diff --git a/extra/nginx/.SRCINFO b/extra/nginx/.SRCINFO index b7cf12011..378ba0410 100644 --- a/extra/nginx/.SRCINFO +++ b/extra/nginx/.SRCINFO @@ -1,6 +1,6 @@ pkgbase = nginx pkgdesc = Lightweight HTTP server and IMAP/POP3 proxy server - pkgver = 1.26.1 + pkgver = 1.26.2 pkgrel = 1 url = https://nginx.org arch = x86_64 @@ -21,8 +21,8 @@ pkgbase = nginx makedepends = geoip makedepends = mailcap makedepends = libxcrypt - source = https://nginx.org/download/nginx-1.26.1.tar.gz - source = https://nginx.org/download/nginx-1.26.1.tar.gz.asc + source = https://nginx.org/download/nginx-1.26.2.tar.gz + source = https://nginx.org/download/nginx-1.26.2.tar.gz.asc source = hg+https://hg.nginx.org/nginx-tests#revision=2a607a31f583add7adfa1ac434a3f793d327ca6b source = nginx.service source = logrotate @@ -30,7 +30,7 @@ pkgbase = nginx validpgpkeys = 43387825DDB1BB97EC36BA5D007C8D7C15D87369 validpgpkeys = D6786CE303D9A9022998DC6CC8464D549AF75C0A validpgpkeys = 13C82A63B603576156E30A4EA0EA981B66B0D967 - sha512sums = dfaadde78eb5cf8c8c3a43ead9ac49fc852c8de3e70e69754e3ffafc88c50c8bc08cdac0cc0ba8a9d8c155bdb334865e2e6c7dc1144c79959c426a9e087b3e37 + sha512sums = 470efe9ae5d6150ecbf133979c6c36415679a2156499a3b6820a85eb8f3038a8aa06f7b28ddd834cffb0e982f3ddc89e4b1649d536eba4f84019a72d4cfa3539 sha512sums = SKIP sha512sums = 2c1efc38f4d36c10e7d13bb48e035246215c33213e42d733ef0c1bbbdbce71777b2430247d1c1fe922e03d10ce53c05fe555bd9fea547658e6c6d763af8d8b93 sha512sums = f469b3b14def666e955abf6f2d3c68a47631cad7bee90c92039ffe5bf629aa7e32bb4250844d52c0f963740fb07bf7fea5f8887cc1d5199403f07be6214fcb8d @@ -55,4 +55,4 @@ pkgname = nginx backup = etc/logrotate.d/nginx pkgname = nginx-src - pkgdesc = Source code of nginx 1.26.1, useful for building modules + pkgdesc = Source code of nginx 1.26.2, useful for building modules diff --git a/extra/nginx/PKGBUILD b/extra/nginx/PKGBUILD index ff1b1f1c2..779533b56 100644 --- a/extra/nginx/PKGBUILD +++ b/extra/nginx/PKGBUILD 
@@ -11,7 +11,7 @@ pkgbase=nginx pkgname=(nginx nginx-src) -pkgver=1.26.1 +pkgver=1.26.2 pkgrel=1 _tests_commit=2a607a31f583add7adfa1ac434a3f793d327ca6b arch=(x86_64) @@ -30,7 +30,7 @@ validpgpkeys=('B0F4253373F8F6F510D42178520A9993A1C052F8' # Maxim Dounin 'D6786CE303D9A9022998DC6CC8464D549AF75C0A' # Sergey Kandaurov '13C82A63B603576156E30A4EA0EA981B66B0D967') # Konstantin Pavlov -sha512sums=('dfaadde78eb5cf8c8c3a43ead9ac49fc852c8de3e70e69754e3ffafc88c50c8bc08cdac0cc0ba8a9d8c155bdb334865e2e6c7dc1144c79959c426a9e087b3e37' +sha512sums=('470efe9ae5d6150ecbf133979c6c36415679a2156499a3b6820a85eb8f3038a8aa06f7b28ddd834cffb0e982f3ddc89e4b1649d536eba4f84019a72d4cfa3539' 'SKIP' '2c1efc38f4d36c10e7d13bb48e035246215c33213e42d733ef0c1bbbdbce71777b2430247d1c1fe922e03d10ce53c05fe555bd9fea547658e6c6d763af8d8b93' 'f469b3b14def666e955abf6f2d3c68a47631cad7bee90c92039ffe5bf629aa7e32bb4250844d52c0f963740fb07bf7fea5f8887cc1d5199403f07be6214fcb8d' diff --git a/extra/nginx/README.md b/extra/nginx/README.md new file mode 100644 index 000000000..6465a9f3c --- /dev/null +++ b/extra/nginx/README.md 
@@ -0,0 +1,72 @@
+# NGINX Packaging
+
+## Overview
+
+Due to the nature of NGINX's module architecture, it is important to understand
+the intricacies involved in maintaining compatibility across different
+versions.
+
+## Dynamic Modules
+
+When we compile a dynamic module, the raw output is a shared object (.so
+file). At startup and reload, NGINX loads each of the shared objects named by a
+[load_module] directive (which by convention are in the main configuration file,
+`nginx.conf`).
+
+Dynamic modules are binary‑compatible with the official builds of NGINX and
+NGINX Plus. However, this binary compatibility has limitations. Dynamic modules
+must be compiled against the same version of NGINX they are loaded into. This
+means that upgrading NGINX without rebuilding all dynamic modules built against
+the matching version results in a failure during load time.
+
+### Distro flags
+
+Due to the default configuration of the NGINX dynamic module `configure`
+scripts and `Makefile`, our distribution's `LDFLAGS` are ignored. To address
+this, the `configure` scripts accept a `--with-ld-opt` option, allowing you to
+pass along our distribution's flags. Additionally, for dynamic modules
+compatibility, the `--with-compat` option should always be used.
+
+```sh
+/usr/src/nginx/configure \
+ --with-compat \
+ --with-ld-opt="${LDFLAGS}" \
+ --add-dynamic-module=../modsecurity-nginx-v$pkgver
+```
+
+### Depending on nginx
+
+Taking the incompatibility into account, dynamic module packages should depend
+on the exact nginx version used during compilation to avoid breakage after a
+systen upgrade in case a rebuild has been missed. To achieve this, the dynamic
+module packages should `makedepends` on `nginx` as well as in their respective
+`package()` function add a `depends` on the precise `nginx` version:
+
+```sh
+makedepends=(
+ nginx
+ nginx-src
+)
+
+package() {
+ local _nginx_version=$(nginx -v 2>&1)
+ _nginx_version=${_nginx_version/* nginx\/}
+ depends+=("nginx=${_nginx_version}")
+}
+```
+
+### Rebuilding packages
+
+The easiest way to find the rebuild targets is to lookout for dependencies on
+the `nginx-src` split package, which contains the require source code for dynamic
+modules to compile against. The rebuild targets can be double checked against the
+[ArchWeb frontend].
+
+Using `pkgctl` to get a list of packages having a makedepends on `nginx-src`:
+
+```sh
+pkgctl search --json '"makedepends = nginx-src"' | jq --raw-output '.[].project_name'
+```
+
+[load_module]: https://nginx.org/en/docs/ngx_core_module.html#load_module
+[ArchWeb frontend]: https://archlinux.org/packages/extra/x86_64/nginx-src/