theraw/The-World-Is-Yours
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: theraw/The-World-Is-Yours:v2-1
Branches Tags
theraw/The-World-Is-Yours:master theraw/The-World-Is-Yours:raweb-upcoming-release theraw/The-World-Is-Yours:ffs theraw/The-World-Is-Yours:v2-1 theraw/The-World-Is-Yours:pcre-fix theraw/The-World-Is-Yours:docker theraw/The-World-Is-Yours:v3.0 theraw/The-World-Is-Yours:v2 theraw/The-World-Is-Yours:v2.0
theraw/The-World-Is-Yours:v1.27.4 theraw/The-World-Is-Yours:v1.26.0 theraw/The-World-Is-Yours:0.0.1
...
pull from: theraw/The-World-Is-Yours:master
Branches Tags
theraw/The-World-Is-Yours:master theraw/The-World-Is-Yours:raweb-upcoming-release theraw/The-World-Is-Yours:ffs theraw/The-World-Is-Yours:v2-1 theraw/The-World-Is-Yours:pcre-fix theraw/The-World-Is-Yours:docker theraw/The-World-Is-Yours:v3.0 theraw/The-World-Is-Yours:v2 theraw/The-World-Is-Yours:v2.0
theraw/The-World-Is-Yours:v1.27.4 theraw/The-World-Is-Yours:v1.26.0 theraw/The-World-Is-Yours:0.0.1

77 Commits
v2-1 ... master

Author SHA1 Message Date
theraw f77d853118 package update
build-and-publish / build (Raccoon, ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Successful in 3m33s
Details
build-and-publish / build (Trixie, debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Successful in 3m19s
Details
2026-06-09 05:11:17 +00:00
theraw 6dfd126a85 package update
build-and-publish / build (Raccoon, ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Successful in 4m23s
Details
build-and-publish / build (Trixie, debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Successful in 3m22s
Details
2026-06-09 03:10:11 +00:00
theraw a999551d22 Version update
build-and-publish / build (Raccoon, ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Successful in 3m32s
Details
build-and-publish / build (Trixie, debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Successful in 3m23s
Details
2026-05-25 22:05:16 +00:00
theraw 1dd615cf97 update version 2026-05-25 21:48:21 +00:00
root bc8ec6aabe version update
build-and-publish / build (Raccoon, ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Failing after 3m6s
Details
build-and-publish / build (Trixie, debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Failing after 3m0s
Details
2026-05-25 21:20:39 +00:00
root cfde3b7033 version update
build-and-publish / build (Raccoon, ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Failing after 53s
Details
build-and-publish / build (Trixie, debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Failing after 53s
Details
2026-05-25 20:34:21 +00:00
root bba6a61727 package changes
build-and-publish / build (Raccoon, ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Failing after 3m7s
Details
build-and-publish / build (Trixie, debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Failing after 2m57s
Details
2026-05-23 17:57:17 +00:00
root 61d2ca2df8 Service adjustments
build-and-publish / build (debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Successful in 3m42s
Details
build-and-publish / build (ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Successful in 3m19s
Details
2026-05-20 04:47:34 +00:00
root a8966ac108 systemd: switch to deny-everything-by-default (TemporaryFileSystem=/) with explicit BindReadOnlyPaths + BindPaths allowlist
build-and-publish / build (debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Successful in 3m49s
Details
build-and-publish / build (ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Successful in 3m12s
Details
2026-05-15 18:22:16 +00:00
root 9e8d14bd5d systemd: hardening — ProtectSystem=strict, ReadOnlyPaths for /raweb + /srv + letsencrypt, ReadWritePaths for /run + logs; explicitly skip MemoryDenyWriteExecute + ~@resources (known to break LuaJIT/setrlimit)
build-and-publish / build (debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Successful in 3m9s
Details
build-and-publish / build (ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Successful in 4m39s
Details
2026-05-15 18:19:17 +00:00
root 4e04e27682 README: bump nginx version 1.30.0 -> 1.31.0
build-and-publish / build (debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Successful in 3m6s
Details
build-and-publish / build (ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Successful in 3m20s
Details
2026-05-15 17:22:04 +00:00
root b7b4447afc compile temp paths into binary, all tmpfs-backed (/run/nginx/temp/)
build-and-publish / build (debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Successful in 3m7s
Details
build-and-publish / build (ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Successful in 3m16s
Details
2026-05-15 16:51:06 +00:00
root 0b9651ca05 Systemd Patches + CVE Patch
build-and-publish / build (debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Successful in 3m23s
Details
build-and-publish / build (ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Successful in 3m20s
Details
2026-05-15 13:49:54 +00:00
root e82f9f8009 Ubuntu 26.04 Release
build-and-publish / build (debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Successful in 3m16s
Details
build-and-publish / build (ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Successful in 3m34s
Details
2026-04-27 00:16:37 +00:00
root 8a14911502 Ubuntu 26.04 Release
build-and-publish / build (debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Successful in 3m10s
Details
build-and-publish / build (ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Successful in 3m26s
Details
2026-04-26 05:26:09 +00:00
root be3fb4a68f systemd: drop @resources from SystemCallFilter blocklist (nginx workers need prlimit64); set SystemCallErrorNumber=EPERM
build-and-publish / build (ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Has been cancelled
Details
build-and-publish / build (debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Has been cancelled
Details
2026-04-26 05:19:29 +00:00
root a9a9981ae5 ci: ship aws-lc/LuaJIT/modsec at original paths so rpath resolves on target
build-and-publish / build (debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Successful in 3m10s
Details
build-and-publish / build (ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Successful in 3m33s
Details
2026-04-26 05:10:45 +00:00
root 17685466c5 ci: add nx-component-upload + edit privs, strip workflow comments, shorter step names
build-and-publish / build (debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Successful in 3m8s
Details
build-and-publish / build (ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Successful in 3m24s
Details
2026-04-26 04:55:06 +00:00
root 78fe5d2d39 Ubuntu 26.04 Release
build-and-publish / build (debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Failing after 3m10s
Details
build-and-publish / build (ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Failing after 3m23s
Details
2026-04-26 04:41:50 +00:00
root 8b25532d05 Ubuntu 26.04
build-and-publish / build (debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Failing after 9s
Details
build-and-publish / build (ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Failing after 9s
Details
2026-04-26 04:28:29 +00:00
root 198d34766c Ubuntu 26.04
build-and-publish / build (debian:13, NEXUS_REPO_TRIXIE, trixie) (push) Failing after 5s
Details
build-and-publish / build (ubuntu:26.04, NEXUS_REPO_RACCOON, raccoon) (push) Failing after 5s
Details
2026-04-26 04:16:58 +00:00
root 0888f0ef83 ubuntu 26.04 2026-04-26 04:15:12 +00:00
root 0db40af760 2026
build-and-publish / build (push) Successful in 3m18s
Details
2026-04-26 01:52:34 +00:00
root 6689fd295b 2026
build-and-publish / build (push) Has been cancelled
Details
2026-04-26 01:38:39 +00:00
root 51b6eaa694 implementation of nginx 1.30 + AWS-LC + 5k-vhost perf tuning
build-and-publish / build (push) Successful in 3m18s
Details 
- nginx 1.30.0, ModSecurity v3.0.12, AWS-LC 1.72.0 (replaces
  quictls/openssl 3.1.5-quic1; OpenSSL 3.1 is EOL upstream)
- AWS-LC build via cmake+ninja, installed to /usr/local/aws-lc;
  nginx links via -I/-L and rpath
- lua-nginx-module: sed-broaden the existing OPENSSL_IS_BORINGSSL
  guards to also recognise OPENSSL_IS_AWSLC (covers #ifdef,
  #ifndef, #elif defined). without this the missing-API stubs
  never fire on AWS-LC and the build breaks on
  SSL_get1_supported_ciphers / SSL_export_keying_material_early
- lua-resty-core / lrucache: switched from `git clone master`
  to wget tarball pinned via LUA_SCRIPTS_RESTYCORE/LRUCACHE.
  master drifted to wanting ngx_lua 0.10.30 while the pin was
  0.10.29 — silent CI breakage waiting to happen
- ModSec rewritten for v3 build flow (./build.sh && ./configure
  --without-pcre --with-pcre2). v2's standalone.so isn't what
  ModSecurity-nginx connector links against; it wants
  libmodsecurity.so
- PCRE2: switched to /releases/download/ tarball (bundles the
  sljit submodule needed for --with-pcre-jit); /archive/refs/tags/
  is a raw snapshot and omits submodules
- LuaJIT version pin had a stray leading 'v' that produced
  /tags/vv2.1-... → 404
- drop -L/lib/x86_64-linux-gnu -lpcre from --with-ld-opt;
  PCRE1 is gone from debian 13
- drop libpcre3-dev from apt install for the same reason
- fix latent bug in build/run.sh build(): make && make install
  && make clean swallows make failures from set -e because of
  &&-chain semantics. now separate statements
- static/nginx/nginx.conf rewrite for shared hosting at 5k+
  vhosts: server_names_hash_max_size 32768, shared SSL session
  cache 200m, OCSP stapling, open_file_cache, brotli+gzip
  enabled in http{}, worker_cpu_affinity auto, max_headers 100,
  keepalive_requests 10000. client_header_buffer_size dropped
  from 2M to 4k (was a memory amplification surface)
- README: performance section comparing twiy vs vanilla nginx,
  OpenResty, Apache; expected yield breakdown
 2026-04-26 01:09:28 +00:00
root f703f1eaba cleanup
build-and-publish / build (push) Successful in 2m53s
Details
2026-04-25 23:29:29 +00:00
root aa7d66f142 Repo release
build-and-publish / build (push) Successful in 2m51s
Details
2026-04-25 21:24:55 +00:00
claude 44efd905c5 ci: drop dpkg-sig per-deb signing (broken on modern .debs); rely on Nexus repo signing for apt trust chain
