2019-12-05 08:48:20 +01:00
|
|
|
include $(TOPDIR)/rules.mk
|
|
|
|
|
|
|
|
|
|
PKG_NAME:=nginx-util
|
nginx-util: fix deprecated openssl 3.0 functions
Since upstream openwrt has been using openssl 3.0 for quite some time,
figured we could clean up some of the legacy code.
This PR updates the code for EC/RSA key generation.
nginx-util currently only generates 'ecc' keys, even though the
framework is there for rsa as well.
In order properly test the changes, I created two binaries:
'nginx-util-ssl' (generates ec keys)
'nginx-util-ssl-rsa' (generates rsa keys)
where I would change line:455 in `src/nginx-ssl-util.hpp`
`auto pkey = gen_eckey(NID_secp384r1)` to `auto pkey = gen_rsakey(2048)`
Example with UCI config
```
config server '_rsa'
list listen '443 ssl default_server'
list listen '[::]:443 ssl default_server'
option server_name '_rsa'
list include 'restrict_locally'
list include 'conf.d/*.locations'
option uci_manage_ssl 'self-signed'
option key_type 'rsa'
option ssl_certificate '/etc/nginx/conf.d/_rsa.crt'
option ssl_certificate_key '/etc/nginx/conf.d/_rsa.key'
option ssl_session_cache 'shared:SSL:32k'
option ssl_session_timeout '64m'
option access_log 'off; # logd openwrt'
```
➤ /opt/bin/nginx-ssl-util-rsa add_ssl _rsa
Adding SSL directives to UCI server: nginx._rsa
uci_manage_ssl='self-signed'
Created self-signed SSL certificate '/etc/nginx/conf.d/_rsa.crt' with key '/etc/nginx/conf.d/_rsa.key'.
[04/14/24 18:37:15](K-6.6.27)
root@WRX36 ~
➤ openssl x509 -in /etc/nginx/conf.d/_rsa.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6d:55:a6:cd:52:25:31:fd:3c:78:66:24:82:5f:bb:b6:a6:fe:8f:c7
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = ZZ, ST = Somewhere, L = None, CN = OpenWrt, O = OpenWrtBF399B64ACF71BC3
Validity
Not Before: Apr 14 22:37:15 2024 GMT
Not After : Jul 16 22:37:15 2027 GMT
Subject: C = ZZ, ST = Somewhere, L = None, CN = OpenWrt, O = OpenWrtBF399B64ACF71BC3
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ac:52:71:af:25:e9:05:0a:a5:d7:86:d3:8d:0b:
66:e0:09:cf:2a:cd:a1:63:57:36:46:61:04:16:fe:
94:84:d0:20:ab:01:15:55:aa:a1:89:c2:85:a9:84:
47:ba:84:d7:1f:a9:0c:c0:f0:67:2f:81:1d:1b:3b:
31:d5:94:6e:a0:f0:e6:ec:26:91:4a:e2:fd:58:4c:
ac:b5:9e:a1:cd:7d:91:51:29:81:1d:3e:4a:d9:d1:
d5:f1:2f:34:2f:ca:95:dc:42:d5:c4:d3:d6:b2:91:
d5:19:61:a2:b5:b1:90:f0:83:88:ef:92:c9:bf:a4:
59:a9:d6:00:6f:1c:0d:70:16:40:cc:cb:c0:de:c4:
8f:00:83:a3:2f:77:ca:18:cd:7b:d4:77:96:47:78:
1b:c1:ff:08:86:93:79:91:8f:a7:95:71:46:06:69:
fc:cc:65:64:e7:99:11:cc:82:bb:39:6b:12:27:73:
0e:d1:e7:65:51:9e:ad:dc:b3:ff:3f:ba:b0:72:4f:
22:ad:7e:41:bb:3c:c7:80:30:81:5f:8b:32:f4:7f:
22:48:3f:3d:a9:eb:28:27:12:db:a9:63:c9:7e:e2:
ed:36:de:e7:68:31:4e:9c:c0:36:e8:f2:d9:3f:50:
09:50:a3:e8:7a:03:00:4f:8d:e1:10:eb:a1:87:44:
be:23
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
06:7d:84:00:ac:8f:8b:a6:b6:b7:b5:ed:ee:7f:61:76:6d:ee:
11:53:f6:d1:f8:95:ad:6c:d7:d0:3e:01:ac:bb:d7:7a:8d:59:
80:ec:ba:b2:7b:78:5c:4f:5e:3f:f1:74:ad:d9:8c:a2:6b:08:
9c:bf:b1:42:fd:8d:a6:35:48:4d:a7:2d:92:c9:45:66:77:32:
a4:e0:ea:eb:e0:4a:42:f5:dd:ea:a2:c0:0a:66:5a:32:03:1d:
e7:87:3a:7f:1e:00:ed:d0:21:01:d5:f9:e2:b1:e6:b7:cb:1c:
67:11:de:69:7f:a2:ce:d0:fc:2d:f2:6c:33:84:4c:3d:f4:f6:
60:6b:2e:31:b7:0c:41:2c:73:31:7e:94:19:a2:2b:6a:56:3f:
07:37:71:97:28:58:91:63:b2:58:97:b2:aa:1e:d5:d9:6d:af:
6f:a0:02:e0:06:39:b0:c9:f5:50:41:b5:58:41:6a:30:72:89:
9a:67:7e:a1:7a:a5:02:b9:2a:f3:f8:93:4f:59:6e:b1:27:54:
86:d1:ec:96:7a:dd:d1:44:6b:1e:3b:17:cf:15:64:ad:83:6b:
63:20:2d:42:c3:28:68:14:de:12:4e:8a:c3:f3:10:c8:4b:4f:
c7:d8:2b:a8:45:fb:3a:bd:9d:bd:08:71:08:09:ed:ea:9b:b9:
3b:33:a6:a6
[04/14/24 18:37:27](K-6.6.27)
root@WRX36 ~
➤ /opt/bin/nginx-ssl-util add_ssl _ec
Adding SSL directives to UCI server: nginx._ec
uci_manage_ssl='self-signed'
Created self-signed SSL certificate '/etc/nginx/conf.d/_ec.crt' with key '/etc/nginx/conf.d/_ec.key'.
