New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nginx: support dynamic conf files #19884
Conversation
90a2290
to
5fdc1f1
Compare
@peter-stadler let's discuss here, since the PR is ready for review. First of all, thanks for the kinds. Totally forgot I cc'd you in the acme PR, lol. I've just finished the implementation of dynamic configs, and tested it on a real device. It support two main features:
For This design should address the use cases you mentioned:
Since users are now supposed to have total control over nginx's config files, we just need to make sure the default config works and luci is served from
Since it's now possible to listen on specific interfaces, firewall should be able to specify such rules. Allow/deny list should also be unnecessary. Let me know if I missed other use cases that was provided by nginx-util. |
For the dynamic config mechanismI stumbled upon the magic return values: I think it would be more verbose to let each The init reverses the behavior: Until now it uses a user created The Who is in charge of removing on uninstall the files automatically created by Will you adopt the wiki after replacing nginx-util by the dynamic config, too?
Would I get all local IPs by For the provided configDo you see a problem in splitting
I think it would be better to install the default_server together with nginx in the first place. Else it can be problematic if the user installs nginx, modifies the config and than installs nginx-mod-luci, which contains the default_server. Maybe it would have been better to add a nginx-mod-etebase and nginx-mod-ariang to this Makefile (beside nginx-mod-luci) and let etebase respective ariang depend on it for installing the corresponding Nonetheless, I would really like it, if other apps (like etebase and ariang) could still install their I do not understand, why the |
With all due respect, I don't think it's a good idea. This loses one-to-one mapping. Currently a
What problems do you have in mind? I see three cases here:
I modeled this after uhttpd, who also uses them to generate certificates, but does not list them as dependencies. I'll ask jow what's his rational behind this choice.
Users themselves. They can simply remove the
I can try. Would you do the honor of reviewing my draft?
You get what's returned by
With dynamic config, users should only use
nginx by itself doesn't install any conf files in
I guess there might be some misunderstanding here. In my mind they could just simply put files in
It's not installed by |
uhttpd's rational for not including openssl-util or px5g is that, without them, uhttpd simply disables https, and only provides http. I think we should do something similar in nginx. |
I've updated PR that splits |
No usage of AUTORELEASE found in changes |
So it would be feasible by passing the filename to be used. (The user can always create arbitrary files, but imho it is easier to get the magic values wrong.)
None in particular, so, it should be good.
We already depend on libopenssl. The openssl-util would be complementary. We decided a while ago to use nginx with ssl by default. I would like to stick with https, albeit uhttpd is doing it differently. (Are all users aware that luci_password is not encrypted, when using http?)
What about the one created by
Sure, but it will take some time.
I understood that and see the problem when the user:
So, do you see a problem to install the default_server already with nginx and let nginx-mod-luci add
They need a server part to run out of the box, but cannot install a server each at the same time. So, they need a common server part that includes their locations (when installing more than one of luci, etebase, ariang, ...)
I meant the
I think then the acme package should install the Edit: Sorry, I submitted too fast; had to format quotes correctly and improve the spelling. BTW: I think functions.sh should use network_get_ipaddrs (instead of network_get_ipaddr) as it does with network_get_ipaddrs6 |
Asking users to deal with designated filename isn't necessarily making their lives easier IMHO. For example, if they need to remove the file, they either have to use And thinking about it, I actually want to eliminate the ability to do nothing for a dynamic config script (i.e., leaving previous generated config untouched). It has the potential to leave config in an unexpected state, and I can't think of a legitimate use case. If you agree supporting it might not be a good idea, it's impossible to enforce if users are allow to directly create/delete the file.
I don't think doing it in a better way just for nginx is a good idea here. If clear text luci_password is a concern, we should take it up with the uhttpd maintainers instead of just calling shots in our own package. IMHO, consistency is more important in this case. Personally, I don't mind a http only config as long as users have the option to choose luci-nginx-ssl. And depending on libopenssl but not containing https config by default for luci-nginx (but users still have the ability to add https config themselves), sounds reasonable to me. In other words, I think we should just provide a nginx package, and no nginx-ssl (or make nginx-ssl just depend on nginx for backward compatibility), then luci-nginx should provide http only config, and luci-nginx-ssl should depend on openssl-util or px5g to offer https config automatically. Just like how the uhttpd and luci packages work. What do you think?
