SSL_sendfile() when using OpenSSL 3.0. + * The "mp4_start_key_frame" directive in the ngx_http_mp4_module. + * In the $content_length variable when using chunked transfer encoding. + * After receiving a response with incorrect length from a proxied + backend nginx might nevertheless cache the connection. + * Invalid headers from backends were logged at the "info" level + instead of "error"; the bug had appeared in 1.21.1. + * Requests might hang when using HTTP/2 and the "aio_write" directive. + +------------------------------------------------------------------- +Fri Nov 5 18:10:15 UTC 2021 - Ondřej Súkup + +- drop vim-plugin-nginx, now is provided directly by vim + +------------------------------------------------------------------- +Fri Oct 15 14:23:41 UTC 2021 - Callum Farmer + +- Add CONFIG parameter to %sysusers_generate_pre + +------------------------------------------------------------------- +Mon Oct 11 09:26:39 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Modified: + * nginx.service + +------------------------------------------------------------------- +Fri Sep 10 17:44:54 UTC 2021 - Илья Индиго + +- Updated to 1.21.3 + * https://nginx.org/en/CHANGES + * Optimization of client request body reading when using HTTP/2. + * Fixed request body filters internal API when using HTTP/2 and + buffering of the data being processed. + +------------------------------------------------------------------- +Wed Sep 1 07:09:54 UTC 2021 - Илья Индиго + +- Updated to 1.21.2 + * https://nginx.org/en/CHANGES + * Now nginx rejects HTTP/1.0 requests with the "Transfer-Encoding" header line. + * Export ciphers are no longer supported. + * Added OpenSSL 3.0 compatibility. + * Added the "Auth-SSL-Protocol" and "Auth-SSL-Cipher" header lines + are now passed to the mail proxy authentication server. + * Added request body filters API now permits buffering of the data being processed. + * Fixed backend SSL connections in the stream module might hang after an SSL handshake. + * Fixed the security level, which is available in OpenSSL 1.1.0 or newer, + did not affect loading of the server certificates when set + with "@SECLEVEL=N" in the "ssl_ciphers" directive. + * Fixed SSL connections with gRPC backends might hang if select, poll, + or /dev/poll methods were used. + * Fixed when using HTTP/2 client request body was always written to + disk if the "Content-Length" header line was not present in the request. + +------------------------------------------------------------------- +Wed Jul 7 18:53:17 UTC 2021 - Илья Индиго + +- Updated to 1.21.1 + * https://nginx.org/en/CHANGES + * Now nginx always returns an error for the CONNECT method. + * Now nginx always returns an error if both "Content-Length" + and "Transfer-Encoding" header lines are present in the request. + * Now nginx always returns an error if spaces or control + characters are used in the request line. + * Now nginx always returns an error if spaces or control + characters are used in a header name. + * Now nginx always returns an error if spaces or control + characters are used in the "Host" request header line. + * Optimization of configuration testing when using many + listening sockets. + * Fixed: nginx did not escape """, "<", ">", "\", "^", "`", "{", "|", + and "}" characters when proxying with changed URI. + * Fixed: SSL variables might be empty when used in logs; the bug had + appeared in 1.19.5. + * Fixed: keepalive connections with gRPC backends might not be closed + after receiving a GOAWAY frame. + * Fixed: reduced memory consumption for long-lived requests when + proxying with more than 64 buffers. + +------------------------------------------------------------------- +Wed Jun 16 13:13:12 UTC 2021 - Felix Schnizlein + +- Fix race condition between nginx and logrotate causing mass reopening of + files (bsc#1183876). + +------------------------------------------------------------------- +Thu May 27 16:35:26 UTC 2021 - Dirk Müller + +- Updated to 1.21.0 + * https://nginx.org/en/CHANGES + * Added variables support in the "proxy_ssl_certificate", + "proxy_ssl_certificate_key" "grpc_ssl_certificate", + "grpc_ssl_certificate_key", "uwsgi_ssl_certificate", and + "uwsgi_ssl_certificate_key" directives. + * Added the "max_errors" directive in the mail proxy module. + * Added the mail proxy module supports POP3 and IMAP pipelining. + * Added the "fastopen" parameter of the "listen" directive in the + stream module. + * Fixed special characters were not escaped during automatic redirect + with appended trailing slash. + * Fixed connections with clients in the mail proxy module might be + closed unexpectedly when using SMTP pipelining. + +------------------------------------------------------------------- +Wed May 26 02:44:27 UTC 2021 - Илья Индиго + +- Update to 1.20.1 + * https://nginx.org/en/CHANGES + * 1-byte memory overwrite might occur during DNS server response processing + if the "resolver" directive was used, allowing an attacker who is able to + forge UDP packets from the DNS server to cause worker process crash or, + potentially, arbitrary code execution (CVE-2021-23017, boo#1186126). + +------------------------------------------------------------------- +Wed Apr 21 04:54:21 UTC 2021 - Andreas Stieger + +- only recommend installation of vim-plugin-nginx if any vim is + also installed or selected (boo#1183710) + +------------------------------------------------------------------- +Tue Apr 20 20:41:21 UTC 2021 - Илья Индиго + +- Update to 1.20.0 + * 1.20.x stable branch. + +------------------------------------------------------------------- +Wed Apr 14 11:09:07 UTC 2021 - Илья Индиго + +- Update to 1.19.10 + * https://nginx.org/en/CHANGES + * Changed default value for "keepalive_requests" to 1000. + * Added "keepalive_time" directive and $connection_time variable. + * Fixed "gzip filter failed to use preallocated memory" alerts + appeared in logs when using zlib-ng. + +------------------------------------------------------------------- +Sat Apr 3 10:29:25 UTC 2021 - Илья Индиго + +- Update to 1.19.9 + * https://nginx.org/en/CHANGES + * Fixed nginx could not be built with the mail proxy module, but + without the ngx_mail_ssl_module; the bug had appeared in 1.19.8. + * Fixed "upstream sent response body larger than indicated content + length" errors might occur when working with gRPC backends; + the bug had appeared in 1.19.1. + * Fixed nginx might not close a connection till keepalive timeout + expiration if the connection was closed by the client while + discarding the request body. + * Fixed nginx might not detect that a connection was already closed + by the client when waiting for auth_delay or limit_req delay, + or when working with backends. + * Fixed in the eventport method. + +------------------------------------------------------------------- +Fri Mar 12 20:17:06 UTC 2021 - Dirk Müller + +- update to 1.19.8: + * Feature: flags in the "proxy_cookie_flags" directive can now contain + variables. + * Feature: the "proxy_protocol" parameter of the "listen" directive, + the "proxy_protocol" and "set_real_ip_from" directives in mail proxy. + * Bugfix: HTTP/2 connections were immediately closed when using + "keepalive_timeout 0"; the bug had appeared in 1.19.7. + * Bugfix: some errors were logged as unknown if nginx was built with + glibc 2.32. + * Bugfix: in the eventport method. + +------------------------------------------------------------------- +Sat Feb 27 12:04:02 UTC 2021 - Илья Индиго + +- Refreshed spec-file via spec-cleaner and manual optimizations. + * Droped obsolete conditional constructs. + * Removed pkg_name macro. + +------------------------------------------------------------------- +Wed Feb 17 00:02:08 UTC 2021 - Marcus Rueckert + +- Drop nginx_upstream_check module, there is no support for dynamic + loading upstream and the module seems kind of unmaintained. +- Removed patch check_1.9.2+.patch. + +------------------------------------------------------------------- +Tue Feb 16 23:40:16 UTC 2021 - Marcus Rueckert + +- Update to 1.19.7 + * https://nginx.org/en/CHANGES + * Change: connections handling in HTTP/2 has been changed to + better match HTTP/1.x; the "http2_recv_timeout", + "http2_idle_timeout", and "http2_max_requests" directives have + been removed, the "keepalive_timeout" and "keepalive_requests" + directives should be used instead. + * Change: the "http2_max_field_size" and "http2_max_header_size" + directives have been removed, the "large_client_header_buffers" + directive should be used instead. + * Feature: now, if free worker connections are exhausted, nginx + starts closing not only keepalive connections, but also + connections in lingering close. + * Bugfix: "zero size buf in output" alerts might appear in logs + if an upstream server returned an incorrect response during + unbuffered proxying; the bug had appeared in 1.19.1. + * Bugfix: HEAD requests were handled incorrectly if the "return" + directive was used with the "image_filter" or "xslt_stylesheet" + directives. + * Bugfix: in the "add_trailer" directive. +- Since we only target sle 12 and above we can skip all + conditionals which apply to suse_version before 1315 + + With changes in nginx itself we will drop support for sysvinit. + http2, libatomic support and pcre_jit will always be on now. + and we build all binaries with PIE now. +- Moved the last 2 path macros from nginx.spec to the macros file. + (pid and lock path) + +------------------------------------------------------------------- +Wed Dec 23 07:18:28 UTC 2020 - Paolo Stivanin + +- Update to 1.19.6 + * https://nginx.org/en/CHANGES + * Fix "no live upstreams" errors if a "server" inside "upstream" + block was marked as "down". + * Fix a segmentation fault might occur in a worker process if HTTPS + was used; the bug had appeared in 1.19.5. + * Fix nginx returned the 400 response on requests like + "GET http://example.com?args HTTP/1.0". + * Fix in the ngx_http_flv_module and ngx_http_mp4_module. + +------------------------------------------------------------------- +Tue Nov 24 19:30:01 UTC 2020 - Илья Индиго + +- Update to 1.19.5 + * https://nginx.org/en/CHANGES + * Add the -e switch. + * The same source files can now be specified in different modules + while building addon modules. + * Fix SSL shutdown did not work when lingering close was used. + * Fix "upstream sent frame for closed stream" errors might occur + when working with gRPC backends. + * Fix in request body filters internal API. + +------------------------------------------------------------------- +Mon Nov 9 11:07:07 UTC 2020 - Илья Индиго + +- Refresh spec-file via spec-cleaner and manual optimizations. + +------------------------------------------------------------------- +Tue Oct 27 20:23:09 UTC 2020 - Илья Индиго + +- Update to 1.19.4 + * https://nginx.org/en/CHANGES + * Add the "ssl_conf_command", "proxy_ssl_conf_command", + "grpc_ssl_conf_command", and "uwsgi_ssl_conf_command" directives. + * Add the "ssl_reject_handshake" directive. + * Add the "proxy_smtp_auth" directive in mail proxy. + +------------------------------------------------------------------- +Fri Oct 2 04:14:33 UTC 2020 - Marcus Rueckert + +- Use the ngx_* macros from the nginx-macros package to simplify + the spec file. + +------------------------------------------------------------------- +Fri Oct 2 01:58:09 UTC 2020 - Marcus Rueckert + +- Moved all the modules that support dynamic modules into their own + modules: + * nginx-module-geoip2 + * nginx-module-fancyindex + * nginx-module-headers-more +- The rtmp module is replaced with nginx-module-http-flv + +------------------------------------------------------------------- +Wed Sep 30 11:28:16 UTC 2020 - Илья Индиго + +- Update to 1.19.3 + * https://nginx.org/en/CHANGES + * Add the ngx_stream_set_module. + * Add the "proxy_cookie_flags" directive. + * Add the "userid_flags" directive. + * Fix the "stale-if-error" cache control extension was erroneously + applied if backend returned a response with status code 500, 502, + 503, 504, 403, 404, or 429. + * Fix "[crit] cache file ... has too long header" messages might + appear in logs if caching was used and the backend returned responses + with the "Vary" header line. + * Fix "[crit] SSL_write() failed" messages might appear in logs + when using OpenSSL 1.1.1. + * Fix "SSL_shutdown() failed (SSL: ... bad write retry)" messages + might appear in logs; the bug had appeared in 1.19.2. + * Fix a segmentation fault might occur in a worker process when + using HTTP/2 if errors with code 400 were redirected to a proxied + location using the "error_page" directive. + * Fix socket leak when using HTTP/2 and subrequests in the njs module. + +------------------------------------------------------------------- +Wed Aug 12 15:23:16 UTC 2020 - Илья Индиго + +- Update to 1.19.2 + * https://nginx.org/en/CHANGES + * Now nginx starts closing keepalive connections before all free + worker connections are exhausted, and logs a warning about this + to the error log. + * Optimization of client request body reading when using chunked + transfer encoding. + * Memory leak if the "ssl_ocsp" directive was used. + * "zero size buf in output" alerts might appear in logs if a + FastCGI server returned an incorrect response; the bug had + appeared in 1.19.1. + * A segmentation fault might occur in a worker process if + different large_client_header_buffers sizes were used in + different virtual servers. + * SSL shutdown might not work. + * "SSL_shutdown() failed (SSL: ... bad write retry)" messages + might appear in logs. + * In the ngx_http_slice_module. + * In the ngx_http_xslt_filter_module. + +------------------------------------------------------------------- +Tue Aug 4 19:10:24 UTC 2020 - Dirk Mueller + +- update nginx-1.6.1-default_config.patch: + * remove geoip_module which is no longer compiled (bsc#1156202) + +------------------------------------------------------------------- +Wed Jul 8 11:52:53 UTC 2020 - Илья Индиго + +- Update to 1.19.1 + * https://nginx.org/en/CHANGES + * The "lingering_close", "lingering_time", and "lingering_timeout" + directives now work when using HTTP/2. + * Now extra data sent by a backend are always discarded. + * Now after receiving a too short response from a FastCGI server + nginx tries to send the available part of the response + to the client, and then closes the client connection. + * Now after receiving a response with incorrect length from a + gRPC backend nginx stops response processing with an error. + * The "min_free" parameter of the "proxy_cache_path", + "fastcgi_cache_path", "scgi_cache_path", + and "uwsgi_cache_path" directives. + * nginx did not delete unix domain listen sockets during + graceful shutdown on the SIGQUIT signal. + * Zero length UDP datagrams were not proxied. + * Proxying to uwsgi backends using SSL might not work. + * In error handling when using the "ssl_ocsp" directive. + * On XFS and NFS file systems disk cache size might be + calculated