[04/14/24 18:37:43](K-6.6.27)
root@WRX36 ~
➤ openssl x509 -in /etc/nginx/conf.d/_ec.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
55:32:fe:07:09:79:d1:40:d7:43:2e:45:3d:98:4a:77:65:d0:29:41
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = ZZ, ST = Somewhere, L = None, CN = OpenWrt, O = OpenWrt2EDD40F41960C8C1
Validity
Not Before: Apr 14 22:37:43 2024 GMT
Not After : Jul 16 22:37:43 2027 GMT
Subject: C = ZZ, ST = Somewhere, L = None, CN = OpenWrt, O = OpenWrt2EDD40F41960C8C1
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:97:d2:b2:f0:c9:60:60:89:7e:ea:6f:48:1c:90:
8e:6d:1d:d8:58:46:8c:de:e9:50:e2:74:ea:d8:dd:
8c:d9:ed:f4:4c:b7:41:95:55:98:38:5a:9e:66:83:
b9:7c:79:71:9b:ec:18:ed:d9:09:3c:f7:64:32:ae:
59:ad:92:de:d7:c4:15:2e:e5:89:65:f4:29:8a:62:
a0:85:21:95:22:3a:38:e3:11:e6:f2:01:f6:50:62:
01:ed:68:0d:d0:0c:d4
ASN1 OID: secp384r1
NIST CURVE: P-384
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:65:02:30:78:af:d1:4f:57:b1:97:2b:87:aa:7f:a2:26:39:
19:30:5c:4f:9c:f0:d7:ee:24:8e:a2:39:ec:70:af:16:eb:a6:
72:96:d4:a7:2f:c1:38:f4:65:ed:ed:bf:22:c6:a4:6d:02:31:
00:bc:ec:19:0e:3d:6a:d1:5a:ae:6d:5c:a3:ec:96:60:32:f9:
6a:88:06:92:ed:c1:a7:44:2c:33:7a:22:72:0f:2a:ce:83:f0:
f2:04:9e:49:60:ef:83:b4:7f:8b:af:61:c9
```
Maintainer: Peter Stadler <peter.stadler@student.uibk.ac.at>
Compile tested: aarch64, qualcommax, Master Branch
Run tested: aarch64, Dynalink DL-WRX36, Master Branch
Signed-off-by: Sean Khan <datapronix@protonmail.com>
2024-04-15 02:07:30 +02:00
|
|
|
PKG_VERSION:=1.7
|
|
|
|
|
PKG_RELEASE:=1
|
2020-02-04 13:10:00 +01:00
|
|
|
PKG_MAINTAINER:=Peter Stadler <peter.stadler@student.uibk.ac.at>
|
2019-12-05 08:48:20 +01:00
|
|
|
|
|
|
|
|
include $(INCLUDE_DIR)/package.mk
|
2021-06-11 01:27:06 +02:00
|
|
|
include $(INCLUDE_DIR)/cmake.mk
|
2019-12-05 08:48:20 +01:00
|
|
|
|
2020-02-04 13:10:00 +01:00
|
|
|
CMAKE_OPTIONS+= -DUBUS=y
|
|
|
|
|
CMAKE_OPTIONS+= -DVERSION=$(PKG_VERSION)
|
|
|
|
|
|
2020-05-21 20:21:59 +02:00
|
|
|
define Package/nginx-ssl-util/default
|
2019-12-05 08:48:20 +01:00
|
|
|
SECTION:=net
|
|
|
|
|
CATEGORY:=Network
|
|
|
|
|
SUBMENU:=Web Servers/Proxies
|
2020-05-21 20:21:59 +02:00
|
|
|
TITLE:=Nginx configurator including SSL
|
nginx-util: use UCI for server configuration
**tl;dr:** The functions `{add,del}_ssl` modify a server
section of the UCI config if there is no `.conf` file with
the same name in `/etc/nginx/conf.d/`.
Then `init_lan` creates `/var/lib/nginx/uci.conf` files by
copying the `/etc/nginx/uci.conf.template` and standard
options from the UCI config; additionally the special path
`logd` can be used in `{access,error}_log`.
The init does not change the configuration beside
re-creating self-signed certificates when needed. This is
also the only purpose of the new `check_ssl`, which is
installed as yearly cron job.
**Initialization:**
Invoking `nginx-util init_lan` parses the UCI configuration
for package `nginx`. It creates a server part in
`/var/lib/nginx/uci.conf` for each `section server '$name'`
by copying all UCI options but the following:
* `option uci_manage_ssl` is skipped. It is set to
'self-signed' by `nginx-util add_ssl $name`, removed by
`nginx-util del_ssl $name` and used by
`nginx-util check_ssl` (see below).
* `logd` as path in `error_log` or `access_log` writes them
to STDERR respective STDOUT, which are fowarded by Nginx's
init to the log daemon. Specifically:
`option error_log 'logd'` becomes `error_log stderr;` and
`option access_log 'logd openwrt'` becomes
`access_log /proc/self/fd/1 openwrt;`
Other `[option|list] key 'value'` entries just become
`key value;` directives.
The init.d calls internally also `check_ssl` for rebuilding
self-signed SSL certificates if needed (see below). And it
still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as
it is doing in the current version (so they stay available).