build-and-publish / build (push) Successful in 2m51s
Details
2026-04-25 21:18:04 +00:00
claude e4d458b185 ci: harden secret handling — tmpfs in /dev/shm, file-based passphrase, netrc auth, EXIT trap
build-and-publish / build (push) Failing after 2m46s
Details
2026-04-25 21:12:55 +00:00
claude f8a197dc49 ci: fix self-mv on deb path; drop stale .github workflow
build-and-publish / build (push) Successful in 2m51s
Details
2026-04-25 21:02:20 +00:00
claude 72bc3fa999 ci: add Gitea Actions workflow to build and publish to apt.julio.al/raweb
build-and-publish / build (push) Failing after 2m46s
Details
2026-04-25 20:57:11 +00:00
𝓙𝓾𝓵𝓲𝓸 e38493230a LUA not supported yet on latest version
Build and Publish NGINX / build (push) Failing after 3m11s
Details
2025-02-18 23:54:18 +01:00
𝓙𝓾𝓵𝓲𝓸 cfb2467782 Merge pull request #37 from theraw/ffs 
Ffs
 2025-02-10 22:52:27 +01:00
𝓙𝓾𝓵𝓲𝓸 e6f35b2a1f Update run.sh 2025-02-10 22:52:09 +01:00
𝓙𝓾𝓵𝓲𝓸 1f8f1149cb Update main.yml 2025-02-10 22:50:50 +01:00
𝓙𝓾𝓵𝓲𝓸 a92ad6e145 Update main.yml 2025-02-10 22:49:23 +01:00
𝓙𝓾𝓵𝓲𝓸 467546961f Update main.yml 2025-02-10 22:46:19 +01:00
𝓙𝓾𝓵𝓲𝓸 b3ae758a82 Update main.yml 2025-02-10 22:45:02 +01:00
𝓙𝓾𝓵𝓲𝓸 400d814e20 Merge pull request #36 from theraw/remove-debug 
Remove debug
 2025-02-10 22:33:32 +01:00
𝓙𝓾𝓵𝓲𝓸 79442acea9 Update main.yml 2025-02-10 22:33:16 +01:00
𝓙𝓾𝓵𝓲𝓸 b84df55970 Update run.sh 2025-02-10 22:32:56 +01:00
𝓙𝓾𝓵𝓲𝓸 cb5ae02ea2 Update main.yml 2025-02-10 22:31:56 +01:00
𝓙𝓾𝓵𝓲𝓸 7b91c32759 debug 2025-02-10 22:26:33 +01:00
𝓙𝓾𝓵𝓲𝓸 599fa32c67 Update run.sh 2025-02-10 21:58:41 +01:00
𝓙𝓾𝓵𝓲𝓸 32edbddf07 Update main.yml 2025-02-09 19:15:07 +01:00
𝓙𝓾𝓵𝓲𝓸 57f25ecac9 Update main.yml 2025-02-09 19:00:49 +01:00
𝓙𝓾𝓵𝓲𝓸 0c5f4b47b4 🤦‍♂️ 2025-02-09 18:43:08 +01:00
𝓙𝓾𝓵𝓲𝓸 710daf1475 Update run.sh 2025-02-09 18:26:42 +01:00
𝓙𝓾𝓵𝓲𝓸 de647fc401 Update version 2025-02-09 18:10:15 +01:00
𝓙𝓾𝓵𝓲𝓸 f1d0957af9 Update main.yml 2024-09-01 13:10:13 +02:00
𝓙𝓾𝓵𝓲𝓸 e15b9d88f1 Update README.md 2024-09-01 13:08:15 +02:00
𝓙𝓾𝓵𝓲𝓸 06624021d4 Merge pull request #33 from theraw/theraw-testrun 
Theraw testrun
 2024-09-01 11:40:01 +02:00
𝓙𝓾𝓵𝓲𝓸 7069b0e0d6 Update main.yml 2024-09-01 11:25:09 +02:00
𝓙𝓾𝓵𝓲𝓸 201e399361 Update main.yml 2024-09-01 11:06:05 +02:00
𝓙𝓾𝓵𝓲𝓸 4f745516cd Update main.yml 2024-09-01 06:20:03 +02:00
𝓙𝓾𝓵𝓲𝓸 b6c8c9ce96 Update main.yml 2024-09-01 06:04:42 +02:00
𝓙𝓾𝓵𝓲𝓸 ebcd3a4d8c Update main.yml 2024-09-01 05:39:08 +02:00
𝓙𝓾𝓵𝓲𝓸 cd68adb0cd Update main.yml 2024-09-01 05:18:26 +02:00
𝓙𝓾𝓵𝓲𝓸 c8c4db0388 Update main.yml 2024-09-01 05:16:38 +02:00
𝓙𝓾𝓵𝓲𝓸 14bc66eac3 Update main.yml 2024-09-01 05:15:02 +02:00
𝓙𝓾𝓵𝓲𝓸 2a57da27dd Update main.yml 2024-09-01 05:12:52 +02:00
𝓙𝓾𝓵𝓲𝓸 14a7a13738 Create main.yml 2024-09-01 05:11:13 +02:00
𝓙𝓾𝓵𝓲𝓸 9e70a9eab5 Delete .github/workflows/main.yml 2024-09-01 05:10:47 +02:00
𝓙𝓾𝓵𝓲𝓸 92e1440c03 Create main.yml 2024-09-01 05:08:54 +02:00
𝓙𝓾𝓵𝓲𝓸 caf9b67fcf Delete .github/workflows/main.yml 2024-09-01 05:07:52 +02:00
𝓙𝓾𝓵𝓲𝓸 ed3bc18f9a Update main.yml 2024-09-01 05:03:13 +02:00
𝓙𝓾𝓵𝓲𝓸 ceb2f81038 Update main.yml 2024-09-01 05:01:01 +02:00
𝓙𝓾𝓵𝓲𝓸 0016be8b72 Update main.yml 2024-09-01 04:58:40 +02:00
𝓙𝓾𝓵𝓲𝓸 648b594996 Create main.yml 2024-09-01 04:56:56 +02:00
𝓙𝓾𝓵𝓲𝓸 32185fd641 Update version 2024-09-01 04:05:43 +02:00
𝓙𝓾𝓵𝓲𝓸 4cab377b5b Update nginx.service 2024-07-02 17:45:40 +02:00
𝓙𝓾𝓵𝓲𝓸 6cf028078e Update README.md 2024-05-22 23:25:20 +02:00
𝓙𝓾𝓵𝓲𝓸 3ee649efd1 Update README.md 2024-05-22 05:18:14 +02:00
𝓙𝓾𝓵𝓲𝓸 41a757b5b7 Update version 2024-05-22 04:37:44 +02:00
𝓙𝓾𝓵𝓲𝓸 8737f183d1 Update nginx.conf 2024-05-22 04:37:29 +02:00
𝓙𝓾𝓵𝓲𝓸 6f09ea58df Update run.sh 2024-05-22 04:34:39 +02:00
𝓙𝓾𝓵𝓲𝓸 529020368a Merge pull request #31 from theraw/v2-1 
V2
 2024-05-22 03:03:10 +02:00
17 changed files with 1524 additions and 131 deletions
Expand all files Collapse all files
.gitea/workflows/build-publish.yml
+187
View File
@@ -0,0 +1,187 @@
name: build-and-publish
on:
push:
branches: [master]
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
target: [trixie, raccoon]
include:
- target: trixie
image: debian:13
distro_dir: Trixie
nexus_repo_secret: NEXUS_REPO_TRIXIE
nexus_user_secret: NEXUS_USER_TRIXIE
nexus_pass_secret: NEXUS_PASS_TRIXIE
- target: raccoon
image: ubuntu:26.04
distro_dir: Raccoon
nexus_repo_secret: NEXUS_REPO_RACCOON
nexus_user_secret: NEXUS_USER_RACCOON
nexus_pass_secret: NEXUS_PASS_RACCOON
container:
image: ${{ matrix.image }}
steps:
- name: Bootstrap
run: |
apt-get update -qq
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
git ca-certificates nodejs
- name: Checkout
uses: actions/checkout@v4
- name: Build
id: pkg
env:
TARGET: ${{ matrix.target }}
DISTRO_DIR: ${{ matrix.distro_dir }}
run: |
set -euo pipefail
REPO_ROOT="$PWD" # captured before any cd in the build script
touch /.dockerenv
bash build/${TARGET}.sh new
bash build/${TARGET}.sh build
bash build/${TARGET}.sh postfix
NGINX_VER="$(nginx -v 2>&1 | awk -F/ '{print $2}')"
VERSION="${NGINX_VER}-${GITHUB_RUN_NUMBER:-1}~${TARGET}"
ARCH="amd64"
assemble_deb() {
local pkg_name="$1" unit_src="$2" conflicts="$3"
local pkg_dir="/opt/${pkg_name}_${VERSION}_${ARCH}"
local deb_dir="${pkg_dir}/DEBIAN"
mkdir -p "${pkg_dir}/usr/sbin" \
"${pkg_dir}/etc/systemd/system" \
"${pkg_dir}/usr/lib" \
"${pkg_dir}/usr/nginx_lua" \
"${pkg_dir}/usr/share/twiy/defaults/nginx" \
"${pkg_dir}/nginx/live" "${pkg_dir}/nginx/conf.d" \
"${pkg_dir}/nginx/config" "${pkg_dir}/nginx/modsec" \
"${pkg_dir}/nginx/modules"
cp /usr/sbin/nginx "${pkg_dir}/usr/sbin/"
# /nginx ships as an EMPTY, dpkg-owned skeleton (above): the dirs
# are tracked so upgrades from the old layout don't warn about
# "unable to delete old directory /nginx", but NO config file under
# it is tracked. The pristine configs go into a defaults stash;
# postinst places them into /nginx only when missing and never
# overwrites an admin-edited file (drops <file>.new instead).
# /hostdata is intentionally NOT packaged or seeded — postinst only
# ensures the directory exists and never removes it.
cp -R /nginx/. "${pkg_dir}/usr/share/twiy/defaults/nginx/" || true
cp "${unit_src}" "${pkg_dir}/etc/systemd/system/nginx.service"
cp -R /usr/nginx_lua "${pkg_dir}/usr/" || true
for d in /usr/local/aws-lc /usr/local/LuaJIT /usr/local/modsecurity /usr/local/zlib-ng; do
[ -d "$d" ] && cp -R "$d" "${pkg_dir}/usr/local/" || true
done
mkdir -p "${pkg_dir}/usr/local/lib"
cp -R /usr/local/lib/. "${pkg_dir}/usr/local/lib/" 2>/dev/null || true
for lib in $(ldd /usr/sbin/nginx | grep '=> /' | awk '{print $3}'); do
case "$lib" in /usr/local/*) continue ;; esac
cp "$lib" "${pkg_dir}/usr/lib/" || true
done
mkdir -p "${deb_dir}"
printf 'Package: %s\nVersion: %s\nSection: base\nPriority: optional\nArchitecture: %s\nDepends: libjemalloc2, libsystemd0\nConflicts: %s\nReplaces: %s\nMaintainer: Julio <me@julio.al>\nDescription: Nginx L7 DDoS Protection (%s), built by RAWeb CI for %s.\n' \
"${pkg_name}" "${VERSION}" "${ARCH}" "${conflicts}" "${conflicts}" "${pkg_name}" "${TARGET}" \
> "${deb_dir}/control"
# Shared maintainer scripts:
# preinst — backs up /nginx before an upgrade unpacks (so admin
# configs survive the migration off dpkg tracking).
# postinst — restores that backup, then seeds /nginx defaults
# without overwriting any file already there.
cp "${REPO_ROOT}/build/deb/preinst" "${deb_dir}/preinst"
cp "${REPO_ROOT}/build/deb/postinst" "${deb_dir}/postinst"
chmod 755 "${deb_dir}/preinst" "${deb_dir}/postinst"
dpkg-deb --build "${pkg_dir}"
}
assemble_deb "twiy" "${REPO_ROOT}/static/${DISTRO_DIR}/nginx.service" "twiy-raweb"
assemble_deb "twiy-raweb" "${REPO_ROOT}/static/${DISTRO_DIR}/nginx-raweb.service" "twiy"
DEB_TWIY="/opt/twiy_${VERSION}_${ARCH}.deb"
DEB_RAWEB="/opt/twiy-raweb_${VERSION}_${ARCH}.deb"
{
echo "deb_twiy=${DEB_TWIY}"
echo "deb_raweb=${DEB_RAWEB}"
echo "version=${VERSION}"
} >> "$GITHUB_OUTPUT"
ls -la /opt/twiy*.deb
sha256sum /opt/twiy*.deb
- name: Publish
env:
NEXUS_USER: ${{ secrets[matrix.nexus_user_secret] }}
NEXUS_PASS: ${{ secrets[matrix.nexus_pass_secret] }}
NEXUS_URL: ${{ secrets.NEXUS_URL }}
NEXUS_REPO: ${{ secrets[matrix.nexus_repo_secret] }}
DEB_TWIY: ${{ steps.pkg.outputs.deb_twiy }}
DEB_RAWEB: ${{ steps.pkg.outputs.deb_raweb }}
TARGET: ${{ matrix.target }}
run: |
set -euo pipefail
umask 077
apt-get install -y -q --no-install-recommends curl python3 ca-certificates >/dev/null
SECDIR="$(mktemp -d -p /dev/shm twiy-XXXXXXXX 2>/dev/null \
|| mktemp -d -t twiy-XXXXXXXX)"
chmod 700 "$SECDIR"
cleanup() {
find "$SECDIR" -type f -exec shred -uz {} + 2>/dev/null || true
rm -rf "$SECDIR"
}
trap cleanup EXIT INT TERM HUP
NEXUS_HOST="$(printf '%s' "$NEXUS_URL" | awk -F/ '{print $3}')"
printf 'machine %s login %s password %s\n' \
"$NEXUS_HOST" "$NEXUS_USER" "$NEXUS_PASS" > "$SECDIR/netrc"
unset NEXUS_USER NEXUS_PASS
publish_one() {
local deb="$1" pkg_name="$2"
local old_id
old_id="$(curl -fsS --netrc-file "$SECDIR/netrc" \
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO" \
| PKG_NAME="$pkg_name" python3 -c '
import sys, json, os
for c in json.load(sys.stdin).get("items", []):
if c.get("name") == os.environ["PKG_NAME"]:
print(c["id"]); break
' || true)"
if [ -n "$old_id" ]; then
curl -fsS -X DELETE --netrc-file "$SECDIR/netrc" \
"$NEXUS_URL/service/rest/v1/components/$old_id" -o /dev/null
fi
local http
http="$(curl -sS --netrc-file "$SECDIR/netrc" \
-o "$SECDIR/upload.body" -w '%{http_code}' \
-X POST -F "apt.asset=@$deb" \
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO")"
case "$http" in
201|204) echo "[$TARGET] uploaded $(basename "$deb")" ;;
*) echo "[$TARGET] upload failed for $pkg_name (HTTP $http)"; cat "$SECDIR/upload.body"; exit 1 ;;
esac
}
publish_one "$DEB_TWIY" "twiy"
publish_one "$DEB_RAWEB" "twiy-raweb"
.gitignore
+22
View File
@@ -0,0 +1,22 @@
.claude
.codex
.env
.creds
.workers
.local
.pi
.gemini
.cargo
.claude.json
.copilot
.docker
.grok
.ollama
Dockerfile
docker-compose.yaml
docker-compose.yml
PENDING_*.md
PATCH_*.md
CLAUDE.md
GEMINI.md
AGENTS.md
README.md
+57 -23
View File
@@ -2,37 +2,62 @@
![Simple](https://c.tenor.com/uYqsM9uIyuYAAAAC/simple-easy.gif)
- [x] Support Ubuntu 22.04
- [x] Latest Nginx 1.26.0
- [x] ModSecurity Support.