incorrectly. + * "negative size buf in writer" alerts might appear in logs if + a memcached server returned a malformed response. + +------------------------------------------------------------------- +Thu May 28 01:46:00 UTC 2020 - Илья Индиго + +- Update to 1.19.0 + * https://nginx.org/en/CHANGES + * Client certificate validation with OCSP. + * "upstream sent frame for closed stream" errors might occur + when working with gRPC backends. + * OCSP stapling might not work if the "resolver" directive + was not specified. + * Connections with incorrect HTTP/2 preface were not logged. + +------------------------------------------------------------------- +Thu May 7 16:15:48 UTC 2020 - Cristian Rodríguez + +- Do not arbitrarily limit the default listen backlog + (NGX_LISTEN_BACKLOG) to 511, instead use -1 to choose the + system's default (sysctl net.core.somaxconn) + +------------------------------------------------------------------- +Wed Apr 22 16:46:27 UTC 2020 - Илья Индиго + +- Update to 1.18.0 + * 1.18.x stable branch. + +------------------------------------------------------------------- +Fri Apr 17 12:28:02 UTC 2020 - Thorsten Kukuk + +- Use sysusers.d to create the nginx user and group +- Remove self-conflict + +------------------------------------------------------------------- +Wed Apr 15 13:12:58 UTC 2020 - Илья Индиго + +- Update to 1.17.10 + * https://nginx.org/en/CHANGES + * The "auth_delay" directive. + +------------------------------------------------------------------- +Tue Mar 10 10:49:35 UTC 2020 - Vítězslav Čížek + +- Replace obsolete GeoIP module with MaxMinDB-based GeoIP2 + (bsc#1156202) + +------------------------------------------------------------------- +Wed Mar 4 12:35:47 UTC 2020 - Илья Индиго + +- Update to 1.17.9 + * https://nginx.org/en/CHANGES + * Now nginx does not allow several "Host" request header lines. + * nginx ignored additional "Transfer-Encoding" request header lines. + * Socket leak when using HTTP/2. + * A segmentation fault might occur in a worker process if OCSP + stapling was used. + * In the ngx_http_mp4_module. + * nginx used status code 494 instead of 400 if errors with code + 494 were redirected with the "error_page" directive. + * Socket leak when using subrequests in the njs module and the + "aio" directive. + +------------------------------------------------------------------- +Sun Feb 2 01:03:07 UTC 2020 - Marcus Rueckert + +- Update to 1.17.8 + * Feature: variables support in the "grpc_pass" directive. + * Bugfix: a timeout might occur while handling pipelined requests + in an SSL connection; the bug had appeared in 1.17.5. + * Bugfix: in the "debug_points" directive when using HTTP/2. + Thanks to Daniil Bondarev. + +------------------------------------------------------------------- +Tue Jan 21 16:35:28 UTC 2020 - Thorsten Kukuk + +- Use systemd_ordering instead of systemd_requires, nginx is useable + without sysemd, too. + +------------------------------------------------------------------- +Sat Dec 28 11:03:16 UTC 2019 - Илья Индиго + +- Refresh spec-file via spec-cleaner. +- Add in service-file Wants=network-online.target (boo#1155690) +- Update to 1.17.7 + * https://nginx.org/en/CHANGES + * A segmentation fault might occur on start or during + reconfiguration if the "rewrite" directive with an empty + replacement string was used in the configuration. + * A segmentation fault might occur in a worker process if the + "break" directive was used with the "alias" directive or with + the "proxy_pass" directive with a URI. + * The "Location" response header line might contain garbage if + the request URI was rewritten to the one containing a null character. + * Requests with bodies were handled incorrectly when returning redirections + with the "error_page" directive; the bug had appeared in 0.7.12. + * Socket leak when using HTTP/2. + * A timeout might occur while handling pipelined requests in an + SSL connection; the bug had appeared in 1.17.5. + * Bugfix in the ngx_http_dav_module. + * CVE-2019-20372: Fixed an HTTP request smuggling with certain error_page + configurations which could have allowed unauthorized web page reads (bsc#1160682). + +------------------------------------------------------------------- +Sat Nov 23 20:12:57 UTC 2019 - Marcus Rueckert + +- Update to 1.17.6 + - Feature: the $proxy_protocol_server_addr and + $proxy_protocol_server_port variables. + - Feature: the "limit_conn_dry_run" directive. + - Feature: the $limit_req_status and $limit_conn_status + variables. + +------------------------------------------------------------------- +Mon Oct 28 01:37:06 UTC 2019 - Cristian Rodríguez + +- remove -std=gnu99 -fstack-protector from cflags as they are + no longer needed. + +------------------------------------------------------------------- +Wed Oct 23 17:04:53 UTC 2019 - Илья Индиго + +- Update to 1.17.5 + * https://nginx.org/en/CHANGES + * Now nginx uses ioctl(FIONREAD), if available, to avoid + reading from a fast connection for a long time. + * Incomplete escaped characters at the end of the request URI were ignored. + * "/." and "/.." at the end of the request URI were not normalized. + * In the "merge_slashes" directive. + * In the "ignore_invalid_headers" directive. + * nginx could not be built with MinGW-w64 gcc 8.1 or newer. + +------------------------------------------------------------------- +Mon Oct 21 22:27:00 UTC 2019 - Илья Индиго + +- Update to 1.17.4 + * https://nginx.org/en/CHANGES + * Better detection of incorrect client behavior in HTTP/2. + * In handling of not fully read client request body when + returning errors in HTTP/2. + * The "worker_shutdown_timeout" directive might not work when + using HTTP/2. + * A segmentation fault might occur in a worker process when + using HTTP/2 and the "proxy_request_buffering" directive. + * The ECONNABORTED error log level was "crit" instead of + "error" on Windows when using SSL. + * nginx ignored extra data when using chunked transfer + encoding. + * nginx always returned the 500 error if the "return" directive + was used and an error occurred during reading client request body. + * In memory allocation error handling. + +------------------------------------------------------------------- +Wed Aug 14 23:21:27 UTC 2019 - Marcus Rueckert + +- update to 1.17.3 + - Security: when using HTTP/2 a client might cause excessive + memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, + CVE-2019-9516). + - Bugfix: "zero size buf" alerts might appear in logs when using + gzipping; the bug had appeared in 1.17.2. + - Bugfix: a segmentation fault might occur in a worker process if + the "resolver" directive was used in SMTP proxy. + +------------------------------------------------------------------- +Tue Jul 23 19:57:46 UTC 2019 - Michael Ströder + +- update to 1.17.2 + - Change: minimum supported zlib version is 1.2.0.4. + - Change: the $r->internal_redirect() embedded perl method now expects + escaped URIs. + - Feature: it is now possible to switch to a named location using the + $r->internal_redirect() embedded perl method. + - Bugfix: in error handling in embedded perl. + - Bugfix: a segmentation fault might occur on start or during + reconfiguration if hash bucket size larger than 64 kilobytes was used + in the configuration. + - Bugfix: nginx might hog CPU during unbuffered proxying and when + proxying WebSocket connections if the select, poll, or /dev/poll + methods were used. + - Bugfix: in the ngx_http_xslt_filter_module. + - Bugfix: in the ngx_http_ssi_filter_module. + +------------------------------------------------------------------- +Tue Jul 9 12:05:55 UTC 2019 - Marcus Rueckert + +- update to 1.17.1 + - Feature: the "limit_req_dry_run" directive. + - Feature: when using the "hash" directive inside the "upstream" + block an empty hash key now triggers round-robin balancing. + Thanks to Niklas Keller. + - Bugfix: a segmentation fault might occur in a worker process if + caching was used along with the "image_filter" directive, and + errors with code 415 were redirected with the "error_page" + directive; the bug had appeared in 1.11.10. + - Bugfix: a segmentation fault might occur in a worker process if + embedded perl was used; the bug had appeared in 1.7.3. + +------------------------------------------------------------------- +Thu May 23 19:51:31 UTC 2019 - seanlew@opensuse.org + +- update to version 1.17.0 + * Feature: variables support in the "limit_rate" directives + * Feature: variables support in the "proxy rate" directies + * Change: min supported OpenSSL is 0.9.8 + * Change: now the postpone filter is always built + * Bugfix: the "include" directive didn't work inside "if" + * Bugfix: in byte ranges processing + +------------------------------------------------------------------- +Mon May 06 06:05:23 UTC 2019 - seanlew@opensuse.org + +- update to version 1.16.0 + * 1.16 stable branch + * Bugfix: segfault may occur in ssl_certificate worker process + +------------------------------------------------------------------- +Sun Apr 07 03:17:33 UTC 2019 - seanlew@opensuse.org + +- update to 1.15.10 + * When using hostname in the 'listen' directive, create new socket + * Port ranges in the 'listen' directive + * Loading of SSL certs/secret keys from variables + * $ssl_server_name var might be empty with OpenSSL 1.1.1 + +------------------------------------------------------------------- +Sat Mar 02 14:25:02 UTC 2019 - seanlew@openeuse.org + +- update to 1.15.9 + * Feature: variables support in the "ssl_certificate" directives + * Bugfix: the "proxy_upload_rate" and "proxy_download_rate" + directives in the stream module worked incorrectly with UDP + +------------------------------------------------------------------- +Sun Dec 30 23:19:48 UTC 2018 - sean@suspend.net + +- update to 1.15.8 + * Feature: the $upstream_bytes_sent variable + * Feature: new directives in vim syntax highlighting scripts + * Bugfix: in the "proxy_cache_background_update" directive + * Bugfix: in the "geo" directive when using unix domain listen sockets + * Workaround: the "ignoring stale global SSL error" alerts might appear erroneosuly + * Bugfix: in the ngx_http_autoindex_module on x86 + +------------------------------------------------------------------- +Fri Dec 7 14:53:14 UTC 2018 - chris@computersalat.de + +- update to 1.15.7 + * Feature: the "proxy_requests" directive in the stream module. + * Feature: the "delay" parameter of the "limit_req" directive. + Thanks to Vladislav Shabanov and Peter Shchuchkin. + * Bugfix: memory leak on errors during reconfiguration. + * Bugfix: in the $upstream_response_time, $upstream_connect_time, and + $upstream_header_time variables. + * Bugfix: a segmentation fault might occur in a worker process if the + ngx_http_mp4_module was used on 32-bit platforms. +- fix changes file for submit to Backports + * see https://build.opensuse.org/request/show/653792 + +------------------------------------------------------------------- +Thu Nov 8 11:53:50 UTC 2018 - alarrosa@suse.com + +- update to 1.15.6 + * fix for boo#1115022, boo#1115025 + Security: when using HTTP/2 a client might cause excessive memory + consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844). + * fix for boo#1115015 + Security: processing of a specially crafted mp4 file with the + ngx_http_mp4_module might result in worker process memory disclosure + (CVE-2018-16845). + - Feature: the "proxy_socket_keepalive", "fastcgi_socket_keepalive", + "grpc_socket_keepalive", "memcached_socket_keepalive", + "scgi_socket_keepalive", and "uwsgi_socket_keepalive" directives. + - Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL + 1.1.1, the TLS 1.3 protocol was always enabled. + - Bugfix: working with gRPC backends might result in excessive memory + consumption. +- Fix vim-plugin-nginx rpm group. + +------------------------------------------------------------------- +Sat Nov 03 15:29:50 UTC 2018 - sean@suspend.net + +- update to 1.15.5 + - Bugfix: a segmentation fault might occur in a worker process when using OpenSSL 1.1.0h or lower + - Bugfix: minor potential bugs + +- update to 1.15.4 + - Feature: now the "ssl_early_data" directive can be used with OpenSSL. + - Bugfix: in the ngx_http_uwsgi_module. + - Bugfix: connections with some gRPC backends might not be cached when + using the "keepalive" directive. + - Bugfix: a socket leak might occur when using the "error_page" + directive to redirect early request processing errors, notably errors + with code 400. + - Bugfix: the "return" directive did not change the response code when + returning errors if the request was redirected by the "error_page" + directive. + - Bugfix: standard error pages and responses of the + ngx_http_autoindex_module module used the "bgcolor" attribute, and + might be displayed incorrectly when using custom color settings in + browsers. + - Change: the logging level of the "no suitable key share" and "no + suitable signature algorithm" SSL errors has been lowered from "crit" + to "info". + +------------------------------------------------------------------- +Thu Sep 6 12:36:21 UTC 2018 - Marcus Rueckert + +- update to 1.15.3 + - Feature: now TLSv1.3 can be used with BoringSSL. + - Feature: the "ssl_early_data" directive, currently available + with BoringSSL. + - Feature: the "keepalive_timeout" and "keepalive_requests" + directives in the "upstream" block. + - Bugfix: the ngx_http_dav_module did not truncate destination + file when copying a file over an existing one with the COPY + method. + - Bugfix: the ngx_http_dav_module used zero access rights on the + destination file and did not preserve file modification time + when moving a file between different file systems with the MOVE + method. + - Bugfix: the ngx_http_dav_module used default access rights when + copying a file with the COPY method. + - Workaround: some clients might not work when using HTTP/2; the + bug had appeared in 1.13.5. + - Bugfix: nginx could not be built with LibreSSL 2.8.0. + +------------------------------------------------------------------- +Mon Jul 30 12:21:26 UTC 2018 - mrueckert@suse.de + +- update to 1.15.2 + - Feature: the $ssl_preread_protocol variable in the + ngx_stream_ssl_preread_module. + - Feature: now when using the "reset_timedout_connection" + directive nginx will reset connections being closed with the + 444 code. + - Change: a logging level of the "http request", "https proxy + request", "unsupported protocol", and "version too low" SSL + errors has been lowered from "crit" to "info". + - Bugfix: DNS requests were not resent if initial sending of a + request failed. + - Bugfix: the "reuseport" parameter of the "listen" directive was + ignored if the number of worker processes was specified after + the "listen" directive. + - Bugfix: when using OpenSSL 1.1.0 or newer it was not possible + to switch off "ssl_prefer_server_ciphers" in a virtual server + if it was switched on in the default server. + - Bugfix: SSL session reuse with upstream servers did not work + with the TLS 1.3 protocol. + +------------------------------------------------------------------- +Mon Jul 23 02:30:33 UTC 2018 - mrueckert@suse.de + +- update to 1.15.1 + - Feature: the "random" directive inside the "upstream" block. + - Feature: improved performance when using the "hash" and + "ip_hash" directives with the "zone" directive. + - Feature: the "reuseport" parameter of the "listen" directive + now uses SO_REUSEPORT_LB on FreeBSD 12. + - Bugfix: HTTP/2 server push did not work if SSL was terminated + by a proxy server in front of nginx. + - Bugfix: the "tcp_nopush" directive was always used on backend + connections. + - Bugfix: sending a disk-buffered request body to a gRPC backend + might fail. +- changes from 1.15.0 + - Change: the "ssl" directive is deprecated; the "ssl" parameter + of the "listen" directive should be used instead. + - Change: now nginx detects missing SSL certificates during + configuration testing when using the "ssl" parameter of the + "listen" directive. + - Feature: now the stream module can handle multiple incoming UDP + datagrams from a client within a single session. + - Bugfix: it was possible to specify an incorrect response code + in the "proxy_cache_valid" directive. + - Bugfix: nginx could not be built by gcc 8.1. + - Bugfix: logging to syslog stopped on local IP address changes. + - Bugfix: nginx could not be built by clang with CUDA SDK + installed; the bug had appeared in 1.13.8. + - Bugfix: "getsockopt(TCP_FASTOPEN) ... failed" messages might + appear in logs during binary upgrade when using unix domain + listen sockets on FreeBSD. + - Bugfix: nginx could not be built on Fedora 28 Linux. + - Bugfix: request processing rate might exceed configured rate + when using the "limit_req" directive. + - Bugfix: in handling of client addresses when using unix domain + listen sockets to work with datagrams on Linux. + - Bugfix: in memory allocation error handling. + +------------------------------------------------------------------- +Fri May 25 15:12:27 UTC 2018 - mrostecki@suse.com + +- Add nginx-source package + +------------------------------------------------------------------- +Tue May 15 16:51:56 UTC 2018 - crrodriguez@opensuse.org + +- Do not require insserv on systemd-only releases. + +------------------------------------------------------------------- +Mon May 7 10:25:46 UTC 2018 - achernikov@suse.com + +- update to 1.14.0 + * 1.14.x stable branch. + +- includes changes from 1.13.12 + * bugfix connections with gRPC backends might be closed unexpectedly + when returning a large response. + +------------------------------------------------------------------- +Tue Apr 10 07:40:27 UTC 2018 - astieger@suse.com + +- update to 1.13.11: + * the "proxy_protocol" parameter of the "listen" directive now + supports the PROXY protocol version 2 + * bugfix in the "http_404", "http_500", etc. parameters of the + "proxy_next_upstream" directive +- includes changes from 1.13.10: + * the "set" parameter of the "include" SSI directive now allows + writing arbitrary responses to a variable; the + "subrequest_output_buffer_size" directive defines maximum + response size + * now nginx uses clock_gettime(CLOCK_MONOTONIC) if available, to + avoid timeouts being incorrectly triggered on system time changes + * add the "escape=none" parameter of the "log_format" directive + * add the $ssl_preread_alpn_protocols variable in the + ngx_stream_ssl_preread_module. + * add the ngx_http_grpc_module. + * fix memory allocation error handling in the "geo" directive. + * when using variables in the "auth_basic_user_file" directive + a null character may have appeared in logs +- Use %license (bsc#1082318) + +------------------------------------------------------------------- +Wed Mar 28 11:18:44 UTC 2018 - achernikov@suse.com + +- Recommend to use TLSv1.2 by default (boo#1086855) + +------------------------------------------------------------------- +Wed Feb 21 13:32:25 UTC 2018 - mrueckert@suse.de + +- update rmtp module to 1.2.1 + - just commenting all places where we fallthrough conditionals + +------------------------------------------------------------------- +Wed Feb 21 13:30:07 UTC 2018 - mrueckert@suse.de + +- update headers more to 0.33 + - feature: add wildcard match support for + more_clear_input_headers. + +------------------------------------------------------------------- +Wed Feb 21 13:27:54 UTC 2018 - mrueckert@suse.de + +- update fancyindex module to 0.4.2 + This release contains an important fix which can cause Nginx to + crash when a directory contains zero-sized (empty) files. This + bug has been present in all previous releases, and all users are + strongly encouraged to update to version 0.4.2. + + https://github.com/aperezdc/ngx-fancyindex/releases/tag/v0.4.2 + +------------------------------------------------------------------- +Wed Feb 21 13:23:44 UTC 2018 - mrueckert@suse.de + +- changes from 1.13.9 + - Feature: HTTP/2 server push support; the "http2_push" and + "http2_push_preload" directives. + - Bugfix: "header already sent" alerts might appear in logs when + using cache; the bug had appeared in 1.9.13. + - Bugfix: a segmentation fault might occur in a worker process if + the "ssl_verify_client" directive was used and no SSL + certificate was specified in a virtual server. + - Bugfix: in the ngx_http_v2_module. + - Bugfix: in the ngx_http_dav_module. +- updates from 1.13.8 + - Feature: now nginx automatically preserves the CAP_NET_RAW + capability in worker processes when using the "transparent" + parameter of the "proxy_bind", "fastcgi_bind", + "memcached_bind", "scgi_bind", and "uwsgi_bind" directives. + - Feature: improved CPU cache line size detection. Thanks to + Debayan Ghosh. + - Feature: new directives in vim syntax highlighting scripts. + Thanks to Gena Makhomed. + - Bugfix: binary upgrade refused to work if nginx was re-parented + to a process with PID different from 1 after its parent process + has finished. + - Bugfix: the ngx_http_autoindex_module incorrectly handled + requests with bodies. + - Bugfix: in the "proxy_limit_rate" directive when used with the + "keepalive" directive. + - Bugfix: some parts of a response might be buffered when using + "proxy_buffering off" if the client connection used SSL. + Thanks to Patryk Lesiewicz. + - Bugfix: in the "proxy_cache_background_update" directive. + - Bugfix: it was not possible to start a parameter with a + variable in the "${name}" form with the name in curly brackets + without enclosing the parameter into single or double quotes. + +------------------------------------------------------------------- +Wed Feb 7 15:43:27 UTC 2018 - achernikov@suse.com + +- Install /etc/nginx/conf.d directory for custom user configuration + files + +------------------------------------------------------------------- +Wed Feb 7 15:07:47 UTC 2018 - achernikov@suse.com + +- Install /etc/nginx/vhosts.d directory for default installation + to house custom virtual hosts configuration files + +------------------------------------------------------------------- +Mon Dec 18 02:59:27 UTC 2017 - avindra@opensuse.org + +- update to version 1.13.7 + - Bugfix: in the $upstream_status variable. + - Bugfix: a segmentation fault might occur in a worker process + if a backend returned a "101 Switching Protocols" response to + a subrequest. + - Bugfix: a segmentation fault occurred in a master process if a + shared memory zone size was changed during a reconfiguration + and the reconfiguration failed. + - Bugfix: in the ngx_http_fastcgi_module. + - Bugfix: nginx returned the 500 error if parameters without + variables were specified in the "xslt_stylesheet" directive. + - Workaround: "gzip filter failed to use preallocated memory" + alerts appeared in logs when using a zlib library variant + from Intel. + - Bugfix: the "worker_shutdown_timeout" directive did not work + when using mail proxy and when proxying WebSocket connections. +- partial cleanup with spec-cleaner + +------------------------------------------------------------------- +Thu Oct 12 12:54:28 UTC 2017 - mrueckert@suse.de + +- update to 1.13.6 + - Bugfix: switching to the next upstream server in the stream + module did not work when using the "ssl_preread" directive. + - Bugfix: in the ngx_http_v2_module. Thanks to Piotr Sikora. + - Bugfix: nginx did not support dates after the year 2038 on + 32-bit platforms with 64-bit time_t. + - Bugfix: in handling of dates prior to the year 1970 and after + the year 10000. + - Bugfix: in the stream module timeouts waiting for UDP datagrams + from upstream servers were not logged or logged at the "info" + level instead of "error". + - Bugfix: when using HTTP/2 nginx might return the 400 response + without logging the reason. + - Bugfix: in processing of corrupted cache files. + - Bugfix: cache control headers were ignored when caching errors + intercepted by error_page. + - Bugfix: when using HTTP/2 client request body might be + corrupted. + - Bugfix: in handling of client addresses when using unix domain + sockets. + - Bugfix: nginx hogged CPU when using the "hash ... consistent" + directive in the upstream block if large weights were used and + all or most of the servers were unavailable. + +------------------------------------------------------------------- +Fri Oct 6 13:33:54 UTC 2017 - mrueckert@suse.de + +- extra modules were enabled on sles due to a typo + +------------------------------------------------------------------- +Thu Oct 5 12:49:37 UTC 2017 - achernikov@suse.com + +- Submit nginx to SLES to become a http server for RMT(Repository + mirroring tool) [fate#323994, bsc#1059685, boo#1057831] + +------------------------------------------------------------------- +Fri Sep 22 09:40:19 UTC 2017 - mrueckert@suse.de + +- disable extra modules on sle + +------------------------------------------------------------------- +Sat Sep 16 20:16:46 UTC 2017 - mrueckert@suse.de + +- update to 1.13.5 + - Feature: the $ssl_client_escaped_cert variable. + - Bugfix: the "ssl_session_ticket_key" directive and the + "include" parameter of the "geo" directive did not work on + Windows. + - Bugfix: incorrect response length was returned on 32-bit + platforms when requesting more than 4 gigabytes with multiple + ranges. + - Bugfix: the "expires modified" directive and processing of the + "If-Range" request header line did not use the response last + modification time if proxying without caching was used. +- changes from 1.13.4 + - Feature: the ngx_http_mirror_module. + - Bugfix: client connections might be dropped during + configuration testing when using the "reuseport" parameter of + the "listen" directive on Linux. + - Bugfix: request body might not be available in subrequests if + it was saved to a file and proxying was used. + - Bugfix: cleaning cache based on the "max_size" parameter did + not work on Windows. + - Bugfix: any shared memory allocation required 4096 bytes on + Windows. + - Bugfix: nginx worker might be terminated abnormally when using + the "zone" directive inside the "upstream" block on Windows. + +------------------------------------------------------------------- +Fri Sep 8 09:40:53 UTC 2017 - astieger@suse.com + +- add upstream signing key and verify source tarball signature + +------------------------------------------------------------------- +Mon Jul 17 10:58:21 UTC 2017 - mrueckert@suse.de + +- update to 1.13.3 (boo#1048265) + - Security: a specially crafted request might result in an + integer overflow and incorrect processing of ranges in the + range filter, potentially resulting in sensitive information + leak (CVE-2017-7529). +- changes from 1.13.2 + - Change: nginx now returns 200 instead of 416 when a range + starting with 0 is requested from an empty file. + - Feature: the "add_trailer" directive. Thanks to Piotr Sikora. + - Bugfix: nginx could not be built on Cygwin and NetBSD; the bug + had appeared in 1.13.0. + - Bugfix: nginx could not be built under MSYS2 / MinGW 64-bit. + Thanks to Orgad Shaneh. + - Bugfix: a segmentation fault might occur in a worker process + when using SSI with many includes and proxy_pass with + variables. + - Bugfix: in the ngx_http_v2_module. Thanks to Piotr Sikora. +- update nginx-rtmp-module to 1.2.0: + - DASH improvements + - OpenSSL 1.1 compatibility + +------------------------------------------------------------------- +Thu Jun 1 10:05:49 UTC 2017 - mrueckert@suse.de + +- update to 1.13.1 + - Feature: now a hostname can be used as the "set_real_ip_from" + directive parameter. + - Feature: vim syntax highlighting scripts improvements. + - Feature: the "worker_cpu_affinity" directive now works on + DragonFly BSD. Thanks to Sepherosa Ziehau. + - Bugfix: SSL renegotiation on backend connections did not work + when using OpenSSL before 1.1.0. + - Workaround: nginx could not be built with Oracle Developer + Studio 12.5. + - Workaround: now cache manager ignores long locked cache entries + when cleaning cache based on the "max_size" parameter. + - Bugfix: client SSL connections were immediately closed if + deferred accept and the "proxy_protocol" parameter of the + "listen" directive were used. + - Bugfix: in the "proxy_cache_background_update" directive. + - Workaround: now the "tcp_nodelay" directive sets the + TCP_NODELAY option before an SSL handshake. +- changes from 1.13.0 + - Change: SSL renegotiation is now allowed on backend + connections. + - Feature: the "rcvbuf" and "sndbuf" parameters of the "listen" + directives of the mail proxy and stream modules. + - Feature: the "return" and "error_page" directives can now be + used to return 308 redirections. Thanks to Simon Leblanc. + - Feature: the "TLSv1.3" parameter of the "ssl_protocols" + directive. + - Feature: when logging signals nginx now logs PID of the process + which sent the signal. + - Bugfix: in memory allocation error handling. + - Bugfix: if a server in the stream module listened on a wildcard + address, the source address of a response UDP datagram could + differ from the original datagram destination address. + +------------------------------------------------------------------- +Sun Apr 9 13:15:49 UTC 2017 - michael@stroeder.com + +- update to 1.12.0 + - Feature: the "http_429" parameter of the "proxy_next_upstream", + "fastcgi_next_upstream", "scgi_next_upstream", and + "uwsgi_next_upstream" directives. + Thanks to Piotr Sikora. + - Bugfix: in memory allocation error handling. + - Bugfix: requests might hang when using the "sendfile" and + "timer_resolution" directives on Linux. + - Bugfix: requests might hang when using the "sendfile" and "aio_write" + directives with subrequests. + - Bugfix: in the ngx_http_v2_module. + Thanks to Piotr Sikora. + - Bugfix: a segmentation fault might occur in a worker process when + using HTTP/2. + - Bugfix: requests might hang when using the "limit_rate", + "sendfile_max_chunk", "limit_req" directives, or the $r->sleep() + embedded perl method with subrequests. + - Bugfix: in the