Bug 238739

Summary: www/nginx www/nginx-devel: add support for FreeBSD accept filters
Product: Ports & Packages
Reporter: Jeremy Chadwick <jdc>
Component: Individual Port(s)
Assignee: Jochen Neumeister <joneum>
Status: Closed FIXED
Severity: Affects Some People
CC: debdrup, jdc, joneum, osa
Priority: ---
Flags: bugzilla: maintainer-feedback? (joneum)
Version: Latest
Hardware: Any
OS: Any
Attachments (description, flags):
  nginx.in diff (for both www/nginx and www/nginx-devel), none
  nginx.in diff (for both www/nginx and www/nginx-devel), none

Description Jeremy Chadwick 2019-06-21 08:53:51 UTC
Created attachment 205253 [details]
nginx.in diff (for both www/nginx and www/nginx-devel)

I noticed that nginx's rc.d script had no support for loading accf_http.ko and accf_data.ko kernel modules (see accf_http(9) and accf_data(9)) dynamically at start.

nginx can use these via the "accept_filter=xxx" argument in the "listen" directive.  Reference: http://nginx.org/en/docs/http/ngx_http_core_module.html#listen

Attached is an svn diff/patch for www/{nginx,nginx-devel}/files/nginx.in that adds loading of this module when nginx_http_accept_enable="yes" in rc.conf.  It is based on www/apache24/files/apache24.in which has worked for literally decades.

I did not add the "eval" line supporting this shim via nginx profiles because I don't use/understand them.  But it should be a single line if needed.

Note: testing this was annoying because for whatever reason on stable/11, once accf_http.ko and accf_data.ko are loaded, they cannot be unloaded (Operation not permitted, even when kern.securelevel == -1, no processes using the filters are even running nor any lingering TCP sessions in TIME_WAIT or other states).  Just something to be aware of.

Thanks.

Comment 1 Jeremy Chadwick 2019-06-21 08:55:15 UTC
Adding osa@ (www/nginx-devel maintainer).

Comment 2 Jeremy Chadwick 2019-06-21 09:24:12 UTC
Created attachment 205256 [details]
nginx.in diff (for both www/nginx and www/nginx-devel)

Updated patch to make use of rc.subr's required_modules and thus load_kld; cleaner and more standardised.  This method was partially based on /etc/rc.d/ipfw.  Testing showed this does work properly.

Also moved the checkyesno conditional *before* nginx_checkconfig, since I'm not sure if nginx -t would test to see if a valid accept_filter was available or not; maybe that's only done at runtime/without -t?
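
A preflight check for the point raised in Comment 2 (whether the accept filter named in a listen directive has its kernel module loaded), as an added example that is not part of this thread or of the port's rc.d script. The function names and the sample nginx.conf and `kldstat -v` text are constructed here, and it assumes one listen directive per line.

```shell
#!/bin/sh
# Added example, not the port's rc.d script. Assumes one listen directive
# per line; the function names and sample data are constructed here.

# Print each distinct accept_filter value used by listen directives in $1.
wanted_filters() {
    sed -n -E -e 's/#.*//' \
        -e 's/^[[:space:]]*listen[[:space:]].*accept_filter=([A-Za-z0-9_]+).*/\1/p' \
        "$1" | sort -u
}

# Map an accept filter name to the kernel module that provides it.
filter_module() {
    case "$1" in
        httpready) echo accf_http ;;
        dataready) echo accf_data ;;
        *) return 1 ;;
    esac
}

# Print modules needed by config $1 that are absent from $2, a file
# holding `kldstat -v` output captured on the FreeBSD host.
missing_modules() {
    wanted_filters "$1" | while read -r f; do
        m=$(filter_module "$f") || { echo "unknown-filter:$f"; continue; }
        grep -qw "$m" "$2" || echo "$m"
    done
}

# Constructed sample: two filters requested, only accf_data loaded.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/nginx.conf" <<'EOF'
server {
    listen 80 accept_filter=httpready;
    listen 443 ssl accept_filter=dataready;
    # listen 8080 accept_filter=bogus;
}
EOF
    cat > "$d/kldstat.txt" <<'EOF'
 1    5 0xffffffff80200000  1f3e2d0 kernel
 2    1 0xffffffff82319000     2a68 accf_data.ko (/boot/kernel/accf_data.ko)
EOF
    missing_modules "$d/nginx.conf" "$d/kldstat.txt"
    rm -rf "$d"
}

demo
```

An empty result means every filter the config names has its module in the captured list; an `unknown-filter:` line flags a value that is neither `httpready` nor `dataready`.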

Comment 3 commit-hook freebsd_committer freebsd_triage 2019-11-16 20:00:42 UTC
A commit references this bug:

Author: osa
Date: Sat Nov 16 19:59:52 UTC 2019
New revision: 517774
URL: https://svnweb.freebsd.org/changeset/ports/517774

Log:
  Add support for FreeBSD accept filters.

  Bump PORTREVISION.

  PR:	238739

Changes:
  head/www/nginx-devel/Makefile
  head/www/nginx-devel/files/nginx.in

Comment 4 commit-hook freebsd_committer freebsd_triage 2019-11-28 10:18:00 UTC
A commit references this bug:

Author: joneum
Date: Thu Nov 28 10:17:38 UTC 2019
New revision: 518572
URL: https://svnweb.freebsd.org/changeset/ports/518572

Log:
  - Add support for FreeBSD accept filters [1]
  - Fix build with HTTP_AUTH_KRB5 after r518471 [2]
  - Update 3rd party Modul

  PR:	238739 [1], 242256 [2]
  Sponsored by:	Netzkommune GmbH

Changes:
  head/www/nginx/Makefile
  head/www/nginx/Makefile.extmod
  head/www/nginx/distinfo
  head/www/nginx/files/extra-patch-spnego-http-auth-nginx-module-config
  head/www/nginx/files/nginx.in