- [x] Naxsi Support.
- [x] Lua Support.
- [x] Cookie Based Challenge.
- [x] [Versions List](https://github.com/theraw/The-World-Is-Yours/blob/master/version)
- [x] Debian 13 (trixie) and Ubuntu 26.04 LTS (raccoon) supported
- [x] nginx 1.31.1
- [x] HTTP/3 (QUIC) via AWS-LC
- [x] ModSecurity v3 (libmodsecurity)
- [x] Naxsi
- [x] Lua (LuaJIT 2.1)
- [x] Cookie-based challenge
- [x] [Versions List](https://git.julio.al/theraw/The-World-Is-Yours/src/branch/master/version)
## Compile from source
### Debian 13 (trixie)
```bash
apt-get -y install git && cd /root/ && git clone https://github.com/theraw/The-World-Is-Yours.git && cd The-World-Is-Yours/
bash build/run.sh new
bash build/run.sh build
bash build/run.sh postfix
sudo install -d /etc/apt/keyrings
sudo curl -fsSL https://apt.julio.al/repository/public/keys/raweb.asc -o /etc/apt/keyrings/raweb.asc
echo "deb [signed-by=/etc/apt/keyrings/raweb.asc] https://apt.julio.al/repository/raweb-trixie trixie main" | sudo tee /etc/apt/sources.list.d/raweb.list
sudo apt update && sudo apt install twiy
```
If you want to try with a custom nginx version then, open `version` file and change versions then run
### Ubuntu 26.04 LTS (raccoon)
```bash
bash build/run.sh new
bash build/run.sh build
```
## Basic cli info
```
bash build/run.sh new => Download all modules + nginx that are missing from /opt/. (If you make version changes to 'version' file then simply rerun this to download again)
bash build/run.sh build => This is going to simply compile nginx nothing else. (You can run this as many times as you need, its not going to replace configs)
bash build/run.sh postfix => This will redownload /nginx/nginx.conf everytime you run it. (Suggested to run only once when you install nginx via my repo for first time)
sudo install -d /etc/apt/keyrings
sudo curl -fsSL https://apt.julio.al/repository/public/keys/raweb.asc -o /etc/apt/keyrings/raweb.asc
echo "deb [signed-by=/etc/apt/keyrings/raweb.asc] https://apt.julio.al/repository/raweb-raccoon raccoon main" | sudo tee /etc/apt/sources.list.d/raweb.list
sudo apt update && sudo apt install twiy
```
## Compile from source by yourself.
## Basic info.
```bash
apt-get -y install git && cd /root/ && git clone https://git.julio.al/theraw/The-World-Is-Yours.git && cd The-World-Is-Yours/
# Debian 13
bash build/trixie.sh new
bash build/trixie.sh build
bash build/trixie.sh postfix
# Ubuntu 26.04 LTS
bash build/raccoon.sh new
bash build/raccoon.sh build
bash build/raccoon.sh postfix
```
To try a different upstream version, edit `version` and re-run `new` then `build`.
## CLI Info
```
bash build/<distro>.sh new => Download all modules + nginx that are missing from /opt/.
(Re-run after changing the `version` file to fetch new versions.)
bash build/<distro>.sh build => Compile nginx. Re-runnable; will not touch your configs.
bash build/<distro>.sh postfix => Drop the default /nginx/nginx.conf, vhost, and systemd unit
into place. Run once on first install; re-running overwrites
/nginx/nginx.conf.
```
where `<distro>` is `trixie` or `raccoon`.
## Nginx info.
```
=> Nginx Folder = /nginx/
@@ -54,6 +79,15 @@ cd /opt/mod/lua-resty-lrucache; make install PREFIX=${LUA_SCRIPTS}
nginx -s reload
```
## Performance
### vs. vanilla nginx (same version, default config)
| Area | Twiy | Vanilla nginx | Why |
|---|---|---|---|
| TLS handshake throughput | **+515%** | baseline | AWS-LC's tuned AES/ChaCha asm vs OpenSSL |
| WAF, Lua, HTTP/3 | included | not included | needs custom build |
# Support options.
- No free support for how to do things, please don't spam with questions in discord.
build/deb/postinst
Executable
+58
View File
@@ -0,0 +1,58 @@
#!/bin/sh
# postinst — shared by the twiy and twiy-raweb packages.
#
# Config files live under /nginx but are NOT tracked by dpkg. The package
# ships an empty /nginx skeleton (so dpkg keeps the dirs across upgrades) plus
# a pristine copy of every config under /usr/share/twiy/defaults/nginx. We
# place configs from that stash here and NEVER overwrite a file that already
# exists — our copy is dropped beside it as <file>.new instead (e.g.
# nginx.conf.new). An upgrade therefore never changes an admin-edited config.
#
# /hostdata is left entirely to the admin: we only make sure the dir exists,
# and we never touch or remove its contents.
set -e
useradd -r -s /bin/false nginx 2>/dev/null || true
# Existing dirs are left exactly as they are (mkdir -p is a no-op then).
mkdir -p /nginx /hostdata
# Migration: older releases shipped /nginx/* as dpkg-tracked files, so the
# upgrade unpack deletes them before this script runs. preinst stashed a copy
# first — restore it now, without clobbering anything already present.
if [ -d /var/backups/twiy-nginx ]; then
cp -an /var/backups/twiy-nginx/. /nginx/ 2>/dev/null || true
rm -rf /var/backups/twiy-nginx
fi
# Seed packaged defaults:
# - target absent -> install it
# - target present, differs -> keep theirs, drop ours as <file>.new
# - target present, same -> do nothing
seed_tree() {
stash="$1"
target="$2"
[ -d "$stash" ] || return 0
find "$stash" -type f | while IFS= read -r src; do
rel=${src#$stash/}
dst="$target/$rel"
install -d "$(dirname "$dst")"
if [ -e "$dst" ]; then
cmp -s "$src" "$dst" || cp -p "$src" "$dst.new"
else
cp -p "$src" "$dst"
fi
done
}
seed_tree /usr/share/twiy/defaults/nginx /nginx
install -d /nginx/conf.d /nginx/config
install -d -o nginx -g nginx -m 0755 /var/log/nginx
chown -R nginx:nginx /var/log/nginx /nginx 2>/dev/null || true
systemctl daemon-reload 2>/dev/null || true
systemctl enable nginx.service 2>/dev/null || true
systemctl restart nginx.service 2>/dev/null || true
exit 0
build/deb/preinst
Executable
+18
View File
@@ -0,0 +1,18 @@
#!/bin/sh
# preinst — shared by the twiy and twiy-raweb packages.
#
# Older releases shipped /nginx as dpkg-tracked files. When upgrading from one
# of those, dpkg deletes the old /nginx/* files during unpack (they are no
# longer part of the package) BEFORE postinst runs. Stash a copy of the live
# config tree first so postinst can restore any admin-edited config and it
# survives the migration. Never touched on a fresh install.
set -e
if [ "$1" = upgrade ] && [ -d /nginx ]; then
rm -rf /var/backups/twiy-nginx
mkdir -p /var/backups
cp -a /nginx /var/backups/twiy-nginx
fi
exit 0
build/patches/nginx-1.31.1-dynamic-tls-records.patch
+220
View File
@@ -0,0 +1,220 @@
diff -urN nginx-1.31.0-pristine2/src/event/ngx_event_openssl.c nginx-1.31.0-manual/src/event/ngx_event_openssl.c
--- nginx-1.31.0-pristine2/src/event/ngx_event_openssl.c 2026-05-15 13:37:51.446080719 +0000
+++ nginx-1.31.0-manual/src/event/ngx_event_openssl.c 2026-05-15 13:38:11.254620535 +0000
@@ -2115,6 +2115,7 @@
sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);
sc->buffer_size = ssl->buffer_size;
+ sc->dyn_rec = ssl->dyn_rec;
sc->session_ctx = ssl->ctx;
@@ -3086,6 +3087,41 @@
for ( ;; ) {
+ /* Dynamic record resizing:
+ We want the initial records to fit into one TCP segment
+ so we don't get TCP HoL blocking due to TCP Slow Start.
+ A connection always starts with small records, but after
+ a given amount of records sent, we make the records larger
+ to reduce header overhead.
