APKBUILD

# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
# Contributor: Jeff Bilyk <jbilyk@gmail.com>
# Contributor: Bartłomiej Piotrowski <nospam@bpiotrowski.pl>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
#   1.16.1-r0:
#     - CVE-2019-9511
#     - CVE-2019-9513
#     - CVE-2019-9516
#   1.14.1-r0:
#     - CVE-2018-16843
#     - CVE-2018-16844
#     - CVE-2018-16845
#   1.12.1-r0:
#     - CVE-2017-7529
#
pkgname=nginx
# NOTE: Upgrade only to even-numbered versions (e.g. 1.14.z, 1.16.z)!
# Odd-numbered versions are mainline (development) versions.
pkgver=1.16.1
pkgrel=1
# Revision of nginx-tests to use for check().
_tests_hgrev=40e5f2a0a238
_njs_ver=0.3.5
pkgdesc="HTTP and reverse proxy server (stable version)"
url="https://www.nginx.org/"
arch="all"
license="BSD-2-Clause"
depends=""
makedepends="
	gd-dev
	geoip-dev
	libmaxminddb-dev
	libxml2-dev
	libxslt-dev
	linux-headers
	openssl-dev
	paxmark
	pcre-dev
	perl-dev
	pkgconf
	zlib-dev
	"
checkdepends="
	gd
	perl
	perl-fcgi
	perl-io-socket-ssl
	perl-net-ssleay
	perl-protocol-websocket
	tzdata
	uwsgi-python
	"
pkgusers="nginx"
_grp_ngx="nginx"
_grp_www="www-data"
pkggroups="$_grp_ngx $_grp_www"
install="$pkgname.pre-install $pkgname.pre-upgrade $pkgname.post-upgrade"
subpackages="$pkgname-doc $pkgname-vim::noarch"
replaces="$pkgname-common $pkgname-initscripts $pkgname-lua $pkgname-rtmp"
source="https://nginx.org/download/$pkgname-$pkgver.tar.gz
	$pkgname-tests-$_tests_hgrev.tar.gz::https://hg.nginx.org/nginx-tests/archive/$_tests_hgrev.tar.gz
	$pkgname-njs-$_njs_ver.tar.gz::https://hg.nginx.org/njs/archive/$_njs_ver.tar.gz
	nginx.conf
	default.conf
	$pkgname.logrotate
	$pkgname.initd
	"
builddir="$srcdir/$pkgname-$pkgver"

_modules_dir="usr/lib/$pkgname/modules"
_stream_js_depends="$pkgname-mod-stream"

# luajit is not available for s390x.
_skip_luajit=
case "$CARCH" in
	s390x) makedepends="$makedepends lua5.1-dev"; _skip_luajit=true;;
	*) makedepends="$makedepends luajit-dev";;
esac

# Built-in dynamic modules
for _mod in \
	http-geoip \
	http-image-filter \
	http-js \
	http-perl \
	http-xslt-filter \
	mail \
	stream \
	stream-geoip \
	stream-js
do
	subpackages="$subpackages $pkgname-mod-$_mod:_module"
done

# Third-party dynamic modules

# For simplicity we assume that module is hosted on GitHub.
_add_module() {
	local name="$1" ver="$2" url="$3" skip="$4"
	local dirname="${url##*/}-${ver#v}"

	# we need to include source even if module is skipped for this architecture,
	# due to the static checksums list.
	source="$source $dirname.tar.gz::$url/archive/$ver.tar.gz"
	if [ -z "$skip" ]; then
		subpackages="$subpackages $pkgname-mod-$name:_module"
		_extra_flags="$_extra_flags --add-dynamic-module=$srcdir/$dirname"
	fi
}

_add_module "devel-kit" "v0.3.0" "https://github.com/simpl/ngx_devel_kit"
_devel_kit_so="ndk_http_module.so"

_add_module "http-cache-purge" "2.5" "https://github.com/nginx-modules/ngx_cache_purge"

_add_module "http-echo" "v0.61" "https://github.com/openresty/echo-nginx-module"

_add_module "http-fancyindex" "v0.4.3" "https://github.com/aperezdc/ngx-fancyindex"

_add_module "http-headers-more" "v0.33" "https://github.com/openresty/headers-more-nginx-module"
_http_headers_more_so="ngx_http_headers_more_filter_module.so"

# luajit is required for lua-nginx-module since v0.10.14
_add_module "http-lua" "v0.10.15" "https://github.com/openresty/lua-nginx-module" $_skip_luajit
_http_lua_depends="$pkgname-mod-devel-kit"
_http_lua_provides="$pkgname-lua"  # for backward compatibility