ngx_http_slice_module. + +------------------------------------------------------------------- +Wed Mar 29 13:20:50 UTC 2017 - mrueckert@suse.de + +- update to 1.11.12 + - Bugfix: nginx might hog CPU; the bug had appeared in 1.11.11. +- update to 1.11.11 + - Feature: the "worker_shutdown_timeout" directive. + - Feature: vim syntax highlighting scripts improvements. Thanks + to Wei-Ko Kao. + - Bugfix: a segmentation fault might occur in a worker process if + the $limit_rate variable was set to an empty string. + - Bugfix: the "proxy_cache_background_update", + "fastcgi_cache_background_update", + "scgi_cache_background_update", and + "uwsgi_cache_background_update" directives might work + incorrectly if the "if" directive was used. + - Bugfix: a segmentation fault might occur in a worker process if + number of large_client_header_buffers in a virtual server was + different from the one in the default server. + - Bugfix: in the mail proxy server. + +------------------------------------------------------------------- +Tue Feb 28 20:19:17 UTC 2017 - mrueckert@suse.de + +- update to 1.11.10 + - Change: cache header format has been changed, previously cached + responses will be invalidated. + - Feature: support of "stale-while-revalidate" and + "stale-if-error" extensions in the "Cache-Control" backend + response header line. + - Feature: the "proxy_cache_background_update", + "fastcgi_cache_background_update", + "scgi_cache_background_update", and + "uwsgi_cache_background_update" directives. + - Feature: nginx is now able to cache responses with the "Vary" + header line up to 128 characters long (instead of 42 characters + in previous versions). + - Feature: the "build" parameter of the "server_tokens" + directive. Thanks to Tom Thorogood. + - Bugfix: "[crit] SSL_write() failed" messages might appear in + logs when handling requests with the "Expect: 100-continue" + request header line. + - Bugfix: the ngx_http_slice_module did not work in named + locations. + - Bugfix: a segmentation fault might occur in a worker process + when using AIO after an "X-Accel-Redirect" redirection. + - Bugfix: reduced memory consumption for long-lived requests + using gzipping. + +------------------------------------------------------------------- +Mon Jan 30 14:07:32 UTC 2017 - mrueckert@suse.de + +- update to 1.11.9 + - Bugfix: nginx might hog CPU when using the stream module; the + bug had appeared in 1.11.5. + - Bugfix: EXTERNAL authentication mechanism in mail proxy was + accepted even if it was not enabled in the configuration. + - Bugfix: a segmentation fault might occur in a worker process if + the "ssl_verify_client" directive of the stream module was + used. + - Bugfix: the "ssl_verify_client" directive of the stream module + might not work. + - Bugfix: closing keepalive connections due to no free worker + connections might be too aggressive. Thanks to Joel + Cunningham. + - Bugfix: an incorrect response might be returned when using the + "sendfile" directive on FreeBSD and macOS; the bug had appeared + in 1.7.8. + - Bugfix: a truncated response might be stored in cache when + using the "aio_write" directive. + - Bugfix: a socket leak might occur when using the "aio_write" + directive. + +------------------------------------------------------------------- +Sat Jan 7 00:28:48 UTC 2017 - mrueckert@suse.de + +- update to 1.11.8 + - Feature: the "absolute_redirect" directive. + - Feature: the "escape" parameter of the "log_format" directive. + - Feature: client SSL certificates verification in the stream + module. + - Feature: the "ssl_session_ticket_key" directive supports AES256 + encryption of TLS session tickets when used with 80-byte keys. + - Feature: vim-commentary support in vim scripts. Thanks to + Armin Grodon. + - Bugfix: recursion when evaluating variables was not limited. + - Bugfix: in the ngx_stream_ssl_preread_module. + - Bugfix: if a server in an upstream in the stream module failed, + it was considered alive only when a test connection sent to it + after fail_timeout was closed; now a successfully established + connection is enough. + - Bugfix: nginx/Windows could not be built with 64-bit Visual + Studio. + - Bugfix: nginx/Windows could not be built with OpenSSL 1.1.0. +- changes in 1.11.7 + - Change: now in case of a client certificate verification error + the $ssl_client_verify variable contains a string with the + failure reason, for example, "FAILED:certificate has expired". + - Feature: the $ssl_ciphers, $ssl_curves, $ssl_client_v_start, + $ssl_client_v_end, and $ssl_client_v_remain variables. + - Feature: the "volatile" parameter of the "map" directive. + - Bugfix: dependencies specified for a module were ignored while + building dynamic modules. + - Bugfix: when using HTTP/2 and the "limit_req" or "auth_request" + directives client request body might be corrupted; the bug had + appeared in 1.11.0. + - Bugfix: a segmentation fault might occur in a worker process + when using HTTP/2; the bug had appeared in 1.11.3. + - Bugfix: in the ngx_http_mp4_module. Thanks to Congcong Hu. + - Bugfix: in the ngx_http_perl_module. +- changes in 1.11.6 + - Change: format of the $ssl_client_s_dn and $ssl_client_i_dn + variables has been changed to follow RFC 2253 (RFC 4514); + values in the old format are available in the + $ssl_client_s_dn_legacy and $ssl_client_i_dn_legacy variables. + - Change: when storing temporary files in a cache directory they + will be stored in the same subdirectories as corresponding + cache files instead of a separate subdirectory for temporary + files. + - Feature: EXTERNAL authentication mechanism support in mail + proxy. Thanks to Robert Norris. + - Feature: WebP support in the ngx_http_image_filter_module. + - Feature: variables support in the "proxy_method" directive. + Thanks to Dmitry Lazurkin. + - Feature: the "http2_max_requests" directive in the + ngx_http_v2_module. + - Feature: the "proxy_cache_max_range_offset", + "fastcgi_cache_max_range_offset", + "scgi_cache_max_range_offset", and + "uwsgi_cache_max_range_offset" directives. + - Bugfix: graceful shutdown of old worker processes might require + infinite time when using HTTP/2. + - Bugfix: in the ngx_http_mp4_module. + - Bugfix: "ignore long locked inactive cache entry" alerts might + appear in logs when proxying WebSocket connections with caching + enabled. + - Bugfix: nginx did not write anything to log and returned a + response with code 502 instead of 504 when a timeout occurred + during an SSL handshake to a backend. +- changes in 1.11.5 + - Change: the --with-ipv6 configure option was removed, now IPv6 + support is configured automatically. + - Change: now if there are no available servers in an upstream, + nginx will not reset number of failures of all servers as it + previously did, but will wait for fail_timeout to expire. + - Feature: the ngx_stream_ssl_preread_module. + - Feature: the "server" directive in the "upstream" context + supports the "max_conns" parameter. + - Feature: the --with-compat configure option. + - Feature: "manager_files", "manager_threshold", and + "manager_sleep" parameters of the "proxy_cache_path", + "fastcgi_cache_path", "scgi_cache_path", and "uwsgi_cache_path" + directives. + - Bugfix: flags passed by the --with-ld-opt configure option were + not used while building perl module. + - Bugfix: in the "add_after_body" directive when used with the + "sub_filter" directive. + - Bugfix: in the $realip_remote_addr variable. + - Bugfix: the "dav_access", "proxy_store_access", + "fastcgi_store_access", "scgi_store_access", and + "uwsgi_store_access" directives ignored permissions specified + for user. + - Bugfix: unix domain listen sockets might not be inherited + during binary upgrade on Linux. + - Bugfix: nginx returned the 400 response on requests with the + "-" character in the HTTP method. +- update headers-more-nginx-module 0.32 + - tests: skipped the newly added test case that cannot run in + check leak test mode. + - bugfix: more_set_input_headers: skips setting multi-value + headers for bad requests to avoid segfaults. + - skipped check leak mode for two test cases using malformed + requests. + - doc: claims that we work with 1.10.x since it is essentially + the same as 1.9.x. + - bugfix: fixed a typo in an error message. + - bugfix: when the nginx core does not properly initialize + r->headers_in.headers (due to 400 bad requests and etc), + more_set_input_headers might lead to crashes. thanks Marcin + Teodorczyk for the report. +- update nginx-rtmp-module 1.1.10 + - support for nginx 1.11.5-style cache-manager +- update patches to apply cleanly again + check_1.9.2+.patch + nginx-1.6.1-default_config.patch + +------------------------------------------------------------------- +Mon Oct 10 10:23:47 UTC 2016 - mrueckert@suse.de + +- Fix the logrotate script: we had a hardcoded postrotate action + pointing to /etc/init.d/nginx. This does not exist anymore on + systemd hosts. Replace it with /usr/sbin/nginx -s reopen, which + will use the pid file passed in the config file or the compiled + in default path. + +------------------------------------------------------------------- +Thu Sep 29 10:45:57 UTC 2016 - mrueckert@suse.de + +- update to 1.11.4 + - Feature: the $upstream_bytes_received variable. + - Feature: the $bytes_received, $session_time, $protocol, + $status, $upstream_addr, $upstream_bytes_sent, + $upstream_bytes_received, $upstream_connect_time, + $upstream_first_byte_time, and $upstream_session_time variables + in the stream module. + - Feature: the ngx_stream_log_module. + - Feature: the "proxy_protocol" parameter of the "listen" + directive, the $proxy_protocol_addr and $proxy_protocol_port + variables in the stream module. + - Feature: the ngx_stream_realip_module. + - Bugfix: nginx could not be built with the stream module and the + ngx_http_ssl_module, but without ngx_stream_ssl_module; the bug + had appeared in 1.11.3. + - Feature: the IP_BIND_ADDRESS_NO_PORT socket option was not + used; the bug had appeared in 1.11.2. + - Bugfix: in the "ranges" parameter of the "geo" directive. + - Bugfix: an incorrect response might be returned when using the + "aio threads" and "sendfile" directives; the bug had appeared + in 1.9.13. +- drop nginx-1.11.3_ssl_stream.patch again +- refreshed the following patches to apply cleanly again + check_1.9.2+.patch + nginx-1.11.2-html.patch + nginx-1.11.2-no_Werror.patch + nginx-aio.patch + +------------------------------------------------------------------- +Wed Aug 24 11:34:50 UTC 2016 - mrueckert@suse.de + +- update to 1.11.3 + - Change: now the "accept_mutex" directive is turned off by + default. + - Feature: now nginx uses EPOLLEXCLUSIVE on Linux. + - Feature: the ngx_stream_geo_module. + - Feature: the ngx_stream_geoip_module. + - Feature: the ngx_stream_split_clients_module. + - Feature: variables support in the "proxy_pass" and + "proxy_ssl_name" directives in the stream module. + - Bugfix: socket leak when using HTTP/2. + - Bugfix: in configure tests. Thanks to Piotr Sikora. +- backport nginx-1.11.3_ssl_stream.patch from hg +- refresh patches to apply cleanly again: + - check_1.9.2+.patch + - nginx-1.11.2-html.patch + - nginx-1.11.2-no_Werror.patch + - nginx-aio.patch +- enable a few new upstream modules and move some from 1.11.x to + dynamic: + - stream_geoip_module + - mail_ssl_module + - stream_ssl_module +- build fancyindex unconditionally and update it to 0.4.1 + - New `fancyindex_directories_first` configuration directive + (enabled by default), which allows setting whether directories + are sorted before other files. + (Patch by Luke Zapart <>.) + - Fix index files not working when the fancyindex module is in + use (#46). + - The module can now be built as a [dynamic + module](https://www.nginx.com/resources/wiki/extending/converting/). + (Patch by Róbert Nagy <>.) + - New configuration directive `fancyindex_show_path`, which + allows hiding the `

` header which contains the current + path. (Patch by Thomas P. <>.) + - Directory and file links in listings now have a title="..." + attribute. (Patch by `@janglapuk` <>.) + - Fix for hung requests when the module is used along with + `ngx_pagespeed`. + (Patch by Otto van der Schaaf <>.) + - New feature: Allow filtering out symbolic links using the + `fancyindex_hide_symlinks` configuration directive. (Idea and + prototype patch by Thomas Wemm.) + - New feature: Allow specifying the format of timestamps using + the `fancyindex_time_format` configuration directive. (Idea + suggested by Xiao Meng <>). + - Listings in top-level directories will not generate a "Parent + Directory" link as first element of the listing. + (Patch by Thomas P.) + - Fix propagation and overriding of the `fancyindex_css_href` + setting inside nested locations. + - Minor changes in the code to allow building cleanly under + Windows with Visual Studio 2013. + (Patch by Y. Yuan <>). +- added nginx-rtmp-module +- make all modules dynamic that support it: + - ngx-fancyindex + - headers_more_nginx-module + - nginx-rtmp-module +- manually install the docs instead of using %doc +- unify how we install documentation for the modules +- restructure contrib file handling + - moved vim files into the normal vim paths so we can use them + directly + - new BR/R: vim + - split out vim files into a subpackage vim-plugin-nginx so we + dont have the vim requires on the main package + - perl scripts are moved to /usr/share/nginx/ + +------------------------------------------------------------------- +Fri Aug 5 11:03:32 UTC 2016 - rodrigo.oshiro@emc.com + +- update to 1.11.2 + * Change: now nginx always uses internal MD5 and SHA1 implementations; + the --with-md5 and --with-sha1 configure options were canceled. + * Feature: variables support in the stream module. + * Feature: the ngx_stream_map_module. + * Feature: the ngx_stream_return_module. + * Feature: a port can be specified in the "proxy_bind", "fastcgi_bind", + "memcached_bind", "scgi_bind", and "uwsgi_bind" directives. + * Feature: now nginx uses the IP_BIND_ADDRESS_NO_PORT socket option + when available. + * Bugfix: a segmentation fault might occur in a worker process when + using HTTP/2 and the "proxy_request_buffering" directive. + * Bugfix: the "Content-Length" request header line was always added to + requests passed to backends, including requests without body, when + using HTTP/2. + * Bugfix: "http request count is zero" alerts might appear in logs when + using HTTP/2. + * Bugfix: unnecessary buffering might occur when using the "sub_filter" + directive; the issue had appeared in 1.9.4. + +- the following modules were added: + headers-more-nginx-module + nginx_upstream_check_module + +- added patches: + nginx-1.11.2-html.patch + nginx-1.11.2-no_Werror.patch + check_1.9.2+.patch +- dropped patches: + nginx-1.10.0-html.patch + nginx-1.10.0-no_Werror.patch + +------------------------------------------------------------------- +Thu Jun 2 11:55:19 UTC 2016 - mrueckert@suse.de + +- in the sysvinit script use the pid