+ After a connection has idled for a given timeout, begin
+ the process from the start. The actual parameters are
+ configurable. If dyn_rec_timeout is 0, we assume dyn_rec is off. */
+
+ if (c->ssl->dyn_rec.timeout > 0 ) {
+
+ if (ngx_current_msec - c->ssl->dyn_rec_last_write >
+ c->ssl->dyn_rec.timeout)
+ {
+ buf->end = buf->start + c->ssl->dyn_rec.size_lo;
+ c->ssl->dyn_rec_records_sent = 0;
+
+ } else {
+ if (c->ssl->dyn_rec_records_sent >
+ c->ssl->dyn_rec.threshold * 2)
+ {
+ buf->end = buf->start + c->ssl->buffer_size;
+
+ } else if (c->ssl->dyn_rec_records_sent >
+ c->ssl->dyn_rec.threshold)
+ {
+ buf->end = buf->start + c->ssl->dyn_rec.size_hi;
+
+ } else {
+ buf->end = buf->start + c->ssl->dyn_rec.size_lo;
+ }
+ }
+ }
+
while (in && buf->last < buf->end && send < limit) {
if (in->buf->last_buf || in->buf->flush) {
flush = 1;
@@ -3225,6 +3261,9 @@
if (n > 0) {
+ c->ssl->dyn_rec_records_sent++;
+ c->ssl->dyn_rec_last_write = ngx_current_msec;
+
if (c->ssl->saved_read_handler) {
c->read->handler = c->ssl->saved_read_handler;
diff -urN nginx-1.31.0-pristine2/src/event/ngx_event_openssl.h nginx-1.31.0-manual/src/event/ngx_event_openssl.h
--- nginx-1.31.0-pristine2/src/event/ngx_event_openssl.h 2026-05-15 13:37:51.446142384 +0000
+++ nginx-1.31.0-manual/src/event/ngx_event_openssl.h 2026-05-15 13:38:11.246599371 +0000
@@ -101,10 +101,19 @@
typedef struct ngx_ssl_ocsp_s ngx_ssl_ocsp_t;
+typedef struct {
+ ngx_msec_t timeout;
+ ngx_uint_t threshold;
+ size_t size_lo;
+ size_t size_hi;
+} ngx_ssl_dyn_rec_t;
+
+
struct ngx_ssl_s {
SSL_CTX *ctx;
ngx_log_t *log;
size_t buffer_size;
+ ngx_ssl_dyn_rec_t dyn_rec;
ngx_array_t certs;
@@ -142,6 +151,10 @@
unsigned no_send_shutdown:1;
unsigned shutdown_without_free:1;
unsigned handshake_buffer_set:1;
+
+ ngx_ssl_dyn_rec_t dyn_rec;
+ ngx_msec_t dyn_rec_last_write;
+ ngx_uint_t dyn_rec_records_sent;
unsigned session_timeout_set:1;
unsigned try_early_data:1;
unsigned in_early:1;
diff -urN nginx-1.31.0-pristine2/src/http/modules/ngx_http_ssl_module.c nginx-1.31.0-manual/src/http/modules/ngx_http_ssl_module.c
--- nginx-1.31.0-pristine2/src/http/modules/ngx_http_ssl_module.c 2026-05-15 13:37:51.444851287 +0000
+++ nginx-1.31.0-manual/src/http/modules/ngx_http_ssl_module.c 2026-05-15 13:38:11.254833775 +0000
@@ -313,6 +313,41 @@
offsetof(ngx_http_ssl_srv_conf_t, reject_handshake),
NULL },
+ { ngx_string("ssl_dyn_rec_enable"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_enable),
+ NULL },
+
+ { ngx_string("ssl_dyn_rec_timeout"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_msec_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_timeout),
+ NULL },
+
+ { ngx_string("ssl_dyn_rec_size_lo"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_size_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_size_lo),
+ NULL },
+
+ { ngx_string("ssl_dyn_rec_size_hi"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_size_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_size_hi),
+ NULL },
+
+ { ngx_string("ssl_dyn_rec_threshold"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_num_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_threshold),
+ NULL },
+
ngx_null_command
};
@@ -668,6 +703,11 @@
sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR;
sscf->stapling = NGX_CONF_UNSET;
sscf->stapling_verify = NGX_CONF_UNSET;
+ sscf->dyn_rec_enable = NGX_CONF_UNSET;
+ sscf->dyn_rec_timeout = NGX_CONF_UNSET_MSEC;
+ sscf->dyn_rec_size_lo = NGX_CONF_UNSET_SIZE;
+ sscf->dyn_rec_size_hi = NGX_CONF_UNSET_SIZE;
+ sscf->dyn_rec_threshold = NGX_CONF_UNSET_UINT;
return sscf;
}
@@ -739,6 +779,20 @@
ngx_conf_merge_str_value(conf->stapling_responder,
prev->stapling_responder, "");
+ ngx_conf_merge_value(conf->dyn_rec_enable, prev->dyn_rec_enable, 0);
+ ngx_conf_merge_msec_value(conf->dyn_rec_timeout, prev->dyn_rec_timeout,
+ 1000);
+ /* Default sizes for the dynamic record sizes are defined to fit maximal
+ TLS + IPv6 overhead in a single TCP segment for lo and 3 segments for hi:
+ 1369 = 1500 - 40 (IP) - 20 (TCP) - 10 (Time) - 61 (Max TLS overhead) */
+ ngx_conf_merge_size_value(conf->dyn_rec_size_lo, prev->dyn_rec_size_lo,
+ 1369);
+ /* 4229 = (1500 - 40 - 20 - 10) * 3 - 61 */
+ ngx_conf_merge_size_value(conf->dyn_rec_size_hi, prev->dyn_rec_size_hi,
+ 4229);
+ ngx_conf_merge_uint_value(conf->dyn_rec_threshold, prev->dyn_rec_threshold,
+ 40);
+
conf->ssl.log = cf->log;
if (conf->certificates) {
@@ -962,6 +1016,28 @@
return NGX_CONF_ERROR;
}
+ if (conf->dyn_rec_enable) {
+ conf->ssl.dyn_rec.timeout = conf->dyn_rec_timeout;
+ conf->ssl.dyn_rec.threshold = conf->dyn_rec_threshold;
+
+ if (conf->buffer_size > conf->dyn_rec_size_lo) {
+ conf->ssl.dyn_rec.size_lo = conf->dyn_rec_size_lo;
+
+ } else {
+ conf->ssl.dyn_rec.size_lo = conf->buffer_size;
+ }
+
+ if (conf->buffer_size > conf->dyn_rec_size_hi) {
+ conf->ssl.dyn_rec.size_hi = conf->dyn_rec_size_hi;
+
+ } else {
+ conf->ssl.dyn_rec.size_hi = conf->buffer_size;
+ }
+
+ } else {
+ conf->ssl.dyn_rec.timeout = 0;
+ }
+
return NGX_CONF_OK;
}
diff -urN nginx-1.31.0-pristine2/src/http/modules/ngx_http_ssl_module.h nginx-1.31.0-manual/src/http/modules/ngx_http_ssl_module.h
--- nginx-1.31.0-pristine2/src/http/modules/ngx_http_ssl_module.h 2026-05-15 13:37:51.445106976 +0000
+++ nginx-1.31.0-manual/src/http/modules/ngx_http_ssl_module.h 2026-05-15 13:38:11.252995002 +0000
@@ -66,6 +66,12 @@
ngx_flag_t stapling_verify;
ngx_str_t stapling_file;
ngx_str_t stapling_responder;
+
+ ngx_flag_t dyn_rec_enable;
+ ngx_msec_t dyn_rec_timeout;
+ size_t dyn_rec_size_lo;
+ size_t dyn_rec_size_hi;
+ ngx_uint_t dyn_rec_threshold;
} ngx_http_ssl_srv_conf_t;
build/patches/nginx-1.31.1-systemd-notify.patch
+70
View File
@@ -0,0 +1,70 @@
Add sd_notify() integration to nginx master process so the systemd unit can
use Type=notify. nginx mainline ships #if (NGX_HAVE_SYSTEMD) guards in nothing
of its own — every distro carries its own patch. This is ours, kept minimal.
Send:
READY=1 after workers + cache manager are spawned (master enters loop)
READY=1 again after a successful reconfigure
RELOADING=1 when reconfigure starts
STOPPING=1 in ngx_master_process_exit
The build script provides -DNGX_HAVE_SYSTEMD and -lsystemd, so this patch
doesn't touch auto/ configure scripts — only the source.
--- a/src/os/unix/ngx_process_cycle.c
+++ b/src/os/unix/ngx_process_cycle.c
@@ -12,6 +12,10 @@
#include <ngx_channel.h>
+#if (NGX_HAVE_SYSTEMD)
+#include <systemd/sd-daemon.h>
+#endif
+
static void ngx_start_worker_processes(ngx_cycle_t *cycle, ngx_int_t n,
ngx_int_t type);
static void ngx_start_cache_manager_processes(ngx_cycle_t *cycle,
@@ -132,6 +136,10 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
sigio = 0;
live = 1;
+#if (NGX_HAVE_SYSTEMD)
+ sd_notify(0, "READY=1\nSTATUS=nginx is ready\n");
+#endif
+
for ( ;; ) {
if (delay) {
if (ngx_sigalrm) {
@@ -211,6 +219,10 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
if (ngx_reconfigure) {
ngx_reconfigure = 0;
+#if (NGX_HAVE_SYSTEMD)
+ sd_notify(0, "RELOADING=1\nSTATUS=nginx is reloading\n");
+#endif
+
if (ngx_new_binary) {
ngx_start_worker_processes(cycle, ccf->worker_processes,
NGX_PROCESS_RESPAWN);
@@ -241,6 +253,10 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
live = 1;
ngx_signal_worker_processes(cycle,
ngx_signal_value(NGX_SHUTDOWN_SIGNAL));
+
+#if (NGX_HAVE_SYSTEMD)
+ sd_notify(0, "READY=1\nSTATUS=nginx is ready\n");
+#endif
}
if (ngx_restart) {
@@ -655,6 +671,10 @@ static void
ngx_master_process_exit(ngx_cycle_t *cycle)
{
ngx_uint_t i;
+
+#if (NGX_HAVE_SYSTEMD)
+ sd_notify(0, "STOPPING=1\nSTATUS=nginx is stopping\n");
+#endif
ngx_delete_pidfile(cycle);
build/run.sh → build/raccoon.sh
+144 -43
View File
@@ -1,15 +1,40 @@
. ./version
set -e
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
function reqs() {
apt-get update -y; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get -y install tzdata dialog
# apt-get purge nftables firewalld ufw -y; apt-get autoremove -y
apt-get -y install wget zip unzip build-essential libssl-dev curl nano git
# apt-get -y install iptables ipset
apt-get install libtool pkg-config make cmake automake autoconf -y
apt-get install libyajl-dev ssdeep zlib1g-dev libxslt1-dev libgd-dev libgeoip-dev liblmdb-dev libfuzzy-dev libmaxminddb-dev liblua5.2-dev libcurl4-openssl-dev libxml2 libxml2-dev libpcre3-dev mercurial libpcre2-dev libc-ares-dev libre2-dev -y
apt-get install libtool pkg-config make cmake automake autoconf golang-go ninja-build -y
apt-get install libyajl-dev ssdeep zlib1g-dev libxslt1-dev libgd-dev libgeoip-dev liblmdb-dev libfuzzy-dev libmaxminddb-dev liblua5.1-dev libcurl4-openssl-dev libxml2-dev mercurial libpcre2-dev libc-ares-dev libre2-dev libzstd-dev libjemalloc2 libsystemd-dev -y
mkdir -p $LUA_SCRIPTS
}
function apply_patches() {
local nginx_src="/opt/nginx-${NGINX}"
local patch_dir="${SCRIPT_DIR}/patches"
[ -f "${nginx_src}/.patches_applied" ] && return 0
apply_one() {
local toggle="$1" file="$2"
if [ "$toggle" != "1" ]; then
echo "[patch] skip $file (toggle=$toggle)"; return 0
fi
if [ ! -f "${patch_dir}/${file}" ]; then
echo "[patch] MISSING ${patch_dir}/${file}"; return 1
fi
echo "[patch] applying ${file}"
( cd "$nginx_src" && patch -p1 < "${patch_dir}/${file}" )
}
apply_one "${APPLY_PATCH_SYSTEMD_NOTIFY:-0}" "nginx-${NGINX}-systemd-notify.patch"
apply_one "${APPLY_PATCH_DYNAMIC_TLS_RECORDS:-0}" "nginx-${NGINX}-dynamic-tls-records.patch"
apply_one "${APPLY_PATCH_HTTP2_HPACK_ENC:-0}" "nginx-${NGINX}-http2-hpack-enc.patch"
touch "${nginx_src}/.patches_applied"
}
function clean_install() {
mkdir -p /opt/mod
@@ -18,19 +43,46 @@ function clean_install() {
cd /opt/ && wget https://nginx.org/download/nginx-${NGINX}.tar.gz
tar xf nginx-${NGINX}.tar.gz && rm -Rf nginx-${NGINX}.tar.gz
fi
apply_patches
# START OF SYSTEM REQUIRED LIBS
# ============================================================================================================
# OPENSSL
if [ ! -d /opt/mod/openssl-opernssl-${SYSTEM_OPENSSL} ]; then
cd /opt/mod; wget https://github.com/quictls/openssl/archive/refs/tags/opernssl-${SYSTEM_OPENSSL}.tar.gz
cd /opt/mod && tar xf opernssl-${SYSTEM_OPENSSL}.tar.gz; rm -Rf opernssl-${SYSTEM_OPENSSL}.tar.gz
# AWS-LC — TLS+QUIC backend. Replaces quictls/openssl. Built standalone
# (cmake+ninja) and installed to /usr/local/aws-lc/. nginx 1.29.2+ links
# against it via -I/-L; we no longer pass --with-openssl=PATH because we
# don't want nginx's configure to rebuild OpenSSL itself.
if [ ! -d /opt/mod/aws-lc-${SYSTEM_AWSLC} ]; then
cd /opt/mod && wget https://github.com/aws/aws-lc/archive/refs/tags/v${SYSTEM_AWSLC}.tar.gz