Sorry, maybe I missed something again? (Hoping that users will treat
I see what I missed, thanks for the clarification. Yeah it's a problem, and I think your previous suggestion of providing the default server in the main package is a good one. I'm not a fan of the What about a design like this:
It was a mistake. I should've mentioned it in my previous reply. Since default https server uses a self-signed certificate, it should not support acme. It's fixed in my new commit. Sorry for the confusion.
I don't think the acme package should directly deal with httpds. If it needs to add nginx config, then it needs to add config for all other httpds, which isn't maintainable.
Since acme.conf by default is only included in an example, it shouldn't be a concern. Users who actually modify the example to enable it are expected to install the acme package. Maybe we can comment the example to remind them that fact?
Good point. I'll fix that. |
Thank you for your detailed reply. I agree with the points for the most part, the main difference I see with https:
I see the inequality justified by the idea that uhttpd is very lightweight whereas nginx handles advanced use cases. I think we can expect that nginx is not used on the most limited devices. For uhttpd one can choose between libustream-mbedtls, libustream-wolfssl or libustream-openssl, and could use corresponding px5g-mbedtls, px5g-wolfssl or openssl-util. In contrast nginx depends on libopenssl; it makes less sense to depend on libmbedtls or libwolfssl, too. And I would expect more users of nginx than of uhttpd to use https. NB: acme.sh depends on openssl-util, but uacme could depend only on libopenssl (or libmbedtls or libgnutls).
You did write that before mentioning to move the default server to the main package. I will think the quoted statement with nginx and nginx-ssl instead of luci-nginx respective luci-nginx-ssl. Then luci-nginx would depend on nginx, while luci-nginx-ssl would depend on nginx-ssl. But, would other apps (like ariang and etebase) provide two variants, too? Does the user has to keep them consistent? What if the user wants to change between nginx and nginx-ssl? That is a lot of hassle beside maintaining two default_server. What do we gain besides the dependency on openssl-util less (would a smaller px5g-openssl help there)? Is it worth the effort? For the rest I just have some notes:
I get the point. Then I would suggest commenting the return values in all provided
I meant: If you would install
Currently I am including specific, e.g. But I like your design:
As this means to transition the other packages (luci, etebase and ariang), should we add there both ways for some time: conf.d/app.locations symlinked to conf.d/default_server/app.conf?
No problem, I thought we talk about different things. Was it intentional to remove the redirect from http to https (for not interfering with the http only server)?
We could comment the line |
c69f828
to
593214a
Compare
I've updated the PR. I think it's in a much better shape, thanks for the suggestions. Change summary:
I did mean nginx and nginx-ssl. I think I failed to make it clear how that works, sorry about that. With dynamic config, it's now possible to offer both http and https server conf files but automatically disables https if no certificate utils exist. That means we can just provide a single nginx package with conditional ssl, depending on the existence of openssl or px5g, which is controlled by the choice of installing luci-nginx or luci-nginx-ssl. Both the default http and https server should include the same location defs, so that they behave identically.
Other apps, when dealing with the default server, should not care about http or https at all. They should just put locations in
I think that's orthogonal to if redirecting http to https by default for the default server. The new design where independent http and https servers include identical locations can also support advanced use cases IMO.
Fixed.
