Merge pull request #12929 from peter-stadler/nginx-always-ssl

nginx: enable ssl for all variants and remove nginx-util w/o ssl
2020-07-26 02:23:40 -07:00 · 2020-07-26 02:23:40 -07:00 · 6d3767075a
commit 6d3767075a
parent 6c173164ef 3603f50fd5
9 changed files with 144 additions and 471 deletions
--- a/net/nginx-util/Makefile
+++ b/net/nginx-util/Makefile
@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=nginx-util
 PKG_VERSION:=1.4
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_MAINTAINER:=Peter Stadler <peter.stadler@student.uibk.ac.at>

 include $(INCLUDE_DIR)/package.mk
@ -12,26 +12,16 @@ CMAKE_OPTIONS+= -DUBUS=y
 CMAKE_OPTIONS+= -DVERSION=$(PKG_VERSION)


-define Package/nginx-util/default
+define Package/nginx-ssl-util/default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=Web Servers/Proxies
-  TITLE:=Nginx configurator
-  DEPENDS:=+libstdcpp +libubus +libubox +libpthread
-endef
-
-
-define Package/nginx-util
-  $(Package/nginx-util/default)
-  CONFLICTS:=nginx-ssl-util-nopcre nginx-ssl-util
-endef
-
-
-define Package/nginx-ssl-util/default
-  $(Package/nginx-util/default)
-  TITLE+= including SSL
-  DEPENDS+= +libopenssl
-  CONFLICTS:=nginx-util,
+  TITLE:=Nginx configurator including SSL
+  DEPENDS:=+libstdcpp +libubus +libubox +libpthread +libopenssl
+  # TODO: remove after a transition period (together with below and pkg nginx):
+  # It actually removes nginx-util (replacing it by a dummy pkg) to avoid
+  # conflicts with nginx-ssl-util*
+  EXTRA_DEPENDS:=nginx-util (>=1.4-2)
 endef


@ -39,25 +29,22 @@ define Package/nginx-ssl-util
  $(Package/nginx-ssl-util/default)
  TITLE+= (using PCRE)
  DEPENDS+= +libpcre
-  CONFLICTS+= nginx-ssl-util-nopcre,
+  CONFLICTS:=nginx-ssl-util-nopcre,
 endef


 define Package/nginx-ssl-util-nopcre
  $(Package/nginx-ssl-util/default)
  TITLE+= (using <regex>)
-  CONFLICTS+= nginx-ssl-util
+  CONFLICTS:=nginx-ssl-util
 endef


-define Package/nginx-util/description
+define Package/nginx-ssl-util/default/description
  Utility that builds dynamically LAN listen directives for Nginx.
-endef
-
-
-Package/nginx-ssl-util/default/description = $(Package/nginx-util/description)\
-  Furthermore, it manages SSL directives for its server parts and can create \
+  Furthermore, it manages SSL directives for its server parts and can create
  corresponding (self-signed) certificates.
+endef


 Package/nginx-ssl-util/description = \
@ -70,12 +57,6 @@ Package/nginx-ssl-util-nopcre/description = \
  It uses the standard regex library of C++.


-define Package/nginx-util/install
-	$(INSTALL_DIR) $(1)/usr/bin
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-util $(1)/usr/bin/nginx-util
-endef
-
-
 define Package/nginx-ssl-util/install
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-ssl-util $(1)/usr/bin/nginx-util
@ -89,6 +70,21 @@ define Package/nginx-ssl-util-nopcre/install
 endef


-$(eval $(call BuildPackage,nginx-util))
 $(eval $(call BuildPackage,nginx-ssl-util))
 $(eval $(call BuildPackage,nginx-ssl-util-nopcre))
+
+
+# TODO: remove after a transition period (together with above and pkg nginx):
+# It replaces nginx-util by a dummy pkg for a smooth upgrade of nginx*
+
+define Package/nginx-util
+  TITLE:=Dummy package for removing nginx-util when upgrading.
+  DEPENDS:=+libstdcpp +libubus +libubox +libpthread
+  PKGARCH:=all
+endef
+
+define Package/nginx-util/install
+	$(INSTALL_DIR) $(1)/usr/bin
+endef
+
+$(eval $(call BuildPackage,nginx-util))
--- a/net/nginx-util/src/CMakeLists.txt
+++ b/net/nginx-util/src/CMakeLists.txt
@ -23,11 +23,6 @@ FIND_PATH(ubox_include_dir libubox/blobmsg.h)
 FIND_LIBRARY(ubox NAMES ubox)
 INCLUDE_DIRECTORIES(${ubox_include_dir})

