Merge pull request #27 from essentialkaos/develop

Version 1.11.5.2
essentialkaos · Nov 17, 2016 · 39aa1a3 · 39aa1a3
2 parents 1c2135d + f95d2db
commit 39aa1a3
Show file tree

Hide file tree

Showing 5 changed files with 122 additions and 26 deletions.
diff --git a/SOURCES/webkaos-debug.service b/SOURCES/webkaos-debug.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=webkaos (HTTP and reverse proxy server)
+Documentation=http://nginx.org/en/docs/
+After=network.target remote-fs.target nss-lookup.target
+
+[Service]
+Type=forking
+PIDFile=/var/run/webkaos.pid
+ExecStart=/etc/init.d/webkaos start debug
+ExecReload=/etc/init.d/webkaos reload
+ExecStop=/etc/init.d/webkaos stop
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/webkaos.init b/SOURCES/webkaos.init
@@ -59,7 +59,7 @@ kv.addCommand "reload"       "Reload and apply config"
 kv.addCommand "check"        "Validate config"                                    "check"
 kv.addCommand "config"       "Show full (merged) config"                          "showConfig"
 
-if [[ `grep 'ssl_dhparam' $conf_file` ]] ; then
+if [[ $(grep 'ssl_dhparam' $conf_file) ]] ; then
   if [[ ! -e $dh_param ]] ; then
     kv.addCommand "gendhp" "Generate Diffie-Hellman parameter for EDH ciphers" "gendhp"
     kv.addCommandVars "gendhp" "size"
@@ -316,7 +316,7 @@ upgradeService() {
 
   for i in $(seq 1 $delay_upgrade) ; do
     if [[ -f ${kv[pid_file]} && -f $old_pid_file ]] ; then
-      local old_pid=`cat $old_pid_file`
+      local old_pid=$(cat $old_pid_file)
       kv.sendSignal "${SIGNAL_QUIT}" "$old_pid"
       return $ACTION_OK
     fi
@@ -363,7 +363,7 @@ cleanPagespeedCache() {
 }
 
 updateOwner() {
-  local user=`getUserFromConfig`
+  local user=$(getUserFromConfig)
 
   [[ -z "$user" ]] && return
 
@@ -385,7 +385,7 @@ getUserFromConfig() {
 }
 
 isDHPGenRequired() {
-  if [[ `grep 'ssl_dhparam' $conf_file` ]] ; then
+  if [[ $(grep 'ssl_dhparam' $conf_file) ]] ; then
     [[ ! -e $dh_param ]] && return 0 || return 1
   fi
 

diff --git a/SOURCES/webkaos.service b/SOURCES/webkaos.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=webkaos (HTTP and reverse proxy server)
+Documentation=http://nginx.org/en/docs/
+After=network.target remote-fs.target nss-lookup.target
+
+[Service]
+Type=forking
+PIDFile=/var/run/webkaos.pid
+ExecStart=/etc/init.d/webkaos start
+ExecReload=/etc/init.d/webkaos reload
+ExecStop=/etc/init.d/webkaos stop
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/webkaos-centos6.spec b/webkaos-centos6.spec
@@ -59,7 +59,7 @@
 Summary:              Superb high performance web server
 Name:                 webkaos
 Version:              1.11.5
-Release:              1%{?dist}
+Release:              2%{?dist}
 License:              2-clause BSD-like license
 Group:                System Environment/Daemons
 Vendor:               Nginx / Google / CloudFlare / ESSENTIALKAOS
@@ -204,6 +204,8 @@ cp boringssl/build/crypto/libcrypto.a boringssl/build/ssl/libssl.a boringssl/.op
 ./configure \
         --prefix=%{_sysconfdir}/%{name} \
         --sbin-path=%{_sbindir}/%{name} \
+        --modules-path=%{_libdir}/%{name}/modules \
+        --modules-path=%{_libdir}/%{name}/modules \
         --conf-path=%{_sysconfdir}/%{name}/%{name}.conf \
         --error-log-path=%{_logdir}/%{name}/error.log \
         --http-log-path=%{_logdir}/%{name}/access.log \
@@ -311,17 +313,17 @@ touch boringssl/.openssl/include/openssl/ssl.h
 %{__make} %{?_smp_mflags}
 
