Commit graph

925 commits

Author SHA1 Message Date
aszlig
e1d63ada02
nginx: Fix ETag patch to ignore realpath(3) error
While our ETag patch works pretty fine if it comes to serving data off
store paths, it unfortunately broke something that might be a bit more
common, namely when using regexes to extract path components of
location directives for example.

Recently, @devhell has reported a bug with a nginx location directive
like this:

  location ~^/\~([a-z0-9_]+)(/.*)?$" {
    alias /home/$1/public_html$2;
  }

While this might look harmless at first glance, it does however cause
issues with our ETag patch. The alias directive gets broken up by nginx
like this:

  *2 http script copy: "/home/"
  *2 http script capture: "foo"
  *2 http script copy: "/public_html/"
  *2 http script capture: "bar.txt"

In our patch however, we use realpath(3) to get the canonicalised path
from ngx_http_core_loc_conf_s.root, which returns the *configured* value
from the root or alias directive. So in the example above, realpath(3)
boils down to the following syscalls:

  lstat("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
  lstat("/home/$1", 0x7ffd08da6f60) = -1 ENOENT (No such file or directory)

During my review[1] of the initial patch, I didn't actually notice that
what we're doing here is returning NGX_ERROR if the realpath(3) call
fails, which in turn causes an HTTP 500 error.

Since our patch actually made the canonicalisation (and thus additional
syscalls) necessary, we really shouldn't introduce an additional error
so let's - at least for now - silently skip return value if realpath(3)
has failed.

However since we're using the unaltered root from the config we have
another issue, consider this root:

  /nix/store/...-abcde/$1

Calling realpath(3) on this path will fail (except if there's a file
called "$1" of course), so even this fix is not enough because it
results in the ETag not being set to the store path hash.

While this is very ugly and we should fix this very soon, it's not as
serious as getting HTTP 500 errors for serving static files.

I added a small NixOS VM test, which uses the example above as a
regression test.

It seems that my memory is failing these days, since apparently I *knew*
about this issue since digging for existing issues in nixpkgs, I found
this similar pull request which I even reviewed:

https://github.com/NixOS/nixpkgs/pull/66532

However, since the comments weren't addressed and the author hasn't
responded to the pull request, I decided to keep this very commit and do
a follow-up pull request.

[1]: https://github.com/NixOS/nixpkgs/pull/48337

Signed-off-by: aszlig <aszlig@nix.build>
Reported-by: @devhell
Acked-by: @7c6f434c
Acked-by: @yorickvP
Merges: https://github.com/NixOS/nixpkgs/pull/80671
Fixes: https://github.com/NixOS/nixpkgs/pull/66532
2020-03-28 02:57:21 +01:00
Emily
7be86f3b3c openresty: 1.15.8.2 -> 1.15.8.3 2020-03-24 11:37:44 -05:00
Aaron Andersen
6283b00f4f
Merge pull request #82319 from aanderse/tomcat-update
tomcat: 7.0.92 -> 7.0.100, 8.5.42 -> 8.5.51, 9.0.21 -> 9.0.31
2020-03-16 15:46:48 -04:00
R. RyanTM
79586e1b74 tomcat_connectors: 1.2.46 -> 1.2.48 2020-03-14 14:30:51 +01:00
Mario Rodas
34914fce19
Merge pull request #82290 from helsinki-systems/upd/ngx_fastcgi_cache_purge
nginxModules.fastcgi-cache-purge: 2.3 -> 2.5
2020-03-13 08:44:44 -05:00
Izorkin
5dbe01af5b unit: 1.15.0 -> 1.16.0 2020-03-12 19:53:13 +00:00
Aaron Andersen
46e7580f24 tomcat9: 9.0.21 -> 9.0.31 2020-03-11 07:51:04 -04:00
Aaron Andersen
22f24f7859 tomcat8: 8.5.42 -> 8.5.51 2020-03-11 07:51:04 -04:00
Aaron Andersen
78b0222cb2 tomcat7: 7.0.92 -> 7.0.100 2020-03-11 07:51:04 -04:00
ajs124
0aec2cdd08 nginxModules.fastcgi-cache-purge: 2.3 -> 2.5
switch to a fork that seems sort of alive
2020-03-10 23:35:15 +01:00
Aaron Andersen
fc7efd51d6
Merge pull request #80182 from dirkx/Redwax-0.22-update
redwax-modules: 0.2.1 -> 0.2.2/0.2.3
2020-02-22 19:03:21 -05:00
Dirk-Willem van Gulik
928c365a1b redwax-modules: 0.2.1 -> 0.2.2/0.2.3 2020-02-21 12:00:00 +01:00
R. RyanTM
56debabe34 mod_wsgi: 4.7.0 -> 4.7.1 2020-02-19 08:54:38 +00:00
Frederik Rietdijk
1a6c3cb06b Merge staging into staging-next 2020-02-11 07:59:53 +01:00
zimbatm
bcdc90a3a7 ruby_2_4: remove
According to https://endoflife.software/programming-languages/server-side-scripting/ruby
ruby 2.4 will go end-of-life in march, where the new release of nixpkgs
will be cut. We won't be able to support it for security updates.