cd /opt/mod && tar xf v${SYSTEM_AWSLC}.tar.gz; rm -Rf v${SYSTEM_AWSLC}.tar.gz
fi
if [ ! -f /usr/local/aws-lc/lib/libssl.so ]; then
cd /opt/mod/aws-lc-${SYSTEM_AWSLC} && \
cmake -GNinja -B build \
-DCMAKE_INSTALL_PREFIX=/usr/local/aws-lc \
-DBUILD_SHARED_LIBS=1 \
-DCMAKE_BUILD_TYPE=Release && \
cmake --build build -j`nproc` && \
cmake --install build && \
ldconfig
fi
# ZLIB
if [ ! -d /opt/mod/zlib ]; then
cd /opt/mod && wget http://zlib.net/current/zlib.tar.gz
cd /opt/mod && tar xf zlib.tar.gz; rm -Rf zlib.tar.gz; mv zlib-* zlib
# ZLIB (zlib-ng, --zlib-compat mode). Drop-in libz replacement with SIMD-
# accelerated DEFLATE. Installed to /usr/local/zlib-ng/. nginx links via
# -I/-L below (no more --with-zlib=PATH; nginx finds libz via -L+rpath).
if [ ! -d /opt/mod/zlib-ng-${SYSTEM_ZLIBNG} ]; then
cd /opt/mod && wget https://github.com/zlib-ng/zlib-ng/archive/refs/tags/${SYSTEM_ZLIBNG}.tar.gz
cd /opt/mod && tar xf ${SYSTEM_ZLIBNG}.tar.gz; rm -Rf ${SYSTEM_ZLIBNG}.tar.gz
fi
if [ ! -f /usr/local/zlib-ng/lib/libz.so ]; then
cd /opt/mod/zlib-ng-${SYSTEM_ZLIBNG} && \
cmake -GNinja -B build \
-DCMAKE_INSTALL_PREFIX=/usr/local/zlib-ng \
-DZLIB_COMPAT=ON \
-DBUILD_SHARED_LIBS=ON \
-DCMAKE_BUILD_TYPE=Release && \
cmake --build build -j`nproc` && \
cmake --install build && \
ldconfig
fi
# SYSTEM_LUAJIT
@@ -43,20 +95,22 @@ function clean_install() {
fi
fi
# SYSTEM_MODSECURITY
# SYSTEM_MODSECURITY (v3 — libmodsecurity, what ModSecurity-nginx connector needs)
if [ ! -d /opt/mod/modsecurity-v${SYSTEM_MODSECURITY} ]; then
cd /opt/mod && wget https://github.com/SpiderLabs/ModSecurity/releases/download/v${SYSTEM_MODSECURITY}/modsecurity-v${SYSTEM_MODSECURITY}.tar.gz
cd /opt/mod && tar xf modsecurity-v${SYSTEM_MODSECURITY}.tar.gz; rm -Rf modsecurity-v${SYSTEM_MODSECURITY}.tar.gz
if [ ! -d /usr/local/modsecurity ]; then
cd /opt/mod/modsecurity-v${SYSTEM_MODSECURITY} && ./configure && make -j`nproc` && make install
fi
fi
if [ ! -f /usr/local/modsecurity/lib/libmodsecurity.so ]; then
cd /opt/mod/modsecurity-v${SYSTEM_MODSECURITY} && ./build.sh && ./configure --without-pcre --with-pcre2 && make -j`nproc` && make install
fi
# SYSTEM_PCRE
if [ ! -d /opt/mod/pcre2-pcre2-${SYSTEM_PCRE} ]; then
cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/archive/refs/tags/pcre2-${SYSTEM_PCRE}.tar.gz
# Use the official release tarball (bundles the sljit submodule needed for
# JIT). The /archive/refs/tags/ tarball from GitHub is a raw source snapshot
# that omits submodules and breaks `--with-pcre-jit`.
if [ ! -d /opt/mod/pcre2-${SYSTEM_PCRE} ]; then
cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${SYSTEM_PCRE}/pcre2-${SYSTEM_PCRE}.tar.gz
cd /opt/mod && tar xf pcre2-${SYSTEM_PCRE}.tar.gz; rm -Rf pcre2-${SYSTEM_PCRE}.tar.gz
cd /opt/mod/pcre2-pcre2-${SYSTEM_PCRE} && ./autogen.sh
fi
# LibInjection
@@ -75,18 +129,36 @@ function clean_install() {
cd /opt/mod/; wget https://github.com/openresty/lua-nginx-module/archive/refs/tags/v${NGX_MOD_LUA}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA}.tar.gz; rm -Rf v${NGX_MOD_LUA}.tar.gz
sed -i 's/cookies/cookie/g' /opt/mod/lua-nginx-module-${NGX_MOD_LUA}/src/ngx_http_lua_headers_in.c
# AWS-LC compatibility: lua-nginx-module already has guards around APIs
# missing from BoringSSL (SSL_get1_supported_ciphers, SSL_export_keying_
# material_early, etc.). AWS-LC has the same API limitations but defines
# OPENSSL_IS_AWSLC instead of OPENSSL_IS_BORINGSSL, so the guards never
# fire. Broaden every form (#if, #ifdef, #ifndef, #elif) to recognise
# both macros. Order matters: the bare `defined()` substitution runs
# first so the later #ifdef/#ifndef substitutions don't double-rewrite.
sed -i \
-e 's@defined(OPENSSL_IS_BORINGSSL)@(defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
-e 's@#ifdef OPENSSL_IS_BORINGSSL@#if (defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
-e 's@#ifndef OPENSSL_IS_BORINGSSL@#if !(defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
/opt/mod/lua-nginx-module-${NGX_MOD_LUA}/src/*.c
fi
# NGX_LUA_CORE
if [ ! -d /opt/mod/lua-resty-core ]; then
cd /opt/mod/; git clone https://github.com/openresty/lua-resty-core.git
cd /opt/mod/lua-resty-core; make install PREFIX=${LUA_SCRIPTS}
# NGX_LUA_CORE — must stay in lockstep with NGX_MOD_LUA. lua-resty-core
# does a strict-equality check on ngx.config.ngx_lua_version at startup,
# so an upstream bump on master silently breaks the build. Pinning via
# the tagged tarball (dir name embeds the version) means changing
# LUA_SCRIPTS_RESTYCORE in `version` invalidates the cache automatically.
if [ ! -d /opt/mod/lua-resty-core-${LUA_SCRIPTS_RESTYCORE} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-core/archive/refs/tags/v${LUA_SCRIPTS_RESTYCORE}.tar.gz
cd /opt/mod/; tar xf v${LUA_SCRIPTS_RESTYCORE}.tar.gz; rm -Rf v${LUA_SCRIPTS_RESTYCORE}.tar.gz
cd /opt/mod/lua-resty-core-${LUA_SCRIPTS_RESTYCORE} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_LUA_LRUCACHE
if [ ! -d /opt/mod/lua-resty-lrucache ]; then
cd /opt/mod/; git clone https://github.com/openresty/lua-resty-lrucache.git
cd /opt/mod/lua-resty-lrucache; make install PREFIX=${LUA_SCRIPTS}
# NGX_LUA_LRUCACHE — same pattern, pinned to LUA_SCRIPTS_LRUCACHE.
if [ ! -d /opt/mod/lua-resty-lrucache-${LUA_SCRIPTS_LRUCACHE} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-lrucache/archive/refs/tags/v${LUA_SCRIPTS_LRUCACHE}.tar.gz
cd /opt/mod/; tar xf v${LUA_SCRIPTS_LRUCACHE}.tar.gz; rm -Rf v${LUA_SCRIPTS_LRUCACHE}.tar.gz
cd /opt/mod/lua-resty-lrucache-${LUA_SCRIPTS_LRUCACHE} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_LUA_MYSQL
@@ -171,6 +243,14 @@ function clean_install() {
cd /opt/mod/; git clone --recurse-submodules https://github.com/wargio/naxsi.git naxsi
fi
# NGX_MOD_ZSTD — Zstandard compression module from tokers. Pinned via
# NGX_MOD_ZSTD; tarball pattern (dir name embeds version → cache invalidates
# automatically when the pin moves).
if [ ! -d /opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} ]; then
cd /opt/mod/; wget https://github.com/tokers/zstd-nginx-module/archive/refs/tags/${NGX_MOD_ZSTD}.tar.gz
cd /opt/mod/; tar xf ${NGX_MOD_ZSTD}.tar.gz; rm -Rf ${NGX_MOD_ZSTD}.tar.gz
fi
# END OF NGINX MODULES
# ============================================================================================================
}
@@ -182,16 +262,18 @@ test_nginx() {
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--modules-path=/nginx/modules \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--pid-path=/run/nginx.pid \
--lock-path=/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-opernssl-${SYSTEM_OPENSSL} \
--with-openssl-opt=enable-tls1_3 \
--http-client-body-temp-path=/run/nginx/temp/client_body \
--http-proxy-temp-path=/run/nginx/temp/proxy \
--http-fastcgi-temp-path=/run/nginx/temp/fastcgi \
--http-uwsgi-temp-path=/run/nginx/temp/uwsgi \
--http-scgi-temp-path=/run/nginx/temp/scgi \
--with-pcre \
--with-pcre-jit \
--with-pcre=/opt/mod/pcre2-pcre2-${SYSTEM_PCRE} \
--with-zlib=/opt/mod/zlib \
--with-pcre=/opt/mod/pcre2-${SYSTEM_PCRE} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
@@ -230,9 +312,10 @@ test_nginx() {
--add-module=/opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE} \
--add-module=/opt/mod/redis2-nginx-module \
--add-module=/opt/mod/ngx_brotli \
--add-module=/opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} \
--add-module=/opt/mod/testcookie \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/lib/x86_64-linux-gnu -lpcre"
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I/usr/local/aws-lc/include -I/usr/local/zlib-ng/include -DNGX_HAVE_SYSTEMD" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/usr/local/aws-lc/lib -lssl -lcrypto -Wl,-rpath,/usr/local/aws-lc/lib -L/usr/local/zlib-ng/lib -lz -Wl,-rpath,/usr/local/zlib-ng/lib -lsystemd"
make clean
}
function build() {
@@ -242,16 +325,18 @@ function build() {
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--modules-path=/nginx/modules \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--pid-path=/run/nginx.pid \
--lock-path=/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-opernssl-${SYSTEM_OPENSSL} \
--with-openssl-opt=enable-tls1_3 \
--http-client-body-temp-path=/run/nginx/temp/client_body \
--http-proxy-temp-path=/run/nginx/temp/proxy \
--http-fastcgi-temp-path=/run/nginx/temp/fastcgi \
--http-uwsgi-temp-path=/run/nginx/temp/uwsgi \
--http-scgi-temp-path=/run/nginx/temp/scgi \
--with-pcre \
--with-pcre-jit \
--with-pcre=/opt/mod/pcre2-pcre2-${SYSTEM_PCRE} \
--with-zlib=/opt/mod/zlib \
--with-pcre=/opt/mod/pcre2-${SYSTEM_PCRE} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
@@ -290,11 +375,17 @@ function build() {
--add-module=/opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE} \
--add-module=/opt/mod/redis2-nginx-module \
--add-module=/opt/mod/ngx_brotli \
--add-module=/opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} \
--add-module=/opt/mod/testcookie \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/lib/x86_64-linux-gnu -lpcre"
make -j`nproc` && make install && make clean
unset NGINX
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I/usr/local/aws-lc/include -I/usr/local/zlib-ng/include -DNGX_HAVE_SYSTEMD" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/usr/local/aws-lc/lib -lssl -lcrypto -Wl,-rpath,/usr/local/aws-lc/lib -L/usr/local/zlib-ng/lib -lz -Wl,-rpath,/usr/local/zlib-ng/lib -lsystemd"
