Currently the nginx user for the default luci config is root... This is dangerous and unnecessary, reset it back to nobody nogroup.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Currently the socket file for uwsgi can be open only from root user, change this to permit other use to use it. (Needed for nginx to use uwsgi as nobody or dedicated user)
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Ipsec user script (/etc/ipsec.user) now get called indirectly by openwrt
"/sbin/hotplug-call". So other packages could also install their scripts
in "/etc/hotplug.d/ipsec".
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Some package needs nginx as dependency this permit to use nginx-ssl and nginx-all-module as dep for them.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
* Remove stray LICENSE file added to repo
* Use codeload instead of git
* Add proper (as close as possible) SPDX license
* Drop OpenSSL, PCRE and Libxml2 as dependencies
Makes it more suitable alternative for small flash devices
* Drop /etc/uwsgi as there's only one config file
* Remove stray /etc/nginx directory
* Reorganize configuration file
* Convert init.d script to use procd
* Hardset 3 threads and processes, seems like a good tradeoff
between performance and memory usage instead of doing
auto scaling based on amout of cpu cores/threads
Non-scientific benchmark (tm)
ramips, mt7621, WiTi Board 16/256M
1. 3 threads, 6 processes
2. 2 threads, 2 processes
3. 3 threads, 3 processes
- LuCI Main page
1.48s
1.72s
1.64s
- Status --> Firewall
6.24s
6.39s
6.40s
- Status --> Kernel log
266ms
256ms
251ms
- Network --> Firewall
936ms
1.08s
1.07s
- Network --> Wireless
1.39s
1.42s
1.40s
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Currently the uci-defaults scripts reset nginx config even it they are valid due to a bug in the if condition.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Undo previous commit that added an iconv hack. The problem was actually
fixed by including nls.mk in the mariadb package.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
With the current layout CONFIGURE_ARGS can end up like this:
--with-mysql --without-mysql
To avoid that join the ifneqs of the two mysql related plugins.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Unbound UCI so far has limited forward configuration lacking
DNS over TLS connection setup tools. User override files
'unbound_srv.conf' and 'unbound_ext.conf' can implement this.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
They are missed out from the FIXUP check probably because of a flaw in
the fixup-makefile.pl script
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
uwsgi-cgi's build system requires CPP to be set to avoid using include
path from the build system. Otherwise it may wrongly detect
sys/capability.h of the host system and enables libcap support
CPP variable was once introduced into build system in 2017 but then
reverted in b957e45 ("rukes.mk: this patch broken grub2 builds")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
libmariadb 10.2.x needs to be linked in together with iconv. On glibc
and musl iconv is part of libc. But on uclibc libiconv-full needs to be
used.
gnunet only has access to iconv on uclibc when BUILD_NLS is selected.
This commit adds hidden symbol GNUNET_HAS_ICONV_SUPPORT which sorts this
out.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This add 2 variant of nginx so we can have package with SSL config flag preselected. This also add support for 2 more module and upgrade gninx to latest version. Also add myself as secondary maintainer to apply luci modification quickly.
Use of autoreconf to fix problems with recompilation on every new build (even if the version is the same). Add a patch to ignore on invalid configure option instead of trow error.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
The package was tested on raspberry pi 3. Geth needs about two hours to
fully sync the first try and uses an additional 250Mb of storage.
Signed-off-by: Mislav Novakovic <mislav.novakovic@sartura.hr>
Some of them forgot to update MIRROR_HASH on version change, others
updated with wrong hash value. The new values were generated from
tarballs prepared by the newly introduced github-tarball download
methoded and confirmed consistent with those from sources.openwrt.org
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
By default, libatomic is conditionally enabled on some platforms, but it's not
strictly necessary. We'll disable it here globally rather than introduce an
unnecessary dependency.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
Make sure ccnet-server is running during the final setup step to avoid
an error creating django superuser
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Make OLA more useful for untrained users which depend on the built-in
webserver. We may split the ola package into smaller parts to allow
not having web-stuff in case this breaks the space-constraints for some
users.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Several required dependencies were added:
django-formtools
django-simple-captcha
django-webpack-loader
python-qrcode
python-requests
python-requests-oauthlib
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Added a patch applied upstream.
- Fix that table SystemInfo can't be created in sqlite db.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Recent protobuf requires C++11 while OLA was forcing C++98 in order
to keep using auto_ptr without getting warnings... Use gnu++11 to make
everyone happy and live with the warnings about auto_ptr being
deprecated.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This adds an additional file for ngix that contains all the files need to make luci works on the nginx webserver.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
EdDSA support is optional and currently defaults to being disabled.
The following security issues are addressed with this update:
* An error in TSIG handling could permit unauthorized zone transfers
or zone updates. These flaws are disclosed in CVE-2017-3142 and
CVE-2017-3143.
* The BIND installer on Windows used an unquoted service path, which
can enable privilege escalation. This flaw is disclosed in
CVE-2017-3141.
* With certain RPZ configurations, a response with TTL 0 could cause
named to go into an infinite query loop. This flaw is disclosed in
CVE-2017-3140.
