File ingress.spec of Package nginx
%global _hardened_build 1
%global nginx_user nginx
# Disable strict symbol checks in the link editor.
# See: https://src.fedoraproject.org/rpms/redhat-rpm-config/c/078af19
%undefine _strict_symbol_defs_build
%bcond_without geoip2
%bcond_with modsecurity
%bcond_without lua
%bcond_with opentelemetry
# nginx gperftools support should be disabled for RHEL >= 8
# see: https://bugzilla.redhat.com/show_bug.cgi?id=1931402
%if 0%{?rhel} >= 8
%global with_gperftools 0
%else
# gperftools exists only on selected arches
# gperftools *detection* is failing on ppc64*, possibly only configure
# bug, but disable anyway.
%ifnarch s390 s390x ppc64 ppc64le
%global with_gperftools 1
%endif
%endif
%global with_aio 1
%if 0%{?fedora} > 22
%global with_mailcap_mimetypes 1
%endif
# kTLS requires OpenSSL 3.0 (default in F36+ and EL9+, available in EPEL8)
%if 0%{?fedora} >= 36 || 0%{?rhel} >= 8
%global with_ktls 1
%endif
# Build against OpenSSL 1.1 on EL7
%if 0%{?rhel} == 7
%global openssl_pkgversion 11
%endif
# Build against OpenSSL 3 on greater than EL8
%if 0%{?rhel} >= 8
%global openssl_pkgversion 3
%endif
# Cf. https://www.nginx.com/blog/creating-installable-packages-dynamic-modules/
%global nginx_abiversion %{version}
%global nginx_moduledir /opt/nginx/modules
%global nginx_moduleconfdir /etc/nginx/conf/modules
%global nginx_srcdir %{_usrsrc}/%{name}-%{version}-%{release}
# Do not generate provides/requires from nginx sources
%global __provides_exclude_from ^%{nginx_srcdir}/.*$
%global __requires_exclude_from ^%{nginx_srcdir}/.*$
Name: nginx
Epoch: 5
Version: 1.28.0
Release: %{epoch}.<RELEASE>%{?dist}
Summary: A high performance web server and reverse proxy server with ingress capabilities
License: BSD-2-Clause AND Apache-2.0
URL: https://nginx.org
Source0: https://nginx.org/download/nginx-%{version}.tar.gz
# Keys are found here: https://nginx.org/en/pgp_keys.html
#Source2: https://nginx.org/keys/maxim.key
#Source3: https://nginx.org/keys/mdounin.key
#Source4: https://nginx.org/keys/sb.key
#Source5: https://nginx.org/keys/thresh.key
Source10: nginx.service
Source11: nginx.logrotate
Source12: nginx.conf
Source13: nginx-upgrade
Source15: macros.nginxmods.in
Source16: nginxmods.attr
Source17: nginx-ssl-pass-dialog
#Source102: nginx-logo.png
#Source103: 404.html
#Source104: 50x.html
#Source200: README.dynamic
#Source210: UPGRADE-NOTES-1.6-to-1.10
# Original modules from your spec
Source90: https://github.com/vozlt/nginx-module-vts/archive/refs/tags/v0.2.3.tar.gz
Source91: https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v0.38.tar.gz
Source92: https://github.com/Refinitiv/nginx-sticky-module-ng/archive/refs/heads/master.tar.gz
Source93: https://github.com/leev/ngx_http_geoip2_module/archive/refs/tags/3.4.tar.gz
Source94: https://github.com/nviennot/nginx-tcp-keepalive/archive/refs/heads/nginx-tcp-keepalive.tar.gz
# Ingress-NGINX specific modules
Source100: https://github.com/nginx/njs/archive/0.8.10.tar.gz
Source101: https://github.com/openresty/luajit2/archive/v2.1-20240815.tar.gz
Source102: https://github.com/vision5/ngx_devel_kit/archive/v0.3.3.tar.gz
Source103: https://github.com/openresty/lua-nginx-module/archive/v0.10.27.tar.gz
Source104: https://github.com/openresty/stream-lua-nginx-module/archive/v0.0.15.tar.gz
Source105: https://github.com/openresty/lua-upstream-nginx-module/archive/v0.07.tar.gz
Source106: https://github.com/SpiderLabs/ModSecurity-nginx/archive/v1.0.3.tar.gz
Source107: https://github.com/SpiderLabs/ModSecurity/archive/v3.0.14.tar.gz
Source108: https://github.com/google/ngx_brotli/archive/a71f9312c2deb28875acc7bacfdd5695a111aa53.tar.gz
Source109: https://github.com/open-telemetry/opentelemetry-cpp/archive/v1.18.0.tar.gz
Source110: https://github.com/open-telemetry/opentelemetry-proto/archive/v1.5.0.tar.gz
Source111: https://github.com/open-telemetry/opentelemetry-cpp-contrib/archive/8933841f0a7f8737f61404cf0a64acf6b079c8a5.tar.gz
# Lua ecosystem modules
Source120: https://github.com/openresty/lua-resty-core/archive/v0.1.30.tar.gz
Source121: https://github.com/openresty/lua-resty-balancer/archive/v0.05.tar.gz
Source122: https://github.com/openresty/lua-cjson/archive/2.1.0.14.tar.gz
Source123: https://github.com/cloudflare/lua-resty-cookie/archive/f418d77082eaef48331302e84330488fdc810ef4.tar.gz
Source124: https://github.com/openresty/lua-resty-lrucache/archive/v0.15.tar.gz
Source125: https://github.com/openresty/lua-resty-dns/archive/v0.23.tar.gz
Source126: https://github.com/ledgetech/lua-resty-http/archive/v0.17.2.tar.gz
Source127: https://github.com/openresty/lua-resty-lock/archive/v0.09.tar.gz
Source128: https://github.com/openresty/lua-resty-upload/archive/v0.11.tar.gz
Source129: https://github.com/openresty/lua-resty-string/archive/v0.16.tar.gz
Source130: https://github.com/openresty/lua-resty-memcached/archive/v0.17.tar.gz
Source131: https://github.com/openresty/lua-resty-redis/archive/v0.31.tar.gz
Source132: https://github.com/api7/lua-resty-ipmatcher/archive/3e93c53eb8c9884efe939ef070486a0e507cc5be.tar.gz
Source133: https://github.com/ElvinEfendi/lua-resty-global-throttle/archive/v0.2.0.tar.gz
# Additional dependencies
Source140: https://github.com/microsoft/mimalloc/archive/v2.1.9.tar.gz
Source141: https://github.com/ssdeep-project/ssdeep/archive/release-2.14.1.tar.gz
