nginx: use /etc/nginx/nginx.conf enabling conf.d/

Instead of the default nginx.conf file this file is a small variant
without examples that enables the /etc/nginx/conf.d/ directory.

It will pull in all configuration files from the conf.d directory.
So, other packages can add their server parts in the conf.d directory
without modifying the main nginx.conf file (cf. #9860).

Changed also the default logging behavior:
	error_log stderr; # the init forwards it to logd
	access_log off;

See the updated documentation at:
https://openwrt.org/docs/guide-user/services/webserver/nginx

Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>

net/nginx/files/README.sh

@@ -0,0 +1,327 @@
+#!/bin/sh
+# This is a template copy it by: ./README.sh | xclip -selection c
+# to https://openwrt.org/docs/guide-user/services/webserver/nginx#configuration
+
+NGINX_UTIL="/usr/bin/nginx-util"
+
+EXAMPLE_COM="example.com"
+
+MSG="
+/* Created by the following bash script that includes the source of some files:
+ * https://github.com/openwrt/packages/net/nginx/files/README.sh
+ */"
+
+eval $("${NGINX_UTIL}" get_env)
+
+code() { printf "<file nginx %s>\n%s</file>" "$1" "$(cat "$(basename $1)")"; }
+
+ifConfEcho() { sed -nE "s/^\s*$1=\s*(\S*)\s*\\\\$/\n$2 \"\1\";/p" ../Makefile;}
+
+cat <<EOF
+
+
+
+
+
+===== Configuration =====${MSG}
+
+
+
+The official Documentation contains a
+[[https://docs.nginx.com/nginx/admin-guide/|Admin Guide]].
+Here we will look at some often used configuration parts and how we handle them
+at OpenWrt.
+At different places there are references to the official
+[[https://docs.nginx.com/nginx/technical-specs/|Technical Specs]]
+for further reading.
+
+**tl;dr:** The main configuration is a minimal configuration enabling the
+''${CONF_DIR}'' directory:
+  * There is a ''${LAN_NAME}.conf'' containing a default server for the LAN, \
+which includes all ''*.locations''.
+  * We can disable parts of the configuration by renaming them.
+  * If we want to install other servers that are also reachable from the LAN, \
+  we can include the ''${LAN_LISTEN}'' file (or ''${LAN_SSL_LISTEN}'' for \
+  HTTPS servers).
+  * If Nginx is installed with SSL support, we have a server \
+in ''_redirect2ssl.conf'' that redirects inexistent URLs to HTTPS, too.
+  * We can create a self-signed certificate and add corresponding directives \
+to e.g. ''${EXAMPLE_COM}.conf'' by invoking \
+<code>$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} ${EXAMPLE_COM}</code>
+
+
+
+==== Basic ====${MSG}
+
+
+We modify the configuration by creating different configuration files in the
+''${CONF_DIR}'' directory.
+The configuration files use the file extensions ''.locations'' and
+''.conf'' (plus ''.crt'' and ''.key'' for Nginx with SSL).
+We can disable single configuration parts by giving them another extension,
+e.g., by adding ''.disabled''.
+For the new configuration to take effect, we must reload it by:
+<code>service nginx reload</code>
+
+For OpenWrt we use a special initial configuration, which is explained below in
+the section [[#openwrt_s_defaults|OpenWrt’s Defaults]].
+So, we can make a site available at a specific URL in the **LAN** by creating a
+''.locations'' file in the directory ''${CONF_DIR}''.
+Such a file consists just of some
+[[https://nginx.org/en/docs/http/ngx_http_core_module.html#location|
+location blocks]].
+Under the latter link, you can find also the official documentation for all
+available directives of the HTTP core of Nginx.
+Look for //location// in the Context list.
+
+The following example provides a simple template, see at the end for
+different [[#locations_for_apps|Locations for Apps]] and look for
+[[https://github.com/search?utf8=%E2%9C%93&q=repo%3Aopenwrt%2Fpackages
++extension%3Alocations&type=Code&ref=advsearch&l=&l=|
+other packages using a .locations file]], too:
+<code nginx ${CONF_DIR}example.locations>