file in /var/run + +------------------------------------------------------------------- +Wed Jun 1 12:33:55 UTC 2016 - mrueckert@suse.de + +- update to 1.10.1 (bsc# 982505) + Security: a segmentation fault might occur in a worker process + while writing a specially crafted request body to a temporary + file (CVE-2016-4450); the bug had appeared in 1.3.9. + +------------------------------------------------------------------- +Sun May 15 11:03:18 UTC 2016 - mrueckert@suse.de + +- improve conditionals + - merge the 12.2 and 12.1 based conditionals into 1 as both of + them are out of support now. + - enable pcre JIT + - make use if libatomic_ops on Leap + +------------------------------------------------------------------- +Sun May 15 10:36:19 UTC 2016 - mrueckert@suse.de + +- enable dynamic modules for intree modules. The following modules + are built as loadable modules now: + + ngx_http_geoip_module.so + ngx_http_image_filter_module.so + ngx_http_perl_module.so + ngx_http_xslt_filter_module.so + ngx_mail_module.so + ngx_stream_module.so + + You will have to load those modules with load_module. + http://nginx.org/en/docs/ngx_core_module.html#load_module + + The correct syntax for this package is: + + # For 64bit machines: + load_module lib64/nginx/modules/ngx_http_geoip_module.so; + + # For 32bit machines: + load_module lib/nginx/modules/ngx_http_geoip_module.so; + + Examples for all the intree modules have been added to the + default nginx.conf +- patches updated: + nginx-1.6.1-default_config.patch - added load_module example + +------------------------------------------------------------------- +Sun May 15 05:34:35 UTC 2016 - mrueckert@suse.de + +- enable slice and stream module + +------------------------------------------------------------------- +Fri May 6 07:05:56 UTC 2016 - dmacvicar@suse.de + +- update to version 1.10.0 stable + * Bugfix: "recv() failed" errors might occur when using HHVM as a + FastCGI server. + * Bugfix: when using HTTP/2 and the "limit_req" or "auth_request" + directives a timeout or a "client violated flow control" error might + occur while reading client request body; the bug had appeared in + 1.9.14. + * Workaround: a response might not be shown by some browsers if HTTP/2 + was used and client request body was not fully read; the bug had + appeared in 1.9.14. + * Bugfix: connections might hang when using the "aio threads" + directive. + Thanks to Mindaugas Rasiukevicius. + * Feature: OpenSSL 1.1.0 compatibility. + * Feature: the "proxy_request_buffering", "fastcgi_request_buffering", + "scgi_request_buffering", and "uwsgi_request_buffering" directives + now work with HTTP/2. + * Bugfix: "zero size buf in output" alerts might appear in logs when + using HTTP/2. + * Bugfix: the "client_max_body_size" directive might work incorrectly + when using HTTP/2. + * Bugfix: of minor bugs in logging. + * Change: non-idempotent requests (POST, LOCK, PATCH) are no longer + passed to the next server by default if a request has been sent to a + backend; the "non_idempotent" parameter of the "proxy_next_upstream" + directive explicitly allows retrying such requests. + * Feature: the ngx_http_perl_module can be built dynamically. + * Feature: UDP support in the stream module. + * Feature: the "aio_write" directive. + * Feature: now cache manager monitors number of elements in caches and + tries to avoid cache keys zone overflows. + * Bugfix: "task already active" and "second aio post" alerts might + appear in logs when using the "sendfile" and "aio" directives with + subrequests. + * Bugfix: "zero size buf in output" alerts might appear in logs if + caching was used and a client closed a connection prematurely. + * Bugfix: connections with clients might be closed needlessly if + caching was used. + Thanks to Justin Li. + * Bugfix: nginx might hog CPU if the "sendfile" directive was used on + Linux or Solaris and a file being sent was changed during sending. + * Bugfix: connections might hang when using the "sendfile" and "aio + threads" directives. + * Bugfix: in the "proxy_pass", "fastcgi_pass", "scgi_pass", and + "uwsgi_pass" directives when using variables. + Thanks to Piotr Sikora. + * Bugfix: in the ngx_http_sub_filter_module. + * Bugfix: if an error occurred in a cached backend connection, the + request was passed to the next server regardless of the + proxy_next_upstream directive. + * Bugfix: "CreateFile() failed" errors when creating temporary files on + Windows. + * Feature: Huffman encoding of response headers in HTTP/2. + Thanks to Vlad Krasnov. + * Feature: the "worker_cpu_affinity" directive now supports more than + 64 CPUs. + * Bugfix: compatibility with 3rd party C++ modules; the bug had + appeared in 1.9.11. + Thanks to Piotr Sikora. + * Bugfix: nginx could not be built statically with OpenSSL on Linux; + the bug had appeared in 1.9.11. + * Bugfix: the "add_header ... always" directive with an empty value did + not delete "Last-Modified" and "ETag" header lines from error + responses. + * Workaround: "called a function you should not call" and "shutdown + while in init" messages might appear in logs when using OpenSSL + 1.0.2f. + * Bugfix: invalid headers might be logged incorrectly. + * Bugfix: socket leak when using HTTP/2. + * Bugfix: in the ngx_http_v2_module. + * Feature: TCP support in resolver. + * Feature: dynamic modules. + * Bugfix: the $request_length variable did not include size of request + headers when using HTTP/2. + * Bugfix: in the ngx_http_v2_module. + * Security: invalid pointer dereference might occur during DNS server + response processing if the "resolver" directive was used, allowing an + attacker who is able to forge UDP packets from the DNS server to + cause segmentation fault in a worker process (CVE-2016-0742). + * Security: use-after-free condition might occur during CNAME response + processing if the "resolver" directive was used, allowing an attacker + who is able to trigger name resolution to cause segmentation fault in + a worker process, or might have potential other impact + (CVE-2016-0746). + * Security: CNAME resolution was insufficiently limited if the + "resolver" directive was used, allowing an attacker who is able to + trigger arbitrary name resolution to cause excessive resource + consumption in worker processes (CVE-2016-0747). + * Feature: the "auto" parameter of the "worker_cpu_affinity" directive. + * Bugfix: the "proxy_protocol" parameter of the "listen" directive did + not work with IPv6 listen sockets. + * Bugfix: connections to upstream servers might be cached incorrectly + when using the "keepalive" directive. + * Bugfix: proxying used the HTTP method of the original request after + an "X-Accel-Redirect" redirection. + * Bugfix: proxying to unix domain sockets did not work when using + variables; the bug had appeared in 1.9.8. + * Feature: pwritev() support. + * Feature: the "include" directive inside the "upstream" block. + * Feature: the ngx_http_slice_module. + * Bugfix: a segmentation fault might occur in a worker process when + using LibreSSL; the bug had appeared in 1.9.6. + * Bugfix: nginx could not be built on OS X in some cases. + * Feature: the "nohostname" parameter of logging to syslog. + * Feature: the "proxy_cache_convert_head" directive. + * Feature: the $realip_remote_addr variable in the + ngx_http_realip_module. + * Bugfix: the "expires" directive might not work when using variables. + * Bugfix: a segmentation fault might occur in a worker process when + using HTTP/2; the bug had appeared in 1.9.6. + * Bugfix: if nginx was built with the ngx_http_v2_module it was + possible to use the HTTP/2 protocol even if the "http2" parameter of + the "listen" directive was not specified. + * Bugfix: in the ngx_http_v2_module. + * Bugfix: a segmentation fault might occur in a worker process when + using HTTP/2. + Thanks to Piotr Sikora and Denis Andzakovic. + * Bugfix: the $server_protocol variable was empty when using HTTP/2. + * Bugfix: backend SSL connections in the stream module might be timed + out unexpectedly. + * Bugfix: a segmentation fault might occur in a worker process if + different ssl_session_cache settings were used in different virtual + servers. + * Bugfix: nginx/Windows could not be built with MinGW gcc; the bug had + appeared in 1.9.4. + Thanks to Kouhei Sutou. + * Bugfix: time was not updated when the timer_resolution directive was + used on Windows. + * Miscellaneous minor fixes and improvements. + Thanks to Markus Linnala, Kurtis Nusbaum and Piotr Sikora. + * Feature: the ngx_http_v2_module (replaces ngx_http_spdy_module). + Thanks to Dropbox and Automattic for sponsoring this work. + * Change: now the "output_buffers" directive uses two buffers by + default. + * Change: now nginx limits subrequests recursion, not simultaneous + subrequests. + * Change: now nginx checks the whole cache key when returning a + response from cache. + Thanks to Gena Makhomed and Sergey Brester. + * Bugfix: "header already sent" alerts might appear in logs when using + cache; the bug had appeared in 1.7.5. + * Bugfix: "writev() failed (4: Interrupted system call)" errors might + appear in logs when using CephFS and the "timer_resolution" directive + on Linux. + * Bugfix: in invalid configurations handling. + Thanks to Markus Linnala. + * Bugfix: a segmentation fault occurred in a worker process if the + "sub_filter" directive was used at http level; the bug had appeared + in 1.9.4. + * Change: the "proxy_downstream_buffer" and "proxy_upstream_buffer" + directives of the stream module are replaced with the + "proxy_buffer_size" directive. + * Feature: the "tcp_nodelay" directive in the stream module. + * Feature: multiple "sub_filter" directives can be used simultaneously. + * Feature: variables support in the search string of the "sub_filter" + directive. + * Workaround: configuration testing might fail under Linux OpenVZ. + Thanks to Gena Makhomed. + * Bugfix: old worker processes might hog CPU after reconfiguration with + a large number of worker_connections. + * Bugfix: a segmentation fault might occur in a worker process if the + "try_files" and "alias" directives were used inside a location given + by a regular expression; the bug had appeared in 1.7.1. + * Bugfix: the "try_files" directive inside a nested location given by a + regular expression worked incorrectly if the "alias" directive was + used in the outer location. + * Bugfix: in hash table initialization error handling. + * Bugfix: nginx could not be built with Visual Studio 2015. + * Change: duplicate "http", "mail", and "stream" blocks are now + disallowed. + * Feature: connection limiting in the stream module. + * Feature: data rate limiting in the stream module. + * Bugfix: the "zone" directive inside the "upstream" block did not work + on Windows. + * Bugfix: compatibility with LibreSSL in the stream module. + Thanks to Piotr Sikora. + * Bugfix: in the "--builddir" configure parameter. + Thanks to Piotr Sikora. + * Bugfix: the "ssl_stapling_file" directive did not work; the bug had + appeared in 1.9.2. + Thanks to Faidon Liambotis and Brandon Black. + * Bugfix: a segmentation fault might occur in a worker process if the + "ssl_stapling" directive was used; the bug had appeared in 1.9.2. + Thanks to Matthew Baldwin. + * Feature: the "backlog" parameter of the "listen" directives of the + mail proxy and stream modules. + * Feature: the "allow" and "deny" directives in the stream module. + * Feature: the "proxy_bind" directive in the stream module. + * Feature: the "proxy_protocol" directive in the stream module. + * Feature: the -T switch. + * Feature: the REQUEST_SCHEME parameter added to the fastcgi.conf, + fastcgi_params, scgi_params, and uwsgi_params standard configuration + files. + * Bugfix: the "reuseport" parameter of the "listen" directive of the + stream module did not work. + * Bugfix: OCSP stapling might return an expired OCSP response in some + cases. + * Change: now SSLv3 protocol is disabled by default. + * Change: some long deprecated directives are not supported anymore. + * Feature: the "reuseport" parameter of the "listen" directive. + Thanks to Yingqi Lu at Intel and Sepherosa Ziehau. + * Feature: the $upstream_connect_time variable. + * Bugfix: in the "hash" directive on big-endian platforms. + * Bugfix: nginx might fail to start on some old Linux variants; the bug + had appeared in 1.7.11. + * Bugfix: in IP address parsing. + Thanks to Sergey Polovko. + * Change: obsolete aio and rtsig event methods have been removed. + * Feature: the "zone" directive inside the "upstream" block. + * Feature: the stream module. + * Feature: byte ranges support in the ngx_http_memcached_module. + Thanks to Martin Mlynář. + * Feature: shared memory can now be used on Windows versions with + address space layout randomization. + Thanks to Sergey Brester. + * Feature: the "error_log" directive can now be used on mail and server + levels in mail proxy. + * Bugfix: the "proxy_protocol" parameter of the "listen" directive did + not work if not specified in the first "listen" directive for a + listen socket. +- removed patches already present upstream + * nginx-0.4.0-no_Werror.patch +- refreshed patches + * nginx-0.6.38-html.patch to nginx-1.10.0-html.patch + * nginx-0.4.0-no_Werror.patch to nginx-1.10.0-no_Werror.patch + * merged nginx-1.0.15_docs.patch in nginx-1.10.0-html.patch +- config option with-http_spdy_module is now with-http_v2_module + +------------------------------------------------------------------- +Thu Jan 28 01:36:01 UTC 2016 - i@marguerite.su + +- update version 1.8.1 stable + * Security: invalid pointer dereference might occur during DNS server + response processing if the "resolver" directive was used, allowing an + attacker who is able to forge UDP packets from the DNS server to + cause segmentation fault in a worker process (CVE-2016-0742). boo#963781 + * Security: use-after-free condition might occur during CNAME response + processing if the "resolver" directive was used, allowing an attacker + who is able to trigger name resolution to cause segmentation fault in + a worker process, or might have potential other impact + (CVE-2016-0746). boo#963778 + * Security: CNAME resolution was insufficiently limited if the + "resolver" directive was used, allowing an attacker who is able to + trigger arbitrary name resolution to cause excessive resource + consumption in worker processes (CVE-2016-0747). boo#963775 + * Bugfix: the "proxy_protocol" parameter of the "listen" directive did + not work if not specified in the first "listen" directive for a + listen socket. + * Bugfix: nginx might fail to start on some old Linux variants; the bug + had appeared in 1.7.11. + * Bugfix: a segmentation fault might occur in a worker process if the + "try_files" and "alias" directives were used inside a location given + by a regular expression; the bug had appeared in 1.7.1. + * Bugfix: the "try_files" directive inside a nested location given by a + regular expression worked