Source142: https://github.com/coreruleset/coreruleset/archive/v4.10.0.tar.gz
# removes -Werror in upstream build scripts. -Werror conflicts with
# -D_FORTIFY_SOURCE=2 causing warnings to turn into errors.
Patch0: 0001-remove-Werror-in-upstream-build-scripts.patch
# downstream patch - fix PIDFile race condition (rhbz#1869026)
# rejected upstream: https://trac.nginx.org/nginx/ticket/1897
Patch1: 0002-fix-PIDFile-handling.patch
# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=1955564
#Patch2: 0003-Support-loading-cert-hardware-token-PKC.patch
# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2006822
#Patch3: 0004-Set-proper-compiler-optimalization-level-O2-for-perl.patch
# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2006420
#Patch4: 0005-Init-openssl-engine-properly.patch
# upstream patch - fixing ALPACA(CVE-2021-3618) security issue - https://bugzilla.redhat.com/show_bug.cgi?id=1975623
#Patch5: 0006-Fix-ALPACA-security-issue.patch
# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2028781
#Patch6: 0007-Enable-TLSv1.3-by-default.patch
# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2028781
Patch99: 0099-nginx-cookie.patch
# Ingress-nginx specific patches
#Patch100: 0100-ingress-nginx-optimizations.patch
#Patch101: 0101-modsecurity-gcc-fix.patch
BuildRequires: make
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: cmake
BuildRequires: ninja-build
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
BuildRequires: git
#BuildRequires: gnupg2
%if 0%{?with_gperftools}
BuildRequires: gperftools-devel
%endif
%if 0%{?openssl_pkgversion} == 3
BuildRequires: openssl-devel
%else
BuildRequires: openssl%{?openssl_pkgversion}-devel
%endif
BuildRequires: pcre2-devel
BuildRequires: zlib-devel
BuildRequires: libxml2-devel
BuildRequires: libxslt-devel
BuildRequires: gd-devel
BuildRequires: perl-devel
%if 0%{?fedora} >= 24 || 0%{?rhel} >= 7
BuildRequires: perl-generators
%endif
BuildRequires: perl(ExtUtils::Embed)
%if %{with geoip2}
BuildRequires: libmaxminddb-devel
%endif
%if %{with modsecurity}
BuildRequires: yajl-devel
BuildRequires: lmdb-devel
BuildRequires: libcurl-devel
BuildRequires: flex
BuildRequires: bison
BuildRequires: python3
%endif
%if %{with opentelemetry}
BuildRequires: protobuf-devel
BuildRequires: grpc-devel
BuildRequires: c-ares-devel
BuildRequires: protobuf-c
BuildRequires: protobuf-lite
%endif
# opentelemetry and modsecurity both required
#BuildRequires: libcurl-devel
Requires: %{name}-filesystem = %{epoch}:%{version}-%{release}
%if 0%{?el7}
# centos-logos el7 does not provide 'system-indexhtml'
Requires: system-logos redhat-indexhtml
# need to remove epel7 geoip sub-package, doesn't work anymore
# https://bugzilla.redhat.com/show_bug.cgi?id=1576034
# https://bugzilla.redhat.com/show_bug.cgi?id=1664957
Obsoletes: %{name}-mod-http-geoip <= 1:1.16
%else
Requires: system-logos-httpd
%endif
Provides: webserver
%if 0%{?fedora} || 0%{?rhel} >= 8
Recommends: logrotate
%endif
Requires: %{name}-core = %{epoch}:%{version}-%{release}
BuildRequires: systemd
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
# For external nginx modules
Provides: %{name} = %{epoch}:%{version}-%{release}
Provides: %{name}.%{openssl_pkgversion}
%description
Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and
IMAP protocols, with a strong focus on high concurrency, performance and low
memory usage. This version includes comprehensive ingress controller capabilities
with Lua scripting, ModSecurity WAF, OpenTelemetry observability, and advanced
traffic management features.
