From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: nginx: imrpove compatibiliy with unwind and
To: Robert Nagy <robert@openbsd.org>
Cc: OpenBSD ports <ports@openbsd.org>
Date: Thu, 4 Jul 2024 12:41:17 +0100

On 2024/07/04 13:32, Robert Nagy wrote:
> go ahead

can I do my version of the 'update modules' diff first please,
it will be a pain to merge if this one goes in first.

> On 04/07/24 12:27 GMT, Kirill A. Korinsky wrote:
> > ports@, Robert,
> > 
> > I'd like to ping about this trivial patch that allows me to use nginx with
> > unwind for last weeks.
> > 
> > Additionally, I had added ngx_cache_purge as new subpackage which brings
> > qutie stable module https://github.com/FRiCKLE/ngx_cache_purge which allows
> > to purge some elements of cache via HTTP request. I don't include it into
> > default build, and build it as dynamic module.
> > 
> > The original point about unwind patch:
> > 
> > On Sat, 15 Jun 2024 12:09:21 +0100,
> > Kirill A. Korinsky <kirill@korins.ky> wrote:
> > >
> > > ports@
> > >
> > > Here a trivial patch which improves compatibility with unwind.
> > >
> > > I'm using the following unwind.config:
> > >
> > >     preference { recursor oDoT-autoconf }
> > >
> > >     forwarder { 172.31.2.1 }
> > >
> > >     force accept bogus forwarder {
> > >       some.internal.domain
> > >     }
> > >
> > > where 172.31.2.1 is Unifi GW and nginx is configured as:
> > >
> > >     server {
> > >         listen                              127.0.0.1:80;
> > >
> > >         resolver                            127.0.0.1;
> > >
> > >         set $nas_uri                        "http://nas.some.internal.domain";
> > >
> > >         location / {
> > >                 proxy_pass                  $nas_uri;
> > >         }
> > >     }
> > >
> > > it can't be used due errors in log:
> > >
> > >     2024/06/15 11:53:55 [error] 30452#0: invalid UDP DNS response 49184 fl:81A0
> > >     2024/06/15 11:54:00 [error] 30452#0: invalid UDP DNS response 30883 fl:81A0
> > >     2024/06/15 11:54:00 [error] 30452#0: invalid UDP DNS response 49184 fl:81A0
> > >     2024/06/15 11:54:05 [error] 30452#0: invalid UDP DNS response 30883 fl:81A0
> > >
> > > because nginx rejects response with enabled AD bit.
> > >
> > 
> > And, finally, the diff:
> > 
> > diff --git www/nginx/Makefile www/nginx/Makefile
> > index 7d86279085c..203e8aa3fc5 100644
> > --- www/nginx/Makefile
> > +++ www/nginx/Makefile
> > @@ -17,15 +17,17 @@ COMMENT-njs=		nginx javascript scripting module
> >  COMMENT-passenger=	nginx passenger (ruby/python/nodejs) integration module
> >  COMMENT-rtmp=		nginx module for RTMP streaming
> >  COMMENT-securelink=	nginx HMAC secure link module
> > +COMMENT-cache_purge=	nginx module which adds ability to purge cache content
> >  
> >  VERSION=	1.26.1
> >  DISTNAME=	nginx-${VERSION}
> >  CATEGORIES=	www
> > -REVISION-main=	0
> > +REVISION-main=	1
> >  REVISION-passenger=	0
> >  
> >  VERSION-njs=	0.8.2
> >  VERSION-rtmp=	1.2.1
> > +VERSION-cache_purge=	2.3
> >  
> >  PKGNAME-main=		${DISTNAME}
> >  PKGNAME-image_filter=	nginx-image_filter-${VERSION}
> > @@ -42,6 +44,7 @@ PKGNAME-njs=		nginx-njs-${VERSION}
> >  PKGNAME-passenger=	nginx-passenger-${VERSION}
> >  PKGNAME-rtmp=		nginx-rtmp-${VERSION}
> >  PKGNAME-securelink=	nginx-securelink-${VERSION}
