%global _hardened_build 1 %global nginx_user nginx # Disable strict symbol checks in the link editor. # See: https://src.fedoraproject.org/rpms/redhat-rpm-config/c/078af19 %undefine _strict_symbol_defs_build %bcond_with geoip # nginx gperftools support should be disabled for RHEL >= 8 # see: https://bugzilla.redhat.com/show_bug.cgi?id=1931402 %if 0%{?rhel} >= 8 %global with_gperftools 0 %else # gperftools exists only on selected arches # gperftools *detection* is failing on ppc64*, possibly only configure # bug, but disable anyway. %ifnarch s390 s390x ppc64 ppc64le %global with_gperftools 1 %endif %endif %global with_aio 1 %if 0%{?fedora} > 22 %global with_mailcap_mimetypes 1 %endif # kTLS requires OpenSSL 3.0 (default in F36+ and EL9+, available in EPEL8) %if 0%{?fedora} >= 36 || 0%{?rhel} >= 8 %global with_ktls 1 %endif # Build against OpenSSL 1.1 on EL7 %if 0%{?rhel} == 7 %global openssl_pkgversion 11 %endif # Build against OpenSSL 3 on EL8 %if 0%{?rhel} == 8 %global openssl_pkgversion 3 %endif # Cf. https://www.nginx.com/blog/creating-installable-packages-dynamic-modules/ %global nginx_abiversion %{version} %global nginx_moduledir %{_libdir}/nginx/modules %global nginx_moduleconfdir %{_datadir}/nginx/modules %global nginx_srcdir %{_usrsrc}/%{name}-%{version}-%{release} # Do not generate provides/requires from nginx sources %global __provides_exclude_from ^%{nginx_srcdir}/.*$ %global __requires_exclude_from ^%{nginx_srcdir}/.*$ Name: nginx Epoch: 1 Version: 1.24.0 Release: 1%{?dist} Summary: A high performance web server and reverse proxy server License: BSD-2-Clause URL: https://nginx.org Source0: https://nginx.org/download/nginx-%{version}.tar.gz Source1: https://nginx.org/download/nginx-%{version}.tar.gz.asc # Keys are found here: https://nginx.org/en/pgp_keys.html Source2: https://nginx.org/keys/maxim.key Source3: https://nginx.org/keys/mdounin.key Source4: https://nginx.org/keys/sb.key Source5: https://nginx.org/keys/thresh.key Source10: nginx.service Source11: nginx.logrotate Source12: nginx.conf Source13: nginx-upgrade Source14: nginx-upgrade.8 Source15: macros.nginxmods.in Source16: nginxmods.attr Source17: nginx-ssl-pass-dialog Source102: nginx-logo.png Source103: 404.html Source104: 50x.html Source200: README.dynamic Source210: UPGRADE-NOTES-1.6-to-1.10 # removes -Werror in upstream build scripts. -Werror conflicts with # -D_FORTIFY_SOURCE=2 causing warnings to turn into errors. Patch0: 0001-remove-Werror-in-upstream-build-scripts.patch # downstream patch - fix PIDFile race condition (rhbz#1869026) # rejected upstream: https://trac.nginx.org/nginx/ticket/1897 Patch1: 0002-fix-PIDFile-handling.patch # downstream patch - Add ssl-pass-phrase-dialog helper script for # encrypted private keys with pass phrase decryption Patch2: 0003-add-ssl-pass-phrase-dialog.patch # CVE-2023-44487 Patch3: 0004-HTTP2_per-iteration-stream-handling-limit.patch BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?with_gperftools} BuildRequires: gperftools-devel %endif BuildRequires: openssl%{?openssl_pkgversion}-devel BuildRequires: pcre2-devel BuildRequires: zlib-devel Requires: nginx-filesystem = %{epoch}:%{version}-%{release} %if 0%{?el7} # centos-logos el7 does not provide 'system-indexhtml' Requires: system-logos redhat-indexhtml # need to remove epel7 geoip sub-package, doesn't work anymore # https://bugzilla.redhat.com/show_bug.cgi?id=1576034 # https://bugzilla.redhat.com/show_bug.cgi?id=1664957 Obsoletes: nginx-mod-http-geoip <= 1:1.16 %else Requires: system-logos-httpd %endif Provides: webserver %if 0%{?fedora} || 0%{?rhel} >= 8 Recommends: logrotate %endif Requires: %{name}-core = %{epoch}:%{version}-%{release} BuildRequires: systemd Requires(post): systemd Requires(preun): systemd Requires(postun): systemd # For external nginx modules Provides: nginx(abi) = %{nginx_abiversion} %description Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. %package core Summary: nginx minimal core %if 0%{?with_mailcap_mimetypes} Requires: nginx-mimetypes %endif Requires: openssl%{?openssl_pkgversion}-libs Requires(pre): nginx-filesystem Conflicts: nginx < 1:1.20.2-4 %if %{with geoip} Conflicts: nginx-mod-http-geoip < %{epoch}:%{version}-%{release} %endif Conflicts: nginx-mod-http-image-filter < %{epoch}:%{version}-%{release} Conflicts: nginx-mod-http-perl < %{epoch}:%{version}-%{release} Conflicts: nginx-mod-http-xslt-filter < %{epoch}:%{version}-%{release} Conflicts: nginx-mod-mail < %{epoch}:%{version}-%{release} Conflicts: nginx-mod-stream < %{epoch}:%{version}-%{release} %description core nginx minimal core %package all-modules Summary: A meta package that installs all available Nginx modules BuildArch: noarch %if %{with geoip} Requires: nginx-mod-http-geoip = %{epoch}:%{version}-%{release} %endif Requires: nginx-mod-http-image-filter = %{epoch}:%{version}-%{release} Requires: nginx-mod-http-perl = %{epoch}:%{version}-%{release} Requires: nginx-mod-http-xslt-filter = %{epoch}:%{version}-%{release} Requires: nginx-mod-mail = %{epoch}:%{version}-%{release} Requires: nginx-mod-stream = %{epoch}:%{version}-%{release} %description all-modules Meta package that installs all available nginx modules. %package filesystem Summary: The basic directory layout for the Nginx server BuildArch: noarch Requires(pre): shadow-utils %description filesystem The nginx-filesystem package contains the basic directory layout for the Nginx server including the correct permissions for the directories. %if %{with geoip} %package mod-http-geoip Summary: Nginx HTTP geoip module BuildRequires: GeoIP-devel Requires: nginx(abi) = %{nginx_abiversion} Requires: GeoIP %description mod-http-geoip %{summary}. %endif %package mod-http-image-filter Summary: Nginx HTTP image filter module BuildRequires: gd-devel Requires: nginx(abi) = %{nginx_abiversion} Requires: gd %description mod-http-image-filter %{summary}. %package mod-http-perl Summary: Nginx HTTP perl module BuildRequires: perl-devel %if 0%{?fedora} >= 24 || 0%{?rhel} >= 7 BuildRequires: perl-generators %endif BuildRequires: perl(ExtUtils::Embed) Requires: nginx(abi) = %{nginx_abiversion} Requires: perl(constant) %description mod-http-perl %{summary}. %package mod-http-xslt-filter Summary: Nginx XSLT module BuildRequires: libxslt-devel Requires: nginx(abi) = %{nginx_abiversion} %description mod-http-xslt-filter %{summary}. %package mod-mail Summary: Nginx mail modules Requires: nginx(abi) = %{nginx_abiversion} %description mod-mail %{summary}. %package mod-stream Summary: Nginx stream modules Requires: nginx(abi) = %{nginx_abiversion} %description mod-stream %{summary}. %package mod-devel Summary: Nginx module development files Requires: nginx = %{epoch}:%{version}-%{release} Requires: make Requires: gcc Requires: gd-devel %if 0%{?with_gperftools} Requires: gperftools-devel %endif %if %{with geoip} Requires: GeoIP-devel %endif Requires: libxslt-devel Requires: openssl%{?openssl_pkgversion}-devel Requires: pcre2-devel Requires: perl-devel Requires: perl(ExtUtils::Embed) Requires: zlib-devel %description mod-devel %{summary}. %prep # Combine all keys from upstream into one file cat %{S:2} %{S:3} %{S:4} %{S:5} > %{_builddir}/%{name}.gpg %{gpgverify} --keyring='%{_builddir}/%{name}.gpg' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} . %if 0%{?rhel} > 0 && 0%{?rhel} < 8 sed -i -e 's#KillMode=.