%package core
Summary: nginx minimal core
%if 0%{?with_mailcap_mimetypes}
Requires: nginx-mimetypes
%endif
%if 0%{?openssl_pkgversion} == 3
BuildRequires: openssl-libs
%else
BuildRequires: openssl%{?openssl_pkgversion}-libs
%endif
Requires(pre): nginx-filesystem
Conflicts: nginx < 1:1.20.2-4
Provides: %{name}-core.%{openssl_pkgversion}
%description core
nginx minimal core
%package all-modules
Summary: A meta package that installs all available Nginx modules
BuildArch: noarch
%if %{with geoip2}
Requires: %{name}-mod-http-geoip2 = %{epoch}:%{version}-%{release}
%endif
Requires: %{name}-mod-tcp-keepalive = %{epoch}:%{version}-%{release}
Requires: %{name}-mod-stream = %{epoch}:%{version}-%{release}
Requires: %{name}-mod-headers-more = %{epoch}:%{version}-%{release}
Requires: %{name}-mod-http-sticky = %{epoch}:%{version}-%{release}
Requires: %{name}-mod-http-vts = %{epoch}:%{version}-%{release}
Requires: %{name}-mod-http-image-filter = %{epoch}:%{version}-%{release}
Requires: %{name}-mod-http-perl = %{epoch}:%{version}-%{release}
Requires: %{name}-mod-http-xslt-filter = %{epoch}:%{version}-%{release}
Requires: %{name}-mod-mail = %{epoch}:%{version}-%{release}
%if %{with lua}
Requires: %{name}-mod-lua = %{epoch}:%{version}-%{release}
%endif
%if %{with modsecurity}
Requires: %{name}-mod-modsecurity = %{epoch}:%{version}-%{release}
%endif
%if %{with opentelemetry}
Requires: %{name}-mod-opentelemetry = %{epoch}:%{version}-%{release}
%endif
Requires: %{name}-mod-njs = %{epoch}:%{version}-%{release}
Requires: %{name}-mod-brotli = %{epoch}:%{version}-%{release}
%description all-modules
Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and
IMAP protocols, with a strong focus on high concurrency, performance and low
memory usage. This meta-package installs all available modules including
ingress controller capabilities.
%package filesystem
Summary: The basic directory layout for the Nginx server
BuildArch: noarch
Requires(pre): shadow-utils
Provides: %{name}-filesystem.%{openssl_pkgversion}
%description filesystem
The nginx-filesystem package contains the basic directory layout
for the Nginx server including the correct permissions for the
directories.
%if %{with geoip2}
%package mod-http-geoip2
Summary: Nginx HTTP geoip2 module
Requires: %{name} = %{epoch}:%{version}-%{release}
Requires: libmaxminddb
BuildRequires: libmaxminddb-devel
Provides: %{name}-mod-http-geoip2.%{openssl_pkgversion}
%description mod-http-geoip2
%{summary}.
%endif
%package mod-tcp-keepalive
Summary: Nginx TCP KeepAlive module
Requires: %{name} = %{epoch}:%{version}-%{release}
Provides: %{name}-mod-tcp-keepalive.%{openssl_pkgversion}
%description mod-tcp-keepalive
%{summary}.
%package mod-http-image-filter
Summary: Nginx HTTP image filter module
BuildRequires: gd-devel
Requires: %{name} = %{epoch}:%{version}-%{release}
Requires: gd
Provides: %{name}-mod-http-image-filter.%{openssl_pkgversion}
%description mod-http-image-filter
%{summary}.
%package mod-http-perl
Summary: Nginx HTTP perl module
BuildRequires: perl-devel
%if 0%{?fedora} >= 24 || 0%{?rhel} >= 7
BuildRequires: perl-generators
%endif
BuildRequires: perl(ExtUtils::Embed)
Requires: %{name} = %{epoch}:%{version}-%{release}
Requires: perl(constant)
Provides: %{name}-mod-http-perl.%{openssl_pkgversion}
%description mod-http-perl
%{summary}.
%package mod-http-xslt-filter
Summary: Nginx XSLT module
BuildRequires: libxslt-devel
Requires: %{name} = %{epoch}:%{version}-%{release}
Provides: %{name}-mod-http-xslt-filter.%{openssl_pkgversion}
%description mod-http-xslt-filter
%{summary}.
%package mod-mail
Summary: Nginx mail modules
Requires: %{name} = %{epoch}:%{version}-%{release}
Provides: %{name}-mod-mail.%{openssl_pkgversion}
%description mod-mail
%{summary}.
%package mod-stream
Summary: Nginx stream modules
Requires: %{name} = %{epoch}:%{version}-%{release}
Provides: %{name}-mod-stream.%{openssl_pkgversion}
%description mod-stream
%{summary}.
%package mod-http-sticky
Summary: Nginx HTTP Sticky modules
Requires: %{name} = %{epoch}:%{version}-%{release}
Provides: %{name}-mod-http-sticky.%{openssl_pkgversion}
%description mod-http-sticky
%{summary}.
%package mod-http-vts
Summary: Nginx HTTP VTS Metrics modules
Requires: %{name} = %{epoch}:%{version}-%{release}
Provides: %{name}-mod-http-vts.%{openssl_pkgversion}
%description mod-http-vts
%{summary}.
%package mod-headers-more
Summary: Nginx headers more modules
Requires: %{name} = %{epoch}:%{version}-%{release}
Provides: %{name}-mod-headers-more.%{openssl_pkgversion}
%description mod-headers-more
%{summary}.
# Ingress-nginx specific modules
%if %{with lua}
%package mod-lua
Summary: Nginx Lua modules
Requires: %{name} = %{epoch}:%{version}-%{release}
Provides: %{name}-mod-lua.%{openssl_pkgversion}
%description mod-lua
Lua scripting modules for Nginx enabling dynamic request processing
and advanced traffic management logic.
%endif
%if %{with modsecurity}
%package mod-modsecurity
Summary: Nginx ModSecurity WAF module
Requires: %{name} = %{epoch}:%{version}-%{release}
Provides: %{name}-mod-modsecurity.%{openssl_pkgversion}
%description mod-modsecurity
ModSecurity Web Application Firewall module providing advanced security
protection against web attacks.
%endif
%if %{with opentelemetry}
%package mod-opentelemetry
Summary: Nginx OpenTelemetry module
Requires: %{name} = %{epoch}:%{version}-%{release}
Provides: %{name}-mod-opentelemetry.%{openssl_pkgversion}
%description mod-opentelemetry
OpenTelemetry observability module providing distributed tracing and metrics collection.
%endif
%package mod-njs
Summary: Nginx JavaScript module
Requires: %{name} = %{epoch}:%{version}-%{release}
Provides: %{name}-mod-njs.%{openssl_pkgversion}
%description mod-njs
JavaScript scripting module enabling dynamic request/response processing with ES5+ features.
