nginx port tweaks, ok robert@
- add nginx-auth-ldap module (https://github.com/kvspb/nginx-auth-ldap/) - reduce duplication in DISTFILES with foo{bar}ext syntax - simplify RUN_DEPENDS* - use perl MODULES to get ${P5ARCH} defined, use in PLIST-perl
parent
1643483b61
commit
7c960e3aa2
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: Makefile,v 1.123 2018/09/11 17:16:10 jeremy Exp $
|
||||
# $OpenBSD: Makefile,v 1.124 2018/09/28 14:36:16 sthen Exp $
|
||||
|
||||
BROKEN-hppa= src/core/ngx_rwlock.c:116:2: error: \#error ngx_atomic_cmp_set() is not defined!
|
||||
|
||||
@ -9,6 +9,7 @@ COMMENT-xslt= nginx XSLT filter module
|
||||
COMMENT-mailproxy= nginx mail proxy module
|
||||
COMMENT-stream= nginx TCP/UDP proxy module
|
||||
COMMENT-naxsi= nginx web application firewall module
|
||||
COMMENT-ldap_auth= nginx LDAP authentication module
|
||||
COMMENT-lua= nginx lua scripting module
|
||||
COMMENT-headers_more= nginx module for setting/adding/clearing headers
|
||||
COMMENT-perl= nginx perl scripting module
|
||||
@ -22,14 +23,15 @@ PKGNAME-main= ${DISTNAME}
|
||||
PKGNAME-image_filter= nginx-image_filter-${VERSION}
|
||||
PKGNAME-geoip= nginx-geoip-${VERSION}
|
||||
PKGNAME-xslt= nginx-xslt-${VERSION}
|
||||
PKGNAME-mailproxy= nginx-mailproxy-${VERSION}
|
||||
PKGNAME-mailproxy= nginx-mailproxy-${VERSION}
|
||||
PKGNAME-stream= nginx-stream-${VERSION}
|
||||
PKGNAME-naxsi= nginx-naxsi-${VERSION}
|
||||
PKGNAME-ldap_auth= nginx-ldap_auth-${VERSION}
|
||||
PKGNAME-lua= nginx-lua-${VERSION}
|
||||
PKGNAME-headers_more= nginx-headers-more-${VERSION}
|
||||
PKGNAME-perl= nginx-perl-${VERSION}
|
||||
PKGNAME-passenger= nginx-passenger-${VERSION}
|
||||
REVISION-main= 0
|
||||
REVISION= 1
|
||||
|
||||
MASTER_SITES= https://nginx.org/download/
|
||||
MASTER_SITES0= https://github.com/simpl/ngx_devel_kit/archive/
|
||||
@ -37,12 +39,14 @@ MASTER_SITES1= https://github.com/nbs-system/naxsi/archive/
|
||||
MASTER_SITES2= https://github.com/openresty/lua-nginx-module/archive/
|
||||
MASTER_SITES3= https://raw.githubusercontent.com/rnagy/nginx_chroot_patch/master/
|
||||
MASTER_SITES4= https://github.com/openresty/headers-more-nginx-module/archive/
|
||||
MASTER_SITES5= https://github.com/kvspb/nginx-auth-ldap/archive/
|
||||
|
||||
DISTFILES= ${DISTNAME}${EXTRACT_SUFX} \
|
||||
ngx_devel_kit-v0.3.0.tar.gz{v0.3.0.tar.gz}:0 \
|
||||
naxsi-0.55.3.tar.gz{0.55.3.tar.gz}:1 \
|
||||
lua-nginx-module-v0.10.11.tar.gz{v0.10.11.tar.gz}:2 \
|
||||
headers-more-nginx-module-v0.33.tar.gz{v0.33.tar.gz}:4
|
||||
ngx_devel_kit-{}v0.3.0.tar.gz:0 \
|
||||
naxsi-{}0.55.3.tar.gz:1 \
|
||||
lua-nginx-module-{}v0.10.11.tar.gz:2 \
|
||||
headers-more-nginx-module-{}v0.33.tar.gz:4 \
|
||||
nginx-auth-ldap-0.20170725{42d195d7a7575ebab1c369ad3fc5d78dc2c2669c}.tar.gz:5
|
||||
|
||||
HOMEPAGE= http://nginx.org/
|
||||
|
||||
@ -52,7 +56,7 @@ MAINTAINER= Robert Nagy <robert@openbsd.org>
|
||||
PERMIT_PACKAGE_CDROM= yes
|
||||
|
||||
MULTI_PACKAGES = -main -image_filter -geoip -xslt -mailproxy -stream \
|
||||
-naxsi -perl -passenger -headers_more -lua
|
||||
-naxsi -perl -passenger -headers_more -ldap_auth -lua
|
||||
|
||||
FLAVOR ?=
|
||||
PSEUDO_FLAVORS = no_lua no_passenger
|
||||
@ -66,6 +70,7 @@ WANTLIB-image_filter= gd
|
||||
WANTLIB-geoip= GeoIP
|
||||
WANTLIB-xslt= exslt xml2 xslt
|
||||
WANTLIB-naxsi=
|
||||
WANTLIB-ldap_auth= ldap
|
||||
WANTLIB-lua= ${MODLUA_WANTLIB} m
|
||||
WANTLIB-headers_more=
|
||||
WANTLIB-perl= c m perl
|
||||
@ -76,19 +81,15 @@ LIB_DEPENDS-xslt= textproc/libxml \
|
||||
textproc/libxslt
|
||||
LIB_DEPENDS-image_filter=graphics/gd
|
||||
LIB_DEPENDS-geoip= net/GeoIP
|
||||
LIB_DEPENDS-ldap_auth= databases/openldap
|
||||
LIB_DEPENDS-lua= ${MODLUA_LIB_DEPENDS}
|
||||
|
||||
RUN_DEPENDS-main= # blank (override addition from lua.port.mk)
|
||||
RUN_DEPENDS-mailproxy= www/nginx,-main=${VERSION}
|
||||
RUN_DEPENDS-stream= www/nginx,-main=${VERSION}
|
||||
RUN_DEPENDS-image_filter=www/nginx,-main=${VERSION}
|
||||
RUN_DEPENDS-geoip= www/nginx,-main=${VERSION}
|
||||
RUN_DEPENDS-xslt= www/nginx,-main=${VERSION}
|
||||
RUN_DEPENDS-naxsi= www/nginx,-main=${VERSION}
|
||||
RUN_DEPENDS-lua= www/nginx,-main=${VERSION}
|
||||
RUN_DEPENDS-headers_more=www/nginx,-main=${VERSION}
|
||||
RUN_DEPENDS-perl= www/nginx,-main=${VERSION}
|
||||
RUN_DEPENDS-passenger= www/nginx,-main=${VERSION} \
|
||||
MODLUA_RUNDEP= No
|
||||
RUN_DEPENDS= www/nginx,-main=${VERSION}
|
||||
RUN_DEPENDS-main= # blank (override default)
|
||||
RUN_DEPENDS-lua= ${RUN_DEPENDS} \
|
||||
${_MODLUA_RUN_DEPENDS}
|
||||
RUN_DEPENDS-passenger= ${RUN_DEPENDS} \
|
||||
ruby*-passenger-*:www/ruby-passenger
|
||||
|
||||
NGINX_DIR= /var/www
|
||||
@ -100,6 +101,7 @@ PREFIX-stream= ${NGINX_MODULES_DIR}
|
||||
PREFIX-image_filter= ${NGINX_MODULES_DIR}
|
||||
PREFIX-geoip= ${NGINX_MODULES_DIR}
|
||||
PREFIX-xslt= ${NGINX_MODULES_DIR}
|
||||
PREFIX-ldap_auth= ${NGINX_MODULES_DIR}
|
||||
PREFIX-lua= ${NGINX_MODULES_DIR}
|
||||
PREFIX-headers_more= ${NGINX_MODULES_DIR}
|
||||
PREFIX-passenger= ${NGINX_MODULES_DIR}
|
||||
@ -113,6 +115,7 @@ PATCHFILES+= nginx-${VERSION}-chroot.patch:3
|
||||
PATCH_DIST_STRIP= -p1
|
||||
|
||||
CONFIGURE_STYLE= simple
|
||||
MODULES+= perl
|
||||
|
||||
.if ${BUILD_PACKAGES:M-lua}
|
||||
MODULES+= lang/lua
|
||||
@ -159,10 +162,12 @@ CONFIGURE_ARGS+= --prefix=${NGINX_DIR} \
|
||||
--with-stream=dynamic \
|
||||
--add-dynamic-module=${WRKSRC}/naxsi/naxsi_src/ \
|
||||
--add-dynamic-module=${WRKSRC}/ngx_devel_kit \
|
||||
--add-dynamic-module=${WRKSRC}/headers-more-nginx-module
|
||||
--add-dynamic-module=${WRKSRC}/headers-more-nginx-module \
|
||||
--add-dynamic-module=${WRKSRC}/nginx-auth-ldap
|
||||
|
||||
SUBSTFILES= conf/nginx.conf \
|
||||
lua-nginx-module/config
|
||||
lua-nginx-module/config \
|
||||
nginx-auth-ldap/config
|
||||
|
||||
NO_TEST= Yes
|
||||
ALL_TARGET=
|
||||
@ -173,7 +178,8 @@ pre-patch:
|
||||
cd ${WRKSRC} && \
|
||||
mv ../ngx_devel_kit-* ngx_devel_kit && \
|
||||
mv ../lua-nginx-module-* lua-nginx-module && \
|
||||
mv ../headers-more-nginx-module-* headers-more-nginx-module
|
||||
mv ../headers-more-nginx-module-* headers-more-nginx-module && \
|
||||
mv ../nginx-auth-ldap-* nginx-auth-ldap
|
||||
|
||||
pre-configure:
|
||||
@cd ${WRKSRC} && ${SUBST_CMD} ${SUBSTFILES}
|
||||
|
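Review bot: `RUN_DEPENDS-lua` now pulls in `${_MODLUA_RUN_DEPENDS}`, an underscore-prefixed name that by ports convention looks private to lua.port.mk, and nothing in the Makefile says why. The pairing with `MODLUA_RUNDEP= No` is the part a later reader will not guess: the module's automatic run dependency is switched off for all subpackages and re-added by hand for -lua only. A comment above the two lines would record that, for example `# MODLUA_RUNDEP=No: keep lua out of the other subpackages' RUN_DEPENDS; re-added for -lua below`. If lua.port.mk exposes a public variable for the same value, that would be the safer thing to reference.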
@ -3,10 +3,12 @@ SHA256 (lua-nginx-module-v0.10.11.tar.gz) = wPuR/P0cbn3sNMpkgm74H/66/e9hdNJURnY2
|
||||
SHA256 (naxsi-0.55.3.tar.gz) = CzyV0lB3Lcia2LSeR8HgJMWuLHbAz/pEXp/gXE3RNJU=
|
||||
SHA256 (nginx-1.14.0-chroot.patch) = 6dERcspRpgEau5QbXHC+K0r5C9Ogy/df6j8BpYrStL0=
|
||||
SHA256 (nginx-1.14.0.tar.gz) = XRW+y/aauh/jP41BbZft2V6okZ6prFGe/5uv67YCLLU=
|
||||
SHA256 (nginx-auth-ldap-0.20170725.tar.gz) = gNbM6amHfVHewvhaEc580l7b0tYFwovChofsxWlSKe4=
|
||||
SHA256 (ngx_devel_kit-v0.3.0.tar.gz) = iOBamainQZBm9a51lm+x78QJutRSLRSYbaB0VUrmFhk=
|
||||
SIZE (headers-more-nginx-module-v0.33.tar.gz) = 28130
|
||||
SIZE (lua-nginx-module-v0.10.11.tar.gz) = 616653
|
||||
SIZE (naxsi-0.55.3.tar.gz) = 187416
|
||||
SIZE (nginx-1.14.0-chroot.patch) = 8220
|
||||
SIZE (nginx-1.14.0.tar.gz) = 1016272
|
||||
SIZE (nginx-auth-ldap-0.20170725.tar.gz) = 18457
|
||||
SIZE (ngx_devel_kit-v0.3.0.tar.gz) = 66455
|
||||
|
15
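--- /dev/null
+++ b/www/nginx/patches/patch-nginx-auth-ldap_config
@@ -0,0 +1,15 @@
+$OpenBSD: patch-nginx-auth-ldap_config,v 1.1 2018/09/28 14:36:16 sthen Exp $
+
+Index: nginx-auth-ldap/config
+--- nginx-auth-ldap/config.orig
++++ nginx-auth-ldap/config
+@@ -3,6 +3,9 @@ ngx_addon_name=ngx_http_auth_ldap_module
+LDAP_REQUIRED_LIBS="-lldap"
+
+case "$NGX_PLATFORM" in
++ OpenBSD:*)
++ LDAP_REQUIRED_LIBS="-L${LOCALBASE}/lib $LDAP_REQUIRED_LIBS"
++ ;;
+Darwin:*|FreeBSD:*|Linux:*|SunOS:*)
+LDAP_REQUIRED_LIBS="$LDAP_REQUIRED_LIBS -llber"
+;;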
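Review bot: `${LOCALBASE}` in the added OpenBSD branch is not something nginx's configure sets; the line only yields a usable `-L` path because the Makefile in this commit adds `nginx-auth-ldap/config` to SUBSTFILES and pre-configure runs `${SUBST_CMD}` over it. Without that step, and unless LOCALBASE happens to be in the environment, the shell would expand it to nothing and the flag would become `-L/lib`. Unlike the other two patches in this commit, this one has no description under its `$OpenBSD$` tag. A line such as `Find libldap under LOCALBASE; the variable is filled in by SUBST_CMD (see SUBSTFILES in the Makefile).` would record the dependency.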
@ -0,0 +1,33 @@
|
||||
$OpenBSD: patch-nginx-auth-ldap_ngx_http_auth_ldap_module_c,v 1.1 2018/09/28 14:36:16 sthen Exp $
|
||||
|
||||
conn->sockaddr is NULL in ngx_http_auth_ldap_ssl_handshake_handler(),
|
||||
remove support for bare IPs with certs to workaround.
|
||||
|
||||
Index: nginx-auth-ldap/ngx_http_auth_ldap_module.c
|
||||
--- nginx-auth-ldap/ngx_http_auth_ldap_module.c.orig
|
||||
+++ nginx-auth-ldap/ngx_http_auth_ldap_module.c
|
||||
@@ -1333,23 +1333,12 @@ ngx_http_auth_ldap_ssl_handshake_handler(ngx_connectio
|
||||
char *hostname = c->server->ludpp->lud_host;
|
||||
addr_verified = X509_check_host(cert, hostname, 0, 0, 0);
|
||||
|
||||
- if (!addr_verified) { // domain not in cert? try IP
|
||||
- size_t len; // get IP length
|
||||
- if (conn->sockaddr->sa_family == 4) len = 4;
|
||||
- else if (conn->sockaddr->sa_family == 6) len = 16;
|
||||
- else { // very unlikely indeed
|
||||
- ngx_http_auth_ldap_close_connection(c);
|
||||
- return;
|
||||
- }
|
||||
- addr_verified = X509_check_ip(cert, (const unsigned char*)conn->sockaddr->sa_data, len, 0);
|
||||
- }
|
||||
-
|
||||
// Find anything fishy?
|
||||
if ( !(cert && addr_verified && chain_verified == X509_V_OK) ) {
|
||||
if (!addr_verified) {
|
||||
ngx_log_error(NGX_LOG_ERR, c->log, 0,
|
||||
"http_auth_ldap: Remote side presented invalid SSL certificate: "
|
||||
- "does not match address (neither server's domain nor IP in certificate's CN or SAN)");
|
||||
+ "does not match address");
|
||||
fprintf(stderr, "DEBUG: SSL cert domain mismatch\n"); fflush(stderr);
|
||||
} else {
|
||||
ngx_log_error(NGX_LOG_ERR, c->log, 0,
|
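Review bot: `addr_verified` is still tested only for truthiness (`cert && addr_verified && ...` and `if (!addr_verified)`), and with the IP fallback gone it is now the sole result of `X509_check_host()`. That function returns 1 for a match and 0 for a mismatch, but a negative value on internal error or malformed input. If `addr_verified` is a signed int (its declaration is outside the hunk), an error return would be accepted as a verified hostname; `addr_verified = (X509_check_host(cert, hostname, 0, 0, 0) == 1);` closes that. The patch description could also say outright that an LDAP server configured by bare IP will now always fail certificate verification, so the resulting "does not match address" log line is not mistaken for a bad certificate. The body of `ngx_http_auth_ldap_ssl_handshake_handler()` starts and ends outside the hunk.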
20
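--- /dev/null
+++ b/www/nginx/patches/patch-src_event_ngx_event_openssl_h
@@ -0,0 +1,20 @@
+$OpenBSD: patch-src_event_ngx_event_openssl_h,v 1.4 2018/09/28 14:36:16 sthen Exp $
+
+LibreSSL now has enough of the 1.1 API for nginx
+
+Index: src/event/ngx_event_openssl.h
+--- src/event/ngx_event_openssl.h.orig
++++ src/event/ngx_event_openssl.h
+@@ -34,12 +34,6 @@
+#define NGX_SSL_NAME "OpenSSL"
+
+
+-#if (defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER == 0x20000000L)
+-#undef OPENSSL_VERSION_NUMBER
+-#define OPENSSL_VERSION_NUMBER 0x1000107fL
+-#endif
+-
+-
+#if (OPENSSL_VERSION_NUMBER >= 0x10100001L)
+
+#define ngx_ssl_version() OpenSSL_version(OPENSSL_VERSION)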
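Review bot: Dropping the override means LibreSSL's `OPENSSL_VERSION_NUMBER` (the `0x20000000L` the deleted `#if` tested for) now passes every `>=` version gate in nginx, not just the `0x10100001L` one kept as context here. Any gate for a newer OpenSSL API that LibreSSL lacks would then fail to build or select a TLS code path nobody tested; whether such gates exist in this nginx version is not visible from the hunk. The description line would be more useful as `LibreSSL now has enough of the 1.1 API for nginx; re-check OPENSSL_VERSION_NUMBER gates above 1.1.0 on each nginx update`.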
2
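--- /dev/null
+++ b/www/nginx/pkg/DESCR-ldap_auth
@@ -0,0 +1,2 @@
+nginx-auth-ldap is a module which allows one or more LDAP servers to be
+used as an authentication source for NGINX.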
2
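--- /dev/null
+++ b/www/nginx/pkg/PLIST-ldap_auth
@@ -0,0 +1,2 @@
+@comment $OpenBSD: PLIST-ldap_auth,v 1.1 2018/09/28 14:36:17 sthen Exp $
+ngx_http_auth_ldap_module.so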
@ -1,5 +1,7 @@
|
||||
@comment $OpenBSD: PLIST-perl,v 1.1 2016/11/04 22:13:43 jeremy Exp $
|
||||
libdata/perl5/site_perl/${ARCH}-openbsd/nginx.pm
|
||||
libdata/perl5/site_perl/${ARCH}-openbsd/nginx.so
|
||||
@comment $OpenBSD: PLIST-perl,v 1.2 2018/09/28 14:36:17 sthen Exp $
|
||||
${P5ARCH}/
|
||||
${P5ARCH}/auto/
|
||||
${P5ARCH}/nginx.pm
|
||||
${P5ARCH}/nginx.so
|
||||
@cwd /var/www/modules
|
||||
ngx_http_perl_module.so
|
||||
|