nginx port tweaks, ok robert@

- add nginx-auth-ldap module (https://github.com/kvspb/nginx-auth-ldap/)
- reduce duplication in DISTFILES with foo{bar}ext syntax
- simplify RUN_DEPENDS*
- use perl MODULES to get ${P5ARCH} defined, use in PLIST-perl

www/nginx/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.123 2018/09/11 17:16:10 jeremy Exp $
+# $OpenBSD: Makefile,v 1.124 2018/09/28 14:36:16 sthen Exp $
 
 BROKEN-hppa=	src/core/ngx_rwlock.c:116:2: error: \#error ngx_atomic_cmp_set() is not defined!
 
@@ -9,6 +9,7 @@ COMMENT-xslt=		nginx XSLT filter module
 COMMENT-mailproxy=	nginx mail proxy module
 COMMENT-stream=		nginx TCP/UDP proxy module
 COMMENT-naxsi=		nginx web application firewall module
+COMMENT-ldap_auth=	nginx LDAP authentication module
 COMMENT-lua=		nginx lua scripting module
 COMMENT-headers_more=	nginx module for setting/adding/clearing headers
 COMMENT-perl=		nginx perl scripting module
@@ -22,14 +23,15 @@ PKGNAME-main=		${DISTNAME}
 PKGNAME-image_filter=	nginx-image_filter-${VERSION}
 PKGNAME-geoip=		nginx-geoip-${VERSION}
 PKGNAME-xslt=		nginx-xslt-${VERSION}
-PKGNAME-mailproxy= 	nginx-mailproxy-${VERSION}
+PKGNAME-mailproxy=	nginx-mailproxy-${VERSION}
 PKGNAME-stream=		nginx-stream-${VERSION}
 PKGNAME-naxsi=		nginx-naxsi-${VERSION}
+PKGNAME-ldap_auth=	nginx-ldap_auth-${VERSION}
 PKGNAME-lua=		nginx-lua-${VERSION}
 PKGNAME-headers_more=	nginx-headers-more-${VERSION}
 PKGNAME-perl=		nginx-perl-${VERSION}
 PKGNAME-passenger=	nginx-passenger-${VERSION}
-REVISION-main=		0
+REVISION=		1
 
 MASTER_SITES=	https://nginx.org/download/
 MASTER_SITES0=	https://github.com/simpl/ngx_devel_kit/archive/
@@ -37,12 +39,14 @@ MASTER_SITES1=	https://github.com/nbs-system/naxsi/archive/
 MASTER_SITES2=	https://github.com/openresty/lua-nginx-module/archive/
 MASTER_SITES3=	https://raw.githubusercontent.com/rnagy/nginx_chroot_patch/master/
 MASTER_SITES4=	https://github.com/openresty/headers-more-nginx-module/archive/
+MASTER_SITES5=	https://github.com/kvspb/nginx-auth-ldap/archive/
 
 DISTFILES=	${DISTNAME}${EXTRACT_SUFX} \
-		ngx_devel_kit-v0.3.0.tar.gz{v0.3.0.tar.gz}:0 \
-		naxsi-0.55.3.tar.gz{0.55.3.tar.gz}:1 \
-		lua-nginx-module-v0.10.11.tar.gz{v0.10.11.tar.gz}:2 \
-		headers-more-nginx-module-v0.33.tar.gz{v0.33.tar.gz}:4
+		ngx_devel_kit-{}v0.3.0.tar.gz:0 \
+		naxsi-{}0.55.3.tar.gz:1 \
+		lua-nginx-module-{}v0.10.11.tar.gz:2 \
+		headers-more-nginx-module-{}v0.33.tar.gz:4 \
+		nginx-auth-ldap-0.20170725{42d195d7a7575ebab1c369ad3fc5d78dc2c2669c}.tar.gz:5
 
 HOMEPAGE=	http://nginx.org/
 
@@ -52,7 +56,7 @@ MAINTAINER=	Robert Nagy <robert@openbsd.org>
 PERMIT_PACKAGE_CDROM=	yes
 