%package mod-brotli
Summary: Nginx Brotli compression module
Requires: %{name} = %{epoch}:%{version}-%{release}
Provides: %{name}-mod-brotli.%{openssl_pkgversion}
%description mod-brotli
Brotli compression module for efficient content compression.
%package mod-devel
Summary: Nginx module development files
Requires: nginx = %{epoch}:%{version}-%{release}
Requires: make
Requires: gcc
Requires: gd-devel
%if 0%{?with_gperftools}
Requires: gperftools-devel
%endif
Requires: libxslt-devel
%if 0%{?openssl_pkgversion} == 3
BuildRequires: openssl-devel
%else
BuildRequires: openssl%{?openssl_pkgversion}-devel
%endif
Requires: pcre2-devel
Requires: perl-devel
Requires: perl(ExtUtils::Embed)
Requires: zlib-devel
Provides: %{name}-mod-devel.%{openssl_pkgversion}
%description mod-devel
%{summary}.
%prep
# Combine all keys from upstream into one file
#cat %{S:2} %{S:3} %{S:4} %{S:5} > %{_builddir}/%{name}.gpg
#%{gpgverify} --keyring='%{_builddir}/%{name}.gpg' --signature='%{SOURCE1}' --data='%{SOURCE0}'
# Extract original modules
tar --strip-components=1 --one-top-level=nginx-module-vts -zxf %{SOURCE90}
tar --strip-components=1 --one-top-level=headers-more-nginx-module -zxf %{SOURCE91}
tar --strip-components=1 --one-top-level=nginx-sticky-module-ng -zxf %{SOURCE92}
tar --strip-components=1 --one-top-level=nginx-module-geoip2 -zxf %{SOURCE93}
tar --strip-components=1 --one-top-level=ngx_http_tcp_keepalive_module -zxf %{SOURCE94}
# Extract ingress-nginx modules
tar --strip-components=1 --one-top-level=njs -zxf %{SOURCE100}
tar --strip-components=1 --one-top-level=luajit2 -zxf %{SOURCE101}
tar --strip-components=1 --one-top-level=ngx_devel_kit -zxf %{SOURCE102}
tar --strip-components=1 --one-top-level=lua-nginx-module -zxf %{SOURCE103}
tar --strip-components=1 --one-top-level=stream-lua-nginx-module -zxf %{SOURCE104}
tar --strip-components=1 --one-top-level=lua-upstream-nginx-module -zxf %{SOURCE105}
tar --strip-components=1 --one-top-level=ModSecurity-nginx -zxf %{SOURCE106}
tar --strip-components=1 --one-top-level=ModSecurity -zxf %{SOURCE107}
tar --strip-components=1 --one-top-level=ngx_brotli -zxf %{SOURCE108}
tar --strip-components=1 --one-top-level=opentelemetry-cpp -zxf %{SOURCE109}
tar --strip-components=1 --one-top-level=opentelemetry-proto -zxf %{SOURCE110}
tar --strip-components=1 --one-top-level=opentelemetry-cpp-contrib -zxf %{SOURCE111}
# Extract Lua modules
tar --strip-components=1 --one-top-level=lua-resty-core -zxf %{SOURCE120}
tar --strip-components=1 --one-top-level=lua-resty-balancer -zxf %{SOURCE121}
tar --strip-components=1 --one-top-level=lua-cjson -zxf %{SOURCE122}
tar --strip-components=1 --one-top-level=lua-resty-cookie -zxf %{SOURCE123}
tar --strip-components=1 --one-top-level=lua-resty-lrucache -zxf %{SOURCE124}
tar --strip-components=1 --one-top-level=lua-resty-dns -zxf %{SOURCE125}
tar --strip-components=1 --one-top-level=lua-resty-http -zxf %{SOURCE126}
tar --strip-components=1 --one-top-level=lua-resty-lock -zxf %{SOURCE127}
tar --strip-components=1 --one-top-level=lua-resty-upload -zxf %{SOURCE128}
tar --strip-components=1 --one-top-level=lua-resty-string -zxf %{SOURCE129}
tar --strip-components=1 --one-top-level=lua-resty-memcached -zxf %{SOURCE130}
tar --strip-components=1 --one-top-level=lua-resty-redis -zxf %{SOURCE131}
tar --strip-components=1 --one-top-level=lua-resty-ipmatcher -zxf %{SOURCE132}
tar --strip-components=1 --one-top-level=lua-resty-global-throttle -zxf %{SOURCE133}
# Extract additional dependencies
tar --strip-components=1 --one-top-level=mimalloc -zxf %{SOURCE140}
tar --strip-components=1 --one-top-level=ssdeep -zxf %{SOURCE141}
tar --strip-components=1 --one-top-level=coreruleset -zxf %{SOURCE142}
%autosetup -p1 -N
mv ../nginx-module-vts .
mv ../headers-more-nginx-module .
mv ../nginx-sticky-module-ng .
mv ../nginx-module-geoip2 .
mv ../ngx_http_tcp_keepalive_module .
mv ../njs .
mv ../luajit2 .
mv ../ngx_devel_kit .
mv ../lua-nginx-module .
mv ../stream-lua-nginx-module .
mv ../lua-upstream-nginx-module .
mv ../ModSecurity-nginx .
mv ../ModSecurity .
mv ../ngx_brotli .
mv ../opentelemetry-cpp .
mv ../opentelemetry-proto .
mv ../opentelemetry-cpp-contrib .
mv ../lua-resty-core .
mv ../lua-resty-balancer .
mv ../lua-cjson .
mv ../lua-resty-cookie .
mv ../lua-resty-lrucache .
mv ../lua-resty-dns .
mv ../lua-resty-http .
mv ../lua-resty-lock .
mv ../lua-resty-upload .
mv ../lua-resty-string .
mv ../lua-resty-memcached .
mv ../lua-resty-redis .
mv ../lua-resty-ipmatcher .
mv ../lua-resty-global-throttle .
mv ../mimalloc .
mv ../ssdeep .
mv ../coreruleset .