 %install
-%{__rm} -rf %{buildroot}
+rm -rf %{buildroot}
 
 %{make_install}
 
 install -dm 755 %{buildroot}%{_datadir}/%{name}
 
-%{__rm} -f %{buildroot}%{_sysconfdir}/%{name}/nginx.conf
-%{__rm} -f %{buildroot}%{_sysconfdir}/%{name}/*.default
-%{__rm} -f %{buildroot}%{_sysconfdir}/%{name}/fastcgi.conf
+rm -f %{buildroot}%{_sysconfdir}/%{name}/nginx.conf
+rm -f %{buildroot}%{_sysconfdir}/%{name}/*.default
+rm -f %{buildroot}%{_sysconfdir}/%{name}/fastcgi.conf
 
-%{__rm} -rf %{buildroot}%{_sysconfdir}/%{name}/html
+rm -rf %{buildroot}%{_sysconfdir}/%{name}/html
 
 install -dm 755 %{buildroot}%{_sysconfdir}/%{name}/conf.d
 
@@ -331,6 +333,13 @@ install -dm 755 %{buildroot}%{_cachedir}/%{name}
 install -dm 755 %{buildroot}%{_datadir}/%{name}/html
 install -dm 755 %{buildroot}%{pagespeed_cache_path}
 
+# Install modules dirs
+install -dm 755 %{buildroot}%{_libdir}/%{name}/modules
+install -dm 755 %{buildroot}%{_datadir}/%{name}/modules
+
+ln -sf %{_datadir}/%{name}/modules \
+       %{buildroot}%{_sysconfdir}/%{name}/modules
+
 # Install html pages
 install -pm 644 %{SOURCE30} \
                 %{buildroot}%{_datadir}/%{name}/html/index.html
@@ -398,6 +407,9 @@ getent passwd %{service_user} >/dev/null || useradd -r -g %{service_group} -s /s
 exit 0
 
 %post
+# Ensure secure permissions (CVE-2016-1247)
+%{__chown} root:root %{_logdir}/%{name}
+
 if [[ $1 -eq 1 ]] ; then
   %{__chkconfig} --add %{name}
 
@@ -443,7 +455,7 @@ if [[ $1 -ge 1 ]] ; then
 fi
 
 %clean
-%{__rm} -rf %{buildroot}
+rm -rf %{buildroot}
 
 ###############################################################################
 
@@ -487,9 +499,14 @@ fi
 %dir %{_datadir}/%{name}/html
 %{_datadir}/%{name}/html/*
 
+%dir %{_datadir}/%{name}/modules
+%dir %{_sysconfdir}/%{name}/modules
+
+%dir %{_logdir}/%{name}
+
 %attr(0755,%{service_user},%{service_group}) %dir %{_cachedir}/%{name}
-%attr(0755,%{service_user},%{service_group}) %dir %{_logdir}/%{name}
 %attr(0755,%{service_user},%{service_group}) %dir %{pagespeed_cache_path}
+%attr(0755,%{service_user},%{service_group}) %dir %{_libdir}/%{name}/modules
 
 %files debug
 %defattr(-,root,root)
@@ -506,6 +523,10 @@ fi
 ###############################################################################
 
 %changelog
+* Sun Nov 13 2016 Anton Novojilov <andy@essentialkaos.com> - 1.11.5-2
+- Added dynamic modules support
+- Added fix for CVE-2016-1247
+
 * Wed Nov 09 2016 Anton Novojilov <andy@essentialkaos.com> - 1.11.5-1
 - BoringSSL updated to latest version
 - Lua module updated to 0.10.7

diff --git a/webkaos-centos7.spec b/webkaos-centos7.spec
@@ -35,6 +35,7 @@
 %define __useradd         %{_sbindir}/useradd
 %define __groupadd        %{_sbindir}/groupadd
 %define __getent          %{_bindir}/getent
+%define __sysctl          %{_bindir}/systemctl
 
 ###############################################################################
 
@@ -59,7 +60,7 @@
 Summary:              Superb high performance web server
 Name:                 webkaos
 Version:              1.11.5
-Release:              1%{?dist}
+Release:              2%{?dist}
 License:              2-clause BSD-like license
 Group:                System Environment/Daemons
 Vendor:               Nginx / Google / CloudFlare / ESSENTIALKAOS
@@ -70,6 +71,8 @@ Source1:              %{name}.logrotate
 Source2:              %{name}.init
 Source3:              %{name}.sysconfig
 Source4:              %{name}.conf
+Source5:              %{name}.service
+Source6:              %{name}-debug.service
 
