So far, the Nix store directory was hardcoded and if someone uses a
different Nix store directory the patch won't work. Of course, this is
pretty uncommon, but by not only substituting the store directory but
also the length of it we also save a few calls to ngx_strlen(), which
should save us a few cycles.
Signed-off-by: aszlig <aszlig@nix.build>
The original patch introduced a new "real" variable which gets populated
(and allocated) via ngx_realpath(). It's properly freed in error
conditions but it won't be freed if ngx_http_set_etag returns
successfully.
Adding another ngx_free() just before returning fixes that memory leak.
I also fixed a small indentation issue along the way.
Signed-off-by: aszlig <aszlig@nix.build>
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or
prefork, code executing in less-privileged child processes or
threads (including scripts executed by an in-process scripting interpreter)
could execute arbitrary code with the privileges of the parent process (usually
root) by manipulating the scoreboard.
This adds the nginx module `ngx_http_proxy_connect_module` which allows
to tunnel HTTPS through an nginx proxy[1].
As this module contained patches for several nginx version, some minor
adjustments were needed:
* Allowed each entry in `nginxModules` to provide patches.
* Added an optional `supports` attribute to ensure that each module can
determine if it supports the currently built nginx version (e.g. stable
1.14 ATM or mainline 1.15 ATM).
[1] https://github.com/chobits/ngx_http_proxy_connect_module
Currently, it seems there is no easy way to override package to add
modules. For example, if we want to add the `ipscrub` module, we can
do:
pkgs.nginxStable.override {
modules = [ pkgs.nginxModules.ipscrub ];
};
But, then, we loose `rtmp`, `dav` and `moreheaders` which are defined
in `all-packages.nix`. With this modification, we can now do:
pkgs.nginxStable.override {
modules = pkg.nginxStable.passthru.modules ++ [ pkgs.nginxModules.ipscrub ];
};
The tests were enabled in #53488 and succeeded on Darwin; on Linux they
still failed because of empty hostname inside the sandbox (we have no
UTS-namespace hostname and I think no /etc/hosts). Nix on Darwin lacks
powerful enough sandboxing, so there were no problems on Darwin.
Patching the tests to fallback to "127.0.0.1" if hostname of the
localhost cannot be retrieved matches the behaviour of lighttpd itself
and allows the tests to pass.
Not sure if having no hostname in the test environment is a bit too
weird for the upstream to care.