**Defaults:**
The package installs the file `/etc/nginx/restrict_locally`
containing allow/deny directives for restricting the access
to LAN addresses by including it into a server part. The
default server '_lan' includes this file and listens on all
IPs (instead of only the local IPs as it did before; other
servers do not need to listen explicitly on the local IPs
anymore). The default server is contained together with a
server that redirects HTTP requests for inexistent URLs to
HTTPS in the UCI configuration file `/etc/config/nginx`.
Furthermore, the packages installs a
`/etc/nginx/uci.conf.template` containing the current setup
and a marker, which will be replaced by the created UCI
servers when calling `init_lan`.
**Other:**
If there is a file named `/etc/nginx/conf.d/$name.conf` the
functions `init_lan`, `add_ssl $name` and `del_ssl $name`
will use that file instead of a UCI server section (this is
similar to the current version).
Else it selects the UCI `section server $name`, or, when
there is no such section, it searches for the first one
having `option server_name '… $name …'`. For this section:
* `nginx-util add_ssl $name` will add to it:
`option uci_manage_ssl 'self-signed'`
`option ssl_certificate '/etc/nginx/conf.d/$name.crt'`
`option ssl_certificate_key '/etc/nginx/conf.d/$name.key'`
`option ssl_session_cache 'shared:SSL:32k'`
`option ssl_session_timeout '64m'`
If these options are already present, they will stay the
same; just the first option `uci_manage_ssl` will always be
changed to 'self-signed'. The command also changes all
`listen` list items to use port 443 and ssl instead of port
80 (without ssl). If they stated another port than 80
before, they are kept the same. Furthermore, it creates a
self-signed SSL certificate if necessary, i.e., if there is
no *valid* certificate and key at the locations given by
the options `ssl_certificate` and `ssl_certificate_key`.
* `nginx-util del_ssl $name` checks if `uci_manage_ssl` is
set 'self-signed' in the corresponding UCI section. Only
then it removes all of the above options regardless of the
value looking just at the key name. Then, it also changes
all `listen` list items to use port 80 (without ssl)
instead of port 443 with ssl. If stating another port than
443, they are kept the same. Furthermore, it removes the
SSL certificate and key that were indicated by
`ssl_certificate{,_key}`.
* `nginx-util check_ssl` looks through all server sections
of the UCI config for `uci_manage_ssl 'self-signed'`. On
every hit it checks if the SSL certificate-key-pair
indicated by the options `ssl_certificate{,_key}` is
expired. Then it re-creates a self-signed certificate.
If there exists at least one `section server` with
`uci_manage_ssl 'self-signed'`, it will try to install
itself as cron job. If there are no such sections, it
removes that cron job if possible.
For installing a ssl certificate and key managed by
another app, you can call:
`nginx-util add_ssl $name $manager $crtpath $keypath`
Hereby `$name` is as above, `$manager` is an arbitrary
string, and the the ssl certificate and its key are
indicated by their absolute path. If you want to remove
the directives again, then you can use:
`nginx-util del_ssl $name $manager`
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
2020-07-23 14:56:36 +02:00
|
|
|
DEPENDS:=+libstdcpp +libuci +libubus +libubox +libpthread +libopenssl
|
2020-05-21 20:21:59 +02:00
|
|
|
# TODO: remove after a transition period (together with below and pkg nginx):
|
|
|
|
|
# It actually removes nginx-util (replacing it by a dummy pkg) to avoid
|
|
|
|
|
# conflicts with nginx-ssl-util*
|
2020-07-31 12:34:48 +02:00
|
|
|
DEPENDS+= +nginx-util
|
2020-05-21 20:21:59 +02:00
|
|
|
EXTRA_DEPENDS:=nginx-util (>=1.4-2)
|
2019-12-05 08:48:20 +01:00
|
|
|
endef
|
|
|
|
|
|
2020-05-26 16:21:10 +02:00
|
|
|
|
2019-12-05 08:48:20 +01:00
|
|
|
define Package/nginx-ssl-util
|
|
|
|
|
$(Package/nginx-ssl-util/default)
|
|
|
|
|
TITLE+= (using PCRE)
|
2023-09-22 18:15:01 +02:00
|
|
|
DEPENDS+= +libpcre2
|
2020-05-21 20:21:59 +02:00
|
|
|
CONFLICTS:=nginx-ssl-util-nopcre,
|
2019-12-05 08:48:20 +01:00
|
|
|
endef
|
|
|
|
|
|
2020-05-26 16:21:10 +02:00
|
|
|
|
2020-01-23 15:42:03 +01:00
|
|
|
define Package/nginx-ssl-util-nopcre
|
|
|
|
|
$(Package/nginx-ssl-util/default)
|
|
|
|
|
TITLE+= (using <regex>)
|
2020-05-21 20:21:59 +02:00
|
|
|
CONFLICTS:=nginx-ssl-util
|
2020-01-23 15:42:03 +01:00
|
|
|
endef
|
|
|
|
|
|
2020-05-26 16:21:10 +02:00
|
|
|
|
2020-05-21 20:21:59 +02:00
|
|
|
define Package/nginx-ssl-util/default/description
|
2019-12-05 08:48:20 +01:00
|
|
|
Utility that builds dynamically LAN listen directives for Nginx.
|
2020-05-21 20:21:59 +02:00
|
|
|
Furthermore, it manages SSL directives for its server parts and can create
|
2019-12-05 08:48:20 +01:00
|
|
|
corresponding (self-signed) certificates.
|
2020-05-21 20:21:59 +02:00
|
|
|
endef
|
2019-12-05 08:48:20 +01:00
|
|
|
|
2020-05-26 16:21:10 +02:00
|
|
|
|
2019-12-05 08:48:20 +01:00
|
|
|
Package/nginx-ssl-util/description = \
|
|
|
|
|
$(Package/nginx-ssl-util/default/description) \
|
|
|
|
|
It uses the PCRE library for performance.
|
|
|
|
|
|
2020-05-26 16:21:10 +02:00
|
|
|
|
2019-12-05 08:48:20 +01:00
|
|
|
Package/nginx-ssl-util-nopcre/description = \
|
|
|
|
|
$(Package/nginx-ssl-util/default/description) \
|
|
|
|
|
It uses the standard regex library of C++.
|
|
|
|
|
|
2020-05-26 16:21:10 +02:00
|
|
|
|
nginx-util: use UCI for server configuration
**tl;dr:** The functions `{add,del}_ssl` modify a server
section of the UCI config if there is no `.conf` file with
the same name in `/etc/nginx/conf.d/`.
