
nginx: detect duplicate modules

Nginx breaks at runtime when duplicate modules are added. To detect
this, add a `name` key to all modules.

Also remove the outdated modsecurity v2 module and unify `modsecurity`
and `modsecurity-nginx`.

authored by

Naïm Favier and committed by
Sandro Jäckel
6c61c436 84575b0b

+68 -21
+1 -1
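--- a/nixos/tests/nginx-modsecurity.nix
+++ b/nixos/tests/nginx-modsecurity.nix
@@ -4,7 +4,7 @@
   nodes.machine = { config, lib, pkgs, ... }: {
     services.nginx = {
       enable = true;
-      additionalModules = [ pkgs.nginxModules.modsecurity-nginx ];
+      additionalModules = [ pkgs.nginxModules.modsecurity ];
       virtualHosts.localhost =
         let modsecurity_conf = pkgs.writeText "modsecurity.conf" ''
           SecRuleEngine On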
+6
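--- a/pkgs/servers/http/nginx/generic.nix
+++ b/pkgs/servers/http/nginx/generic.nix
@@ -32,6 +32,9 @@
 
 let
 
+  moduleNames = map (mod: mod.name or (throw "The nginx module with source ${toString mod.src} does not have a `name` attribute. This prevents duplicate module detection and is no longer supported."))
+    modules;
+
   mapModules = attrPath: flip concatMap modules
     (mod:
       let supports = mod.supports or (_: true);
@@ -40,6 +43,9 @@
       else throw "Module at ${toString mod.src} does not support nginx version ${nginxVersion}!");
 
 in
+
+assert assertMsg (unique moduleNames == moduleNames)
+  "nginx: duplicate modules: ${concatStringsSep ", " moduleNames}. A common cause for this is that services.nginx.additionalModules adds a module which the nixos module itself already adds.";
 
 stdenv.mkDerivation {
   inherit pname;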
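Review bot: The assertion message on new line 48 interpolates every module name rather than only the repeated ones, so on a build with many modules the user still has to spot the duplicate by eye. Computing the offenders first, e.g. `dupes = unique (filter (n: count (m: m == n) moduleNames > 1) moduleNames);` next to `moduleNames` and printing `${concatStringsSep ", " dupes}` in the message, would point straight at the cause. `assertMsg`, `unique` and `concatStringsSep` are presumably brought in by a `with lib;` above the hunk; confirm `count` is in scope the same way. The `let` block and the `stdenv.mkDerivation` call it feeds continue outside the hunk.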
+60 -19
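--- a/pkgs/servers/http/nginx/modules.nix
+++ b/pkgs/servers/http/nginx/modules.nix
@@ -1,8 +1,9 @@
-{ fetchFromGitHub, fetchFromGitLab, fetchhg, lib, pkgs }:
+{ config, fetchFromGitHub, fetchFromGitLab, fetchhg, lib, pkgs }:
 
 let
 
   http_proxy_connect_module_generic = patchName: rec {
+    name = "http_proxy_connect";
     src = fetchFromGitHub {
       name = "http_proxy_connect_module_generic";
       owner = "chobits";
@@ -10,7 +11,6 @@
       rev = "96ae4e06381f821218f368ad0ba964f87cbe0266";
       sha256 = "1nc7z31i7x9dzp67kzgvs34hs6ps749y26wcpi3wf5mm63i803rh";
     };
-
     patches = [
       "${src}/patch/${patchName}.patch"
     ];
@@ -18,11 +18,12 @@
 
 in
 
-{
+let self = {
   fastcgi-cache-purge = throw "fastcgi-cache-purge was renamed to cache-purge";
   ngx_aws_auth = throw "ngx_aws_auth was renamed to aws-auth";
 
   akamai-token-validate = {
+    name = "akamai-token-validate";
     src = fetchFromGitHub {
       name = "akamai-token-validate";
       owner = "kaltura";
@@ -34,6 +35,7 @@
   };
 
   auth-a2aclr = {
+    name = "auth-a2aclr";
     src = fetchFromGitLab {
       name = "auth-a2aclr";
       owner = "arpa2";
@@ -57,6 +59,7 @@
   };
 
   aws-auth = {
+    name = "aws-auth";
     src = fetchFromGitHub {
       name = "aws-auth";
       owner = "anomalizer";
@@ -67,6 +70,7 @@
   };
 
   brotli = {
+    name = "brotli";
     src = let gitsrc = pkgs.fetchFromGitHub {
       name = "brotli";
       owner = "google";
@@ -83,6 +87,7 @@
   };
 
   cache-purge = {
+    name = "cache-purge";
     src = fetchFromGitHub {
       name = "cache-purge";
       owner = "nginx-modules";
@@ -93,6 +98,7 @@
   };
 
   coolkit = {
+    name = "coolkit";
     src = fetchFromGitHub {
       name = "coolkit";
       owner = "FRiCKLE";
@@ -103,6 +109,7 @@
   };
 
   dav = {
+    name = "dav";
     src = fetchFromGitHub {
       name = "dav";
       owner = "arut";
@@ -114,6 +121,7 @@
   };
 
   develkit = {
+    name = "develkit";
     src = fetchFromGitHub {
       name = "develkit";
       owner = "vision5";
@@ -124,6 +132,7 @@
   };
 
   echo = {
+    name = "echo";
     src = fetchFromGitHub {
       name = "echo";
       owner = "openresty";
@@ -134,6 +143,7 @@
   };
 
   fancyindex = {
+    name = "fancyindex";
     src = fetchFromGitHub {
       name = "fancyindex";
       owner = "aperezdc";
@@ -147,6 +157,7 @@
   };
 
   fluentd = {
+    name = "fluentd";
     src = fetchFromGitHub {
       name = "fluentd";
       owner = "fluent";
@@ -157,6 +168,7 @@
   };
 
   geoip2 = {
+    name = "geoip2";
     src = fetchFromGitHub {
       name = "geoip2";
       owner = "leev";
@@ -180,6 +192,7 @@
   };
 
   ipscrub = {
+    name = "ipscrub";
     src = fetchFromGitHub
     {
       name = "ipscrub";
@@ -192,6 +205,7 @@
   };
 
   limit-speed = {
+    name = "limit-speed";
     src = fetchFromGitHub {
       name = "limit-speed";
       owner = "yaoweibin";
@@ -202,6 +216,7 @@
   };
 
   live = {
+    name = "live";
     src = fetchFromGitHub {
       name = "live";
       owner = "arut";
@@ -212,6 +227,7 @@
   };
 
   lua = {
+    name = "lua";
     src = fetchFromGitHub {
       name = "lua";
       owner = "openresty";
@@ -228,6 +244,7 @@
   };
 
   lua-upstream = {
+    name = "lua-upstream";
     src = fetchFromGitHub {
       name = "lua-upstream";
       owner = "openresty";
@@ -240,14 +257,7 @@
   };
 
   modsecurity = {
-    src = "${pkgs.modsecurity_standalone.nginx}/nginx/modsecurity";
-    inputs = [ pkgs.curl pkgs.apr pkgs.aprutil pkgs.apacheHttpd pkgs.yajl ];
-    preConfigure = ''
-      export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -I${pkgs.aprutil.dev}/include/apr-1 -I${pkgs.apacheHttpd.dev}/include -I${pkgs.apr.dev}/include/apr-1 -I${pkgs.yajl}/include"
-    '';
-  };
-
-  modsecurity-nginx = {
+    name = "modsecurity";
     src = fetchFromGitHub {
       name = "modsecurity-nginx";
       owner = "SpiderLabs";
@@ -260,6 +270,7 @@
   };
 
   moreheaders = {
+    name = "moreheaders";
     src = fetchFromGitHub {
       name = "moreheaders";
       owner = "openresty";
@@ -270,6 +281,7 @@
   };
 
   mpeg-ts = {
+    name = "mpeg-ts";
     src = fetchFromGitHub {
       name = "mpeg-ts";
       owner = "arut";
@@ -280,17 +292,18 @@
   };
 
   naxsi = {
-    src = fetchFromGitHub
-    {
-      name = "naxsi";
-      owner = "nbs-system";
-      repo = "naxsi";
-      rev = "95ac520eed2ea04098a76305fd0ad7e9158840b7";
-      sha256 = "0b5pnqkgg18kbw5rf2ifiq7lsx5rqmpqsql6hx5ycxjzxj6acfb3";
-    } + "/naxsi_src";
+    name = "naxsi";
+    src = fetchFromGitHub {
+      name = "naxsi";
+      owner = "nbs-system";
+      repo = "naxsi";
+      rev = "95ac520eed2ea04098a76305fd0ad7e9158840b7";
+      sha256 = "0b5pnqkgg18kbw5rf2ifiq7lsx5rqmpqsql6hx5ycxjzxj6acfb3";
+    } + "/naxsi_src";
   };
 
   njs = rec {
+    name = "njs";
     src = fetchhg {
       url = "https://hg.nginx.org/njs";
       rev = "0.7.8";
@@ -313,6 +326,7 @@
   };
 
   opentracing = {
+    name = "opentracing";
     src =
       let src' = fetchFromGitHub {
         name = "opentracing";
@@ -353,12 +367,14 @@
     '';
   in
   {
+    name = "pagespeed";
     src = ngx_pagespeed;
     inputs = [ pkgs.zlib pkgs.libuuid ]; # psol deps
     allowMemoryWriteExecute = true;
   };
 
   pam = {
+    name = "pam";
     src = fetchFromGitHub {
       name = "pam";
       owner = "sto";
@@ -370,6 +386,7 @@
   };
 
   pinba = {
+    name = "pinba";
     src = fetchFromGitHub {
       name = "pinba";
       owner = "tony2001";
@@ -380,6 +397,7 @@
   };
 
   push-stream = {
+    name = "push-stream";
     src = fetchFromGitHub {
       name = "push-stream";
       owner = "wandenberg";
@@ -390,6 +408,7 @@
   };
 
   rtmp = {
+    name = "rtmp";
     src = fetchFromGitHub {
       name = "rtmp";
       owner = "arut";
@@ -400,6 +419,7 @@
   };
 
   secure-token = {
+    name = "secure-token";
     src = fetchFromGitHub {
       name = "secure-token";
       owner = "kaltura";
@@ -411,6 +431,7 @@
   };
 
   set-misc = {
+    name = "set-misc";
     src = fetchFromGitHub {
       name = "set-misc";
       owner = "openresty";
@@ -421,6 +442,7 @@
   };
 
   shibboleth = {
+    name = "shibboleth";
     src = fetchFromGitHub {
       name = "shibboleth";
       owner = "nginx-shib";
@@ -431,6 +453,7 @@
   };
 
   sla = {
+    name = "sla";
     src = fetchFromGitHub {
       name = "sla";
       owner = "goldenclone";
@@ -441,6 +464,7 @@
   };
 
   slowfs-cache = {
+    name = "slowfs-cache";
     src = fetchFromGitHub {
       name = "slowfs-cache";
       owner = "FRiCKLE";
@@ -451,6 +475,7 @@
   };
 
   sorted-querystring = {
+    name = "sorted-querystring";
     src = fetchFromGitHub {
       name = "sorted-querystring";
       owner = "wandenberg";
@@ -461,6 +486,7 @@
   };
 
   spnego-http-auth = {
+    name = "spnego-http-auth";
     src = fetchFromGitHub {
       name = "spnego-http-auth";
       owner = "stnoonan";
@@ -471,6 +497,7 @@
   };
 
   statsd = {
+    name = "statsd";
     src = fetchFromGitHub {
       name = "statsd";
       owner = "harvesthq";
@@ -481,6 +508,7 @@
   };
 
   stream-sts = {
+    name = "stream-sts";
     src = fetchFromGitHub {
       name = "stream-sts";
       owner = "vozlt";
@@ -491,6 +519,7 @@
   };
 
   sts = {
+    name = "sts";
     src = fetchFromGitHub {
       name = "sts";
       owner = "vozlt";
@@ -501,6 +530,7 @@
   };
 
   subsFilter = {
+    name = "subsFilter";
     src = fetchFromGitHub {
       name = "subsFilter";
       owner = "yaoweibin";
@@ -511,6 +541,7 @@
   };
 
   sysguard = {
+    name = "sysguard";
     src = fetchFromGitHub {
       name = "sysguard";
       owner = "vozlt";
@@ -521,6 +552,7 @@
   };
 
   upload = {
+    name = "upload";
     src = fetchFromGitHub {
       name = "upload";
       owner = "fdintino";
@@ -531,6 +563,7 @@
   };
 
   upstream-check = {
+    name = "upstream-check";
     src = fetchFromGitHub {
       name = "upstream-check";
       owner = "yaoweibin";
@@ -541,6 +574,7 @@
   };
 
   upstream-tarantool = {
+    name = "upstream-tarantool";
     src = fetchFromGitHub {
       name = "upstream-tarantool";
       owner = "tarantool";
@@ -552,6 +586,7 @@
   };
 
   url = {
+    name = "url";
     src = fetchFromGitHub {
       name = "url";
       owner = "vozlt";
@@ -562,6 +597,7 @@
   };
 
   video-thumbextractor = {
+    name = "video-thumbextractor";
     src = fetchFromGitHub {
       name = "video-thumbextractor";
       owner = "wandenberg";
@@ -573,6 +609,7 @@
   };
 
   vod = {
+    name = "vod";
     src = fetchFromGitHub {
       name = "vod";
       owner = "kaltura";
@@ -584,6 +621,7 @@
   };
 
   vts = {
+    name = "vts";
     src = fetchFromGitHub {
       name = "vts";
       owner = "vozlt";
@@ -592,4 +630,7 @@
       sha256 = "sha256-x4ry5ljPeJQY+7Mp04/xYIGf22d6Nee7CSqHezdK4gQ=";
     };
   };
+}; in self // lib.optionalAttrs config.allowAliases {
+  # deprecated or renamed packages
+  modsecurity-nginx = self.modsecurity;
 }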
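Review bot: Every `name` added in this file repeats its attribute key by hand (e.g. `name = "akamai-token-validate";` directly under `akamai-token-validate = {`), and because the duplicate check in generic.nix compares only this field, a copy-paste slip in any one of these strings would silently exempt that module from detection. Deriving the field from the key instead, e.g. `lib.mapAttrs (attrName: mod: { name = attrName; } // mod) self` with `self` rebound to the mapped set so the `modsecurity-nginx` alias at the end of the file picks it up too, keeps the two in sync while still letting an entry override `name`; the throw-valued aliases at the top of the set stay lazy under `mapAttrs`. The one intentional divergence, the `modsecurity` entry whose inner fetchFromGitHub `name` stays `"modsecurity-nginx"`, would read more clearly with a comment such as `# store-path name of the upstream repo, not the module name used for duplicate detection`.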
+1 -1
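--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -34907,7 +34907,7 @@
 
   tengine = callPackage ../servers/http/tengine {
     openssl = openssl_1_1;
-    modules = with nginxModules; [ rtmp dav moreheaders modsecurity-nginx ];
+    modules = with nginxModules; [ rtmp dav moreheaders modsecurity ];
   };
 
   tennix = callPackage ../games/tennix { };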