nginx: use /etc/nginx/nginx.conf enabling conf.d/

Instead of the default nginx.conf file this file is a small variant without examples that enables the /etc/nginx/conf.d/ directory. It will pull in all configuration files from the conf.d directory. So, other packages can add their server parts in the conf.d directory without modifying the main nginx.conf file (cf. #9860). Changed also the default logging behavior: error_log stderr; # the init forwards it to logd access_log off; See the updated documentation at: https://openwrt.org/docs/guide-user/services/webserver/nginx Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
2020-01-20 22:49:27 +01:00 · 2020-01-20 22:49:27 +01:00 · 2401fd6db5
parent c6b4d7f367
commit 2401fd6db5
11 changed files with 496 additions and 215 deletions
--- a/net/nginx/Makefile
+++ b/net/nginx/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=nginx
 PKG_VERSION:=1.17.7
-PKG_RELEASE:=3
+PKG_RELEASE:=4

 PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://nginx.org/download/
@ -72,7 +72,8 @@ PKG_CONFIG_DEPENDS := \
 	CONFIG_NGINX_RTMP_MODULE \
 	CONFIG_NGINX_TS_MODULE \
 	CONFIG_OPENSSL_ENGINE \
-	CONFIG_OPENSSL_WITH_NPN
+	CONFIG_OPENSSL_WITH_NPN \
+	CONFIG_NGINX_NOPCRE

 include $(INCLUDE_DIR)/package.mk

@ -95,13 +96,16 @@ endef

 define Package/nginx
  $(Package/nginx/default)
+  DEPENDS += +!NGINX_SSL:nginx-util +NGINX_SSL&&NGINX_PCRE:nginx-ssl-util \
+	+NGINX_SSL&&NGINX_NOPCRE:nginx-ssl-util-nopcre
  VARIANT:=no-ssl
 endef

 define Package/nginx-ssl
  $(Package/nginx/default)
  TITLE += with SSL support
-  DEPENDS +=+libopenssl
+  DEPENDS += +libopenssl +NGINX_PCRE:nginx-ssl-util \
+	+!NGINX_PCRE:nginx-ssl-util-nopcre
  VARIANT:=ssl
  PROVIDES:=nginx
 endef
@ -114,7 +118,7 @@ define Package/nginx-all-module
  $(Package/nginx/default)
  TITLE += with ALL module selected
  DEPENDS:=+libpcre +libopenssl +zlib +liblua +libpthread +libxml2 \
-   +libubus +libblobmsg-json +libjson-c
+   +libubus +libblobmsg-json +libjson-c +nginx-ssl-util
  VARIANT:=all-module
  PROVIDES:=nginx
 endef
@ -124,13 +128,17 @@ Package/nginx-all-module/description = $(Package/nginx/description) \

 define Package/nginx/config
  source "$(SOURCE)/Config.in"
+config NGINX_NOPCRE
+	bool
+	default y if !NGINX_PCRE
+	default n if NGINX_PCRE
 endef

 define Package/nginx-ssl/config
  source "$(SOURCE)/Config_ssl.in"
 endef

-config_files=nginx.conf mime.types
+config_files=mime.types

 define Package/nginx/conffiles
 /etc/nginx/
@ -358,7 +366,7 @@ CONFIGURE_ARGS += \
 			--prefix=/usr \
 			--conf-path=/etc/nginx/nginx.conf \
 			$(ADDITIONAL_MODULES) \
-			--error-log-path=/var/log/nginx/error.log \
+			--error-log-path=stderr \
 			--pid-path=/var/run/nginx.pid \
 			--lock-path=/var/lock/nginx.lock \
 			--http-log-path=/var/log/nginx/access.log \
@ -371,26 +379,21 @@ CONFIGURE_ARGS += \
 			--without-http_upstream_zone_module

 define Package/nginx-mod-luci/install
-	$(INSTALL_DIR) $(1)/etc/nginx
-	$(INSTALL_BIN) ./files-luci-support/luci_uwsgi.conf $(1)/etc/nginx/luci_uwsgi.conf
-	$(INSTALL_BIN) ./files-luci-support/luci_nginx.conf $(1)/etc/nginx/luci_nginx.conf
+	$(INSTALL_DIR) $(1)/etc/nginx/conf.d
+	$(INSTALL_CONF) ./files-luci-support/luci.locations $(1)/etc/nginx/conf.d/
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_BIN) ./files-luci-support/60_nginx-luci-support $(1)/etc/uci-defaults/60_nginx-luci-support
 endef