Then `init_lan` creates `/var/lib/nginx/uci.conf` files by
copying the `/etc/nginx/uci.conf.template` and standard
options from the UCI config; additionally the special path
`logd` can be used in `{access,error}_log`.
The init does not change the configuration beside
re-creating self-signed certificates when needed. This is
also the only purpose of the new `check_ssl`, which is
installed as yearly cron job.
**Initialization:**
Invoking `nginx-util init_lan` parses the UCI configuration
for package `nginx`. It creates a server part in
`/var/lib/nginx/uci.conf` for each `section server '$name'`
by copying all UCI options but the following:
* `option uci_manage_ssl` is skipped. It is set to
'self-signed' by `nginx-util add_ssl $name`, removed by
`nginx-util del_ssl $name` and used by
`nginx-util check_ssl` (see below).
* `logd` as path in `error_log` or `access_log` writes them
to STDERR respective STDOUT, which are fowarded by Nginx's
init to the log daemon. Specifically:
`option error_log 'logd'` becomes `error_log stderr;` and
`option access_log 'logd openwrt'` becomes
`access_log /proc/self/fd/1 openwrt;`
Other `[option|list] key 'value'` entries just become
`key value;` directives.
The init.d calls internally also `check_ssl` for rebuilding
self-signed SSL certificates if needed (see below). And it
still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as
it is doing in the current version (so they stay available).
**Defaults:**
The package installs the file `/etc/nginx/restrict_locally`
containing allow/deny directives for restricting the access
to LAN addresses by including it into a server part. The
default server '_lan' includes this file and listens on all
IPs (instead of only the local IPs as it did before; other
servers do not need to listen explicitly on the local IPs
anymore). The default server is contained together with a
server that redirects HTTP requests for inexistent URLs to
HTTPS in the UCI configuration file `/etc/config/nginx`.
Furthermore, the packages installs a
`/etc/nginx/uci.conf.template` containing the current setup
and a marker, which will be replaced by the created UCI
servers when calling `init_lan`.
**Other:**
If there is a file named `/etc/nginx/conf.d/$name.conf` the
functions `init_lan`, `add_ssl $name` and `del_ssl $name`
will use that file instead of a UCI server section (this is
similar to the current version).
Else it selects the UCI `section server $name`, or, when
there is no such section, it searches for the first one
having `option server_name '… $name …'`. For this section:
* `nginx-util add_ssl $name` will add to it:
`option uci_manage_ssl 'self-signed'`
`option ssl_certificate '/etc/nginx/conf.d/$name.crt'`
`option ssl_certificate_key '/etc/nginx/conf.d/$name.key'`
`option ssl_session_cache 'shared:SSL:32k'`
`option ssl_session_timeout '64m'`
If these options are already present, they will stay the
same; just the first option `uci_manage_ssl` will always be
changed to 'self-signed'. The command also changes all
`listen` list items to use port 443 and ssl instead of port
80 (without ssl). If they stated another port than 80
before, they are kept the same. Furthermore, it creates a
self-signed SSL certificate if necessary, i.e., if there is
no *valid* certificate and key at the locations given by
the options `ssl_certificate` and `ssl_certificate_key`.
* `nginx-util del_ssl $name` checks if `uci_manage_ssl` is
set 'self-signed' in the corresponding UCI section. Only
then it removes all of the above options regardless of the
value looking just at the key name. Then, it also changes
all `listen` list items to use port 80 (without ssl)
instead of port 443 with ssl. If stating another port than
443, they are kept the same. Furthermore, it removes the
SSL certificate and key that were indicated by
`ssl_certificate{,_key}`.
* `nginx-util check_ssl` looks through all server sections
of the UCI config for `uci_manage_ssl 'self-signed'`. On
every hit it checks if the SSL certificate-key-pair
indicated by the options `ssl_certificate{,_key}` is
expired. Then it re-creates a self-signed certificate.
If there exists at least one `section server` with
`uci_manage_ssl 'self-signed'`, it will try to install
itself as cron job. If there are no such sections, it
removes that cron job if possible.
For installing a ssl certificate and key managed by
another app, you can call:
`nginx-util add_ssl $name $manager $crtpath $keypath`
Hereby `$name` is as above, `$manager` is an arbitrary
string, and the the ssl certificate and its key are
indicated by their absolute path. If you want to remove
the directives again, then you can use:
`nginx-util del_ssl $name $manager`
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
2020-07-23 14:56:36 +02:00
|
|
|
define Package/nginx-ssl-util/install/default
|
|
|
|
|
$(INSTALL_DIR) $(1)/etc/nginx/conf.d/
|
|
|
|
|
|
|
|
|
|
$(INSTALL_CONF) ./files/uci.conf.template $(1)/etc/nginx/
|
|
|
|
|
$(LN) /var/lib/nginx/uci.conf $(1)/etc/nginx/uci.conf
|
|
|
|
|
|
|
|
|
|
$(INSTALL_CONF) ./files/restrict_locally $(1)/etc/nginx/
|
|
|
|
|
|
2023-04-20 12:59:08 +02:00
|
|
|
$(INSTALL_DIR) $(1)/etc/nginx/module.d/
|
|
|
|
|
|
nginx-util: use UCI for server configuration
**tl;dr:** The functions `{add,del}_ssl` modify a server
section of the UCI config if there is no `.conf` file with
the same name in `/etc/nginx/conf.d/`.
