%global _hardened_build 1 %global nginx_user nginx # Disable strict symbol checks in the link editor. # See: https://src.fedoraproject.org/rpms/redhat-rpm-config/c/078af19 %undefine _strict_symbol_defs_build %bcond_with geoip # nginx gperftools support should be disabled for RHEL >= 8 # see: https://bugzilla.redhat.com/show_bug.cgi?id=1931402 %if 0%{?rhel} >= 8 %global with_gperftools 0 %else # gperftools exists only on selected arches # gperftools *detection* is failing on ppc64*, possibly only configure # bug, but disable anyway. %ifnarch s390 s390x ppc64 ppc64le %global with_gperftools 1 %endif %endif %global with_aio 1 %if 0%{?fedora} > 22 %global with_mailcap_mimetypes 1 %endif # kTLS requires OpenSSL 3.0 (default in F36+ and EL9+, available in EPEL8) %if 0%{?fedora} >= 36 || 0%{?rhel} >= 8 %global with_ktls 1 %endif # Build against OpenSSL 1.1 on EL7 %if 0%{?rhel} == 7 %global openssl_pkgversion 11 %endif # Build against OpenSSL 3 on EL8 %if 0%{?rhel} == 8 %global openssl_pkgversion 3 %endif # Cf. https://www.nginx.com/blog/creating-installable-packages-dynamic-modules/ %global nginx_abiversion %{version} %global nginx_moduledir %{_libdir}/nginx/modules %global nginx_moduleconfdir %{_datadir}/nginx/modules %global nginx_srcdir %{_usrsrc}/%{name}-%{version}-%{release} # Do not generate provides/requires from nginx sources %global __provides_exclude_from ^%{nginx_srcdir}/.*$ %global __requires_exclude_from ^%{nginx_srcdir}/.*$ Name: nginx Epoch: 1 Version: 1.22.1 Release: 5%{?dist} Summary: A high performance web server and reverse proxy server # BSD License (two clause) # http://www.freebsd.org/copyright/freebsd-license.html License: BSD URL: https://nginx.org Source0: https://nginx.org/download/nginx-%{version}.tar.gz Source1: https://nginx.org/download/nginx-%{version}.tar.gz.asc # Keys are found here: https://nginx.org/en/pgp_keys.html Source2: https://nginx.org/keys/maxim.key Source3: https://nginx.org/keys/mdounin.key Source4: https://nginx.org/keys/sb.key Source5: https://nginx.org/keys/thresh.key Source10: nginx.service Source11: nginx.logrotate Source12: nginx.conf Source13: nginx-upgrade Source14: nginx-upgrade.8 Source15: macros.nginxmods.in Source16: nginxmods.attr Source17: nginx-ssl-pass-dialog Source102: nginx-logo.png Source103: 404.html Source104: 50x.html Source200: README.dynamic Source210: UPGRADE-NOTES-1.6-to-1.10 # removes -Werror in upstream build scripts. -Werror conflicts with # -D_FORTIFY_SOURCE=2 causing warnings to turn into errors. Patch0: 0001-remove-Werror-in-upstream-build-scripts.patch # downstream patch - fix PIDFile race condition (rhbz#1869026) # rejected upstream: https://trac.nginx.org/nginx/ticket/1897 Patch1: 0002-fix-PIDFile-handling.patch # downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=1955564 Patch2: 0003-Support-loading-cert-hardware-token-PKC.patch # downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2006822 Patch3: 0004-Set-proper-compiler-optimalization-level-O2-for-perl.patch # downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2006420 Patch4: 0005-Init-openssl-engine-properly.patch # downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2028781 Patch5: 0007-Enable-TLSv1.3-by-default.patch # downstream patch - Add ssl-pass-phrase-dialog helper script for # encrypted private keys with pass phrase decryption # # https://bugzilla.redhat.com/show_bug.cgi?id=2170808 Patch6: 0008-add-ssl-pass-phrase-dialog.patch # security fix - https://issues.redhat.com/browse/RHEL-12736 Patch7: 0009-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?with_gperftools} BuildRequires: gperftools-devel %endif BuildRequires: openssl%{?openssl_pkgversion}-devel BuildRequires: pcre2-devel BuildRequires: zlib-devel Requires: nginx-filesystem = %{epoch}:%{version}-%{release} %if 0%{?el7} # centos-logos el7 does not provide 'system-indexhtml' Requires: system-logos redhat-indexhtml # need to remove epel7 geoip sub-package, doesn't work anymore # https://bugzilla.redhat.com/show_bug.cgi?id=1576034 # https://bugzilla.redhat.com/show_bug.cgi?id=1664957 Obsoletes: nginx-mod-http-geoip <= 1:1.16 %else Requires: system-logos-httpd %endif Provides: webserver %if 0%{?fedora} || 0%{?rhel} >= 8 Recommends: logrotate %endif Requires: %{name}-core = %{epoch}:%{version}-%{release} BuildRequires: systemd Requires(post): systemd Requires(preun): systemd Requires(postun): systemd # For external nginx modules Provides: nginx(abi) = %{nginx_abiversion} %description Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. %package core Summary: nginx minimal core %if 0%{?with_mailcap_mimetypes} Requires: nginx-mimetypes %endif Requires: openssl%{?openssl_pkgversion}-libs Requires(pre): nginx-filesystem