Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/nginx: use nginxfmt and gixy #57979

Merged
merged 2 commits into from Apr 4, 2019
Merged

nixos/nginx: use nginxfmt and gixy #57979

merged 2 commits into from Apr 4, 2019

Conversation

4z3
Copy link
Contributor

@4z3 4z3 commented Mar 20, 2019
edited

Motivation for this change

Currently nginx.conf gets formatted by an awk script. This PR replaces that script by writeNginxConfig which uses nginx-config-formatter to format, and gixy to analyze nginx configurations.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@4z3 4z3 requested a review from infinisil as a code owner March 20, 2019 18:01
@Mic92 Mic92 requested a review from fpletz March 21, 2019 14:49
Mic92
Mic92 reviewed Mar 21, 2019
View reviewed changes
pkgs/build-support/writers/default.nix
cp "$textPath" $out
${pkgs.nginx-config-formatter}/bin/nginxfmt $out
${pkgs.gnused}/bin/sed -i '/^$/d' $out
${pkgs.gixy}/bin/gixy $out
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How likely is gixy to break valid configuration?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should there be a opt-out flag?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure how likely it is, but I'd argue that broken configurations should be fixed instead. Alternatively, writeNginxConfig can be overridden. This might not be the most convenient solution, but it's also not too painful either. Basically a writeNginxConfig = self.writeText would be sufficient. Anyway, if it's really desired, we can make it optional, or even pass arguments to gixy (but I haven't needed that myself before).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess we could test on master and see how many people would complain about it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

here to complain about it, breaks generic forward proxy configs

TomSmeets
TomSmeets suggested changes Mar 23, 2019
View reviewed changes
Copy link
Contributor

@TomSmeets TomSmeets left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fails with:

error: attribute 'writeNginxConfig' missing

nixos/modules/services/web-servers/nginx/default.nix Outdated Show resolved Hide resolved
@Mic92
Copy link
Member

Mic92 commented Mar 24, 2019

@GrahamcOfBorg test nginx

@Mic92 Mic92 merged commit 6dd7483 into NixOS:master Apr 4, 2019
@Izorkin
Copy link
Contributor

Izorkin commented Apr 8, 2019

Error work this code

location /example { allow 192.168.0.0/16; deny all; }

result

  location /example {
    allow 192.168.0.0/16;
    deny all;
  }
  ;

character is added ;

@Mic92 Mic92 mentioned this pull request Apr 8, 2019
Closed
@Mic92
Copy link
Member

Mic92 commented Apr 8, 2019

@Izorkin is it nginx or gixy that rejects the generated code?

@Izorkin
Copy link
Contributor

Izorkin commented Apr 8, 2019

Nginx error:

апр 08 14:55:45 web.elven.pw systemd[1]: Starting Nginx Web Server...
апр 08 14:55:45 web.elven.pw pnzhwc1q1is8vbdkg34ksicqq9jh5chc-unit-script-nginx-pre-start[2430]: nginx: [emerg] unexpected ";" in /nix/store/glvppaxv9gqg9vj179ph9rmj8yg41d72-nginx.conf:151

@Mic92
Copy link
Member

Mic92 commented Apr 8, 2019

Ok. So it is nginx itself.

@Izorkin Izorkin mentioned this pull request Apr 8, 2019
Merged
10 tasks
@aanderse aanderse mentioned this pull request Apr 10, 2019
Closed
9 tasks
@jb55
Copy link
Contributor

jb55 commented Apr 18, 2019

@Mic92

I guess we could test on master and see how many people would complain about it.

I can't upgrade to latest unstable because of this. I get no useful error messages:

builder for '/nix/store/d2hphy6y9hn4wsj513b70vw8w3hnbzvp-nginx.conf.drv' failed with exit code 1; last 10 log lines:
   }
  }
  
  ==================== Summary ===================
  Total issues:
      Unspecified: 0
      Low: 0
      Medium: 1
      High: 1
cannot build derivation '/nix/store/7r84gqm501i30qqfhzvdvlv1bzg6fsr7-unit-nginx.service.drv': 1 dependencies couldn't be built