Then `init_lan` creates `/var/lib/nginx/uci.conf` files by
copying the `/etc/nginx/uci.conf.template` and standard
options from the UCI config; additionally the special path
`logd` can be used in `{access,error}_log`.
The init does not change the configuration beside
re-creating self-signed certificates when needed. This is
also the only purpose of the new `check_ssl`, which is
installed as yearly cron job.
**Initialization:**
Invoking `nginx-util init_lan` parses the UCI configuration
for package `nginx`. It creates a server part in
`/var/lib/nginx/uci.conf` for each `section server '$name'`
by copying all UCI options but the following:
* `option uci_manage_ssl` is skipped. It is set to
'self-signed' by `nginx-util add_ssl $name`, removed by
`nginx-util del_ssl $name` and used by
`nginx-util check_ssl` (see below).
* `logd` as path in `error_log` or `access_log` writes them
to STDERR respective STDOUT, which are fowarded by Nginx's
init to the log daemon. Specifically:
`option error_log 'logd'` becomes `error_log stderr;` and
`option access_log 'logd openwrt'` becomes
`access_log /proc/self/fd/1 openwrt;`
Other `[option|list] key 'value'` entries just become
`key value;` directives.
The init.d calls internally also `check_ssl` for rebuilding
self-signed SSL certificates if needed (see below). And it
still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as
it is doing in the current version (so they stay available).
**Defaults:**
The package installs the file `/etc/nginx/restrict_locally`
containing allow/deny directives for restricting the access
to LAN addresses by including it into a server part. The
default server '_lan' includes this file and listens on all
IPs (instead of only the local IPs as it did before; other
servers do not need to listen explicitly on the local IPs
anymore). The default server is contained together with a
server that redirects HTTP requests for inexistent URLs to
HTTPS in the UCI configuration file `/etc/config/nginx`.
Furthermore, the packages installs a
`/etc/nginx/uci.conf.template` containing the current setup
and a marker, which will be replaced by the created UCI
servers when calling `init_lan`.
**Other:**
If there is a file named `/etc/nginx/conf.d/$name.conf` the
functions `init_lan`, `add_ssl $name` and `del_ssl $name`
will use that file instead of a UCI server section (this is
similar to the current version).
Else it selects the UCI `section server $name`, or, when
there is no such section, it searches for the first one
having `option server_name '… $name …'`. For this section:
* `nginx-util add_ssl $name` will add to it:
`option uci_manage_ssl 'self-signed'`
`option ssl_certificate '/etc/nginx/conf.d/$name.crt'`
`option ssl_certificate_key '/etc/nginx/conf.d/$name.key'`
`option ssl_session_cache 'shared:SSL:32k'`
`option ssl_session_timeout '64m'`
If these options are already present, they will stay the
same; just the first option `uci_manage_ssl` will always be
changed to 'self-signed'. The command also changes all
`listen` list items to use port 443 and ssl instead of port
80 (without ssl). If they stated another port than 80
before, they are kept the same. Furthermore, it creates a
self-signed SSL certificate if necessary, i.e., if there is
no *valid* certificate and key at the locations given by
the options `ssl_certificate` and `ssl_certificate_key`.
* `nginx-util del_ssl $name` checks if `uci_manage_ssl` is
set 'self-signed' in the corresponding UCI section. Only
then it removes all of the above options regardless of the
value looking just at the key name. Then, it also changes
all `listen` list items to use port 80 (without ssl)
instead of port 443 with ssl. If stating another port than
443, they are kept the same. Furthermore, it removes the
SSL certificate and key that were indicated by
`ssl_certificate{,_key}`.
* `nginx-util check_ssl` looks through all server sections
of the UCI config for `uci_manage_ssl 'self-signed'`. On
every hit it checks if the SSL certificate-key-pair
indicated by the options `ssl_certificate{,_key}` is
expired. Then it re-creates a self-signed certificate.
If there exists at least one `section server` with
`uci_manage_ssl 'self-signed'`, it will try to install
itself as cron job. If there are no such sections, it
removes that cron job if possible.
For installing a ssl certificate and key managed by
another app, you can call:
`nginx-util add_ssl $name $manager $crtpath $keypath`
Hereby `$name` is as above, `$manager` is an arbitrary
string, and the the ssl certificate and its key are
indicated by their absolute path. If you want to remove
the directives again, then you can use:
`nginx-util del_ssl $name $manager`
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
2020-07-23 14:56:36 +02:00
|
|
|
$(INSTALL_DIR) $(1)/etc/config/
|
|
|
|
|
$(INSTALL_CONF) ./files/nginx.config $(1)/etc/config/nginx
|
|
|
|
|
|
|
|
|
|
ifneq ($(CONFIG_IPV6),y) # the used IPv6 directives have `::` in them:
|
|
|
|
|
$(SED) "/::/d" $(1)/etc/nginx/restrict_locally
|
|
|
|
|
$(SED) "/::/d" $(1)/etc/config/nginx
|
|
|
|
|
endif
|
|
|
|
|
endef
|
|
|
|
|
|
|
|
|
|
|
2019-12-05 08:48:20 +01:00
|
|
|
define Package/nginx-ssl-util/install
|
nginx-util: use UCI for server configuration
**tl;dr:** The functions `{add,del}_ssl` modify a server
section of the UCI config if there is no `.conf` file with
the same name in `/etc/nginx/conf.d/`.
Then `init_lan` creates `/var/lib/nginx/uci.conf` files by
copying the `/etc/nginx/uci.conf.template` and standard
options from the UCI config; additionally the special path
`logd` can be used in `{access,error}_log`.