incorrectly if the "alias" directive was + used in the outer location. + * Bugfix: "header already sent" alerts might appear in logs when using + cache; the bug had appeared in 1.7.5. + * Bugfix: a segmentation fault might occur in a worker process if + different ssl_session_cache settings were used in different virtual + servers. + * Bugfix: the "expires" directive might not work when using variables. + * Bugfix: if nginx was built with the ngx_http_spdy_module it was + possible to use the SPDY protocol even if the "spdy" parameter of the + "listen" directive was not specified. + +------------------------------------------------------------------- +Fri Oct 16 15:17:30 UTC 2015 - mrueckert@suse.de + +- use libGeoIP-devel everywhere + +------------------------------------------------------------------- +Fri Oct 16 15:08:28 UTC 2015 - mrueckert@suse.de + +- replace custom "kill -QUIT" with the kill signal setting in + the service file + +------------------------------------------------------------------- +Fri Oct 16 15:01:17 UTC 2015 - mrueckert@suse.de + +- clean up conditionals and use bcond_with* everywhere +- drop passenger support for now + * drop nginx-1.8.0-passenger-4.0.18.patch + * drop nginx-1.4.2-passenger-4.0.18.patch + +------------------------------------------------------------------- +Thu Jun 11 14:55:50 UTC 2015 - i@marguerite.su + +- update version 1.8.0 stable + * refer to http://nginx.org/en/CHANGES-1.8 for 1.7.x changes +- enable thread pools invented in nginx 1.7.11 +- refactor nginx-1.4.2-passenger_fix.patch + * rename to nginx-1.4.2-passenger-4.0.18.patch + * remove zero_in_uri usage +- add patch: nginx-1.8.0-passenger-4.0.18.patch + * fix "warning: comparison between pointer and integer" + and "error: invalid type argument of ‘->’ (have ‘int’)" +- drop nginx-1.4.4-passenger-4.0.33_fix.patch + * webyast is dead, we only enable passenger on 13.1 and below, + for compatibility. this patch will never be applied now. +- drop nginx-1.4.4-passenger-3.0.12_fix.patch + * this patch intended to be applied on < 13.1 machines, but + 13.1 is the oldest one we still have to build against. +- update fancyindex to version 0.3.5 + +------------------------------------------------------------------- +Sun Apr 12 04:37:00 UTC 2015 - mrueckert@suse.de + +- disable libatomic-ops on SLE12 for now. the library seems not + available there. + +------------------------------------------------------------------- +Sun Apr 12 04:22:29 UTC 2015 - mrueckert@suse.de + +- enable ngx_http_auth_request_module + +------------------------------------------------------------------- +Sun Apr 12 04:06:26 UTC 2015 - mrueckert@suse.de + +- update version 1.6.3 stable + - Feature: now the "tcp_nodelay" directive works with SPDY + connections. + - Bugfix: in error handling. Thanks to Yichun Zhang and Daniil + Bondarev. + - Bugfix: alerts "header already sent" appeared in logs if the + "post_action" directive was used; the bug had appeared in + 1.5.4. + - Bugfix: alerts "sem_post() failed" might appear in logs. + - Bugfix: in hash table handling. Thanks to Chris West. + - Bugfix: in integer overflow handling. Thanks to Régis Leroy. +- no longer install the init script when using systemd service file +- create rcnginx for systemd case + +------------------------------------------------------------------- +Wed Mar 25 13:09:27 UTC 2015 - vpereirabr@opensuse.org + +- On OpenSUSE 13.2, it requires libGeoIP-devel + +------------------------------------------------------------------- +Wed Sep 17 06:39:25 UTC 2014 - i@marguerite.su + +- update version 1.6.2 stable + * Security: it was possible to reuse SSL sessions in unrelated + contexts if a shared SSL session cache or the same TLS session + ticket key was used for multiple "server" blocks (CVE-2014-3616). + Thanks to Antoine Delignat-Lavaud. + * Bugfix: requests might hang if resolver was used and a DNS server + returned a malformed response; the bug had appeared in 1.5.8. + * Bugfix: requests might hang if resolver was used and a timeout + occurred during a DNS request. + +------------------------------------------------------------------- +Fri Sep 5 18:43:37 UTC 2014 - i@marguerite.su + +- use /run as pid/lock directory on openSUSE Factory (13.2=+) + +------------------------------------------------------------------- +Mon Aug 18 15:46:49 UTC 2014 - i@marguerite.su + +- disable passenger for 1320 as rubygem-passenger isn't in Factory + +------------------------------------------------------------------- +Mon Aug 18 14:48:13 UTC 2014 - i@marguerite.su + +- update version 1.6.1 stable + * Security: pipelined commands were not discarded after STARTTLS + command in SMTP proxy (CVE-2014-3556) + * Bugfix: the $uri variable might contain garbage when returning + errors with code 400 + * Bugfix: in the "none" parameter in the "smtp_auth" directive +- drop nginx-1.0.4_default_config.patch +- add nginx-1.6.1-default_config.patch + +------------------------------------------------------------------- +Mon Aug 18 14:43:55 UTC 2014 - i@marguerite.su + +- clean specfile +- fix for x86_64 builds for 11.4- + * can't build with -fPIE + +------------------------------------------------------------------- +Fri Jun 6 13:54:27 UTC 2014 - lars@linux-schulserver.de + +- use zip file downloaded from github directly, as requested by + Tomáš Chvátal + +------------------------------------------------------------------- +Mon May 5 10:24:04 UTC 2014 - lars@linux-schulserver.de + +- add and include FancyIndex module (with conditional) +- explicit enable http_ssl_module + +------------------------------------------------------------------- +Wed Mar 19 10:04:14 UTC 2014 - aj@ajaissle.de + +- Update to nginx 1.4.7 + - Changelog nginx 1.4.7 + * Security: a heap memory buffer overflow might occur in a worker + process while handling a specially crafted request by + ngx_http_spdy_module, potentially resulting in arbitrary code + execution (CVE-2014-0133). + Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr. + Manuel Sadosky, Buenos Aires, Argentina. + * Bugfix: in the "fastcgi_next_upstream" directive. + Thanks to Lucas Molas. + + - Changelog nginx 1.4.6 + * Bugfix: the "client_max_body_size" directive might not work when + reading a request body using chunked transfer encoding; the bug had + appeared in 1.3.9. + Thanks to Lucas Molas. + * Bugfix: a segmentation fault might occur in a worker process when + proxying WebSocket connections. + + - Changelog nginx 1.4.5 + * Bugfix: the $ssl_session_id variable contained full session + serialized instead of just a session id. + Thanks to Ivan Ristić. + * Bugfix: client connections might be immediately closed if deferred + accept was used; the bug had appeared in 1.3.15. + * Bugfix: alerts "zero size buf in output" might appear in logs while + proxying; the bug had appeared in 1.3.9. + * Bugfix: a segmentation fault might occur in a worker process if the + ngx_http_spdy_module was used. + * Bugfix: proxied WebSocket connections might hang right after + handshake if the select, poll, or /dev/poll methods were used. + * Bugfix: a timeout might occur while reading client request body in an + SSL connection using chunked transfer encoding. + * Bugfix: memory leak in nginx/Windows. + +- Updated Url (nginx.org instead of www.nginx.net) +- Added nginx.rpmlintrc as Source100 + +------------------------------------------------------------------- +Fri Jan 17 11:03:29 UTC 2014 - aj@ajaissle.de + +- Rebased passenger_fix.patch + + nginx-1.4.4-passenger-3.0.12_fix.patch for openSUSE 12.2 and 12.3 + + nginx-1.4.2-passenger_fix.patch for openSUSE 13.1 and Tumbleweed + + nginx-1.4.4-passenger-4.0.33_fix.patch for openSUSE Factory +- Always rebuild libpassenger_common on openSUSE < 1310 with -fPIC + +------------------------------------------------------------------- +Fri Jan 3 10:36:06 UTC 2014 - dmueller@suse.com + +- update to 1.4.4: + *) Security: a character following an unescaped space in a request line + was handled incorrectly (CVE-2013-4547); the bug had appeared in + 0.8.41. + *) Bugfix: a segmentation fault might occur in a worker process if the + ngx_http_spdy_module was used with the "client_body_in_file_only" + directive. + *) Bugfix: a segmentation fault might occur on start or during + reconfiguration if the "try_files" directive was used with an empty + parameter. + *) Bugfix: the $request_time variable did not work in nginx/Windows. + *) Bugfix: in the ngx_http_auth_basic_module when using "$apr1$" + *) Bugfix: in the ngx_http_autoindex_module. + *) Bugfix: in the mail proxy server. + +------------------------------------------------------------------- +Tue Dec 17 17:45:54 UTC 2013 - alarrosa@suse.com + +- Updated passenger patch to apply correctly, also added rubygem-passenger + as BuildRequires + +- modified patches: + * nginx-1.4.2-passenger_fix.patch +------------------------------------------------------------------- +Mon Oct 7 10:20:49 UTC 2013 - lslezak@suse.cz + +- updated passenger patch to apply (Utils/MD5.h patch is not needed + anymore, fixed upstream) + +------------------------------------------------------------------- +Wed Aug 14 08:09:51 UTC 2013 - lslezak@suse.cz + +- enable back passenger support (needed by WebYast) + +------------------------------------------------------------------- +Mon Jul 22 20:27:56 UTC 2013 - crrodriguez@opensuse.org + +- Fix PIE build and linkage, must use --with-ld-opt + +------------------------------------------------------------------- +Mon Jul 22 19:56:44 UTC 2013 - crrodriguez@opensuse.org + +- Update to version 1.4.2 stable + +* The list of changes is massive and it wont fit here see + http://nginx.org/en/CHANGES-1.4. packaging changes follow. + +- Enable the SPDY module on distributions that ship openssl >= 1.0.1 +- Build with full RELRO and PIE. +- systemd unit: +* remove syslog.target that no longer exists +* set PrivateTmp to true +* Make it a non-forking service. + +------------------------------------------------------------------- +Mon Jul 1 13:46:16 UTC 2013 - schwab@suse.de + +- nginx-aio.patch: fix AIO support for asm-generic platforms +- Fix quilt setup + +------------------------------------------------------------------- +Wed Jun 26 12:37:22 UTC 2013 - coolo@suse.com + +- since passenger 4.0 the nginx extensions does not build, so disable + it + +------------------------------------------------------------------- +Fri May 24 12:24:35 UTC 2013 - suse@ammler.ch + +- update to 1.2.9 + *) Security: contents of worker process memory might be sent to a client + if HTTP backend returned specially crafted response (CVE-2013-2070); + the bug had appeared in 1.1.4. (bnc#821184) + +------------------------------------------------------------------- +Tue Apr 16 12:04:35 UTC 2013 - suse@ammler.ch + +- update to 1.2.8 + *) Bugfix: new sessions were not always stored if the "ssl_session_cache + shared" directive was used and there was no free space in shared + memory. + *) Bugfix: responses might hang if subrequests were used and a DNS error + happened during subrequest processing. + *) Bugfix: in the ngx_http_mp4_module. + *) Bugfix: in backend usage accounting. + +------------------------------------------------------------------- +Tue Apr 9 08:45:55 UTC 2013 - coolo@suse.com + +- remove workaround breaking things + +------------------------------------------------------------------- +Thu Mar 21 06:50:21 UTC 2013 - e.istomin@edss.ee + +- updated to 1.2.7 + *) Bugfix: a segmentation fault might occur in a worker process if the + "if" directive was used. + Thanks to Piotr Sikora. + *) Bugfix: a "100 Continue" response was issued with "413 Request Entity + Too Large" responses. + *) Bugfix: the "[crit] SSL_write() failed (SSL:)" error. + +- added mp4 module (--with-http_mp4_module) + +------------------------------------------------------------------- +Mon Jan 7 20:24:52 UTC 2013 - jengelh@inai.de + +- Parallel building with %_smp_mflags; remove redundant %clean section + +------------------------------------------------------------------- +Mon Dec 17 10:32:12 UTC 2012 - suse@ammler.ch + +- update to 1.2.6 + *) Feature: the $request_time and $msec variables can now be used not + only in the "log_format" directive. + *) Bugfix: cache manager and cache loader processes might not be able to + start if more than 512 listen sockets were used. + *) Bugfix: in the ngx_http_dav_module. + +------------------------------------------------------------------- +Wed Dec 5 12:09:58 UTC 2012 - opensuse@dschung.de + +- add Provides: httpd and http_daemon, so a "Requires: httpd" + or "Suggests: httpd" doesn't only resolve to apache2 + +------------------------------------------------------------------- +Wed Nov 21 18:07:33 UTC 2012 - suse@ammler.ch + +- revert permission for /var/log/nginx so reopen is possible (bnc#790726) + +------------------------------------------------------------------- +Wed Nov 14 14:47:52 UTC 2012 - suse@ammler.ch + +- update to 1.2.5 + *) Feature: the "optional_no_ca" parameter of the "ssl_verify_client" + directive. + *) Feature: the $bytes_sent, $connection, and $connection_requests + variables can now be used not only in the "log_format" directive. + *) Feature: resolver now randomly rotates addresses returned from cache. + *) Feature: the "auto" parameter of the "worker_processes" directive. + *) Bugfix: "cache file ... has md5 collision" alert. + *) Bugfix: OpenSSL 0.9.7 compatibility. + +------------------------------------------------------------------- +Wed Oct 24 08:14:06 UTC 2012 - suse@ammler.ch + +- reenable passenger (required by webyast, was silently disabled) +- /var/log/nginx/ should belong to root (rpmlint issue) +- Recommends: logrotate (rpmlint issue) +- no need to keep default configs +- change FSF from postal to url address (rpmlint issue) + +------------------------------------------------------------------- +Thu Oct 11 14:53:37 UTC 2012 - suse@ammler.ch + +- remove version from package name +- update to 1.2.4 + * Bugfix: in the "limit_req" directive; the bug had appeared in 1.1.14. + Thanks to Charles Chen. + + * Bugfix: nginx could not be built by gcc 4.7 with -O2 optimization if + the --with-ipv6 option was used. + + * Bugfix: a segmentation fault might occur in a worker process if the + "map" directive was used with variables as values. + + * Bugfix: a segmentation fault might occur in a worker process if the + "geo" directive was used with the "ranges" parameter but without the + "default" parameter; the bug had appeared in 0.8.43. + Thanks to Zhen Chen and Weibin Yao. + + * Bugfix: in the -p command-line parameter handling. + + * Bugfix: in the mail proxy server. + + * Bugfix: of minor potential bugs. + Thanks to Coverity. + + - Changes with nginx 1.2.3 + + * Feature: the Clang compiler support. + + * Bugfix: extra listening sockets might be created. + Thanks to Roman Odaisky. + + * Bugfix: the "proxy_pass_header", "fastcgi_pass_header", + "scgi_pass_header", "uwsgi_pass_header", "proxy_hide_header", + "fastcgi_hide_header", "scgi_hide_header", and "uwsgi_hide_header" + directives might be inherited incorrectly. + + * Bugfix: trailing dot in a source value was not ignored if the "map" + directive was used with the "hostnames" parameter. + + * Bugfix: incorrect location might be used to process a request if a + URI was changed via a "rewrite" directive before an internal redirect + to a named location. +- update patch nginx-1.2.4-perl_vendor_install.patch + +------------------------------------------------------------------- +Sat Jul 21 02:41:34 UTC 2012 - crrodriguez@opensuse.org + +- Update to version 1,2,2 +- Enable only the epoll event model. + +------------------------------------------------------------------- +Fri Jun 8 17:57:35 UTC 2012 - crrodriguez@opensuse.org + +- Update to version 1.2.1; list too long to mention here + see http://nginx.org/en/CHANGES-1.2. +- Add systemd support. + +------------------------------------------------------------------- +Tue Jun 5 07:33:42 UTC 2012 - lslezak@suse.cz + +- added "BuildRequires: ruby" (needed for %rb_ver macro expansion), + fixes build at Factory + +------------------------------------------------------------------- +Mon Apr 16 08:42:51 UTC 2012 - schubi@suse.com + +- Update to version 1.0.15 + Changes with nginx 1.0.15 12 Apr 2012 + + * Security: specially crafted mp4 file might allow to overwrite memory + locations in a worker process if the ngx_http_mp4_module was used, + potentially resulting in arbitrary code execution (CVE-2012-2089). + Thanks to Matthew Daley. + + * Bugfix: in the ngx_http_mp4_module. + +------------------------------------------------------------------- +Fri Mar 16 14:16:44 UTC 2012 - schubi@suse.com + +- Update to Version 1.0.14 + + Changes with nginx 1.0.14 15 Mar 2012 + + * Security: content of previously freed memory might be sent to a + client if backend returned specially crafted response. + Thanks to Matthew Daley. + +------------------------------------------------------------------- +Tue Mar 13 09:49:05 UTC 2012 - schubi@suse.com + +- Update to Version 1.0.13 + + Changes with nginx 1.0.13 05 Mar 2012 + + * Feature: the "return" and "error_page" directives can now be used to + return 307 redirections. + + * Bugfix: a segmentation fault might occur in a worker process if the + "resolver" directive was used and there was no "error_log" directive + specified at global level. + Thanks to Roman Arutyunyan. + + * Bugfix: memory leaks. + Thanks to Lanshun Zhou. + + * Bugfix: nginx might log incorrect error "upstream prematurely closed + connection" instead of correct "upstream sent too big header" one. + Thanks to Feibo Li. + + * Bugfix: on ZFS filesystem disk cache size might be calculated + incorrectly; the bug had appeared in 1.0.1. + + * Bugfix: the number of internal redirects to named locations was not + limited. + + * Bugfix: temporary files might be not removed if the "proxy_store" + directive was used with SSI includes. + + * Bugfix: in some cases non-cacheable variables (such as the $args + variable) returned old empty cached value. + + * Bugfix: the "proxy_redirect" directives might be inherited + incorrectly. + + * Bugfix: nginx could not be built with the ngx_http_perl_module if the + --with-openssl option was used. + + * Bugfix: nginx could not be built by the icc 12.1 compiler. + + + Changes with nginx 1.0.12 06 Feb 2012 + + * Feature: the "TLSv1.1" and "TLSv1.2" parameters of the + "ssl_protocols" directive. + + * Feature: the "if" SSI command supports captures in regular + expressions. + + * Bugfix: the "if" SSI command did not work inside the "block" command. + + * Bugfix: in AIO error handling on FreeBSD. + + * Bugfix: in the OpenSSL library initialization. + + * Bugfix: the "worker_cpu_affinity" directive might not work. + + * Bugfix: the "limit_conn_log_level" and "limit_req_log_level" + directives might not work. + + * Bugfix: the "read_ahead" directive might not work combined with + "try_files" and "open_file_cache". + + * Bugfix: the "proxy_cache_use_stale" directive with "error" parameter + did not return answer from cache if there were no live upstreams. + + * Bugfix: a segmentation fault might occur in a worker process if small + time was used in the "inactive" parameter of the "proxy_cache_path" + directive. + + * Bugfix: responses from cache might hang. + + * Bugfix: in error handling while connecting to a backend. + Thanks to Piotr Sikora. + + * Bugfix: in the "epoll" event method. + Thanks to Yichun Zhang. + + * Bugfix: the $sent_http_cache_control variable might contain a wrong + value if the "expires" directive was used. + Thanks to Yichun Zhang. + + * Bugfix: the "limit_rate" directive did not allow to use full + throughput, even if limit value was very high. + + * Bugfix: the "sendfile_max_chunk" directive did not work, if the + "limit_rate" directive was used. + + * Bugfix: nginx could not be built on Solaris; the bug had appeared in + 1.0.11. + + * Bugfix: in the ngx_http_scgi_module. + + * Bugfix: in the ngx_http_mp4_module. + + + Changes with nginx 1.0.11 15 Dec 2011 + + * Change: now double quotes are encoded in an "echo" SSI-command + output. + Thanks to Zaur Abasmirzoev. + + * Feature: the "image_filter_sharpen" directive. + + * Bugfix: a segmentation fault might occur in a worker process if SNI + was used; the bug had appeared in 1.0.9. + + * Bugfix: SIGWINCH signal did not work after first binary upgrade; the + bug had appeared in 1.0.9. + + * Bugfix: the "If-Modified-Since", "If-Range", etc. client request + header lines might be passed to backend while caching; or not passed + without caching if caching was enabled in another part of the + configuration. + + * Bugfix: in the "scgi_param" directive, if complex parameters were + used. + + * Bugfix: "add_header" and "expires" directives did not work if a + request was proxied and response status code was 206. + + * Bugfix: in the "expires @time" directive. + + * Bugfix: in the ngx_http_flv_module. + Thanks to Piotr Sikora. + + * Bugfix: in the ngx_http_mp4_module. + + * Bugfix: nginx could not be built on FreeBSD 10. + + * Bugfix: nginx could not be built on AIX. + + +------------------------------------------------------------------- +Fri Dec 2 14:48:35 UTC 2011 - schubi@suse.com + +- 1.0.10 includes a fix for: + Fixed VUL-0: CVE-2011-4315: nginx: heap overflow (bnc #731084) + +------------------------------------------------------------------- +Fri Nov 18 12:56:55 UTC 2011 - schubi@suse.com + +- Uppstream update to 1.0.10 + Changes with nginx 1.0.10 + + * Bugfix: a segmentation fault might occur in a worker process if + resolver got a big DNS response. + Thanks to Ben Hawkes. + + * Bugfix: in cache key calculation if internal MD5 implementation was + used; the bug had appeared in 1.0.4. + + * Bugfix: the module ngx_http_mp4_module sent incorrect + "Content-Length" response header line if the "start" argument was + used. + Thanks to Piotr Sikora. + + + Changes with nginx 1.0.9 + + * Change: now the 0x7F-0x1F characters are escaped as \xXX in an + access_log. + + * Change: now SIGWINCH signal works only in daemon mode. + + * Feature: "proxy/fastcgi/scgi/uwsgi_ignore_headers" directives support + the following additional values: X-Accel-Limit-Rate, + X-Accel-Buffering, X-Accel-Charset. + + * Feature: decrease of memory consumption if SSL is used. + + * Feature: accept filters are now supported on NetBSD. + + * Feature: the "uwsgi_buffering" and "scgi_buffering" directives. + Thanks to Peter Smit. + + * Bugfix: a segmentation fault occurred on start or while + reconfiguration if the "ssl" directive was used at http level and + there was no "ssl_certificate" defined. + + * Bugfix: some UTF-8 characters were processed incorrectly. + Thanks to Alexey Kuts. + + * Bugfix: the ngx_http_rewrite_module directives specified at "server" + level were executed twice if no matching locations were defined. + + * Bugfix: a socket leak might occurred if "aio sendfile" was used. + + * Bugfix: connections with fast clients might be closed after + send_timeout if file AIO was used. + + * Bugfix: in the ngx_http_autoindex_module. + + * Bugfix: the module ngx_http_mp4_module did not support seeking on + 32-bit platforms. + + * Bugfix: non-cacheable responses might be cached if + "proxy_cache_bypass" directive was used. + Thanks to John Ferlito. + + * Bugfix: cached responses with an empty body were returned + incorrectly; the bug had appeared in 0.8.31. + + * Bugfix: 201 responses of the ngx_http_dav_module were incorrect; the + bug had appeared in 0.8.32. + + * Bugfix: in the "return" directive. + + * Bugfix: the "ssl_verify_client", "ssl_verify_depth", and + "ssl_prefer_server_ciphers" directives might work incorrectly if SNI + was used. + + + Changes with nginx 1.0.8 + + * Bugfix: nginx could not be built --with-http_mp4_module and without + --with-debug option. + + + Changes with nginx 1.0.7 + + * Change: now if total size of all ranges is greater than source + response size, then nginx disables ranges and returns just the source + response. + + * Feature: the "max_ranges" directive. + + * Feature: the module ngx_http_mp4_module. + + * Feature: the "worker_aio_requests" directive. + + * Bugfix: if nginx was built --with-file-aio it could not be run on + Linux kernel which did not support AIO. + + * Bugfix: in Linux AIO error processing. + Thanks to Hagai Avrahami. + + * Bugfix: in Linux AIO combined with open_file_cache. + + * Bugfix: open_file_cache did not update file info on retest if file + was not atomically changed. + + * Bugfix: reduced memory consumption for long-lived requests. + + * Bugfix: in the "proxy/fastcgi/scgi/uwsgi_ignore_client_abort" + directives. + + * Bugfix: nginx could not be built on MacOSX 10.7. + + * Bugfix: request body might be processed incorrectly if client used + pipelining. + + * Bugfix: in the "request_body_in_single_buf" directive. + + * Bugfix: in "proxy_set_body" and "proxy_pass_request_body" directives + if SSL connection to backend was used. + + * Bugfix: nginx hogged CPU if all servers in an upstream were marked as + "down". + + * Bugfix: a segmentation fault might occur during reconfiguration if + ssl_session_cache was defined but not used in previous configuration. + + * Bugfix: a segmentation fault might occur in a worker process if many + backup servers were used in an upstream. + + + Changes with nginx 1.0.6 + + * Feature: cache loader run time decrease. + + * Feature: loading time decrease of configuration with large number of + HTTPS sites. + + * Feature: now nginx supports ECDHE key exchange ciphers. + Thanks to Adrian Kotelba. + + * Feature: the "lingering_close" directive. + + * Feature: now shared zones and caches use POSIX semaphores on Solaris. + Thanks to Den Ivanov. + + * Bugfix: nginx could not be built on Linux 3.0. + + * Bugfix: a segmentation fault might occur in a worker process if + "fastcgi/scgi/uwsgi_param" directives were used with values starting + with "HTTP_"; the bug had appeared in 0.8.40. + + * Bugfix: in closing connection for pipelined requests. + + * Bugfix: nginx did not disable gzipping if client sent "gzip;q=0" in + "Accept-Encoding" request header line. + + * Bugfix: in timeout in unbuffered proxied mode. + + * Bugfix: memory leaks when a "proxy_pass" directive contains variables + and proxies to an HTTPS backend. + + * Bugfix: in parameter validaiton of a "proxy_pass" directive with + variables. + Thanks to Lanshun Zhou. + + * Bugfix: SSL did not work on QNX. + + * Bugfix: SSL modules could not be built by gcc 4.6 without + --with-debug option. + +------------------------------------------------------------------- +Mon Oct 24 11:59:37 UTC 2011 - schubi@suse.com + +- Reduce requirement of rubygem-rack to 1_1 cause 1_3 produces + errors. + +------------------------------------------------------------------- +Tue Aug 16 15:23:23 UTC 2011 - ammler@openttdcoop.org + +- upstream update 1.0.5 + * Change: now default SSL ciphers are "HIGH:!aNULL:!MD5". + * Feature: the "referer_hash_max_size" and "referer_hash_bucket_size" + directives. + * Feature: $uid_reset variable. + * Bugfix: a segmentation fault might occur in a worker process, if a + caching was used. + * Bugfix: worker processes may got caught in an endless loop during + reconfiguration, if a caching was used; the bug had appeared in + 0.8.48. + * Bugfix: "stalled cache updating" alert. +- add logrotate + * add reopen killsiganl -USR1 to init script + * logrotate conf +- Backport r4003: Configure: catch up with new Linux version numbering + +------------------------------------------------------------------- +Fri Jun 24 10:40:30 UTC 2011 - jreidinger@novell.com + +- fix init script to write use its pid file to allow separate nginx + server run independent (bnc#702005) + +------------------------------------------------------------------- +Thu Jun 9 12:02:59 UTC 2011 - ammler@openttdcoop.org + +- upstream update 1.0.4 + * Change: now regular expressions case sensitivity in the "map" + directive is given by prefixes "~" or "~*". + * Feature: now shared zones and caches use POSIX semaphores on + Linux. Thanks to Denis F. Latypoff. + * Bugfix: "stalled" cache updating" alert. + * Bugfix: nginx could not be built + --without-http_auth_basic_module; the bug had appeared in + 1.0.3. +- additional changes from 1.0.3 + - Feature: the "auth_basic_user_file" directive supports "$apr1", + "{PLAIN}", and "{SSHA}" password encryption methods. Thanks to + Maxim Dounin. + - Feature: the "geoip_org" directive and $geoip_org variable. + Thanks to Alexander Uskov, Arnaud Granal, and Denis F. + Latypoff. + - Feature: ngx_http_geo_module and ngx_http_geoip_module support + IPv4 addresses mapped to IPv6 addresses. + - Bugfix: a segmentation fault occurred in a worker process + during testing IPv4 address mapped to IPv6 address, if access + or deny rules were defined only for IPv6; the bug had appeared + in 0.8.22. + - Bugfix: a cached response may be broken if proxy/fastcgi/scgi/ + uwsgi_cache_bypass and proxy/fastcgi/scgi/uwsgi_no_cache + directive values were different; the bug had appeared in + 0.8.46. +- additional changes from 1.0.2 + - Feature: now shared zones and caches use POSIX semaphores. + - Bugfix: in the "rotate" parameter of the "image_filter" + directive. Thanks to Adam Bocim. + - Bugfix: nginx could not be built on Solaris; the bug had + appeared in 1.0.1. +- additional changes from 1.0.1 + - Change: now the "split_clients" directive uses MurmurHash2 + algorithm because of better distribution. Thanks to Oleg + Mamontov. + - Change: now long strings starting with zero are not considered + as false values. Thanks to Maxim Dounin. + - Change: now nginx uses a default listen backlog value 511 on + Linux. + - Feature: the $upstream_... variables may be used in the SSI and + perl modules. + - Bugfix: now nginx limits better disk cache size. Thanks to + Oleg Mamontov. + - Bugfix: a segmentation fault might occur while parsing + incorrect IPv4 address; the bug had