_add_module "http-lua-upstream" "v0.07" "https://github.com/openresty/lua-upstream-nginx-module" $_skip_luajit
_http_lua_upstream_depends="$pkgname-mod-http-lua"

_add_module "http-nchan" "v1.2.5" "https://github.com/slact/nchan"
_http_nchan_so="ngx_nchan_module.so"

_add_module "http-shibboleth" "v2.0.1" "https://github.com/nginx-shib/nginx-http-shibboleth"

_add_module "http-redis2" "v0.15" "https://github.com/openresty/redis2-nginx-module"

_add_module "http-set-misc" "v0.32" "https://github.com/openresty/set-misc-nginx-module"
_http_set_misc_depends="$pkgname-mod-devel-kit"

_add_module "http-upload-progress" "v0.9.2" "https://github.com/masterzen/nginx-upload-progress-module"
_http_upload_progress_so="ngx_http_uploadprogress_module.so"

_add_module "http-upstream-fair" "0.1.3" "https://github.com/itoffshore/nginx-upstream-fair"

_add_module "rtmp" "v1.2.1" "https://github.com/arut/nginx-rtmp-module"
_rtmp_provides="$pkgname-rtmp"  # for backward compatibility

_add_module "http-vod" "1.24" "https://github.com/kaltura/nginx-vod-module"

_add_module "http-geoip2" "3.2" "https://github.com/leev/ngx_http_geoip2_module"
_http_geoip2_so="ngx_http_geoip2_module.so ngx_stream_geoip2_module.so"

prepare() {
	local file; for file in $source; do
		case $file in
		*~*.patch)
			msg $file
			cd "$srcdir"/${file%%~*}-*
			patch -p 1 -i "$srcdir/$file"
			;;
		*.patch)
			msg $file
			cd "$builddir"
			patch -p 1 -i "$srcdir/$file"
			;;
		esac
	done

	# This test requires superuser privileges and CAP_NET_ADMIN.
	rm "$srcdir"/nginx-tests-*/proxy_bind_transparent.t
	rm "$srcdir"/nginx-tests-*/proxy_bind_transparent_capability.t
	# Travis and Drone.io does not support IPv6...
	rm -f "$srcdir"/nginx-tests-*/upstream_ip_hash_ipv6.t
}

build() {
	cd "$builddir"

	export LUAJIT_LIB="$(pkgconf --variable=libdir luajit)"
	export LUAJIT_INC="$(pkgconf --variable=includedir luajit)"
	./configure \
		--prefix=/var/lib/$pkgname \
		--sbin-path=/usr/sbin/$pkgname \
		--modules-path=/$_modules_dir \
		--conf-path=/etc/$pkgname/$pkgname.conf \
		--pid-path=/run/$pkgname/$pkgname.pid \
		--lock-path=/run/$pkgname/$pkgname.lock \
		--http-client-body-temp-path=/var/lib/$pkgname/tmp/client_body \
		--http-proxy-temp-path=/var/lib/$pkgname/tmp/proxy \
		--http-fastcgi-temp-path=/var/lib/$pkgname/tmp/fastcgi \
		--http-uwsgi-temp-path=/var/lib/$pkgname/tmp/uwsgi \
		--http-scgi-temp-path=/var/lib/$pkgname/tmp/scgi \
		--with-perl_modules_path=/usr/lib/perl5/vendor_perl \
		\
		--user=$pkgusers \
		--group=$_grp_ngx \
		--with-threads \
		--with-file-aio \
		\
		--with-http_ssl_module \
		--with-http_v2_module \
		--with-http_realip_module \
		--with-http_addition_module \
		--with-http_xslt_module=dynamic \
		--with-http_image_filter_module=dynamic \
		--with-http_geoip_module=dynamic \
		--with-http_sub_module \
		--with-http_dav_module \
		--with-http_flv_module \
		--with-http_mp4_module \
		--with-http_gunzip_module \
		--with-http_gzip_static_module \
		--with-http_auth_request_module \
		--with-http_random_index_module \
		--with-http_secure_link_module \
		--with-http_degradation_module \
		--with-http_slice_module \
		--with-http_stub_status_module \
		--with-http_perl_module=dynamic \
		--with-mail=dynamic \
		--with-mail_ssl_module \
		--with-stream=dynamic \
		--with-stream_ssl_module \
		--with-stream_realip_module \
		--with-stream_geoip_module=dynamic \
		--with-stream_ssl_preread_module \
		\
		--add-dynamic-module="$srcdir/njs-$_njs_ver/nginx" \
		$_extra_flags

	make
}

check() {
	msg "Running nginx tests..."
	cd "$srcdir"/nginx-tests-*
	TEST_NGINX_BINARY="$builddir/objs/nginx" prove .