@Izorkin
Copy link
Contributor

Izorkin commented Apr 19, 2019

@jb55 need full log. Example:

building all machine configurations...
unpacking 'https://github.com/nix-community/NUR/archive/master.tar.gz'...
these derivations will be built:
  /nix/store/vg217jgnrfmm2kk9nk10rjvbvnqhavk7-nginx.conf.drv
  /nix/store/4k3hn2nvgf21bx551iq0zzf3ib4vl9a5-unit-script-nginx-pre-start.drv
  /nix/store/csixd8qnkwy9llqard5gpilxd52234hb-unit-nginx.service.drv
  /nix/store/z2r5caxs8g0d98ibx8mf779rm5s7l1mm-system-units.drv
  /nix/store/gsjrv7d56f8ipf98bqv95ad5ln420lx0-etc.drv
  /nix/store/wgfp73fldfzcsp8n20ii2yc9mi8wwfmy-nixos-system-my_site-19.09pre176321.4c4ad72a43c.drv
  /nix/store/56wkdkff2w42zfx2063sg978idh0g2s8-nixops-machines.drv
building '/nix/store/vg217jgnrfmm2kk9nk10rjvbvnqhavk7-nginx.conf.drv'...

==================== Results ===================

>> Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Severity: HIGH
Description: Using variables that can contain "\n" or "\r" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
Reason: At least variable "$uri" can contain "\n"
Pseudo config:

server {
        server_name my_site;

        location @backend_prober {
                proxy_pass http://nginx-unit-13/$uri?args;
        }
}

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 1

builder for '/nix/store/vg217jgnrfmm2kk9nk10rjvbvnqhavk7-nginx.conf.drv' failed with exit code 1
cannot build derivation '/nix/store/csixd8qnkwy9llqard5gpilxd52234hb-unit-nginx.service.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/z2r5caxs8g0d98ibx8mf779rm5s7l1mm-system-units.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/gsjrv7d56f8ipf98bqv95ad5ln420lx0-etc.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/wgfp73fldfzcsp8n20ii2yc9mi8wwfmy-nixos-system-my_site-19.09pre176321.4c4ad72a43c.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/56wkdkff2w42zfx2063sg978idh0g2s8-nixops-machines.drv': 1 dependencies couldn't be built
error: build of '/nix/store/56wkdkff2w42zfx2063sg978idh0g2s8-nixops-machines.drv' failed
Traceback (most recent call last):
  File "/nix/store/dmcxlqi7fwb4jws8c1qrzncfvqibvp0m-nixops-1.6.1/bin/..nixops-wrapped-wrapped", line 990, in <module>
    args.op()
  File "/nix/store/dmcxlqi7fwb4jws8c1qrzncfvqibvp0m-nixops-1.6.1/bin/..nixops-wrapped-wrapped", line 411, in op_deploy
    max_concurrent_activate=args.max_concurrent_activate)
  File "/nix/store/dmcxlqi7fwb4jws8c1qrzncfvqibvp0m-nixops-1.6.1/lib/python2.7/site-packages/nixops/deployment.py", line 1056, in deploy
    self.run_with_notify('deploy', lambda: self._deploy(**kwargs))
  File "/nix/store/dmcxlqi7fwb4jws8c1qrzncfvqibvp0m-nixops-1.6.1/lib/python2.7/site-packages/nixops/deployment.py", line 1045, in run_with_notify
    f()
  File "/nix/store/dmcxlqi7fwb4jws8c1qrzncfvqibvp0m-nixops-1.6.1/lib/python2.7/site-packages/nixops/deployment.py", line 1056, in <lambda>
    self.run_with_notify('deploy', lambda: self._deploy(**kwargs))
  File "/nix/store/dmcxlqi7fwb4jws8c1qrzncfvqibvp0m-nixops-1.6.1/lib/python2.7/site-packages/nixops/deployment.py", line 996, in _deploy
    self.configs_path = self.build_configs(dry_run=dry_run, repair=repair, include=include, exclude=exclude)
  File "/nix/store/dmcxlqi7fwb4jws8c1qrzncfvqibvp0m-nixops-1.6.1/lib/python2.7/site-packages/nixops/deployment.py", line 664, in build_configs
    raise Exception("unable to build all machine configurations")
Exception: unable to build all machine configurations

@jb55
Copy link
Contributor

jb55 commented Apr 20, 2019
edited

lzorkin: I need the full log too, I have no idea how to get that. I just reverted these commits for now.

@Mic92
Copy link
Member

Mic92 commented Apr 23, 2019

@jb55 use nix log /nix/store/d2hphy6y9hn4wsj513b70vw8w3hnbzvp-nginx.conf.drv to get the full log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mic92 Mic92 Mic92 left review comments

@acuteaura acuteaura acuteaura left review comments

@TomSmeets TomSmeets TomSmeets requested changes

@infinisil infinisil Awaiting requested review from infinisil

@fpletz fpletz Awaiting requested review from fpletz

Assignees
No one assigned
Labels
6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@4z3 @Mic92 @Izorkin @jb55 @TomSmeets @acuteaura @GrahamcOfBorg