Date: Tue, 18 Jun 2024 09:26:59 GMT
Message-Id: <202406180926.45I9Qx2G025926@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Jochen Neumeister
Subject: git: 8ac09f0e8578 - main - www/freenginx: Update to 1.26.0
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-BeenThere: dev-commits-ports-all@freebsd.org
Sender: owner-dev-commits-ports-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: joneum
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 8ac09f0e8578bd95c0bab4369c98c2e5bdc118ae
Auto-Submitted: auto-generated

The branch main has been updated by joneum:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8ac09f0e8578bd95c0bab4369c98c2e5bdc118ae

commit 8ac09f0e8578bd95c0bab4369c98c2e5bdc118ae
Author: Jochen Neumeister
AuthorDate: 2024-06-18 09:21:17 +0000
Commit: Jochen Neumeister
CommitDate: 2024-06-18 09:26:47 +0000

www/freenginx: Update to 1.26.0

Changelog: freenginx-1.26.0 stable version has been released, incorporating new features and bug fixes from the 1.25.x mainline branch — including experimental HTTP/3 support, improved mitigation of various DoS attacks, fixes in AIO handling, and more.
Adoption of the changes from www/nginx Sponsored by: Netzkommune GmbH --- www/freenginx/Makefile | 43 +- www/freenginx/Makefile.extmod | 82 +- www/freenginx/Makefile.options.desc | 7 +- www/freenginx/distinfo | 54 +- www/freenginx/files/extra-patch-httpv3 | 26867 ------------------- .../files/extra-patch-naxsi-libinjection__sqli_c | 13 + www/freenginx/files/extra-patch-naxsi_config | 26 + ...xtra-patch-nginx-opentracing-opentracing-config | 8 - .../extra-patch-nginx-thumbextractor-module-config | 25 + .../extra-patch-nginx_mod_h264_streaming-config | 41 - .../files/extra-patch-ngx_brotli_filter_config | 41 + .../files/extra-patch-ngx_http_streaming_module.c | 13 - .../files/extra-patch-ngx_stream_ssl_ct_module.c | 14 + .../files/extra-patch-passenger-build-nginx.rb | 4 +- .../files/extra-patch-passenger-disable-telemetry | 4 +- www/freenginx/pkg-descr | 2 +- www/freenginx/pkg-plist | 15 +- 17 files changed, 209 insertions(+), 27050 deletions(-) diff --git a/www/freenginx/Makefile b/www/freenginx/Makefile index 9311dfcdd792..007cf5adcd63 100644 --- a/www/freenginx/Makefile +++ b/www/freenginx/Makefile @@ -1,5 +1,5 @@ PORTNAME= nginx -PORTVERSION= 1.24.0 +PORTVERSION= 1.26.0 PORTREVISION?= 0 CATEGORIES= www MASTER_SITES= https://freenginx.org/download/ \ @@ -14,9 +14,9 @@ WWW= https://freenginx.org/ LICENSE= BSD2CLAUSE LICENSE_FILE= ${WRKSRC}/LICENSE -CONFLICTS_INSTALL= nginx-devel nginx +CONFLICTS_INSTALL= nginx nginx-devel -PORTSCOUT= limit:^1\.24\.[0-9]* +PORTSCOUT= limit:^1\.26\.[0-9]* USES= cpe 
@@ -79,11 +79,11 @@ OPTIONS_GROUP_MAILGRP= MAIL MAIL_IMAP MAIL_POP3 MAIL_SMTP MAIL_SSL OPTIONS_GROUP_STREAMGRP= STREAM STREAM_REALIP STREAM_SSL \ STREAM_SSL_PREREAD -OPTIONS_DEFINE= DEBUG DEBUGLOG DSO FILE_AIO IPV6 NJS NJS_XML THREADS WWW +OPTIONS_DEFINE= DEBUG DEBUGLOG DSO FILE_AIO IPV6 NJS NJS_XML OTEL THREADS WWW OPTIONS_DEFAULT?= DSO FILE_AIO HTTP HTTP_ADDITION HTTP_AUTH_REQ HTTP_CACHE \ HTTP_DAV HTTP_FLV HTTP_GUNZIP_FILTER HTTP_GZIP_STATIC HTTP_MP4 \ HTTP_RANDOM_INDEX HTTP_REALIP HTTP_SECURE_LINK HTTP_SLICE HTTP_SSL \ - HTTP_STATUS HTTP_SUB HTTPV2 MAIL MAIL_SSL STREAM \ + HTTP_STATUS HTTP_SUB HTTPV2 HTTPV3 MAIL MAIL_SSL STREAM \ STREAM_REALIP STREAM_SSL STREAM_SSL_PREREAD THREADS WWW LIB_DEPENDS+= libpcre2-8.so:devel/pcre2 @@ -169,10 +169,7 @@ HTTP_XSLT_LIB_DEPENDS= libxml2.so:textproc/libxml2 \ HTTP_XSLT_VARS= DSO_BASEMODS+=http_xslt_module HTTPV2_IMPLIES= HTTP_SSL HTTPV2_CONFIGURE_ON= --with-http_v2_module -HTTPV3_CONFIGURE_ON= --build=nginx-quic \ - --with-stream_quic_module \ - --with-http_v3_module -HTTPV3_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-httpv3:-p1 +HTTPV3_CONFIGURE_ON= --with-http_v3_module HTTPV3_BORING_BUILD_DEPENDS= ${LOCALBASE}/bin/bssl:security/boringssl HTTPV3_BORING_RUN_DEPENDS= ${LOCALBASE}/bin/bssl:security/boringssl HTTPV3_BORING_IMPLIES= HTTPV3 @@ -192,6 +189,7 @@ MAIL_SMTP_CONFIGURE_OFF= --without-mail_smtp_module MAIL_SSL_USES= ssl MAIL_SSL_CONFIGURE_ON= --with-mail_ssl_module STREAM_VARS= DSO_BASEMODS+=stream +STREAM_CONFIGURE_ON= --with-stream STREAM_REALIP_CONFIGURE_ON= --with-stream_realip_module STREAM_SSL_USES= ssl STREAM_SSL_CONFIGURE_ON= --with-stream_ssl_module 
@@ -247,8 +245,7 @@ CFLAGS+= -DNDEBUG CONFIGURE_ENV+= EXTRA_PRE_CXXFLAGS="-std=c++14" .endif -.if empty(PORT_OPTIONS:MLUA) && empty(PORT_OPTIONS:MMODSECURITY3) && \ - empty(PORT_OPTIONS:MPASSENGER) +.if empty(PORT_OPTIONS:MMODSECURITY3) && empty(PORT_OPTIONS:MPASSENGER) CONFIGURE_ARGS+= --with-ld-opt="-L ${LOCALBASE}/lib" .else CONFIGURE_ARGS+= --with-ld-opt="-L ${LOCALBASE}/lib -lpcre" @@ -271,9 +268,8 @@ pre-everything:: @${ECHO_MSG} post-extract-NAXSI-on: - @${MKDIR} ${WRKDIR}/naxsi-${NAXSI_NGINX_VER} - @${MV} ${WRKDIR}/naxsi_rules ${WRKDIR}/naxsi_src \ - ${WRKDIR}/naxsi-${NAXSI_NGINX_VER} + @${RMDIR} ${WRKSRC_naxsi}/naxsi_src/libinjection + @${LN} -s ${WRKSRC_libinjection} ${WRKSRC_naxsi}/naxsi_src/libinjection pre-patch-HTTPV3-on: @${MV} ${WRKSRC}/README ${WRKSRC}/README.1st @@ -285,7 +281,7 @@ post-patch: ${WRKSRC}/conf/nginx.conf post-patch-BROTLI-on: - @${REINPLACE_CMD} -E 's!^brotli=.*!brotli="${LOCALBASE}"!' ${WRKSRC_brotli}/config + @${REINPLACE_CMD} 's!%%PREFIX%%!${LOCALBASE}!g' ${WRKSRC_brotli}/filter/config post-patch-DRIZZLE-on: @${REINPLACE_CMD} 's!%%PREFIX%%!${LOCALBASE}!g' ${WRKSRC_drizzle}/config @@ -307,22 +303,12 @@ post-patch-HTTP_AUTH_KRB5-on: post-patch-HTTP_TARANTOOL-on: @${REINPLACE_CMD} 's!%%PREFIX%%!${LOCALBASE}!g' ${WRKSRC_nginx_tarantool}/config -# linker error acquire if --std=c99 defined, add "static" to inline function -post-patch-HTTP_ZIP-on: - @${REINPLACE_CMD} \ - 's!^inline!static inline!' \ - ${WRKSRC_mod_zip}/ngx_http_zip_parsers.* - post-patch-ICONV-on: @${REINPLACE_CMD} 's!%%PREFIX%%!${LOCALBASE}!g' ${WRKSRC_iconv}/config -post-patch-NAXSI-on: - @${REINPLACE_CMD} 's!MSIZE!TOK_MSIZE!g' \ - ${WRKSRC_naxsi}/naxsi_src/libinjection/src/libinjection_sqli.c - post-patch-PASSENGER-on: @${REINPLACE_CMD} \ - '177,179s!true!false!' \ + '168,170s!true!false!' \ ${WRKSRC_PASSENGER}/build/basics.rb @${REINPLACE_CMD} \ 's!-I/usr/include/libev!!; \ 
@@ -341,11 +327,6 @@ post-patch-SFLOW-on: 's!%%PREFIX%%!${LOCALBASE}!g' \ ${WRKSRC_sflow}/ngx_http_sflow_config.h -post-patch-VOD-on: - @${REINPLACE_CMD} \ - 's!%%PREFIX%%!${LOCALBASE}!g' \ - ${WRKSRC_vod}/config - pre-configure-SMALL_LIGHT-on: ( cd ${WRKSRC_small_light} && ./setup ) diff --git a/www/freenginx/Makefile.extmod b/www/freenginx/Makefile.extmod index f3f6d0526210..f6054544345a 100644 --- a/www/freenginx/Makefile.extmod +++ b/www/freenginx/Makefile.extmod @@ -2,16 +2,16 @@ OPTIONS_GROUP+= THIRDPARTYGRP # External modules (arrayvar MUST appear after devel_kit for build-dep) -OPTIONS_GROUP_THIRDPARTYGRP= AJP AWS_AUTH BROTLI CACHE_PURGE CLOJURE COOKIE_FLAG CT \ +OPTIONS_GROUP_THIRDPARTYGRP= AJP AWS_AUTH BROTLI CACHE_PURGE CT \ DEVEL_KIT ARRAYVAR DRIZZLE DYNAMIC_UPSTREAM ECHO ENCRYPTSESSION \ FIPS_CHECK FORMINPUT GRIDFS HEADERS_MORE HTTP_ACCEPT_LANGUAGE HTTP_AUTH_DIGEST \ HTTP_AUTH_KRB5 HTTP_AUTH_LDAP HTTP_AUTH_PAM HTTP_DAV_EXT HTTP_EVAL \ HTTP_FANCYINDEX HTTP_FOOTER HTTP_GEOIP2 HTTP_IP2LOCATION HTTP_IP2PROXY \ - HTTP_JSON_STATUS HTTP_MOGILEFS HTTP_MP4_H264 HTTP_NOTICE HTTP_PROXY_CONNECT HTTP_PUSH \ + HTTP_JSON_STATUS HTTP_MOGILEFS HTTP_NOTICE HTTP_PUSH \ HTTP_PUSH_STREAM HTTP_REDIS HTTP_SLICE_AHEAD HTTP_SUBS_FILTER HTTP_TARANTOOL \ HTTP_UPLOAD HTTP_UPLOAD_PROGRESS HTTP_UPSTREAM_CHECK HTTP_UPSTREAM_FAIR \ - HTTP_UPSTREAM_STICKY HTTP_VIDEO_THUMBEXTRACTOR HTTP_ZIP ICONV LET LINK LUA MEMC \ - MODSECURITY3 NAXSI OPENTRACING PASSENGER POSTGRES RDS_CSV RDS_JSON \ + HTTP_UPSTREAM_STICKY HTTP_VIDEO_THUMBEXTRACTOR HTTP_ZIP ICONV LET LINK LUA LUASTREAM \ + MEMC MODSECURITY3 NAXSI PASSENGER POSTGRES RDS_CSV RDS_JSON \ REDIS2 RTMP SET_MISC SFLOW SHIBBOLETH SLOWFS_CACHE SRCACHE STS \ VOD VTS XSS WEBSOCKIFY 
@@ -26,26 +26,18 @@ AWS_AUTH_GH_TUPLE= anomalizer:ngx_aws_auth:21931b2:aws_auth AWS_AUTH_VARS= DSO_EXTMODS+=aws_auth BROTLI_LIB_DEPENDS= libbrotlicommon.so:archivers/brotli -BROTLI_GH_TUPLE= google:ngx_brotli:9aec15e:brotli +BROTLI_GH_TUPLE= google:ngx_brotli:a71f931:brotli BROTLI_VARS= DSO_EXTMODS+=brotli +BROTLI_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-ngx_brotli_filter_config CACHE_PURGE_GH_TUPLE= nginx-modules:ngx_cache_purge:a84b0f3:cache_purge CACHE_PURGE_VARS= DSO_EXTMODS+=cache_purge -CLOJURE_CATEGORIES+= java -CLOJURE_USE= JAVA=yes JAVA_OS=native JAVA_VERSION=1.8 \ - JAVA_VENDOR=openjdk JAVA_BUILD=yes JAVA_RUN=yes -CLOJURE_GH_TUPLE= nginx-clojure:nginx-clojure:v0.6.0:clojure -CLOJURE_CONFIGURE_ENV= "JNI_INCS=-I${LOCALBASE}/openjdk8/include -I${LOCALBASE}/openjdk8/include/freebsd" -CLOJURE_VARS= DSO_EXTMODS+=clojure CLOJURE_SUBDIR=/src/c - -COOKIE_FLAG_GH_TUPLE= AirisX:nginx_cookie_flag_module:c4ff449:cookie_flag -COOKIE_FLAG_VARS= DSO_EXTMODS+=cookie_flag - CT_IMPLIES= HTTP_SSL CT_GH_TUPLE= grahamedgecombe:nginx-ct:93e9884:ct CT_VARS= DSO_EXTMODS+=ct -CT_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-nginx-ct-LibreSSL +CT_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-nginx-ct-LibreSSL \ + ${PATCHDIR}/extra-patch-ngx_stream_ssl_ct_module.c ECHO_GH_TUPLE= openresty:echo-nginx-module:5a402aa:echo ECHO_VARS= DSO_EXTMODS+=echo @@ -61,7 +53,7 @@ DYNAMIC_UPSTREAM_IMPLIES= STREAM DYNAMIC_UPSTREAM_GH_TUPLE= ZigzagAK:ngx_dynamic_upstream:960eef2:dynamic_upstream DYNAMIC_UPSTREAM_VARS= DSO_EXTMODS+=dynamic_upstream -DEVEL_KIT_GH_TUPLE= vision5:ngx_devel_kit:v0.3.2:devel_kit +DEVEL_KIT_GH_TUPLE= vision5:ngx_devel_kit:v0.3.3:devel_kit DEVEL_KIT_VARS= FIRST_DSO_EXTMODS+=devel_kit ENCRYPTSESSION_IMPLIES= DEVEL_KIT 
@@ -80,7 +72,7 @@ GRIDFS_LIB_DEPENDS= libbson-1.0.so:devel/libbson \ libmongoc-1.0.so:devel/mongo-c-driver GRIDFS_VARS= DSO_EXTMODS+=gridfs GRIDFS_SUBDIR=/nginx-gridfs -HEADERS_MORE_GH_TUPLE= openresty:headers-more-nginx-module:33b646d:headers_more +HEADERS_MORE_GH_TUPLE= openresty:headers-more-nginx-module:06dc0be:headers_more HEADERS_MORE_VARS= DSO_EXTMODS+=headers_more HTTP_ACCEPT_LANGUAGE_GH_TUPLE= dvershinin:nginx_accept_language_module:5683967:accept_language @@ -101,10 +93,6 @@ HTTP_AUTH_LDAP_USES= ldap HTTP_AUTH_PAM_GH_TUPLE= sto:ngx_http_auth_pam_module:v1.5.3:auth_pam HTTP_AUTH_PAM_VARS= DSO_EXTMODS+=auth_pam -HTTP_PROXY_CONNECT_GH_TUPLE= chobits:ngx_http_proxy_connect_module:75febef:mod_https_connect -HTTP_PROXY_CONNECT_EXTRA_PATCHES= ${WRKSRC_mod_https_connect}/patch/proxy_connect_rewrite_102101.patch:-p1 -HTTP_PROXY_CONNECT_VARS= DSO_EXTMODS+=mod_https_connect - HTTP_DAV_EXT_IMPLIES= HTTP_DAV HTTP_DAV_EXT_LIB_DEPENDS= libxml2.so:textproc/libxml2 \ libxslt.so:textproc/libxslt @@ -145,13 +133,6 @@ HTTP_MOGILEFS_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-ngx_http_mogilefs_module.c ${PATCHDIR}/extra-patch-nginx_mogilefs_module-config HTTP_MOGILEFS_VARS= DSO_EXTDIRS+=nginx_mogilefs_module-1.0.4 -HTTP_MP4_H264_MASTER_SITES= http://h264.code-shop.com/download/:mp4streaming -HTTP_MP4_H264_CONFIGURE_ON= --with-cc-opt="-DLARGEFILE_SOURCE -DBUILDING_NGINX" -HTTP_MP4_H264_DISTFILES= nginx_mod_h264_streaming-2.2.7.tar.gz:mp4streaming -HTTP_MP4_H264_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-ngx_http_streaming_module.c \ - ${PATCHDIR}/extra-patch-nginx_mod_h264_streaming-config -HTTP_MP4_H264_VARS= DSO_EXTDIRS+=nginx_mod_h264_streaming-2.2.7 - HTTP_NOTICE_GH_TUPLE= kr:nginx-notice:3c95966:notice HTTP_NOTICE_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-ngx_http_notice_module.c \ ${PATCHDIR}/extra-patch-nginx-notice-config 
@@ -206,10 +187,11 @@ HTTP_VIDEO_THUMBEXTRACTOR_LIB_DEPENDS= libavformat.so:multimedia/ffmpeg \ libavutil.so:multimedia/ffmpeg \ libswscale.so:multimedia/ffmpeg HTTP_VIDEO_THUMBEXTRACTOR_USES= jpeg -HTTP_VIDEO_THUMBEXTRACTOR_GH_TUPLE= Novetta:nginx-video-thumbextractor-module:28861f2:vte +HTTP_VIDEO_THUMBEXTRACTOR_GH_TUPLE= wandenberg:nginx-video-thumbextractor-module:e81f850:vte HTTP_VIDEO_THUMBEXTRACTOR_VARS= DSO_EXTMODS+=vte +HTTP_VIDEO_THUMBEXTRACTOR_EXTRA_PATCHES=${PATCHDIR}/extra-patch-nginx-thumbextractor-module-config -HTTP_ZIP_GH_TUPLE= evanmiller:mod_zip:39dc908:mod_zip +HTTP_ZIP_GH_TUPLE= vince2678:mod_zip:5b2604b:mod_zip HTTP_ZIP_VARS= DSO_EXTMODS+=mod_zip ICONV_IMPLIES= DEVEL_KIT @@ -229,6 +211,14 @@ LUA_CONFIGURE_ENV= LUAJIT_INC=${LOCALBASE}/include/luajit-2.1 \ LUA_GH_TUPLE= openresty:lua-nginx-module:v0.10.26:lua LUA_VARS= DSO_EXTMODS+=lua +LUASTREAM_IMPLIES= DEVEL_KIT +LUASTREAM_LIB_DEPENDS= libluajit-5.1.so:lang/luajit-openresty +LUASTREAM_RUN_DEPENDS= lua-resty-core>0:www/lua-resty-core +LUASTREAM_CONFIGURE_ENV=LUAJIT_INC=${LOCALBASE}/include/luajit-2.1 \ + LUAJIT_LIB=${LOCALBASE}/lib +LUASTREAM_GH_TUPLE= openresty:stream-lua-nginx-module:v0.0.14:luastream +LUASTREAM_VARS= DSO_EXTMODS+=luastream + LINK_GH_TUPLE= Taymindis:nginx-link-function:3.2.4:link LINK_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-nginx-link-function-config \ ${PATCHDIR}/extra-patch-ngx_link_func_module.c 
@@ -243,24 +233,32 @@ MODSECURITY3_GH_TUPLE= SpiderLabs:ModSecurity-nginx:v1.0.3:modsecurity3 MODSECURITY3_VARS= DSO_EXTMODS+=modsecurity3 NAXSI_NGINX_VER= 1.6 -NAXSI_MASTER_SITES= https://www.github.com/wargio/naxsi/releases/download/${NAXSI_NGINX_VER}/:naxsi -NAXSI_DISTFILES= naxsi-${NAXSI_NGINX_VER}-src-with-deps.tar.gz:naxsi +NAXSI_GH_TUPLE= wargio:naxsi:${NAXSI_NGINX_VER}:naxsi \ + libinjection:libinjection:4aa3894:libinjection NAXSI_VARS= DSO_EXTMODS+=naxsi NAXSI_SUBDIR=/naxsi_src -WRKSRC_naxsi= ${WRKDIR}/naxsi-${NAXSI_NGINX_VER} +NAXSI_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-naxsi-libinjection__sqli_c \ + ${PATCHDIR}/extra-patch-naxsi_config -NJS_GH_TUPLE= nginx:njs:0.8.0:njs +NJS_GH_TUPLE= nginx:njs:0.8.4:njs NJS_VARS= DSO_EXTMODS+=njs NJS_SUBDIR=/nginx +NJS_IMPLIES= STREAM -NJS_XML_IMPLIES= NJS +NJS_XML_IMPLIES= HTTP NJS NJS_XML_LIB_DEPENDS= libxml2.so:textproc/libxml2 \ libxslt.so:textproc/libxslt -OPENTRACING_GH_TUPLE= opentracing-contrib:nginx-opentracing:v0.24.0:opentracing -OPENTRACING_LIB_DEPENDS= libopentracing.so:devel/libopentracing -OPENTRACING_VARS= DSO_EXTMODS+=opentracing OPENTRACING_SUBDIR=/opentracing -OPENTRACING_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-nginx-opentracing-opentracing-config - -PASSENGER_NGINX_VER= 6.0.17 +OTEL_GH_TUPLE= osokin:nginx-otel:8f0857d:otel +OTEL_VARS= DSO_EXTMODS+=otel OTEL_SUBDIR=/ +OTEL_LIB_DEPENDS= libabsl_base.so:devel/abseil \ + libcares.so:dns/c-ares \ + libgrpc.so:devel/grpc \ + libopentelemetry_common.so:devel/opentelemetry-cpp \ + libprotobuf.so:devel/protobuf \ + libre2.so:devel/re2 +OTEL_BUILD_DEPENDS= ${LOCALBASE}/include/opentelemetry/proto/common/v1/common.proto:devel/opentelemetry-proto +OTEL_CONFIGURE_ENV+= NGX_OTEL_PROTO_DIR=${PREFIX}/include + +PASSENGER_NGINX_VER= 6.0.20 PASSENGER_CATEGORIES= ruby PASSENGER_USES= ruby PASSENGER_BUILD_DEPENDS=${LOCALBASE}/bin/rake:devel/rubygem-rake 
diff --git a/www/freenginx/Makefile.options.desc b/www/freenginx/Makefile.options.desc index dc7f5a7c47a1..9ab1054b57ef 100644 --- a/www/freenginx/Makefile.options.desc +++ b/www/freenginx/Makefile.options.desc @@ -3,8 +3,6 @@ ARRAYVAR_DESC= 3rd party array_var module AWS_AUTH_DESC= 3rd party aws auth module BROTLI_DESC= 3rd party brotli module CACHE_PURGE_DESC= 3rd party cache_purge module -CLOJURE_DESC= 3rd party clojure module -COOKIE_FLAG_DESC= 3rd party cookie_flag module CT_DESC= 3rd party cert_transparency module (SSL req.) DEBUGLOG_DESC= Enable debug log (--with-debug) DEVEL_KIT_DESC= 3rd party Nginx Development Kit module @@ -51,10 +49,8 @@ HTTP_IP2PROXY_DESC= 3rd party ip2proxy-nginx module HTTP_JSON_STATUS_DESC= 3rd party http_json_status module HTTP_MOGILEFS_DESC= 3rd party mogilefs module HTTP_MP4_DESC= Enable http_mp4 module -HTTP_MP4_H264_DESC= 3rd party mp4/h264 module HTTP_NOTICE_DESC= 3rd party notice module HTTP_PERL_DESC= Enable http_perl module -HTTP_PROXY_CONNECT_DESC= 3rd party https proxy connect module HTTP_PUSH_DESC= 3rd party push module HTTP_PUSH_STREAM_DESC= 3rd party push stream module HTTP_RANDOM_INDEX_DESC= Enable http_random_index module @@ -82,6 +78,7 @@ IPV6_DESC= Enable IPv6 support LET_DESC= 3rd party let module LINK_DESC= 3rd party link function module LUA_DESC= 3rd party lua module +LUASTREAM_DESC= 3rd party lua stream module MAILGRP_DESC= Modules that require MAIL module MAIL_DESC= Enable IMAP4/POP3/SMTP proxy module MAIL_IMAP_DESC= Enable IMAP4 proxy module @@ -93,7 +90,7 @@ MODSECURITY3_DESC= 3rd party modsecurity3 module NAXSI_DESC= 3rd party naxsi module NJS_DESC= Enable javascript (NJS) module NJS_XML_DESC= Enable XML functionality in NJS module -OPENTRACING_DESC= 3rd party opentracing module +OTEL_DESC= Enable OpenTELemetry module PASSENGER_DESC= 3rd party passenger module POSTGRES_DESC= 3rd party postgres module RDS_CSV_DESC= 3rd party rds_csv module 
diff --git a/www/freenginx/distinfo b/www/freenginx/distinfo index 4a4c3c991169..b797fb230db7 100644 --- a/www/freenginx/distinfo +++ b/www/freenginx/distinfo 
@@ -1,34 +1,26 @@ -TIMESTAMP = 1708852054 -SHA256 (nginx-1.24.0.tar.gz) = 77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d -SIZE (nginx-1.24.0.tar.gz) = 1112471 +TIMESTAMP = 1718532898 +SHA256 (nginx-1.26.0.tar.gz) = d2e6c8439d6c6db5015d8eaab2470ab52aef85a7bf363182879977e084370497 +SIZE (nginx-1.26.0.tar.gz) = 1244118 SHA256 (nginx_mogilefs_module-1.0.4.tar.gz) = 7ac230d30907f013dff8d435a118619ea6168aa3714dba62c6962d350c6295ae SIZE (nginx_mogilefs_module-1.0.4.tar.gz) = 11208 -SHA256 (nginx_mod_h264_streaming-2.2.7.tar.gz) = 6d974ba630cef59de1f60996c66b401264a345d25988a76037c2856cec756c19 -SIZE (nginx_mod_h264_streaming-2.2.7.tar.gz) = 44012 SHA256 (ngx_http_redis-0.3.9.tar.gz) = 21f87540f0a44b23ffa5df16fb3d788bc90803b255ef14f9c26e3847a6f26f46 SIZE (ngx_http_redis-0.3.9.tar.gz) = 13051 -SHA256 (naxsi-1.6-src-with-deps.tar.gz) = 1add95e5e473fca58b18356fd896221f98a122450d5b6e91b4352ef726f98a06 -SIZE (naxsi-1.6-src-with-deps.tar.gz) = 3352718 -SHA256 (passenger-6.0.17.tar.gz) = 385559ed1d78eb83165222d568721dcc4222bb57c1939811ecd2c4ef33937ba7 -SIZE (passenger-6.0.17.tar.gz) = 8422867 +SHA256 (passenger-6.0.20.tar.gz) = fa8d9a37edb92f4a8f064b3005b57bccf10392ce4eb067838883206060e27107 +SIZE (passenger-6.0.20.tar.gz) = 8476308 SHA256 (msva-nginx_ajp_module-fcbb2cc_GH0.tar.gz) = 522e94c59f5783f281d868ede2adf325bf2f8ffb9e62cf8451d4b9ac0516916c SIZE (msva-nginx_ajp_module-fcbb2cc_GH0.tar.gz) = 110807 SHA256 (openresty-array-var-nginx-module-v0.05_GH0.tar.gz) = c949d4be6f3442c8e2937046448dc8d8def25c0e0fa6f4e805144cea45eabe80 SIZE (openresty-array-var-nginx-module-v0.05_GH0.tar.gz) = 11280 SHA256 (anomalizer-ngx_aws_auth-21931b2_GH0.tar.gz) = d8a2422da96a638e9a911e4edb592954d9c0fe1576456fec9809ef4e2a0a863d SIZE (anomalizer-ngx_aws_auth-21931b2_GH0.tar.gz) = 15580 -SHA256 (google-ngx_brotli-9aec15e_GH0.tar.gz) = 0177b1158ff7092b9996346de28a0b296dc33addb2af4e8904794d19b4a9a808 -SIZE (google-ngx_brotli-9aec15e_GH0.tar.gz) = 16194 +SHA256 
(google-ngx_brotli-a71f931_GH0.tar.gz) = b3312a045d5303a40d02beb34711b8ca27f7b72d647e9ee2012a8eddd14d9b22 +SIZE (google-ngx_brotli-a71f931_GH0.tar.gz) = 16376 SHA256 (nginx-modules-ngx_cache_purge-a84b0f3_GH0.tar.gz) = ddfd4fdd99075d906b7b75c49f56ec96b76df7951dfa54502e0f83890447031f SIZE (nginx-modules-ngx_cache_purge-a84b0f3_GH0.tar.gz) = 17162 -SHA256 (nginx-clojure-nginx-clojure-v0.6.0_GH0.tar.gz) = e8215cdebc3eb13f852c10e9bbbf315f2e1b75bb4dec015ca60ec29efcb86509 -SIZE (nginx-clojure-nginx-clojure-v0.6.0_GH0.tar.gz) = 786029 -SHA256 (AirisX-nginx_cookie_flag_module-c4ff449_GH0.tar.gz) = 4b8c1c1e1ed59ed85751f4bd7d68026ad5051103c8b983e05ad17eb0cdab138e -SIZE (AirisX-nginx_cookie_flag_module-c4ff449_GH0.tar.gz) = 4713 SHA256 (grahamedgecombe-nginx-ct-93e9884_GH0.tar.gz) = 72fdd125b9207cdda135f368095f85b943a78a4ff004d1cd217972e12b1571b2 SIZE (grahamedgecombe-nginx-ct-93e9884_GH0.tar.gz) = 7224 -SHA256 (vision5-ngx_devel_kit-v0.3.2_GH0.tar.gz) = aa961eafb8317e0eb8da37eb6e2c9ff42267edd18b56947384e719b85188f58b -SIZE (vision5-ngx_devel_kit-v0.3.2_GH0.tar.gz) = 66551 +SHA256 (vision5-ngx_devel_kit-v0.3.3_GH0.tar.gz) = faa2fcd5168b10764d35081356511d5f84db5c526a1aa4b6add2db94b6853b2b +SIZE (vision5-ngx_devel_kit-v0.3.3_GH0.tar.gz) = 66561 SHA256 (openresty-drizzle-nginx-module-3504fc6_GH0.tar.gz) = 86076735597f14db28cffabc0ab1f233cd51aab7cf112c56e267783e7814fc65 SIZE (openresty-drizzle-nginx-module-3504fc6_GH0.tar.gz) = 51596 SHA256 (ZigzagAK-ngx_dynamic_upstream-960eef2_GH0.tar.gz) = 86e7c6ed6dba2d4c5f5b87ecb91f25ccdb7a08b8a88236e632114f830b9e354b 
@@ -43,8 +35,8 @@ SHA256 (calio-form-input-nginx-module-v0.12_GH0.tar.gz) = 5c1869d55897075adb3fdf SIZE (calio-form-input-nginx-module-v0.12_GH0.tar.gz) = 11090 SHA256 (nieoding-nginx-gridfs-059bdc3_GH0.tar.gz) = 9b059b5ae7b602d12d32d5ebe2700827ea625f22c0fb3b9956242e11de63845b SIZE (nieoding-nginx-gridfs-059bdc3_GH0.tar.gz) = 4674 -SHA256 (openresty-headers-more-nginx-module-33b646d_GH0.tar.gz) = 4e68ef77ce8bc3c248c04ddc112bb2230adf2de84c77430cedc8a4458ffb7369 -SIZE (openresty-headers-more-nginx-module-33b646d_GH0.tar.gz) = 28812 +SHA256 (openresty-headers-more-nginx-module-06dc0be_GH0.tar.gz) = 883b1e31d59f3eb1e76b34259711ad65a3443102973dcf22df329397f3d5eaa4 +SIZE (openresty-headers-more-nginx-module-06dc0be_GH0.tar.gz) = 29438 SHA256 (dvershinin-nginx_accept_language_module-5683967_GH0.tar.gz) = a58feb576f2231498b8a3863d3c6fba45c7d48bc48735fa714e07a7bfbedb6e3 SIZE (dvershinin-nginx_accept_language_module-5683967_GH0.tar.gz) = 3425 SHA256 (atomx-nginx-http-auth-digest-274490c_GH0.tar.gz) = 0839c33c2f8d519f92daae274f62cf87eb68415d562c6500ee3e3721ce80557c @@ -73,8 +65,6 @@ SHA256 (nginx-modules-ngx_http_json_status_module-1d2f303_GH0.tar.gz) = fdc34e0e SIZE (nginx-modules-ngx_http_json_status_module-1d2f303_GH0.tar.gz) = 6736 SHA256 (kr-nginx-notice-3c95966_GH0.tar.gz) = e829fc94178cc8c91fef15a1fc44ee7ac162c13eddc0bba4c9427aaa23386885 SIZE (kr-nginx-notice-3c95966_GH0.tar.gz) = 3343 -SHA256 (chobits-ngx_http_proxy_connect_module-75febef_GH0.tar.gz) = 6169361f31607af0ec8c78b356e62c2aeb128649161d688d7ea92f4d2c1c39f9 -SIZE (chobits-ngx_http_proxy_connect_module-75febef_GH0.tar.gz) = 32645 SHA256 (slact-nchan-v1.3.6_GH0.tar.gz) = ba0b7cc6b710a20ce1ed2554caf56154035291aaf115e407d7a6bb699fde42df SIZE (slact-nchan-v1.3.6_GH0.tar.gz) = 761436 SHA256 (wandenberg-nginx-push-stream-module-8c02220_GH0.tar.gz) = ab4fbe236e8bc500f0c5e13403d6a0e2e4e4ec17b81e0fcedaf669b4339626a6 
@@ -93,10 +83,10 @@ SHA256 (jaygooby-nginx-upstream-fair-10ecdcf_GH0.tar.gz) = 93f71b7cf0db9c6dbf97e SIZE (jaygooby-nginx-upstream-fair-10ecdcf_GH0.tar.gz) = 10433 SHA256 (dvershinin-nginx-sticky-module-ng-2753211_GH0.tar.gz) = e4a533dfa214ea28122301aeebbb1a38e1d1972edb7ee9bc72271c14f2693005 SIZE (dvershinin-nginx-sticky-module-ng-2753211_GH0.tar.gz) = 120676 -SHA256 (Novetta-nginx-video-thumbextractor-module-28861f2_GH0.tar.gz) = 04656da527d9e64cbdf1bf475a93193fa60324ffea160d05d4cc53c864943bc1 -SIZE (Novetta-nginx-video-thumbextractor-module-28861f2_GH0.tar.gz) = 34447 -SHA256 (evanmiller-mod_zip-39dc908_GH0.tar.gz) = bc5c3d725268abbe1c5c38de5b18a4ad9dbe5821c4afeaccabd3eec38b272be4 -SIZE (evanmiller-mod_zip-39dc908_GH0.tar.gz) = 30275 +SHA256 (wandenberg-nginx-video-thumbextractor-module-e81f850_GH0.tar.gz) = 9113f887a8740fe72614ee32f481177d33e9542c3b0625627da19a1c4f3da2cb +SIZE (wandenberg-nginx-video-thumbextractor-module-e81f850_GH0.tar.gz) = 2710072 +SHA256 (vince2678-mod_zip-5b2604b_GH0.tar.gz) = 4fe63be3b842882494152e586f0b87e73f51bfbfd801b78f033c71a011cba789 +SIZE (vince2678-mod_zip-5b2604b_GH0.tar.gz) = 29559 SHA256 (calio-iconv-nginx-module-v0.14_GH0.tar.gz) = b8b9f355c05c0790226512f6732348a2404d48531688a1fc04ce6768163bf462 SIZE (calio-iconv-nginx-module-v0.14_GH0.tar.gz) = 13133 SHA256 (baysao-nginx-let-module-c1f23aa_GH0.tar.gz) = 7393809d5d8877812da1bd5b5fbd1d8b00bc85e71f2f387c344f007773e49050 
@@ -105,14 +95,20 @@ SHA256 (Taymindis-nginx-link-function-3.2.4_GH0.tar.gz) = 20c3679199ba7efe1598f0 SIZE (Taymindis-nginx-link-function-3.2.4_GH0.tar.gz) = 139656 SHA256 (openresty-lua-nginx-module-v0.10.26_GH0.tar.gz) = a75983287a2bdc5e964ace56a51b215dc2ec996639d4916cd393d6ebba94b565 SIZE (openresty-lua-nginx-module-v0.10.26_GH0.tar.gz) = 745785 +SHA256 (openresty-stream-lua-nginx-module-v0.0.14_GH0.tar.gz) = 8e2ff6ad5f91127da3c01757e7e654f1addf9769450d9159601d2cc153953c47 +SIZE (openresty-stream-lua-nginx-module-v0.0.14_GH0.tar.gz) = 381313 SHA256 (openresty-memc-nginx-module-v0.19_GH0.tar.gz) = 8c2bdbe875e4f5225d0778bfb09a2668f9281d7de6218c7b462a7ba2cee06fe8 SIZE (openresty-memc-nginx-module-v0.19_GH0.tar.gz) = 34654 SHA256 (SpiderLabs-ModSecurity-nginx-v1.0.3_GH0.tar.gz) = 32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b SIZE (SpiderLabs-ModSecurity-nginx-v1.0.3_GH0.tar.gz) = 34063 -SHA256 (nginx-njs-0.8.0_GH0.tar.gz) = b98033fff6aadcbb8e108b96e80c0d94c6e2103bcbe75846b5ae0b560696084b -SIZE (nginx-njs-0.8.0_GH0.tar.gz) = 715391 -SHA256 (opentracing-contrib-nginx-opentracing-v0.24.0_GH0.tar.gz) = 5328c5f37e0615b5252aed51b9cd40f3d14989d995ad54134076aeda4ab9b280 -SIZE (opentracing-contrib-nginx-opentracing-v0.24.0_GH0.tar.gz) = 679417 +SHA256 (wargio-naxsi-1.6_GH0.tar.gz) = e5920fdd09cae155b89eb21a94a21c029ebfdb056c284130221525be54044aae +SIZE (wargio-naxsi-1.6_GH0.tar.gz) = 1116227 +SHA256 (libinjection-libinjection-4aa3894_GH0.tar.gz) = ededea133e89e238ef2e60d0d62ef7ef9e741449eed8c5d856007132505bcd5b +SIZE (libinjection-libinjection-4aa3894_GH0.tar.gz) = 2218294 +SHA256 (nginx-njs-0.8.4_GH0.tar.gz) = fe197e254204c15e9f1df0acf375add57be3416901ec8d7b87319dccb490f90d +SIZE (nginx-njs-0.8.4_GH0.tar.gz) = 743910 +SHA256 (osokin-nginx-otel-8f0857d_GH0.tar.gz) = bbf93813928460bdaf78f752f74ecc6c34d13078e97fdffcaa29dbd8689314fc +SIZE (osokin-nginx-otel-8f0857d_GH0.tar.gz) = 30197 SHA256 (konstruxi-ngx_postgres-8aa7359_GH0.tar.gz) = 
c69ad4495de7c7883ebc23e1e6c4cc83a4ac6a7fddd4d5c12e49d33b65f7c50b SIZE (konstruxi-ngx_postgres-8aa7359_GH0.tar.gz) = 48544 SHA256 (openresty-rds-csv-nginx-module-v0.09_GH0.tar.gz) = 896be99c0cad50218417800a159e43ec088d6b58c099472ed3b3d7f179d6c0ea diff --git a/www/freenginx/files/extra-patch-httpv3 b/www/freenginx/files/extra-patch-httpv3 deleted file mode 100644 index c49f591c25d5..000000000000 --- a/www/freenginx/files/extra-patch-httpv3 +++ /dev/null 
@@ -1,26867 +0,0 @@ -diff -r ac779115ed6e README ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/README Thu May 11 11:48:37 2023 -0400 -@@ -0,0 +1,386 @@ -+Experimental QUIC support for nginx -+----------------------------------- -+ -+1. Introduction -+2. Building from sources -+3. Configuration -+4. Directives -+5. Clients -+6. Troubleshooting -+7. Contributing -+8. Links -+ -+1. Introduction -+ -+ This is an experimental QUIC [1] / HTTP/3 [2] support for nginx. -+ -+ The code is developed in a separate "quic" branch available -+ at https://hg.nginx.org/nginx-quic. Currently it is based -+ on nginx mainline 1.23.x. We merge new nginx releases into -+ this branch regularly. -+ -+ The project code base is under the same BSD license as nginx. -+ -+ The code is currently at a beta level of quality, however -+ there are several production deployments with it. -+ -+ NGINX Development Team is working on improving HTTP/3 support to -+ integrate it into the main NGINX codebase. Thus, expect further -+ updates of this code, including features, changes in behaviour, -+ bug fixes, and refactoring. NGINX Development team will be -+ grateful for any feedback and code submissions. -+ -+ Please contact NGINX Development Team via nginx-devel mailing list [3]. -+ -+ What works now: -+ -+ IETF QUIC version 1 is supported. Internet drafts are no longer supported. -+ -+ nginx should be able to respond to HTTP/3 requests over QUIC and -+ it should be possible to upload and download big files without errors. 
-+ -+ + The handshake completes successfully -+ + One endpoint can update keys and its peer responds correctly -+ + 0-RTT data is being received and acted on -+ + Connection is established using TLS Resume Ticket -+ + A handshake that includes a Retry packet completes successfully -+ + Stream data is being exchanged and ACK'ed -+ + An H3 transaction succeeded -+ + One or both endpoints insert entries into dynamic table and -+ subsequently reference them from header blocks -+ + Version Negotiation packet is sent to client with unknown version -+ + Lost packets are detected and retransmitted properly -+ + Clients may migrate to new address -+ -+2. Building from sources -+ -+ The build is configured using the configure command. -+ Refer to http://nginx.org/en/docs/configure.html for details. -+ -+ When configuring nginx, it's possible to enable QUIC and HTTP/3 -+ using the following new configuration options: -+ -+ --with-http_v3_module - enable QUIC and HTTP/3 -+ --with-stream_quic_module - enable QUIC in Stream -+ -+ A library that provides QUIC support is recommended to build nginx, there -+ are several of those available on the market: -+ + BoringSSL [4] -+ + LibreSSL [5] -+ + QuicTLS [6] -+ -+ Alternatively, nginx can be configured with OpenSSL compatibility -+ layer, which emulates BoringSSL QUIC API for OpenSSL. This mode is -+ enabled by default if native QUIC support is not detected. -+ 0-RTT is not supported in OpenSSL compatibility mode. 
-+ -+ Clone the NGINX QUIC repository -+ -+ $ hg clone -b quic https://hg.nginx.org/nginx-quic -+ $ cd nginx-quic -+ -+ Use the following command to configure nginx with BoringSSL [4] -+ -+ $ ./auto/configure --with-debug --with-http_v3_module \ -+ --with-cc-opt="-I../boringssl/include" \ -+ --with-ld-opt="-L../boringssl/build/ssl \ -+ -L../boringssl/build/crypto" -+ $ make -+ -+ Alternatively, nginx can be configured with QuicTLS [6] -+ -+ $ ./auto/configure --with-debug --with-http_v3_module \ -+ --with-cc-opt="-I../quictls/build/include" \ -+ --with-ld-opt="-L../quictls/build/lib" -+ -+ Alternatively, nginx can be configured with a modern version -+ of LibreSSL [7] -+ -+ $ ./auto/configure --with-debug --with-http_v3_module \ -+ --with-cc-opt="-I../libressl/build/include" \ -+ --with-ld-opt="-L../libressl/build/lib" -+ -+3. Configuration -+ -+ The HTTP "listen" directive got a new option "quic" which enables -+ QUIC as client transport protocol instead of TCP. -+ -+ The Stream "listen" directive got a new option "quic" which enables -+ QUIC as client transport protocol instead of TCP or plain UDP. -+ -+ Along with "quic", it's also possible to specify "reuseport" -+ option [8] to make it work properly with multiple workers. -+ -+ To enable address validation: -+ -+ quic_retry on; -+ -+ To enable 0-RTT: -+ -+ ssl_early_data on; -+ -+ To enable GSO (Generic Segmentation Offloading): -+ -+ quic_gso on; -+ -+ To limit maximum UDP payload size on receive path: -+ -+ quic_mtu ; -+ -+ To set host key for various tokens: -+ -+ quic_host_key ; -+ -+ QUIC requires TLSv1.3 protocol, which is enabled by the default -+ by "ssl_protocols" directive. -+ -+ By default, GSO Linux-specific optimization [10] is disabled. -+ Enable it in case a corresponding network interface is configured to -+ support GSO. 
-+ -+ A number of directives were added that configure HTTP/3: -+ -+ http3 -+ http3_hq -+ http3_stream_buffer_size -+ http3_max_concurrent_pushes -+ http3_max_concurrent_streams -+ http3_push -+ http3_push_preload -+ -+ In http, an additional variable is available: $http3. -+ The value of $http3 is "h3" for HTTP/3 connections, -+ "hq" for hq connections, or an empty string otherwise. -+ -+ In stream, an additional variable is available: $quic. -+ The value of $quic is "quic" if QUIC connection is used, -+ or an empty string otherwise. -+ -+Example configuration: -+ -+ http { -+ log_format quic '$remote_addr - $remote_user [$time_local] ' -+ '"$request" $status $body_bytes_sent ' -+ '"$http_referer" "$http_user_agent" "$http3"'; -+ -+ access_log logs/access.log quic; -+ -+ server { -+ # for better compatibility it's recommended -+ # to use the same port for quic and https -+ listen 8443 quic reuseport; -+ listen 8443 ssl; -+ -+ ssl_certificate certs/example.com.crt; -+ ssl_certificate_key certs/example.com.key; -+ -+ location / { -+ # required for browsers to direct them into quic port -+ add_header Alt-Svc 'h3=":8443"; ma=86400'; -+ } -+ } -+ } -+ -+4. Directives -+ -+ Syntax: quic_bpf on | off; -+ Default: quic_bpf off; -+ Context: main -+ -+ Enables routing of QUIC packets using eBPF. -+ When enabled, this allows to support QUIC connection migration. -+ The directive is only supported on Linux 5.7+. -+ -+ -+ Syntax: quic_retry on | off; -+ Default: quic_retry off; -+ Context: http | stream, server -+ -+ Enables the QUIC Address Validation feature. This includes: -+ - sending a new token in a Retry packet or a NEW_TOKEN frame -+ - validating a token received in the Initial packet -+ -+ -+ Syntax: quic_gso on | off; -+ Default: quic_gso off; -+ Context: http | stream, server -+ -+ Enables sending in optimized batch mode using segmentation offloading. -+ Optimized sending is only supported on Linux featuring UDP_SEGMENT. 
-+ -+ -+ Syntax: quic_mtu size; -+ Default: quic_mtu 65527; -+ Context: http | stream, server -+ -+ Sets the QUIC max_udp_payload_size transport parameter value. -+ This is the maximum UDP payload that we are willing to receive. -+ -+ -+ Syntax: quic_host_key file; -+ Default: - -+ Context: http | stream, server -+ -+ Specifies a file with the secret key used to encrypt stateless reset and -+ address validation tokens. By default, a randomly generated key is used. -+ -+ -+ Syntax: quic_active_connection_id_limit number; -+ Default: quic_active_connection_id_limit 2; -+ Context: http | stream, server -+ -+ Sets the QUIC active_connection_id_limit transport parameter value. -+ This is the maximum number of connection IDs we are willing to store. -+ -+ -+ Syntax: quic_timeout time; -+ Default: quic_timeout 60s; -+ Context: stream, server -+ -+ Defines a timeout used to negotiate the QUIC idle timeout. -+ In the http module, it is taken from the keepalive_timeout directive. -+ -+ -+ Syntax: quic_stream_buffer_size size; -+ Default: quic_stream_buffer_size 64k; -+ Context: stream, server -+ -+ Syntax: http3_stream_buffer_size size; -+ Default: http3_stream_buffer_size 64k; -+ Context: http, server -+ -+ Sets buffer size for reading and writing of the QUIC STREAM payload. -+ The buffer size is used to calculate initial flow control limits -+ in the following QUIC transport parameters: -+ - initial_max_data -+ - initial_max_stream_data_bidi_local -+ - initial_max_stream_data_bidi_remote -+ - initial_max_stream_data_uni -+ -+ -+ Syntax: http3_max_concurrent_pushes number; -+ Default: http3_max_concurrent_pushes 10; -+ Context: http, server -+ -+ Limits the maximum number of concurrent push requests in a connection. -+ -+ -+ Syntax: http3_max_concurrent_streams number; -+ Default: http3_max_concurrent_streams 128; -+ Context: http, server -+ -+ Sets the maximum number of concurrent HTTP/3 streams in a connection. 
-+ -+ -+ Syntax: http3_push uri | off; -+ Default: http3_push off; -+ Context: http, server, location -+ -+ Pre-emptively sends (pushes) a request to the specified uri along with -+ the response to the original request. Only relative URIs with absolute -+ path will be processed, for example: -+ -+ http3_push /static/css/main.css; -+ -+ The uri value can contain variables. -+ -+ Several http3_push directives can be specified on the same configuration -+ level. The off parameter cancels the effect of the http3_push directives -+ inherited from the previous configuration level. -+ -+ -+ Syntax: http3_push_preload on | off; -+ Default: http3_push_preload off; -+ Context: http, server, location -+ -+ Enables automatic conversion of preload links specified in the “Link” -+ response header fields into push requests. -+ -+ -+ Syntax: http3 on | off; -+ Default: http3 on; -+ Context: http, server -+ -+ Enables HTTP/3 protocol negotiation. -+ -+ -+ Syntax: http3_hq on | off; -+ Default: http3_hq off; -+ Context: http, server -+ -+ Enables HTTP/0.9 protocol negotiation used in QUIC interoperability tests. -+ -+5. Clients -+ -+ * Browsers -+ -+ Known to work: Firefox 90+ and Chrome 92+ (QUIC version 1) -+ -+ Beware of strange issues: sometimes browser may decide to ignore QUIC -+ Cache clearing/restart might help. Always check access.log and -+ error.log to make sure the browser is using HTTP/3 and not TCP https. -+ -+ * Console clients -+ -+ Known to work: ngtcp2, firefox's neqo and chromium's console clients: -+ -+ $ examples/client 127.0.0.1 8443 https://example.com:8443/index.html -+ -+ $ ./neqo-client https://127.0.0.1:8443/ -+ -+ $ chromium-build/out/my_build/quic_client http://example.com:8443 -+ -+ -+ In case everyhing is right, the access log should show something like: -+ -+ 127.0.0.1 - - [24/Apr/2020:11:27:29 +0300] "GET / HTTP/3" 200 805 "-" -+ "nghttp3/ngtcp2 client" "quic" -+ -+ -+6. 
Troubleshooting -+ -+ Here are some tips that may help to identify problems: -+ -+ + Ensure nginx is built with proper SSL library that supports QUIC -+ -+ + Ensure nginx is using the proper SSL library in runtime -+ (`nginx -V` shows what it's using) -+ -+ + Ensure a client is actually sending requests over QUIC -+ (see "Clients" section about browsers and cache) -+ -+ We recommend to start with simple console client like ngtcp2 -+ to ensure the server is configured properly before trying -+ with real browsers that may be very picky with certificates, -+ for example. -+ -+ + Build nginx with debug support [9] and check the debug log. -+ It should contain all details about connection and why it -+ failed. All related messages contain "quic " prefix and can -+ be easily filtered out. -+ -+ + For a deeper investigation, please enable additional debugging -+ in src/event/quic/ngx_event_quic_connection.h: -+ -+ #define NGX_QUIC_DEBUG_PACKETS -+ #define NGX_QUIC_DEBUG_FRAMES -+ #define NGX_QUIC_DEBUG_ALLOC -+ #define NGX_QUIC_DEBUG_CRYPTO -+ -+7. Contributing -+ -+ Please refer to -+ http://nginx.org/en/docs/contributing_changes.html -+ -+8. Links -+ -+ [1] https://datatracker.ietf.org/doc/html/rfc9000 -+ [2] https://datatracker.ietf.org/doc/html/rfc9114 -+ [3] https://mailman.nginx.org/mailman/listinfo/nginx-devel -+ [4] https://boringssl.googlesource.com/boringssl/ -+ [5] https://www.libressl.org/ -+ [6] https://github.com/quictls/openssl -+ [7] https://github.com/libressl-portable/portable/releases/tag/v3.6.0 -+ [8] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen -+ [9] https://nginx.org/en/docs/debugging_log.html -+ [10] http://vger.kernel.org/lpc_net2018_talks/willemdebruijn-lpc2018-udpgso-paper-DRAFT-1.pdf -diff -r ac779115ed6e auto/lib/openssl/conf ---- a/auto/lib/openssl/conf Tue Mar 28 18:01:53 2023 +0300 -+++ b/auto/lib/openssl/conf Thu May 11 11:48:37 2023 -0400 -@@ -5,12 +5,17 @@ - - if [ $OPENSSL != NONE ]; then - -+ have=NGX_OPENSSL . 
auto/have -+ have=NGX_SSL . auto/have -+ -+ if [ $USE_OPENSSL_QUIC = YES ]; then -+ have=NGX_QUIC . auto/have -+ have=NGX_QUIC_OPENSSL_COMPAT . auto/have -+ fi -+ - case "$CC" in - - cl | bcc32) -- have=NGX_OPENSSL . auto/have -- have=NGX_SSL . auto/have -- - CFLAGS="$CFLAGS -DNO_SYS_TYPES_H" - - CORE_INCS="$CORE_INCS $OPENSSL/openssl/include" -@@ -33,9 +38,6 @@ if [ $OPENSSL != NONE ]; then - ;; - - *) -- have=NGX_OPENSSL . auto/have -- have=NGX_SSL . auto/have -- - CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include" - CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h" - CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a" -@@ -123,6 +125,35 @@ else - CORE_INCS="$CORE_INCS $ngx_feature_path" - CORE_LIBS="$CORE_LIBS $ngx_feature_libs" - OPENSSL=YES -+ -+ if [ $USE_OPENSSL_QUIC = YES ]; then -+ -+ ngx_feature="OpenSSL QUIC support" -+ ngx_feature_name="NGX_QUIC" -+ ngx_feature_test="SSL_set_quic_method(NULL, NULL)" -+ . auto/feature -+ -+ if [ $ngx_found = no ]; then -+ have=NGX_QUIC_OPENSSL_COMPAT . auto/have -+ -+ ngx_feature="OpenSSL QUIC compatibility" -+ ngx_feature_test="SSL_CTX_add_custom_ext(NULL, 0, 0, -+ NULL, NULL, NULL, NULL, NULL)" -+ . auto/feature -+ fi -+ -+ if [ $ngx_found = no ]; then -+cat << END -+ -+$0: error: certain modules require OpenSSL QUIC support. -+You can either do not enable the modules, or install the OpenSSL library with -+QUIC support into the system, or build the OpenSSL library with QUIC support -+statically from the source with nginx by using --with-openssl= option. 
-+ -+END -+ exit 1 -+ fi -+ fi - fi - fi - -diff -r ac779115ed6e auto/make ---- a/auto/make Tue Mar 28 18:01:53 2023 +0300 -+++ b/auto/make Thu May 11 11:48:37 2023 -0400 -@@ -6,9 +6,10 @@ - echo "creating $NGX_MAKEFILE" - - mkdir -p $NGX_OBJS/src/core $NGX_OBJS/src/event $NGX_OBJS/src/event/modules \ -+ $NGX_OBJS/src/event/quic \ - $NGX_OBJS/src/os/unix $NGX_OBJS/src/os/win32 \ -- $NGX_OBJS/src/http $NGX_OBJS/src/http/v2 $NGX_OBJS/src/http/modules \ -- $NGX_OBJS/src/http/modules/perl \ -+ $NGX_OBJS/src/http $NGX_OBJS/src/http/v2 $NGX_OBJS/src/http/v3 \ -+ $NGX_OBJS/src/http/modules $NGX_OBJS/src/http/modules/perl \ - $NGX_OBJS/src/mail \ - $NGX_OBJS/src/stream \ - $NGX_OBJS/src/misc -diff -r ac779115ed6e auto/modules ---- a/auto/modules Tue Mar 28 18:01:53 2023 +0300 -+++ b/auto/modules Thu May 11 11:48:37 2023 -0400 -@@ -102,7 +102,7 @@ if [ $HTTP = YES ]; then - fi - - -- if [ $HTTP_V2 = YES ]; then -+ if [ $HTTP_V2 = YES -o $HTTP_V3 = YES ]; then - HTTP_SRCS="$HTTP_SRCS $HTTP_HUFF_SRCS" - fi - -@@ -124,6 +124,7 @@ if [ $HTTP = YES ]; then - # ngx_http_header_filter - # ngx_http_chunked_filter - # ngx_http_v2_filter -+ # ngx_http_v3_filter - # ngx_http_range_header_filter - # ngx_http_gzip_filter - # ngx_http_postpone_filter *** 26690 LINES SKIPPED ***
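Review bot: most of this deletion cannot be reviewed from the mail. The hunk header `@@ -1,26867 +0,0 @@` covers 26867 lines and the text stops at `*** 26690 LINES SKIPPED ***` just after the start of the `auto/modules` section, so the remainder has to be checked in the repository. The removed README is also where the operational defaults are written down (`quic_retry off`, `quic_gso off`, a randomly generated `quic_host_key`, no 0-RTT in OpenSSL compatibility mode); if QUIC stays available in the build after this removal, the commit should say where users now find them.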
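Review bot: in the removed `auto/lib/openssl/conf` section, the two branches treat the compatibility layer differently. At `@@ -5,12 +5,17 @@` the `$OPENSSL != NONE` branch defines both `NGX_QUIC` and `NGX_QUIC_OPENSSL_COMPAT` whenever `$USE_OPENSSL_QUIC = YES`, with no probe for `SSL_set_quic_method`, while the branch at `@@ -123,6 +125,35 @@` falls back to `NGX_QUIC_OPENSSL_COMPAT` only when that probe fails. A build that takes the first branch therefore always gets the compatibility layer, which the README in the same patch says does not support 0-RTT, even if the library has native QUIC support. If whatever supersedes this file carries the same logic, confirm that is intended, or add the same feature test to the first branch.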