-ADD_EXECUTABLE(nginx-util nginx-util.cpp)
-TARGET_COMPILE_DEFINITIONS(nginx-util PUBLIC -DNO_SSL)
-TARGET_LINK_LIBRARIES(nginx-util ${ubox} ${ubus} pthread)
-INSTALL(TARGETS nginx-util RUNTIME DESTINATION bin)
-
 ADD_EXECUTABLE(nginx-ssl-util nginx-util.cpp)
 TARGET_LINK_LIBRARIES(nginx-ssl-util ${ubox} ${ubus} pthread ssl crypto pcre)
 INSTALL(TARGETS nginx-ssl-util RUNTIME DESTINATION bin)
--- a/net/nginx/Config.in
+++ b/net/nginx/Config.in
@ -1,270 +0,0 @@
-#
-# Copyright (C) 2010-2016 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-menu "Configuration"
-        depends on PACKAGE_nginx
-
-config NGINX_SSL
-	bool
-	prompt "Enable SSL module"
-	help
-		Enable HTTPS/SSL support.
-	default n
-
-config NGINX_DAV
-	bool
-	prompt "Enable WebDAV module"
-	help
-		Enable the HTTP and WebDAV methods PUT, DELETE, MKCOL, COPY and MOVE.
-	default n
-
-config NGINX_UBUS
-	bool
-	prompt "Enable UBUS module"
-	help
-		Enable UBUS api support directly from the server.
-	default y
-
-config NGINX_FLV
-	bool
-	prompt "Enable FLV module"
-	help
-		Provides the ability to seek within FLV (Flash) files using time-based offsets.
-	default n
-
-config NGINX_STUB_STATUS
-	bool
-	prompt "Enable stub status module"
-	help
-		Enable the stub status module which gives some status from the server.
-	default n
-
-config NGINX_HTTP_CHARSET
-	bool
-	prompt "Enable HTTP charset module"
-	default y
-
-config NGINX_HTTP_GZIP
-	bool
-	prompt "Enable HTTP gzip module"
-	default y
-
-config NGINX_HTTP_SSI
-	bool
-	prompt "Enable HTTP ssi module"
-	default y
-
-config NGINX_HTTP_USERID
-	bool
-	prompt "Enable HTTP userid module"
-	default y
-
-config NGINX_HTTP_ACCESS
-	bool
-	prompt "Enable HTTP access module"
-	default y
-
-config NGINX_HTTP_AUTH_BASIC
-	bool
-	prompt "Enable HTTP auth basic"
-	default y
-
-config NGINX_HTTP_AUTH_REQUEST
-	bool
-	prompt "Enable HTTP auth request module"
-	default n
-
-config NGINX_HTTP_AUTOINDEX
-	bool
-	prompt "Enable HTTP autoindex module"
-	default y
-
-config NGINX_HTTP_GEO
-	bool
-	prompt "Enable HTTP geo module"
-	default y
-
-config NGINX_HTTP_MAP
-	bool
-	prompt "Enable HTTP map module"
-	default y
-
-config NGINX_HTTP_SPLIT_CLIENTS
-	bool
-	prompt "Enable HTTP split clients"
-	default y
-
-config NGINX_HTTP_REFERER
-	bool
-	prompt "Enable HTTP referer module"
-	default y
-
-config NGINX_HTTP_REWRITE
-	bool
-	prompt "Enable HTTP rewrite module"
-	select NGINX_PCRE
-	default y
-
-config NGINX_HTTP_PROXY
-	bool
-	prompt "Enable HTTP proxy module"
-	default y
-
-config NGINX_HTTP_FASTCGI
-	bool
-	prompt "Enable HTTP fastcgi module"
-	default y
-
-config NGINX_HTTP_UWSGI
-	bool
-	prompt "Enable HTTP uwsgi module"
-	default y
-
-config NGINX_HTTP_SCGI
-	bool
-	prompt "Enable HTTP scgi module"
-	default y
-
-config NGINX_HTTP_MEMCACHED
-	bool
-	prompt "Enable HTTP memcached module"
-	default y