Sorry, I totally misread your previous descriptions. Yes, they are not deleted, but that shouldn't cause any problem? And I think it's actually desirable to keep the certificate, because reinstalling
Fixed. Given the new design, I propose that we make Since we're changing the package, I'd also like to take the opportunity to rename |
@peter-stadler @Ansuel Are you available for reviewing this PR? |
It took me some time (and I fear this will be the case for future comments, too). I think for now, we should focus on the structure. The code changes can help with it, but unless you want to, there is no need to adjust it every time. I have two major points:
And some minor comments:
It is not a problem, more a different view: I think it is more common to try something out, i.e. install and uninstall it, than to reinstall it (except upgrading), where you can reuse them. In the first case it is desirable to remove the created files. I thought about commenting the exit values of the *.dynconf files just below the Is there a use case to create
Maybe we should think about putting the In the wan.dynconf.example it is better to comment out I see no advantage in merely making the options for the self-signed certificate configurable via uci. I have no preferences for the renaming, just keep in mind that users will not get upgrades if a package name is dropped ... Have you thought about:
Or should we have |
P.S.: The following should only be included if
|
The main feature of nginx-util is to make Nginx config UCI compatible. However, for the nginx package, the benefit of being UCI compatible is debatable. There is currently no luci-app-nginx. Given the complexity of Nginx config system, one that can thoroughly support all Nginx config features is unlikely to happen. If it were to be developed, and only serves to provide basic web server features, it really should be luci-app-uhttpd instead. So, without the prospect of a corresponding LuCI app, being UCI compatible adds complexity unnecessarily. This change simplifies this package by providing a basic native Nginx config that optionally supports serving LuCI. Users are expect to directly edit the nginx config. A few design choices/changes: - Since there is no reliable method to read Nginx SSL options and determine if a certificate should be generated automatically, no default https server is provided. - Not specifying config files via "procd_set_param file" in /etc/init.d/nginx, since they modifications shouldn't cause Nginx to restart. Signed-off-by: Glen Huang <i@glenhuang.com>
Signed-off-by: Glen Huang <i@glenhuang.com>
Good idea, since the design seems still in flux, but I couldn't resist implementing a suggestion you made. :)
Functions use
I'm not sure this works, since they're really a dependency of the package? For example, what should happen, if a user installs nginx-mod-luci, but with NGINX_DEFAULT_SERVER or CONFIG_NGINX_UBUS turned off?
So if NGINX_DEFAULT_SERVER_HTTPS is off, does that mean luci-nginx-ssl now does nothing, since http is always supported? This doesn't sound right.
Peter, I'm with you on this one from strictly security point of view. My only gripe is that I think the nginx package is in no position to implement it BY DEFAULT, since the official httpd (uhttpd) package doesn't take approach. I don't think Nginx being more complex or heavyweight has anything to do with if it should take a different approach on how to support https. Redirecting HTTP to HTTPS by default can lead to some deeper level change. For example, if uhttpd is to redirect HTTP to HTTPS by default, then that means the luci package supports HTTPS out of the box, which in turn mean either px5g or openssl-utils should be supported out of the box, and luci-ssl should be deprecated, etc. This should impact how other httpd should be packaged. IMHO we should either make that deeper change or follow the convention set by uhttpd. Users who are concerned about security implication could always add the redirection themselves. Let me know if you can agree with me on this one.
I'm fine with removing such file as long as they could be recreated identically, which is not the case with certificates. I don't think we should default to a behavior where user could lost files they could never get back. The alternative that a removed package leaves an unused certificate behind isn't as serious.
I really like this suggestion and has changed the PR accordingly.
I think it's should be fine, since for any /etc/nginx/conf.d/.conf, they usually only need to include the server of their concern, and not others, meaning usually only /etc/nginx/conf.d/example.com.conf would included /etc/nginx/conf.d/example.com/.conf.
Will change.
What do you suggest we do with self-signed certificates? They shouldn't be customizable or the options should come from elsewhere?
We will make the original package depend on the renamed package for backward compatibility.
This sounds like the easier approach, I think it's a good idea to make the default server include them, making the transition easier. |
@peter-stadler Are you still available? |
It was a long delay, I will keep having some but little spare time.
How did you test that it works as intended? I have problems that e.g.
When you turn NGINX_DEFAULT_SERVER off, you are responsible to provide a server for luci to work at all. When you turn CONFIG_NGINX_UBUS off, all should work beside the parts of luci that rely on ubus.
We would need to remove luci-nginx-ssl and keep just luci-nginx modifying the description that the usage of HTTPS depends on nginx (it would be on if the configuration is not changed). I still prefer to just install a default server with SSL enabled.
I thought a while about it and I still want to stick to https by default. I think it is justifiable that nginx and uhttpd behave different here; they have different use cases:
But, if you still want to change it, you do not need to convince me: Ansuel is the maintainer, he can decide.
I would say the first: there is very little reason to deviate from secure default options. |
I'll try to have a working package on my local device before I continue the discussion, to save us both some time.
@Ansuel could you comment on where the direction we are taking is good? It'd be a waste if the implement is shot down because the direction was wrong. I accidentally deleted the branch, recreated it, but it seems I can't reopen the PR anymore. |
Maintainer: @Ansuel
Description:
This implements #19875, and is based on #19878