+location /ex/am/ple {
+	access_log off; # default: not logging accesses.
+	# access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout).
+	# error_log stderr; # default: logging to logd (init forwards stderr).
+	error_log /dev/null; # disable error logging after config file is read.
+	# (state path of a file for access_log/error_log to the file instead.)
+	index index.html;
+}
+# location /eg/static { … }
+</code>
+
+All location blocks in all ''.locations'' files must use different URLs,
+since they are all included in the ''${LAN_NAME}.conf'' that is part of the
+[[#openwrt_s_defaults|OpenWrt’s Defaults]].
+We reserve the ''location /'' for making LuCI available under the root URL,
+e.g. [[http://192.168.1.1/|192.168.1.1/]].
+All other sites shouldn’t use the root ''location /'' without suffix.
+We can make other sites available on the root URL of other domain names, e.g.
+on www.example.com/.
+In order to do that, we create a ''.conf'' file for every domain name:
+see the next section [[#new_server_parts|New Server Parts]].
+For Nginx with SSL we can also activate SSL there, as described below in the
+section [[#ssl_server_parts|SSL Server Parts]].
+We use such server parts also for publishing sites to the internet (WAN)
+instead of making them available just in the LAN.
+
+Via ''.conf'' files we can also add directives to the //http// part of the
+configuration. The difference to editing the main ''${NGINX_CONF}''
+file instead is the following: If the package’s ''nginx.conf'' file is updated
+it will only be installed if the old file has not been changed.
+
+
+
+==== New Server Parts ====${MSG}
+
+
+For making the router reachable from the WAN at a registered domain name,
+it is not enough to give the name server the internet IP address of the router
+(maybe updated automatically by a
+[[docs:guide-user:services:ddns:client|DDNS Client]]).
+We also need to set up virtual hosting for this domain name by creating an
+appropriate server part in a ''${CONF_DIR}*.conf'' file.
+All such files are included at the start of Nginx by the default main
+configuration of OpenWrt ''${NGINX_CONF}'' as depicted in
+[[#openwrt_s_defaults|OpenWrt’s Defaults]].
+
+In the server part, we state the domain as
+[[https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name|
+server_name]].
+The link points to the same document as for the location blocks in the
+[[#basic|Basic Configuration]]: the official documentation for all available
+directives of the HTTP core of Nginx.
+This time look for //server// in the Context list, too.
+The server part should also contain similar location blocks as before.
+We can re-include a ''.locations'' file that is included in the server part for
+the LAN by default.
+Then the site is reachable under the same path at both domains, e.g., by
+http://192.168.1.1/ex/am/ple as well as by http://example.com/ex/am/ple.
+
+The [[#openwrt_s_defaults|OpenWrt’s Defaults]] include a ''${LAN_NAME}.conf''
+file containing a server part that listens on the LAN address(es) and acts as
+//default_server//.
+For making the domain name accessible in the LAN, too, the corresponding
+server part must listen **explicitly** on the local IP address(es), cf. the
+official documentation on
+[[https://nginx.org/en/docs/http/request_processing.html|request_processing]].
+We can include the file ''${LAN_LISTEN}'' that contains the listen
+directives for all LAN addresses on the HTTP port 80 and is automatically
+updated.
+
+The following example is a simple template, see
+[[https://github.com/search?q=repo%3Aopenwrt%2Fpackages
++include+${LAN_LISTEN}+extension%3Aconf&type=Code|
+such server parts of other packages]], too:
+<code nginx ${CONF_DIR}${EXAMPLE_COM}.conf>
+server {
+	listen 80;
+	listen [::]:80;
+	include '${LAN_LISTEN}';
+	server_name ${EXAMPLE_COM};
+	# location / { … } # root location for this server.