The init does not change the configuration beside
re-creating self-signed certificates when needed. This is
also the only purpose of the new `check_ssl`, which is
installed as yearly cron job.
**Initialization:**
Invoking `nginx-util init_lan` parses the UCI configuration
for package `nginx`. It creates a server part in
`/var/lib/nginx/uci.conf` for each `section server '$name'`
by copying all UCI options but the following:
* `option uci_manage_ssl` is skipped. It is set to
'self-signed' by `nginx-util add_ssl $name`, removed by
`nginx-util del_ssl $name` and used by
`nginx-util check_ssl` (see below).
* `logd` as path in `error_log` or `access_log` writes them
to STDERR respective STDOUT, which are fowarded by Nginx's
init to the log daemon. Specifically:
`option error_log 'logd'` becomes `error_log stderr;` and
`option access_log 'logd openwrt'` becomes
`access_log /proc/self/fd/1 openwrt;`
Other `[option|list] key 'value'` entries just become
`key value;` directives.
The init.d calls internally also `check_ssl` for rebuilding
self-signed SSL certificates if needed (see below). And it
still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as
it is doing in the current version (so they stay available).
**Defaults:**
The package installs the file `/etc/nginx/restrict_locally`
containing allow/deny directives for restricting the access
to LAN addresses by including it into a server part. The
default server '_lan' includes this file and listens on all
IPs (instead of only the local IPs as it did before; other
servers do not need to listen explicitly on the local IPs
anymore). The default server is contained together with a
server that redirects HTTP requests for inexistent URLs to
HTTPS in the UCI configuration file `/etc/config/nginx`.
Furthermore, the packages installs a
`/etc/nginx/uci.conf.template` containing the current setup
and a marker, which will be replaced by the created UCI
servers when calling `init_lan`.
**Other:**
If there is a file named `/etc/nginx/conf.d/$name.conf` the
functions `init_lan`, `add_ssl $name` and `del_ssl $name`
will use that file instead of a UCI server section (this is
similar to the current version).
Else it selects the UCI `section server $name`, or, when
there is no such section, it searches for the first one
having `option server_name '… $name …'`. For this section:
* `nginx-util add_ssl $name` will add to it:
`option uci_manage_ssl 'self-signed'`
`option ssl_certificate '/etc/nginx/conf.d/$name.crt'`
`option ssl_certificate_key '/etc/nginx/conf.d/$name.key'`
`option ssl_session_cache 'shared:SSL:32k'`
`option ssl_session_timeout '64m'`
If these options are already present, they will stay the
same; just the first option `uci_manage_ssl` will always be
changed to 'self-signed'. The command also changes all
`listen` list items to use port 443 and ssl instead of port
80 (without ssl). If they stated another port than 80
before, they are kept the same. Furthermore, it creates a
self-signed SSL certificate if necessary, i.e., if there is
no *valid* certificate and key at the locations given by
the options `ssl_certificate` and `ssl_certificate_key`.
* `nginx-util del_ssl $name` checks if `uci_manage_ssl` is
set 'self-signed' in the corresponding UCI section. Only
then it removes all of the above options regardless of the
value looking just at the key name. Then, it also changes
all `listen` list items to use port 80 (without ssl)
instead of port 443 with ssl. If stating another port than
443, they are kept the same. Furthermore, it removes the
SSL certificate and key that were indicated by
`ssl_certificate{,_key}`.
* `nginx-util check_ssl` looks through all server sections
of the UCI config for `uci_manage_ssl 'self-signed'`. On
every hit it checks if the SSL certificate-key-pair
indicated by the options `ssl_certificate{,_key}` is
expired. Then it re-creates a self-signed certificate.
If there exists at least one `section server` with
`uci_manage_ssl 'self-signed'`, it will try to install
itself as cron job. If there are no such sections, it
removes that cron job if possible.
For installing a ssl certificate and key managed by
another app, you can call:
`nginx-util add_ssl $name $manager $crtpath $keypath`
Hereby `$name` is as above, `$manager` is an arbitrary
string, and the the ssl certificate and its key are
indicated by their absolute path. If you want to remove
the directives again, then you can use:
`nginx-util del_ssl $name $manager`
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
2020-07-23 14:56:36 +02:00
|
|
|
$(call Package/nginx-ssl-util/install/default, $(1))
|
2019-12-05 08:48:20 +01:00
|
|
|
$(INSTALL_DIR) $(1)/usr/bin
|
|
|
|
|
$(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-ssl-util $(1)/usr/bin/nginx-util
|
|
|
|
|
endef
|
|
|
|
|
|
2020-05-26 16:21:10 +02:00
|
|
|
|
2019-12-05 08:48:20 +01:00
|
|
|
define Package/nginx-ssl-util-nopcre/install
|
nginx-util: use UCI for server configuration
**tl;dr:** The functions `{add,del}_ssl` modify a server
section of the UCI config if there is no `.conf` file with
the same name in `/etc/nginx/conf.d/`.
Then `init_lan` creates `/var/lib/nginx/uci.conf` files by
copying the `/etc/nginx/uci.conf.template` and standard
options from the UCI config; additionally the special path
`logd` can be used in `{access,error}_log`.
The init does not change the configuration beside
re-creating self-signed certificates when needed. This is
also the only purpose of the new `check_ssl`, which is
installed as yearly cron job.
**Initialization:**
Invoking `nginx-util init_lan` parses the UCI configuration
for package `nginx`. It creates a server part in
`/var/lib/nginx/uci.conf` for each `section server '$name'`
by copying all UCI options but the following:
* `option uci_manage_ssl` is skipped. It is set to
'self-signed' by `nginx-util add_ssl $name`, removed by
`nginx-util del_ssl $name` and used by
`nginx-util check_ssl` (see below).
