From 715d53300da283a3b831388ad074e375d8ba469d Mon Sep 17 00:00:00 2001 
From: Ycarus Date: Fri, 9 Mar 2018 10:51:29 +0100 Subject: [PATCH] Add basic IPv6 support and replace haproxy by nginx for VPS failover --- luci-app-nginx-ha/LICENSE | 21 ++ luci-app-nginx-ha/Makefile | 17 + .../luasrc/controller/nginx-ha.lua | 7 + .../luasrc/model/cbi/nginx-ha.lua | 46 +++ luci-app-nginx-ha/root/etc/config/nginx-ha | 8 + luci-app-nginx-ha/root/etc/init.d/nginx-ha | 115 +++++++ .../root/etc/uci-defaults/42_luci-nginx-ha | 13 + nginx/Config.in | 210 +++++++++++++ nginx/Makefile | 290 ++++++++++++++++++ nginx/files/nginx.init | 17 + .../100-no_by_lua_block.patch | 195 ++++++++++++ nginx/patches/101-feature_test_fix.patch | 107 +++++++ nginx/patches/102-sizeof_test_fix.patch | 27 ++ nginx/patches/103-sys_nerr.patch | 12 + nginx/patches/200-config.patch | 18 ++ nginx/patches/300-max-processes.patch | 11 + openmptcprouter-full/Makefile | 6 +- .../files/etc/sysctl.d/ipv6default.conf | 1 - .../etc/uci-defaults/1930-omr-shadowsocks | 2 +- shadowsocks-libev/Makefile | 3 +- .../files/shadowsocks-libev.config | 2 +- .../files/shadowsocks-libev.init | 53 +++- shadowsocks-libev/files/ss-rules6 | 247 +++++++++++++++ 23 files changed, 1419 insertions(+), 9 deletions(-) create mode 100644 luci-app-nginx-ha/LICENSE create mode 100644 luci-app-nginx-ha/Makefile create mode 100644 luci-app-nginx-ha/luasrc/controller/nginx-ha.lua create mode 100644 luci-app-nginx-ha/luasrc/model/cbi/nginx-ha.lua create mode 100644 luci-app-nginx-ha/root/etc/config/nginx-ha create mode 100755 luci-app-nginx-ha/root/etc/init.d/nginx-ha create mode 100644 luci-app-nginx-ha/root/etc/uci-defaults/42_luci-nginx-ha create mode 100644 nginx/Config.in create mode 100644 nginx/Makefile create mode 100644 nginx/files/nginx.init create mode 100644 nginx/patches-lua-nginx/100-no_by_lua_block.patch create mode 100644 nginx/patches/101-feature_test_fix.patch create mode 100644 nginx/patches/102-sizeof_test_fix.patch create mode 100644 nginx/patches/103-sys_nerr.patch create mode 100644 
nginx/patches/200-config.patch create mode 100644 nginx/patches/300-max-processes.patch delete mode 100644 openmptcprouter/files/etc/sysctl.d/ipv6default.conf create mode 100755 shadowsocks-libev/files/ss-rules6 diff --git a/luci-app-nginx-ha/LICENSE b/luci-app-nginx-ha/LICENSE new file mode 100644 index 000000000..e09a55e37 --- /dev/null +++ b/luci-app-nginx-ha/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2017 chenhw2 + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/luci-app-nginx-ha/Makefile b/luci-app-nginx-ha/Makefile new file mode 100644 index 000000000..c9e835813 --- /dev/null +++ b/luci-app-nginx-ha/Makefile @@ -0,0 +1,17 @@ +# +# Copyright (C) 2016 chenhw2 +# Copyright (C) 2018 Ycarus (Yannick Chabanois) +# +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +LUCI_TITLE:=LuCI Support for nginx load balancing +LUCI_DEPENDS:=+nginx + +PKG_LICENSE:=MIT + +include ../luci/luci.mk + +# call BuildPackage - OpenWrt buildroot signature 
diff --git a/luci-app-nginx-ha/luasrc/controller/nginx-ha.lua b/luci-app-nginx-ha/luasrc/controller/nginx-ha.lua
new file mode 100644
index 000000000..587c42769
--- /dev/null
+++ b/luci-app-nginx-ha/luasrc/controller/nginx-ha.lua
@@ -0,0 +1,7 @@
+module("luci.controller.nginx-ha", package.seeall)
+
+function index()
+ entry(
+ {"admin", "services", "nginx-ha"},
+ cbi("nginx-ha"), _("Nginx High Availability"), 55)
+end
diff --git a/luci-app-nginx-ha/luasrc/model/cbi/nginx-ha.lua b/luci-app-nginx-ha/luasrc/model/cbi/nginx-ha.lua
new file mode 100644
index 000000000..7f4a43d22
--- /dev/null
+++ b/luci-app-nginx-ha/luasrc/model/cbi/nginx-ha.lua
@@ -0,0 +1,46 @@
+local m, s, o
+
+if luci.sys.call("pgrep nginx >/dev/null") == 0 then
+ m = Map("nginx-ha", translate("Nginx High Availability"), "%s - %s" %{translate("Nginx High Availability"), translate("RUNNING")})
+else
+ m = Map("nginx-ha", translate("Nginx High Availability"), "%s - %s" %{translate("Nginx High Availability"), translate("NOT RUNNING")})
+end
+
+s = m:section(TypedSection, "general", translate("General Setting"))
+s.anonymous = true
+
+o = s:option(Flag, "enable", translate("Enable"))
+o.rmempty = false
+
+o = s:option(Value, "startup_delay", translate("Startup Delay"))
+o:value(0, translate("Not enabled"))
+for _, v in ipairs({5, 10, 15, 25, 40}) do
+ o:value(v, translate("%u seconds") %{v})
+end
+o.datatype = "uinteger"
+o.default = 0
+o.rmempty = false
+
+o = s:option(Value, "listen", translate("Listen Address:Port"))
+o.placeholder = "0.0.0.0:6666"
+o.default = "0.0.0.0:6666"
+o.rmempty = false
+
+o = s:option(Value, "timeout", translate("Timeout Connect (ms)"))
+o.placeholder = "666"
+o.default = "666"
+o.datatype = "range(33, 10000)"
+o.rmempty = false
+
+o = s:option(Value, "retries", translate("Retries"))
+o.placeholder = "1"
+o.default = "1"
+o.datatype = "range(1, 10)"
+o.rmempty = false
+
+
+o = s:option(DynamicList, "upstreams", translate("UpStream Server"), translate("e.g. [123.123.123.123:65101 weight=1 max_fails=3 fail_timeout=30s]"))
+o.placeholder = "123.123.123.123:65101 weight=1 max_fails=3 fail_timeout=30s"
+o.rmempty = false
+
+return m
diff --git a/luci-app-nginx-ha/root/etc/config/nginx-ha b/luci-app-nginx-ha/root/etc/config/nginx-ha
new file mode 100644
index 000000000..b6cfa9761
--- /dev/null
+++ b/luci-app-nginx-ha/root/etc/config/nginx-ha
@@ -0,0 +1,8 @@
+
+config general 'general'
+ option enable '0'
+ option retries '1'
+ option timeout '1000'
+ option listen '0.0.0.0:65101'
+ option startup_delay '5'
+ list upstreams '1.2.3.4:65101 weight=1 max_fails=3 fail_timeout=30s'
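Review bot: The `listen` option at `o = s:option(Value, "listen", ...)` has no datatype, yet the init script in this commit writes the value verbatim into the generated nginx `listen` directive, so anything that is not `address:port` produces a config nginx refuses to load; add `o.datatype = "ipaddrport"` next to the existing `o.rmempty = false`. The `timeout` and `retries` options are validated here (`range(33, 10000)`, `range(1, 10)`) but nothing in the generated stream config uses them, so the form promises behaviour that does not exist — either map them to `proxy_connect_timeout` / `proxy_next_upstream_tries` in the init script or drop them from the form. The defaults also disagree across the three places that define them: `0.0.0.0:6666` / `666` / `1` here, `0.0.0.0:65101` / `1000` / `1` in `/etc/config/nginx-ha`, and `4000` / `3` in the init script's `validate_section`; pick one set so the UI, the shipped config and the validator agree.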
diff --git a/luci-app-nginx-ha/root/etc/init.d/nginx-ha b/luci-app-nginx-ha/root/etc/init.d/nginx-ha
new file mode 100755
index 000000000..fee654f12
--- /dev/null
+++ b/luci-app-nginx-ha/root/etc/init.d/nginx-ha
@@ -0,0 +1,115 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2016 chenhw2
+# Copyright (C) 2018 Ycarus (Yannick Chabanois)
+
+START=85
+
+USE_PROCD=1
+PROG_NAME=nginx
+PROG=/usr/sbin/${PROG_NAME}
+NAME=nginx-ha
+
+PIDCOUNT=0
+
+_log() {
+ logger -p daemon.info -t ${PROG_NAME} "$@"
+}
+
+_err() {
+ logger -p daemon.err -t ${PROG_NAME} "$@"
+}
+
+validate_section() {
+ uci_validate_section nginx-ha general "${1}" \
+ 'enable:bool:0' \
+ 'retries:uinteger:3' \
+ 'timeout:uinteger:4000' \
+ 'startup_delay:uinteger:5' \
+ 'listen:string' \
+ 'upstreams:list(string)'
+}
+
+genline_srv(){
+ echo " server $1;"
+}
+
+boot() {
+ local delay=$(uci -q get $NAME.general.startup_delay)
+ (sleep ${delay:-0} && start >/dev/null 2>&1) &
+ return 0
+}
+
+start_instance() {
+ local enable retries timeout startup_delay listen upstreams
+
+ validate_section "${1}" || {
+ _err "validation failed"
+ return 1
+ }
+
+ [ "$enable" = 1 ] || return 1
+
+ mkdir -p /var/etc
+ cat <<-EOF > /var/etc/$PROG_NAME.cfg
+ user nobody nogroup;
+ worker_processes $(grep -c '^processor' /proc/cpuinfo | tr -d "\n");
+ worker_rlimit_nofile 300000;
+
+ events {
+ worker_connections 15000;
+ multi_accept on;
+ use epoll;
+ }
+
+ stream {
+ upstream allservers {
+ zone dynamic 64k;
+ $(config_list_foreach "${1}" "upstreams" genline_srv)
+ }
+
+ server {
+ listen ${listen:-0.0.0.0:6666} udp;
+ proxy_pass allservers;
+ }
+ server {
+ listen ${listen:-0.0.0.0:6666};
+ proxy_pass allservers;
+ }
+ }
+ EOF
+
+ procd_open_instance "nginx-ha"
+ procd_set_param command /usr/sbin/nginx -c /var/etc/$PROG_NAME.cfg -g 'daemon off;'
+ procd_set_param file /var/etc/$PROG_NAME.cfg
+ procd_set_param respawn
+ procd_close_instance
+}
+
+start_service() {
+ config_load nginx-ha
+ config_foreach start_instance general
+}
+
+reload_service() {
+ stop
+ start
+}
+
+stop_service() {
+ local _PID=$(cat /var/run/nginx.pid 2>/dev/null)
+ kill -15 $_PID 2>/dev/null
+ sleep 1 # give time to shutdown
+ local _tmp=$(pgrep nginx | tr "\n" 
" ") + if [ -z "$_tmp" ]; then + logger -p daemon.notice -t "nginx-ha[$_PID]" "Shutdown successfully" + else + kill -9 $_tmp # Normally never come here + logger -p daemon.warn -t "nginx-ha[$_tmp]" "Shutdown forced by KILL" + fi + return 0 +} + + +service_triggers() { + procd_add_reload_trigger nginx-ha +} diff --git a/luci-app-nginx-ha/root/etc/uci-defaults/42_luci-nginx-ha b/luci-app-nginx-ha/root/etc/uci-defaults/42_luci-nginx-ha new file mode 100644 index 000000000..459404901 --- /dev/null +++ b/luci-app-nginx-ha/root/etc/uci-defaults/42_luci-nginx-ha @@ -0,0 +1,13 @@ +#!/bin/sh + +uci -q batch <<-EOF >/dev/null + delete ucitrack.@nginx-ha[-1] + add ucitrack nginx-ha + set ucitrack.@nginx-ha[-1].init=nginx-ha + commit ucitrack +EOF + +/etc/init.d/nginx-ha enable >/dev/null 2>&1 + +rm -f /tmp/luci-indexcache +exit 0 diff --git a/nginx/Config.in b/nginx/Config.in new file mode 100644 index 000000000..85935f70e --- /dev/null +++ b/nginx/Config.in 
@@ -0,0 +1,210 @@
+#
+# Copyright (C) 2010-2016 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+menu "Configuration"
+ depends on PACKAGE_nginx
+
+config NGINX_SSL
+ bool
+ prompt "Enable SSL module"
+ help
+ Enable HTTPS/SSL support.
+ default n
+
+config NGINX_DAV
+ bool
+ prompt "Enable WebDAV module"
+ help
+ Enable the HTTP and WebDAV methods PUT, DELETE, MKCOL, COPY and MOVE.
+ default n
+
+config NGINX_FLV
+ bool
+ prompt "Enable FLV module"
+ help
+ Provides the ability to seek within FLV (Flash) files using time-based offsets.
+ default n
+
+config NGINX_STUB_STATUS
+ bool
+ prompt "Enable stub status module"
+ help
+ Enable the stub status module which gives some status from the server.
+ default n
+
+config NGINX_HTTP_CHARSET
+ bool
+ prompt "Enable HTTP charset module"
+ default y
+
+config NGINX_HTTP_GZIP
+ bool
+ prompt "Enable HTTP gzip module"
+ default y
+
+config NGINX_HTTP_SSI
+ bool
+ prompt "Enable HTTP ssi module"
+ default y
+
+config NGINX_HTTP_USERID
+ bool
+ prompt "Enable HTTP userid module"
+ default y
+
+config NGINX_HTTP_ACCESS
+ bool
+ prompt "Enable HTTP access module"
+ default y
+
+config NGINX_HTTP_AUTH_BASIC
+ bool
+ prompt "Enable HTTP auth basic"
+ default y
+
+config NGINX_HTTP_AUTH_REQUEST
+ bool
+ prompt "Enable HTTP auth request module"
+ default n
+
+config NGINX_HTTP_AUTOINDEX
+ bool
+ prompt "Enable HTTP autoindex module"
+ default y
+
+config NGINX_HTTP_GEO
+ bool
+ prompt "Enable HTTP geo module"
+ default y
+
+config NGINX_HTTP_MAP
+ bool
+ prompt "Enable HTTP map module"
+ default y
+
+config NGINX_HTTP_SPLIT_CLIENTS
+ bool
+ prompt "Enable HTTP split clients"
+ default y
+
+config NGINX_HTTP_REFERER
+ bool
+ prompt "Enable HTTP referer module"
+ default y
+
+config NGINX_HTTP_REWRITE
+ bool
+ prompt "Enable HTTP rewrite module"
+ select NGINX_PCRE
+ default y
+
+config NGINX_HTTP_PROXY
+ bool
+ prompt "Enable HTTP proxy module"
+ 
default y
+
+config NGINX_HTTP_FASTCGI
+ bool
+ prompt "Enable HTTP fastcgi module"
+ default y
+
+config NGINX_HTTP_UWSGI
+ bool
+ prompt "Enable HTTP uwsgi module"
+ default y
+
+config NGINX_HTTP_SCGI
+ bool
+ prompt "Enable HTTP scgi module"
+ default y
+
+config NGINX_HTTP_MEMCACHED
+ bool
+ prompt "Enable HTTP memcached module"
+ default y
+
+config NGINX_HTTP_LIMIT_CONN
+ bool
+ prompt "Enable HTTP limit conn"
+ default y
+
+config NGINX_HTTP_LIMIT_REQ
+ bool
+ prompt "Enable HTTP limit req"
+ default y
+
+config NGINX_HTTP_EMPTY_GIF
+ bool
+ prompt "Enable HTTP empty gif"
+ default y
+
+config NGINX_HTTP_BROWSER
+ bool
+ prompt "Enable HTTP browser module"
+ default y
+
+config NGINX_HTTP_UPSTREAM_HASH
+ bool
+ prompt "Enable HTTP hash module"
+ default y
+
+config NGINX_HTTP_UPSTREAM_IP_HASH
+ bool
+ prompt "Enable HTTP IP hash module"
+ default y
+
+config NGINX_HTTP_UPSTREAM_LEAST_CONN
+ bool
+ prompt "Enable HTTP least conn module"
+ default y
+
+config NGINX_HTTP_UPSTREAM_KEEPALIVE
+ bool
+ prompt "Enable HTTP keepalive module"
+ default y
+
+config NGINX_HTTP_CACHE
+ bool
+ prompt "Enable HTTP cache"
+ default y
+
+config NGINX_HTTP_V2
+ bool
+ prompt "Enable HTTP_V2 module"
+ default n
+
+config NGINX_PCRE
+ bool
+ prompt "Enable PCRE library usage"
+ default y
+
+config NGINX_NAXSI
+ bool
+ prompt "Enable NAXSI module"
+ default y
+
+config NGINX_LUA
+ bool
+ prompt "Enable Lua module"
+ default n
+
+config NGINX_HTTP_REAL_IP
+ bool
+ prompt "Enable HTTP real ip module"
+ default n
+
+config NGINX_HTTP_SECURE_LINK
+ bool
+ prompt "Enable HTTP secure link module"
+ default n
+
+config NGINX_STREAM
+ bool
+ prompt "Enable stream module"
+ default y
+
+endmenu
diff --git a/nginx/Makefile b/nginx/Makefile
new file mode 100644
index 000000000..adfb77575
--- /dev/null
+++ b/nginx/Makefile
@@ -0,0 +1,290 @@ +# +# Copyright (C) 2012-2016 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=nginx +PKG_VERSION:=1.12.2 +PKG_RELEASE:=1 + +PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=http://nginx.org/download/ +PKG_HASH:=305f379da1d5fb5aefa79e45c829852ca6983c7cd2a79328f8e084a324cf0416 +PKG_MAINTAINER:=Thomas Heil +PKG_LICENSE:=2-clause BSD-like license + +PKG_BUILD_DIR:=$(BUILD_DIR)/nginx-$(PKG_VERSION) + +PKG_BUILD_PARALLEL:=1 +PKG_INSTALL:=1 + +PKG_CONFIG_DEPENDS := \ + CONFIG_NGINX_SSL \ + CONFIG_NGINX_DAV \ + CONFIG_NGINX_FLV \ + CONFIG_NGINX_STUB_STATUS \ + CONFIG_NGINX_HTTP_CHARSET \ + CONFIG_NGINX_HTTP_GZIP \ + CONFIG_NGINX_HTTP_SSI \ + CONFIG_NGINX_HTTP_USERID \ + CONFIG_NGINX_HTTP_ACCESS \ + CONFIG_NGINX_HTTP_AUTH_BASIC \ + CONFIG_NGINX_HTTP_AUTH_REQUEST \ + CONFIG_NGINX_HTTP_AUTOINDEX \ + CONFIG_NGINX_HTTP_GEO \ + CONFIG_NGINX_HTTP_MAP \ + CONFIG_NGINX_HTTP_SPLIT_CLIENTS \ + CONFIG_NGINX_HTTP_REFERER \ + CONFIG_NGINX_HTTP_REWRITE \ + CONFIG_NGINX_HTTP_PROXY \ + CONFIG_NGINX_HTTP_FASTCGI \ + CONFIG_NGINX_HTTP_UWSGI \ + CONFIG_NGINX_HTTP_SCGI \ + CONFIG_NGINX_HTTP_MEMCACHED \ + CONFIG_NGINX_HTTP_LIMIT_CONN \ + CONFIG_NGINX_HTTP_LIMIT_REQ \ + CONFIG_NGINX_HTTP_EMPTY_GIF \ + CONFIG_NGINX_HTTP_BROWSER \ + CONFIG_NGINX_HTTP_UPSTREAM_HASH \ + CONFIG_NGINX_HTTP_UPSTREAM_IP_HASH \ + CONFIG_NGINX_HTTP_UPSTREAM_LEAST_CONN \ + CONFIG_NGINX_HTTP_UPSTREAM_KEEPALIVE \ + CONFIG_NGINX_HTTP_UPSTREAM_ZONE \ + CONFIG_NGINX_HTTP_CACHE \ + CONFIG_NGINX_HTTP_V2 \ + CONFIG_NGINX_PCRE \ + CONFIG_NGINX_STREAM \ + CONFIG_NGINX_NAXSI \ + CONFIG_NGINX_LUA \ + CONFIG_NGINX_HTTP_REAL_IP \ + CONFIG_NGINX_HTTP_SECURE_LINK + +include $(INCLUDE_DIR)/package.mk + +define Package/nginx + SECTION:=net + CATEGORY:=Network + SUBMENU:=Web Servers/Proxies + TITLE:=Nginx web server + URL:=http://nginx.org/ + DEPENDS:=+NGINX_PCRE:libpcre 
+(NGINX_SSL||NGINX_HTTP_CACHE||NGINX_HTTP_AUTH_BASIC):libopenssl +NGINX_HTTP_GZIP:zlib +NGINX_LUA:liblua +libpthread + MENU:=1 +endef + +define Package/nginx/description + nginx is an HTTP and reverse proxy server, as well as a mail proxy server, + written by Igor Sysoev. +endef + +define Package/nginx/config + source "$(SOURCE)/Config.in" +endef + +config_files=nginx.conf mime.types + +define Package/nginx/conffiles +/etc/nginx/ +endef + +ADDITIONAL_MODULES:= +ifeq ($(CONFIG_NGINX_NAXSI),y) + ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src +endif +ifeq ($(CONFIG_NGINX_LUA),y) + ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/lua-nginx +endif +ifeq ($(CONFIG_IPV6),y) + ADDITIONAL_MODULES += --with-ipv6 +endif +ifeq ($(CONFIG_NGINX_STUB_STATUS),y) + ADDITIONAL_MODULES += --with-http_stub_status_module +endif +ifeq ($(CONFIG_NGINX_FLV),y) + ADDITIONAL_MODULES += --with-http_flv_module +endif +ifeq ($(CONFIG_NGINX_SSL),y) + ADDITIONAL_MODULES += --with-http_ssl_module +endif +ifeq ($(CONFIG_NGINX_DAV),y) + ADDITIONAL_MODULES += --with-http_dav_module +endif +ifneq ($(CONFIG_NGINX_HTTP_CACHE),y) + ADDITIONAL_MODULES += --without-http-cache +endif +ifneq ($(CONFIG_NGINX_PCRE),y) + ADDITIONAL_MODULES += --without-pcre +endif +ifneq ($(CONFIG_NGINX_HTTP_CHARSET),y) + ADDITIONAL_MODULES += --without-http_charset_module +else + config_files += koi-utf koi-win win-utf +endif +ifneq ($(CONFIG_NGINX_HTTP_GZIP),y) + ADDITIONAL_MODULES += --without-http_gzip_module +endif +ifneq ($(CONFIG_NGINX_HTTP_SSI),y) + ADDITIONAL_MODULES += --without-http_ssi_module +endif +ifneq ($(CONFIG_NGINX_HTTP_USERID),y) + ADDITIONAL_MODULES += --without-http_userid_module +endif +ifneq ($(CONFIG_NGINX_HTTP_ACCESS),y) + ADDITIONAL_MODULES += --without-http_access_module +endif +ifneq ($(CONFIG_NGINX_HTTP_AUTH_BASIC),y) + ADDITIONAL_MODULES += --without-http_auth_basic_module +endif +ifeq ($(CONFIG_NGINX_HTTP_AUTH_REQUEST),y) + ADDITIONAL_MODULES += 
--with-http_auth_request_module +endif +ifneq ($(CONFIG_NGINX_HTTP_AUTOINDEX),y) + ADDITIONAL_MODULES += --without-http_autoindex_module +endif +ifneq ($(CONFIG_NGINX_HTTP_GEO),y) + ADDITIONAL_MODULES += --without-http_geo_module +endif +ifneq ($(CONFIG_NGINX_HTTP_MAP),y) + ADDITIONAL_MODULES += --without-http_map_module +endif +ifneq ($(CONFIG_NGINX_HTTP_SPLIT_CLIENTS),y) + ADDITIONAL_MODULES += --without-http_split_clients_module +endif +ifneq ($(CONFIG_NGINX_HTTP_REFERER),y) + ADDITIONAL_MODULES += --without-http_referer_module +endif +ifneq ($(CONFIG_NGINX_HTTP_REWRITE),y) + ADDITIONAL_MODULES += --without-http_rewrite_module +endif +ifneq ($(CONFIG_NGINX_HTTP_PROXY),y) + ADDITIONAL_MODULES += --without-http_proxy_module +endif +ifneq ($(CONFIG_NGINX_HTTP_FASTCGI),y) + ADDITIONAL_MODULES += --without-http_fastcgi_module +else + config_files += fastcgi_params +endif +ifneq ($(CONFIG_NGINX_HTTP_UWSGI),y) + ADDITIONAL_MODULES += --without-http_uwsgi_module +endif +ifneq ($(CONFIG_NGINX_HTTP_SCGI),y) + ADDITIONAL_MODULES += --without-http_scgi_module +endif +ifneq ($(CONFIG_NGINX_HTTP_MEMCACHED),y) + ADDITIONAL_MODULES += --without-http_memcached_module +endif +ifneq ($(CONFIG_NGINX_HTTP_LIMIT_CONN),y) + ADDITIONAL_MODULES += --without-http_limit_conn_module +endif +ifneq ($(CONFIG_NGINX_HTTP_LIMIT_REQ),y) + ADDITIONAL_MODULES += --without-http_limit_req_module +endif +ifneq ($(CONFIG_NGINX_HTTP_EMPTY_GIF),y) + ADDITIONAL_MODULES += --without-http_empty_gif_module +endif +ifneq ($(CONFIG_NGINX_HTTP_BROWSER),y) + ADDITIONAL_MODULES += --without-http_browser_module +endif +ifneq ($(CONFIG_NGINX_HTTP_UPSTREAM_HASH),y) + ADDITIONAL_MODULES += --without-http_upstream_hash_module +endif +ifneq ($(CONFIG_NGINX_HTTP_UPSTREAM_IP_HASH),y) + ADDITIONAL_MODULES += --without-http_upstream_ip_hash_module +endif +ifneq ($(CONFIG_NGINX_HTTP_UPSTREAM_LEAST_CONN),y) + ADDITIONAL_MODULES += --without-http_upstream_least_conn_module +endif +ifneq 
($(CONFIG_NGINX_HTTP_UPSTREAM_KEEPALIVE),y) + ADDITIONAL_MODULES += --without-http_upstream_keepalive_module +endif +ifeq ($(CONFIG_NGINX_HTTP_V2),y) + ADDITIONAL_MODULES += --with-http_v2_module +endif +ifeq ($(CONFIG_NGINX_HTTP_REAL_IP),y) + ADDITIONAL_MODULES += --with-http_realip_module +endif +ifeq ($(CONFIG_NGINX_HTTP_SECURE_LINK),y) + ADDITIONAL_MODULES += --with-http_secure_link_module +endif +ifeq ($(CONFIG_NGINX_STREAM),y) + ADDITIONAL_MODULES += --with-stream +endif + +TARGET_CFLAGS += -fvisibility=hidden -ffunction-sections -fdata-sections -DNGX_LUA_NO_BY_LUA_BLOCK +TARGET_LDFLAGS += -Wl,--gc-sections + +define Build/Configure + ( cd $(PKG_BUILD_DIR) ; \ + $(if $(CONFIG_NGINX_LUA),LUA_INC=$(STAGING_DIR)/usr/include LUA_LIB=$(STAGING_DIR)/usr/lib) \ + ./configure \ + --crossbuild=Linux::$(ARCH) \ + --prefix=/usr \ + --conf-path=/etc/nginx/nginx.conf \ + $(ADDITIONAL_MODULES) \ + --error-log-path=/var/log/nginx/error.log \ + --pid-path=/var/run/nginx.pid \ + --lock-path=/var/lock/nginx.lock \ + --http-log-path=/var/log/nginx/access.log \ + --http-client-body-temp-path=/var/lib/nginx/body \ + --http-proxy-temp-path=/var/lib/nginx/proxy \ + --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ + --with-cc="$(TARGET_CC)" \ + --with-cc-opt="$(TARGET_CPPFLAGS) $(TARGET_CFLAGS)" \ + --with-ld-opt="$(TARGET_LDFLAGS)" \ + --without-http_upstream_zone_module \ + ) +endef + +define Package/nginx/install + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/nginx $(1)/usr/sbin/ + $(INSTALL_DIR) $(1)/etc/nginx + $(INSTALL_DATA) $(addprefix $(PKG_INSTALL_DIR)/etc/nginx/,$(config_files)) $(1)/etc/nginx/ + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/nginx.init $(1)/etc/init.d/nginx +ifeq ($(CONFIG_NGINX_NAXSI),y) + $(INSTALL_DIR) $(1)/etc/nginx + $(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx + chmod 0640 $(1)/etc/nginx/naxsi_core.rules +endif + $(if $(CONFIG_NGINX_NAXSI),$($(INSTALL_BIN) 
$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx)) + $(if $(CONFIG_NGINX_NAXSI),$(chmod 0640 $(1)/etc/nginx/naxsi_core.rules)) +endef + +define Build/Prepare + $(call Build/Prepare/Default) + $(if $(CONFIG_NGINX_NAXSI),$(call Prepare/nginx-naxsi)) + $(if $(CONFIG_NGINX_LUA),$(call Prepare/lua-nginx)) +endef + +define Download/nginx-naxsi + VERSION:=cf73f9c8664127252c2a4958d2e169516d3845a1 + SUBDIR:=nginx-naxsi + FILE:=nginx-naxsi-module-$(PKG_VERSION)-$$(VERSION).tar.gz + URL:=https://github.com/nbs-system/naxsi.git + PROTO:=git +endef + +define Prepare/nginx-naxsi + $(eval $(call Download,nginx-naxsi)) + gzip -dc $(DL_DIR)/$(FILE) | tar -C $(PKG_BUILD_DIR) $(TAR_OPTIONS) +endef + +define Download/lua-nginx + VERSION:=cdd2ae921f67bf396c743406493127be496e57ce + SUBDIR:=lua-nginx + FILE:=lua-nginx-module-$(PKG_VERSION)-$$(VERSION).tar.gz + URL:=https://github.com/openresty/lua-nginx-module.git + PROTO:=git +endef + +define Prepare/lua-nginx + $(eval $(call Download,lua-nginx)) + gzip -dc $(DL_DIR)/$(FILE) | tar -C $(PKG_BUILD_DIR) $(TAR_OPTIONS) + $(call PatchDir,$(PKG_BUILD_DIR),./patches-lua-nginx) +endef + +$(eval $(call BuildPackage,nginx)) diff --git a/nginx/files/nginx.init b/nginx/files/nginx.init new file mode 100644 index 000000000..40d389719 --- /dev/null +++ b/nginx/files/nginx.init @@ -0,0 +1,17 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2015 OpenWrt.org + +START=80 + +USE_PROCD=1 + +start_service() { + [ -d /var/log/nginx ] || mkdir -p /var/log/nginx + [ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx + + procd_open_instance + procd_set_param command /usr/sbin/nginx -c /etc/nginx/nginx.conf -g 'daemon off;' + procd_set_param file /etc/nginx/nginx.conf + procd_set_param respawn + procd_close_instance +} diff --git a/nginx/patches-lua-nginx/100-no_by_lua_block.patch b/nginx/patches-lua-nginx/100-no_by_lua_block.patch new file mode 100644 index 000000000..fef983fa7 --- /dev/null 
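Review bot: The two `$(if $(CONFIG_NGINX_NAXSI),$($(INSTALL_BIN) …))` and `$(if $(CONFIG_NGINX_NAXSI),$(chmod 0640 …))` lines at the end of `Package/nginx/install` are malformed — `$($(INSTALL_BIN) …)` expands a variable whose name is the whole command text, which is empty — so they are silent no-ops that only duplicate the `ifeq ($(CONFIG_NGINX_NAXSI),y)` block directly above them; delete the two lines. `ifeq ($(CONFIG_IPV6),y)` appends `--with-ipv6`, but as far as I recall nginx 1.12 builds IPv6 unconditionally and its configure merely prints a deprecation warning for that flag, so for the pinned 1.12.2 the block does nothing and the "basic IPv6 support" in the subject does not come from it. `PKG_CONFIG_DEPENDS` lists `CONFIG_NGINX_HTTP_UPSTREAM_ZONE`, yet the Config.in added in this commit defines no such symbol and `Build/Configure` hard-codes `--without-http_upstream_zone_module`; either add the option or drop the stale entry. `PKG_SOURCE_URL:=http://nginx.org/download/` can be `https://nginx.org/download/` — `PKG_HASH` already pins the tarball, so this only removes the cleartext fetch. `-DNGX_LUA_NO_BY_LUA_BLOCK` is appended to `TARGET_CFLAGS` even when `CONFIG_NGINX_LUA` is off; harmless, but it belongs under the Lua conditional next to `Prepare/lua-nginx`.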
+++ b/nginx/patches-lua-nginx/100-no_by_lua_block.patch 
@@ -0,0 +1,195 @@ +--- a/lua-nginx/src/ngx_http_lua_module.c ++++ b/lua-nginx/src/ngx_http_lua_module.c +@@ -157,14 +157,14 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_lua_loc_conf_t, log_socket_errors), + NULL }, +- ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + { ngx_string("init_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, + ngx_http_lua_init_by_lua_block, + NGX_HTTP_MAIN_CONF_OFFSET, + 0, + (void *) ngx_http_lua_init_by_inline }, +- ++#endif + { ngx_string("init_by_lua"), + NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, + ngx_http_lua_init_by_lua, +@@ -178,14 +178,14 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_MAIN_CONF_OFFSET, + 0, + (void *) ngx_http_lua_init_by_file }, +- ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + { ngx_string("init_worker_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, + ngx_http_lua_init_worker_by_lua_block, + NGX_HTTP_MAIN_CONF_OFFSET, + 0, + (void *) ngx_http_lua_init_worker_by_inline }, +- ++#endif + { ngx_string("init_worker_by_lua"), + NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, + ngx_http_lua_init_worker_by_lua, +@@ -201,6 +201,7 @@ static ngx_command_t ngx_http_lua_cmds[] + (void *) ngx_http_lua_init_worker_by_file }, + + #if defined(NDK) && NDK ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + /* set_by_lua $res { inline Lua code } [$arg1 [$arg2 [...]]] */ + { ngx_string("set_by_lua_block"), + NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF +@@ -209,7 +210,7 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_LOC_CONF_OFFSET, + 0, + (void *) ngx_http_lua_filter_set_by_lua_inline }, +- ++#endif + /* set_by_lua $res [$arg1 [$arg2 [...]]] */ + { ngx_string("set_by_lua"), + NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF +@@ -237,7 +238,7 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_LOC_CONF_OFFSET, + 0, + (void *) ngx_http_lua_rewrite_handler_inline }, +- ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + /* rewrite_by_lua_block { } */ + { 
ngx_string("rewrite_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF +@@ -246,7 +247,7 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_LOC_CONF_OFFSET, + 0, + (void *) ngx_http_lua_rewrite_handler_inline }, +- ++#endif + /* access_by_lua "" */ + { ngx_string("access_by_lua"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF +@@ -255,7 +256,7 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_LOC_CONF_OFFSET, + 0, + (void *) ngx_http_lua_access_handler_inline }, +- ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + /* access_by_lua_block { } */ + { ngx_string("access_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF +@@ -264,7 +265,7 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_LOC_CONF_OFFSET, + 0, + (void *) ngx_http_lua_access_handler_inline }, +- ++#endif + /* content_by_lua "" */ + { ngx_string("content_by_lua"), + NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_TAKE1, +@@ -272,7 +273,7 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_LOC_CONF_OFFSET, + 0, + (void *) ngx_http_lua_content_handler_inline }, +- ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + /* content_by_lua_block { } */ + { ngx_string("content_by_lua_block"), + NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, +@@ -280,7 +281,7 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_LOC_CONF_OFFSET, + 0, + (void *) ngx_http_lua_content_handler_inline }, +- ++#endif + /* log_by_lua */ + { ngx_string("log_by_lua"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF +@@ -289,7 +290,7 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_LOC_CONF_OFFSET, + 0, + (void *) ngx_http_lua_log_handler_inline }, +- ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + /* log_by_lua_block { } */ + { ngx_string("log_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF +@@ -298,7 +299,7 @@ static ngx_command_t ngx_http_lua_cmds[] + 
NGX_HTTP_LOC_CONF_OFFSET, + 0, + (void *) ngx_http_lua_log_handler_inline }, +- ++#endif + { ngx_string("rewrite_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF + |NGX_CONF_TAKE1, +@@ -353,7 +354,7 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_LOC_CONF_OFFSET, + 0, + (void *) ngx_http_lua_header_filter_inline }, +- ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + /* header_filter_by_lua_block { } */ + { ngx_string("header_filter_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF +@@ -362,7 +363,7 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_LOC_CONF_OFFSET, + 0, + (void *) ngx_http_lua_header_filter_inline }, +- ++#endif + { ngx_string("header_filter_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF + |NGX_CONF_TAKE1, +@@ -378,7 +379,7 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_LOC_CONF_OFFSET, + 0, + (void *) ngx_http_lua_body_filter_inline }, +- ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + /* body_filter_by_lua_block { } */ + { ngx_string("body_filter_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF +@@ -387,7 +388,7 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_LOC_CONF_OFFSET, + 0, + (void *) ngx_http_lua_body_filter_inline }, +- ++#endif + { ngx_string("body_filter_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF + |NGX_CONF_TAKE1, +@@ -395,14 +396,14 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_LOC_CONF_OFFSET, + 0, + (void *) ngx_http_lua_body_filter_file }, +- ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + { ngx_string("balancer_by_lua_block"), + NGX_HTTP_UPS_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, + ngx_http_lua_balancer_by_lua_block, + NGX_HTTP_SRV_CONF_OFFSET, + 0, + (void *) ngx_http_lua_balancer_handler_inline }, +- ++#endif + { ngx_string("balancer_by_lua_file"), + NGX_HTTP_UPS_CONF|NGX_CONF_TAKE1, + ngx_http_lua_balancer_by_lua, +@@ 
-509,14 +510,14 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_lua_loc_conf_t, ssl_ciphers), + NULL }, +- ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + { ngx_string("ssl_certificate_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, + ngx_http_lua_ssl_cert_by_lua_block, + NGX_HTTP_SRV_CONF_OFFSET, + 0, + (void *) ngx_http_lua_ssl_cert_handler_inline }, +- ++#endif + { ngx_string("ssl_certificate_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_http_lua_ssl_cert_by_lua, diff --git a/nginx/patches/101-feature_test_fix.patch b/nginx/patches/101-feature_test_fix.patch new file mode 100644 index 000000000..2c692bc79 --- /dev/null +++ b/nginx/patches/101-feature_test_fix.patch 
@@ -0,0 +1,107 @@ +--- a/auto/cc/name ++++ b/auto/cc/name +@@ -7,7 +7,7 @@ if [ "$NGX_PLATFORM" != win32 ]; then + + ngx_feature="C compiler" + ngx_feature_name= +- ngx_feature_run=yes ++ ngx_feature_run= + ngx_feature_incs= + ngx_feature_path= + ngx_feature_libs= +--- a/auto/cc/conf ++++ b/auto/cc/conf +@@ -200,7 +200,7 @@ if [ "$NGX_PLATFORM" != win32 ]; then + else + ngx_feature="C99 variadic macros" + ngx_feature_name="NGX_HAVE_C99_VARIADIC_MACROS" +- ngx_feature_run=yes ++ ngx_feature_run=no + ngx_feature_incs="#include + #define var(dummy, ...) sprintf(__VA_ARGS__)" + ngx_feature_path= +@@ -214,7 +214,7 @@ if [ "$NGX_PLATFORM" != win32 ]; then + + ngx_feature="gcc variadic macros" + ngx_feature_name="NGX_HAVE_GCC_VARIADIC_MACROS" +- ngx_feature_run=yes ++ ngx_feature_run=no + ngx_feature_incs="#include + #define var(dummy, args...) sprintf(args)" + ngx_feature_path= +--- a/auto/os/linux ++++ b/auto/os/linux +@@ -36,7 +36,7 @@ fi + + ngx_feature="epoll" + ngx_feature_name="NGX_HAVE_EPOLL" +-ngx_feature_run=yes ++ngx_feature_run=no + ngx_feature_incs="#include " + ngx_feature_path= + ngx_feature_libs= +@@ -93,7 +93,7 @@ ngx_feature_test="int fd; struct stat sb + CC_AUX_FLAGS="$cc_aux_flags -D_GNU_SOURCE" + ngx_feature="sendfile()" + ngx_feature_name="NGX_HAVE_SENDFILE" +-ngx_feature_run=yes ++ngx_feature_run=no + ngx_feature_incs="#include + #include " + ngx_feature_path= +@@ -114,7 +114,7 @@ fi + CC_AUX_FLAGS="$cc_aux_flags -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64" + ngx_feature="sendfile64()" + ngx_feature_name="NGX_HAVE_SENDFILE64" +-ngx_feature_run=yes ++ngx_feature_run=no + ngx_feature_incs="#include + #include " + ngx_feature_path= +@@ -132,7 +132,7 @@ ngx_include="sys/prctl.h"; . 
auto/includ + + ngx_feature="prctl(PR_SET_DUMPABLE)" + ngx_feature_name="NGX_HAVE_PR_SET_DUMPABLE" +-ngx_feature_run=yes ++ngx_feature_run=no + ngx_feature_incs="#include " + ngx_feature_path= + ngx_feature_libs= +--- a/auto/unix ++++ b/auto/unix +@@ -735,7 +735,7 @@ ngx_feature_test="void *p; p = memalign( + + ngx_feature="mmap(MAP_ANON|MAP_SHARED)" + ngx_feature_name="NGX_HAVE_MAP_ANON" +-ngx_feature_run=yes ++ngx_feature_run=no + ngx_feature_incs="#include " + ngx_feature_path= + ngx_feature_libs= +@@ -748,7 +748,7 @@ ngx_feature_test="void *p; + + ngx_feature='mmap("/dev/zero", MAP_SHARED)' + ngx_feature_name="NGX_HAVE_MAP_DEVZERO" +-ngx_feature_run=yes ++ngx_feature_run=no + ngx_feature_incs="#include + #include + #include " +@@ -763,7 +763,7 @@ ngx_feature_test='void *p; int fd; + + ngx_feature="System V shared memory" + ngx_feature_name="NGX_HAVE_SYSVSHM" +-ngx_feature_run=yes ++ngx_feature_run=no + ngx_feature_incs="#include + #include " + ngx_feature_path= +@@ -777,7 +777,7 @@ ngx_feature_test="int id; + + ngx_feature="POSIX semaphores" + ngx_feature_name="NGX_HAVE_POSIX_SEM" +-ngx_feature_run=yes ++ngx_feature_run=no + ngx_feature_incs="#include " + ngx_feature_path= + ngx_feature_libs= diff --git a/nginx/patches/102-sizeof_test_fix.patch b/nginx/patches/102-sizeof_test_fix.patch new file mode 100644 index 000000000..8a0e88200 --- /dev/null +++ b/nginx/patches/102-sizeof_test_fix.patch 
@@ -0,0 +1,27 @@ +--- a/auto/types/sizeof ++++ b/auto/types/sizeof +@@ -25,8 +25,14 @@ $NGX_INCLUDE_UNISTD_H + $NGX_INCLUDE_INTTYPES_H + $NGX_INCLUDE_AUTO_CONFIG_H + ++char object_code_block[] = { ++ '\n', 'e', '4', 'V', 'A', ++ '0', 'x', ('0' + sizeof($ngx_type)), ++ 'Y', '3', 'p', 'M', '\n' ++}; ++ + int main(void) { +- printf("%d", (int) sizeof($ngx_type)); ++ printf("dummy use of object_code_block to avoid gc-section: %c", object_code_block[0]); + return 0; + } + +@@ -40,7 +45,7 @@ eval "$ngx_test >> $NGX_AUTOCONF_ERR 2>& + + + if [ -x $NGX_AUTOTEST ]; then +- ngx_size=`$NGX_AUTOTEST` ++ ngx_size=`sed -ne 's/^e4VA0x\(.\)Y3pM$/\1/p' < $NGX_AUTOTEST` + echo " $ngx_size bytes" + fi + diff --git a/nginx/patches/103-sys_nerr.patch b/nginx/patches/103-sys_nerr.patch new file mode 100644 index 000000000..5f5d106fe --- /dev/null +++ b/nginx/patches/103-sys_nerr.patch @@ -0,0 +1,12 @@ +--- a/src/os/unix/ngx_errno.c ++++ b/src/os/unix/ngx_errno.c +@@ -8,6 +8,9 @@ + #include + #include + ++#ifndef NGX_SYS_NERR ++#define NGX_SYS_NERR 128 ++#endif + + /* + * The strerror() messages are copied because: diff --git a/nginx/patches/200-config.patch b/nginx/patches/200-config.patch new file mode 100644 index 000000000..f35009576 --- /dev/null +++ b/nginx/patches/200-config.patch @@ -0,0 +1,18 @@ +--- a/conf/nginx.conf ++++ b/conf/nginx.conf +@@ -1,5 +1,5 @@ + +-#user nobody; ++user nobody nogroup; + worker_processes 1; + + #error_log logs/error.log; +@@ -16,7 +16,7 @@ events { + + http { + include mime.types; +- default_type application/octet-stream; ++ #default_type application/octet-stream; + + #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + # '$status $body_bytes_sent "$http_referer" ' diff --git a/nginx/patches/300-max-processes.patch b/nginx/patches/300-max-processes.patch new file mode 100644 index 000000000..f7465d434 --- /dev/null +++ b/nginx/patches/300-max-processes.patch 
@@ -0,0 +1,11 @@
+--- a/src/os/unix/ngx_process.h
++++ b/src/os/unix/ngx_process.h
+@@ -44,7 +44,7 @@ typedef struct {
+ } ngx_exec_ctx_t;
+
+
+-#define NGX_MAX_PROCESSES 1024
++#define NGX_MAX_PROCESSES 8
+
+ #define NGX_PROCESS_NORESPAWN -1
+ #define NGX_PROCESS_JUST_SPAWN -2
diff --git a/openmptcprouter-full/Makefile b/openmptcprouter-full/Makefile
index b66c4416a..5449a84ed 100644
--- a/openmptcprouter-full/Makefile
+++ b/openmptcprouter-full/Makefile
@@ -60,9 +60,11 @@ MY_DEPENDS := \
 luci-i18n-firewall-en \
 luci-i18n-firewall-fr \
 ca-bundle ca-certificates \
- luci-mod-admin-full luci-app-firewall luci-app-glorytun luci-app-shadowsocks-libev luci-app-unbound luci-theme-openmptcprouter luci-base luci-app-haproxy-tcp luci-app-omr-tracker luci-app-qos \
+ luci-mod-admin-full luci-app-firewall luci-app-glorytun luci-app-shadowsocks-libev luci-app-unbound luci-theme-openmptcprouter luci-base \
+ luci-app-nginx-ha luci-app-omr-tracker luci-app-qos \
 luci-app-vnstat omr-quota luci-app-omr-quota \
- speedtestc
+ speedtestc \
+ ip6tables-mod-nat
 
 define Package/$(PKG_NAME)
 SECTION:=OMR
diff --git a/openmptcprouter/files/etc/sysctl.d/ipv6default.conf b/openmptcprouter/files/etc/sysctl.d/ipv6default.conf
deleted file mode 100644
index bef10b7f6..000000000
--- a/openmptcprouter/files/etc/sysctl.d/ipv6default.conf
+++ /dev/null
@@ -1 +0,0 @@
-net.ipv6.conf.all.disable_ipv6=1
diff --git a/openmptcprouter/files/etc/uci-defaults/1930-omr-shadowsocks b/openmptcprouter/files/etc/uci-defaults/1930-omr-shadowsocks
index 2a27d7de8..535406130 100755
--- a/openmptcprouter/files/etc/uci-defaults/1930-omr-shadowsocks
+++ b/openmptcprouter/files/etc/uci-defaults/1930-omr-shadowsocks
@@ -6,7 +6,7 @@ if [ "$NBCPU" -gt 1 ]; then
 uci -q batch <<-EOF >/dev/null
 set shadowsocks-libev.hi$c=ss_redir
 set shadowsocks-libev.hi$c.server=sss0
- set shadowsocks-libev.hi$c.local_address=0.0.0.0
+ set shadowsocks-libev.hi$c.local_address="::"
 set shadowsocks-libev.hi$c.local_port=1100
 set shadowsocks-libev.hi$c.mode=tcp_and_udp
 set shadowsocks-libev.hi$c.timeout=60
diff --git a/shadowsocks-libev/Makefile b/shadowsocks-libev/Makefile
index 1ff787685..86f8c5c66 100644
--- a/shadowsocks-libev/Makefile
+++ b/shadowsocks-libev/Makefile
@@ -15,7 +15,7 @@ include $(TOPDIR)/rules.mk
 #
 PKG_NAME:=shadowsocks-libev
 PKG_VERSION:=3.1.2
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(PKG_VERSION)
@@ -88,6 +88,7 @@ endef
 define Package/shadowsocks-libev-ss-rules/install
 $(INSTALL_DIR) $(1)/usr/bin
 $(INSTALL_BIN) ./files/ss-rules $(1)/usr/bin
+ $(INSTALL_BIN) ./files/ss-rules6 $(1)/usr/bin
 $(INSTALL_DIR) $(1)/etc/uci-defaults
 $(INSTALL_DATA) ./files/firewall.ss-rules $(1)/etc
 $(INSTALL_BIN) ./files/ss-rules.defaults $(1)/etc/uci-defaults
diff --git a/shadowsocks-libev/files/shadowsocks-libev.config b/shadowsocks-libev/files/shadowsocks-libev.config
index e439c1f25..580df0c72 100644
--- a/shadowsocks-libev/files/shadowsocks-libev.config
+++ b/shadowsocks-libev/files/shadowsocks-libev.config
@@ -1,7 +1,7 @@
 config ss_redir hi
 option disabled 1
 option server 'sss0'
- option local_address '0.0.0.0'
+ option local_address '::'
 option local_port '1100'
 option mode 'tcp_and_udp'
 option timeout '60'
diff --git a/shadowsocks-libev/files/shadowsocks-libev.init b/shadowsocks-libev/files/shadowsocks-libev.init
index 7402cc49b..c781f2666 100644
--- a/shadowsocks-libev/files/shadowsocks-libev.init
+++ b/shadowsocks-libev/files/shadowsocks-libev.init
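Review bot: Changing `local_address` from `0.0.0.0` to `"::"` in the `uci batch` block makes IPv4 redirection depend on ss-redir binding dual-stack, which nothing in this commit verifies: the IPv4 ss-rules REDIRECT/TPROXY targets still point at port 1100, and if the listener ends up IPv6-only (some shadowsocks-libev listeners set IPV6_V6ONLY when an explicit bind host is given, and `net.ipv6.bindv6only` also plays in) redirected IPv4 traffic lands on a closed port. The `option local_address '::'` change in shadowsocks-libev.config makes the same assumption. Worth confirming on the target build that both the TCP and UDP listeners accept IPv4 connections on `::`, or keeping a per-family instance otherwise.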
@@ -178,9 +178,11 @@ ss_rules_cb() {
 ss_redir_servers="$ss_redir_servers $server"
 if [ "$mode" = tcp_only -o "$mode" = "tcp_and_udp" ]; then
 eval "ss_rules_redir_tcp_$cfg=$local_port"
+ eval "ss_rules6_redir_tcp_$cfg=$local_port"
 fi
 if [ "$mode" = udp_only -o "$mode" = "tcp_and_udp" ]; then
 eval "ss_rules_redir_udp_$cfg=$local_port"
+ eval "ss_rules6_redir_udp_$cfg=$local_port"
 fi
 fi
 }
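Review bot: The two added `eval` lines store the same `$local_port` under a second name (`ss_rules6_redir_tcp_$cfg` / `ss_rules6_redir_udp_$cfg`) that always equals the `ss_rules_redir_*` variable assigned on the line just above, so the v6 path carries duplicate state that can only drift. ss_rules6() could read the existing `ss_rules_redir_tcp_$redir_tcp` / `ss_rules_redir_udp_$redir_udp` variables and these two lines could go; if per-family ports are wanted later, that belongs in a config option rather than a copy. ss_rules_cb's body begins outside the hunk.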
@@ -203,11 +205,54 @@ ss_rules() {
 eval local_port_tcp="\$ss_rules_redir_tcp_$redir_tcp"
 eval local_port_udp="\$ss_rules_redir_udp_$redir_udp"
 [ -n "$local_port_tcp" -o -n "$local_port_udp" ] || return 1
- ss_redir_servers="$(echo "$ss_redir_servers" | tr ' ' '\n' | sort -u)"
+ ss_redir_servers4="$(echo "$ss_redir_servers" | awk -F. 'NF == 4' | tr ' ' '\n' | sort -u)"
+
 [ "$dst_forward_recentrst" = 0 ] || args="$args --dst-forward-recentrst"
 
 "$bin" \
- -s "$ss_redir_servers" \
+ -s "$ss_redir_servers4" \
+ -l "$local_port_tcp" \
+ -L "$local_port_udp" \
+ --src-default "$src_default" \
+ --dst-default "$dst_default" \
+ --local-default "$local_default" \
+ --dst-bypass-file "$dst_ips_bypass_file" \
+ --dst-forward-file "$dst_ips_forward_file" \
+ --dst-bypass "$dst_ips_bypass" \
+ --dst-forward "$dst_ips_forward" \
+ --src-bypass "$src_ips_bypass" \
+ --src-forward "$src_ips_forward" \
+ --src-checkdst "$src_ips_checkdst" \
+ --ifnames "$ifnames" \
+ --ipt-extra "$ipt_args" \
+ $args \
+ || "$bin" -f
+}
+
+ss_rules6() {
+ local cfg="ss_rules"
+ local bin="$ss_bindir/ss-rules6"
+ local cfgtype
+ local local_port_tcp local_port_udp
+ local args
+
+ [ -x "$bin" ] || return 1
+ config_get cfgtype "$cfg" TYPE
+ [ "$cfgtype" = ss_rules ] || return 1
+
+ eval "$(validate_ss_rules_section "$cfg" ss_validate_mklocal)"
+ validate_ss_rules_section "$cfg" || return 1
+ [ "$disabled" = 0 ] || return 1
+
+ eval local_port_tcp="\$ss_rules6_redir_tcp_$redir_tcp"
+ eval local_port_udp="\$ss_rules6_redir_udp_$redir_udp"
+ [ -n "$local_port_tcp" -o -n "$local_port_udp" ] || return 1
+ ss_redir_servers6="$(echo "$ss_redir_servers" | awk -F: 'NF>4' | tr ' ' '\n' | sort -u)"
+
+ [ "$dst_forward_recentrst" = 0 ] || args="$args --dst-forward-recentrst"
+
+ "$bin" \
+ -s "$ss_redir_servers6" \
 -l "$local_port_tcp" \
 -L "$local_port_udp" \
 --src-default "$src_default" \
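Review bot: Both server filters run `awk` before `tr ' ' '\n'`, so awk sees the whole space-separated server list as a single record: with two IPv4 servers `NF` is 7 rather than 4 and `ss_redir_servers4` comes back empty, while a mixed v4/v6 list passes the `NF>4` test as a whole and hands IPv4 addresses to ss-rules6, which puts them into an inet6 ipset. That bypass set is what stops traffic to the shadowsocks server itself from being redirected, so an empty list here produces a redirect loop rather than a visible error. Split first and classify per line, e.g. `ss_redir_servers4="$(echo "$ss_redir_servers" | tr ' ' '\n' | grep -v ':' | sort -u)"` and `ss_redir_servers6="$(echo "$ss_redir_servers" | tr ' ' '\n' | grep ':' | sort -u)"`; note that `NF>4` on `:` would also drop compressed forms such as `2001:db8::1`, and that a hostname in `option server` matches neither of the current filters and silently vanishes from both lists. The body of ss_rules6 continues past the end of the hunk.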
@@ -235,12 +280,14 @@ start_service() {
 config_foreach ss_xxx "$cfgtype" "$cfgtype"
 done
 ss_rules
+ ss_rules6
 }
 
 stop_service() {
 local bin="$ss_bindir/ss-rules"
- [ -x "$bin" ] && "$bin" -f
+ local bin6="$ss_bindir/ss-rules6"
+ [ -x "$bin6" ] && "$bin6" -f
 rm -rf "$ss_confdir"
 }
diff --git a/shadowsocks-libev/files/ss-rules6 b/shadowsocks-libev/files/ss-rules6
new file mode 100755
index 000000000..c6a7f61b2
--- /dev/null
+++ b/shadowsocks-libev/files/ss-rules6
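Review bot: stop_service no longer flushes the IPv4 rules: the `[ -x "$bin" ] && "$bin" -f` line is replaced by the ss-rules6 flush instead of being kept, so `$bin` is now assigned but unused and the iptables REDIRECT/TPROXY rules installed by ss_rules survive a service stop, steering LAN traffic to a port with no listener. Keep both flushes: `[ -x "$bin" ] && "$bin" -f` followed by `[ -x "$bin6" ] && "$bin6" -f`.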
@@ -0,0 +1,247 @@ +#!/bin/sh -e +# +# Copyright (C) 2017 Yousong Zhou +# +# The design idea was derived from ss-rules by Jian Chang +# +# This is free software, licensed under the GNU General Public License v3. +# See /LICENSE for more information. +# + +ss_rules6_usage() { + cat >&2 < Local port number of ss-redir with TCP mode + -L Local port number of ss-redir with UDP mode + -s List of ip addresses of remote shadowsocks server + --ifnames Only apply rules on packets from these ifnames + --src-bypass + --src-forward + --src-checkdst + --src-default + Packets will have their src ip checked in order against + bypass, forward, checkdst list and will bypass, forward + through, or continue to have their dst ip checked + respectively on the first match. Otherwise, --src-default + decide the default action + --dst-bypass + --dst-forward + --dst-bypass-file + --dst-forward-file + --dst-default + Same as with their --src-xx equivalent + --dst-forward-recentrst + Forward those packets whose destinations have recently + sent to us multiple tcp-rst packets + --local-default + Default action for local out TCP traffic + +The following ipsets will be created by ss-rules. 
They are also intended to be +populated by other programs like dnsmasq with ipset support + + ss_rules6_src_bypass + ss_rules6_src_forward + ss_rules6_src_checkdst + ss_rules6_dst_bypass + ss_rules6_dst_forward +EOF +} + +o_dst_bypass_=" +" +o_src_default=bypass +o_dst_default=bypass +o_local_default=bypass + +__errmsg() { + echo "ss-rules6: $*" >&2 +} + +ss_rules6_parse_args() { + while [ "$#" -gt 0 ]; do + case "$1" in + -h|--help) ss_rules6_usage; exit 0;; + -f|--flush) ss_rules6_flush; exit 0;; + -l) o_redir_tcp_port="$2"; shift 2;; + -L) o_redir_udp_port="$2"; shift 2;; + -s) o_remote_servers="$2"; shift 2;; + --ifnames) o_ifnames="$2"; shift 2;; + --ipt-extra) o_ipt_extra="$2"; shift 2;; + --src-default) o_src_default="$2"; shift 2;; + --dst-default) o_dst_default="$2"; shift 2;; + --local-default) o_local_default="$2"; shift 2;; + --src-bypass) o_src_bypass="$2"; shift 2;; + --src-forward) o_src_forward="$2"; shift 2;; + --src-checkdst) o_src_checkdst="$2"; shift 2;; + --dst-bypass) o_dst_bypass="$2"; shift 2;; + --dst-forward) o_dst_forward="$2"; shift 2;; + --dst-forward-recentrst) o_dst_forward_recentrst=1; shift 1;; + --dst-bypass-file) o_dst_bypass_file="$2"; shift 2;; + --dst-forward-file) o_dst_forward_file="$2"; shift 2;; + *) __errmsg "unknown option $1"; return 1;; + esac + done + + if [ -z "$o_redir_tcp_port" -a -z "$o_redir_udp_port" ]; then + __errmsg "Requires at least -l or -L option" + return 1 + fi + if [ -n "$o_dst_forward_recentrst" ] && ! 
ip6tables -m recent -h >/dev/null; then + __errmsg "Please install ip6tables-mod-conntrack-extra with opkg" + return 1 + fi + o_remote_servers="$(for s in $o_remote_servers; do resolveip -6 "$s"; done)" +} + +ss_rules6_flush() { + local setname + + ip6tables-save --counters | grep -v ss_rules6_ | ip6tables-restore --counters + while ip -f inet6 rule del fwmark 1 lookup 100 2>/dev/null; do true; done + ip -f inet6 route flush table 100 + for setname in $(ipset -n list | grep "ss_rules6_"); do + ipset destroy "$setname" 2>/dev/null || true + done +} + +ss_rules6_ipset_init() { + ipset --exist restore <<-EOF + create ss_rules6_src_bypass hash:net family inet6 hashsize 64 + create ss_rules6_src_forward hash:net family inet6 hashsize 64 + create ss_rules6_src_checkdst hash:net family inet6 hashsize 64 + create ss_rules6_dst_bypass hash:net family inet6 hashsize 64 + create ss_rules6_dst_bypass_ hash:net family inet6 hashsize 64 + create ss_rules6_dst_forward hash:net family inet6 hashsize 64 + create ss_rules6_dst_forward_recrst_ hash:ip family inet6 hashsize 64 timeout 3600 + $(ss_rules6_ipset_mkadd ss_rules6_dst_bypass_ "$o_dst_bypass_ $o_remote_servers") + $(ss_rules6_ipset_mkadd ss_rules6_src_bypass "$o_src_bypass") + $(ss_rules6_ipset_mkadd ss_rules6_src_forward "$o_src_forward") + $(ss_rules6_ipset_mkadd ss_rules6_src_checkdst "$o_src_checkdst") + $(ss_rules6_ipset_mkadd ss_rules6_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null)") + $(ss_rules6_ipset_mkadd ss_rules6_dst_forward "$o_dst_forward $(cat "$o_dst_forward_file" 2>/dev/null)") + EOF +} + +ss_rules6_ipset_mkadd() { + local setname="$1"; shift + local i + + for i in $*; do + echo "add $setname $i" + done +} + +ss_rules6_iptchains_init() { + ss_rules6_iptchains_init_tcp + ss_rules6_iptchains_init_udp +} + +ss_rules6_iptchains_init_tcp() { + local local_target + + [ -n "$o_redir_tcp_port" ] || return 0 + + ss_rules6_iptchains_init_ nat tcp + + case "$o_local_default" in + checkdst) 
local_target=ss_rules6_dst ;; + forward) local_target=ss_rules6_forward ;; + bypass|*) return 0;; + esac + + ip6tables-restore --noflush <<-EOF + *nat + :ss_rules6_local_out - + -I OUTPUT 1 -p tcp -j ss_rules6_local_out + -A ss_rules6_local_out -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN + -A ss_rules6_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default" + COMMIT + EOF + +} + +ss_rules6_iptchains_init_udp() { + [ -n "$o_redir_udp_port" ] || return 0 + ss_rules6_iptchains_init_ mangle udp +} + +ss_rules6_iptchains_init_() { + local table="$1" + local proto="$2" + local forward_rules + local src_default_target dst_default_target + local recentrst_mangle_rules recentrst_addset_rules + + case "$proto" in + tcp) + forward_rules="-A ss_rules6_forward -p tcp -j REDIRECT --to-ports $o_redir_tcp_port" + if [ -n "$o_dst_forward_recentrst" ]; then + recentrst_mangle_rules=" + *mangle + -I PREROUTING 1 -p tcp -m tcp --tcp-flags RST RST -m recent --name ss_rules6_recentrst --set --rsource + COMMIT + " + recentrst_addset_rules=" + -A ss_rules6_dst -m recent --name ss_rules6_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules6_dst_forward_recrst_ dst --exist + -A ss_rules6_dst -m set --match-set ss_rules6_dst_forward_recrst_ dst -j ss_rules6_forward + " + fi + ;; + udp) + ip -f inet6 rule add fwmark 1 lookup 100 + ip -f inet6 route add local default dev lo table 100 + forward_rules="-A ss_rules6_forward -p udp -j TPROXY --on-port "$o_redir_udp_port" --tproxy-mark 0x01/0x01" + ;; + esac + case "$o_src_default" in + forward) src_default_target=ss_rules6_forward ;; + checkdst) src_default_target=ss_rules6_dst ;; + bypass|*) src_default_target=RETURN ;; + esac + case "$o_dst_default" in + forward) dst_default_target=ss_rules6_forward ;; + bypass|*) dst_default_target=RETURN ;; + esac + sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | ip6tables-restore --noflush + *$table + :ss_rules6_pre_src - + 
:ss_rules6_src - + :ss_rules6_dst - + :ss_rules6_forward - + $(ss_rules6_iptchains_mkprerules "$proto") + -A ss_rules6_pre_src -p $proto $o_ipt_extra -j ss_rules6_src + -A ss_rules6_src -m set --match-set ss_rules6_src_bypass src -j RETURN + -A ss_rules6_src -m set --match-set ss_rules6_src_forward src -j ss_rules6_forward + -A ss_rules6_src -m set --match-set ss_rules6_src_checkdst src -j ss_rules6_dst + -A ss_rules6_src -j $src_default_target -m comment --comment "src_default: $o_src_default" + -A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN + -A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass dst -j RETURN + -A ss_rules6_dst -m set --match-set ss_rules6_dst_forward dst -j ss_rules6_forward + $recentrst_addset_rules + -A ss_rules6_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default" + $forward_rules + COMMIT + $recentrst_mangle_rules + EOF + +} + +ss_rules6_iptchains_mkprerules() { + local proto="$1" + + if [ -z "$o_ifnames" ]; then + echo "-I PREROUTING 1 -p $proto -j ss_rules6_pre_src" + else + echo $o_ifnames \ + | tr ' ' '\n' \ + | sed "s/.*/-I PREROUTING 1 -i \\0 -p $proto -j ss_rules6_pre_src/" + fi +} + +ss_rules6_parse_args "$@" +ss_rules6_flush +ss_rules6_ipset_init +ss_rules6_iptchains_init
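Review bot: `o_dst_bypass_` is left as an empty list, whereas the IPv4 ss-rules this script is derived from pre-populates its built-in bypass set with the reserved ranges; here loopback, unique-local, link-local and multicast destinations are only spared while `--dst-default` stays `bypass`, and with `--dst-default forward` they are REDIRECTed/TPROXYed to the remote server (link-local DNS resolvers, mDNS and DHCPv6 over UDP included). Set `o_dst_bypass_="::1/128 fc00::/7 fe80::/10 ff00::/8"` so that `ss_rules6_ipset_mkadd` adds them to `ss_rules6_dst_bypass_` next to the remote servers. Separately, the `-m recent` probe's error message asks the user to install `ip6tables-mod-conntrack-extra`; the xt_recent userspace extension is shared between iptables and ip6tables and ships in `iptables-mod-conntrack-extra`, so the package name should be checked against the feed before this message is shipped.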