Bug 238739 - www/nginx www/nginx-devel: add support for FreeBSD accept filters
Summary: www/nginx www/nginx-devel: add support for FreeBSD accept filters
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Jochen Neumeister
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-06-21 08:53 UTC by Jeremy Chadwick
Modified: 2019-11-28 10:24 UTC (History)
4 users (show)

See Also:
bugzilla: maintainer-feedback? (joneum)

Attachments
nginx.in diff (for both www/nginx and www/nginx-devel) (2.49 KB, patch)
2019-06-21 08:53 UTC, Jeremy Chadwick 		no flags Details | Diff
nginx.in diff (for both www/nginx and www/nginx-devel) (2.59 KB, patch)
2019-06-21 09:24 UTC, Jeremy Chadwick 		no flags Details | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Chadwick 2019-06-21 08:53:51 UTC 
Created attachment 205253 [details]
nginx.in diff (for both www/nginx and www/nginx-devel)

I noticed that nginx's rc.d script had no support for loading accf_http.ko and accf_data.ko kernel modules (see accf_http(9) and accf_data(9)) dynamically at start.

nginx can use these via the "accept_filter=xxx" argument in the "listen" directive.  Reference: http://nginx.org/en/docs/http/ngx_http_core_module.html#listen

Attached is an svn diff/patch for www/{nginx,nginx-devel}/files/nginx.in that adds loading of this module when nginx_http_accept_enable="yes" in rc.conf.  It is based on www/apache24/files/apache24.in which has worked for literally decades.

I did not add the "eval" line supporting this shim via nginx profiles because I don't use/understand them.  But it should be a single line if needed.

Note: testing this was annoying because for whatever reason on stable/11, once accf_http.ko and accf_data.ko are loaded, they cannot be unloaded (Operation not permitted, even when kern.securelevel == -1, no processes using the filters are even running nor any lingering TCP sessions in TIME_WAIT or other states).  Just something to be aware of.

Thanks.
Comment 1 Jeremy Chadwick 2019-06-21 08:55:15 UTC 
Adding osa@ (www/nginx-devel maintainer).
Comment 2 Jeremy Chadwick 2019-06-21 09:24:12 UTC 
Created attachment 205256 [details]
nginx.in diff (for both www/nginx and www/nginx-devel)

Updated patch to make use of rc.subr's required_modules and thus load_kld; cleaner and more standardised.  This method was partially based on /etc/rc.d/ipfw.  Testing showed this does work properly.

Also moved the checkyesno conditional *before* nginx_checkconfig, since I'm not sure if nginx -t would test to see if a valid accept_filter was available or not; maybe that's only done at runtime/without -t?
Comment 3 commit-hook freebsd_committer freebsd_triage 2019-11-16 20:00:42 UTC 
A commit references this bug:

Author: osa
Date: Sat Nov 16 19:59:52 UTC 2019
New revision: 517774
URL: https://svnweb.freebsd.org/changeset/ports/517774

Log:
  Add support for FreeBSD accept filters.

  Bump PORTREVISION.

  PR:	238739

Changes:
  head/www/nginx-devel/Makefile
  head/www/nginx-devel/files/nginx.in
Comment 4 commit-hook freebsd_committer freebsd_triage 2019-11-28 10:18:00 UTC 
A commit references this bug:

Author: joneum
Date: Thu Nov 28 10:17:38 UTC 2019
New revision: 518572
URL: https://svnweb.freebsd.org/changeset/ports/518572

Log:
  - Add support for FreeBSD accept filters [1]
  - Fix build with HTTP_AUTH_KRB5 after r518471 [2]
  - Update 3rd party Modul

  PR:	238739 [1], 242256 [2]
  Sponsored by:	Netzkommune GmbH

Changes:
  head/www/nginx/Makefile
  head/www/nginx/Makefile.extmod
  head/www/nginx/distinfo
  head/www/nginx/files/extra-patch-spnego-http-auth-nginx-module-config
  head/www/nginx/files/nginx.in