Remove all references to ruby_2_4 and add ruby_2_7 instead where
missing.

Mark packages that depend on ruby 2.4 as broken:
* chefdk
* sonic-pi
2020-02-10 13:23:35 -05:00
R. RyanTM
3815de80c0 unit: 1.14.0 -> 1.15.0 2020-02-10 14:47:35 +00:00
Frederik Rietdijk
03755ed59a Merge master into staging-next 2020-02-09 09:17:51 +01:00
R. RyanTM
fa84aa8adb lighttpd: 1.4.54 -> 1.4.55 2020-02-08 18:13:10 +01:00
Vladimír Čunát
48a997cd76
Merge #66528: glibc: 2.27 -> 2.30 (into staging)
Includes update of stdenv bootstap tools (for three main platforms)
and many package fixes with new glibc.
2020-02-05 13:41:09 +01:00
Emily
6d046e1079 openresty: rebase on top of nginx package
The primary motivation of this change was to allow third-party modules
to be used with OpenResty, but it also results in a significant
reduction of code duplication.
2020-02-04 19:30:40 -06:00
Emily
db3182a65d nginxModules.brotli: v0.1.2 -> unstable
The fork was merged back upstream but has yet to see a formal release.
2020-02-04 19:30:40 -06:00
Will Dietz
500f032729
Merge pull request #78185 from dtzWill/update/nginx-1.17.8
nginxMainline: 1.17.3 -> 1.17.8
2020-02-03 17:35:42 -06:00
Maximilian Bosch
1bb18d9e8d
lwan: 0.2 -> 0.3, fix build w/glibc-2.30 2020-02-01 17:30:18 +01:00
Silvan Mosberger
80a2740991
Merge pull request #78265 from Synthetica9/https-homepages
treewide: fix redirected urls
2020-01-27 15:00:53 +01:00
Patrick Hilhorst
593e11fd94
treewide: fix redirected urls
According to https://repology.org/repository/nix_unstable/problems, we have a
lot of packages that have http links that redirect to https as their homepage.
This commit updates all these packages to use the https links as their
homepage.

The following script was used to make these updates:

```

curl https://repology.org/api/v1/repository/nix_unstable/problems \
    | jq '.[] | .problem' -r \
    | rg 'Homepage link "(.+)" is a permanent redirect to "(.+)" and should be updated' --replace 's@$1@$2@' \
    | sort | uniq > script.sed

find -name '*.nix' | xargs -P4 -- sed -f script.sed -i
```
2020-01-22 11:26:22 +01:00
R. RyanTM
359f235769 jetty: 9.4.24.v20191120 -> 9.4.25.v20191220 2020-01-21 16:06:08 -08:00
Will Dietz
92d29418b3
nginxMainline: 1.17.3 -> 1.17.8
http://nginx.org/en/CHANGES
2020-01-21 11:02:11 -06:00
Jörg Thalheim
71c19d3efa
Merge pull request #76537 from Izorkin/unit
unit: 1.13.0 -> 1.14.0
2020-01-21 11:39:41 +00:00
Leonhard Markert
8008905e5a lwan: 0.1 -> 0.2 2020-01-16 16:55:07 +00:00
Aaron Andersen
7260d2eb13
Merge pull request #77326 from aanderse/apacheHttpd
nixos/httpd: symlink apache configuration to /etc/httpd/httpd.conf for use in the apachectl command
2020-01-15 21:02:05 -05:00
Mario Rodas
c7e16e71d0
Merge pull request #77011 from r-ryantm/auto-update/mod_wsgi
mod_wsgi: 4.6.8 -> 4.7.0
2020-01-09 05:34:03 -05:00
Aaron Andersen
336a6f471f nixos/httpd: symlink apache configuration to /etc/httpd/httpd.conf for use in the apachectl command 2020-01-08 10:37:46 -05:00
Aaron Andersen
e9d3a3c7d8
Merge pull request #76417 from dirkx/redwax-modules
mod_ca, mod_crl, mod_csr, mod_ocsp, mod_scep, mod_pkcs12, mod_spkac, mod_timestamp: init at 0.2.1
2020-01-07 20:49:24 -05:00
R. RyanTM
aa4fe9c768 mod_wsgi: 4.6.8 -> 4.7.0 2020-01-05 22:08:04 -08:00
Ryan Mulligan
6de8b8f144
Merge pull request #61722 from Izorkin/pinba-nginx
nginxModules.pinba: init at 13.05.2019
2020-01-04 07:58:18 -08:00
Frederik Rietdijk
7aa2b0215b Merge master into staging-next 2020-01-03 10:25:14 +01:00
aszlig
845e92835d
Merge Last-Modified fix for nginx (#76697)
This fixes the patch for nginx to clear the Last-Modified header if a
static file is served from the Nix store.