	msg "Running njs tests..."
	cd "$srcdir"/njs-*
	make test
}

package() {
	cd "$builddir"

	make DESTDIR="$pkgdir" install

	# Disable some PaX protections; this is needed for Lua module.
	local paxflags="-m"
	[ "$CARCH" = "x86" ] && paxflags="-msp"
	paxmark $paxflags "$pkgdir"/usr/sbin/nginx

	install -Dm644 LICENSE "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
	install -Dm644 README "$pkgdir"/usr/share/doc/$pkgname/README

	install -Dm644 objs/$pkgname.8 "$pkgdir"/usr/share/man/man8/$pkgname.8

	local name; for name in ngx_devel_kit lua-nginx-module nginx-rtmp-module; do
		cp -r "$srcdir"/$name-*/doc* "$pkgdir"/usr/share/doc/$pkgname/$name
	done

	cd "$pkgdir"

	install -Dm644 "$srcdir"/nginx.conf ./etc/$pkgname/nginx.conf
	install -Dm644 "$srcdir"/default.conf ./etc/$pkgname/conf.d/default.conf
	install -Dm755 "$srcdir"/$pkgname.initd ./etc/init.d/$pkgname
	install -Dm644 "$srcdir"/$pkgname.logrotate ./etc/logrotate.d/$pkgname

	install -dm755 ./etc/$pkgname/modules
	install -dm750 -o $pkgusers -g $_grp_ngx ./var/lib/$pkgname
	install -dm700 -o $pkgusers -g $_grp_ngx ./var/lib/$pkgname/tmp
	install -dm755 -g $_grp_www ./var/www/localhost/htdocs

	install -dm755 ./var/log
	mv ./var/lib/$pkgname/logs ./var/log/$pkgname

	ln -sf /$_modules_dir ./var/lib/$pkgname/modules
	ln -sf /var/log/$pkgname ./var/lib/$pkgname/logs
	ln -sf /run/$pkgname ./var/lib/$pkgname/run

	# Remove archaic charset maps.
	rm ./etc/$pkgname/koi-* ./etc/$pkgname/win-utf

	rm -rf ./run ./etc/$pkgname/*.default
}

vim() {
	pkgdesc="$pkgdesc (vim syntax)"
	install_if="vim $pkgname=$pkgver-r$pkgrel"
	depends=

	mkdir -p "$subpkgdir"/usr/share/vim
	cp -r "$builddir"/contrib/vim "$subpkgdir"/usr/share/vim/vimfiles
}

_module() {
	local name="${subpkgname#$pkgname-mod-}"
	name="${name//-/_}"
	local sonames="$(eval "echo \$_${name}_so")";
	sonames="${sonames:-"ngx_${name}_module.so"}"

	pkgdesc="$pkgdesc (module $name)"
	depends="$pkgname $(eval "echo \$_${name}_depends")"
	provides="$(eval "echo \$_${name}_provides")"

	mkdir -p "$subpkgdir"/$_modules_dir
	mkdir -p "$subpkgdir"/etc/nginx/modules

	cd "$subpkgdir"

	local soname; for soname in $sonames; do
		mv "$pkgdir"/$_modules_dir/$soname ./$_modules_dir/$soname
		echo "load_module \"modules/$soname\";" > ./etc/nginx/modules/$name.conf
	done
}