+	include '${CONF_DIR}${EXAMPLE_COM}.locations';
+}
+</code>
+
+
+
+==== SSL Server Parts ====${MSG}
+
+
+We can enable HTTPS for a domain if Nginx is installed with SSL support.
+We need a SSL certificate as well as its key and add them by the directives
+//ssl_certificate// respective //ssl_certificate_key// to the server part of the
+domain.
+The rest of the configuration is similar as described in the previous section
+[[#new_server_parts|New Server Parts]],
+we only have to adjust the listen directives by adding the //ssl// parameter,
+see the official documentation for
+[[https://nginx.org/en/docs/http/configuring_https_servers.html|
+configuring HTTPS servers]], too.
+For making the domain available also in the LAN, we can include the file
+''${LAN_SSL_LISTEN}'' that contains the listen directives with ssl
+parameter for all LAN addresses on the HTTPS port 443 and is automatically
+updated.
+
+The official documentation of the SSL module contains an
+[[https://nginx.org/en/docs/http/ngx_http_ssl_module.html#example|
+example]],
+which includes some optimizations.
+The following template is extended similarly, see also
+[[https://github.com/search?q=repo%3Aopenwrt%2Fpackages
++include+${LAN_SSL_LISTEN}+extension%3Aconf&type=Code|
+other packages providing SSL server parts]]:
+<code nginx ${CONF_DIR}${EXAMPLE_COM}>
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+	include '${LAN_SSL_LISTEN}';
+	server_name ${EXAMPLE_COM};
+	ssl_certificate '${CONF_DIR}${EXAMPLE_COM}.crt';
+	ssl_certificate_key '${CONF_DIR}${EXAMPLE_COM}.key';
+	ssl_session_cache ${SSL_SESSION_CACHE_ARG};
+	ssl_session_timeout ${SSL_SESSION_TIMEOUT_ARG};
+	# location / { … } # root location for this server.
+	include '${CONF_DIR}${EXAMPLE_COM}.locations';
+}
+</code>
+
+For creating a certificate (and its key) we can use Let’s Encrypt by installing
+[[https://github.com/Neilpang/acme.sh|ACME Shell Script]]:
+<code>opkg update && opkg install acme # and for LuCI: luci-app-acme</code>
+
+For the LAN server in the ''${LAN_NAME}.conf'' file, the init script
+''/etc/init.d/nginx'' script installs automatically a self-signed certificate.
+We can use this mechanism also for other sites by issuing, e.g.:
+<code>$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} ${EXAMPLE_COM}</code>
+  - It adds SSL directives to the server part of \
+    ''${CONF_DIR}${EXAMPLE_COM}.conf'' like in the example above.
+  - Then, it checks if there is a certificate and key for the given domain name\
+    that is valid for at least 13 months or tries to create a self-signed one.
+  - When cron is activated, it installs a cron job for renewing the self-signed\
+    certificate every year if needed, too. We can activate cron by: \
+    <code>service cron enable && service cron start</code>
+
+Beside the ''${LAN_NAME}.conf'' file, the
+[[#openwrt_s_defaults|OpenWrt’s Defaults]] include also the
+''_redirect2ssl.conf'' file containing a server part that redirects all HTTP
+request for inexistent URIs to HTTPS.
+
+
+
+==== OpenWrt’s Defaults ====${MSG}
+
+
+The default main configuration file is:
+$(code ${NGINX_CONF})
+
+We can pretend the main configuration contains also the following presets,
+since Nginx is configured with them:
+<code nginx>$(ifConfEcho --pid-path pid)\
+$(ifConfEcho --lock-path lock_file)\
+$(ifConfEcho --error-log-path error_log)\
+$(false && ifConfEcho --http-log-path access_log)\
+$(ifConfEcho --http-proxy-temp-path proxy_temp_path)\
+$(ifConfEcho --http-client-body-temp-path client_body_temp_path)\
+$(ifConfEcho --http-fastcgi-temp-path fastcgi_temp_path)\
+</code>
+
+So, the access log is turned off by default and we can look at the error log
+by ''logread'', as Nginx’s init file forwards stderr and stdout to the
+[[docs:guide-user:base-system:log.essentials|logd]].
+We can set the //error_log// and //access_log// to files where the log