-
-config NGINX_HTTP_LIMIT_CONN
-	bool
-	prompt "Enable HTTP limit conn"
-	default y
-
-config NGINX_HTTP_LIMIT_REQ
-	bool
-	prompt "Enable HTTP limit req"
-	default y
-
-config NGINX_HTTP_EMPTY_GIF
-	bool
-	prompt "Enable HTTP empty gif"
-	default y
-
-config NGINX_HTTP_BROWSER
-	bool
-	prompt "Enable HTTP browser module"
-	default y
-
-config NGINX_HTTP_UPSTREAM_HASH
-	bool
-	prompt "Enable HTTP hash module"
-	default y
-
-config NGINX_HTTP_UPSTREAM_IP_HASH
-	bool
-	prompt "Enable HTTP IP hash module"
-	default y
-
-config NGINX_HTTP_UPSTREAM_LEAST_CONN
-	bool
-	prompt "Enable HTTP least conn module"
-	default y
-
-config NGINX_HTTP_UPSTREAM_KEEPALIVE
-	bool
-	prompt "Enable HTTP keepalive module"
-	default y
-
-config NGINX_HTTP_CACHE
-	bool
-	prompt "Enable HTTP cache"
-	default y
-
-config NGINX_HTTP_V2
-	bool
-	prompt "Enable HTTP_V2 module"
-	default n
-
-config NGINX_PCRE
-	bool
-	prompt "Enable PCRE library usage"
-	default y
-
-config NGINX_NAXSI
-	bool
-	prompt "Enable NAXSI module"
-	default y
-
-config NGINX_LUA
-	bool
-	prompt "Enable Lua module"
-	default n
-
-config NGINX_HTTP_REAL_IP
-	bool
-	prompt "Enable HTTP real ip module"
-	default n
-
-config NGINX_HTTP_SECURE_LINK
-	bool
-	prompt "Enable HTTP secure link module"
-	default n
-	
-config NGINX_HTTP_SUB
-	bool
-	prompt "Enable HTTP sub module"
-	default n
-	
-config NGINX_HEADERS_MORE
-	bool
-	prompt "Enable Headers_more module"
-	help
-		Set and clear input and output headers...more than "add"!
-	default y
-	
-config NGINX_HTTP_BROTLI
-	bool
-	prompt "Enable Brotli compression module"
-	help
-		Add support for brotli compression module.
-	default n
-
-config NGINX_STREAM_CORE_MODULE
-	bool
-	prompt "Enable stream support"
-	help
-		Add support for NGINX request streaming.
-	default n
-
-config NGINX_STREAM_SSL_MODULE
-	bool
-	prompt "Enable stream support with SSL/TLS termination"
-	depends on NGINX_STREAM_CORE_MODULE
-	help
-		Add support for NGINX request streaming with SSL/TLS termination.
-	default n
-
-config NGINX_STREAM_SSL_PREREAD_MODULE
-	bool
-	prompt "Enable stream support with SSL/TLS pre-read"
-	depends on NGINX_STREAM_CORE_MODULE
-	help
-		Add support for NGINX request streaming using information from the ClientHello message without terminating SSL/TLS.
-	default n
-
-config NGINX_RTMP_MODULE
-	bool
-	prompt "Enable RTMP module"
-	depends on NGINX_SSL
-	help
-		Add support for NGINX-based Media Streaming Server module.
-		DASH enhanced - https://github.com/ut0mt8/nginx-rtmp-module
-	default n
-
-config NGINX_TS_MODULE
-	bool
-	prompt "Enable TS module"
-	help
-		Add support for MPEG-TS Live Module module.
-	default n
-
-endmenu
--- a/net/nginx/Config_ssl.in
+++ b/net/nginx/Config_ssl.in
@ -175,7 +175,7 @@ config NGINX_HTTP_CACHE
 config NGINX_HTTP_V2
 	bool
 	prompt "Enable HTTP_V2 module"
-	default n
+	default y