Conflicts: nginx < 1:1.20.1-13 %description core nginx minimal core %package all-modules Summary: A meta package that installs all available Nginx modules BuildArch: noarch %if %{with geoip} Requires: nginx-mod-http-geoip = %{epoch}:%{version}-%{release} %endif Requires: nginx-mod-http-image-filter = %{epoch}:%{version}-%{release} Requires: nginx-mod-http-perl = %{epoch}:%{version}-%{release} Requires: nginx-mod-http-xslt-filter = %{epoch}:%{version}-%{release} Requires: nginx-mod-mail = %{epoch}:%{version}-%{release} Requires: nginx-mod-stream = %{epoch}:%{version}-%{release} %description all-modules Meta package that installs all available nginx modules. %package filesystem Summary: The basic directory layout for the Nginx server BuildArch: noarch Requires(pre): shadow-utils %description filesystem The nginx-filesystem package contains the basic directory layout for the Nginx server including the correct permissions for the directories. %if %{with geoip} %package mod-http-geoip Summary: Nginx HTTP geoip module BuildRequires: GeoIP-devel Requires: nginx(abi) = %{nginx_abiversion} Requires: GeoIP %description mod-http-geoip %{summary}. %endif %package mod-http-image-filter Summary: Nginx HTTP image filter module BuildRequires: gd-devel Requires: nginx(abi) = %{nginx_abiversion} Requires: gd %description mod-http-image-filter %{summary}. %package mod-http-perl Summary: Nginx HTTP perl module BuildRequires: perl-devel %if 0%{?fedora} >= 24 || 0%{?rhel} >= 7 BuildRequires: perl-generators %endif BuildRequires: perl(ExtUtils::Embed) Requires: nginx(abi) = %{nginx_abiversion} Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) Requires: perl(constant) %description mod-http-perl %{summary}. %package mod-http-xslt-filter Summary: Nginx XSLT module BuildRequires: libxslt-devel Requires: nginx(abi) = %{nginx_abiversion} %description mod-http-xslt-filter %{summary}. %package mod-mail Summary: Nginx mail modules Requires: nginx(abi) = %{nginx_abiversion} %description mod-mail %{summary}. %package mod-stream Summary: Nginx stream modules Requires: nginx(abi) = %{nginx_abiversion} %description mod-stream %{summary}. %package mod-devel Summary: Nginx module development files Requires: nginx = %{epoch}:%{version}-%{release} Requires: make Requires: gcc Requires: gd-devel %if 0%{?with_gperftools} Requires: gperftools-devel %endif %if %{with geoip} Requires: GeoIP-devel %endif Requires: libxslt-devel Requires: openssl%{?openssl_pkgversion}-devel Requires: pcre2-devel Requires: perl-devel Requires: perl(ExtUtils::Embed) Requires: zlib-devel %description mod-devel %{summary}. %prep # Combine all keys from upstream into one file cat %{S:2} %{S:3} %{S:4} %{S:5} > %{_builddir}/%{name}.gpg %{gpgverify} --keyring='%{_builddir}/%{name}.gpg' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} . %if 0%{?rhel} > 0 && 0%{?rhel} < 8 sed -i -e 's#KillMode=.*#KillMode=process#g' nginx.service sed -i -e 's#PROFILE=SYSTEM#HIGH:!aNULL:!MD5#' nginx.conf %endif %if 0%{?openssl_pkgversion} sed \ -e 's|\(ngx_feature_path=\)$|\1%{_includedir}/openssl%{openssl_pkgversion}|' \ -e 's|\(ngx_feature_libs="\)|\1-L%{_libdir}/openssl%{openssl_pkgversion} |' \ -i auto/lib/openssl/conf %endif # Prepare sources for installation cp -a ../%{name}-%{version} ../%{name}-%{version}-%{release}-src mv ../%{name}-%{version}-%{release}-src . %build # nginx does not utilize a standard configure script. It has its own # and the standard configure options cause the nginx configure script # to error out. This is is also the reason for the DESTDIR environment # variable. export DESTDIR=%{buildroot} # So the perl module finds its symbols: nginx_ldopts="$RPM_LD_FLAGS -Wl,-E" if ! ./configure \ --prefix=%{_datadir}/nginx \ --sbin-path=%{_sbindir}/nginx \ --modules-path=%{nginx_moduledir} \ --conf-path=%{_sysconfdir}/nginx/nginx.conf \ --error-log-path=%{_localstatedir}/log/nginx/error.log \ --http-log-path=%{_localstatedir}/log/nginx/access.log \ --http-client-body-temp-path=%{_localstatedir}/lib/nginx/tmp/client_body \ --http-proxy-temp-path=%{_localstatedir}/lib/nginx/tmp/proxy \ --http-fastcgi-temp-path=%{_localstatedir}/lib/nginx/tmp/fastcgi \ --http-uwsgi-temp-path=%{_localstatedir}/lib/nginx/tmp/uwsgi \ --http-scgi-temp-path=%{_localstatedir}/lib/nginx/tmp/scgi \ --pid-path=/run/nginx.pid \ --lock-path=/run/lock/subsys/nginx \ --user=%{nginx_user} \ --group=%{nginx_user} \ --with-compat \ --with-debug \ %if 0%{?with_aio} --with-file-aio \ %endif %if 0%{?with_gperftools} --with-google_perftools_module \ %endif --with-http_addition_module \ --with-http_auth_request_module \ --with-http_dav_module \ --with-http_degradation_module \ --with-http_flv_module \ %if %{with geoip} --with-http_geoip_module=dynamic \ --with-stream_geoip_module=dynamic \ %endif --with-http_gunzip_module \ --with-http_gzip_static_module \ --with-http_image_filter_module=dynamic \ --with-http_mp4_module \ --with-http_perl_module=dynamic \ --with-http_random_index_module \ --with-http_realip_module \ --with-http_secure_link_module \ --with-http_slice_module \ --with-http_ssl_module \ --with-http_stub_status_module \ --with-http_sub_module \ --with-http_v2_module \ --with-http_xslt_module=dynamic \ --with-mail=dynamic \ --with-mail_ssl_module \ %if 0%{?with_ktls} --with-openssl-opt=enable-ktls \ %endif --with-pcre \ --with-pcre-jit \ --with-stream=dynamic \ --with-stream_realip_module \ --with-stream_ssl_module \ --with-stream_ssl_preread_module \ --with-threads \ --with-cc-opt="%{optflags} $(pcre2-config --cflags)" \ --with-ld-opt="$nginx_ldopts"; then : configure failed cat objs/autoconf.err exit 1 fi %make_build %install %make_install INSTALLDIRS=vendor find %{buildroot} -type f -name .packlist -exec rm -f '{}' \; find %{buildroot} -type f -name perllocal.pod -exec rm -f '{}' \; find %{buildroot} -type f -empty -exec rm -f '{}' \; find %{buildroot} -type f -iname '*.so' -exec chmod 0755 '{}' \; install -p -D -m 0644 ./nginx.service \ %{buildroot}%{_unitdir}/nginx.service install -p -D -m 0644 %{SOURCE11} \ %{buildroot}%{_sysconfdir}/logrotate.d/nginx install -p -d -m 0755 %{buildroot}%{_sysconfdir}/systemd/system/nginx.service.d install -p -d -m 0755 %{buildroot}%{_unitdir}/nginx.service.d install -p -d -m 0755 %{buildroot}%{_sysconfdir}/nginx/conf.d install -p -d -m 0755 %{buildroot}%{_sysconfdir}/nginx/default.d install -p -d -m 0700 %{buildroot}%{_localstatedir}/lib/nginx install -p -d -m 0700 %{buildroot}%{_localstatedir}/lib/nginx/tmp install -p -d -m 0700 %{buildroot}%{_localstatedir}/log/nginx install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/html install -p -d -m 0755 %{buildroot}%{nginx_moduleconfdir} install -p -d -m 0755 %{buildroot}%{nginx_moduledir} install -p -m 0644 ./nginx.conf \ %{buildroot}%{_sysconfdir}/nginx rm -f %{buildroot}%{_datadir}/nginx/html/index.html %if 0%{?el7} ln -s ../../doc/HTML/index.html \ %{buildroot}%{_datadir}/nginx/html/index.html ln -s ../../doc/HTML/img \ %{buildroot}%{_datadir}/nginx/html/img ln -s ../../doc/HTML/en-US \ %{buildroot}%{_datadir}/nginx/html/en-US %else ln -s ../../testpage/index.html \ %{buildroot}%{_datadir}/nginx/html/index.html %endif install -p -m 0644 %{SOURCE102} \ %{buildroot}%{_datadir}/nginx/html ln -s nginx-logo.png %{buildroot}%{_datadir}/nginx/html/poweredby.png mkdir -p %{buildroot}%{_datadir}/nginx/html/icons # Symlink for the powered-by-$DISTRO image: ln -s ../../../pixmaps/poweredby.png \ %{buildroot}%{_datadir}/nginx/html/icons/poweredby.png %if 0%{?rhel} >= 9 ln -s ../../pixmaps/system-noindex-logo.png \ %{buildroot}%{_datadir}/nginx/html/system_noindex_logo.png %endif install -p -m 0644 %{SOURCE103} %{SOURCE104} \ %{buildroot}%{_datadir}/nginx/html %if 0%{?with_mailcap_mimetypes} rm -f %{buildroot}%{_sysconfdir}/nginx/mime.types %endif install -p -D -m 0644 %{_builddir}/nginx-%{version}/objs/nginx.8 \ %{buildroot}%{_mandir}/man8/nginx.8 install -p -D -m 0755 %{SOURCE13} %{buildroot}%{_bindir}/nginx-upgrade install -p -D -m 0644 %{SOURCE14} %{buildroot}%{_mandir}/man8/nginx-upgrade.8 for i in ftdetect ftplugin indent syntax; do install -p -D -m644 contrib/vim/${i}/nginx.vim \ %{buildroot}%{_datadir}/vim/vimfiles/${i}/nginx.vim done %if %{with geoip} echo 'load_module "%{nginx_moduledir}/ngx_http_geoip_module.so";' \ > %{buildroot}%{nginx_moduleconfdir}/mod-http-geoip.conf %endif echo 'load_module "%{nginx_moduledir}/ngx_http_image_filter_module.so";' \ > %{buildroot}%{nginx_moduleconfdir}/mod-http-image-filter.conf echo 'load_module "%{nginx_moduledir}/ngx_http_perl_module.so";' \ > %{buildroot}%{nginx_moduleconfdir}/mod-http-perl.conf echo 'load_module "%{nginx_moduledir}/ngx_http_xslt_filter_module.so";' \ > %{buildroot}%{nginx_moduleconfdir}/mod-http-xslt-filter.conf echo 'load_module "%{nginx_moduledir}/ngx_mail_module.so";' \ > %{buildroot}%{nginx_moduleconfdir}/mod-mail.conf echo 'load_module "%{nginx_moduledir}/ngx_stream_module.so";' \ > %{buildroot}%{nginx_moduleconfdir}/mod-stream.conf # Install files for supporting nginx module builds ## Install source files mkdir -p %{buildroot}%{_usrsrc} mv %{name}-%{version}-%{release}-src %{buildroot}%{nginx_srcdir} ## Install rpm macros mkdir -p %{buildroot}%{_rpmmacrodir} sed -e "s|@@NGINX_ABIVERSION@@|%{nginx_abiversion}|g" \ -e "s|@@NGINX_MODDIR@@|%{nginx_moduledir}|g" \ -e "s|@@NGINX_MODCONFDIR@@|%{nginx_moduleconfdir}|g" \ -e "s|@@NGINX_SRCDIR@@|%{nginx_srcdir}|g" \ %{SOURCE15} > %{buildroot}%{_rpmmacrodir}/macros.nginxmods ## Install dependency generator install -Dpm0644 -t %{buildroot}%{_fileattrsdir} %{SOURCE16} # install http-ssl-pass-dialog mkdir -p $RPM_BUILD_ROOT%{_libexecdir} install -m755 $RPM_SOURCE_DIR/nginx-ssl-pass-dialog \ $RPM_BUILD_ROOT%{_libexecdir}/nginx-ssl-pass-dialog %pre filesystem getent group %{nginx_user} > /dev/null || groupadd -r %{nginx_user} getent passwd %{nginx_user} > /dev/null || \ useradd -r -d %{_localstatedir}/lib/nginx -g %{nginx_user} \ -s /sbin/nologin -c "Nginx web server" %{nginx_user} exit 0 %post %systemd_post nginx.service %if %{with geoip} %post mod-http-geoip if [ $1 -eq 1 ]; then /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : fi %endif %post mod-http-image-filter if [ $1 -eq 1 ]; then /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : fi %post mod-http-perl if [ $1 -eq 1 ]; then /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : fi %post mod-http-xslt-filter if [ $1 -eq 1 ]; then /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : fi %post mod-mail if [ $1 -eq 1 ]; then /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : fi %post mod-stream if [ $1 -eq 1 ]; then /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : fi %preun %systemd_preun nginx.service %postun %systemd_postun nginx.service if [ $1 -ge 1 ]; then /usr/bin/nginx-upgrade >/dev/null 2>&1 || : fi %files %if 0%{?rhel} == 7 %doc UPGRADE-NOTES-1.6-to-1.10 %endif %{_datadir}/nginx/html/* %{_bindir}/nginx-upgrade %{_datadir}/vim/vimfiles/ftdetect/nginx.vim %{_datadir}/vim/vimfiles/ftplugin/nginx.vim %{_datadir}/vim/vimfiles/syntax/nginx.vim %{_datadir}/vim/vimfiles/indent/nginx.vim %{_mandir}/man3/nginx.3pm* %{_mandir}/man8/nginx.8* %{_mandir}/man8/nginx-upgrade.8* %{_unitdir}/nginx.service %{_libexecdir}/nginx-ssl-pass-dialog %files core %license LICENSE %doc CHANGES README README.dynamic %{_sbindir}/nginx %config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf %config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf.default %config(noreplace) %{_sysconfdir}/nginx/fastcgi_params %config(noreplace) %{_sysconfdir}/nginx/fastcgi_params.default %config(noreplace) %{_sysconfdir}/nginx/koi-utf %config(noreplace) %{_sysconfdir}/nginx/koi-win %if ! 0%{?with_mailcap_mimetypes} %config(noreplace) %{_sysconfdir}/nginx/mime.types %endif %config(noreplace) %{_sysconfdir}/nginx/mime.types.default %config(noreplace) %{_sysconfdir}/nginx/nginx.conf %config(noreplace) %{_sysconfdir}/nginx/nginx.conf.default %config(noreplace) %{_sysconfdir}/nginx/scgi_params %config(noreplace) %{_sysconfdir}/nginx/scgi_params.default %config(noreplace) %{_sysconfdir}/nginx/uwsgi_params %config(noreplace) %{_sysconfdir}/nginx/uwsgi_params.default %config(noreplace) %{_sysconfdir}/nginx/win-utf %config(noreplace) %{_sysconfdir}/logrotate.d/nginx %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx/tmp %attr(711,root,root) %dir %{_localstatedir}/log/nginx %ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/access.log %ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/error.log %dir %{nginx_moduledir} %dir %{nginx_moduleconfdir} %files all-modules %files filesystem %dir %{_datadir}/nginx %dir %{_datadir}/nginx/html %dir %{_sysconfdir}/nginx %dir %{_sysconfdir}/nginx/conf.d %dir %{_sysconfdir}/nginx/default.d %dir %{_sysconfdir}/systemd/system/nginx.service.d %dir %{_unitdir}/nginx.service.d %if %{with geoip} %files mod-http-geoip %{nginx_moduleconfdir}/mod-http-geoip.conf %{nginx_moduledir}/ngx_http_geoip_module.so %endif %files mod-http-image-filter %{nginx_moduleconfdir}/mod-http-image-filter.conf %{nginx_moduledir}/ngx_http_image_filter_module.so %files mod-http-perl %{nginx_moduleconfdir}/mod-http-perl.conf %{nginx_moduledir}/ngx_http_perl_module.so %dir %{perl_vendorarch}/auto/nginx %{perl_vendorarch}/nginx.pm %{perl_vendorarch}/auto/nginx/nginx.so %files mod-http-xslt-filter %{nginx_moduleconfdir}/mod-http-xslt-filter.conf %{nginx_moduledir}/ngx_http_xslt_filter_module.so %files mod-mail %{nginx_moduleconfdir}/mod-mail.conf %{nginx_moduledir}/ngx_mail_module.so %files mod-stream %{nginx_moduleconfdir}/mod-stream.conf %{nginx_moduledir}/ngx_stream_module.so %files mod-devel %{_rpmmacrodir}/macros.nginxmods %{_fileattrsdir}/nginxmods.attr %{nginx_srcdir}/ %changelog * Mon Oct 17 2023 Luboš Uhliarik - 1:1.22.1-5 - Resolves: RHEL-12736 - nginx:1.22/nginx: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487) * Mon Aug 07 2023 Luboš Uhliarik - 1:1.22.1-4 - Resolves: #2170808 - Running nginx with systemctl and entering ssl private key's pass phrase - added new ssl_pass_phrase_dialog directive which enables setting external program for entering password