-define Package/nginx-mod-luci-ssl/install
-	$(Package/nginx-mod-luci/install)
-	$(INSTALL_DIR) $(1)/etc/nginx
-	$(INSTALL_BIN) ./files-luci-support/luci_nginx_ssl.conf $(1)/etc/nginx/luci_nginx_ssl.conf
-	$(INSTALL_DIR) $(1)/etc/uci-defaults
-	$(INSTALL_BIN) ./files-luci-support/70_nginx-luci-support-ssl $(1)/etc/uci-defaults/70_nginx-luci-support-ssl
-endef
+Package/nginx-mod-luci-ssl/install = $(Package/nginx-mod-luci/install)

 define Package/nginx/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/nginx $(1)/usr/sbin/
-	$(INSTALL_DIR) $(1)/etc/nginx
+	$(INSTALL_DIR) $(1)/etc/nginx/conf.d
 	$(INSTALL_DATA) $(addprefix $(PKG_INSTALL_DIR)/etc/nginx/,$(config_files)) $(1)/etc/nginx/
+	$(INSTALL_CONF) ./files/nginx.conf $(1)/etc/nginx/
+	$(INSTALL_CONF) ./files/_lan.conf $(1)/etc/nginx/conf.d/
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/nginx.init $(1)/etc/init.d/nginx
 ifeq ($(CONFIG_NGINX_NAXSI),y)
@ -400,10 +403,45 @@ ifeq ($(CONFIG_NGINX_NAXSI),y)
 endif
 	$(if $(CONFIG_NGINX_NAXSI),$($(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx))
 	$(if $(CONFIG_NGINX_NAXSI),$(chmod 0640 $(1)/etc/nginx/naxsi_core.rules))
+ifeq ($(CONFIG_NGINX_SSL),y)
+	$(INSTALL_CONF) ./files/_redirect2ssl.conf $(1)/etc/nginx/conf.d/
+endif
+ifneq ($(CONFIG_IPV6),y)
+	$(SED) '/listen\s*\[/d' $(1)/etc/nginx/conf.d/*.conf # without IPv6 [::]
+endif
 endef

-Package/nginx-ssl/install = $(Package/nginx/install)
-Package/nginx-all-module/install = $(Package/nginx/install)
+define Package/nginx-ssl/install
+	$(call Package/nginx/install, $(1))
+	$(INSTALL_CONF) ./files/_redirect2ssl.conf $(1)/etc/nginx/conf.d/
+ifneq ($(CONFIG_IPV6),y)
+	$(SED) '/listen\s*\[/d' $(1)/etc/nginx/conf.d/*.conf # without IPv6 [::]
+endif
+endef
+
+Package/nginx-all-module/install = $(Package/nginx-ssl/install)
+
+define Package/nginx-ssl/prerm
+#!/bin/sh
+[ -z "$${IPKG_INSTROOT}" ] || exit 0
+if [ "$${PKG_UPGRADE}" == "1" ]; then
+	eval $$(/usr/bin/nginx-util get_env)
+	TMP_CRT=$$(mktemp -p "$${CONF_DIR}" "$${LAN_NAME}.crt.tmp-XXXXXX")
+	ln -f "$${CONF_DIR}$${LAN_NAME}.crt" "$${TMP_CRT}"
+	TMP_KEY=$$(mktemp -p "$${CONF_DIR}" "$${LAN_NAME}.key.tmp-XXXXXX")
+	ln -f "$${CONF_DIR}$${LAN_NAME}.key" "$${TMP_KEY}"
+fi
+/usr/bin/nginx-util del_ssl
+[ -f "$${TMP_CRT}" ] && mv -f "$${TMP_CRT}" "$${CONF_DIR}$${LAN_NAME}.crt"
+[ -f "$${TMP_KEY}" ] && mv -f "$${TMP_KEY}" "$${CONF_DIR}$${LAN_NAME}.key"
+exit 0
+endef
+
+ifeq ($(CONFIG_NGINX_SSL),y)
+Package/nginx/prerm = $(Package/nginx-ssl/prerm)
+endif
+
+Package/nginx-all-module/prerm = $(Package/nginx-ssl/prerm)

 define Build/Prepare
 	$(Build/Prepare/Default)
--- a/net/nginx/files-luci-support/60_nginx-luci-support
+++ b/net/nginx/files-luci-support/60_nginx-luci-support
@ -1,33 +1,8 @@
 #!/bin/sh