 config NGINX_PCRE
 	bool
--- a/net/nginx/Makefile
+++ b/net/nginx/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=nginx
 PKG_VERSION:=1.19.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2

 PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://nginx.org/download/
@ -25,7 +25,6 @@ PKG_BUILD_PARALLEL:=1
 PKG_INSTALL:=1

 PKG_CONFIG_DEPENDS := \
-	CONFIG_NGINX_SSL \
 	CONFIG_NGINX_DAV \
 	CONFIG_NGINX_FLV \
 	CONFIG_NGINX_UBUS \
@ -72,8 +71,7 @@ PKG_CONFIG_DEPENDS := \
 	CONFIG_NGINX_RTMP_MODULE \
 	CONFIG_NGINX_TS_MODULE \
 	CONFIG_OPENSSL_ENGINE \
-	CONFIG_OPENSSL_WITH_NPN \
-	CONFIG_NGINX_NOPCRE
+	CONFIG_OPENSSL_WITH_NPN

 include $(INCLUDE_DIR)/package.mk

@ -83,31 +81,23 @@ define Package/nginx/default
  SUBMENU:=Web Servers/Proxies
  TITLE:=Nginx web server
  URL:=http://nginx.org/
-  DEPENDS:=+NGINX_PCRE:libpcre +NGINX_SSL:libopenssl \
+  DEPENDS:=+NGINX_PCRE:libpcre +libopenssl \
+	+NGINX_PCRE:nginx-ssl-util +!NGINX_PCRE:nginx-ssl-util-nopcre \
 	+NGINX_HTTP_GZIP:zlib +NGINX_LUA:liblua +libpthread +NGINX_DAV:libxml2 \
 	+NGINX_UBUS:libubus +NGINX_UBUS:libblobmsg-json +NGINX_UBUS:libjson-c
+  PROVIDES:=nginx
 endef

 define Package/nginx/description
 nginx is an HTTP and reverse proxy server, as well as a mail proxy server, \
- written by Igor Sysoev. (Some module require SSL module enable to show up in \
- config menu)
-endef
-
-define Package/nginx
-  $(Package/nginx/default)
-  DEPENDS += +!NGINX_SSL:nginx-util +NGINX_SSL&&NGINX_PCRE:nginx-ssl-util \
-	+NGINX_SSL&&NGINX_NOPCRE:nginx-ssl-util-nopcre
-  VARIANT:=no-ssl
+ written by Igor Sysoev.
 endef

 define Package/nginx-ssl
  $(Package/nginx/default)
  TITLE += with SSL support
-  DEPENDS += +libopenssl +NGINX_PCRE:nginx-ssl-util \
-	+!NGINX_PCRE:nginx-ssl-util-nopcre
  VARIANT:=ssl
-  PROVIDES:=nginx
+  CONFLICTS:=nginx-all-module
 endef

 Package/nginx-ssl/description = $(Package/nginx/description) \
@ -118,22 +108,14 @@ define Package/nginx-all-module
  $(Package/nginx/default)
  TITLE += with ALL module selected
  DEPENDS:=+libpcre +libopenssl +zlib +liblua +libpthread +libxml2 \
-   +libubus +libblobmsg-json +libjson-c +nginx-ssl-util
+	+libubus +libblobmsg-json +libjson-c +nginx-ssl-util
  VARIANT:=all-module
-  PROVIDES:=nginx nginx-ssl
+  PROVIDES += nginx-ssl
 endef

 Package/nginx-all-module/description = $(Package/nginx/description) \
  This variant is compiled with ALL module selected.

-define Package/nginx/config
-  source "$(SOURCE)/Config.in"
-config NGINX_NOPCRE
-	bool
-	default y if !NGINX_PCRE
-	default n if NGINX_PCRE
-endef
-
 define Package/nginx-ssl/config
  source "$(SOURCE)/Config_ssl.in"
 endef
@ -148,7 +130,7 @@ Package/nginx-ssl/conffiles = $(Package/nginx/conffiles)
 Package/nginx-all-module/conffiles = $(Package/nginx/conffiles)


-ADDITIONAL_MODULES:=
+ADDITIONAL_MODULES:= --with-http_ssl_module

 ifneq ($(BUILD_VARIANT),all-module)
  ifneq ($(CONFIG_NGINX_HTTP_CACHE),y)
@ -238,16 +220,6 @@ ifneq ($(BUILD_VARIANT),all-module)
  ifneq ($(CONFIG_NGINX_HTTP_UPSTREAM_KEEPALIVE),y)
    ADDITIONAL_MODULES += --without-http_upstream_keepalive_module
  endif
-  
-  ifeq ($(BUILD_VARIANT),ssl)
-    ifneq ($(CONFIG_NGINX_SSL),y)
-      ADDITIONAL_MODULES += --with-http_ssl_module
-    endif
-  endif
-  
-  ifeq ($(CONFIG_NGINX_SSL),y)
-    ADDITIONAL_MODULES += --with-http_ssl_module
-  endif
  ifeq ($(CONFIG_NGINX_NAXSI),y)
    ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src
  endif
@ -314,7 +286,7 @@ else
  CONFIG_NGINX_LUA:=y
  CONFIG_NGINX_DAV:=y
  CONFIG_NGINX_UBUS:=y
-  ADDITIONAL_MODULES += --with-http_ssl_module --add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src \
+  ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src \
    --add-module=$(PKG_BUILD_DIR)/lua-nginx --with-ipv6 --with-http_stub_status_module --with-http_flv_module \
 	--with-http_dav_module --add-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module \
 	--with-http_auth_request_module --with-http_v2_module --with-http_realip_module \
@ -325,33 +297,21 @@ else
  config_files += koi-utf koi-win win-utf fastcgi_params uwsgi_params
 endif