* Addresses could be referenced after being freed during resolver
processing, causing an assertion failure. The chances of this
happening were remote, but the introduction of a delay in
resolution increased them. This bug is disclosed in CVE-2017-3145.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
When UCI local zone is private and static, Unbound covered private
addresses with defaults. Optional delegated global IP6 prefix
protection lacked a static zone, but it was prevented from appearing
in global DNS responses. Domain names router-as-TLD, "lan." and
"local." were static, but they lacked default SOA or NS such as
Unbound had assinged to private addresses. Clean up these local
zones UCI evaluation and block global DNS inclusion.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
A few bug fixes but importantly fix a deadlock on
AXFR configuration when notify occurs (auth-zone:)
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
The internal nameservers and the DHCP default domain should be
squirted into /tmp/resolv.conf.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
It's been quite a long time since there was a release, and this one
includes quite a bit of fixes/updates.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
new ddns script for polish service FreeDNS.42.pl where you can
host your own domains for free
Signed-off-by: Michal Lipka <michal@sysadmin.care>
(commits from PR #6150 squashed together)
Adds support for openssl 1.1.0.
Removed all patches as they are now integrated into upstream.
Thanks to: Eneas U de Queiroz <cote2004-github@yahoo.com> for his OpenSSL patch
Signed-off-by: Christian Pointner <equinox@spreadspace.org>
Add -fPIC to TARGET_LD_FLAGS
ce9TpAS.ltrans0.ltrans.o: relocation R_MIPS16_26 against `syslog' can not
be used when making a shared object; recompile with -fPIC
cce9TpAS.ltrans0.ltrans.o: error adding symbols: Bad value
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
backend:
* enhance the whitelist function. Now sub-domains could be whitelisted
(e.g. 'fakenews.facebook.com'), even if the correspondent tld is
blacklisted (e.g. 'facebook.com') - this makes whitelisting
much more flexible and predictable
* rework the domain query function to adapt the whitelist changes
* refine startup error checks/messages
* small fixes
luci:
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
Do not call library initialization when compiling with openssl 1.1.
The package generates the C source files for its DH parameters at
compile time using the host installed openssl. This patch adds a DH
source, using the same parameters, compatible with openssl 1.0 and 1.1.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Changes summarized by upstream maintainer
* Add MinGW support by @linusyang.
* Refine c-ares integration by @xnoreq.
* Fix building issues with GCC8 by @FlyingheartCN.
* Minor bug fixes.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
New scheme mainly provides three packages: openvswitch,
openvswitch-ovn-north, openvswitch-ovn-controller. These should fit
most usage scenarios. Other subpackages like openvswitch-libXXX
etc. are there for dependency management and are hidden from the
menu.
Many python and shell scripts are removed in this revision. Most of
them cannot run out of box at all for lack of dependencies. Others
being legacy ones are not that useful now. Add them back at later time
when real need appears
Below are a simple listing of additions
- initscript now incorporate also ovn north and controller support
- ovn-ctl and ovs-ctl can be invoked directly from within $PATH
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Currently this 3 variable are used only 1 time in the sh script and cause 10s of delay for them to load... move them to load only if it's required by the command. This also fix luci-app-ddns delay problem derived by calling dns_lucihelper (that use tdns_functions to load data) for the version.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
This bump nginx package to latest stable.
Also add support for the brotli compression module and head_more module.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Originally this was indended as a fix for devices without RTC support
which do not have the correct time set after a reboot (until ntp is able
to update the system time). vnstat checks if there is a time difference
between the latest entry in the database and detects that the system time
is incorrect. In this case vnstat does not start (to prevent database
corruption), the following message is reported instead:
'Error: Interface "..." has previous update date too much in the future,
exiting.'
Once we have network connectivity (and ntp has updated the system time)
vnstat starts correctly though.
vnstat 1.18 fixes this by waiting a few minutes (instead of exiting) and
the following message is logged:
"Latest database update is in the future (db: 2018-04-28 08:39:11 > now:
2018-04-28 08:07:18). Giving the system clock up to 5 minutes to sync
before continuing."
This still adds a procd respawn trigger to let procd automatically
restart vnstat in case:
- vnstat it crashes
- no valid system time is received for a long time (no network
connectivity, broken NTP servers, ...)
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
This ports the init-script from the legacy functions to procd. There
should be no functional changes with this patch.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
If an interface is not tracked by mwan3 or enabled and this interface is
setup by netifd, then the connected ipset is not update by mwan3.
To fix this also call connected ipset update code even if the interface
is not tracked or enabled by mwan3.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Add the possibility to use Unbound auto-zone: clause to
fetch complete root, arpa, in-addr.arpa, and ip6.arpa
zone files. This can speed up recursion when users
access many ccTLD or connection logging hits many PTR.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Some resource options bundled many Unbound.conf options and
made customizing on top of UCI difficult. Make it easier to
use Unbound built defaults (blank conf sections).
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
It's a python script and requires backtrace support when building
openvswitch which requires glibc.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
The overlay and underlay driver, and ovs-docker utilities requires setup
and dependencies that are just not available in known maintained state.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Mainly a bugfix for XSS. Patches have been refreshed.
Added an upstream fix for TLS verification. Now enabled by default.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The sources for usbip are within the kernel. A patch that was included
with the package, which changed the old signal name SIGCLD to the new
one, SIGCHLD, was merged upstream. However, different targets use
different kernel versions. Current version 4.14 and 4.9 are fine, but
older versions do not have the patch applied. So, I used
-DSIGCLD=SIGCHLD to please both worlds.
libudev-fbsd currently used by openwrt does not implement the
udev_device_get_devpath function. eudev's implementation of libudev
sets it as (src/libudev/libudev-device.c):
udev_device->devpath = udev_device->syspath + strlen("/sys");
I used a command-line define to use the same logic, as it works with
new and old versions of the kernel--the use of ..devpath is quite
recent.
I also linked with libbsd, when using glibc.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
