From: "André Draszik" <git@andred.net>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-webserver][PATCH 2/2] nginx: configuration update
Date: Fri, 18 Jan 2019 14:26:11 +0000 [thread overview]
Message-ID: <20190118142611.21544-2-git@andred.net> (raw)
In-Reply-To: <20190118142611.21544-1-git@andred.net>
From: André Draszik <andre.draszik@jci.com>
Restructure the main configuration file to simplify custom configuration:
* support inclusion of configuration fragments from subdirectories:
- /etc/nginx/modules-enabled/*.conf
- /etc/nginx/conf.d/*.conf
- /etc/nginx/sites-enabled/*
* default site (port 80):
- move into /etc/nginx/sites-available/default_server
and enable via symlink in /etc/nginx/sites-enabled/
- listen on IPv6
- drop unneeded example fragments
* configure and enable gzip
* update TLS settings to drop SSLv3 and enable TLSv1.3 for some safer
defaults
* update remaining bits to follow Debian standard configuration
https://salsa.debian.org/nginx-team/nginx/blob/62a54a8ba66ee6cc1b4f8a33dab9a6f27a3fdac4/debian/conf/nginx.conf
* drop unneeded example configuration bits from /etc/nginx/*.default
These changes, in particular the configuration fragment
support allow to easily customise nginx based on individual
requirements.
In addition, it is now possible for other recipes / packages
to drop fragments into the respective directories in /etc/nginx
without having to meddle with /etc/nginx/nginx.conf
Signed-off-by: André Draszik <andre.draszik@jci.com>
---
.../nginx/files/default_server.site | 14 ++
.../recipes-httpd/nginx/files/nginx.conf | 139 +++++-------------
meta-webserver/recipes-httpd/nginx/nginx.inc | 14 ++
3 files changed, 62 insertions(+), 105 deletions(-)
create mode 100644 meta-webserver/recipes-httpd/nginx/files/default_server.site
diff --git a/meta-webserver/recipes-httpd/nginx/files/default_server.site b/meta-webserver/recipes-httpd/nginx/files/default_server.site
new file mode 100644
index 000000000..7a8a215cf
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/files/default_server.site
@@ -0,0 +1,14 @@
+# Default server configuration
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ root /var/www/localhost/html;
+
+ index index.html index.htm;
+
+ server_name _;
+
+ # redirect server error pages to the static page /50x.html
+ error_page 500 502 503 504 /50x.html;
+}
diff --git a/meta-webserver/recipes-httpd/nginx/files/nginx.conf b/meta-webserver/recipes-httpd/nginx/files/nginx.conf
index 69d3a2adc..6d219422b 100644
--- a/meta-webserver/recipes-httpd/nginx/files/nginx.conf
+++ b/meta-webserver/recipes-httpd/nginx/files/nginx.conf
@@ -1,118 +1,47 @@
-
user www;
-worker_processes 1;
-
-error_log /var/log/nginx/error.log;
-#error_log logs/error.log notice;
-#error_log logs/error.log info;
-
-pid /run/nginx/nginx.pid;
-
+worker_processes 1;
+pid /run/nginx/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
events {
- worker_connections 1024;
+ worker_connections 768;
+ # multi_accept on;
}
-
http {
- include mime.types;
+ # Basic Settings
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
default_type application/octet-stream;
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /var/log/nginx/access.log main;
-
- sendfile on;
- #tcp_nopush on;
-
- #keepalive_timeout 0;
- keepalive_timeout 65;
-
- #gzip on;
-
- server {
- listen 80;
- server_name localhost;
-
- #charset koi8-r;
-
- #access_log logs/host.access.log main;
-
- location / {
- root /var/www/localhost/html;
- index index.html index.htm;
- }
-
- #error_page 404 /404.html;
-
- # redirect server error pages to the static page /50x.html
- #
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /var/www/localhost/html;
- }
-
- # proxy the PHP scripts to Apache listening on 127.0.0.1:80
- #
- #location ~ \.php$ {