for encrypted private key * Fri Jul 14 2023 MSVSphere Packaging Team - 1:1.22.1-3 - Rebuilt for MSVSphere 9.2 * Sun Dec 18 2022 Luboš Uhliarik - 1:1.22.1-3 - Resolves: #2150932 - No logrotating nginx logs from nginx:1.22 * Thu Dec 01 2022 Neal Gompa - 1:1.22.1-2 - Require pcre2-devel instead of pcre-devel in -mod-devel subpackage Resolves: rhbz#2149965 * Sat Oct 22 2022 Luboš Uhliarik - 1:1.22.1-1 - Resolves: #2096174 - RFE: add nginx:1.22 module stream - switch to pcre2 - add stream_geoip_module and stream_realip_module - enable kTLS support * Wed Jun 22 2022 Luboš Uhliarik - 1:1.20.1-13 - Resolves: #2099752 - nginx minimisation for ubi-micro * Tue Jun 21 2022 Luboš Uhliarik - 1:1.20.1-11 - Resolves: #2028781 - Protocol : TLSv1.3 missing in rhel9 * Wed Feb 02 2022 Luboš Uhliarik - 1:1.20.1-10 - Resolves: #1975747 - CVE-2021-3618 nginx: ALPACA: Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication * Thu Dec 2 2021 Joe Orton - 1:1.20.1-9 - add delaycompress to logrotate config (#2015250) * Wed Sep 22 2021 Luboš Uhliarik - 1:1.20.1-8 - Resolves: #2007019 - use proper wording in error pages * Wed Sep 22 2021 Luboš Uhliarik - 1:1.20.1-7 - Resolves: #2006420 - Broken loading certificates from hardware token (PKCS#11) * Wed Sep 22 2021 Luboš Uhliarik - 1:1.20.1-6 - Resolves: #2006822 - Hardening tests fail for nginx * Tue Sep 21 2021 Luboš Uhliarik - 1:1.20.1-5 - Add -mod-devel subpackage for building external nginx modules Resolves: rhbz#1991720 (Neal Gompa) * Mon Aug 09 2021 Mohan Boddu - 1:1.20.1-4 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688 * Mon Aug 09 2021 Luboš Uhliarik - 1:1.20.1-3 - Resolves: #1991600 - Add logo symlink required by new testpage * Wed Jun 16 2021 Mohan Boddu - 1:1.20.1-2 - Rebuilt for RHEL 9 BETA for openssl 3.0 Related: rhbz#1971065 * Wed Jun 02 2021 Luboš Uhliarik - 1:1.20.1-1 - new version 1.20.1 - Resolves: #1964814 - CVE-2021-23017 nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name * Fri Apr 30 2021 Lubos Uhliarik - 1:1.20.0-5 - Resolves: #1955564 - [RFE] Support loading certificates from hardware token (PKCS#11) * Fri Apr 30 2021 Lubos Uhliarik - 1:1.20.0-4 - Resolves: #1955560 - centralizing default index.html on nginx * Mon Apr 26 2021 Lubos Uhliarik - 1:1.20.0-3 - Resolve: #1953639 - Rebase nginx to 1.20 * Wed Apr 21 2021 Felix Kaechele - 1:1.20.0-2 - sync rawhide and EPEL7 spec files again - systemd service reload now checks config file (rhbz#1565377) - drop nginx requirement on nginx-all-modules (rhbz#1708799) - let nginx handle log creation on logrotate (rhbz#1683388) - have log directory owned by root (rhbz#1390183, CVE-2016-1247) - remove obsolete --with-ipv6 (src PR#8) - correction: pcre2 is actually not supported by nginx, reintroduce pcre * Wed Apr 21 2021 Felix Kaechele - 1:1.20.0-1 - update to 1.20.0 - sync with mainline spec file - order configure options alphabetically for easier comparinggit - add --with-compat option (rhbz#1834452) - add patch to fix PIDFile race condition (rhbz#1869026) - use pcre2 instead of pcre (rhbz#1938984) - add Wants=network-online.target to systemd unit (rhbz#1943779) * Fri Apr 16 2021 Mohan Boddu - 1:1.18.0-6 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 * Mon Feb 22 2021 Lubos Uhliarik - 1:1.18.0-5 - Resolves: #1931402 - drop gperftools module * Tue Jan 26 2021 Fedora Release Engineering - 1:1.18.0-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild * Tue Jul 28 2020 Fedora Release Engineering - 1:1.18.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild * Mon Jun 22 2020 Jitka Plesnikova - 1:1.18.0-2 - Perl 5.32 rebuild * Fri Apr 24 2020 Felix Kaechele - 1:1.18.0-1 - Update to 1.18.0 - Increased types_hash_max_size to 4096 in default config - Add gpg source verification - Add Recommends: logrotate - Drop location / from default config (rhbz#1564768) - Drop default_sever from default config (rhbz#1373822) * Wed Jan 29 2020 Fedora Release Engineering - 1:1.16.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild * Sun Sep 15 2019 Warren Togami - add conditionals for EPEL7, see rhbz#1750857 * Tue Aug 13 2019 Jamie Nguyen - 1:1.16.1-1 - Update to upstream release 1.16.1 - Fixes CVE-2019-9511, CVE-2019-9513, CVE-2019-9516 * Thu Jul 25 2019 Fedora Release Engineering - 1:1.16.0-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild * Thu May 30 2019 Jitka Plesnikova - 1:1.16.0-4 - Perl 5.30 rebuild * Tue May 14 2019 Stephen Gallagher - 1.16.0-3 - Move to common default index.html - Resolves: rhbz#1636235 * Tue May 07 2019 Jamie Nguyen - 1:1.16.0-2 - Add missing directory for vim plugin * Fri Apr 26 2019 Jamie Nguyen - 1:1.16.0-1 - Update to upstream release 1.16.0 * Mon Mar 04 2019 Jamie Nguyen - 1:1.15.9-1 - Update to upstream release 1.15.9 - Enable ngx_stream_ssl_preread module - Remove redundant conditionals * Fri Feb 01 2019 Fedora Release Engineering - 1:1.14.1-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild * Mon Jan 14 2019 Björn Esser - 1:1.14.1-4 - Rebuilt for libcrypt.so.2 (#1666033) * Tue Dec 11 2018 Joe Orton - 1:1.14.1-3 - fix unexpanded paths in nginx(8) * Tue Nov 20 2018 Luboš Uhliarik - 1:1.14.1-2 - new version 1.14.1 - Resolves: #1584426 - Upstream Nginx 1.14.0 is now available - Resolves: #1647255 - CVE-2018-16845 nginx: Denial of service and memory disclosure via mp4 module - Resolves: #1647259 - CVE-2018-16843 nginx: Excessive memory consumption via flaw in HTTP/2 implementation - Resolves: #1647258 - CVE-2018-16844 nginx: Excessive CPU usage via flaw in HTTP/2 implementation * Mon Aug 06 2018 Luboš Uhliarik - 1:1.12.1-14 - add requires on perl(constant) for mod-http-perl * Mon Jul 30 2018 Luboš Uhliarik - 1:1.12.1-13 - don't build with geoip by default * Thu Jul 19 2018 Joe Orton - 1:1.12.1-12 - add build conditional for geoip support * Mon Jul 16 2018 Tadej Janež - 1:1.12.1-11 - Add gcc to BuildRequires to account for https://fedoraproject.org/wiki/Changes/Remove_GCC_from_BuildRoot * Fri Jul 13 2018 Fedora Release Engineering - 1:1.12.1-10 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild * Wed Jun 27 2018 Jitka Plesnikova - 1:1.12.1-9 - Perl 5.28 rebuild * Mon May 14 2018 Luboš Uhliarik - 1:1.12.1-8 - Related: #1573942 - nginx fails on start * Wed May 02 2018 Luboš Uhliarik - 1:1.12.1-7 - Resolves: #1573942 - nginx fails on start * Thu Feb 08 2018 Fedora Release Engineering - 1:1.12.1-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild * Wed Jan 24 2018 Björn Esser - 1:1.12.1-5 - Add patch to apply glibc bugfix if really needed only - Disable strict symbol checks in the link editor * Sat Jan 20 2018 Björn Esser - 1:1.12.1-4 - Rebuilt for switch to libxcrypt * Tue Oct 24 2017 Joe Orton - 1:1.12.1-3 - rebuild * Tue Sep 19 2017 Remi Collet - 1:1.12.1-2 - own system drop-in directories #1493036 * Tue Aug 15 2017 Joe Orton - 1:1.12.1-1 - update to 1.12.1 (#1469924) - enable http_auth_request_module (Tim Niemueller, #1471106) * Thu Aug 03 2017 Fedora Release Engineering - 1:1.12.0-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild * Wed Jul 26 2017 Fedora Release Engineering - 1:1.12.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild * Sun Jun 04 2017 Jitka Plesnikova - 1:1.12.0-2 - Perl 5.26 rebuild * Tue May 30 2017 Luboš Uhliarik - 1:1.12.0-1 - new version 1.12.0 * Wed Feb 8 2017 Joe Orton - 1:1.10.3-1 - update to upstream release 1.10.3 * Mon Oct 31 2016 Jamie Nguyen - 1:1.10.2-1 - update to upstream release 1.10.2 * Tue May 31 2016 Jamie Nguyen - 1:1.10.1-1 - update to upstream release 1.10.1 * Sun May 15 2016 Jitka Plesnikova - 1:1.10.0-4 - Perl 5.24 rebuild * Sun May 8 2016 Peter Robinson 1:1.10.0-3 - Enable AIO on aarch64 (rhbz 1258414) * Wed Apr 27 2016 Jamie Nguyen - 1:1.10.0-2 - only Require nginx-all-modules for EPEL and current Fedora releases * Wed Apr 27 2016 Jamie Nguyen - 1:1.10.0-1 - update to upstream release 1.10.0 - split dynamic modules into subpackages - spec file cleanup * Thu Feb 04 2016 Fedora Release Engineering - 1:1.8.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild * Tue Jan 26 2016 Jamie Nguyen - 1:1.8.1-1 - update to upstream release 1.8.1 - CVE-2016-0747: Insufficient limits of CNAME resolution in resolver - CVE-2016-0746: Use-after-free during CNAME response processing in resolver - CVE-2016-0742: Invalid pointer dereference in resolver * Sun Oct 04 2015 Jamie Nguyen - 1:1.8.0-14 - consistently use '%%global with_foo' style of logic - remove PID file before starting nginx (#1268621) * Fri Sep 25 2015 Ville Skyttä - 1:1.8.0-13 - Use nginx-mimetypes from mailcap (#1248736) - Mark LICENSE as %%license * Thu Sep 10 2015 Jamie Nguyen - 1:1.8.0-12 - also build with gperftools on aarch64 (#1258412) * Wed Aug 12 2015 Nikos Mavrogiannopoulos - 1:1.8.0-11 - nginx.conf: added commented-out SSL configuration directives (#1179232) * Fri Jul 03 2015 Jamie Nguyen - 1:1.8.0-10 - switch back to /bin/kill in logrotate script due to SELinux denials * Tue Jun 16 2015 Jamie Nguyen - 1:1.8.0-9 - fix path to png in error pages (#1232277) - optimize png images with optipng * Sun Jun 14 2015 Jamie Nguyen - 1:1.8.0-8 - replace /bin/kill with /usr/bin/systemctl kill in logrotate script (#1231543) - remove After=syslog.target in nginx.service (#1231543) - replace ExecStop with KillSignal=SIGQUIT in nginx.service (#1231543) * Wed Jun 03 2015 Jitka Plesnikova - 1:1.8.0-7 - Perl 5.22 rebuild * Sun May 10 2015 Jamie Nguyen - 1:1.8.0-6 - revert previous