+messages are forwarded to instead (after the configuration is read).
+And for redirecting the access log of a //server// or //location// to the logd,
+too, we insert the following directive in the corresponding block:
+<code nginx>
+	access_log /proc/self/fd/1 openwrt;
+</code>
+
+At the end, the main configuration pulls in all ''.conf'' files from the
+directory ''${CONF_DIR}'' into the http block, especially the following
+server part for the LAN:
+$(code ${CONF_DIR}${LAN_NAME}.conf)
+
+It pulls in all ''.locations'' files from the directory ''${CONF_DIR}''.
+We can install the location parts of different sites there (see above in the
+[[#basic|Basic Configuration]]) and re-include them in server parts  of other
+''${CONF_DIR}*.conf'' files.
+This is needed especially for making them available to the WAN as described
+above in the section [[#new_server_parts|New Server Parts]].
+All ''.locations'' become available on the LAN through the file
+''$(basename ${LAN_LISTEN}).default'', which contains one of the following
+directives for every local IP address:
+<code nginx>
+	listen IPv4:80 default_server;
+	listen [IPv6]:80 default_server;
+</code>
+The ''${LAN_LISTEN}'' file contains the same directives without the
+parameter ''default_server''.
+We can include this file in other server parts that should be reachable in the
+LAN through their //server_name//.
+Both files ''${LAN_LISTEN}{,.default}'' are (re-)created if Nginx starts
+through its init for OpenWrt or the LAN interface changes.
+
+=== Additional Defaults for OpenWrt if Nginx is installed with SSL support ===
+
+When Nginx is installed with SSL support, there will be automatically managed
+files ''$(basename ${LAN_SSL_LISTEN}).default'' and
+''$(basename ${LAN_SSL_LISTEN})'' in the directory
+''$(dirname ${LAN_SSL_LISTEN})/'' containing the following directives for all
+IPv4 and IPv6 addresses of the LAN:
+<code nginx>
+	listen IP:443 ssl; # with respectively without: default_server
+</code>
+Both files as well as the ''${LAN_LISTEN}{,.default}'' files are (re-)created
+if Nginx starts through its init for OpenWrt or the LAN interface changes.
+
+For Nginx with SSL there is also the following server part that redirects
+requests for an inexistent ''server_name'' from HTTP to HTTPS (using an invalid
+name, more in the official documentation on
+[[https://nginx.org/en/docs/http/request_processing.html|request_processing]]):
+$(code ${CONF_DIR}_redirect2ssl.conf)
+
+Nginx’s init file for OpenWrt installs automatically a self-signed certificate
+for the LAN server part if needed and possible:
+  - Everytime Nginx starts, we check if the LAN is set up for SSL.
+  - We add //ssl*// directives (like in the example of the previous section \
+    [[#ssl_server_parts|SSL Server Parts]]) to the configuration file \
+    ''${CONF_DIR}${LAN_NAME}.conf'' if needed and if it looks “normal”, i.e., \
+    it has a ''server_name ${LAN_NAME};'' part.
+  - If there is no corresponding certificate that is valid for more than 13 \
+    months at ''${CONF_DIR}${LAN_NAME}.{crt,key}'', we create a self-signed one.
+  - We activate SSL by including the ssl listen directives from \
+    ''${LAN_SSL_LISTEN}.default'' and it becomes available by the default \
+    redirect from ''listen *:80;'' in ''${CONF_DIR}_redirect2ssl.conf''
+  - If cron is available, i.e., its status is not ''inactive'', we use it \
+    to check the certificate for validity once a year and renew it if there \
+    are only about 13 months of the more than 3 years life time left.
+
+The points 2, 3 and 5 can be used for other domains, too:
+As described in the section [[#new_server_parts|New Server Parts]] above, we
+create a server part in ''${CONF_DIR}www.example.com.conf'' with
+a corresponding ''server_name www.example.com;'' directive and call
+<code>$(basename ${NGINX_UTIL}) ${ADD_SSL_FCT} www.example.com</code>
+EOF