So far we only used the ETag from the store path, but if the
Last-Modified header is always set to "Thu, 01 Jan 1970 00:00:01 GMT",
Firefox and Chrome/Chromium seem to ignore the ETag and simply use the
cached content instead of revalidating.

Alongside the fix, this also adds a dedicated NixOS VM test, which uses
WebDriver and Firefox to check whether the content is actually served
from the browser's cache and to have a more real-world test case.
2020-01-02 21:41:59 +01:00
Frederik Rietdijk
f08e3e38d4 Merge master into staging-next 2020-01-02 21:41:13 +01:00
zimbatm
c187844214
unit: add withRuby_2_7 option 2020-01-01 00:25:03 +00:00
Robin Gloster
6ca6ac796b
treewide: configureFlags is a flat list 2019-12-31 01:37:49 +01:00
Robin Gloster
760e23136a
treewide: *inputs are lists 2019-12-31 01:09:25 +01:00
Robin Gloster
313da176d3
treewide: NIX_*_FLAGS -> string 2019-12-31 00:16:46 +01:00
Robin Gloster
5f2b92e3ec
treewide: NIX_*_COMPILE -> string 2019-12-31 00:13:29 +01:00
aszlig
ccf55bead1
nginx: Clear Last-Modified if ETag is from store
This is what I've suspected a while ago[1]:

> Heads-up everyone: After testing this in a few production instances,
> it seems that some browsers still get cache hits for new store paths
> (and changed contents) for some reason. I highly suspect that it might
> be due to the last-modified header (as mentioned in [2]).
>
> Going to test this with last-modified disabled for a little while and
> if this is the case I think we should improve that patch by disabling
> last-modified if serving from a store path.

Much earlier[2] when I reviewed the patch, I wrote this:

> Other than that, it looks good to me.
>
> However, I'm not sure what we should do with Last-Modified header.
> From RFC 2616, section 13.3.4:
>
> - If both an entity tag and a Last-Modified value have been
>   provided by the origin server, SHOULD use both validators in
>   cache-conditional requests. This allows both HTTP/1.0 and
>   HTTP/1.1 caches to respond appropriately.
>
> I'm a bit nervous about the SHOULD here, as user agents in the wild
> could possibly just use Last-Modified and use the cached content
> instead.

Unfortunately, I didn't pursue this any further back then because
@pbogdan noted[3] the following:

> Hmm, could they (assuming they are conforming):
>
>  * If an entity tag has been provided by the origin server, MUST
>    use that entity tag in any cache-conditional request (using If-
>    Match or If-None-Match).

Since running with this patch in some deployments, I found that both
Firefox and Chrome/Chromium do NOT re-validate against the ETag if the
Last-Modified header is still the same.

So I wrote a small NixOS VM test with Geckodriver to have a test case
which is closer to the real world and I indeed was able to reproduce
this.

Whether this is actually a bug in Chrome or Firefox is an entirely
different issue and even IF it is the fault of the browsers and it is
fixed at some point, we'd still need to handle this for older browser
versions.

Apart from clearing the header, I also recreated the patch by using a
plain "git diff" with a small description on top. This should make it
easier for future authors to work on that patch.

[1]: https://github.com/NixOS/nixpkgs/pull/48337#issuecomment-495072764
[2]: https://github.com/NixOS/nixpkgs/pull/48337#issuecomment-451644084
[3]: https://github.com/NixOS/nixpkgs/pull/48337#issuecomment-451646135

Signed-off-by: aszlig <aszlig@nix.build>
2019-12-30 14:30:36 +01:00
Robin Gloster
2157dcd141
treewide: installFlags is a list 2019-12-30 13:22:43 +01:00
Nathan
b0caf68bff
maintainer-list.nix: remove ndowens 2019-12-26 16:47:41 -05:00
Izorkin
b5bd159690 unit: add drop capabilites patch 2019-12-26 17:51:53 +03:00
Izorkin
681dca1b67 unit: 1.13.0 -> 1.14.0 2019-12-26 17:39:14 +03:00
Dirk-Willem van Gulik
f85ec2d896 Additional redwax modules - including comments from review on #75620. 2019-12-24 17:01:04 +01:00
Jörg Thalheim
b9bc38934b
h2o: build with openssl
otherwise we get symbol conflicts, once we link it against applications using
openssl
2019-12-21 22:55:58 +00:00