Bug 238739 - www/nginx www/nginx-devel: add support for FreeBSD accept filters
Summary: www/nginx www/nginx-devel: add support for FreeBSD accept filters
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Jochen Neumeister
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-06-21 08:53 UTC by Jeremy Chadwick
Modified: 2019-11-28 10:24 UTC

See Also:
bugzilla: maintainer-feedback? (joneum)


Attachments
nginx.in diff (for both www/nginx and www/nginx-devel) (2.49 KB, patch)
2019-06-21 08:53 UTC, Jeremy Chadwick
nginx.in diff (for both www/nginx and www/nginx-devel) (2.59 KB, patch)
2019-06-21 09:24 UTC, Jeremy Chadwick

Description Jeremy Chadwick 2019-06-21 08:53:51 UTC
Created attachment 205253
nginx.in diff (for both www/nginx and www/nginx-devel)

I noticed that nginx's rc.d script had no support for loading accf_http.ko and accf_data.ko kernel modules (see accf_http(9) and accf_data(9)) dynamically at start.

nginx can use these via the "accept_filter=xxx" argument in the "listen" directive.  Reference: http://nginx.org/en/docs/http/ngx_http_core_module.html#listen

Attached is an svn diff/patch for www/{nginx,nginx-devel}/files/nginx.in that adds loading of this module when nginx_http_accept_enable="yes" in rc.conf.  It is based on www/apache24/files/apache24.in which has worked for literally decades.

I did not add the "eval" line supporting this shim via nginx profiles because I don't use/understand them.  But it should be a single line if needed.

Note: testing this was annoying because for whatever reason on stable/11, once accf_http.ko and accf_data.ko are loaded, they cannot be unloaded (Operation not permitted, even when kern.securelevel == -1, no processes using the filters are even running nor any lingering TCP sessions in TIME_WAIT or other states).  Just something to be aware of.

Thanks.
Comment 1 Jeremy Chadwick 2019-06-21 08:55:15 UTC
Adding osa@ (www/nginx-devel maintainer).
Comment 2 Jeremy Chadwick 2019-06-21 09:24:12 UTC
Created attachment 205256
nginx.in diff (for both www/nginx and www/nginx-devel)

Updated patch to make use of rc.subr's required_modules and thus load_kld; cleaner and more standardised.  This method was partially based on /etc/rc.d/ipfw.  Testing showed this does work properly.

Also moved the checkyesno conditional *before* nginx_checkconfig, since I'm not sure if nginx -t would test to see if a valid accept_filter was available or not; maybe that's only done at runtime/without -t?
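
The dependency this report addresses, as an added example that is not part of the original comments or the attached patch: a shell script that reads the accept_filter= values from listen directives and lists the accf_* kernel modules they need. The sample configuration, the function names and the LOADED_CHECK hook are assumptions made for the example, and it expects one listen directive per line.

```shell
#!/bin/sh
# Added example (not from the bug report): list the accf_* kernel modules that
# the accept_filter= arguments in an nginx configuration depend on.
# Constructed sample configuration, one listen directive per line.
SAMPLE_CONF='
server {
    listen 80 accept_filter=httpready;
    listen 443 ssl accept_filter=dataready;
    # listen 8080 accept_filter=httpready;
}
server {
    listen 8443 ssl accept_filter=bogus;
    listen 8081;
}'

# Print the distinct accept_filter names used by active listen directives.
filters_in_conf() {
    printf '%s\n' "$1" |
        sed 's/#.*$//' |
        grep -E '^[[:space:]]*listen[[:space:]]' |
        tr -s ' \t;' '\n\n\n' |
        sed -n 's/^accept_filter=//p' |
        sort -u
}

# Map a filter name to the module that provides it (accf_http(9), accf_data(9)).
module_for_filter() {
    case "$1" in
        httpready) echo accf_http ;;
        dataready) echo accf_data ;;
        *) echo "unknown:$1" ;;
    esac
}

# Space-separated module list for a configuration; unrecognised names are flagged.
required_accf_modules() {
    for f in $(filters_in_conf "$1"); do
        module_for_filter "$f"
    done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Modules from the list that are not loaded. LOADED_CHECK is a hypothetical
# hook so the check can be stubbed; on FreeBSD it defaults to kldstat -q -m.
missing_modules() {
    for m in $1; do
        case "$m" in unknown:*) continue ;; esac
        ${LOADED_CHECK:-kldstat -q -m} "$m" >/dev/null 2>&1 || printf '%s\n' "$m"
    done
}
```

An `unknown:` entry points at a filter name that neither accf_http nor accf_data provides, which is worth catching before the service is started.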
Comment 3 commit-hook freebsd_committer freebsd_triage 2019-11-16 20:00:42 UTC
A commit references this bug:

Author: osa
Date: Sat Nov 16 19:59:52 UTC 2019
New revision: 517774
URL: https://svnweb.freebsd.org/changeset/ports/517774

Log:
  Add support for FreeBSD accept filters.

  Bump PORTREVISION.

  PR:	238739

Changes:
  head/www/nginx-devel/Makefile
  head/www/nginx-devel/files/nginx.in
Comment 4 commit-hook freebsd_committer freebsd_triage 2019-11-28 10:18:00 UTC
A commit references this bug:

Author: joneum
Date: Thu Nov 28 10:17:38 UTC 2019
New revision: 518572
URL: https://svnweb.freebsd.org/changeset/ports/518572

Log:
  - Add support for FreeBSD accept filters [1]
  - Fix build with HTTP_AUTH_KRB5 after r518471 [2]
  - Update 3rd party Modul

  PR:	238739 [1], 242256 [2]
  Sponsored by:	Netzkommune GmbH

Changes:
  head/www/nginx/Makefile
  head/www/nginx/Makefile.extmod
  head/www/nginx/distinfo
  head/www/nginx/files/extra-patch-spnego-http-auth-nginx-module-config
  head/www/nginx/files/nginx.in