-if [ -f "/etc/nginx/luci_nginx.conf" ] && [ -f "/etc/nginx/nginx.conf" ]; then
-	if [ ! "$(cat '/etc/nginx/nginx.conf' | grep 'luci_uwsgi.conf')" ]; then
-		mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf_old
-		mv /etc/nginx/luci_nginx.conf /etc/nginx/nginx.conf
-		core_number=$(grep -c ^processor /proc/cpuinfo)
-		sed -i "3s/.*/worker_processes  "$core_number";/" /etc/nginx/nginx.conf
-		if [ -n "$(pgrep uhttpd)" ]; then
-			/etc/init.d/uhttpd stop
-			/etc/init.d/uhttpd disable
-		fi
-		if [ -n "$(pgrep nginx)" ]; then
-			/etc/init.d/nginx restart
-		else
-			/etc/init.d/nginx start
-		fi
-		if [ -n "$(pgrep uwsgi)" ]; then
-			/etc/init.d/uwsgi restart
-		else
-			/etc/init.d/uwsgi start
-		fi
-	else
-		rm /etc/nginx/luci_nginx.conf
-	fi
-fi
-
 if nginx -V 2>&1 | grep -q ubus; then
-	if [ -z "$(cat /etc/nginx/luci_uwsgi.conf | grep ubus)" ]; then
-		cat <<EOT >> /etc/nginx/luci_uwsgi.conf
+	if [ -z "$(cat /etc/nginx/conf.d/luci.locations | grep ubus)" ]; then
+		cat <<EOT >> /etc/nginx/conf.d/luci.locations