appeared in 0.9.3. Thanks + to Maxim Dounin. + - Bugfix: nginx could not be built by gcc 4.6 without + --with-debug option. + - Bugfix: nginx could not be built on Solaris 9 and earlier; the + bug had appeared in 0.9.3. Thanks to Dagobert Michelsen. + - Bugfix: $request_time variable had invalid values if + subrequests were used; the bug had appeared in 0.8.47. Thanks + to Igor A. Valcov. +- new config directories included in context http: + conf.d/*.conf on top before first server + vhosts.d/*.conf on bottom (for servers) + +------------------------------------------------------------------- +Thu May 26 10:20:30 UTC 2011 - mrueckert@suse.de + +- more accurate license header: BSD-2-Clause + +------------------------------------------------------------------- +Thu Apr 14 12:17:01 UTC 2011 - mrueckert@suse.de + +- move the libatomic usage to sle11/11.1 or newer + +------------------------------------------------------------------- +Thu Apr 14 10:59:36 UTC 2011 - mrueckert@suse.de + +- remove /srv/www/htdocs/index.html (bnc#670031). + +------------------------------------------------------------------- +Thu Apr 14 10:34:52 UTC 2011 - mrueckert@suse.de + +- build with libatomic_ops + +------------------------------------------------------------------- +Thu Apr 14 10:28:37 UTC 2011 - mrueckert@suse.de + +- minor spec file cleanup + - use perl instead of dos2unix + - remove commented out patches from the preamble + - fix ordering in preamble + +------------------------------------------------------------------- +Wed Apr 13 23:50:04 UTC 2011 - alexandre@exatati.com.br + +- Add epoll in default events config as recommended in + http://www.kegel.com/c10k.html#nb.epoll. + +------------------------------------------------------------------- +Tue Apr 12 18:42:32 UTC 2011 - mrueckert@suse.de + +- enable building of the passenger extension + +------------------------------------------------------------------- +Tue Apr 12 16:10:00 UTC 2011 - mrueckert@suse.de + +- added more directives to the configure line + - specify tmp path for scgi/uwsgi + - enabled more modules + - geoip lookup + - http_degradation + - mail ssl support + - added build time options to build the profiling/testing stuff + - see with_google_perftools and with_cpp_test + +------------------------------------------------------------------- +Tue Apr 12 15:16:54 UTC 2011 - mrueckert@suse.de + +- start 1.0 branch package diff --git a/nginx.keyring b/nginx.keyring new file mode 100644 index 0000000..da196a7 --- /dev/null +++ b/nginx.keyring @@ -0,0 +1,65 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGKE4psBEADpHSM/IxFD1nXBmnODYXzcl2A+6b6m9m1m2Y4Dlr0ed+y5Lxne +QidE9I74A2KSm6+eHW2yh4i1ZwZbmwpmQqM+j5BMt7axoXOdKSyN+fYtUakzNbBN +EDRKT79q/zIzkgTJradHkCQkwF1W3go+qPXjR2ZEnLma9dZED9VNI6PmOpeYaASo +IkEfbKbwa/vPrvnDSSYY6Y02RXSRk5U1NvQgVUTJP9WGK7NlPUcTBDELLQv6fFPU +kjBOel6MecsQ+v8iq4RJF2cbVF0hNjbAiNldjLV74Xd7yWVRlCbdb2agyvQjMNrD +jHSvbEMiNB3R8yBHVW2Zldv8q0XjcwoDfdiZYFJe3lRUYmv6I2p+/DptD4r/3ILI +peGZtSeOdQEw+vvODL/Ehq03anTrzcpZ6sDLfLrYJhYcrltj0/LMUnLDAjciwRUq +XI46EfxwqsdLeqoZFQeO3LOFsh0kJKR2xOrUHIVy84NJ4Gmro6WmUkb1NfdjyHzF +z8Lfbo46NKoTcwFsFF0q74jVVIVNUyIS91DusiMqLCsP8jqDOz/kyP4bOJQ+aUXf +BANn4Ll1TFWsJ417moxz+Pi5sTaI0na8z2XB1N9WPsSml3FS75hJPJshN2T3VIea +zB7GFWqk33ynSDt+cAisG5nsK9fFdcH+t5wm59oobyFbFhKxwX6ROuxlZwARAQAB +tCRTZXJnZXkgS2FuZGF1cm92IDxwbHVrbmV0QG5naW54LmNvbT6JAk4EEwEKADgW +IQTWeGzjA9mpAimY3GzIRk1UmvdcCgUCYoTimwIbAwULCQgHAwUVCgkICwUWAwIB +AAIeAQIXgAAKCRDIRk1UmvdcCqbOD/9Htgk3mWvUFmrApkWQTIDNmLACZ1Sw1PXj +Uqte8StYB0bYY+nmAXs7O5eC2h1ViParl7En1joEEMQQmH0qSnw4X1CM/hA8TAYW +mBPITTNWo/R52WoyWeWGFnFNIperQmuIZc+pXm0VEFVPiX/2DXbCIu+jaXySvlCN +LekmOD4VC7dJS8/ohoaXOR2T8ufS+1CsyPXomEb+COhqRZ3EVBa+k7pnElkFft3Y +a1fR0AgatZFQpy+ukePhK7s/M5RGhDJWHgSAZFkf+X2jVV4NRJ+XsY80gU5DD2ZX +QT6Je6Knxqk7FnWNSxkhReH6Ss5flZSoGDCmJ2AsPtGeUhus2fGqeN+waGKTZC35 +die2V4/cro1SWswSI6Y5GFDZT1olIUztPmSXU/A3oyizJI7XZybwUbpk5kK83VXm +el3U/7Qr/VErlDWFefZWeUvT1RILZ8IRoNj4dv158RnKHt9G508A5qz4hUPKoSeq +SiXhYwfkc31WPzIJ4ev+X5Ka2sG/CKbEMJ7qwc0Kadiu+ePPfqqbXjpTWRyrbcRM +hRNcLNUi1SLWMBClOQG+5GNG1dPPHkbj4dO1OZuaUMwQdu8R8NlsGoVWS40bmVv5 +pXstzYCl7k/UnC/Ytlq61GeAoq8ILa6jGj0EWqlhvi0ZNMN+fROhzrRlTzIr/+WE +Xf8EiVNFSbQlU2VyZ2V5IEthbmRhdXJvdiA8cy5rYW5kYXVyb3ZAZjUuY29tPokC +TgQTAQoAOBYhBNZ4bOMD2akCKZjcbMhGTVSa91wKBQJihO2zAhsDBQsJCAcDBRUK +CQgLBRYDAgEAAh4BAheAAAoJEMhGTVSa91wKgLQQANaf4UMndkWoefDQPkJ5qR4K +fuV0WRz59riZEApTkVpPXzl8Y1i8Rgt9pa1v1i12vPyIXKav1rJXQcuDEzqrhQ2G +yvuAE2U/t2mYaMUmwxWO2d8JA3slvBSgOkiYpbLooDizAdKMT5UQWGyw31Wm51iz +HjoztebsyXeXgq9VDjv3D8LUBr/OY3Hguj6HV+zRtC95qgXYadW2FiCtvBK6RTDb +iShTuseLSheGh9dZIUSnzaOiJpDA61ZDYtFZxSpe67vEzhSfHVsF+ZdCjoWhhVv+ ++2wR4E0VQQtOM9uX1PMlZ5Ymr02/gidsXCM0ZjYXx4cDDhnq+nKomN64VloXWY9t +PIi86XmzcSWlGUd+Ac6LyW7/f64bUWs4Ih0Idl0PF0sAr/6axKUsIs1nbn5MEtXk +ZPAjcDLqLb9IIQaXRurm/il8v+bLXVBOJq33YUuGRuz8pu4vPA5Q97zglqhlIgbu +prHMJ9hl5q39JwS3As2rK0o6Q9VVKr29rqSEfk4wEttvk0QMMU5zEvVl8MtqPj42 +qURqpHOadFbYMTwhUmRBUszRZPa5/pWqq0gWOtpyCWFVAsHFWQGJM1Eo6gGEyHZM +YgBp+d29p2p409r1+06U67GBnXvUy0RyIpkLQtU+lyOJ6vvrBmmsDs/gc69GnlSC +tZmCt0pLesJ7ZJzGdDkduQINBGKE4psBEADQr/enuDeVT11v6ejuYrg7aaZaGFUe +3i28bQ4pRUKNfxs7zVYDDHi2i2bhS5j2yQnbsQtGcgoenw6lapmdQRzr4vjQAz9o +kT6l4qpqvFFQM0wZTnigVDmmO9vTHR8Uk3iCKTd2ax3oko/xPWWYJautJ6ex8cOA +coHSDeOjuIWSxCKq0BDFp6LoxkM8nuyLAX2cbhI3LncaZhVveMeN+Fmcsv+WpkKs +yhX92umZuGwlraSyFy23FiRWSZPu9qVIxMMHvVrQJIgfhyWaHFzoF4M4qDoSKx92 +uWfUWgFwPOxOJ6/YcPsX4T8qTl9htmwPN0BibPTlcWaIFXtiU5bE1MivUPeACrI/ +gwUfCR3Mg+GYc13C6jzepREUhI7PLi3+A203PlMZd/aaSZkP6j+h4cwdapH5P4uF +7T1EQ0MSdx3neAvu5p0IM6JpriwxfT3HsG+Y952T6MIeXcjNRebsBrygJhJ0/vyr +wV5t8jL0yQty4CiE/QFnBs42l+rngi7K7Y1AZRBGK7JA09XaoLrfLmS+PrbYPsaJ +flkM8GzUB7BBCLozxDHPzmPkf/A1w3XHZnYuZmS+pvjWCIoKpLQHI99oSUGho/TR +gMRO4v7EAzluqCiepMl0xwFfHB115ND/mATazc4Pt6FxUsqffzfZrN01e1UVPrp5 +4x6YLO80JnOY6QARAQABiQI2BBgBCgAgFiEE1nhs4wPZqQIpmNxsyEZNVJr3XAoF +AmKE4psCGwwACgkQyEZNVJr3XAp9ghAAgCgErxQYn/Lh/mzsxYXPnisggcBpceks +mGw7knj1EGkXqq9CHn3EjCw8dB5N857UFlUr++DHwpFL5O36PRQo33RIUFbmBypG +8C/xX1jWGu3xcaqS3P1ncsSSl6ckdvy9pjMxThm/RkXO0eJCn7FcanwPJXEB3Pbb +mm0wLI2OXl/m7l5QAr7kErnPvGNzcbX6G35Q/MY8mumBWQ9H53R5ZPpi+OS40Wfn +pZNKdh/Acwa7+2RokPqoOcJfxVdBOUigXTzb45qZgqEsSR7bkZAy2E80A/sJKPqs +OGjp9cog3rBYyNBn5dasfR9KeBtluKnjUbzutXsQoKUSECY00YGrtneSXMku5hoE +Dguk68w/L63ZApYHO/JTgJAYvqPOErAVUegPIw2CT1/2qi5vpClBcKkNS7RXrssA +X+lElE0zbzX3bNG+lQuXby7jNUFYltkEiz6vTtc4HuHy8u40DHMswzkoDr0T8IE0 +7ZRAWXwV1nlA/dI337cHCsWMJyqem5wZZO13iqe07qaCg1uvBPeqDo81hOCn1us7 +l5SYRUTlt7KSFEHZ+Sx4bmVneAuRi5okaQdmrepy/ss/vVpRwWuQxsPkvT8boS7s +mqOVsZFcNOuUJPUyOz1dHUL6FMYpk1dw+9n41gO4fLBzJekFTB/fxL6SRbYFWWn7 +x0VGHDmuaYQ= +=HmVo +-----END PGP PUBLIC KEY BLOCK----- diff --git a/nginx.logrotate b/nginx.logrotate new file mode 100644 index 0000000..6d64cb6 --- /dev/null +++ b/nginx.logrotate @@ -0,0 +1,14 @@ +/var/log/nginx/*.log { + compress + dateext + maxage 365 + rotate 99 + size=+4096k + missingok + notifempty + delaycompress + lastaction + # "-s reopen" will use the pid file passed in the config file or the compiled in default path + [ -f /run/nginx.pid ] && /usr/sbin/nginx -s reopen + endscript +} diff --git a/nginx.rpmlintrc b/nginx.rpmlintrc new file mode 100644 index 0000000..5164567 --- /dev/null +++ b/nginx.rpmlintrc @@ -0,0 +1,5 @@ +# user nginx needs write permissions to /var/log/nginx so nginx is able to reopen the logs +addFilter("nginx.*: W: suse-logrotate-user-writable-log-dir /var/log/nginx nginx:nginx 0750") +# nginx sources need to be installed in /usr/src/nginx +addFilter("nginx.* W: suse-filelist-forbidden-fhs23 /usr/src/nginx") + diff --git a/nginx.service b/nginx.service new file mode 100644 index 0000000..2516000 --- /dev/null +++ b/nginx.service @@ -0,0 +1,31 @@ +[Unit] +Description=The nginx HTTP and reverse proxy server +After=network-online.target remote-fs.target nss-lookup.target +Wants=network-online.target + +[Service] +RuntimeDirectory=nginx +PIDFile=/run/nginx.pid +ExecStartPre=/usr/sbin/nginx -t +ExecStart=/usr/sbin/nginx -g "daemon off;" +ExecReload=/bin/kill -s HUP $MAINPID +KillSignal=SIGQUIT +TimeoutStopSec=5 +KillMode=mixed +PrivateTmp=true +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=read-only +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions + +[Install] +WantedBy=multi-user.target diff --git a/nginx.spec b/nginx.spec new file mode 100644 index 0000000..c83f17b --- /dev/null +++ b/nginx.spec @@ -0,0 +1,219 @@ +# +# spec file for package nginx +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%{!?vim_data_dir:%global vim_data_dir %{_datadir}/vim/%(readlink %{_datadir}/vim/current)} +%define src_install_dir %{_prefix}/src/%{name} +# keep in sync with #ngx_conditionals +%bcond_with ngx_cpp_test +%bcond_with ngx_google_perftools +# +Name: nginx +Version: 1.27.1 +Release: 0 +Summary: A HTTP server and IMAP/POP3 proxy server +License: BSD-2-Clause +Group: Productivity/Networking/Web/Proxy +URL: https://nginx.org +Source0: https://nginx.org/download/%{name}-%{version}.tar.gz +Source1: https://nginx.org/download/%{name}-%{version}.tar.gz.asc +Source2: https://nginx.org/keys/pluknet.key#/%{name}.keyring +Source3: %{name}.rpmlintrc +Source4: %{name}.logrotate +Source5: %{name}.service +Source6: %{name}.sysusers +# PATCH-FIX-UPSTREAM nginx-1.11.2-no_Werror.patch +Patch0: %{name}-1.11.2-no_Werror.patch +# PATCH-FIX-OPENSUSE nginx-1.11.2-html.patch +Patch1: %{name}-1.11.2-html.patch +# PATCH-FIX-UPSTREAM nginx-1.2.4-perl_vendor_install.patch +Patch2: %{name}-perl.patch +# PATCH-FIX-UPSTREAM fix /etc/nginx/nginx.conf to suit Linux env +Patch3: %{name}-conf.patch +# PATCH-FIX-UPSTREAM nginx-aio.patch fix support for Linux AIO +Patch4: %{name}-aio.patch +BuildRequires: %{name}-macros +BuildRequires: gcc-c++ +BuildRequires: gpg2 +BuildRequires: libatomic-ops-devel +BuildRequires: pkgconfig +BuildRequires: sysuser-shadow +BuildRequires: sysuser-tools +BuildRequires: vim +BuildRequires: pkgconfig(gdlib) +BuildRequires: pkgconfig(libpcre2-8) +BuildRequires: pkgconfig(libxslt) +BuildRequires: pkgconfig(openssl) +BuildRequires: pkgconfig(systemd) +BuildRequires: pkgconfig(zlib) +%requires_eq perl +Recommends: %{name}-module-echo +Recommends: %{name}-module-lua +Recommends: logrotate +Provides: http_daemon +Provides: httpd +%{?systemd_ordering} +%sysusers_requires +# +%if %{with ngx_google_perftools} +BuildRequires: google-perftools-devel +%endif + +%description +%{name} [engine x] is a HTTP server and IMAP/POP3 proxy server written by Igor Sysoev. +It has been running on many heavily loaded Russian sites for more than two years. + +%package source +Summary: The nginx source +Group: Development/Sources +Requires: gcc-c++ +Requires: libatomic-ops-devel +Requires: nginx = %{version} +Requires: pkgconfig +Requires: vim +Requires: pkgconfig(gdlib) +Requires: pkgconfig(libpcre2-8) +Requires: pkgconfig(libxslt) +Requires: pkgconfig(openssl) +Requires: pkgconfig(zlib) +%requires_ge %{name}-macros +BuildArch: noarch + +%description source +The source of %{name} [engine x] HTTP server and IMAP/POP3 proxy server. + +%prep +%autosetup -p1 + +sed -i 's/\r//g' contrib/geo2nginx.pl +sed -i 's|#LIBDIR#|%{_libdir}|g' conf/nginx.conf + +%if %{with systemd} +sed -i 's/\/var\/run/\/run/' conf/nginx.conf +%endif + +sed -i 's/^\(#define NGX_LISTEN_BACKLOG \).*/\1-1/' src/os/unix/ngx_linux_config.h + +%build +%{ngx_configure} + +%make_build +%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf + +%install +%make_install +%perl_process_packlist + +install -dpm0750 %{buildroot}%{ngx_home}/{,tmp,proxy,fastcgi,scgi,uwsgi} +install -Dpm0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} +install -Dpm0644 %{SOURCE5} %{buildroot}%{_unitdir}/%{name}.service +install -Dpm0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf + +rm %{buildroot}/srv/www/htdocs/index.html + +mkdir -p %{buildroot}%{ngx_doc_dir} +cp -av CHANGES* LICENSE \ + %{buildroot}%{ngx_doc_dir} + +mkdir -p %{buildroot}%{_datadir}/%{name}/ +mkdir -p %{buildroot}%{ngx_conf_dir}/vhosts.d/ +mkdir -p %{buildroot}%{ngx_conf_dir}/conf.d/ + +chmod a+rx contrib/geo2nginx.pl +cp -av contrib/geo2nginx.pl contrib/unicode2nginx/ \ + %{buildroot}%{_datadir}/%{name}/ + +mkdir -p %{buildroot}%{src_install_dir} +tar -xzf %{SOURCE0} --strip-components=1 -C %{buildroot}%{src_install_dir} + +copydocs() { + subdir=$1; + shift; + mkdir -p %{buildroot}%{ngx_doc_dir}/$subdir/ + pushd $subdir + cp -av $* %{buildroot}%{ngx_doc_dir}/$subdir/ + popd +} + +%check +GPGTMP=`mktemp -d` +gpg --homedir $GPGTMP -q --no-default-keyring --keyring $GPGTMP/.gpg-keyring --trust-model always --import %{SOURCE2} +gpg --homedir $GPGTMP -q --no-default-keyring --keyring $GPGTMP/.gpg-keyring --trust-model always -q --verify -- %{SOURCE1} %{SOURCE0} +rm -r $GPGTMP + +%pre -f %{name}.pre +%service_add_pre %{name}.service + +%preun +%service_del_preun %{name}.service + +%post +%service_add_post %{name}.service + +%postun +%service_del_postun %{name}.service + +%files +%dir %{ngx_conf_dir}/ +%dir %{ngx_conf_dir}/vhosts.d +%dir %{ngx_conf_dir}/conf.d +%config(noreplace) %{ngx_conf_dir}/koi-utf +%config(noreplace) %{ngx_conf_dir}/koi-win +%config(noreplace) %{ngx_conf_dir}/fastcgi_params +%config %{ngx_conf_dir}/fastcgi_params.default +%config(noreplace) %{ngx_conf_dir}/mime.types +%config %{ngx_conf_dir}/mime.types.default +%config(noreplace) %{ngx_conf_dir}/nginx.conf +%config %{ngx_conf_dir}/%{name}.conf.default +%config(noreplace) %{ngx_conf_dir}/fastcgi.conf +%config %{ngx_conf_dir}/fastcgi.conf.default +%config(noreplace) %{ngx_conf_dir}/win-utf +%config(noreplace) %{ngx_conf_dir}/scgi_params +%config %{ngx_conf_dir}/scgi_params.default +%config(noreplace) %{ngx_conf_dir}/uwsgi_params +%config %{ngx_conf_dir}/uwsgi_params.default +%{perl_vendorarch}/auto/%{name}/ +%{perl_vendorarch}/%{name}.pm +%{ngx_sbin_path} +%dir %{_libdir}/%{name}/ +%dir %{ngx_module_dir}/ +%{ngx_module_dir}/ngx_http_image_filter_module.so +%{ngx_module_dir}/ngx_http_perl_module.so +%{ngx_module_dir}/ngx_http_xslt_filter_module.so +%{ngx_module_dir}/ngx_mail_module.so +%{ngx_module_dir}/ngx_stream_module.so +%{_mandir}/man3/%{name}.3pm* +%dir /srv/www +%dir /srv/www/htdocs +/srv/www/htdocs/50x.html +%config(noreplace) %{_sysconfdir}/logrotate.d/%{name} +%dir %attr(750,%{ngx_user_group},%{ngx_user_group}) %{_localstatedir}/log/nginx/ +%dir %attr(750,%{ngx_user_group},%{ngx_user_group}) %{ngx_home}/ +%dir %attr(750,%{ngx_user_group},%{ngx_user_group}) %{ngx_tmp_http} +%dir %attr(750,%{ngx_user_group},%{ngx_user_group}) %{ngx_tmp_proxy} +%dir %attr(750,%{ngx_user_group},%{ngx_user_group}) %{ngx_tmp_fcgi} +%dir %attr(750,%{ngx_user_group},%{ngx_user_group}) %{ngx_tmp_scgi} +%dir %attr(750,%{ngx_user_group},%{ngx_user_group}) %{ngx_tmp_uwsgi} +%doc %{ngx_doc_dir} +%{_unitdir}/%{name}.service +%{_sysusersdir}/%{name}.conf +%{_datadir}/%{name}/ + +%files source +%{src_install_dir} + +%changelog diff --git a/nginx.sysusers b/nginx.sysusers new file mode 100644 index 0000000..f8d7cc8 --- /dev/null +++ b/nginx.sysusers @@ -0,0 +1,2 @@ +# Type Name ID GECOS [HOME] +u nginx - "User for nginx" /var/lib/nginx