change * Sun May 10 2015 Jamie Nguyen - 1:1.8.0-5 - move default server to default.conf (#1220094) * Sun May 10 2015 Jamie Nguyen - 1:1.8.0-4 - add TimeoutStopSec=5 and KillMode=mixed to nginx.service - set worker_processes to auto - add some common options to the http block in nginx.conf - run nginx-upgrade on package update - remove some redundant scriptlet commands - listen on ipv6 for default server (#1217081) * Wed Apr 22 2015 Jamie Nguyen - 1:1.8.0-3 - improve nginx-upgrade script * Wed Apr 22 2015 Jamie Nguyen - 1:1.8.0-2 - add --with-pcre-jit * Wed Apr 22 2015 Jamie Nguyen - 1:1.8.0-1 - update to upstream release 1.8.0 * Thu Apr 09 2015 Jamie Nguyen - 1:1.7.12-1 - update to upstream release 1.7.12 * Sun Feb 15 2015 Jamie Nguyen - 1:1.7.10-1 - update to upstream release 1.7.10 - remove systemd conditionals * Wed Oct 22 2014 Jamie Nguyen - 1:1.6.2-4 - fix package ownership of directories * Wed Oct 22 2014 Jamie Nguyen - 1:1.6.2-3 - add vim files (#1142849) * Mon Sep 22 2014 Jamie Nguyen - 1:1.6.2-2 - create nginx-filesystem subpackage (patch from Remi Collet) - create /etc/nginx/default.d as a drop-in directory for configuration files for the default server block - clean up nginx.conf * Wed Sep 17 2014 Jamie Nguyen - 1:1.6.2-1 - update to upstream release 1.6.2 - CVE-2014-3616 nginx: virtual host confusion (#1142573) * Wed Aug 27 2014 Jitka Plesnikova - 1:1.6.1-4 - Perl 5.20 rebuild * Sun Aug 17 2014 Fedora Release Engineering - 1:1.6.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild * Tue Aug 05 2014 Jamie Nguyen - 1:1.6.1-2 - add logic for EPEL 7 * Tue Aug 05 2014 Jamie Nguyen - 1:1.6.1-1 - update to upstream release 1.6.1 - (#1126891) CVE-2014-3556: SMTP STARTTLS plaintext injection flaw * Wed Jul 02 2014 Yaakov Selkowitz - 1:1.6.0-3 - Fix FTBFS on aarch64 (#1115559) * Sat Jun 07 2014 Fedora Release Engineering - 1:1.6.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild * Sat Apr 26 2014 Jamie Nguyen - 1:1.6.0-1 - update to upstream release 1.6.0 * Tue Mar 18 2014 Jamie Nguyen - 1:1.4.7-1 - update to upstream release 1.4.7 * Wed Mar 05 2014 Jamie Nguyen - 1:1.4.6-1 - update to upstream release 1.4.6 * Sun Feb 16 2014 Jamie Nguyen - 1:1.4.5-2 - avoid multiple index directives (#1065488) * Sun Feb 16 2014 Jamie Nguyen - 1:1.4.5-1 - update to upstream release 1.4.5 * Wed Nov 20 2013 Peter Borsa - 1:1.4.4-1 - Update to upstream release 1.4.4 - Security fix BZ 1032267 * Sun Nov 03 2013 Jamie Nguyen - 1:1.4.3-1 - update to upstream release 1.4.3 * Fri Aug 09 2013 Jonathan Steffan - 1:1.4.2-3 - Add in conditionals to build for non-systemd targets * Sat Aug 03 2013 Petr Pisar - 1:1.4.2-2 - Perl 5.18 rebuild * Fri Jul 19 2013 Jamie Nguyen - 1:1.4.2-1 - update to upstream release 1.4.2 * Wed Jul 17 2013 Petr Pisar - 1:1.4.1-3 - Perl 5.18 rebuild * Tue Jun 11 2013 Remi Collet - 1:1.4.1-2 - rebuild for new GD 2.1.0 * Tue May 07 2013 Jamie Nguyen - 1:1.4.1-1 - update to upstream release 1.4.1 (#960605, #960606): CVE-2013-2028 stack-based buffer overflow when handling certain chunked transfer encoding requests * Sun Apr 28 2013 Dan Horák - 1:1.4.0-2 - gperftools exist only on selected arches * Fri Apr 26 2013 Jamie Nguyen - 1:1.4.0-1 - update to upstream release 1.4.0 - enable SPDY module (new in this version) - enable http gunzip module (new in this version) - enable google perftools module and add gperftools-devel to BR - enable debugging (#956845) - trim changelog * Tue Apr 02 2013 Jamie Nguyen - 1:1.2.8-1 - update to upstream release 1.2.8 * Fri Feb 22 2013 Jamie Nguyen - 1:1.2.7-2 - make sure nginx directories are not world readable (#913724, #913735) * Sat Feb 16 2013 Jamie Nguyen - 1:1.2.7-1 - update to upstream release 1.2.7 - add .asc file * Tue Feb 05 2013 Jamie Nguyen - 1:1.2.6-6 - use 'kill' instead of 'systemctl' when rotating log files to workaround SELinux issue (#889151) * Wed Jan 23 2013 Jamie Nguyen - 1:1.2.6-5 - uncomment "include /etc/nginx/conf.d/*.conf by default but leave the conf.d directory empty (#903065) * Wed Jan 23 2013 Jamie Nguyen - 1:1.2.6-4 - add comment in nginx.conf regarding "include /etc/nginf/conf.d/*.conf" (#903065) * Wed Dec 19 2012 Jamie Nguyen - 1:1.2.6-3 - use correct file ownership when rotating log files * Tue Dec 18 2012 Jamie Nguyen - 1:1.2.6-2 - send correct kill signal and use correct file permissions when rotating log files (#888225) - send correct kill signal in nginx-upgrade * Tue Dec 11 2012 Jamie Nguyen - 1:1.2.6-1 - update to upstream release 1.2.6 * Sat Nov 17 2012 Jamie Nguyen - 1:1.2.5-1 - update to upstream release 1.2.5 * Sun Oct 28 2012 Jamie Nguyen - 1:1.2.4-1 - update to upstream release 1.2.4 - introduce new systemd-rpm macros (#850228) - link to official documentation not the community wiki (#870733) - do not run systemctl try-restart after package upgrade to allow the administrator to run nginx-upgrade and avoid downtime - add nginx man page (#870738) - add nginx-upgrade man page and remove README.fedora - remove chkconfig from Requires(post/preun) - remove initscripts from Requires(preun/postun) - remove separate configuration files in "/etc/nginx/conf.d" directory and revert to upstream default of a centralized nginx.conf file (#803635) (#842738) * Fri Sep 21 2012 Jamie Nguyen - 1:1.2.3-1 - update to upstream release 1.2.3 * Fri Jul 20 2012 Fedora Release Engineering - 1:1.2.