 MULTI_PACKAGES =	-main -image_filter -geoip -xslt -mailproxy -stream \
-			-naxsi -perl -passenger -headers_more -lua
+			-naxsi -perl -passenger -headers_more -ldap_auth -lua
 
 FLAVOR ?=
 PSEUDO_FLAVORS =	no_lua no_passenger
@@ -66,6 +70,7 @@ WANTLIB-image_filter=	gd
 WANTLIB-geoip=		GeoIP
 WANTLIB-xslt=		exslt xml2 xslt
 WANTLIB-naxsi=
+WANTLIB-ldap_auth=	ldap
 WANTLIB-lua=		${MODLUA_WANTLIB} m
 WANTLIB-headers_more=
 WANTLIB-perl=		c m perl
@@ -76,19 +81,15 @@ LIB_DEPENDS-xslt=	textproc/libxml \
 			textproc/libxslt
 LIB_DEPENDS-image_filter=graphics/gd
 LIB_DEPENDS-geoip=	net/GeoIP
+LIB_DEPENDS-ldap_auth=	databases/openldap
 LIB_DEPENDS-lua=	${MODLUA_LIB_DEPENDS}
 
-RUN_DEPENDS-main=	# blank (override addition from lua.port.mk)
-RUN_DEPENDS-mailproxy=	www/nginx,-main=${VERSION}
-RUN_DEPENDS-stream=	www/nginx,-main=${VERSION}
-RUN_DEPENDS-image_filter=www/nginx,-main=${VERSION}
-RUN_DEPENDS-geoip=	www/nginx,-main=${VERSION}
-RUN_DEPENDS-xslt=	www/nginx,-main=${VERSION}
-RUN_DEPENDS-naxsi=	www/nginx,-main=${VERSION}
-RUN_DEPENDS-lua=	www/nginx,-main=${VERSION}
-RUN_DEPENDS-headers_more=www/nginx,-main=${VERSION}
-RUN_DEPENDS-perl=	www/nginx,-main=${VERSION}
-RUN_DEPENDS-passenger=	www/nginx,-main=${VERSION} \
+MODLUA_RUNDEP=		No
+RUN_DEPENDS=		www/nginx,-main=${VERSION}
+RUN_DEPENDS-main=	# blank (override default)
+RUN_DEPENDS-lua=	${RUN_DEPENDS} \
+			${_MODLUA_RUN_DEPENDS}
+RUN_DEPENDS-passenger=	${RUN_DEPENDS} \
 			ruby*-passenger-*:www/ruby-passenger
 
 NGINX_DIR=	/var/www
@@ -100,6 +101,7 @@ PREFIX-stream=		${NGINX_MODULES_DIR}
 PREFIX-image_filter=	${NGINX_MODULES_DIR}
 PREFIX-geoip=		${NGINX_MODULES_DIR}
 PREFIX-xslt=		${NGINX_MODULES_DIR}
+PREFIX-ldap_auth=	${NGINX_MODULES_DIR}
 PREFIX-lua=		${NGINX_MODULES_DIR}
 PREFIX-headers_more=	${NGINX_MODULES_DIR}
 PREFIX-passenger=	${NGINX_MODULES_DIR}
@@ -113,6 +115,7 @@ PATCHFILES+=		nginx-${VERSION}-chroot.patch:3
 PATCH_DIST_STRIP=	-p1
 
 CONFIGURE_STYLE=	simple
+MODULES+=		perl
 
 .if ${BUILD_PACKAGES:M-lua}
 MODULES+=		lang/lua
@@ -159,10 +162,12 @@ CONFIGURE_ARGS+=	--prefix=${NGINX_DIR} \
 			--with-stream=dynamic \
 			--add-dynamic-module=${WRKSRC}/naxsi/naxsi_src/ \
 			--add-dynamic-module=${WRKSRC}/ngx_devel_kit \
-			--add-dynamic-module=${WRKSRC}/headers-more-nginx-module
+			--add-dynamic-module=${WRKSRC}/headers-more-nginx-module \
+			--add-dynamic-module=${WRKSRC}/nginx-auth-ldap
 