 location /ubus {
        ubus_interpreter;
@ -38,4 +13,26 @@ EOT
 	fi
 fi

+if [ -x /etc/init.d/uhttpd ]; then
+        /etc/init.d/uhttpd disable
+        if [ -n "$(pgrep uhttpd)" ]; then
+                /etc/init.d/uhttpd stop
+        fi
+fi
+
+/etc/init.d/nginx enable
+if [ -n "$(pgrep nginx)" ]; then
+        /etc/init.d/nginx restart
+else
+        /etc/init.d/nginx start
+fi
+
+/etc/init.d/uwsgi enable
+if [ -n "$(pgrep uwsgi)" ]; then
+        /etc/init.d/uwsgi restart
+else
+        /etc/init.d/uwsgi start
+fi
+
+
 exit 0
--- a/net/nginx/files-luci-support/70_nginx-luci-support-ssl
+++ b/net/nginx/files-luci-support/70_nginx-luci-support-ssl
@ -1,48 +0,0 @@
-#!/bin/sh
-
-
-if [ -f "/etc/nginx/luci_nginx_ssl.conf" ] && [ -f "/etc/nginx/nginx.conf" ]; then
-	if [ ! "$(cat '/etc/nginx/nginx.conf' | grep 'return 301 https://$host$request_uri;')" ]; then
-		if [ -f "/etc/nginx/nginx.conf_old" ]; then
-			rm /etc/nginx/nginx.conf
-		else
-			mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf_old
-		fi
-		mv /etc/nginx/luci_nginx_ssl.conf /etc/nginx/nginx.conf
-		core_number=$(grep -c ^processor /proc/cpuinfo)
-		sed -i "3s/.*/worker_processes  "$core_number";/" /etc/nginx/nginx.conf
-		if [ -n "$(pgrep nginx)" ]; then
-			/etc/init.d/nginx restart
-		else
-			/etc/init.d/nginx start
-		fi
-	else
-		rm /etc/nginx/luci_nginx_ssl.conf
-	fi
-fi
-
-
-if [ ! -f "/etc/nginx/nginx.key" ]; then
-	
-	NGINX_KEY=/etc/nginx/nginx.key
-	NGINX_CER=/etc/nginx/nginx.cer
-	OPENSSL_BIN=/usr/bin/openssl
-	PX5G_BIN=/usr/sbin/px5g
-	
-	# Prefer px5g for certificate generation (existence evaluated last)
-	GENKEY_CMD=""
-	UNIQUEID=$(dd if=/dev/urandom bs=1 count=4 | hexdump -e '1/1 "%02x"')
-	[ -x "$OPENSSL_BIN" ] && GENKEY_CMD="$OPENSSL_BIN req -x509 -nodes"
-	[ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned"
-	[ -n "$GENKEY_CMD" ] && {
-		$GENKEY_CMD \
-			-days 730 -newkey rsa:2048 -keyout "${NGINX_KEY}.new" -out "${NGINX_CER}.new" \
-			-subj /C="ZZ"/ST="Somewhere"/L="Unknown"/O="OpenWrt""$UNIQUEID"/CN="OpenWrt"
-		sync
-		mv "${NGINX_KEY}.new" "${NGINX_KEY}"
-		mv "${NGINX_CER}.new" "${NGINX_CER}"
-	}
-fi
-
-
-exit 0
--- a/net/nginx/files-luci-support/luci_uwsgi.conf
+++ b/net/nginx/files-luci-support/luci_uwsgi.conf
--- a/net/nginx/files-luci-support/luci_nginx.conf
+++ b/net/nginx/files-luci-support/luci_nginx.conf
@ -1,52 +0,0 @@
-
-user root;
-worker_processes  1;
-
-#error_log  logs/error.log;
-#error_log  logs/error.log  notice;
-#error_log  logs/error.log  info;
-
-pid        /var/run/nginx.pid;
-
-
-events {
-    worker_connections  1024;
-}
-
-
-http {
-    include       mime.types;
-    default_type  application/octet-stream;
-
-    sendfile on;
-    keepalive_timeout 0;
-
-    client_body_buffer_size 10K;
-    client_header_buffer_size 1k;
-    client_max_body_size 1G;
-    large_client_header_buffers 2 1k;
-
-    gzip on;
-    gzip_http_version 1.1;
-    gzip_vary on;
-    gzip_comp_level 1;
-    gzip_proxied any;
-    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;
-
-    root /www;
-
-    server {
-        listen 80 default_server;
-        listen [::]:80 default_server;
-        server_name  localhost;
-
-        location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
-            expires 365d;
-        }
-
-        include luci_uwsgi.conf;
-
-    }
-
-    include /etc/nginx/conf.d/*.conf;
-}
--- a/net/nginx/files-luci-support/luci_nginx_ssl.conf
+++ b/net/nginx/files-luci-support/luci_nginx_ssl.conf
@ -1,67 +0,0 @@
-
-user  root;
-worker_processes  1;
-
-#error_log  logs/error.log;
-#error_log  logs/error.log  notice;
-#error_log  logs/error.log  info;
-
-pid        /var/run/nginx.pid;
-
-
-events {
-    worker_connections  1024;
-}
-
-
-http {
-    include       mime.types;
-    default_type  application/octet-stream;
-
-    sendfile on;
-    keepalive_timeout 0;
-
-    client_body_buffer_size 10K;
-    client_header_buffer_size 1k;
-    client_max_body_size 1G;
-    large_client_header_buffers 2 1k;
-
-    gzip on;
-    gzip_http_version 1.1;
-    gzip_vary on;
-    gzip_comp_level 1;
-    gzip_proxied any;
-    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;
-
-    root /www;
-
-    server {
-        listen 80 default_server;
-        listen [::]:80 default_server;
-        server_name _;
-        return 301 https://$host$request_uri;
-    }
-
-    server {
-        listen 443 ssl default_server;
-        listen [::]:443 ssl default_server;
-        server_name  localhost;
-
-        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-        ssl_prefer_server_ciphers on;
-        ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA:!SEED";
-        ssl_session_tickets off;
-
-        ssl_certificate /etc/nginx/nginx.cer;
-        ssl_certificate_key /etc/nginx/nginx.key;
-
-        location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
-            expires 365d;
-        }
-
-        include luci_uwsgi.conf;
-
-    }
-
-    include /etc/nginx/conf.d/*.conf;
-}
--- a/net/nginx/files/README.sh
+++ b/net/nginx/files/README.sh
@ -0,0 +1,327 @@
+#!/bin/sh
+# This is a template copy it by: ./README.sh | xclip -selection c
+# to https://openwrt.org/docs/guide-user/services/webserver/nginx#configuration
+
+NGINX_UTIL="/usr/bin/nginx-util"
+
+EXAMPLE_COM="example.com"
+
+MSG="
