Index | Thread | Search

From:
Kirill A. Korinsky <kirill@korins.ky>
Subject:
Re: nginx: imrpove compatibiliy with unwind
To:
Robert Nagy <robert@openbsd.org>, ports@openbsd.org
Date:
Sun, 23 Jun 2024 01:56:41 +0100

Download raw body.

Thread 
Greetings,

I just realized that I forgot to add maintainer.

So, I fix it.

BTW the patch were accepted to freenginy:
https://freenginx.org/hg/nginx/rev/ea0eef2dd12c

ports@

Here a trivial patch which improves compatibility with unwind.

I'm using the following unwind.config:

    preference { recursor oDoT-autoconf }

    forwarder { 172.31.2.1 }

    force accept bogus forwarder {
      some.internal.domain
    }

where 172.31.2.1 is Unifi GW and nginx is configured as:

    server {
        listen                              127.0.0.1:80;

        resolver                            127.0.0.1;

        set $nas_uri                        "http://nas.some.internal.domain";

        location / {
                proxy_pass                  $nas_uri;
        }
    }

it can't be used due errors in log:

    2024/06/15 11:53:55 [error] 30452#0: invalid UDP DNS response 49184 fl:81A0
    2024/06/15 11:54:00 [error] 30452#0: invalid UDP DNS response 30883 fl:81A0
    2024/06/15 11:54:00 [error] 30452#0: invalid UDP DNS response 49184 fl:81A0
    2024/06/15 11:54:05 [error] 30452#0: invalid UDP DNS response 30883 fl:81A0

because nginx rejects response with enabled AD bit.

So, here the diff to include a patch that allows it. This patch was sent to
both nginx and freenginx upstreams.

diff --git www/nginx/Makefile www/nginx/Makefile
index e0ed50751ed..2051bc152b3 100644
--- www/nginx/Makefile
+++ www/nginx/Makefile
@@ -21,7 +21,7 @@ COMMENT-securelink=	nginx HMAC secure link module
 VERSION=	1.26.1
 DISTNAME=	nginx-${VERSION}
 CATEGORIES=	www
-REVISION-main=	0
+REVISION-main=	1
 
 VERSION-njs=	0.8.2
 VERSION-rtmp=	1.2.1
diff --git www/nginx/patches/patch-src_core_ngx_resolver_c www/nginx/patches/patch-src_core_ngx_resolver_c
new file mode 100644
index 00000000000..b07cea4cc97
--- /dev/null
+++ www/nginx/patches/patch-src_core_ngx_resolver_c
@@ -0,0 +1,12 @@
+Index: src/core/ngx_resolver.c
+--- src/core/ngx_resolver.c.orig
++++ src/core/ngx_resolver.c
+@@ -1774,7 +1774,7 @@ ngx_resolver_process_response(ngx_resolver_t *r, u_cha
+                    (response->nar_hi << 8) + response->nar_lo);
+ 
+     /* response to a standard query */
+-    if ((flags & 0xf870) != 0x8000 || (trunc && tcp)) {
++    if ((flags & 0xf850) != 0x8000 || (trunc && tcp)) {
+         ngx_log_error(r->log_level, r->log, 0,
+                       "invalid %s DNS response %ui fl:%04Xi",
+                       tcp ? "TCP" : "UDP", ident, flags);


-- 
wbr, Kirill