> > +PKGNAME-cache_purge=	ngx_cache_purge-${VERSION}
> >  
> >  ONLY_FOR_ARCHS-passenger= aarch64 amd64 arm i386
> >  
> > @@ -59,7 +62,8 @@ _GH_MODS=	\
> >  	nginx		njs				${VERSION-njs} \
> >  	simpl		ngx_devel_kit			v0.3.0 \
> >  	leev		ngx_http_geoip2_module		3.3 \
> > -	nginx-modules	ngx_http_hmac_secure_link_module 48c4625fbbf51ed5a95bfec23fa444f6c3702e50
> > +	nginx-modules	ngx_http_hmac_secure_link_module	48c4625fbbf51ed5a95bfec23fa444f6c3702e50 \
> > +	FRiCKLE		ngx_cache_purge			${VERSION-cache_purge}
> >  
> >  .for _a _p _c in ${_GH_MODS}
> >  DISTFILES.a+=	${_p}-{${_a}/${_p}/archive/}${_c}.tar.gz
> > @@ -76,7 +80,7 @@ MULTI_PACKAGES =	-main -naxsi -perl ${MODULE_PACKAGES}
> >  
> >  MODULE_PACKAGES =	-image_filter -geoip2 -xslt -mailproxy -stream \
> >  			-passenger -headers_more -ldap_auth -lua -njs \
> > -			-rtmp -securelink
> > +			-rtmp -securelink -cache_purge
> >  
> >  FLAVOR ?=
> >  PSEUDO_FLAVORS =	no_lua no_njs no_passenger
> > @@ -100,6 +104,7 @@ WANTLIB-headers_more=
> >  WANTLIB-perl=		c m perl
> >  WANTLIB-passenger=	m pthread ${COMPILER_LIBCXX}
> >  WANTLIB-securelink=	crypto
> > +WANTLIB-cache_purge=
> >  
> >  LIB_DEPENDS-main=	devel/pcre2
> >  LIB_DEPENDS-xslt=	textproc/libxml \
> > @@ -114,6 +119,7 @@ LIB_DEPENDS-securelink=
> >  LIB_DEPENDS-njs=	devel/pcre2 \
> >  			textproc/libxslt \
> >  			textproc/libxml
> > +LIB_DEPENDS-cache_purge=
> >  
> >  MODLUA_RUNDEP=		No
> >  RUN_DEPENDS=		www/nginx,-main=${VERSION}
> > @@ -202,7 +208,8 @@ CONFIGURE_ARGS+=	--prefix=${NGINX_DIR} \
> >  			--add-dynamic-module=${WRKSRC}/headers-more-nginx-module \
> >  			--add-dynamic-module=${WRKSRC}/nginx-auth-ldap \
> >  			--add-dynamic-module=${WRKSRC}/ngx_http_geoip2_module \
> > -			--add-dynamic-module=${WRKSRC}/ngx_http_hmac_secure_link_module
> > +			--add-dynamic-module=${WRKSRC}/ngx_http_hmac_secure_link_module \
> > +			--add-dynamic-module=${WRKSRC}/ngx_cache_purge
> >  
> >  SUBSTFILES=		conf/nginx.conf */config
> >  
> > @@ -212,7 +219,7 @@ ALL_TARGET=
> >  pre-patch:
> >  .for i in headers-more-nginx-module lua-nginx-module naxsi njs \
> >  	nginx-auth-ldap ngx_devel_kit ngx_http_geoip2_module \
> > -	ngx_http_hmac_secure_link_module
> > +	ngx_http_hmac_secure_link_module ngx_cache_purge
> >  	cd ${WRKSRC} && mv ../$i-* $i
> >  .endfor
> >  
> > diff --git www/nginx/distinfo www/nginx/distinfo
> > index 05b5868d540..1138961174f 100644
> > --- www/nginx/distinfo
> > +++ www/nginx/distinfo
> > @@ -5,6 +5,7 @@ SHA256 (nginx-1.20.1-chroot.patch) = SS1TB0j8N4/dn5pUTGT6WvkN3aAUuKz5+R0Nt+MG0gk
> >  SHA256 (nginx-1.26.1.tar.gz) = +Rh0aP8usVkmC/1Thnwl/44zRyYjes8ie56HDlPT42s=
> >  SHA256 (nginx-auth-ldap-83c059b73566c2ee9cbda920d91b66657cf120b7.tar.gz) = aQxOW9sq4ZsP7nXNNW0YATRo20cmFrYJeloLvjRshGQ=
> >  SHA256 (nginx-rtmp-module-v1.2.1.tar.gz) = h6pZdACwtaBSdO4tI9jLgiThJoYiegq+MdeDs6ZF6jc=
> > +SHA256 (ngx_cache_purge-2.3.tar.gz) = y31fIpGcYT8fAzQaGuuWCWUmkwLp6yNCXMqr0vXcu+w=
> >  SHA256 (ngx_devel_kit-v0.3.0.tar.gz) = iOBamainQZBm9a51lm+x78QJutRSLRSYbaB0VUrmFhk=
> >  SHA256 (ngx_http_geoip2_module-3.3.tar.gz) = QTeEOMgz4xOhiGnQxKcnBLSDXDCsr3/WgBOrZzL/eKc=
> >  SHA256 (ngx_http_hmac_secure_link_module-48c4625fbbf51ed5a95bfec23fa444f6c3702e50.tar.gz) = ZXpA2rODS1enIREzlD1OqWwpWcv3NOUXH4eUOgOAmqg=
> > @@ -16,6 +17,7 @@ SIZE (nginx-1.20.1-chroot.patch) = 8783