+/* Created by the following bash script that includes the source of some files:
+ * https://github.com/openwrt/packages/net/nginx/files/README.sh
+ */"
+
+eval $("${NGINX_UTIL}" get_env)
+
+code() { printf "<file nginx %s>\n%s</file>" "$1" "$(cat "$(basename $1)")"; }
+
+ifConfEcho() { sed -nE "s/^\s*$1=\s*(\S*)\s*\\\\$/\n$2 \"\1\";/p" ../Makefile;}
+
+cat <<EOF
+
+
+
+
+
+===== Configuration =====${MSG}
+
+
+
+The official Documentation contains a
+[[https://docs.nginx.com/nginx/admin-guide/|Admin Guide]].
+Here we will look at some often used configuration parts and how we handle them
+at OpenWrt.
+At different places there are references to the official
+[[https://docs.nginx.com/nginx/technical-specs/|Technical Specs]]
+for further reading.
+
+**tl;dr:** The main configuration is a minimal configuration enabling the
+''${CONF_DIR}'' directory:
+  * There is a ''${LAN_NAME}.conf'' containing a default server for the LAN, \
+which includes all ''*.locations''.
+  * We can disable parts of the configuration by renaming them.
+  * If we want to install other servers that are also reachable from the LAN, \
+  we can include the ''${LAN_LISTEN}'' file (or ''${LAN_SSL_LISTEN}'' for \
+  HTTPS servers).
+  * If Nginx is installed with SSL support, we have a server \
+in ''_redirect2ssl.conf'' that redirects inexistent URLs to HTTPS, too.
+  * We can create a self-signed certificate and add corresponding directives \
+to e.g. ''${EXAMPLE_COM}.conf'' by invoking \
+<code>$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} ${EXAMPLE_COM}</code>
+
+
+
+==== Basic ====${MSG}
+
+
+We modify the configuration by creating different configuration files in the
+''${CONF_DIR}'' directory.
+The configuration files use the file extensions ''.locations'' and
+''.conf'' (plus ''.crt'' and ''.key'' for Nginx with SSL).
+We can disable single configuration parts by giving them another extension,
+e.g., by adding ''.disabled''.
+For the new configuration to take effect, we must reload it by:
+<code>service nginx reload</code>
+
+For OpenWrt we use a special initial configuration, which is explained below in
+the section [[#openwrt_s_defaults|OpenWrt’s Defaults]].
+So, we can make a site available at a specific URL in the **LAN** by creating a
+''.locations'' file in the directory ''${CONF_DIR}''.
+Such a file consists just of some
+[[https://nginx.org/en/docs/http/ngx_http_core_module.html#location|
+location blocks]].
+Under the latter link, you can find also the official documentation for all
+available directives of the HTTP core of Nginx.
+Look for //location// in the Context list.
+
+The following example provides a simple template, see at the end for
+different [[#locations_for_apps|Locations for Apps]] and look for
+[[https://github.com/search?utf8=%E2%9C%93&q=repo%3Aopenwrt%2Fpackages
+extension%3Alocations&type=Code&ref=advsearch&l=&l=|
+other packages using a .locations file]], too:
+<code nginx ${CONF_DIR}example.locations>
+location /ex/am/ple {
+	access_log off; # default: not logging accesses.
+	# access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout).
+	# error_log stderr; # default: logging to logd (init forwards stderr).
+	error_log /dev/null; # disable error logging after config file is read.
+	# (state path of a file for access_log/error_log to the file instead.)
+	index index.html;
+}
+# location /eg/static { … }
+</code>
+
+All location blocks in all ''.locations'' files must use different URLs,
+since they are all included in the ''${LAN_NAME}.conf'' that is part of the
+[[#openwrt_s_defaults|OpenWrt’s Defaults]].
+We reserve the ''location /'' for making LuCI available under the root URL,
+e.g. [[http://192.168.1.1/|192.168.1.1/]].
+All other sites shouldn’t use the root ''location /'' without suffix.
+We can make other sites available on the root URL of other domain names, e.g.
+on www.example.com/.
+In order to do that, we create a ''.conf'' file for every domain name:
+see the next section [[#new_server_parts|New Server Parts]].
+For Nginx with SSL we can also activate SSL there, as described below in the
+section [[#ssl_server_parts|SSL Server Parts]].
+We use such server parts also for publishing sites to the internet (WAN)
+instead of making them available just in the LAN.
+
+Via ''.conf'' files we can also add directives to the //http// part of the
+configuration. The difference to editing the main ''${NGINX_CONF}''
+file instead is the following: If the package’s ''nginx.conf'' file is updated
+it will only be installed if the old file has not been changed.
+
+
+
+==== New Server Parts ====${MSG}
+
+
+For making the router reachable from the WAN at a registered domain name,
+it is not enough to give the name server the internet IP address of the router
+(maybe updated automatically by a
+[[docs:guide-user:services:ddns:client|DDNS Client]]).
+We also need to set up virtual hosting for this domain name by creating an
+appropriate server part in a ''${CONF_DIR}*.conf'' file.
+All such files are included at the start of Nginx by the default main
+configuration of OpenWrt ''${NGINX_CONF}'' as depicted in
+[[#openwrt_s_defaults|OpenWrt’s Defaults]].
+
+In the server part, we state the domain as
+[[https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name|
+server_name]].
+The link points to the same document as for the location blocks in the