* `logd` as path in `error_log` or `access_log` writes them
to STDERR respective STDOUT, which are fowarded by Nginx's
init to the log daemon. Specifically:
`option error_log 'logd'` becomes `error_log stderr;` and
`option access_log 'logd openwrt'` becomes
`access_log /proc/self/fd/1 openwrt;`
Other `[option|list] key 'value'` entries just become
`key value;` directives.
The init.d calls internally also `check_ssl` for rebuilding
self-signed SSL certificates if needed (see below). And it
still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as
it is doing in the current version (so they stay available).
**Defaults:**
The package installs the file `/etc/nginx/restrict_locally`
containing allow/deny directives for restricting the access
to LAN addresses by including it into a server part. The
default server '_lan' includes this file and listens on all
IPs (instead of only the local IPs as it did before; other
servers do not need to listen explicitly on the local IPs
anymore). The default server is contained together with a
server that redirects HTTP requests for inexistent URLs to
HTTPS in the UCI configuration file `/etc/config/nginx`.
Furthermore, the packages installs a
`/etc/nginx/uci.conf.template` containing the current setup
and a marker, which will be replaced by the created UCI
servers when calling `init_lan`.
**Other:**
If there is a file named `/etc/nginx/conf.d/$name.conf` the
functions `init_lan`, `add_ssl $name` and `del_ssl $name`
will use that file instead of a UCI server section (this is
similar to the current version).
Else it selects the UCI `section server $name`, or, when
there is no such section, it searches for the first one
having `option server_name '… $name …'`. For this section:
* `nginx-util add_ssl $name` will add to it:
`option uci_manage_ssl 'self-signed'`
`option ssl_certificate '/etc/nginx/conf.d/$name.crt'`
`option ssl_certificate_key '/etc/nginx/conf.d/$name.key'`
`option ssl_session_cache 'shared:SSL:32k'`
`option ssl_session_timeout '64m'`
If these options are already present, they will stay the
same; just the first option `uci_manage_ssl` will always be
changed to 'self-signed'. The command also changes all
`listen` list items to use port 443 and ssl instead of port
80 (without ssl). If they stated another port than 80
before, they are kept the same. Furthermore, it creates a
self-signed SSL certificate if necessary, i.e., if there is
no *valid* certificate and key at the locations given by
the options `ssl_certificate` and `ssl_certificate_key`.
* `nginx-util del_ssl $name` checks if `uci_manage_ssl` is
set 'self-signed' in the corresponding UCI section. Only
then it removes all of the above options regardless of the
value looking just at the key name. Then, it also changes
all `listen` list items to use port 80 (without ssl)
instead of port 443 with ssl. If stating another port than
443, they are kept the same. Furthermore, it removes the
SSL certificate and key that were indicated by
`ssl_certificate{,_key}`.
* `nginx-util check_ssl` looks through all server sections
of the UCI config for `uci_manage_ssl 'self-signed'`. On
every hit it checks if the SSL certificate-key-pair
indicated by the options `ssl_certificate{,_key}` is
expired. Then it re-creates a self-signed certificate.
If there exists at least one `section server` with
`uci_manage_ssl 'self-signed'`, it will try to install
itself as cron job. If there are no such sections, it
removes that cron job if possible.
For installing a ssl certificate and key managed by
another app, you can call:
`nginx-util add_ssl $name $manager $crtpath $keypath`
Hereby `$name` is as above, `$manager` is an arbitrary
string, and the the ssl certificate and its key are
indicated by their absolute path. If you want to remove
the directives again, then you can use:
`nginx-util del_ssl $name $manager`
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
2020-07-23 14:56:36 +02:00
|
|
|
$(call Package/nginx-ssl-util/install/default, $(1))
|
2019-12-05 08:48:20 +01:00
|
|
|
$(INSTALL_DIR) $(1)/usr/bin
|
|
|
|
|
$(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-ssl-util-nopcre \
|
|
|
|
|
$(1)/usr/bin/nginx-util
|
|
|
|
|
endef
|
|
|
|
|
|
2020-05-26 16:21:10 +02:00
|
|
|
|
nginx-util: use UCI for server configuration
**tl;dr:** The functions `{add,del}_ssl` modify a server
section of the UCI config if there is no `.conf` file with
the same name in `/etc/nginx/conf.d/`.
Then `init_lan` creates `/var/lib/nginx/uci.conf` files by
copying the `/etc/nginx/uci.conf.template` and standard
options from the UCI config; additionally the special path
`logd` can be used in `{access,error}_log`.
The init does not change the configuration beside
re-creating self-signed certificates when needed. This is
also the only purpose of the new `check_ssl`, which is
installed as yearly cron job.
**Initialization:**
Invoking `nginx-util init_lan` parses the UCI configuration
for package `nginx`. It creates a server part in
`/var/lib/nginx/uci.conf` for each `section server '$name'`
by copying all UCI options but the following:
* `option uci_manage_ssl` is skipped. It is set to
'self-signed' by `nginx-util add_ssl $name`, removed by
`nginx-util del_ssl $name` and used by
`nginx-util check_ssl` (see below).
* `logd` as path in `error_log` or `access_log` writes them
to STDERR respective STDOUT, which are fowarded by Nginx's
init to the log daemon. Specifically:
`option error_log 'logd'` becomes `error_log stderr;` and
`option access_log 'logd openwrt'` becomes
`access_log /proc/self/fd/1 openwrt;`
Other `[option|list] key 'value'` entries just become
`key value;` directives.
The init.d calls internally also `check_ssl` for rebuilding
self-signed SSL certificates if needed (see below). And it
still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as
it is doing in the current version (so they stay available).
**Defaults:**
The package installs the file `/etc/nginx/restrict_locally`
containing allow/deny directives for restricting the access
to LAN addresses by including it into a server part. The
default server '_lan' includes this file and listens on all
IPs (instead of only the local IPs as it did before; other
servers do not need to listen explicitly on the local IPs
anymore). The default server is contained together with a
server that redirects HTTP requests for inexistent URLs to
HTTPS in the UCI configuration file `/etc/config/nginx`.