%autopatch -p1
cp %{SOURCE10} %{SOURCE12} .
%if 0%{?rhel} > 0 && 0%{?rhel} < 8
sed -i -e 's#KillMode=.*#KillMode=process#g' nginx.service
sed -i -e 's#PROFILE=SYSTEM#HIGH:!aNULL:!MD5#' nginx.conf
%endif
%if "%{?openssl_pkgversion}"
sed \
-e 's|\(ngx_feature_path=\)$|\1%{_includedir}/openssl%{openssl_pkgversion}|' \
-e 's|\(ngx_feature_libs="\)|\1-L%{_libdir}/openssl%{openssl_pkgversion} |' \
-i auto/lib/openssl/conf
%endif
# Prepare sources for installation
cp -a ../%{name}-%{version} ../%{name}-%{version}-%{release}-src
mv ../%{name}-%{version}-%{release}-src .
%build
# nginx does not utilize a standard configure script. It has its own
# and the standard configure options cause the nginx configure script
# to error out. This is is also the reason for the DESTDIR environment
# variable.
export DESTDIR=%{buildroot}
# Build LuaJIT first
%if %{with lua}
cd luajit2
# Use system /usr prefix but stage install into the buildroot so OBS / chroot is not modified
export LUAJIT_LIB=/usr/lib
export LUAJIT_INC=/usr/include/luajit-2.1
make CCDEBUG=-g
make install PREFIX=/usr DESTDIR=%{buildroot}
# create symlink 'lua' -> 'luajit' inside the buildroot (do not touch real /usr/bin)
mkdir -p %{buildroot}/usr/bin
ln -sf luajit %{buildroot}/usr/bin/lua
# create header alias inside buildroot: /usr/include/lua -> /usr/include/luajit-2.1
mkdir -p %{buildroot}/usr/include
ln -sf luajit-2.1 %{buildroot}/usr/include/lua
cd ..
%endif
# Build ssdeep for ModSecurity
%if %{with modsecurity}
cd ssdeep
./bootstrap
./configure
make
make install
cd ..
%endif
# Build ModSecurity library
%if %{with modsecurity}
cd ModSecurity
git submodule init
git submodule update
./build.sh
PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure \
--disable-doxygen-doc \
--disable-doxygen-html \
--disable-examples
make
make install
cd ..
%endif
# Build OpenTelemetry if enabled
%if %{with opentelemetry}
cd opentelemetry-cpp
mkdir -p build
cd build
cmake .. \
-DCMAKE_BUILD_TYPE=Release \
-G Ninja \
-DOTELCPP_PROTO_PATH=../../opentelemetry-proto/ \
-DCMAKE_INSTALL_PREFIX=/usr \
-DBUILD_SHARED_LIBS=ON \
-DBUILD_TESTING=OFF \
-DBUILD_W3CTRACECONTEXT_TEST=OFF \
-DWITH_ABSEIL=ON \
-DWITH_STL=ON \
-DWITH_EXAMPLES=OFF \
-DWITH_ZPAGES=OFF \
-DWITH_OTLP_GRPC=ON \
-DWITH_OTLP_HTTP=ON \
-DWITH_ZIPKIN=ON \
-DWITH_PROMETHEUS=OFF \
-DNLOHMANN_JSON_DOWNLOAD=OFF \
-DBUILD_DEPS=ON
cmake --build .
cmake --install .
cd ../..
%endif
# Build Brotli
cd ngx_brotli
git submodule init
git submodule update
cd ..
# Build mimalloc
cd mimalloc
mkdir -p out/release
cd out/release
cmake ../..
make
make install
cd ../../..
# So the perl module finds its symbols:
nginx_ldopts="$RPM_LD_FLAGS -Wl,-E"
if ! ./configure \
--prefix=/etc/nginx \
--sbin-path=/opt/nginx/bin/nginx \
--modules-path=/opt/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/nginx.log \
--http-client-body-temp-path=/tmp/client_body \
--http-proxy-temp-path=/tmp/proxy \
--http-fastcgi-temp-path=/tmp/fastcgi \
--http-uwsgi-temp-path=/tmp/uwsgi \
--http-scgi-temp-path=/tmp/scgi \
--pid-path=/tmp/nginx.pid \
--lock-path=/tmp \
--user=%{nginx_user} \
--group=%{nginx_user} \
--with-compat \
--with-debug \
%if 0%{?with_aio}
--with-file-aio \
%endif
%if 0%{?with_gperftools}
--with-google_perftools_module \
%endif
--with-select_module \
--with-poll_module \
--with-http_addition_module \
--with-http_auth_request_module \
--with-http_dav_module \
--with-http_degradation_module \
--with-http_flv_module \
%if %{with geoip2}
--add-dynamic-module=nginx-module-geoip2 \
%endif
--add-dynamic-module=ngx_http_tcp_keepalive_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_image_filter_module=dynamic \
--with-http_mp4_module \
--with-http_perl_module=dynamic \
--with-http_random_index_module \
--with-http_realip_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_sub_module \
--with-http_v2_module \
--with-http_v3_module \
--with-http_xslt_module=dynamic \
--with-mail=dynamic \
--with-mail_ssl_module \
%if 0%{?with_ktls}
--with-openssl-opt=enable-ktls \
%else
--with-openssl-opt=no-nextprotoneg \
%endif
--add-dynamic-module=nginx-module-vts \
--add-dynamic-module=headers-more-nginx-module \
--add-dynamic-module=nginx-sticky-module-ng \
%if %{with lua}
--add-module=ngx_devel_kit \
--add-module=lua-nginx-module \
--add-dynamic-module=stream-lua-nginx-module \
--add-dynamic-module=lua-upstream-nginx-module \
%endif
%if %{with modsecurity}
--add-dynamic-module=ModSecurity-nginx \
%endif
--add-dynamic-module=njs/nginx \
--add-dynamic-module=ngx_brotli \
--with-pcre \
--with-pcre-jit \
--with-stream=dynamic \
--with-stream_realip_module \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--with-threads \
--with-cc-opt="%{optflags} $(pcre2-config --cflags)" \
--with-ld-opt="$nginx_ldopts"; then
: configure failed
cat objs/autoconf.err
exit 1
fi
%make_build
# Build OpenTelemetry nginx module
%if %{with opentelemetry}
cd opentelemetry-cpp-contrib/instrumentation/nginx
mkdir -p build
cd build
cmake .. \
-DCMAKE_BUILD_TYPE=Release \
-G Ninja \
-DCMAKE_CXX_STANDARD=17 \
-DCMAKE_INSTALL_PREFIX=/tmp/otel \
-DBUILD_SHARED_LIBS=ON \
-DNGINX_VERSION=%{version}
cmake --build .