net/nginx/files/_lan.conf

@@ -0,0 +1,8 @@
+# default_server for the LAN addresses getting the IPs by:
+# ifstatus lan | jsonfilter -e '@["ipv4-address","ipv6-address"].*.address'
+server {
+	include '/var/lib/nginx/lan.listen.default';
+	server_name _lan;
+	# access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout).
+	include conf.d/*.locations;
+}

net/nginx/files/_redirect2ssl.conf

@@ -0,0 +1,8 @@
+# acts as default server if there is no other.
+server {
+	listen 80;
+	listen [::]:80;
+	include '/var/lib/nginx/lan.listen';
+	server_name _redirect2ssl;
+	return 302 https://$host$request_uri;
+}

net/nginx/files/nginx.conf

@@ -0,0 +1,28 @@
+# Please consider creating files in /etc/nginx/conf.d/ instead of editing this.
+# For details see https://openwrt.org/docs/guide-user/services/webserver/nginx
+
+user root;
+
+events {}
+
+http {
+	access_log off;
+	log_format openwrt
+		'$request_method $scheme://$host$request_uri => $status'
+		' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';
+
+	include mime.types;
+	default_type application/octet-stream;
+	sendfile on;
+
+	client_max_body_size 17M;
+	large_client_header_buffers 2 1k;
+
+	gzip on;
+	gzip_vary on;
+	gzip_proxied any;
+
+	root /www;
+
+	include conf.d/*.conf;
+}

net/nginx/files/nginx.init

@@ -5,13 +5,55 @@ START=80
 
 USE_PROCD=1
 
+NGINX_UTIL="/usr/bin/nginx-util"
+
+eval $("${NGINX_UTIL}" get_env)
+
 start_service() {
 	[ -d /var/log/nginx ] || mkdir -p /var/log/nginx
 	[ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx
 
+	${NGINX_UTIL} init_lan
+
 	procd_open_instance
-	procd_set_param command /usr/sbin/nginx -c /etc/nginx/nginx.conf -g 'daemon off;'
-	procd_set_param file /etc/nginx/nginx.conf
+	NCPUS="$(grep -c '^processor\s*:' /proc/cpuinfo)"
+	procd_set_param command /usr/sbin/nginx -c "${NGINX_CONF}" \
+		-g "daemon off; worker_processes $NCPUS;"
+	procd_set_param stdout 1
+	procd_set_param stderr 1
+	procd_set_param file "${LAN_LISTEN}" "${LAN_LISTEN}.default" \
+		"${NGINX_CONF}" "${CONF_DIR}*.conf" "${CONF_DIR}*.locations"
+	[ "${LAN_SSL_LISTEN}" == "" ] \
+	|| procd_append_param file "${CONF_DIR}*.crt" "${CONF_DIR}*.key" \
+		"${LAN_SSL_LISTEN}" "${LAN_SSL_LISTEN}.default"
 	procd_set_param respawn
 	procd_close_instance
 }
+
+stop_service() {
+	rm -f "${LAN_LISTEN}" "${LAN_LISTEN}.default"
+	[ "${LAN_SSL_LISTEN}" == "" ] \
+	|| rm -f "${LAN_SSL_LISTEN}" "${LAN_SSL_LISTEN}.default"
+}
+
+service_triggers() {
+	procd_add_reload_interface_trigger loopback
+	procd_add_reload_interface_trigger lan
+}
+
+reload_service() {
+	[ -d /var/log/nginx ] || mkdir -p /var/log/nginx
+	[ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx
+
+	${NGINX_UTIL} init_lan
+
+	procd_send_signal nginx
+}
+
+relog() {
+	[ -d /var/log/nginx ] || mkdir -p /var/log/nginx
+	procd_send_signal nginx '*' USR1
+}
+
+EXTRA_COMMANDS="relog"
+EXTRA_HELP="	relog	Reopen log files (without reloading)"