> >  SIZE (nginx-1.26.1.tar.gz) = 1244738
> >  SIZE (nginx-auth-ldap-83c059b73566c2ee9cbda920d91b66657cf120b7.tar.gz) = 18542
> >  SIZE (nginx-rtmp-module-v1.2.1.tar.gz) = 519919
> > +SIZE (ngx_cache_purge-2.3.tar.gz) = 11717
> >  SIZE (ngx_devel_kit-v0.3.0.tar.gz) = 66455
> >  SIZE (ngx_http_geoip2_module-3.3.tar.gz) = 8509
> >  SIZE (ngx_http_hmac_secure_link_module-48c4625fbbf51ed5a95bfec23fa444f6c3702e50.tar.gz) = 6159
> > diff --git www/nginx/patches/patch-ngx_cache_purge_config www/nginx/patches/patch-ngx_cache_purge_config
> > new file mode 100644
> > index 00000000000..e12d5e5a802
> > --- /dev/null
> > +++ www/nginx/patches/patch-ngx_cache_purge_config
> > @@ -0,0 +1,25 @@
> > +Build ngx_cache_purge as dynamic module
> > +
> > +Index: ngx_cache_purge/config
> > +--- ngx_cache_purge/config.orig
> > ++++ ngx_cache_purge/config
> > +@@ -15,7 +15,17 @@ if [ "$HTTP_UWSGI" = "YES" ]; then
> > + fi
> > + 
> > + ngx_addon_name=ngx_http_cache_purge_module
> > +-HTTP_MODULES="$HTTP_MODULES ngx_http_cache_purge_module"
> > +-NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_cache_purge_module.c"
> > ++CACHE_PURGE_SRCS="$ngx_addon_dir/ngx_cache_purge_module.c"
> > ++
> > ++if [ -n "$ngx_module_link" ]; then
> > ++    ngx_module_type=HTTP
> > ++    ngx_module_name="$ngx_addon_name"
> > ++    ngx_module_srcs="$CACHE_PURGE_SRCS"
> > ++
> > ++    . auto/module
> > ++else
> > ++    HTTP_MODULES="$HTTP_MODULES $ngx_addon_name"
> > ++    NGX_ADDON_SRCS="$NGX_ADDON_SRCS $CACHE_PURGE_SRCS"
> > ++fi
> > + 
> > + have=NGX_CACHE_PURGE_MODULE . auto/have
> > diff --git www/nginx/patches/patch-src_core_ngx_resolver_c www/nginx/patches/patch-src_core_ngx_resolver_c
> > new file mode 100644
> > index 00000000000..b07cea4cc97
> > --- /dev/null
> > +++ www/nginx/patches/patch-src_core_ngx_resolver_c
> > @@ -0,0 +1,12 @@
> > +Index: src/core/ngx_resolver.c
> > +--- src/core/ngx_resolver.c.orig
> > ++++ src/core/ngx_resolver.c
> > +@@ -1774,7 +1774,7 @@ ngx_resolver_process_response(ngx_resolver_t *r, u_cha
> > +                    (response->nar_hi << 8) + response->nar_lo);
> > + 
> > +     /* response to a standard query */
> > +-    if ((flags & 0xf870) != 0x8000 || (trunc && tcp)) {
> > ++    if ((flags & 0xf850) != 0x8000 || (trunc && tcp)) {
> > +         ngx_log_error(r->log_level, r->log, 0,
> > +                       "invalid %s DNS response %ui fl:%04Xi",
> > +                       tcp ? "TCP" : "UDP", ident, flags);
> > diff --git www/nginx/pkg/DESCR-cache_purge www/nginx/pkg/DESCR-cache_purge
> > new file mode 100644
> > index 00000000000..a1021baf292
> > --- /dev/null
> > +++ www/nginx/pkg/DESCR-cache_purge
> > @@ -0,0 +1,8 @@
> > +ngx_cache_purge is nginx module which adds ability to purge content from
> > +FastCGI, proxy, SCGI and uWSGI caches.
> > +
> > +It is build as separated dynamic module and it should be load as:
> > +
> > +  load_module modules/ngx_http_cache_purge_module.so;
> > +
> > +Documentation available at https://github.com/FRiCKLE/ngx_cache_purge
> > diff --git www/nginx/pkg/PLIST-cache_purge www/nginx/pkg/PLIST-cache_purge
> > new file mode 100644
> > index 00000000000..ea7fe579cd9
> > --- /dev/null
> > +++ www/nginx/pkg/PLIST-cache_purge
> > @@ -0,0 +1 @@
> > +@so ngx_http_cache_purge_module.so
> > 
> > 
> > --
> > wbr, Kirill
> 
> -- 
> Regards,
> Robert Nagy
>