+[[#basic|Basic Configuration]]: the official documentation for all available
+directives of the HTTP core of Nginx.
+This time look for //server// in the Context list, too.
+The server part should also contain similar location blocks as before.
+We can re-include a ''.locations'' file that is included in the server part for
+the LAN by default.
+Then the site is reachable under the same path at both domains, e.g., by
+http://192.168.1.1/ex/am/ple as well as by http://example.com/ex/am/ple.
+
+The [[#openwrt_s_defaults|OpenWrt’s Defaults]] include a ''${LAN_NAME}.conf''
+file containing a server part that listens on the LAN address(es) and acts as
+//default_server//.
+For making the domain name accessible in the LAN, too, the corresponding
+server part must listen **explicitly** on the local IP address(es), cf. the
+official documentation on
+[[https://nginx.org/en/docs/http/request_processing.html|request_processing]].
+We can include the file ''${LAN_LISTEN}'' that contains the listen
+directives for all LAN addresses on the HTTP port 80 and is automatically
+updated.
+
+The following example is a simple template, see
+[[https://github.com/search?q=repo%3Aopenwrt%2Fpackages
+include+${LAN_LISTEN}+extension%3Aconf&type=Code|
+such server parts of other packages]], too:
+<code nginx ${CONF_DIR}${EXAMPLE_COM}.conf>
+server {
+	listen 80;
+	listen [::]:80;
+	include '${LAN_LISTEN}';
+	server_name ${EXAMPLE_COM};
+	# location / { … } # root location for this server.
+	include '${CONF_DIR}${EXAMPLE_COM}.locations';
+}
+</code>
+
+
+
+==== SSL Server Parts ====${MSG}
+
+
+We can enable HTTPS for a domain if Nginx is installed with SSL support.
+We need a SSL certificate as well as its key and add them by the directives
+//ssl_certificate// respective //ssl_certificate_key// to the server part of the
+domain.
+The rest of the configuration is similar as described in the previous section
+[[#new_server_parts|New Server Parts]],
+we only have to adjust the listen directives by adding the //ssl// parameter,
+see the official documentation for
+[[https://nginx.org/en/docs/http/configuring_https_servers.html|
+configuring HTTPS servers]], too.
+For making the domain available also in the LAN, we can include the file
+''${LAN_SSL_LISTEN}'' that contains the listen directives with ssl
+parameter for all LAN addresses on the HTTPS port 443 and is automatically
+updated.
+
+The official documentation of the SSL module contains an
+[[https://nginx.org/en/docs/http/ngx_http_ssl_module.html#example|
+example]],
+which includes some optimizations.
+The following template is extended similarly, see also
+[[https://github.com/search?q=repo%3Aopenwrt%2Fpackages
+include+${LAN_SSL_LISTEN}+extension%3Aconf&type=Code|
+other packages providing SSL server parts]]:
+<code nginx ${CONF_DIR}${EXAMPLE_COM}>
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+	include '${LAN_SSL_LISTEN}';
+	server_name ${EXAMPLE_COM};
+	ssl_certificate '${CONF_DIR}${EXAMPLE_COM}.crt';
+	ssl_certificate_key '${CONF_DIR}${EXAMPLE_COM}.key';
+	ssl_session_cache ${SSL_SESSION_CACHE_ARG};
+	ssl_session_timeout ${SSL_SESSION_TIMEOUT_ARG};
+	# location / { … } # root location for this server.
+	include '${CONF_DIR}${EXAMPLE_COM}.locations';
+}
+</code>
+
+For creating a certificate (and its key) we can use Let’s Encrypt by installing
+[[https://github.com/Neilpang/acme.sh|ACME Shell Script]]:
+<code>opkg update && opkg install acme # and for LuCI: luci-app-acme</code>
+
+For the LAN server in the ''${LAN_NAME}.conf'' file, the init script
+''/etc/init.d/nginx'' script installs automatically a self-signed certificate.
+We can use this mechanism also for other sites by issuing, e.g.:
+<code>$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} ${EXAMPLE_COM}</code>
+  - It adds SSL directives to the server part of \
+    ''${CONF_DIR}${EXAMPLE_COM}.conf'' like in the example above.
+  - Then, it checks if there is a certificate and key for the given domain name\
+    that is valid for at least 13 months or tries to create a self-signed one.
+  - When cron is activated, it installs a cron job for renewing the self-signed\
+    certificate every year if needed, too. We can activate cron by: \
+    <code>service cron enable && service cron start</code>
+
+Beside the ''${LAN_NAME}.conf'' file, the
+[[#openwrt_s_defaults|OpenWrt’s Defaults]] include also the
+''_redirect2ssl.conf'' file containing a server part that redirects all HTTP
+request for inexistent URIs to HTTPS.
+
+
+
+==== OpenWrt’s Defaults ====${MSG}
+
+
+The default main configuration file is:
+$(code ${NGINX_CONF})
+
+We can pretend the main configuration contains also the following presets,
+since Nginx is configured with them:
+<code nginx>$(ifConfEcho --pid-path pid)\
+$(ifConfEcho --lock-path lock_file)\
+$(ifConfEcho --error-log-path error_log)\
+$(false && ifConfEcho --http-log-path access_log)\
+$(ifConfEcho --http-proxy-temp-path proxy_temp_path)\
+$(ifConfEcho --http-client-body-temp-path client_body_temp_path)\
+$(ifConfEcho --http-fastcgi-temp-path fastcgi_temp_path)\
+</code>
+
+So, the access log is turned off by default and we can look at the error log
+by ''logread'', as Nginx’s init file forwards stderr and stdout to the
+[[docs:guide-user:base-system:log.essentials|logd]].
+We can set the //error_log// and //access_log// to files where the log