 Source20:             pagespeed.conf
 Source21:             pagespeed-enabled.conf
@@ -98,7 +101,7 @@ Patch3:               boring.patch
 
 BuildRoot:            %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
-Requires:             initscripts >= 8.36 kaosv >= 2.8
+Requires:             initscripts >= 8.36 systemd kaosv >= 2.10
 Requires:             gd libXpm libxslt libluajit
 
 BuildRequires:        make gcc-c++ perl libluajit-devel cmake golang
@@ -158,6 +161,7 @@ mkdir boringssl
 %patch2 -p1
 %patch3 -p1
 
+
 %build
 
 # Fixed bug with ngx_pagespeed comilation on i386
@@ -200,6 +204,7 @@ cp boringssl/build/crypto/libcrypto.a boringssl/build/ssl/libssl.a boringssl/.op
 ./configure \
         --prefix=%{_sysconfdir}/%{name} \
         --sbin-path=%{_sbindir}/%{name} \
+        --modules-path=%{_libdir}/%{name}/modules \
         --conf-path=%{_sysconfdir}/%{name}/%{name}.conf \
         --error-log-path=%{_logdir}/%{name}/error.log \
         --http-log-path=%{_logdir}/%{name}/access.log \
@@ -257,6 +262,7 @@ touch boringssl/.openssl/include/openssl/ssl.h
 ./configure \
         --prefix=%{_sysconfdir}/%{name} \
         --sbin-path=%{_sbindir}/%{name} \
+        --modules-path=%{_libdir}/%{name}/modules \
         --conf-path=%{_sysconfdir}/%{name}/%{name}.conf \
         --error-log-path=%{_logdir}/%{name}/error.log \
         --http-log-path=%{_logdir}/%{name}/access.log \
@@ -306,18 +312,19 @@ touch boringssl/.openssl/include/openssl/ssl.h
 
 %{__make} %{?_smp_mflags}
 
+
 %install
-%{__rm} -rf %{buildroot}
+rm -rf %{buildroot}
 
 %{make_install}
 
 install -dm 755 %{buildroot}%{_datadir}/%{name}
 
-%{__rm} -f %{buildroot}%{_sysconfdir}/%{name}/nginx.conf
-%{__rm} -f %{buildroot}%{_sysconfdir}/%{name}/*.default
-%{__rm} -f %{buildroot}%{_sysconfdir}/%{name}/fastcgi.conf
+rm -f %{buildroot}%{_sysconfdir}/%{name}/nginx.conf
+rm -f %{buildroot}%{_sysconfdir}/%{name}/*.default
+rm -f %{buildroot}%{_sysconfdir}/%{name}/fastcgi.conf
 
-%{__rm} -rf %{buildroot}%{_sysconfdir}/%{name}/html
+rm -rf %{buildroot}%{_sysconfdir}/%{name}/html
 
 install -dm 755 %{buildroot}%{_sysconfdir}/%{name}/conf.d
 
@@ -327,6 +334,13 @@ install -dm 755 %{buildroot}%{_cachedir}/%{name}
 install -dm 755 %{buildroot}%{_datadir}/%{name}/html
 install -dm 755 %{buildroot}%{pagespeed_cache_path}
 
+# Install modules dirs
+install -dm 755 %{buildroot}%{_libdir}/%{name}/modules
+install -dm 755 %{buildroot}%{_datadir}/%{name}/modules
+
+ln -sf %{_datadir}/%{name}/modules \
+       %{buildroot}%{_sysconfdir}/%{name}/modules
+
 # Install html pages
 install -pm 644 %{SOURCE30} \
                 %{buildroot}%{_datadir}/%{name}/html/index.html
@@ -340,6 +354,14 @@ install -dm 755 %{buildroot}%{_initrddir}
 install -pm 755 %{SOURCE2} \
                 %{buildroot}%{_initrddir}/%{service_name}
 
+# Install systemd stuff
+install -dm 755 %{buildroot}%{_unitdir}
+
+install -pm 644 %{SOURCE5} \
+                %{buildroot}%{_unitdir}/
+install -pm 644 %{SOURCE6} \
+                %{buildroot}%{_unitdir}/
+
 # Install log rotation stuff
 install -dm 755 %{buildroot}%{_sysconfdir}/logrotate.d
 