- # proxy_pass http://127.0.0.1;
- #}
-
- # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
- #
- #location ~ \.php$ {
- # root html;
- # fastcgi_pass 127.0.0.1:9000;
- # fastcgi_index index.php;
- # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
- # include fastcgi_params;
- #}
-
- # deny access to .htaccess files, if Apache's document root
- # concurs with nginx's one
- #
- #location ~ /\.ht {
- # deny all;
- #}
- }
-
-
- # another virtual host using mix of IP-, name-, and port-based configuration
- #
- #server {
- # listen 8000;
- # listen somename:8080;
- # server_name somename alias another.alias;
-
- # location / {
- # root html;
- # index index.html index.htm;
- # }
- #}
-
-
- # HTTPS server
- #
- #server {
- # listen 443;
- # server_name localhost;
-
- # ssl on;
- # ssl_certificate cert.pem;
- # ssl_certificate_key cert.key;
+ # SSL Settings
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
- # ssl_session_timeout 5m;
+ ## Logging
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
- # ssl_protocols SSLv2 SSLv3 TLSv1;
- # ssl_ciphers HIGH:!aNULL:!MD5;
- # ssl_prefer_server_ciphers on;
+ ## Gzip settings
+ gzip on;
- # location / {
- # root html;
- # index index.html index.htm;
- # }
- #}
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+ ## Virtual Host Configs
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
}
diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc
index ea1c1f782..522942504 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx.inc
+++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
@@ -16,6 +16,7 @@ SRC_URI = " \
file://nginx-cross.patch \
file://0001-Allow-the-overriding-of-the-endianness-via-the-confi.patch \
file://nginx.conf \
+ file://default_server.site \
file://nginx.init \
file://nginx-volatile.conf \
file://nginx.service \
@@ -102,15 +103,28 @@ do_install () {
install -d ${D}${sysconfdir}/nginx
install -m 0644 ${WORKDIR}/nginx.conf ${D}${sysconfdir}/nginx/nginx.conf
+ sed -i 's,/etc/,${sysconfdir}/,g' ${D}${sysconfdir}/nginx/nginx.conf
sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/nginx/nginx.conf
sed -i 's/^user.*/user ${NGINX_USER};/g' ${D}${sysconfdir}/nginx/nginx.conf
+ install -Dm 0644 ${WORKDIR}/default_server.site ${D}${sysconfdir}/nginx/sites-available/default_server
+ sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/nginx/sites-available/default_server
install -d ${D}${sysconfdir}/nginx/sites-enabled
+ ln -s ../sites-available/default_server ${D}${sysconfdir}/nginx/sites-enabled/
install -d ${D}${sysconfdir}/default/volatiles
install -m 0644 ${WORKDIR}/nginx-volatile.conf ${D}${sysconfdir}/default/volatiles/99_nginx
sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/default/volatiles/99_nginx
sed -i 's,@NGINX_USER@,${NGINX_USER},g' ${D}${sysconfdir}/default/volatiles/99_nginx
+ # cleanup configuration folder
+ rm ${D}${sysconfdir}/nginx/*.default
+
+ # add additional configuration folders
+ install -d ${D}${sysconfdir}/nginx/modules-available
+ install -d ${D}${sysconfdir}/nginx/modules-enabled
+ install -d ${D}${sysconfdir}/nginx/server-conf.d
+ install -d ${D}${sysconfdir}/nginx/conf.d
+
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
install -d ${D}${systemd_unitdir}/system
install -m 0644 ${WORKDIR}/nginx.service ${D}${systemd_unitdir}/system/
--
2.20.1
prev parent reply other threads:[~2019-01-18 14:26 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-18 14:26 [meta-webserver][PATCH 1/2] nginx: update systemd unit using nginx recommendation André Draszik
2019-01-18 14:26 ` André Draszik [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190118142611.21544-2-git@andred.net \
--to=git@andred.net \
--cc=openembedded-devel@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.