+messages are forwarded to instead (after the configuration is read).
+And for redirecting the access log of a //server// or //location// to the logd,
+too, we insert the following directive in the corresponding block:
+<code nginx>
+	access_log /proc/self/fd/1 openwrt;
+</code>
+
+At the end, the main configuration pulls in all ''.conf'' files from the
+directory ''${CONF_DIR}'' into the http block, especially the following
+server part for the LAN:
+$(code ${CONF_DIR}${LAN_NAME}.conf)
+
+It pulls in all ''.locations'' files from the directory ''${CONF_DIR}''.
+We can install the location parts of different sites there (see above in the
+[[#basic|Basic Configuration]]) and re-include them in server parts  of other
+''${CONF_DIR}*.conf'' files.
+This is needed especially for making them available to the WAN as described
+above in the section [[#new_server_parts|New Server Parts]].
+All ''.locations'' become available on the LAN through the file
+''$(basename ${LAN_LISTEN}).default'', which contains one of the following
+directives for every local IP address:
+<code nginx>
+	listen IPv4:80 default_server;
+	listen [IPv6]:80 default_server;
+</code>
+The ''${LAN_LISTEN}'' file contains the same directives without the
+parameter ''default_server''.
+We can include this file in other server parts that should be reachable in the
+LAN through their //server_name//.
+Both files ''${LAN_LISTEN}{,.default}'' are (re-)created if Nginx starts
+through its init for OpenWrt or the LAN interface changes.
+
+=== Additional Defaults for OpenWrt if Nginx is installed with SSL support ===
+
+When Nginx is installed with SSL support, there will be automatically managed
+files ''$(basename ${LAN_SSL_LISTEN}).default'' and
+''$(basename ${LAN_SSL_LISTEN})'' in the directory
+''$(dirname ${LAN_SSL_LISTEN})/'' containing the following directives for all
+IPv4 and IPv6 addresses of the LAN:
+<code nginx>
+	listen IP:443 ssl; # with respectively without: default_server
+</code>
+Both files as well as the ''${LAN_LISTEN}{,.default}'' files are (re-)created
+if Nginx starts through its init for OpenWrt or the LAN interface changes.
+
+For Nginx with SSL there is also the following server part that redirects
+requests for an inexistent ''server_name'' from HTTP to HTTPS (using an invalid
+name, more in the official documentation on
+[[https://nginx.org/en/docs/http/request_processing.html|request_processing]]):
+$(code ${CONF_DIR}_redirect2ssl.conf)
+
+Nginx’s init file for OpenWrt installs automatically a self-signed certificate
+for the LAN server part if needed and possible:
+  - Everytime Nginx starts, we check if the LAN is set up for SSL.
+  - We add //ssl*// directives (like in the example of the previous section \
+    [[#ssl_server_parts|SSL Server Parts]]) to the configuration file \
+    ''${CONF_DIR}${LAN_NAME}.conf'' if needed and if it looks “normal”, i.e., \
+    it has a ''server_name ${LAN_NAME};'' part.
+  - If there is no corresponding certificate that is valid for more than 13 \
+    months at ''${CONF_DIR}${LAN_NAME}.{crt,key}'', we create a self-signed one.
+  - We activate SSL by including the ssl listen directives from \
+    ''${LAN_SSL_LISTEN}.default'' and it becomes available by the default \
+    redirect from ''listen *:80;'' in ''${CONF_DIR}_redirect2ssl.conf''
+  - If cron is available, i.e., its status is not ''inactive'', we use it \
+    to check the certificate for validity once a year and renew it if there \
+    are only about 13 months of the more than 3 years life time left.
+
+The points 2, 3 and 5 can be used for other domains, too:
+As described in the section [[#new_server_parts|New Server Parts]] above, we
+create a server part in ''${CONF_DIR}www.example.com.conf'' with
+a corresponding ''server_name www.example.com;'' directive and call
+<code>$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} www.example.com</code>
+EOF
--- a/net/nginx/files/_lan.conf
+++ b/net/nginx/files/_lan.conf
@ -0,0 +1,8 @@
+# default_server for the LAN addresses getting the IPs by:
+# ifstatus lan | jsonfilter -e '@["ipv4-address","ipv6-address"].*.address'
+server {
+	include '/var/lib/nginx/lan.listen.default';
+	server_name _lan;
+	# access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout).
+	include conf.d/*.locations;
+}
--- a/net/nginx/files/_redirect2ssl.conf
+++ b/net/nginx/files/_redirect2ssl.conf
@ -0,0 +1,8 @@
+# acts as default server if there is no other.
+server {
+	listen 80;
+	listen [::]:80;
+	include '/var/lib/nginx/lan.listen';
+	server_name _redirect2ssl;
+	return 302 https://$host$request_uri;
+}
--- a/net/nginx/files/nginx.conf
+++ b/net/nginx/files/nginx.conf
@ -0,0 +1,28 @@
+# Please consider creating files in /etc/nginx/conf.d/ instead of editing this.
+# For details see https://openwrt.org/docs/guide-user/services/webserver/nginx
+
+user root;
+
+events {}
+
+http {
+	access_log off;
+	log_format openwrt
+		'$request_method $scheme://$host$request_uri => $status'
+		' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';
+
+	include mime.types;
+	default_type application/octet-stream;
+	sendfile on;
+
+	client_max_body_size 17M;
+	large_client_header_buffers 2 1k;
+
+	gzip on;
+	gzip_vary on;
+	gzip_proxied any;
+
+	root /www;
+
+	include conf.d/*.conf;
+}
--- a/net/nginx/files/nginx.init
+++ b/net/nginx/files/nginx.init
@ -5,13 +5,55 @@ START=80