-define Package/nginx-mod-luci/default
+define Package/nginx-mod-luci
  TITLE:=Nginx on LuCI
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=Web Servers/Proxies
  TITLE:=Support file for Nginx
  URL:=http://nginx.org/
-  DEPENDS:=+uwsgi +uwsgi-luci-support
-endef
-
-define Package/nginx-mod-luci
-  $(Package/nginx-mod-luci/default)
-  DEPENDS += +nginx
+  DEPENDS:=+uwsgi +uwsgi-luci-support +nginx
+  PROVIDES:=nginx-mod-luci-ssl
 endef

 define Package/nginx-mod-luci/description
 Support file for LuCI in nginx. Include custom nginx configuration, autostart script for uwsgi.
 endef

-define Package/nginx-mod-luci-ssl
-  $(Package/nginx-mod-luci/default)
-  TITLE += with HTTPS support
-  DEPENDS += +nginx-ssl
-endef
-
-Package/nginx-mod-luci-ssl/description = $(define Package/nginx-mod-luci/description) \
-  This also include redirect from http to https and cert autogeneration.

 TARGET_CFLAGS += -fvisibility=hidden -ffunction-sections -fdata-sections -DNGX_LUA_NO_BY_LUA_BLOCK
 TARGET_LDFLAGS += -Wl,--gc-sections
@ -387,9 +347,7 @@ define Package/nginx-mod-luci/install
 	$(INSTALL_BIN) ./files-luci-support/60_nginx-luci-support $(1)/etc/uci-defaults/60_nginx-luci-support
 endef

-Package/nginx-mod-luci-ssl/install = $(Package/nginx-mod-luci/install)
-
-define Package/nginx/install
+define Package/nginx-ssl/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/nginx $(1)/usr/sbin/
 	$(INSTALL_DIR) $(1)/etc/nginx/conf.d
@ -405,16 +363,6 @@ ifeq ($(CONFIG_NGINX_NAXSI),y)
 endif
 	$(if $(CONFIG_NGINX_NAXSI),$($(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx))
 	$(if $(CONFIG_NGINX_NAXSI),$(chmod 0640 $(1)/etc/nginx/naxsi_core.rules))
-ifeq ($(CONFIG_NGINX_SSL),y)
-	$(INSTALL_CONF) ./files/_redirect2ssl.conf $(1)/etc/nginx/conf.d/
-endif
-ifneq ($(CONFIG_IPV6),y)
-	$(SED) '/listen\s*\[/d' $(1)/etc/nginx/conf.d/*.conf # without IPv6 [::]
-endif
-endef
-
-define Package/nginx-ssl/install
-	$(call Package/nginx/install, $(1))
 	$(INSTALL_CONF) ./files/_redirect2ssl.conf $(1)/etc/nginx/conf.d/
 ifneq ($(CONFIG_IPV6),y)
 	$(SED) '/listen\s*\[/d' $(1)/etc/nginx/conf.d/*.conf # without IPv6 [::]
@ -426,27 +374,13 @@ Package/nginx-all-module/install = $(Package/nginx-ssl/install)
 define Package/nginx-ssl/prerm
 #!/bin/sh
 [ -z "$${IPKG_INSTROOT}" ] || exit 0
-if [ "$${PKG_UPGRADE}" = "1" ]; then
-	eval $$(/usr/bin/nginx-util get_env)
-	TMP_CRT=$$(mktemp -p "$${CONF_DIR}" "$${LAN_NAME}.crt.tmp-XXXXXX")
-	ln -f "$${CONF_DIR}$${LAN_NAME}.crt" "$${TMP_CRT}"
-	TMP_KEY=$$(mktemp -p "$${CONF_DIR}" "$${LAN_NAME}.key.tmp-XXXXXX")
-	ln -f "$${CONF_DIR}$${LAN_NAME}.key" "$${TMP_KEY}"
-fi
-/usr/bin/nginx-util del_ssl
-[ -f "$${TMP_CRT}" ] &&
-rm -f "$${CONF_DIR}$${LAN_NAME}.crt" &&
-mv -f "$${TMP_CRT}" "$${CONF_DIR}$${LAN_NAME}.crt"
-[ -f "$${TMP_KEY}" ] &&
-rm -f "$${CONF_DIR}$${LAN_NAME}.key" &&
-mv -f "$${TMP_KEY}" "$${CONF_DIR}$${LAN_NAME}.key"
+[ "$${PKG_UPGRADE}" = "1" ] && exit 0
+eval $$(/usr/bin/nginx-util get_env)
+rm -f "$${CONF_DIR}$${LAN_NAME}.crt"
+rm -f "$${CONF_DIR}$${LAN_NAME}.key"
 exit 0
 endef