sha512sums="17e95b43fa47d4fef5e652dea587518e16ab5ec562c9c94355c356440166d4b6a6a41ee520d406e5a34791a327d2e3c46b3f9b105ac9ce07afdd495c49eca437  nginx-1.16.1.tar.gz
69ebc81dba60c062e3a0e1ba0a7e1f2c2bf74f38f2bbd4dd0c5608e6c6965b819dc3c57fe21b596c1faceef61bc4a1c804eb9634f8824d62bc9293d17cd2bab2  nginx-tests-40e5f2a0a238.tar.gz
e7e11b5ed8703adac1d4fb3b8e82731f868eb6c1cad405e9664f3761733ebfaa9a122517ac78cf4ef93d8d78cdb58d36bdbd96dff164079a3a18e9eba60f4aae  nginx-njs-0.3.5.tar.gz
ac7e3153ab698b4cde077f0d5d7ac0a58897927eb36cf3b58cb01268ca0296f1d589c0a5b4f889b96b5b4a57bef05b17c59be59a9d7c4d7a3d3be58f101f7f41  nginx.conf
0907f69dc2d3dc1bad3a04fb6673f741f1a8be964e22b306ef9ae2f8e736e1f5733a8884bfe54f3553fff5132a0e5336716250f54272c3fec2177d6ba16986f3  default.conf
09b110693e3f4377349ccea3c43cb8199c8579ee351eae34283299be99fdf764b0c1bddd552e13e4d671b194501618b29c822e1ad53b34101a73a63954363dbb  nginx.logrotate
eb183860cd511361346e4079c1fcf470985e1c3b2a034a57f8b2a92ba851fed99256261f9b779770a5f57e3750e9e71bd1550a9d19ad9bf3a4d288864f0374a2  nginx.initd
558764c9be913a4f61d0e277d07bf3c272e1ce086b3fadb85b693a7e92805cd9fca4da7a8d29c96e53fc0d23b331327d3b2561ff61f19d2330e7d5d35ac7d614  ngx_devel_kit-0.3.0.tar.gz
1f6c15b148856e5d258ed804b8340ae286e8ef925128ba230c59c24c3412c60e58952be4511e8360695cb5301268a9a3407760b0887323e6f46ccc9e81a73642  ngx_cache_purge-2.5.tar.gz
c90b81a4e85a8e9beeb5ff591dc91adb25fa4e0b6cb47086b577e5fa36db2368442dd011187675e358781956c364b949bc4d920ca2b534481b21c9987d2a9a3b  echo-nginx-module-0.61.tar.gz
fe5f6afc29c99f66151c1a06e27b5749b0a16227638583d9c961adc94b2942b981184382f95e70d927f00b09b43f597b963a85a41bde5903b10e42f86bc321f1  ngx-fancyindex-0.4.3.tar.gz
13165b1b8d4be281b8bd2404fa48d456013d560bace094c81da08a35dc6a4f025a809a3ae3a42be6bbf67abbcbe41e0730aba06f905220f3baeb01e1192a7d37  headers-more-nginx-module-0.33.tar.gz
1feea538464275e6e571860592628ad639b2259c8aab7f38575b81c0b355f1ade32a91643267bc9ec16519e3bcf3d132511513dc8c949f74a3bff975c85d8ff7  lua-nginx-module-0.10.15.tar.gz
72887c4490854b099cb26bb3f840073a36b0d812bde4486f04dc1be182ca74f0d1e3fd709e77c240c2dcf37665f74cf04e188ea9efe8e127c6789b27b487d0cd  lua-upstream-nginx-module-0.07.tar.gz
016bbc4a33dccb4f06d43d32b132159473f26b96df2366f6eea246c695073842bcd6252a71873f42032fa47404cbbf9e34ac80f2ea819a9196491ef6c58713f7  nchan-1.2.5.tar.gz
1730845ea2e52be8c2f6cfceb2894304c5a07959a96940bb1617ee0e7cf81d22283304f411d9a219ddb71e4d9a66012bba0f6f5574d101aeb3c406f26c5d6a4e  nginx-http-shibboleth-2.0.1.tar.gz
d6ca250db8de93edbd7875afca35e73cecdaf82132d1a7ee933cf94c6b8afa8e629e9e647a9321f2bc1fbb92137ec0d32dcd89b82ac5fae31e342537fb7e0431  redis2-nginx-module-0.15.tar.gz
5590526f60c99630f99a49bfa9e3455baee6d58cd2a1419eab1367a838dafb87a50f5e2607aa8ac557b90dbf633dcf61069c997b3526cddc8f2fc45820a7bc3b  set-misc-nginx-module-0.32.tar.gz
c31c46344d49704389722325a041b9cd170fa290acefe92cfc572c07f711cd3039de78f28df48ca7dcb79b2e4bbe442580aaaf4d92883fd3a14bf41d66dd9d8c  nginx-upload-progress-module-0.9.2.tar.gz
8adb7453c27748f4e685e3352e9b318b408da818754dc5b6244e908423941a8ba337561104f6e481f2553cbc0e334dcea73b57f8e810a9d6e974bb69ff8859e5  nginx-upstream-fair-0.1.3.tar.gz
4a0af5e9afa4deb0b53de8de7ddb2cfa6430d372e1ef9e421f01b509548bd134d427345442ac1ce667338cc2a1484dc2ab732e316e878ac7d3537dc527d5f922  nginx-rtmp-module-1.2.1.tar.gz
daa9b23858937e57f1bcd5f4400b33155ab4e0e455eea01d80eec5285fc85bd10db63d80a1560f1fea51914a4eb4c59cc54110b7e4de208adbf52ea691cfd6d9  nginx-vod-module-1.24.tar.gz
84b26955234e29dbfbf2431b652fcc453c5e86b95f837296df4f3d6c730e3e0773223dae890eebfc9b5763f46082bde6f38d6505b8bf78133b89e7297016cc5d  ngx_http_geoip2_module-3.2.tar.gz"