 USE_PROCD=1

+NGINX_UTIL="/usr/bin/nginx-util"
+
+eval $("${NGINX_UTIL}" get_env)
+
 start_service() {
 	[ -d /var/log/nginx ] || mkdir -p /var/log/nginx
 	[ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx

+	${NGINX_UTIL} init_lan
+
 	procd_open_instance
-	procd_set_param command /usr/sbin/nginx -c /etc/nginx/nginx.conf -g 'daemon off;'
-	procd_set_param file /etc/nginx/nginx.conf
+	NCPUS="$(grep -c '^processor\s*:' /proc/cpuinfo)"
+	procd_set_param command /usr/sbin/nginx -c "${NGINX_CONF}" \
+		-g "daemon off; worker_processes $NCPUS;"
+	procd_set_param stdout 1
+	procd_set_param stderr 1
+	procd_set_param file "${LAN_LISTEN}" "${LAN_LISTEN}.default" \
+		"${NGINX_CONF}" "${CONF_DIR}*.conf" "${CONF_DIR}*.locations"
+	[ "${LAN_SSL_LISTEN}" == "" ] \
+	|| procd_append_param file "${CONF_DIR}*.crt" "${CONF_DIR}*.key" \
+		"${LAN_SSL_LISTEN}" "${LAN_SSL_LISTEN}.default"
 	procd_set_param respawn
 	procd_close_instance
 }
+
+stop_service() {
+	rm -f "${LAN_LISTEN}" "${LAN_LISTEN}.default"
+	[ "${LAN_SSL_LISTEN}" == "" ] \
+	|| rm -f "${LAN_SSL_LISTEN}" "${LAN_SSL_LISTEN}.default"
+}
+
+service_triggers() {
+	procd_add_reload_interface_trigger loopback
+	procd_add_reload_interface_trigger lan
+}
+
+reload_service() {
+	[ -d /var/log/nginx ] || mkdir -p /var/log/nginx
+	[ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx
+
+	${NGINX_UTIL} init_lan
+
+	procd_send_signal nginx
+}
+
+relog() {
+	[ -d /var/log/nginx ] || mkdir -p /var/log/nginx
+	procd_send_signal nginx '*' USR1
+}
+
+EXTRA_COMMANDS="relog"
+EXTRA_HELP="	relog	Reopen log files (without reloading)"