# NOTE: kept as separate statements (not `make && make install && make clean`)
# so `set -e` actually fires on a make failure. The && chain hides left-side
# failures from set -e, which previously let half-built nginx ship.
cd /opt/nginx-${NGINX} && make -j`nproc`
cd /opt/nginx-${NGINX} && make install
cd /opt/nginx-${NGINX} && make clean
unset NGINX
}
function post_build() {
useradd nginx; unset NGINX; rm -rf /nginx/*.default;
@@ -311,6 +402,16 @@ function post_build() {
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nginx/live/default > /nginx/live/default
mkdir -p /hostdata/default/public_html/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/index.html > /hostdata/default/public_html/index.html
mkdir -p /hostdata/default/public_html/cdn/modsec && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/aes.min.js > /hostdata/default/public_html/cdn/modsec/aes.min.js
SRC_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
install -m 0644 "${SRC_DIR}/static/Raccoon/nginx.service" /etc/systemd/system/nginx.service
if [ -f "/run/.containerenv" ] || [ -f "/.dockerenv" ] || [ -f "/home/runner/.dockerenv" ]; then
echo "Skipping systemctl commands on GitHub runner"
mkdir -p /etc/systemd/system/
else
systemctl daemon-reload
systemctl restart nginx.service
systemctl enable nginx.service
fi
}
# Handling command-line arguments
build/trixie.sh
+442
View File
@@ -0,0 +1,442 @@
. ./version
set -e
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
function reqs() {
apt-get update -y; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get -y install tzdata dialog
# apt-get purge nftables firewalld ufw -y; apt-get autoremove -y
apt-get -y install wget zip unzip build-essential libssl-dev curl nano git
# apt-get -y install iptables ipset
apt-get install libtool pkg-config make cmake automake autoconf golang-go ninja-build -y
apt-get install libyajl-dev ssdeep zlib1g-dev libxslt1-dev libgd-dev libgeoip-dev liblmdb-dev libfuzzy-dev libmaxminddb-dev liblua5.1-dev libcurl4-openssl-dev libxml2 libxml2-dev mercurial libpcre2-dev libc-ares-dev libre2-dev libzstd-dev libjemalloc2 libsystemd-dev -y
mkdir -p $LUA_SCRIPTS
}
function apply_patches() {
local nginx_src="/opt/nginx-${NGINX}"
local patch_dir="${SCRIPT_DIR}/patches"
[ -f "${nginx_src}/.patches_applied" ] && return 0
apply_one() {
local toggle="$1" file="$2"
if [ "$toggle" != "1" ]; then
echo "[patch] skip $file (toggle=$toggle)"; return 0
fi
if [ ! -f "${patch_dir}/${file}" ]; then
echo "[patch] MISSING ${patch_dir}/${file}"; return 1
fi
echo "[patch] applying ${file}"
( cd "$nginx_src" && patch -p1 < "${patch_dir}/${file}" )
}
apply_one "${APPLY_PATCH_SYSTEMD_NOTIFY:-0}" "nginx-${NGINX}-systemd-notify.patch"
apply_one "${APPLY_PATCH_DYNAMIC_TLS_RECORDS:-0}" "nginx-${NGINX}-dynamic-tls-records.patch"
apply_one "${APPLY_PATCH_HTTP2_HPACK_ENC:-0}" "nginx-${NGINX}-http2-hpack-enc.patch"
touch "${nginx_src}/.patches_applied"
}
function clean_install() {
mkdir -p /opt/mod
# Nginx
if [ ! -d /opt/nginx-${NGINX} ]; then
cd /opt/ && wget https://nginx.org/download/nginx-${NGINX}.tar.gz
tar xf nginx-${NGINX}.tar.gz && rm -Rf nginx-${NGINX}.tar.gz
fi
apply_patches
# START OF SYSTEM REQUIRED LIBS
# ============================================================================================================
# AWS-LC — TLS+QUIC backend. Replaces quictls/openssl. Built standalone
# (cmake+ninja) and installed to /usr/local/aws-lc/. nginx 1.29.2+ links
# against it via -I/-L; we no longer pass --with-openssl=PATH because we
# don't want nginx's configure to rebuild OpenSSL itself.
if [ ! -d /opt/mod/aws-lc-${SYSTEM_AWSLC} ]; then
cd /opt/mod && wget https://github.com/aws/aws-lc/archive/refs/tags/v${SYSTEM_AWSLC}.tar.gz
cd /opt/mod && tar xf v${SYSTEM_AWSLC}.tar.gz; rm -Rf v${SYSTEM_AWSLC}.tar.gz
fi
if [ ! -f /usr/local/aws-lc/lib/libssl.so ]; then
cd /opt/mod/aws-lc-${SYSTEM_AWSLC} && \
cmake -GNinja -B build \
-DCMAKE_INSTALL_PREFIX=/usr/local/aws-lc \
-DBUILD_SHARED_LIBS=1 \
-DCMAKE_BUILD_TYPE=Release && \
cmake --build build -j`nproc` && \
cmake --install build && \
ldconfig
fi
# ZLIB (zlib-ng, --zlib-compat mode). Drop-in libz replacement with SIMD-
# accelerated DEFLATE. Installed to /usr/local/zlib-ng/. nginx links via
# -I/-L below (no more --with-zlib=PATH; nginx finds libz via -L+rpath).
if [ ! -d /opt/mod/zlib-ng-${SYSTEM_ZLIBNG} ]; then
cd /opt/mod && wget https://github.com/zlib-ng/zlib-ng/archive/refs/tags/${SYSTEM_ZLIBNG}.tar.gz
cd /opt/mod && tar xf ${SYSTEM_ZLIBNG}.tar.gz; rm -Rf ${SYSTEM_ZLIBNG}.tar.gz
fi
if [ ! -f /usr/local/zlib-ng/lib/libz.so ]; then
cd /opt/mod/zlib-ng-${SYSTEM_ZLIBNG} && \
cmake -GNinja -B build \
-DCMAKE_INSTALL_PREFIX=/usr/local/zlib-ng \
-DZLIB_COMPAT=ON \
-DBUILD_SHARED_LIBS=ON \
-DCMAKE_BUILD_TYPE=Release && \
cmake --build build -j`nproc` && \
cmake --install build && \
ldconfig
fi
# SYSTEM_LUAJIT
if [ ! -d /opt/mod/luajit2-${SYSTEM_LUAJIT} ]; then
cd /opt/mod && wget https://github.com/openresty/luajit2/archive/refs/tags/v${SYSTEM_LUAJIT}.tar.gz
cd /opt/mod && tar xf v${SYSTEM_LUAJIT}.tar.gz && rm -Rf v${SYSTEM_LUAJIT}.tar.gz
if [ ! -d /usr/local/LuaJIT/include/luajit-2.1 ]; then
cd /opt/mod/luajit2-${SYSTEM_LUAJIT}/ && make clean && make install PREFIX=/usr/local/LuaJIT && ldconfig
# apt-get -y install liblua5.1-0-dev; apt-get -y install luarocks; luarocks install lua-resty-core
fi
fi
# SYSTEM_MODSECURITY (v3 — libmodsecurity, what ModSecurity-nginx connector needs)
if [ ! -d /opt/mod/modsecurity-v${SYSTEM_MODSECURITY} ]; then
cd /opt/mod && wget https://github.com/SpiderLabs/ModSecurity/releases/download/v${SYSTEM_MODSECURITY}/modsecurity-v${SYSTEM_MODSECURITY}.tar.gz
cd /opt/mod && tar xf modsecurity-v${SYSTEM_MODSECURITY}.tar.gz; rm -Rf modsecurity-v${SYSTEM_MODSECURITY}.tar.gz
fi
if [ ! -f /usr/local/modsecurity/lib/libmodsecurity.so ]; then
cd /opt/mod/modsecurity-v${SYSTEM_MODSECURITY} && ./build.sh && ./configure --without-pcre --with-pcre2 && make -j`nproc` && make install
fi
# SYSTEM_PCRE
# Use the official release tarball (bundles the sljit submodule needed for
# JIT). The /archive/refs/tags/ tarball from GitHub is a raw source snapshot
# that omits submodules and breaks `--with-pcre-jit`.
if [ ! -d /opt/mod/pcre2-${SYSTEM_PCRE} ]; then
cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${SYSTEM_PCRE}/pcre2-${SYSTEM_PCRE}.tar.gz
cd /opt/mod && tar xf pcre2-${SYSTEM_PCRE}.tar.gz; rm -Rf pcre2-${SYSTEM_PCRE}.tar.gz
fi
# LibInjection
if [ ! -d /opt/mod/libinjection ]; then
cd /opt/mod && git clone https://github.com/libinjection/libinjection.git
cd /opt/mod/libinjection && ./autogen.sh && ./configure && make -j`nproc` && make install
fi
# END OF SYSTEM REQUIRED LIBS
# ============================================================================================================
# START OF NGINX MODULES
# ============================================================================================================
# NGX_MOD_LUA
if [ ! -d /opt/mod/lua-nginx-module-${NGX_MOD_LUA} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-nginx-module/archive/refs/tags/v${NGX_MOD_LUA}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA}.tar.gz; rm -Rf v${NGX_MOD_LUA}.tar.gz
sed -i 's/cookies/cookie/g' /opt/mod/lua-nginx-module-${NGX_MOD_LUA}/src/ngx_http_lua_headers_in.c
# AWS-LC compatibility: lua-nginx-module already has guards around APIs
# missing from BoringSSL (SSL_get1_supported_ciphers, SSL_export_keying_
# material_early, etc.). AWS-LC has the same API limitations but defines
# OPENSSL_IS_AWSLC instead of OPENSSL_IS_BORINGSSL, so the guards never
# fire. Broaden every form (#if, #ifdef, #ifndef, #elif) to recognise
# both macros. Order matters: the bare `defined()` substitution runs
# first so the later #ifdef/#ifndef substitutions don't double-rewrite.
sed -i \
-e 's@defined(OPENSSL_IS_BORINGSSL)@(defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
-e 's@#ifdef OPENSSL_IS_BORINGSSL@#if (defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
-e 's@#ifndef OPENSSL_IS_BORINGSSL@#if !(defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
/opt/mod/lua-nginx-module-${NGX_MOD_LUA}/src/*.c
fi
# NGX_LUA_CORE — must stay in lockstep with NGX_MOD_LUA. lua-resty-core
# does a strict-equality check on ngx.config.ngx_lua_version at startup,
# so an upstream bump on master silently breaks the build. Pinning via
# the tagged tarball (dir name embeds the version) means changing
# LUA_SCRIPTS_RESTYCORE in `version` invalidates the cache automatically.
if [ ! -d /opt/mod/lua-resty-core-${LUA_SCRIPTS_RESTYCORE} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-core/archive/refs/tags/v${LUA_SCRIPTS_RESTYCORE}.tar.gz
cd /opt/mod/; tar xf v${LUA_SCRIPTS_RESTYCORE}.tar.gz; rm -Rf v${LUA_SCRIPTS_RESTYCORE}.tar.gz
cd /opt/mod/lua-resty-core-${LUA_SCRIPTS_RESTYCORE} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_LUA_LRUCACHE — same pattern, pinned to LUA_SCRIPTS_LRUCACHE.
if [ ! -d /opt/mod/lua-resty-lrucache-${LUA_SCRIPTS_LRUCACHE} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-lrucache/archive/refs/tags/v${LUA_SCRIPTS_LRUCACHE}.tar.gz
cd /opt/mod/; tar xf v${LUA_SCRIPTS_LRUCACHE}.tar.gz; rm -Rf v${LUA_SCRIPTS_LRUCACHE}.tar.gz
cd /opt/mod/lua-resty-lrucache-${LUA_SCRIPTS_LRUCACHE} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_LUA_MYSQL
if [ ! -d /opt/mod/lua-resty-mysql-${NGX_MOD_LUA_MYSQL} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-mysql/archive/refs/tags/v${NGX_MOD_LUA_MYSQL}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA_MYSQL}.tar.gz; rm -Rf v${NGX_MOD_LUA_MYSQL}.tar.gz
cd /opt/mod/lua-resty-mysql-${NGX_MOD_LUA_MYSQL} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_LUA_SRCACHE
if [ ! -d /opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE} ]; then
cd /opt/mod/; wget https://github.com/openresty/srcache-nginx-module/archive/refs/tags/v${NGX_MOD_LUA_SRCACHE}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA_SRCACHE}.tar.gz; rm -Rf v${NGX_MOD_LUA_SRCACHE}.tar.gz
fi
# NGX_MOD_LUA_REDIS2
if [ ! -d /opt/mod/redis2-nginx-module ]; then
cd /opt/mod/; git clone --recursive https://github.com/openresty/redis2-nginx-module.git
fi
# NGX_MOD_LUA_LOCK 0.09
if [ ! -d /opt/mod/lua-resty-lock-${NGX_MOD_LUA_LOCK} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-lock/archive/refs/tags/v${NGX_MOD_LUA_LOCK}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA_LOCK}.tar.gz; rm -Rf v${NGX_MOD_LUA_LOCK}.tar.gz
cd /opt/mod/lua-resty-lock-${NGX_MOD_LUA_LOCK} && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_LUA_CACHE
if [ ! -d /opt/mod/lua-resty-cache ]; then
cd /opt/mod/; git clone --branch feature-srcache --recursive https://github.com/lloydzhou/lua-resty-cache
cd /opt/mod/lua-resty-cache && make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_DEVELKIT
if [ ! -d /opt/mod/ngx_devel_kit-${NGX_MOD_DEVELKIT} ]; then
cd /opt/mod/; wget https://github.com/vision5/ngx_devel_kit/archive/refs/tags/v${NGX_MOD_DEVELKIT}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_DEVELKIT}.tar.gz; rm -Rf v${NGX_MOD_DEVELKIT}.tar.gz
fi
# NGX_MOD_GEOIP2
if [ ! -d /opt/mod/ngx_http_geoip2_module-${NGX_MOD_GEOIP2} ]; then
cd /opt/mod/; wget https://github.com/leev/ngx_http_geoip2_module/archive/refs/tags/${NGX_MOD_GEOIP2}.tar.gz
cd /opt/mod/; tar xf ${NGX_MOD_GEOIP2}.tar.gz; rm -Rf ${NGX_MOD_GEOIP2}.tar.gz
fi
# NGX_MOD_MODSECURITY
if [ ! -d /opt/mod/ModSecurity-nginx-${NGX_MOD_MODSECURITY} ]; then
cd /opt/mod/; wget https://github.com/SpiderLabs/ModSecurity-nginx/archive/refs/tags/v${NGX_MOD_MODSECURITY}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_MODSECURITY}.tar.gz; rm -Rf v${NGX_MOD_MODSECURITY}.tar.gz
fi
# NGX_MOD_HTTPFLV
if [ ! -d /opt/mod/nginx-http-flv-module-${NGX_MOD_HTTPFLV} ]; then
cd /opt/mod/; wget https://github.com/winshining/nginx-http-flv-module/archive/refs/tags/v${NGX_MOD_HTTPFLV}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_HTTPFLV}.tar.gz; rm -Rf v${NGX_MOD_HTTPFLV}.tar.gz
fi
# NGX_MOD_HEADERS_MORE
if [ ! -d /opt/mod/headers-more-nginx-module-${NGX_MOD_HEADERS_MORE} ]; then
cd /opt/mod/; wget https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v${NGX_MOD_HEADERS_MORE}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_HEADERS_MORE}.tar.gz; rm -Rf v${NGX_MOD_HEADERS_MORE}.tar.gz
fi
# NGX_MOD_SETMISC
if [ ! -d /opt/mod/set-misc-nginx-module-${NGX_MOD_SETMISC} ]; then
cd /opt/mod/; wget https://github.com/openresty/set-misc-nginx-module/archive/refs/tags/v${NGX_MOD_SETMISC}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_SETMISC}.tar.gz; rm -Rf v${NGX_MOD_SETMISC}.tar.gz
fi
# Testcookie
if [ ! -d /opt/mod/testcookie ]; then
cd /opt/mod/; git clone https://github.com/kyprizel/testcookie-nginx-module.git testcookie
fi
# Brotli
if [ ! -d /opt/mod/ngx_brotli ]; then
cd /opt/mod/; git clone https://github.com/google/ngx_brotli.git ngx_brotli; cd /opt/mod/ngx_brotli && git submodule update --init
fi
# Naxsi
if [ ! -d /opt/mod/naxsi ]; then
cd /opt/mod/; git clone --recurse-submodules https://github.com/wargio/naxsi.git naxsi