 SUBSTFILES=		conf/nginx.conf \
-			lua-nginx-module/config
+			lua-nginx-module/config \
+			nginx-auth-ldap/config
 
 NO_TEST=		Yes
 ALL_TARGET=
@@ -173,7 +178,8 @@ pre-patch:
 	cd ${WRKSRC} && \
 	    mv ../ngx_devel_kit-* ngx_devel_kit && \
 	    mv ../lua-nginx-module-* lua-nginx-module && \
-	    mv ../headers-more-nginx-module-* headers-more-nginx-module
+	    mv ../headers-more-nginx-module-* headers-more-nginx-module && \
+	    mv ../nginx-auth-ldap-* nginx-auth-ldap
 
 pre-configure:
 	@cd ${WRKSRC} && ${SUBST_CMD} ${SUBSTFILES}

www/nginx/distinfo

@@ -3,10 +3,12 @@ SHA256 (lua-nginx-module-v0.10.11.tar.gz) = wPuR/P0cbn3sNMpkgm74H/66/e9hdNJURnY2
 SHA256 (naxsi-0.55.3.tar.gz) = CzyV0lB3Lcia2LSeR8HgJMWuLHbAz/pEXp/gXE3RNJU=
 SHA256 (nginx-1.14.0-chroot.patch) = 6dERcspRpgEau5QbXHC+K0r5C9Ogy/df6j8BpYrStL0=
 SHA256 (nginx-1.14.0.tar.gz) = XRW+y/aauh/jP41BbZft2V6okZ6prFGe/5uv67YCLLU=
+SHA256 (nginx-auth-ldap-0.20170725.tar.gz) = gNbM6amHfVHewvhaEc580l7b0tYFwovChofsxWlSKe4=
 SHA256 (ngx_devel_kit-v0.3.0.tar.gz) = iOBamainQZBm9a51lm+x78QJutRSLRSYbaB0VUrmFhk=
 SIZE (headers-more-nginx-module-v0.33.tar.gz) = 28130
 SIZE (lua-nginx-module-v0.10.11.tar.gz) = 616653
 SIZE (naxsi-0.55.3.tar.gz) = 187416
 SIZE (nginx-1.14.0-chroot.patch) = 8220
 SIZE (nginx-1.14.0.tar.gz) = 1016272
+SIZE (nginx-auth-ldap-0.20170725.tar.gz) = 18457
 SIZE (ngx_devel_kit-v0.3.0.tar.gz) = 66455

www/nginx/patches/patch-nginx-auth-ldap_config

@@ -0,0 +1,15 @@
+$OpenBSD: patch-nginx-auth-ldap_config,v 1.1 2018/09/28 14:36:16 sthen Exp $
+
+Index: nginx-auth-ldap/config
+--- nginx-auth-ldap/config.orig
++++ nginx-auth-ldap/config
+@@ -3,6 +3,9 @@ ngx_addon_name=ngx_http_auth_ldap_module
+ LDAP_REQUIRED_LIBS="-lldap"
+ 
+ case "$NGX_PLATFORM" in
++    OpenBSD:*)
++        LDAP_REQUIRED_LIBS="-L${LOCALBASE}/lib $LDAP_REQUIRED_LIBS"
++    ;;
+     Darwin:*|FreeBSD:*|Linux:*|SunOS:*)
+         LDAP_REQUIRED_LIBS="$LDAP_REQUIRED_LIBS -llber"
+     ;;