-ifeq ($(CONFIG_NGINX_SSL),y)
-Package/nginx/prerm = $(Package/nginx-ssl/prerm)
-endif
-
 Package/nginx-all-module/prerm = $(Package/nginx-ssl/prerm)

 define Build/Prepare
@ -606,8 +540,32 @@ ifeq ($(CONFIG_NGINX_UBUS),y)
  endef
 endif

-$(eval $(call BuildPackage,nginx))
 $(eval $(call BuildPackage,nginx-ssl))
 $(eval $(call BuildPackage,nginx-all-module))
 $(eval $(call BuildPackage,nginx-mod-luci))
+
+
+# TODO: remove after a transition period (together with pkg nginx-util):
+# It is for smoothly substituting nginx and nginx-mod-luci-ssl (by nginx-ssl
+# respectively nginx-mod-luci).
+
+Package/nginx = $(Package/nginx-ssl)
+
+Package/nginx/install = $(Package/nginx-ssl/install)
+
+Package/nginx/prerm = $(Package/nginx-ssl/prerm)
+
+$(eval $(call BuildPackage,nginx))
+
+
+define Package/nginx-mod-luci-ssl
+  TITLE:=Dummy package for transition when upgrading.
+  DEPENDS:=+nginx-mod-luci
+  PKGARCH:=all
+endef
+
+define Package/nginx-mod-luci-ssl/install
+	$(INSTALL_DIR) $(1)/usr/bin
+endef
+
 $(eval $(call BuildPackage,nginx-mod-luci-ssl))
--- a/net/nginx/files/README.sh
+++ b/net/nginx/files/README.sh
@ -40,11 +40,10 @@ for further reading.
  * There is a ''${LAN_NAME}.conf'' containing a default server for the LAN, \
 which includes all ''*.locations''.
  * We can disable parts of the configuration by renaming them.
-  * If we want to install other servers that are also reachable from the LAN, \
-  we can include the ''${LAN_LISTEN}'' file (or ''${LAN_SSL_LISTEN}'' for \
-  HTTPS servers).
-  * If Nginx is installed with SSL support, we have a server \
-in ''_redirect2ssl.conf'' that redirects inexistent URLs to HTTPS, too.
+  * If we want to install other HTTPS servers that are also reachable locally, \
+  we can include the ''${LAN_SSL_LISTEN}'' file.
+  * We have a server in ''_redirect2ssl.conf'' that redirects inexistent URLs \
+  to HTTPS, too.
  * We can create a self-signed certificate and add corresponding directives \
 to e.g. ''${EXAMPLE_COM}.conf'' by invoking \
 <code>$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} ${EXAMPLE_COM}</code>
@ -57,7 +56,7 @@ to e.g. ''${EXAMPLE_COM}.conf'' by invoking \
 We modify the configuration by creating different configuration files in the
 ''${CONF_DIR}'' directory.
 The configuration files use the file extensions ''.locations'' and
-''.conf'' (plus ''.crt'' and ''.key'' for Nginx with SSL).
+''.conf'' plus ''.crt'' and ''.key'' for SSL certificates and keys.
 We can disable single configuration parts by giving them another extension,
 e.g., by adding ''.disabled''.
 For the new configuration to take effect, we must reload it by:
@ -95,14 +94,14 @@ All location blocks in all ''.locations'' files must use different URLs,
 since they are all included in the ''${LAN_NAME}.conf'' that is part of the
 [[#openwrt_s_defaults|OpenWrt’s Defaults]].
 We reserve the ''location /'' for making LuCI available under the root URL,
-e.g. [[http://192.168.1.1/|192.168.1.1/]].
+e.g. [[https://192.168.1.1/|192.168.1.1/]].
 All other sites shouldn’t use the root ''location /'' without suffix.
 We can make other sites available on the root URL of other domain names, e.g.
 on www.example.com/.
 In order to do that, we create a ''.conf'' file for every domain name:
 see the next section [[#new_server_parts|New Server Parts]].
-For Nginx with SSL we can also activate SSL there, as described below in the
-section [[#ssl_server_parts|SSL Server Parts]].
+We can also activate SSL there, as described below in the section
+[[#ssl_server_parts|SSL Server Parts]].
 We use such server parts also for publishing sites to the internet (WAN)
 instead of making them available just in the LAN.

@ -139,26 +138,11 @@ the LAN by default.
 Then the site is reachable under the same path at both domains, e.g., by
 http://192.168.1.1/ex/am/ple as well as by http://example.com/ex/am/ple.