fi
# NGX_MOD_ZSTD — Zstandard compression module from tokers. Pinned via
# NGX_MOD_ZSTD; tarball pattern (dir name embeds version → cache invalidates
# automatically when the pin moves).
if [ ! -d /opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} ]; then
cd /opt/mod/; wget https://github.com/tokers/zstd-nginx-module/archive/refs/tags/${NGX_MOD_ZSTD}.tar.gz
cd /opt/mod/; tar xf ${NGX_MOD_ZSTD}.tar.gz; rm -Rf ${NGX_MOD_ZSTD}.tar.gz
fi
# END OF NGINX MODULES
# ============================================================================================================
}
test_nginx() {
cd /opt/nginx-${NGINX} && LUAJIT_LIB="/usr/local/LuaJIT/lib" LUAJIT_INC="/usr/local/LuaJIT/include/luajit-2.1/" CFLAGS=-fPIC CXXFLAGS=-fPIC ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--modules-path=/nginx/modules \
--pid-path=/run/nginx.pid \
--lock-path=/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--http-client-body-temp-path=/run/nginx/temp/client_body \
--http-proxy-temp-path=/run/nginx/temp/proxy \
--http-fastcgi-temp-path=/run/nginx/temp/fastcgi \
--http-uwsgi-temp-path=/run/nginx/temp/uwsgi \
--http-scgi-temp-path=/run/nginx/temp/scgi \
--with-pcre \
--with-pcre-jit \
--with-pcre=/opt/mod/pcre2-${SYSTEM_PCRE} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_v3_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--add-module=/opt/mod/ngx_devel_kit-${NGX_MOD_DEVELKIT} \
--add-module=/opt/mod/set-misc-nginx-module-${NGX_MOD_SETMISC} \
--add-module=/opt/mod/ngx_http_geoip2_module-${NGX_MOD_GEOIP2} \
--add-module=/opt/mod/headers-more-nginx-module-${NGX_MOD_HEADERS_MORE} \
--add-module=/opt/mod/lua-nginx-module-${NGX_MOD_LUA} \
--add-module=/opt/mod/ModSecurity-nginx-${NGX_MOD_MODSECURITY} \
--add-module=/opt/mod/naxsi/naxsi_src \
--add-module=/opt/mod/nginx-http-flv-module-${NGX_MOD_HTTPFLV} \
--add-module=/opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE} \
--add-module=/opt/mod/redis2-nginx-module \
--add-module=/opt/mod/ngx_brotli \
--add-module=/opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} \
--add-module=/opt/mod/testcookie \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I/usr/local/aws-lc/include -I/usr/local/zlib-ng/include -DNGX_HAVE_SYSTEMD" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/usr/local/aws-lc/lib -lssl -lcrypto -Wl,-rpath,/usr/local/aws-lc/lib -L/usr/local/zlib-ng/lib -lz -Wl,-rpath,/usr/local/zlib-ng/lib -lsystemd"
make clean
}
function build() {
cd /opt/nginx-${NGINX} && LUAJIT_LIB="/usr/local/LuaJIT/lib" LUAJIT_INC="/usr/local/LuaJIT/include/luajit-2.1/" CFLAGS=-fPIC CXXFLAGS=-fPIC ./configure --with-compat \
--user=nginx \
--group=nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--modules-path=/nginx/modules \
--pid-path=/run/nginx.pid \
--lock-path=/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--http-client-body-temp-path=/run/nginx/temp/client_body \
--http-proxy-temp-path=/run/nginx/temp/proxy \
--http-fastcgi-temp-path=/run/nginx/temp/fastcgi \
--http-uwsgi-temp-path=/run/nginx/temp/uwsgi \
--http-scgi-temp-path=/run/nginx/temp/scgi \
--with-pcre \
--with-pcre-jit \
--with-pcre=/opt/mod/pcre2-${SYSTEM_PCRE} \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_v3_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--add-module=/opt/mod/ngx_devel_kit-${NGX_MOD_DEVELKIT} \
--add-module=/opt/mod/set-misc-nginx-module-${NGX_MOD_SETMISC} \
--add-module=/opt/mod/ngx_http_geoip2_module-${NGX_MOD_GEOIP2} \
--add-module=/opt/mod/headers-more-nginx-module-${NGX_MOD_HEADERS_MORE} \
--add-module=/opt/mod/ModSecurity-nginx-${NGX_MOD_MODSECURITY} \
--add-module=/opt/mod/lua-nginx-module-${NGX_MOD_LUA} \
--add-module=/opt/mod/naxsi/naxsi_src \
--add-module=/opt/mod/nginx-http-flv-module-${NGX_MOD_HTTPFLV} \
--add-module=/opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE} \
--add-module=/opt/mod/redis2-nginx-module \
--add-module=/opt/mod/ngx_brotli \
--add-module=/opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} \
--add-module=/opt/mod/testcookie \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I/usr/local/aws-lc/include -I/usr/local/zlib-ng/include -DNGX_HAVE_SYSTEMD" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/usr/local/aws-lc/lib -lssl -lcrypto -Wl,-rpath,/usr/local/aws-lc/lib -L/usr/local/zlib-ng/lib -lz -Wl,-rpath,/usr/local/zlib-ng/lib -lsystemd"
# NOTE: kept as separate statements (not `make && make install && make clean`)
# so `set -e` actually fires on a make failure. The && chain hides left-side
# failures from set -e, which previously let half-built nginx ship.
cd /opt/nginx-${NGINX} && make -j`nproc`
cd /opt/nginx-${NGINX} && make install
cd /opt/nginx-${NGINX} && make clean
unset NGINX
}
function post_build() {
useradd nginx; unset NGINX; rm -rf /nginx/*.default;
mkdir -p /nginx/live
mkdir -p /nginx/conf.d
mkdir -p /nginx/config
mkdir -p /var/log/nginx
mkdir -p /nginx/modsec; curl -s https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules > /nginx/modsec/naxi.core
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/l7.conf > /nginx/modsec/l7.conf
curl -s https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended > /nginx/modsec/modsecurity.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/tester.conf > /nginx/modsec/tester.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/unicode.mapping > /nginx/modsec/unicode.mapping
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nginx/nginx.conf > /nginx/nginx.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nginx/live/default > /nginx/live/default
mkdir -p /hostdata/default/public_html/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/index.html > /hostdata/default/public_html/index.html
mkdir -p /hostdata/default/public_html/cdn/modsec && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/aes.min.js > /hostdata/default/public_html/cdn/modsec/aes.min.js
SRC_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
install -m 0644 "${SRC_DIR}/static/Trixie/nginx.service" /etc/systemd/system/nginx.service
if [ -f "/run/.containerenv" ] || [ -f "/.dockerenv" ] || [ -f "/home/runner/.dockerenv" ]; then
echo "Skipping systemctl commands on GitHub runner"
mkdir -p /etc/systemd/system/
else
systemctl daemon-reload
systemctl restart nginx.service
systemctl enable nginx.service
fi
}
# Handling command-line arguments
case "$1" in
new)
reqs
clean_install
;;
test)
test_nginx
;;
build)
build
;;
postfix)
post_build
;;
*)
echo "Invalid option: $1"
echo "Usage: $0 {new|test|build|postfix}"
echo ""
echo " new: will download all modules & nginx (if you change a version from file, simply rerun this to download that)"
echo " test: Test nginx configuration"
echo " build: Build nginx, or Rebuild (mods/configs will not be redownloaded this will only build)"
echo " postfix: After first installation, run this to download nginx configs (it will replace nginx.conf if there already is one)"
exit 1
;;
esac
static/Focal/nginx.service
-16
View File
@@ -1,16 +0,0 @@
[Nginx]
Description=A high performance web server and a reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
static/Jammy/nginx.service
-16
View File
@@ -1,16 +0,0 @@
[Nginx]
Description=A high performance web server and a reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
static/Raccoon/nginx-raweb.service
+70
View File
@@ -0,0 +1,70 @@
[Unit]
Description=A high performance web server and a reverse proxy server (twiy)
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
ExecStartPre=/usr/bin/install -d -o nginx -g nginx -m 0755 /run/nginx/temp /run/nginx/temp/client_body /run/nginx/temp/proxy /run/nginx/temp/fastcgi /run/nginx/temp/uwsgi /run/nginx/temp/scgi /var/log/nginx
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx -c /nginx/nginx.conf
ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /run/nginx.pid)"
ExecStop=/bin/sh -c "/bin/kill -s QUIT $(/bin/cat /run/nginx.pid)"
TimeoutStartSec=10
LimitNOFILE=65535
# === hardening: deny-everything by default, allowlist via bind mounts ===
# TemporaryFileSystem=/ replaces the visible filesystem with an empty tmpfs.
# Everything not bind-mounted below is invisible to nginx workers — even
# read access. Compromise of a worker can no longer enumerate /etc/passwd,
# /home/*, /var/lib/*, /root, /opt, etc.
TemporaryFileSystem=/
# Read-only: nginx binary, dynamic linker, all linked libs, system config,
# CA bundles, Let's Encrypt certs (live/ + archive/ both under /etc).
BindReadOnlyPaths=/usr
BindReadOnlyPaths=/lib
BindReadOnlyPaths=/lib64
BindReadOnlyPaths=/bin
BindReadOnlyPaths=/sbin
BindReadOnlyPaths=/etc
# Read-write: nginx runtime state.
# /run nginx.pid, nginx.lock, /run/nginx/temp/*, PHP-FPM sock
# /var/log/nginx access.log, error.log
# /nginx config dir (read-mostly but reload writes some state)
BindPaths=/run
BindPaths=/var/log/nginx
BindPaths=/nginx
BindPaths=/var/cache/nginx
BindPaths=/srv
BindPaths=/hostdata
BindPaths=/raweb
NoNewPrivileges=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
PrivateDevices=true
PrivateTmp=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# NOTE deliberately OFF:
