ci: ship aws-lc/LuaJIT/modsec at original paths so rpath resolves on target

.gitea/workflows/build-publish.yml

@@ -57,7 +57,7 @@ jobs:
 
           mkdir -p "${PKG_DIR}/usr/sbin" "${PKG_DIR}/nginx" \
                    "${PKG_DIR}/etc/systemd/system" "${PKG_DIR}/var/log/nginx" \
-                   "${PKG_DIR}/usr/lib" "${PKG_DIR}/usr/local/lib" \
+                   "${PKG_DIR}/usr/lib" \
                    "${PKG_DIR}/hostdata/default/public_html" \
                    "${PKG_DIR}/usr/nginx_lua" \
                    "${PKG_DIR}/usr/local/nginx/client_body_temp" \
@@ -72,7 +72,25 @@ jobs:
           cp -R /hostdata/default "${PKG_DIR}/hostdata/" || true
           cp -R /usr/nginx_lua "${PKG_DIR}/usr/" || true
 
+          # Preserve compile-time rpath paths so the dynamic loader resolves
+          # AWS-LC, LuaJIT, libinjection, and libmodsecurity correctly on the
+          # target host. Flattening these into /usr/lib (the old behaviour)
+          # made the loader fall back to the host's system libssl/libcrypto
+          # which have a different ABI from AWS-LC -> "undefined symbol"
+          # crashes at runtime.
+          for d in /usr/local/aws-lc /usr/local/LuaJIT /usr/local/modsecurity; do
+            [ -d "$d" ] && cp -R "$d" "${PKG_DIR}/usr/local/" || true
+          done
+          mkdir -p "${PKG_DIR}/usr/local/lib"
+          cp -R /usr/local/lib/. "${PKG_DIR}/usr/local/lib/" 2>/dev/null || true
+
+          # Other libs nginx links against (system glibc deps, libpcre2, etc.)
+          # go to /usr/lib. Skip anything under /usr/local — it's already
+          # shipped at its original path above.
           for lib in $(ldd /usr/sbin/nginx | grep '=> /' | awk '{print $3}'); do
+            case "$lib" in
+              /usr/local/*) continue ;;
+            esac
             cp "$lib" "${PKG_DIR}/usr/lib/" || true
           done