NGINX JavaScript, also known as njs, is a subset of the JavaScript
language that allows extending nginx functionality. njs is created
in compliance with ECMAScript 5.1 (strict mode) with some ECMAScript 6
and later extensions. It's easy to use njs command line utility to
develop and debug additional functionality. Also, it's light-weight
and very useful as a shebang in some cases as the nodejs substitutor.
Remove build of njs command-line utility from the www/nginx-devel (*)
process.
Bump PORTREVISION. (*)
<Changelog>
*) Bugfix: when using EPOLLEXCLUSIVE on Linux client connections were
unevenly distributed among worker processes.
*) Bugfix: nginx returned the "Connection: keep-alive" header line in
responses during graceful shutdown of old worker processes.
*) Bugfix: in the "ssl_session_ticket_key" when using TLSv1.3.
</Changelog>
Bump PORTREVISION.
<ChangeLog>
Core:
*) Bugfix: fixed Array.prototype.join() when array is changed
while iterating.
*) Bugfix: fixed Array.prototype.slice() when array is changed
while iterating.
*) Bugfix: fixed Array.prototype.concat() when array is changed
while iterating.
*) Bugfix: fixed Array.prototype.reverse() when array is changed
while iterating.
*) Bugfix: fixed Buffer.concat() with subarrays.
Thanks to Sylvain Etienne.
*) Bugfix: fixed type confusion bug while resolving promises.
*) Bugfix: fixed Function.prototype.apply() with large array
arguments.
*) Bugfix: fixed recursive async function calls.
*) Bugfix: fixed function redeclaration. The bug was introduced
in 0.7.0.
</ChangeLog>
The extra-patch-httpv3 contains the README file now, previously a
diff for that file was omitted. To avoid a rejection for the README
file the original file from nginx distribution is going to be preserved.
Bump PORTREVISION.
HTTP_DAV_EXT module requires libraries, so let's define them
in a more canonical way.
While I'm here use the same way to define dependences for the
HTTP_XSLT module as well.
PR: 261134
Update the third-party module to its recent version to support
both PCRE1 and PCRE2 libraries.
Bump PORTREVISION.
Idea from: http://hg.nginx.org/pkg-oss/rev/45cb552c6860
Thanks to: Mikhail Isachenkov <mikhail.isachenkov@nginx.com>
NGINX 1.21.5 adds support for the PCRE2 library, in addition to
supporting PCRE1. It's possible to choose the regular expression
library for the port now.
Please note: several modules require patching to support the
PCRE2 library, so let's keep PCRE1 as the default version for now.
Bump PORTREVISION.
Please note: it's possible to build the recent version of nginx
with the PCRE2 library, but several third-party modules have some
build issues, so let's keep www/nginx-devel depending on the PCRE1
library for now, but keep in mind it needs to be switched to the
modern, i.e. second, version of PCRE.
<Changelog>
Changes with nginx 1.21.5
*) Change: now nginx is built with the PCRE2 library by default.
*) Change: now nginx always uses sendfile(SF_NODISKIO) on FreeBSD.
*) Feature: support for sendfile(SF_NOCACHE) on FreeBSD.
*) Feature: the $ssl_curve variable.
*) Bugfix: connections might hang when using HTTP/2 without SSL with the
"sendfile" and "aio" directives.
Changes with njs 0.7.1
nginx modules:
*) Change: the "js_include" directive deprecated since 0.4.0 was
removed.
*) Change: PCRE/PCRE2-specific code was moved to the modules.
This ensures that njs uses the same RegExp library as nginx.
Core:
*) Feature: extended "fs" module. Added stat(), fstat()
and friends.
*) Change: default RegExp engine for CLI is switched
to PCRE2.
*) Bugfix: fixed decodeURI() and decodeURIComponent() with
invalid byte strings. The bug was introduced in 0.4.3.
*) Bugfix: fixed heap-use-after-free in await frame.
The bug was introduced in 0.7.0.
*) Bugfix: fixed WebCrypto sign() and verify() methods
with OpenSSL 3.0.
*) Bugfix: fixed exception throwing when RegExp match fails.
The bug was introduced in 0.1.15.
*) Bugfix: fixed catching of exception thrown in try block
of async function. The bug was introduced in 0.7.0.
*) Bugfix: fixed execution of async function in synchronous
context. The bug was introduced in 0.7.0.
*) Bugfix: fixed function redeclaration in CLI when interactive
mode is on. The bug was introduced in 0.6.2.
*) Bugfix: fixed typeof operator with DataView object.
*) Bugfix: eliminated information leak in Buffer.from().
</Changelog>
A new USES has been added to depend on ImageMagick.
    USES=magick
adds a LIB_DEPENDS on graphics/ImageMagick${IMAGEMAGICK_DEFAULT}.
If a specific version is required, use for example
    USES=magick:6 resp. USES=magick:7
If only a build, run or test is required, use for example
    USES=magick:build resp. USES=magick:6,build,test
If a dependency on the nox11 flavor is required, use for example
    USES=magick:nox11 resp. USES=magick:7,nox11,run,test
See magick.mk for more details on the available flags.
The tree has been completely converted to make use of this.
Approved by: bapt
Differential Revision: https://reviews.freebsd.org/D32754
New kernel TLS feature is available starting with FreeBSD 13.0,
and it requires OpenSSL 3.0, compiled with "enable-ktls" option.
Further, KTLS needs to be enabled in kernel, and in OpenSSL,
either via OpenSSL configuration file or with
    ssl_conf_command Options KTLS;
in nginx configuration.
To enable kernel TLS on FreeBSD 13 and above:
    # kldload ktls_ocf
    # sysctl kern.ipc.tls.enable=1
to load a software backend, see man ktls(4) for details.
Also, please visit the following link to get more details
https://hg.nginx.org/nginx/rev/65946a191197
<Changelog>
*) Change: support for NPN instead of ALPN to establish HTTP/2
connections has been removed.
*) Change: now nginx rejects SSL connections if ALPN is used by the
client, but no supported protocols can be negotiated.
*) Change: the default value of the "sendfile_max_chunk" directive was
changed to 2 megabytes.
*) Feature: the "proxy_half_close" directive in the stream module.
*) Feature: the "ssl_alpn" directive in the stream module.
*) Feature: the $ssl_alpn_protocol variable.
*) Feature: support for SSL_sendfile() when using OpenSSL 3.0.
*) Feature: the "mp4_start_key_frame" directive in the
ngx_http_mp4_module.
Thanks to Tracey Jaquith.
*) Bugfix: in the $content_length variable when using chunked transfer
encoding.
*) Bugfix: after receiving a response with incorrect length from a
proxied backend nginx might nevertheless cache the connection.
Thanks to Awdhesh Mathpal.
*) Bugfix: invalid headers from backends were logged at the "info" level
instead of "error"; the bug had appeared in 1.21.1.
*) Bugfix: requests might hang when using HTTP/2 and the "aio_write"
directive.
</Changelog>
<Changelog>
*) Change: optimization of client request body reading when using
HTTP/2.
*) Bugfix: in request body filters internal API when using HTTP/2 and
buffering of the data being processed.
</Changelog>
While I'm here, fix build of the third-party ajp module by changing
a distribution point.
<Changelog>
*) Change: now nginx rejects HTTP/1.0 requests with the
"Transfer-Encoding" header line.
*) Change: export ciphers are no longer supported.
*) Feature: OpenSSL 3.0 compatibility.
*) Feature: the "Auth-SSL-Protocol" and "Auth-SSL-Cipher" header lines
are now passed to the mail proxy authentication server.
Thanks to Rob Mueller.
*) Feature: request body filters API now permits buffering of the data
being processed.
*) Bugfix: backend SSL connections in the stream module might hang after
an SSL handshake.
*) Bugfix: the security level, which is available in OpenSSL 1.1.0 or
newer, did not affect loading of the server certificates when set
with "@SECLEVEL=N" in the "ssl_ciphers" directive.
*) Bugfix: SSL connections with gRPC backends might hang if select,
poll, or /dev/poll methods were used.
*) Bugfix: when using HTTP/2 client request body was always written to
disk if the "Content-Length" header line was not present in the
request.
</Changelog>
<Changelog>
*) Change: now nginx always returns an error for the CONNECT method.
*) Change: now nginx always returns an error if both "Content-Length"
and "Transfer-Encoding" header lines are present in the request.
*) Change: now nginx always returns an error if spaces or control
characters are used in the request line.
*) Change: now nginx always returns an error if spaces or control
characters are used in a header name.
*) Change: now nginx always returns an error if spaces or control
characters are used in the "Host" request header line.
*) Change: optimization of configuration testing when using many
listening sockets.
*) Bugfix: nginx did not escape """, "<", ">", "\", "^", "`", "{", "|",
and "}" characters when proxying with changed URI.
*) Bugfix: SSL variables might be empty when used in logs; the bug had
appeared in 1.19.5.
*) Bugfix: keepalive connections with gRPC backends might not be closed
after receiving a GOAWAY frame.
*) Bugfix: reduced memory consumption for long-lived requests when
proxying with more than 64 buffers.
</Changelog>
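The request-rejection changes in the two changelogs above (HTTP/1.0 with "Transfer-Encoding"; CONNECT; both "Content-Length" and "Transfer-Encoding"; spaces or control characters in the request line, a header name, or "Host") can be modelled as a small checker for triaging captured requests. This is an added example, not code from nginx or the port; `rejectReason()`, its reason strings, the extra "malformed header line" case and the sample requests are assumptions made for illustration.

```javascript
// Added example: a simplified model of the request checks named in the
// changelogs above. It is not nginx's parser; rejectReason() and SAMPLES
// are constructed for illustration.
const CTL_OR_SPACE = /[\x00-\x20\x7f]/;

function rejectReason(raw) {
  const head = raw.split("\r\n\r\n")[0];
  const lines = head.split("\r\n");

  // Request line: exactly three single-space-separated tokens, none empty,
  // none containing a control character.
  const parts = lines[0].split(" ");
  if (parts.length !== 3 || parts.some((p) => p === "" || CTL_OR_SPACE.test(p))) {
    return "space or control character in request line";
  }
  const method = parts[0];
  const version = parts[2];
  if (method === "CONNECT") return "CONNECT method";

  const seen = new Set();
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(":");
    // A line without a field name is outside the listed rules; flag it anyway.
    if (colon < 1) return "malformed header line";
    const name = line.slice(0, colon);
    const value = line.slice(colon + 1).trim();
    // Catches "Transfer-Encoding : chunked", a parser-disagreement case.
    if (CTL_OR_SPACE.test(name)) return "space or control character in header name";
    if (name.toLowerCase() === "host" && CTL_OR_SPACE.test(value)) {
      return "space or control character in Host";
    }
    seen.add(name.toLowerCase());
  }

  const te = seen.has("transfer-encoding");
  if (te && seen.has("content-length")) {
    return "both Content-Length and Transfer-Encoding";
  }
  if (te && version === "HTTP/1.0") return "Transfer-Encoding on HTTP/1.0";
  return null; // none of the listed rejections apply
}

// Constructed sample requests: one clean, one with conflicting framing headers.
const SAMPLES = [
  "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
  "POST /u HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
];
```

Running captured requests through such a model before and after an upgrade shows which client or proxy traffic the stricter parsing will start refusing.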
<ChangeLog>
*) Bugfix: fixed RegExpBuiltinExec() with UTF-8 only regexps.
The bug was introduced in 0.4.2.
*) Bugfix: fixed parsing of export default declaration with
non-assignment expressions.
Thanks to Artem S. Povalyukhin.
</ChangeLog>
Bump PORTREVISION.
<ChangeLog for njs 0.5.3>
Core:
*) Feature: added let and const declaration support.
*) Feature: added RegExp.prototype[Symbol.split].
*) Feature: added sticky flag support for RegExp.
*) Bugfix: fixed heap-buffer-overflow in
String.prototype.lastIndexOf().
*) Bugfix: fixed RegExp.prototype.test() according to the
specification.
*) Bugfix: fixed String.prototype.split() according to the
specification.
*) Bugfix: fixed use-of-uninitialized-value while tracking
rejected promises.
*) Bugfix: fixed njs.dump() for objects with circular
references.
</ChangeLog>
Security: 0882f019-bd60-11eb-9bdd-8c164567ca3c
Security: CVE-2021-23017
<Changelog>
*) Security: 1-byte memory overwrite might occur during DNS server
response processing if the "resolver" directive was used, allowing an
attacker who is able to forge UDP packets from the DNS server to
cause worker process crash or, potentially, arbitrary code execution
(CVE-2021-23017).
*) Feature: variables support in the "proxy_ssl_certificate",
"proxy_ssl_certificate_key", "grpc_ssl_certificate",
"grpc_ssl_certificate_key", "uwsgi_ssl_certificate", and
"uwsgi_ssl_certificate_key" directives.
*) Feature: the "max_errors" directive in the mail proxy module.
*) Feature: the mail proxy module supports POP3 and IMAP pipelining.
*) Feature: the "fastopen" parameter of the "listen" directive in the
stream module.
Thanks to Anbang Wen.
*) Bugfix: special characters were not escaped during automatic redirect
with appended trailing slash.
*) Bugfix: connections with clients in the mail proxy module might be
closed unexpectedly when using SMTP pipelining.
</Changelog>
<Changelog>
*) Change: the default value of the "keepalive_requests" directive was
changed to 1000.
*) Feature: the "keepalive_time" directive.
*) Feature: the $connection_time variable.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
</Changelog>