www/nginx/patches/patch-nginx-auth-ldap_ngx_http_auth_ldap_module_c

@@ -0,0 +1,33 @@
+$OpenBSD: patch-nginx-auth-ldap_ngx_http_auth_ldap_module_c,v 1.1 2018/09/28 14:36:16 sthen Exp $
+
+conn->sockaddr is NULL in ngx_http_auth_ldap_ssl_handshake_handler(),
+remove support for bare IPs with certs to workaround.
+
+Index: nginx-auth-ldap/ngx_http_auth_ldap_module.c
+--- nginx-auth-ldap/ngx_http_auth_ldap_module.c.orig
++++ nginx-auth-ldap/ngx_http_auth_ldap_module.c
+@@ -1333,23 +1333,12 @@ ngx_http_auth_ldap_ssl_handshake_handler(ngx_connectio
+           char *hostname = c->server->ludpp->lud_host;
+           addr_verified = X509_check_host(cert, hostname, 0, 0, 0);
+ 
+-          if (!addr_verified) { // domain not in cert? try IP
+-            size_t len; // get IP length
+-            if (conn->sockaddr->sa_family == 4) len = 4;
+-            else if (conn->sockaddr->sa_family == 6) len = 16;
+-            else { // very unlikely indeed
+-              ngx_http_auth_ldap_close_connection(c);
+-              return;
+-            }
+-            addr_verified = X509_check_ip(cert, (const unsigned char*)conn->sockaddr->sa_data, len, 0);
+-          }
+-
+           // Find anything fishy?
+           if ( !(cert && addr_verified && chain_verified == X509_V_OK) ) {
+             if (!addr_verified) {
+               ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                 "http_auth_ldap: Remote side presented invalid SSL certificate: "
+-                "does not match address (neither server's domain nor IP in certificate's CN or SAN)");
++                "does not match address");
+                 fprintf(stderr, "DEBUG: SSL cert domain mismatch\n"); fflush(stderr);
+             } else {
+               ngx_log_error(NGX_LOG_ERR, c->log, 0,

www/nginx/patches/patch-src_event_ngx_event_openssl_h

@@ -0,0 +1,20 @@
+$OpenBSD: patch-src_event_ngx_event_openssl_h,v 1.4 2018/09/28 14:36:16 sthen Exp $
+
+LibreSSL now has enough of the 1.1 API for nginx
+
+Index: src/event/ngx_event_openssl.h
+--- src/event/ngx_event_openssl.h.orig
++++ src/event/ngx_event_openssl.h
+@@ -34,12 +34,6 @@
+ #define NGX_SSL_NAME     "OpenSSL"
+ 
+ 
+-#if (defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER == 0x20000000L)
+-#undef OPENSSL_VERSION_NUMBER
+-#define OPENSSL_VERSION_NUMBER  0x1000107fL
+-#endif
+-
+-
+ #if (OPENSSL_VERSION_NUMBER >= 0x10100001L)
+ 
+ #define ngx_ssl_version()       OpenSSL_version(OPENSSL_VERSION)

www/nginx/pkg/DESCR-ldap_auth

@@ -0,0 +1,2 @@
+nginx-auth-ldap is a module which allows one or more LDAP servers to be
+used as an authentication source for NGINX.

www/nginx/pkg/PLIST-ldap_auth

@@ -0,0 +1,2 @@
+@comment $OpenBSD: PLIST-ldap_auth,v 1.1 2018/09/28 14:36:17 sthen Exp $
+ngx_http_auth_ldap_module.so

www/nginx/pkg/PLIST-perl

@@ -1,5 +1,7 @@
-@comment $OpenBSD: PLIST-perl,v 1.1 2016/11/04 22:13:43 jeremy Exp $
-libdata/perl5/site_perl/${ARCH}-openbsd/nginx.pm
-libdata/perl5/site_perl/${ARCH}-openbsd/nginx.so
+@comment $OpenBSD: PLIST-perl,v 1.2 2018/09/28 14:36:17 sthen Exp $
+${P5ARCH}/
+${P5ARCH}/auto/
+${P5ARCH}/nginx.pm
+${P5ARCH}/nginx.so
 @cwd /var/www/modules
 ngx_http_perl_module.so