cmake --install .
cd ../../../..
%endif
%install
%make_install INSTALLDIRS=vendor
find %{buildroot} -type f -name .packlist -exec rm -f '{}' \;
find %{buildroot} -type f -name perllocal.pod -exec rm -f '{}' \;
find %{buildroot} -type f -empty -exec rm -f '{}' \;
find %{buildroot} -type f -iname '*.so' -exec chmod 0755 '{}' \;
install -p -D -m 0644 ./nginx.service \
%{buildroot}%{_unitdir}/nginx.service
install -p -D -m 0644 %{SOURCE11} \
%{buildroot}/etc/nginx/logrotate.conf
install -p -d -m 0755 %{buildroot}%{_sysconfdir}/systemd/system/nginx.service.d
install -p -d -m 0755 %{buildroot}%{_unitdir}/nginx.service.d
install -p -d -m 0755 %{buildroot}/etc/nginx/conf.d
install -p -d -m 0755 %{buildroot}/etc/nginx/default.d
install -p -d -m 0700 %{buildroot}/opt/nginx/lib
install -p -d -m 0700 %{buildroot}/opt/nginx/lib/tmp
install -p -d -m 0700 %{buildroot}/var/log/nginx
install -p -d -m 0755 %{buildroot}/etc/nginx/html
install -p -d -m 0755 %{buildroot}%{nginx_moduleconfdir}
install -p -d -m 0755 %{buildroot}%{nginx_moduledir}
install -p -m 0644 ./nginx.conf \
%{buildroot}/etc/nginx
rm -f %{buildroot}/etc/nginx/html/index.html
%if 0%{?el7}
ln -s ../../doc/HTML/index.html \
%{buildroot}/etc/nginx/html/index.html
ln -s ../../doc/HTML/img \
%{buildroot}/etc/nginx/html/img
ln -s ../../doc/HTML/en-US \
%{buildroot}/etc/nginx/html/en-US
%else
ln -s ../../testpage/index.html \
%{buildroot}/etc/nginx/html/index.html
%endif
mkdir -p %{buildroot}/etc/nginx/html/icons
[ ! -d %{buildroot}/opt/nginx/bin ] && mkdir -p %{buildroot}/opt/nginx/bin
# Symlink for the powered-by-$DISTRO image:
ln -s ../../../pixmaps/poweredby.png \
%{buildroot}/etc/nginx/html/icons/poweredby.png
%if 0%{?rhel} >= 9
ln -s ../../pixmaps/system-noindex-logo.png \
%{buildroot}/etc/nginx/html/system_noindex_logo.png
%endif
%if 0%{?with_mailcap_mimetypes}
rm -f %{buildroot}/etc/nginx/mime.types
%endif
install -p -D -m 0644 %{_builddir}/nginx-%{version}/objs/nginx.8 \
%{buildroot}%{_mandir}/man8/nginx.8
install -p -D -m 0755 %{SOURCE13} %{buildroot}/opt/nginx/bin/nginx-upgrade
for i in ftdetect ftplugin indent syntax; do
install -p -D -m644 contrib/vim/${i}/nginx.vim \
%{buildroot}/opt/nginx/vim/vimfiles/${i}/nginx.vim
done
%if %{with geoip2}
echo 'load_module "%{nginx_moduledir}/ngx_http_geoip2_module.so";' \
> %{buildroot}%{nginx_moduleconfdir}/mod-http-geoip2.conf
echo 'load_module "%{nginx_moduledir}/ngx_stream_geoip2_module.so";' \
>> %{buildroot}%{nginx_moduleconfdir}/mod-http-geoip2.conf
%endif
echo 'load_module "%{nginx_moduledir}/ngx_http_tcp_keepalive_module.so";' \
> %{buildroot}%{nginx_moduleconfdir}/mod-tcp-keepalive.conf
echo 'load_module "%{nginx_moduledir}/ngx_http_image_filter_module.so";' \
> %{buildroot}%{nginx_moduleconfdir}/mod-http-image-filter.conf
echo 'load_module "%{nginx_moduledir}/ngx_http_perl_module.so";' \
> %{buildroot}%{nginx_moduleconfdir}/mod-http-perl.conf
echo 'load_module "%{nginx_moduledir}/ngx_http_xslt_filter_module.so";' \
> %{buildroot}%{nginx_moduleconfdir}/mod-http-xslt-filter.conf
echo 'load_module "%{nginx_moduledir}/ngx_mail_module.so";' \
> %{buildroot}%{nginx_moduleconfdir}/mod-mail.conf
echo 'load_module "%{nginx_moduledir}/ngx_stream_module.so";' \
> %{buildroot}%{nginx_moduleconfdir}/mod-stream.conf
echo 'load_module "%{nginx_moduledir}/ngx_http_sticky_module.so";' \
> %{buildroot}%{nginx_moduleconfdir}/mod-http-sticky.conf
echo 'load_module "%{nginx_moduledir}/ngx_http_vhost_traffic_status_module.so";' \
> %{buildroot}%{nginx_moduleconfdir}/mod-http-vts.conf
echo 'load_module "%{nginx_moduledir}/ngx_http_headers_more_filter_module.so";' \
> %{buildroot}%{nginx_moduleconfdir}/mod-headers-more.conf
%if %{with lua}
echo 'load_module "%{nginx_moduledir}/ngx_stream_lua_module.so";' \
> %{buildroot}%{nginx_moduleconfdir}/mod-lua.conf
echo 'load_module "%{nginx_moduledir}/ngx_http_lua_upstream_module.so";' \
>> %{buildroot}%{nginx_moduleconfdir}/mod-lua.conf
%endif
%if %{with modsecurity}
echo 'load_module "%{nginx_moduledir}/ngx_http_modsecurity_module.so";' \
> %{buildroot}%{nginx_moduleconfdir}/mod-modsecurity.conf