-The [[#openwrt_s_defaults|OpenWrt’s Defaults]] include a ''${LAN_NAME}.conf''
-file containing a server part that listens on the LAN address(es) and acts as
-//default_server//.
-For making the domain name accessible in the LAN, too, the corresponding
-server part must listen **explicitly** on the local IP address(es), cf. the
-official documentation on
-[[https://nginx.org/en/docs/http/request_processing.html|request_processing]].
-We can include the file ''${LAN_LISTEN}'' that contains the listen
-directives for all LAN addresses on the HTTP port 80 and is automatically
-updated.
-
-The following example is a simple template, see
-[[https://github.com/search?q=repo%3Aopenwrt%2Fpackages
-+include+${LAN_LISTEN}+extension%3Aconf&type=Code|
-such server parts of other packages]], too:
+The following example is a simple template:
 <code nginx ${CONF_DIR}${EXAMPLE_COM}.conf>
 server {
 	listen 80;
 	listen [::]:80;
-	include '${LAN_LISTEN}';
 	server_name ${EXAMPLE_COM};
 	# location / { … } # root location for this server.
 	include '${CONF_DIR}${EXAMPLE_COM}.locations';
@ -180,19 +164,23 @@ we only have to adjust the listen directives by adding the //ssl// parameter,
 see the official documentation for
 [[https://nginx.org/en/docs/http/configuring_https_servers.html|
 configuring HTTPS servers]], too.
-For making the domain available also in the LAN, we can include the file
-''${LAN_SSL_LISTEN}'' that contains the listen directives with ssl
-parameter for all LAN addresses on the HTTPS port 443 and is automatically
-updated.
+
+The [[#openwrt_s_defaults|OpenWrt’s Defaults]] include a ''${LAN_NAME}.conf''
+file containing a server part that listens on the LAN address(es) and acts as
+//default_server// with ssl on port 443.
+For making the domain name accessible in the LAN, too, the corresponding
+server part must listen **explicitly** on the local IP address(es), cf. the
+official documentation on
+[[https://nginx.org/en/docs/http/request_processing.html|request_processing]].
+We can include the file ''${LAN_SSL_LISTEN}'' that contains the listen
+directives with ssl parameter for all LAN addresses on the HTTP port 443 and is
+updated automatically.

 The official documentation of the SSL module contains an
 [[https://nginx.org/en/docs/http/ngx_http_ssl_module.html#example|
 example]],
 which includes some optimizations.
-The following template is extended similarly, see also
-[[https://github.com/search?q=repo%3Aopenwrt%2Fpackages
-+include+${LAN_SSL_LISTEN}+extension%3Aconf&type=Code|
-other packages providing SSL server parts]]:
+The following template is extended similarly:
 <code nginx ${CONF_DIR}${EXAMPLE_COM}>
 server {
 	listen 443 ssl;
@ -271,35 +259,22 @@ We can install the location parts of different sites there (see above in the
 This is needed especially for making them available to the WAN as described
 above in the section [[#new_server_parts|New Server Parts]].
 All ''.locations'' become available on the LAN through the file
-''$(basename ${LAN_LISTEN}).default'', which contains one of the following
+''$(basename ${LAN_SSL_LISTEN}).default'', which contains one of the following
 directives for every local IP address:
 <code nginx>
-	listen IPv4:80 default_server;
-	listen [IPv6]:80 default_server;
+	listen IPv4:443 ssl default_server;
+	listen [IPv6]:443 ssl default_server;
 </code>
-The ''${LAN_LISTEN}'' file contains the same directives without the
+The ''${LAN_SSL_LISTEN}'' file contains the same directives without the
 parameter ''default_server''.
 We can include this file in other server parts that should be reachable in the
 LAN through their //server_name//.
-Both files ''${LAN_LISTEN}{,.default}'' are (re-)created if Nginx starts
+Both files ''${LAN_SSL_LISTEN}{,.default}'' are (re-)created if Nginx starts
 through its init for OpenWrt or the LAN interface changes.

-=== Additional Defaults for OpenWrt if Nginx is installed with SSL support ===
-
-When Nginx is installed with SSL support, there will be automatically managed
-files ''$(basename ${LAN_SSL_LISTEN}).default'' and
-''$(basename ${LAN_SSL_LISTEN})'' in the directory
-''$(dirname ${LAN_SSL_LISTEN})/'' containing the following directives for all
-IPv4 and IPv6 addresses of the LAN:
-<code nginx>
-	listen IP:443 ssl; # with respectively without: default_server
-</code>
-Both files as well as the ''${LAN_LISTEN}{,.default}'' files are (re-)created
-if Nginx starts through its init for OpenWrt or the LAN interface changes.
-
-For Nginx with SSL there is also the following server part that redirects
-requests for an inexistent ''server_name'' from HTTP to HTTPS (using an invalid
-name, more in the official documentation on
+There is also the following server part that redirects requests for an
+inexistent ''server_name'' from HTTP to HTTPS (using an invalid name, more in
+the official documentation on
 [[https://nginx.org/en/docs/http/request_processing.html|request_processing]]):
 $(code ${CONF_DIR}_redirect2ssl.conf)

