nginx: detect duplicate modules

Nginx breaks at runtime when duplicate modules are added. To detect
this, add a `name` key to all modules.

Also remove the outdated modsecurity v2 module and unify `modsecurity`
and `modsecurity-nginx`.
This commit is contained in:
Naïm Favier 2022-12-14 12:36:30 +01:00 committed by Sandro Jäckel
parent 84575b0bd8
commit 6c61c436cf
No known key found for this signature in database
GPG Key ID: 3AF5A43A3EECC2E5
4 changed files with 68 additions and 21 deletions


@ -4,7 +4,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
nodes.machine = { config, lib, pkgs, ... }: { nodes.machine = { config, lib, pkgs, ... }: {
services.nginx = { services.nginx = {
enable = true; enable = true;
additionalModules = [ pkgs.nginxModules.modsecurity-nginx ]; additionalModules = [ pkgs.nginxModules.modsecurity ];
virtualHosts.localhost = virtualHosts.localhost =
let modsecurity_conf = pkgs.writeText "modsecurity.conf" '' let modsecurity_conf = pkgs.writeText "modsecurity.conf" ''
SecRuleEngine On SecRuleEngine On


@ -32,6 +32,9 @@ with lib;
let let
moduleNames = map (mod: mod.name or (throw "The nginx module with source ${toString mod.src} does not have a `name` attribute. This prevents duplicate module detection and is no longer supported."))
modules;
mapModules = attrPath: flip concatMap modules mapModules = attrPath: flip concatMap modules
(mod: (mod:
let supports = mod.supports or (_: true); let supports = mod.supports or (_: true);
@ -41,6 +44,9 @@ let
in in
assert assertMsg (unique moduleNames == moduleNames)
"nginx: duplicate modules: ${concatStringsSep ", " moduleNames}. A common cause for this is that services.nginx.additionalModules adds a module which the nixos module itself already adds.";
stdenv.mkDerivation { stdenv.mkDerivation {
inherit pname; inherit pname;
inherit version; inherit version;
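Review bot: The `assert assertMsg (unique moduleNames == moduleNames)` check keys duplicate detection solely on the free-form `name` string, so two modules with the same `name` but different `src` are rejected as duplicates while nothing ties the name to the source; the `http_proxy_connect_module_generic` helper in the modules file gives every patch variant `name = "http_proxy_connect"`, so this case exists in-tree. If one-module-per-name is the intended contract it deserves a comment where `moduleNames` is defined, e.g. `# name is the module's identity for duplicate detection: two modules with the same name count as the same module even when their src differs.`. The `throw` for a missing `name` also evaluates `toString mod.src`, so a module lacking both attributes would presumably fail with a bare missing-attribute error instead of this message; `mod.src or "<unknown src>"` would keep the diagnostic. The enclosing `let` opens before the first hunk and the `in` body continues past the second.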


@ -1,8 +1,9 @@
{ fetchFromGitHub, fetchFromGitLab, fetchhg, lib, pkgs }: { config, fetchFromGitHub, fetchFromGitLab, fetchhg, lib, pkgs }:
let let
http_proxy_connect_module_generic = patchName: rec { http_proxy_connect_module_generic = patchName: rec {
name = "http_proxy_connect";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "http_proxy_connect_module_generic"; name = "http_proxy_connect_module_generic";
owner = "chobits"; owner = "chobits";
@ -10,7 +11,6 @@ let
rev = "96ae4e06381f821218f368ad0ba964f87cbe0266"; rev = "96ae4e06381f821218f368ad0ba964f87cbe0266";
sha256 = "1nc7z31i7x9dzp67kzgvs34hs6ps749y26wcpi3wf5mm63i803rh"; sha256 = "1nc7z31i7x9dzp67kzgvs34hs6ps749y26wcpi3wf5mm63i803rh";
}; };
patches = [ patches = [
"${src}/patch/${patchName}.patch" "${src}/patch/${patchName}.patch"
]; ];
@ -18,11 +18,12 @@ let
in in
{ let self = {
fastcgi-cache-purge = throw "fastcgi-cache-purge was renamed to cache-purge"; fastcgi-cache-purge = throw "fastcgi-cache-purge was renamed to cache-purge";
ngx_aws_auth = throw "ngx_aws_auth was renamed to aws-auth"; ngx_aws_auth = throw "ngx_aws_auth was renamed to aws-auth";
akamai-token-validate = { akamai-token-validate = {
name = "akamai-token-validate";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "akamai-token-validate"; name = "akamai-token-validate";
owner = "kaltura"; owner = "kaltura";
@ -34,6 +35,7 @@ in
}; };
auth-a2aclr = { auth-a2aclr = {
name = "auth-a2aclr";
src = fetchFromGitLab { src = fetchFromGitLab {
name = "auth-a2aclr"; name = "auth-a2aclr";
owner = "arpa2"; owner = "arpa2";
@ -57,6 +59,7 @@ in
}; };
aws-auth = { aws-auth = {
name = "aws-auth";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "aws-auth"; name = "aws-auth";
owner = "anomalizer"; owner = "anomalizer";
@ -67,6 +70,7 @@ in
}; };
brotli = { brotli = {
name = "brotli";
src = let gitsrc = pkgs.fetchFromGitHub { src = let gitsrc = pkgs.fetchFromGitHub {
name = "brotli"; name = "brotli";
owner = "google"; owner = "google";
@ -83,6 +87,7 @@ in
}; };
cache-purge = { cache-purge = {
name = "cache-purge";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "cache-purge"; name = "cache-purge";
owner = "nginx-modules"; owner = "nginx-modules";
@ -93,6 +98,7 @@ in
}; };
coolkit = { coolkit = {
name = "coolkit";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "coolkit"; name = "coolkit";
owner = "FRiCKLE"; owner = "FRiCKLE";
@ -103,6 +109,7 @@ in
}; };
dav = { dav = {
name = "dav";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "dav"; name = "dav";
owner = "arut"; owner = "arut";
@ -114,6 +121,7 @@ in
}; };
develkit = { develkit = {
name = "develkit";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "develkit"; name = "develkit";
owner = "vision5"; owner = "vision5";
@ -124,6 +132,7 @@ in
}; };
echo = { echo = {
name = "echo";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "echo"; name = "echo";
owner = "openresty"; owner = "openresty";
@ -134,6 +143,7 @@ in
}; };
fancyindex = { fancyindex = {
name = "fancyindex";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "fancyindex"; name = "fancyindex";
owner = "aperezdc"; owner = "aperezdc";
@ -147,6 +157,7 @@ in
}; };
fluentd = { fluentd = {
name = "fluentd";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "fluentd"; name = "fluentd";
owner = "fluent"; owner = "fluent";
@ -157,6 +168,7 @@ in
}; };
geoip2 = { geoip2 = {
name = "geoip2";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "geoip2"; name = "geoip2";
owner = "leev"; owner = "leev";
@ -180,6 +192,7 @@ in
}; };
ipscrub = { ipscrub = {
name = "ipscrub";
src = fetchFromGitHub src = fetchFromGitHub
{ {
name = "ipscrub"; name = "ipscrub";
@ -192,6 +205,7 @@ in
}; };
limit-speed = { limit-speed = {
name = "limit-speed";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "limit-speed"; name = "limit-speed";
owner = "yaoweibin"; owner = "yaoweibin";
@ -202,6 +216,7 @@ in
}; };
live = { live = {
name = "live";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "live"; name = "live";
owner = "arut"; owner = "arut";
@ -212,6 +227,7 @@ in
}; };
lua = { lua = {
name = "lua";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "lua"; name = "lua";
owner = "openresty"; owner = "openresty";
@ -228,6 +244,7 @@ in
}; };
lua-upstream = { lua-upstream = {
name = "lua-upstream";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "lua-upstream"; name = "lua-upstream";
owner = "openresty"; owner = "openresty";
@ -240,14 +257,7 @@ in
}; };
modsecurity = { modsecurity = {
src = "${pkgs.modsecurity_standalone.nginx}/nginx/modsecurity"; name = "modsecurity";
inputs = [ pkgs.curl pkgs.apr pkgs.aprutil pkgs.apacheHttpd pkgs.yajl ];
preConfigure = ''
export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -I${pkgs.aprutil.dev}/include/apr-1 -I${pkgs.apacheHttpd.dev}/include -I${pkgs.apr.dev}/include/apr-1 -I${pkgs.yajl}/include"
'';
};
modsecurity-nginx = {
src = fetchFromGitHub { src = fetchFromGitHub {
name = "modsecurity-nginx"; name = "modsecurity-nginx";
owner = "SpiderLabs"; owner = "SpiderLabs";
@ -260,6 +270,7 @@ in
}; };
moreheaders = { moreheaders = {
name = "moreheaders";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "moreheaders"; name = "moreheaders";
owner = "openresty"; owner = "openresty";
@ -270,6 +281,7 @@ in
}; };
mpeg-ts = { mpeg-ts = {
name = "mpeg-ts";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "mpeg-ts"; name = "mpeg-ts";
owner = "arut"; owner = "arut";
@ -280,17 +292,18 @@ in
}; };
naxsi = { naxsi = {
src = fetchFromGitHub name = "naxsi";
{ src = fetchFromGitHub {
name = "naxsi"; name = "naxsi";
owner = "nbs-system"; owner = "nbs-system";
repo = "naxsi"; repo = "naxsi";
rev = "95ac520eed2ea04098a76305fd0ad7e9158840b7"; rev = "95ac520eed2ea04098a76305fd0ad7e9158840b7";
sha256 = "0b5pnqkgg18kbw5rf2ifiq7lsx5rqmpqsql6hx5ycxjzxj6acfb3"; sha256 = "0b5pnqkgg18kbw5rf2ifiq7lsx5rqmpqsql6hx5ycxjzxj6acfb3";
} + "/naxsi_src"; } + "/naxsi_src";
}; };
njs = rec { njs = rec {
name = "njs";
src = fetchhg { src = fetchhg {
url = "https://hg.nginx.org/njs"; url = "https://hg.nginx.org/njs";
rev = "0.7.8"; rev = "0.7.8";
@ -313,6 +326,7 @@ in
}; };
opentracing = { opentracing = {
name = "opentracing";
src = src =
let src' = fetchFromGitHub { let src' = fetchFromGitHub {
name = "opentracing"; name = "opentracing";
@ -353,12 +367,14 @@ in
''; '';
in in
{ {
name = "pagespeed";
src = ngx_pagespeed; src = ngx_pagespeed;
inputs = [ pkgs.zlib pkgs.libuuid ]; # psol deps inputs = [ pkgs.zlib pkgs.libuuid ]; # psol deps
allowMemoryWriteExecute = true; allowMemoryWriteExecute = true;
}; };
pam = { pam = {
name = "pam";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "pam"; name = "pam";
owner = "sto"; owner = "sto";
@ -370,6 +386,7 @@ in
}; };
pinba = { pinba = {
name = "pinba";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "pinba"; name = "pinba";
owner = "tony2001"; owner = "tony2001";
@ -380,6 +397,7 @@ in
}; };
push-stream = { push-stream = {
name = "push-stream";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "push-stream"; name = "push-stream";
owner = "wandenberg"; owner = "wandenberg";
@ -390,6 +408,7 @@ in
}; };
rtmp = { rtmp = {
name = "rtmp";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "rtmp"; name = "rtmp";
owner = "arut"; owner = "arut";
@ -400,6 +419,7 @@ in
}; };
secure-token = { secure-token = {
name = "secure-token";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "secure-token"; name = "secure-token";
owner = "kaltura"; owner = "kaltura";
@ -411,6 +431,7 @@ in
}; };
set-misc = { set-misc = {
name = "set-misc";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "set-misc"; name = "set-misc";
owner = "openresty"; owner = "openresty";
@ -421,6 +442,7 @@ in
}; };
shibboleth = { shibboleth = {
name = "shibboleth";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "shibboleth"; name = "shibboleth";
owner = "nginx-shib"; owner = "nginx-shib";
@ -431,6 +453,7 @@ in
}; };
sla = { sla = {
name = "sla";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "sla"; name = "sla";
owner = "goldenclone"; owner = "goldenclone";
@ -441,6 +464,7 @@ in
}; };
slowfs-cache = { slowfs-cache = {
name = "slowfs-cache";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "slowfs-cache"; name = "slowfs-cache";
owner = "FRiCKLE"; owner = "FRiCKLE";
@ -451,6 +475,7 @@ in
}; };
sorted-querystring = { sorted-querystring = {
name = "sorted-querystring";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "sorted-querystring"; name = "sorted-querystring";
owner = "wandenberg"; owner = "wandenberg";
@ -461,6 +486,7 @@ in
}; };
spnego-http-auth = { spnego-http-auth = {
name = "spnego-http-auth";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "spnego-http-auth"; name = "spnego-http-auth";
owner = "stnoonan"; owner = "stnoonan";
@ -471,6 +497,7 @@ in
}; };
statsd = { statsd = {
name = "statsd";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "statsd"; name = "statsd";
owner = "harvesthq"; owner = "harvesthq";
@ -481,6 +508,7 @@ in
}; };
stream-sts = { stream-sts = {
name = "stream-sts";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "stream-sts"; name = "stream-sts";
owner = "vozlt"; owner = "vozlt";
@ -491,6 +519,7 @@ in
}; };
sts = { sts = {
name = "sts";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "sts"; name = "sts";
owner = "vozlt"; owner = "vozlt";
@ -501,6 +530,7 @@ in
}; };
subsFilter = { subsFilter = {
name = "subsFilter";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "subsFilter"; name = "subsFilter";
owner = "yaoweibin"; owner = "yaoweibin";
@ -511,6 +541,7 @@ in
}; };
sysguard = { sysguard = {
name = "sysguard";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "sysguard"; name = "sysguard";
owner = "vozlt"; owner = "vozlt";
@ -521,6 +552,7 @@ in
}; };
upload = { upload = {
name = "upload";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "upload"; name = "upload";
owner = "fdintino"; owner = "fdintino";
@ -531,6 +563,7 @@ in
}; };
upstream-check = { upstream-check = {
name = "upstream-check";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "upstream-check"; name = "upstream-check";
owner = "yaoweibin"; owner = "yaoweibin";
@ -541,6 +574,7 @@ in
}; };
upstream-tarantool = { upstream-tarantool = {
name = "upstream-tarantool";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "upstream-tarantool"; name = "upstream-tarantool";
owner = "tarantool"; owner = "tarantool";
@ -552,6 +586,7 @@ in
}; };
url = { url = {
name = "url";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "url"; name = "url";
owner = "vozlt"; owner = "vozlt";
@ -562,6 +597,7 @@ in
}; };
video-thumbextractor = { video-thumbextractor = {
name = "video-thumbextractor";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "video-thumbextractor"; name = "video-thumbextractor";
owner = "wandenberg"; owner = "wandenberg";
@ -573,6 +609,7 @@ in
}; };
vod = { vod = {
name = "vod";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "vod"; name = "vod";
owner = "kaltura"; owner = "kaltura";
@ -584,6 +621,7 @@ in
}; };
vts = { vts = {
name = "vts";
src = fetchFromGitHub { src = fetchFromGitHub {
name = "vts"; name = "vts";
owner = "vozlt"; owner = "vozlt";
@ -592,4 +630,7 @@ in
sha256 = "sha256-x4ry5ljPeJQY+7Mp04/xYIGf22d6Nee7CSqHezdK4gQ="; sha256 = "sha256-x4ry5ljPeJQY+7Mp04/xYIGf22d6Nee7CSqHezdK4gQ=";
}; };
}; };
}; in self // lib.optionalAttrs config.allowAliases {
# deprecated or renamed packages
modsecurity-nginx = self.modsecurity;
} }
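Review bot: The `modsecurity` attribute changes meaning without any signal to existing users: before this hunk it built the module from `pkgs.modsecurity_standalone.nginx` with the apr/apache/yajl inputs, and after it it is the SpiderLabs `modsecurity-nginx` source, so a configuration already listing `nginxModules.modsecurity` in `additionalModules` keeps evaluating but silently builds a different module with different build inputs and, presumably, different runtime requirements. Only the reverse direction got an alias, and that alias is silent while the neighbouring renames in this file use `throw`. Consider `modsecurity-nginx = lib.warn "nginxModules.modsecurity-nginx was renamed to nginxModules.modsecurity" self.modsecurity;` so the rename is visible at evaluation time, plus a comment on the `modsecurity` attribute stating that it is the modsecurity-nginx connector and that the previous module under this name was removed. The shared `name = "http_proxy_connect"` in `http_proxy_connect_module_generic` also means the new duplicate check in generic.nix treats every variant as one module; that looks intended but is worth a one-line comment there.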


@ -34907,7 +34907,7 @@ with pkgs;
tengine = callPackage ../servers/http/tengine { tengine = callPackage ../servers/http/tengine {
openssl = openssl_1_1; openssl = openssl_1_1;
modules = with nginxModules; [ rtmp dav moreheaders modsecurity-nginx ]; modules = with nginxModules; [ rtmp dav moreheaders modsecurity ];
}; };
tennix = callPackage ../games/tennix { }; tennix = callPackage ../games/tennix { };