Furthermore, the packages installs a
`/etc/nginx/uci.conf.template` containing the current setup
and a marker, which will be replaced by the created UCI
servers when calling `init_lan`.
**Other:**
If there is a file named `/etc/nginx/conf.d/$name.conf` the
functions `init_lan`, `add_ssl $name` and `del_ssl $name`
will use that file instead of a UCI server section (this is
similar to the current version).
Else it selects the UCI `section server $name`, or, when
there is no such section, it searches for the first one
having `option server_name '… $name …'`. For this section:
* `nginx-util add_ssl $name` will add to it:
`option uci_manage_ssl 'self-signed'`
`option ssl_certificate '/etc/nginx/conf.d/$name.crt'`
`option ssl_certificate_key '/etc/nginx/conf.d/$name.key'`
`option ssl_session_cache 'shared:SSL:32k'`
`option ssl_session_timeout '64m'`
If these options are already present, they will stay the
same; just the first option `uci_manage_ssl` will always be
changed to 'self-signed'. The command also changes all
`listen` list items to use port 443 and ssl instead of port
80 (without ssl). If they stated another port than 80
before, they are kept the same. Furthermore, it creates a
self-signed SSL certificate if necessary, i.e., if there is
no *valid* certificate and key at the locations given by
the options `ssl_certificate` and `ssl_certificate_key`.
* `nginx-util del_ssl $name` checks if `uci_manage_ssl` is
set 'self-signed' in the corresponding UCI section. Only
then it removes all of the above options regardless of the
value looking just at the key name. Then, it also changes
all `listen` list items to use port 80 (without ssl)
instead of port 443 with ssl. If stating another port than
443, they are kept the same. Furthermore, it removes the
SSL certificate and key that were indicated by
`ssl_certificate{,_key}`.
* `nginx-util check_ssl` looks through all server sections
of the UCI config for `uci_manage_ssl 'self-signed'`. On
every hit it checks if the SSL certificate-key-pair
indicated by the options `ssl_certificate{,_key}` is
expired. Then it re-creates a self-signed certificate.
If there exists at least one `section server` with
`uci_manage_ssl 'self-signed'`, it will try to install
itself as cron job. If there are no such sections, it
removes that cron job if possible.
For installing a ssl certificate and key managed by
another app, you can call:
`nginx-util add_ssl $name $manager $crtpath $keypath`
Hereby `$name` is as above, `$manager` is an arbitrary
string, and the the ssl certificate and its key are
indicated by their absolute path. If you want to remove
the directives again, then you can use:
`nginx-util del_ssl $name $manager`
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
2020-07-23 14:56:36 +02:00
|
|
|
define Package/nginx-ssl-util/prerm
|
|
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
|
|
[ -n "$${IPKG_INSTROOT}" ] && exit 0
|
|
|
|
|
[ "$${PKG_UPGRADE}" = "1" ] && exit 0
|
|
|
|
|
case "$$(/sbin/uci get "nginx.global.uci_enable" 2>/dev/null)" in
|
|
|
|
|
1|on|true|yes|enabled) ;;
|
|
|
|
|
*) exit 0;;
|
|
|
|
|
esac
|
|
|
|
|
|
|
|
|
|
eval "$$(/usr/bin/nginx-util get_env)" &&
|
|
|
|
|
[ "$$(/sbin/uci get "nginx.$${LAN_NAME}.$${MANAGE_SSL}" 2>/dev/null)" = \
|
|
|
|
|
"self-signed" ] &&
|
|
|
|
|
cd "/etc/nginx" &&
|
|
|
|
|
rm -f "$$(/sbin/uci get "nginx.$${LAN_NAME}.ssl_certificate")" \
|
|
|
|
|
"$$(/sbin/uci get "nginx.$${LAN_NAME}.ssl_certificate_key")"
|
|
|
|
|
|
|
|
|
|
exit 0
|
|
|
|
|
endef
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Package/nginx-ssl-util-nopcre/prerm = $(Package/nginx-ssl-util/prerm)
|
|
|
|
|
|
|
|
|
|
|
2021-10-24 12:33:35 +02:00
|
|
|
define Package/nginx-ssl-util/conffiles
|
|
|
|
|
/etc/config/nginx
|
|
|
|
|
/etc/nginx/restrict_locally
|
|
|
|
|
/etc/nginx/uci.conf.template
|
|
|
|
|
endef
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Package/nginx-ssl-util-nopcre/conffiles = $(Package/nginx-ssl-util/conffiles)
|
|
|
|
|
|
|
|
|
|
|
2019-12-05 08:48:20 +01:00
|
|
|
$(eval $(call BuildPackage,nginx-ssl-util))
|
|
|
|
|
$(eval $(call BuildPackage,nginx-ssl-util-nopcre))
|
2020-05-21 20:21:59 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
# TODO: remove after a transition period (together with above and pkg nginx):
|
|
|
|
|
# It replaces nginx-util by a dummy pkg for a smooth upgrade of nginx*
|
|
|
|
|
|
|
|
|
|
define Package/nginx-util
|
|
|
|
|
TITLE:=Dummy package for removing nginx-util when upgrading.
|
|
|
|
|
DEPENDS:=+libstdcpp +libubus +libubox +libpthread
|
|
|
|
|
PKGARCH:=all
|
|
|
|
|
endef
|
|
|
|
|
|
|
|
|
|
define Package/nginx-util/install
|
|
|
|
|
$(INSTALL_DIR) $(1)/usr/bin
|
|
|
|
|
endef
|
|
|
|
|
|
|
|
|
|
$(eval $(call BuildPackage,nginx-util))
|