*#KillMode=process#g' nginx.service sed -i -e 's#PROFILE=SYSTEM#HIGH:!aNULL:!MD5#' nginx.conf %endif %if 0%{?openssl_pkgversion} sed \ -e 's|\(ngx_feature_path=\)$|\1%{_includedir}/openssl%{openssl_pkgversion}|' \ -e 's|\(ngx_feature_libs="\)|\1-L%{_libdir}/openssl%{openssl_pkgversion} |' \ -i auto/lib/openssl/conf %endif # Prepare sources for installation cp -a ../%{name}-%{version} ../%{name}-%{version}-%{release}-src mv ../%{name}-%{version}-%{release}-src . %build # nginx does not utilize a standard configure script. It has its own # and the standard configure options cause the nginx configure script # to error out. This is is also the reason for the DESTDIR environment # variable. export DESTDIR=%{buildroot} # So the perl module finds its symbols: nginx_ldopts="$RPM_LD_FLAGS -Wl,-E" if ! ./configure \ --prefix=%{_datadir}/nginx \ --sbin-path=%{_sbindir}/nginx \ --modules-path=%{nginx_moduledir} \ --conf-path=%{_sysconfdir}/nginx/nginx.conf \ --error-log-path=%{_localstatedir}/log/nginx/error.log \ --http-log-path=%{_localstatedir}/log/nginx/access.log \ --http-client-body-temp-path=%{_localstatedir}/lib/nginx/tmp/client_body \ --http-proxy-temp-path=%{_localstatedir}/lib/nginx/tmp/proxy \ --http-fastcgi-temp-path=%{_localstatedir}/lib/nginx/tmp/fastcgi \ --http-uwsgi-temp-path=%{_localstatedir}/lib/nginx/tmp/uwsgi \ --http-scgi-temp-path=%{_localstatedir}/lib/nginx/tmp/scgi \ --pid-path=/run/nginx.pid \ --lock-path=/run/lock/subsys/nginx \ --user=%{nginx_user} \ --group=%{nginx_user} \ --with-compat \ --with-debug \ %if 0%{?with_aio} --with-file-aio \ %endif %if 0%{?with_gperftools} --with-google_perftools_module \ %endif --with-http_addition_module \ --with-http_auth_request_module \ --with-http_dav_module \ --with-http_degradation_module \ --with-http_flv_module \ %if %{with geoip} --with-http_geoip_module=dynamic \ --with-stream_geoip_module=dynamic \ %endif --with-http_gunzip_module \ --with-http_gzip_static_module \ --with-http_image_filter_module=dynamic \ --with-http_mp4_module \ --with-http_perl_module=dynamic \ --with-http_random_index_module \ --with-http_realip_module \ --with-http_secure_link_module \ --with-http_slice_module \ --with-http_ssl_module \ --with-http_stub_status_module \ --with-http_sub_module \ --with-http_v2_module \ --with-http_xslt_module=dynamic \ --with-mail=dynamic \ --with-mail_ssl_module \ %if 0%{?with_ktls} --with-openssl-opt=enable-ktls \ %endif --with-pcre \ --with-pcre-jit \ --with-stream=dynamic \ --with-stream_realip_module \ --with-stream_ssl_module \ --with-stream_ssl_preread_module \ --with-threads \ --with-cc-opt="%{optflags} $(pcre2-config --cflags)" \ --with-ld-opt="$nginx_ldopts"; then : configure failed cat objs/autoconf.err exit 1 fi %make_build %install %make_install INSTALLDIRS=vendor find %{buildroot} -type f -name .packlist -exec rm -f '{}' \; find %{buildroot} -type f -name perllocal.pod -exec rm -f '{}' \; find %{buildroot} -type f -empty -exec rm -f '{}' \; find %{buildroot} -type f -iname '*.so' -exec chmod 0755 '{}' \; install -p -D -m 0644 ./nginx.service \ %{buildroot}%{_unitdir}/nginx.service install -p -D -m 0644 %{SOURCE11} \ %{buildroot}%{_sysconfdir}/logrotate.d/nginx install -p -d -m 0755 %{buildroot}%{_sysconfdir}/systemd/system/nginx.service.d install -p -d -m 0755 %{buildroot}%{_unitdir}/nginx.service.d install -p -d -m 0755 %{buildroot}%{_sysconfdir}/nginx/conf.d install -p -d -m 0755 %{buildroot}%{_sysconfdir}/nginx/default.d install -p -d -m 0700 %{buildroot}%{_localstatedir}/lib/nginx install -p -d -m 0700 %{buildroot}%{_localstatedir}/lib/nginx/tmp install -p -d -m 0700 %{buildroot}%{_localstatedir}/log/nginx install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/html install -p -d -m 0755 %{buildroot}%{nginx_moduleconfdir} install -p -d -m 0755 %{buildroot}%{nginx_moduledir} install -p -m 0644 ./nginx.conf \ %{buildroot}%{_sysconfdir}/nginx rm -f %{buildroot}%{_datadir}/nginx/html/index.html %if 0%{?el7} ln -s ../../doc/HTML/index.html \ %{buildroot}%{_datadir}/nginx/html/index.html ln -s ../../doc/HTML/img \ %{buildroot}%{_datadir}/nginx/html/img ln -s ../../doc/HTML/en-US \ %{buildroot}%{_datadir}/nginx/html/en-US %else ln -s ../../testpage/index.html \ %{buildroot}%{_datadir}/nginx/html/index.html %endif install -p -m 0644 %{SOURCE102} \ %{buildroot}%{_datadir}/nginx/html ln -s nginx-logo.png %{buildroot}%{_datadir}/nginx/html/poweredby.png mkdir -p %{buildroot}%{_datadir}/nginx/html/icons # Symlink for the powered-by-$DISTRO image: ln -s ../../../pixmaps/poweredby.png \ %{buildroot}%{_datadir}/nginx/html/icons/poweredby.png %if 0%{?rhel} >= 9 ln -s ../../pixmaps/system-noindex-logo.png \ %{buildroot}%{_datadir}/nginx/html/system_noindex_logo.png %endif install -p -m 0644 %{SOURCE103} %{SOURCE104} \ %{buildroot}%{_datadir}/nginx/html %if 0%{?with_mailcap_mimetypes} rm -f %{buildroot}%{_sysconfdir}/nginx/mime.types %endif install -p -D -m 0644 %{_builddir}/nginx-%{version}/objs/nginx.8 \ %{buildroot}%{_mandir}/man8/nginx.8 install -p -D -m 0755 %{SOURCE13} %{buildroot}%{_bindir}/nginx-upgrade install -p -D -m 0644 %{SOURCE14} %{buildroot}%{_mandir}/man8/nginx-upgrade.8 for i in ftdetect ftplugin indent syntax; do install -p -D -m644 contrib/vim/${i}/nginx.vim \ %{buildroot}%{_datadir}/vim/vimfiles/${i}/nginx.vim done %if %{with geoip} echo 'load_module "%{nginx_moduledir}/ngx_http_geoip_module.so";' \ > %{buildroot}%{nginx_moduleconfdir}/mod-http-geoip.conf %endif echo 'load_module "%{nginx_moduledir}/ngx_http_image_filter_module.so";' \ > %{buildroot}%{nginx_moduleconfdir}/mod-http-image-filter.conf echo 'load_module "%{nginx_moduledir}/ngx_http_perl_module.so";' \ > %{buildroot}%{nginx_moduleconfdir}/mod-http-perl.conf echo 'load_module "%{nginx_moduledir}/ngx_http_xslt_filter_module.so";' \ > %{buildroot}%{nginx_moduleconfdir}/mod-http-xslt-filter.conf echo 'load_module "%{nginx_moduledir}/ngx_mail_module.so";' \ > %{buildroot}%{nginx_moduleconfdir}/mod-mail.conf echo 'load_module "%{nginx_moduledir}/ngx_stream_module.so";' \ > %{buildroot}%{nginx_moduleconfdir}/mod-stream.conf # Install files for supporting nginx module builds ## Install source files mkdir -p %{buildroot}%{_usrsrc} mv %{name}-%{version}-%{release}-src %{buildroot}%{nginx_srcdir} ## Install rpm macros mkdir -p %{buildroot}%{_rpmmacrodir} sed -e "s|@@NGINX_ABIVERSION@@|%{nginx_abiversion}|g" \ -e "s|@@NGINX_MODDIR@@|%{nginx_moduledir}|g" \ -e "s|@@NGINX_MODCONFDIR@@|%{nginx_moduleconfdir}|g" \ -e "s|@@NGINX_SRCDIR@@|%{nginx_srcdir}|g" \ %{SOURCE15} > %{buildroot}%{_rpmmacrodir}/macros.nginxmods ## Install dependency generator install -Dpm0644 %{SOURCE16} %{buildroot}%{_fileattrsdir}/nginxmods.attr # install http-ssl-pass-dialog mkdir -p $RPM_BUILD_ROOT%{_libexecdir} install -m755 $RPM_SOURCE_DIR/nginx-ssl-pass-dialog \ $RPM_BUILD_ROOT%{_libexecdir}/nginx-ssl-pass-dialog %pre filesystem getent group %{nginx_user} > /dev/null || groupadd -r %{nginx_user} getent passwd %{nginx_user} > /dev/null || \ useradd -r -d %{_localstatedir}/lib/nginx -g %{nginx_user} \ -s /sbin/nologin -c "Nginx web server" %{nginx_user} exit 0 %post %systemd_post nginx.service %if %{with geoip} %post mod-http-geoip if [ $1 -eq 1 ]; then /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : fi %endif %post mod-http-image-filter if [ $1 -eq 1 ]; then /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : fi %post mod-http-perl if [ $1 -eq 1 ]; then /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : fi %post mod-http-xslt-filter if [ $1 -eq 1 ]; then /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : fi %post mod-mail if [ $1 -eq 1 ]; then /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : fi %post mod-stream if [ $1 -eq 1 ]; then /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : fi %preun %systemd_preun nginx.service %postun %systemd_postun nginx.service if [ $1 -ge 1 ]; then /usr/bin/nginx-upgrade >/dev/null 2>&1 || : fi %files %if 0%{?rhel} == 7 %doc UPGRADE-NOTES-1.6-to-1.10 %endif %{_datadir}/nginx/html/* %{_bindir}/nginx-upgrade %{_datadir}/vim/vimfiles/ftdetect/nginx.vim %{_datadir}/vim/vimfiles/ftplugin/nginx.vim %{_datadir}/vim/vimfiles/syntax/nginx.vim %{_datadir}/vim/vimfiles/indent/nginx.vim %{_mandir}/man3/nginx.3pm* %{_mandir}/man8/nginx.8* %{_mandir}/man8/nginx-upgrade.8* %{_unitdir}/nginx.service %{_libexecdir}/nginx-ssl-pass-dialog %files core %license LICENSE %doc CHANGES README README.dynamic %{_sbindir}/nginx %config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf %config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf.default %config(noreplace) %{_sysconfdir}/nginx/fastcgi_params %config(noreplace) %{_sysconfdir}/nginx/fastcgi_params.default %config(noreplace) %{_sysconfdir}/nginx/koi-utf %config(noreplace) %{_sysconfdir}/nginx/koi-win %if ! 0%{?with_mailcap_mimetypes} %config(noreplace) %{_sysconfdir}/nginx/mime.types %endif %config(noreplace) %{_sysconfdir}/nginx/mime.types.default %config(noreplace) %{_sysconfdir}/nginx/nginx.conf %config(noreplace) %{_sysconfdir}/nginx/nginx.conf.default %config(noreplace) %{_sysconfdir}/nginx/scgi_params %config(noreplace) %{_sysconfdir}/nginx/scgi_params.default %config(noreplace) %{_sysconfdir}/nginx/uwsgi_params %config(noreplace) %{_sysconfdir}/nginx/uwsgi_params.default %config(noreplace) %{_sysconfdir}/nginx/win-utf %config(noreplace) %{_sysconfdir}/logrotate.d/nginx %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx/tmp %attr(711,root,root) %dir %{_localstatedir}/log/nginx %ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/access.log %ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/error.log %dir %{nginx_moduledir} %dir %{nginx_moduleconfdir} %files all-modules %files filesystem %dir %{_datadir}/nginx %dir %{_datadir}/nginx/html %dir %{_sysconfdir}/nginx %dir %{_sysconfdir}/nginx/conf.d %dir %{_sysconfdir}/nginx/default.d %dir %{_sysconfdir}/systemd/system/nginx.service.d %dir %{_unitdir}/nginx.service.d %if %{with geoip} %files mod-http-geoip %{nginx_moduleconfdir}/mod-http-geoip.conf %{nginx_moduledir}/ngx_http_geoip_module.so %endif %files mod-http-image-filter %{nginx_moduleconfdir}/mod-http-image-filter.conf %{nginx_moduledir}/ngx_http_image_filter_module.so %files mod-http-perl %{nginx_moduleconfdir}/mod-http-perl.conf %{nginx_moduledir}/ngx_http_perl_module.so %dir %{perl_vendorarch}/auto/nginx %{perl_vendorarch}/nginx.pm %{perl_vendorarch}/auto/nginx/nginx.so %files mod-http-xslt-filter %{nginx_moduleconfdir}/mod-http-xslt-filter.conf %{nginx_moduledir}/ngx_http_xslt_filter_module.so %files mod-mail %{nginx_moduleconfdir}/mod-mail.conf %{nginx_moduledir}/ngx_mail_module.so %files mod-stream %{nginx_moduleconfdir}/mod-stream.conf %{nginx_moduledir}/ngx_stream_module.so %files mod-devel %{_rpmmacrodir}/macros.nginxmods %{_fileattrsdir}/nginxmods.attr %{nginx_srcdir}/