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild * Thu Jun 28 2012 Petr Pisar - 1:1.2.1-2 - Perl 5.16 rebuild * Sun Jun 10 2012 Jamie Nguyen - 1:1.2.1-1 - update to upstream release 1.2.1 * Fri Jun 08 2012 Petr Pisar - 1:1.2.0-2 - Perl 5.16 rebuild * Wed May 16 2012 Jamie Nguyen - 1:1.2.0-1 - update to upstream release 1.2.0 * Wed May 16 2012 Jamie Nguyen - 1:1.0.15-4 - add nginx-upgrade to replace functionality from the nginx initscript that was lost after migration to systemd - add README.fedora to describe usage of nginx-upgrade - nginx.logrotate: use built-in systemd kill command in postrotate script - nginx.service: start after syslog.target and network.target - nginx.service: remove unnecessary references to config file location - nginx.service: use /bin/kill instead of "/usr/sbin/nginx -s" following advice from nginx-devel - nginx.service: use private /tmp * Mon May 14 2012 Jamie Nguyen - 1:1.0.15-3 - fix incorrect postrotate script in nginx.logrotate * Thu Apr 19 2012 Jamie Nguyen - 1:1.0.15-2 - renable auto-cc-gcc patch due to warnings on rawhide * Sat Apr 14 2012 Jamie Nguyen - 1:1.0.15-1 - update to upstream release 1.0.15 - no need to apply auto-cc-gcc patch - add %%global _hardened_build 1 * Thu Mar 15 2012 Jamie Nguyen - 1:1.0.14-1 - update to upstream release 1.0.14 - amend some %%changelog formatting * Tue Mar 06 2012 Jamie Nguyen - 1:1.0.13-1 - update to upstream release 1.0.13 - amend --pid-path and --log-path * Sun Mar 04 2012 Jamie Nguyen - 1:1.0.12-5 - change pid path in nginx.conf to match systemd service file * Sun Mar 04 2012 Jamie Nguyen - 1:1.0.12-3 - fix %%pre scriptlet * Mon Feb 20 2012 Jamie Nguyen - 1:1.0.12-2 - update upstream URL - replace %%define with %%global - remove obsolete BuildRoot tag, %%clean section and %%defattr - remove various unnecessary commands - add systemd service file and update scriptlets - add Epoch to accommodate %%triggerun as part of systemd migration * Sun Feb 19 2012 Jeremy Hinegardner - 1.0.12-1 - Update to 1.0.12 * Thu Nov 17 2011 Keiran "Affix" Smith - 1.0.10-1 - Bugfix: a segmentation fault might occur in a worker process if resolver got a big DNS response. Thanks to Ben Hawkes. - Bugfix: in cache key calculation if internal MD5 implementation wasused; the bug had appeared in 1.0.4. - Bugfix: the module ngx_http_mp4_module sent incorrect "Content-Length" response header line if the "start" argument was used. Thanks to Piotr Sikora. * Thu Oct 27 2011 Keiran "Affix" Smith - 1.0.8-1 - Update to new 1.0.8 stable release * Fri Aug 26 2011 Keiran "Affix" Smith - 1.0.5-1 - Update nginx to Latest Stable Release * Fri Jun 17 2011 Marcela Mašláňová - 1.0.0-3 - Perl mass rebuild * Thu Jun 09 2011 Marcela Mašláňová - 1.0.0-2 - Perl 5.14 mass rebuild * Wed Apr 27 2011 Jeremy Hinegardner - 1.0.0-1 - Update to 1.0.0 * Tue Feb 08 2011 Fedora Release Engineering - 0.8.53-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild * Sun Dec 12 2010 Jeremy Hinegardner - 0.8.53.5 - Extract out default config into its own file (bug #635776) * Sun Dec 12 2010 Jeremy Hinegardner - 0.8.53-4 - Revert ownership of log dir * Sun Dec 12 2010 Jeremy Hinegardner - 0.8.53-3 - Change ownership of /var/log/nginx to be 0700 nginx:nginx - update init script to use killproc -p - add reopen_logs command to init script - update init script to use nginx -q option * Sun Oct 31 2010 Jeremy Hinegardner - 0.8.53-2 - Fix linking of perl module * Sun Oct 31 2010 Jeremy Hinegardner - 0.8.53-1 - Update to new stable 0.8.53 * Sat Jul 31 2010 Jeremy Hinegardner - 0.7.67-2 - add Provides: webserver (bug #619693) * Sun Jun 20 2010 Jeremy Hinegardner - 0.7.67-1 - Update to new stable 0.7.67 - fix bugzilla #591543 * Tue Jun 01 2010 Marcela Maslanova - 0.7.65-2 - Mass rebuild with perl-5.12.0 * Mon Feb 15 2010 Jeremy Hinegardner - 0.7.65-1 - Update to new stable 0.7.65 - change ownership of logdir to root:root - add support for ipv6 (bug #561248) - add random_index_module - add secure_link_module * Fri Dec 04 2009 Jeremy Hinegardner - 0.7.64-1 - Update to new stable 0.7.64