@@ -383,8 +405,10 @@ install -dm 755 %{buildroot}%{_sysconfdir}/%{name}/ssl
 ln -sf %{_sysconfdir}/%{name}/ %{buildroot}%{_sysconfdir}/nginx
 ln -sf %{_sysconfdir}/%{name}/%{name}.conf %{buildroot}%{_sysconfdir}/%{name}/nginx.conf
 ln -sf %{_logdir}/%{name}/ %{buildroot}%{_logdir}/nginx
-ln -sf %{_initrddir}/%{service_name} %{buildroot}%{_initrddir}/nginx
 ln -sf %{_sbindir}/%{name} %{buildroot}%{_sbindir}/nginx
+ln -sf %{_initrddir}/%{service_name} %{buildroot}%{_initrddir}/nginx
+ln -sf %{_unitdir}/%{name}.service %{buildroot}%{_unitdir}/nginx.service
+ln -sf %{_unitdir}/%{name}-debug.service %{buildroot}%{_unitdir}/nginx-debug.service
 
 ###############################################################################
 
@@ -393,9 +417,13 @@ getent group %{service_group} >/dev/null || groupadd -r %{service_group}
 getent passwd %{service_user} >/dev/null || useradd -r -g %{service_group} -s /sbin/nologin -d %{service_home} %{service_user}
 exit 0
 
+
 %post
+# Ensure secure permissions (CVE-2013-0337)
+%{__chown} root:root %{_logdir}/%{name}
+
 if [[ $1 -eq 1 ]] ; then
-  %{__chkconfig} --add %{name}
+  %{__sysctl} enable %{name}.service &>/dev/null || :
 
   if [[ -d %{_logdir}/%{name} ]] ; then
     if [[ ! -e %{_logdir}/%{name}/access.log ]]; then
@@ -429,17 +457,20 @@ fi
 
 %preun
 if [[ $1 -eq 0 ]] ; then
-  %{__service} %{service_name} stop > /dev/null 2>&1
-  %{__chkconfig} --del %{service_name}
+  %{__sysctl} --no-reload disable %{name}.service &>/dev/null || :
+  %{__sysctl} stop %{name}.service &>/dev/null || :
 fi
 
+
 %postun
 if [[ $1 -ge 1 ]] ; then
+  %{__sysctl} daemon-reload &>/dev/null || :
   %{__service} %{service_name} upgrade &>/dev/null || :
 fi
 
+
 %clean
-%{__rm} -rf %{buildroot}
+rm -rf %{buildroot}
 
 ###############################################################################
 
@@ -477,31 +508,45 @@ fi
 
 %config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
 %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
+
 %{_initrddir}/%{service_name}
+%{_unitdir}/%{name}.service
 
 %dir %{_datadir}/%{name}
 %dir %{_datadir}/%{name}/html
 %{_datadir}/%{name}/html/*
 
+%dir %{_datadir}/%{name}/modules
+%{_sysconfdir}/%{name}/modules
+
+%{_logdir}/%{name}
+
 %attr(0755,%{service_user},%{service_group}) %dir %{_cachedir}/%{name}
-%attr(0755,%{service_user},%{service_group}) %dir %{_logdir}/%{name}
 %attr(0755,%{service_user},%{service_group}) %dir %{pagespeed_cache_path}
+%attr(0755,%{service_user},%{service_group}) %dir %{_libdir}/%{name}/modules
 
 %files debug
 %defattr(-,root,root)
 %attr(0755,root,root) %{_sbindir}/%{name}.debug
+%{_unitdir}/%{name}-debug.service
 
 %files nginx
 %defattr(-,root,root)
 %{_sysconfdir}/%{name}/nginx.conf
 %{_sysconfdir}/nginx
 %{_logdir}/nginx
-%{_initrddir}/nginx
 %{_sbindir}/nginx
+%{_initrddir}/nginx
+%{_unitdir}/nginx.service
+%{_unitdir}/nginx-debug.service
 
 ###############################################################################
 
 %changelog
+* Sun Nov 13 2016 Anton Novojilov <andy@essentialkaos.com> - 1.11.5-2
+- Added dynamic modules support
+- Added systemd support
+
 * Wed Nov 09 2016 Anton Novojilov <andy@essentialkaos.com> - 1.11.5-1
 - BoringSSL updated to latest version
 - Lua module updated to 0.10.7