--- a/net/nginx/files/_lan.conf
+++ b/net/nginx/files/_lan.conf
@ -1,8 +1,12 @@
 # default_server for the LAN addresses getting the IPs by:
 # ifstatus lan | jsonfilter -e '@["ipv4-address","ipv6-address"].*.address'
 server {
-	include '/var/lib/nginx/lan.listen.default';
-	server_name _lan;
-	# access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout).
-	include conf.d/*.locations;
+        server_name _lan;
+        include '/var/lib/nginx/lan_ssl.listen.default';
+        ssl_certificate '/etc/nginx/conf.d/_lan.crt';
+        ssl_certificate_key '/etc/nginx/conf.d/_lan.key';
+        ssl_session_cache 'shared:SSL:32k';
+        ssl_session_timeout '64m';
+        # access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout).
+        include conf.d/*.locations;
 }
--- a/net/nginx/files/_redirect2ssl.conf
+++ b/net/nginx/files/_redirect2ssl.conf
@ -2,7 +2,6 @@
 server {
 	listen 80;
 	listen [::]:80;
-	include '/var/lib/nginx/lan.listen';
 	server_name _redirect2ssl;
 	return 302 https://$host$request_uri;
 }
--- a/net/nginx/files/nginx.init
+++ b/net/nginx/files/nginx.init
@ -5,54 +5,70 @@ START=80

 USE_PROCD=1

+G_OPTS="daemon off;"
+
 NGINX_UTIL="/usr/bin/nginx-util"

 eval $("${NGINX_UTIL}" get_env)

-start_service() {
+CONF=""
+
+
+nginx_init() {
+	[ -z "${CONF}" ] || return # already called.
+
 	[ -d /var/log/nginx ] || mkdir -p /var/log/nginx
 	[ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx

 	${NGINX_UTIL} init_lan

+	CONF="${NGINX_CONF}"
+
+	local message
+	message="$(/usr/sbin/nginx -t -c "${CONF}" -g "${G_OPTS}" 2>&1)" ||
+	{
+		echo -e "${message}" | logger -t "nginx_init" -p "daemon.err"
+		logger -s -t "nginx_init" -p "daemon.err" "NOT using conf file!"
+		echo "show config to be used by: nginx -T -c '${CONF}'" >&2
+		exit 1
+	}
+
+	logger -t "nginx_init" -p "daemon.info" "using ${CONF} (the test is ok)"
+}
+
+
+start_service() {
+	nginx_init
+
 	procd_open_instance
-	procd_set_param command /usr/sbin/nginx -c "${NGINX_CONF}" \
-		-g "daemon off;"
+	procd_set_param command /usr/sbin/nginx -c "${CONF}" -g "${G_OPTS}"
 	procd_set_param stdout 1
 	procd_set_param stderr 1
-	procd_set_param file "${LAN_LISTEN}" "${LAN_LISTEN}.default" \
-		"${NGINX_CONF}" "${CONF_DIR}*.conf" "${CONF_DIR}*.locations"
-	[ "${LAN_SSL_LISTEN}" == "" ] \
-	|| procd_append_param file "${CONF_DIR}*.crt" "${CONF_DIR}*.key" \
-		"${LAN_SSL_LISTEN}" "${LAN_SSL_LISTEN}.default"
+	procd_set_param file "${CONF}" "${CONF_DIR}*.crt" "${CONF_DIR}*.key" \
+		"${CONF_DIR}*.conf" "${CONF_DIR}*.locations"
 	procd_set_param respawn
 	procd_close_instance
 }

-stop_service() {
-	rm -f "${LAN_LISTEN}" "${LAN_LISTEN}.default"
-	[ "${LAN_SSL_LISTEN}" == "" ] \
-	|| rm -f "${LAN_SSL_LISTEN}" "${LAN_SSL_LISTEN}.default"
-}

 service_triggers() {
 	procd_add_reload_interface_trigger loopback
 	procd_add_reload_interface_trigger lan
 }

-reload_service() {
-	[ -d /var/log/nginx ] || mkdir -p /var/log/nginx
-	[ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx

-	${NGINX_UTIL} init_lan
+reload_service() {
+	nginx_init

 	procd_send_signal nginx
 }

+
 relog() {
 	[ -d /var/log/nginx ] || mkdir -p /var/log/nginx
 	procd_send_signal nginx '*' USR1
 }

+
 EXTRA_COMMANDS="relog"
 EXTRA_HELP="	relog	Reopen log files (without reloading)"