%endif
echo 'load_module "%{nginx_moduledir}/ngx_js_module.so";' \
> %{buildroot}%{nginx_moduleconfdir}/mod-njs.conf
echo 'load_module "%{nginx_moduledir}/ngx_stream_js_module.so";' \
>> %{buildroot}%{nginx_moduleconfdir}/mod-njs.conf
echo 'load_module "%{nginx_moduledir}/ngx_http_brotli_filter_module.so";' \
> %{buildroot}%{nginx_moduleconfdir}/mod-brotli.conf
echo 'load_module "%{nginx_moduledir}/ngx_http_brotli_static_module.so";' \
>> %{buildroot}%{nginx_moduleconfdir}/mod-brotli.conf
# Install OpenTelemetry module
%if %{with opentelemetry}
install -p -m 0755 /tmp/otel/otel_ngx_module.so %{buildroot}%{nginx_moduledir}/
echo 'load_module "%{nginx_moduledir}/otel_ngx_module.so";' \
> %{buildroot}%{nginx_moduleconfdir}/mod-opentelemetry.conf
%endif
# Build and install Lua modules
%if %{with lua}
# Ensure package-stage include alias for lua5.1 points to the installed luajit headers
export LUA_INCLUDE_DIR=/usr/include/luajit-2.1
mkdir -p %{buildroot}/usr/include
ln -sf $LUA_INCLUDE_DIR %{buildroot}/usr/include/lua5.1
# Install lua-resty modules
for module in lua-resty-core lua-resty-balancer lua-cjson lua-resty-cookie \
lua-resty-lrucache lua-resty-dns lua-resty-http \
lua-resty-lock lua-resty-upload lua-resty-string lua-resty-memcached \
lua-resty-redis lua-resty-ipmatcher lua-resty-global-throttle; do
cd $module
make install DESTDIR=%{buildroot}
cd ..
done
%endif
# Install files for supporting nginx module builds
## Install source files
mkdir -p %{buildroot}%{_usrsrc}
mv %{name}-%{version}-%{release}-src %{buildroot}%{nginx_srcdir}
## Install rpm macros
mkdir -p %{buildroot}%{_rpmmacrodir}
sed -e "s|@@NGINX_ABIVERSION@@|%{nginx_abiversion}|g" \
-e "s|@@NGINX_MODDIR@@|%{nginx_moduledir}|g" \
-e "s|@@NGINX_MODCONFDIR@@|%{nginx_moduleconfdir}|g" \
-e "s|@@NGINX_SRCDIR@@|%{nginx_srcdir}|g" \
%{SOURCE15} > %{buildroot}%{_rpmmacrodir}/macros.nginxmods
## Install dependency generator
install -Dpm0644 %{SOURCE16} %{buildroot}%{_fileattrsdir}/nginxmods.attr
# install http-ssl-pass-dialog
install -m755 %{SOURCE17} \
%{buildroot}/opt/nginx/bin/nginx-ssl-pass-dialog
%pre filesystem
getent group %{nginx_user} > /dev/null || groupadd -r %{nginx_user}
getent passwd %{nginx_user} > /dev/null || \
useradd -r -d /opt/nginx/lib -g %{nginx_user} \
-s /sbin/nologin -c "Nginx web server" %{nginx_user}
exit 0
%post
%systemd_post nginx.service
%if %{with geoip2}
%post mod-http-geoip2
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%endif
%post mod-tcp-keepalive
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-http-image-filter
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-http-perl
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-http-xslt-filter
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-mail
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-stream
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-http-sticky
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-http-vts
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-headers-more
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%if %{with lua}
%post mod-lua
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%endif
%if %{with modsecurity}
%post mod-modsecurity
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%endif
%if %{with opentelemetry}
%post mod-opentelemetry
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%endif
%post mod-njs
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-brotli
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%preun
%systemd_preun nginx.service
%postun
%systemd_postun nginx.service
if [ $1 -ge 1 ]; then
/opt/nginx/bin/nginx-upgrade >/dev/null 2>&1 || :
fi
%files
/etc/nginx/html/*
/opt/nginx/bin/nginx-upgrade
/opt/nginx/vim/vimfiles/ftdetect/nginx.vim
/opt/nginx/vim/vimfiles/ftplugin/nginx.vim
/opt/nginx/vim/vimfiles/syntax/nginx.vim
/opt/nginx/vim/vimfiles/indent/nginx.vim
%{_mandir}/man3/nginx.3pm*
%{_mandir}/man8/nginx.8*
%{_unitdir}/nginx.service
/opt/nginx/bin/nginx-ssl-pass-dialog
%files core
%license LICENSE
%doc CHANGES
/opt/nginx/bin/nginx
%config(noreplace) %attr(640,%{nginx_user},root) /etc/nginx/fastcgi.conf