# MemoryDenyWriteExecute=true breaks LuaJIT (JIT writable+executable pages)
# SystemCallFilter=~@resources breaks nginx workers' prlimit64()
# ProtectSystem and ProtectHome are redundant under TemporaryFileSystem=/.
[Install]
WantedBy=multi-user.target
static/Raccoon/nginx.service
+19
View File
@@ -0,0 +1,19 @@
[Unit]
Description=A high performance web server and a reverse proxy server (twiy)
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
ExecStartPre=/usr/bin/install -d -o nginx -g nginx -m 0755 /run/nginx/temp /run/nginx/temp/client_body /run/nginx/temp/proxy /run/nginx/temp/fastcgi /run/nginx/temp/uwsgi /run/nginx/temp/scgi /var/log/nginx
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx -c /nginx/nginx.conf
ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /run/nginx.pid)"
ExecStop=/bin/sh -c "/bin/kill -s QUIT $(/bin/cat /run/nginx.pid)"
TimeoutStartSec=10
LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
static/Trixie/nginx-raweb.service
+70
View File
@@ -0,0 +1,70 @@
[Unit]
Description=A high performance web server and a reverse proxy server (twiy)
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
ExecStartPre=/usr/bin/install -d -o nginx -g nginx -m 0755 /run/nginx/temp /run/nginx/temp/client_body /run/nginx/temp/proxy /run/nginx/temp/fastcgi /run/nginx/temp/uwsgi /run/nginx/temp/scgi /var/log/nginx
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx -c /nginx/nginx.conf
ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /run/nginx.pid)"
ExecStop=/bin/sh -c "/bin/kill -s QUIT $(/bin/cat /run/nginx.pid)"
TimeoutStartSec=10
LimitNOFILE=65535
# === hardening: deny-everything by default, allowlist via bind mounts ===
# TemporaryFileSystem=/ replaces the visible filesystem with an empty tmpfs.
# Everything not bind-mounted below is invisible to nginx workers — even
# read access. Compromise of a worker can no longer enumerate /etc/passwd,
# /home/*, /var/lib/*, /root, /opt, etc.
TemporaryFileSystem=/
# Read-only: nginx binary, dynamic linker, all linked libs, system config,
# CA bundles, Let's Encrypt certs (live/ + archive/ both under /etc).
BindReadOnlyPaths=/usr
BindReadOnlyPaths=/lib
BindReadOnlyPaths=/lib64
BindReadOnlyPaths=/bin
BindReadOnlyPaths=/sbin
BindReadOnlyPaths=/etc
# Read-write: nginx runtime state.
# /run nginx.pid, nginx.lock, /run/nginx/temp/*, PHP-FPM sock
# /var/log/nginx access.log, error.log
# /nginx config dir (read-mostly but reload writes some state)
BindPaths=/run
BindPaths=/var/log/nginx
BindPaths=/nginx
BindPaths=/var/cache/nginx
BindPaths=/srv
BindPaths=/hostdata
BindPaths=/raweb
NoNewPrivileges=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
PrivateDevices=true
PrivateTmp=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# NOTE deliberately OFF:
# MemoryDenyWriteExecute=true breaks LuaJIT (JIT writable+executable pages)
# SystemCallFilter=~@resources breaks nginx workers' prlimit64()
# ProtectSystem and ProtectHome are redundant under TemporaryFileSystem=/.
[Install]
WantedBy=multi-user.target
static/Trixie/nginx.service
+19
View File
@@ -0,0 +1,19 @@
[Unit]
Description=A high performance web server and a reverse proxy server (twiy)
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
ExecStartPre=/usr/bin/install -d -o nginx -g nginx -m 0755 /run/nginx/temp /run/nginx/temp/client_body /run/nginx/temp/proxy /run/nginx/temp/fastcgi /run/nginx/temp/uwsgi /run/nginx/temp/scgi /var/log/nginx
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx -c /nginx/nginx.conf
ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /run/nginx.pid)"
ExecStop=/bin/sh -c "/bin/kill -s QUIT $(/bin/cat /run/nginx.pid)"
TimeoutStartSec=10
LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
static/nginx/nginx.conf
+73 -15
View File
@@ -1,8 +1,7 @@
# Suggestions? => https://github.com/theraw/The-World-Is-Yours/issues
# Problems? => https://github.com/theraw/The-World-Is-Yours/issues
user nginx;
pid /var/run/nginx.pid;
pid /run/nginx.pid;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 65535;
events {
@@ -13,7 +12,8 @@ events {
http {
# =================== LOAD LUA ========================= #
lua_package_path "/usr/nginx_lua/lib/lua/?.lua";
lua_package_path "/usr/nginx_lua/lib/lua/?.lua;;";
lua_package_cpath "/usr/nginx_lua/lib/lua/5.1/?.so;;";
# =================== END LUA ========================== #
# =================== LOAD L7 ========================== #
@@ -21,25 +21,64 @@ http {
# =================== END L7 =========================== #
# ===================== LOGS =========================== #
log_format main 'DATE: $time_local FROM: $remote_addr | STATUS: $status | TO: $request | CACHE: $upstream_cache_status | A: $http_user_agent';
map $upstream_cache_status $log_cache_status {
"" "STATIC";
default $upstream_cache_status;
}
more_set_headers "X-Cache-Status: $log_cache_status";
log_format main 'DATE: $time_local FROM: $remote_addr | STATUS: $status | TO: $request | CACHE: $log_cache_status | A: $http_user_agent';
# =================== END LOGS ========================= #
# ==================== GENERAL ========================= #
client_body_buffer_size 2M;
client_header_buffer_size 2M;
client_body_timeout 90s;
client_header_timeout 90s;
client_header_buffer_size 4k;
large_client_header_buffers 4 16k;
client_body_buffer_size 16k;
client_max_body_size 2M;
keepalive_timeout 15s;
client_body_timeout 30s;
client_header_timeout 30s;
send_timeout 30s;
reset_timedout_connection on;
keepalive_timeout 65s;
keepalive_requests 2000;
max_headers 100;
port_in_redirect off;
sendfile on;
server_names_hash_bucket_size 6969;
server_name_in_redirect off;
server_tokens off;
sendfile_max_chunk 1m;
tcp_nodelay on;
tcp_nopush on;
types_hash_max_size 2048;
resolver 1.1.1.1 1.0.0.1;
server_tokens off;
server_name_in_redirect off;
server_names_hash_bucket_size 128;
server_names_hash_max_size 32768;
types_hash_max_size 4096;
# File metadata cache — biggest single win for static-heavy shared hosting.
open_file_cache max=200000 inactive=30s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# ===================== TLS ============================ #
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:200m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# Cloudflare dynamic TLS record sizing (build/patches/nginx-X-dynamic-tls-records.patch).
# Small records up front cut TTFB by ~1 RTT, then ramp up to amortise TLS
# overhead once the connection is past head-of-line blocking.
ssl_dyn_rec_enable on;
ssl_dyn_rec_size_lo 1369;
ssl_dyn_rec_size_hi 4229;
ssl_dyn_rec_threshold 40;
ssl_dyn_rec_timeout 1000;
# ===================== END TLS ======================== #
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
default_type application/octet-stream;
include /nginx/mime.types;
@@ -47,6 +86,25 @@ http {
default upgrade;
'' close;
}
# ==================== COMPRESSION ===================== #
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 4;
gzip_min_length 256;
gzip_types text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
brotli on;
brotli_comp_level 4;
brotli_min_length 256;
brotli_types text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
zstd on;
zstd_comp_level 4;
zstd_min_length 256;
zstd_types text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
# =================== END COMPRESSION ================== #
# =================== END GENERAL ====================== #
# ================ LOAD VHOST +CONFIGS ================= #
version
+54 -17
View File
@@ -1,51 +1,88 @@
export NGINX="1.26.0"
export NGINX="1.31.1"
export LUA_SCRIPTS="/usr/nginx_lua/"
# Lua Path
export LUA_SCRIPTS="/usr/nginx_lua"
# https://github.com/openresty/lua-nginx-module/tags
export NGX_MOD_LUA="0.10.26"
export NGX_MOD_LUA="0.10.29"
# https://github.com/vision5/ngx_devel_kit/tags
export NGX_MOD_DEVELKIT="0.3.3"
export NGX_MOD_DEVELKIT="0.3.4"
# https://github.com/leev/ngx_http_geoip2_module/releases
export NGX_MOD_GEOIP2="3.4"
# https://github.com/owasp-modsecurity/ModSecurity-nginx/releases
export NGX_MOD_MODSECURITY="1.0.3"
export NGX_MOD_MODSECURITY="1.0.4"
# https://github.com/winshining/nginx-http-flv-module/releases
export NGX_MOD_HTTPFLV="1.2.11"
export NGX_MOD_HTTPFLV="1.2.13"
# https://github.com/openresty/headers-more-nginx-module/tags
export NGX_MOD_HEADERS_MORE="0.37"
export NGX_MOD_HEADERS_MORE="0.39"
# https://github.com/openresty/set-misc-nginx-module/releases
export NGX_MOD_SETMISC="0.33"
# https://github.com/openresty/lua-resty-core/tags
export LUA_SCRIPTS_RESTYCORE="0.1.28"
# https://github.com/openresty/lua-resty-core/tags
export LUA_SCRIPTS_RESTYCORE="0.1.32"
# https://github.com/openresty/lua-resty-lrucache/tags
export LUA_SCRIPTS_LRUCACHE="0.13"
export LUA_SCRIPTS_LRUCACHE="0.15"
# https://github.com/openresty/luajit2/tags
export SYSTEM_LUAJIT="2.1-20231117"
export SYSTEM_LUAJIT="2.1-20260311"
# https://github.com/PCRE2Project/pcre2/releases
export SYSTEM_PCRE="10.43"
export SYSTEM_PCRE="10.47"
# https://github.com/openssl/openssl
export SYSTEM_OPENSSL="3.1.5-quic1"
# https://github.com/aws/aws-lc/tags
# AWS-LC = Amazon's BoringSSL fork. Supported natively in nginx since 1.29.2.
# Picked over quictls (EOL OpenSSL 3.1 base) and over OpenSSL 3.5 native QUIC
# because of better TLS handshake throughput and clean release tagging.
export SYSTEM_AWSLC="1.72.0"
# https://github.com/SpiderLabs/ModSecurity/releases
export SYSTEM_MODSECURITY="3.0.12"
# https://github.com/SpiderLabs/ModSecurity/releases 3.0.12
export SYSTEM_MODSECURITY="3.0.14"
# https://github.com/openresty/lua-resty-mysql/tags
export NGX_MOD_LUA_MYSQL="0.27"
export NGX_MOD_LUA_MYSQL="0.29"
# https://github.com/openresty/lua-resty-lock/tags
export NGX_MOD_LUA_LOCK="0.09"
# https://github.com/openresty/srcache-nginx-module/tags
export NGX_MOD_LUA_SRCACHE="0.33"
# https://github.com/tokers/zstd-nginx-module/tags
# Zstandard compression module. Chrome 123+ and Firefox 126+ send
# `Accept-Encoding: zstd`; older clients fall back to brotli/gzip.
export NGX_MOD_ZSTD="0.1.1"
# https://github.com/zlib-ng/zlib-ng/releases
# Drop-in libz replacement with SIMD-accelerated DEFLATE. Built in --zlib-compat
# mode, installed to /usr/local/zlib-ng/. ~2-3x faster gzip CPU vs stock zlib.
export SYSTEM_ZLIBNG="2.3.3"
# ---------------------------------------------------------------------------
# Patches applied on top of upstream nginx source (committed at build/patches/).
# 1 = apply, 0 = skip. Each patch's filename embeds the nginx version it was
# authored against — bumping NGINX above means reviewing/refreshing every patch
# in build/patches/.
# ---------------------------------------------------------------------------
# Required for Type=notify in the systemd unit. Mainline nginx has the
# #if (NGX_HAVE_SYSTEMD) guards but no actual sd_notify call sites; every distro
# carries their own patch. Without this, `Type=notify` times out at startup.
export APPLY_PATCH_SYSTEMD_NOTIFY=1
# Cloudflare's dynamic TLS records: ssl_dyn_rec_* directives. Varies TLS record
# size based on connection state. -1 RTT TTFB on first byte, +reduced overhead
# at steady state. Patch shipped at build/patches/.
export APPLY_PATCH_DYNAMIC_TLS_RECORDS=1
# Cloudflare's HPACK dynamic-table encoder: --with-http_v2_hpack_enc. Smaller
# HTTP/2 response headers on the wire. Upstream patch is stale (last touched
# 2017; nginx 1.31 has already absorbed parts of it upstream and the remaining
# hunks reference internals that have drifted). Patch NOT yet shipped — would
# need a full rebase. Keep toggle here for the day someone ports it.
export APPLY_PATCH_HTTP2_HPACK_ENC=0