%config(noreplace) %attr(640,%{nginx_user},root) /etc/nginx/fastcgi.conf.default
%config(noreplace) /etc/nginx/fastcgi_params
%config(noreplace) /etc/nginx/fastcgi_params.default
%config(noreplace) /etc/nginx/koi-utf
%config(noreplace) /etc/nginx/koi-win
%if ! 0%{?with_mailcap_mimetypes}
%config(noreplace) /etc/nginx/mime.types
%endif
%config(noreplace) /etc/nginx/mime.types.default
%config(noreplace) /etc/nginx/nginx.conf
%config(noreplace) /etc/nginx/nginx.conf.default
%config(noreplace) /etc/nginx/scgi_params
%config(noreplace) /etc/nginx/scgi_params.default
%config(noreplace) /etc/nginx/uwsgi_params
%config(noreplace) /etc/nginx/uwsgi_params.default
%config(noreplace) /etc/nginx/win-utf
%config(noreplace) /etc/nginx/logrotate.conf
%attr(770,%{nginx_user},root) %dir /opt/nginx/lib
%attr(770,%{nginx_user},root) %dir /opt/nginx/lib/tmp
%attr(711,root,root) %dir /var/log/nginx
%ghost %attr(640,%{nginx_user},root) /var/log/nginx/nginx.log
%ghost %attr(640,%{nginx_user},root) /var/log/nginx/error.log
%dir %{nginx_moduledir}
%dir %{nginx_moduleconfdir}
%files all-modules
%files filesystem
%dir /opt/nginx
%dir /etc/nginx/html
%dir /etc/nginx/conf.d
%dir /etc/nginx/default.d
%dir %{_sysconfdir}/systemd/system/nginx.service.d
%dir %{_unitdir}/nginx.service.d
%if %{with geoip2}
%files mod-http-geoip2
%{nginx_moduleconfdir}/mod-http-geoip2.conf
%{nginx_moduledir}/ngx_http_geoip2_module.so
%{nginx_moduledir}/ngx_stream_geoip2_module.so
%endif
%files mod-tcp-keepalive
%{nginx_moduleconfdir}/mod-tcp-keepalive.conf
%{nginx_moduledir}/ngx_http_tcp_keepalive_module.so
%files mod-http-image-filter
%{nginx_moduleconfdir}/mod-http-image-filter.conf
%{nginx_moduledir}/ngx_http_image_filter_module.so
%files mod-http-perl
%{nginx_moduleconfdir}/mod-http-perl.conf
%{nginx_moduledir}/ngx_http_perl_module.so
%dir %{perl_vendorarch}/auto/nginx
%{perl_vendorarch}/nginx.pm
%{perl_vendorarch}/auto/nginx/nginx.so
%files mod-http-xslt-filter
%{nginx_moduleconfdir}/mod-http-xslt-filter.conf
%{nginx_moduledir}/ngx_http_xslt_filter_module.so
%files mod-mail
%{nginx_moduleconfdir}/mod-mail.conf
%{nginx_moduledir}/ngx_mail_module.so
%files mod-stream
%{nginx_moduleconfdir}/mod-stream.conf
%{nginx_moduledir}/ngx_stream_module.so
%files mod-http-sticky
%{nginx_moduleconfdir}/mod-http-sticky.conf
%{nginx_moduledir}/ngx_http_sticky_module.so
%files mod-http-vts
%{nginx_moduleconfdir}/mod-http-vts.conf
%{nginx_moduledir}/ngx_http_vhost_traffic_status_module.so
%files mod-headers-more
%{nginx_moduleconfdir}/mod-headers-more.conf
%{nginx_moduledir}/ngx_http_headers_more_filter_module.so
%if %{with lua}
%files mod-lua
%{nginx_moduleconfdir}/mod-lua.conf
%{nginx_moduledir}/ngx_stream_lua_module.so
%{nginx_moduledir}/ngx_http_lua_upstream_module.so
/usr/lib/lua
/usr/share/lua
/usr/include/lua5.1
%endif
%if %{with modsecurity}
%files mod-modsecurity
%{nginx_moduleconfdir}/mod-modsecurity.conf
%{nginx_moduledir}/ngx_http_modsecurity_module.so
%endif
%if %{with opentelemetry}
%files mod-opentelemetry
%{nginx_moduleconfdir}/mod-opentelemetry.conf
%{nginx_moduledir}/otel_ngx_module.so
%endif
%files mod-njs
%{nginx_moduleconfdir}/mod-njs.conf
%{nginx_moduledir}/ngx_js_module.so
%{nginx_moduledir}/ngx_stream_js_module.so
%files mod-brotli
%{nginx_moduleconfdir}/mod-brotli.conf
%{nginx_moduledir}/ngx_http_brotli_filter_module.so
%{nginx_moduledir}/ngx_http_brotli_static_module.so
%files mod-devel
%{_rpmmacrodir}/macros.nginxmods
%{_fileattrsdir}/nginxmods.attr
%{nginx_srcdir}/
%changelog
* Thu Oct 02 2025 Ganapathi Chidambaram <ganapathi.rj@gmail.com> - 1.28.0-1
- Consolidated nginx package with ingress controller capabilities
- Includes all original modules: VTS, headers-more, sticky, geoip2, tcp-keepalive
- Added ingress-specific modules: Lua, ModSecurity, OpenTelemetry, NJS, Brotli
- Updated to nginx 1.28.0 with comprehensive module support
- Enhanced security with ModSecurity WAF and OWASP Core Rule Set
- Improved observability with OpenTelemetry integration
- Performance optimizations with Lua scripting and advanced compression
