From a0eadda9106a22b1d7a7c98c4a97c8329171540f Mon Sep 17 00:00:00 2001
From: André Draszik
Date: Fri, 18 Jan 2019 14:26:10 +0000
Subject: nginx: update systemd unit using nginx recommendation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Our systemd unit doesn't follow the official recommendation, see https://www.nginx.com/resources/wiki/start/topics/examples/systemd/
Most importantly:
* it should start after some additional specific targets/units
* using PrivateTmp is a useful security feature, in particular to avoid cross domain scripting via the temp folder
* using systemd's $MAINPID, we can distinguish between multiple running nginx instances correctly
Signed-off-by: André Draszik
Signed-off-by: Khem Raj
---
 meta-webserver/recipes-httpd/nginx/files/nginx.service | 10 +++++++---
 meta-webserver/recipes-httpd/nginx/nginx.inc | 1 +
 2 files changed, 8 insertions(+), 3 deletions(-)
(limited to 'meta-webserver')
diff --git a/meta-webserver/recipes-httpd/nginx/files/nginx.service b/meta-webserver/recipes-httpd/nginx/files/nginx.service
index ce99061717..c6fc0495f1 100644
--- a/meta-webserver/recipes-httpd/nginx/files/nginx.service
+++ b/meta-webserver/recipes-httpd/nginx/files/nginx.service
@@ -1,11 +1,15 @@
 [Unit]
-Description=Nginx Server
-After=network.target
+Description=The NGINX HTTP and reverse proxy server
+After=syslog.target network.target remote-fs.target nss-lookup.target
+
 [Service]
 Type=forking
 PIDFile=/run/nginx/nginx.pid
+ExecStartPre=@SBINDIR@/nginx -t
 ExecStart=@SBINDIR@/nginx
-ExecStop=@SBINDIR@/nginx -s stop
 ExecReload=@SBINDIR@/nginx -s reload
+ExecStop=@BINDIR@/kill -s QUIT $MAINPID
+PrivateTmp=true
+
 [Install]
 WantedBy=multi-user.target
diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc
index 24c2cedf5f..ea1c1f782a 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx.inc
+++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
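Review bot: The added `ExecStop=@BINDIR@/kill -s QUIT $MAINPID` line in the [Service] section of nginx.service depends on an external `kill` binary existing under `${bindir}`, and nothing visible in this patch guarantees that. On images without a merged /usr, `kill` is commonly installed under `${base_bindir}` instead, so the path should be checked against whichever package provides it. If the binary is missing or `$MAINPID` is empty, the graceful QUIT is never delivered and the stop presumably falls back to systemd's default SIGTERM, which nginx treats as a fast shutdown. Letting systemd deliver the signal avoids the path question: drop the `ExecStop=` line and add `KillSignal=SIGQUIT` with `KillMode=mixed`, plus a `TimeoutStopSec=` bound. That would also make the `-e 's,@BINDIR@,${bindir},g'` substitution added to do_install in nginx.inc unnecessary.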
@@ -117,6 +117,7 @@ do_install () {
 sed -i -e 's,@SYSCONFDIR@,${sysconfdir},g' \
 -e 's,@LOCALSTATEDIR@,${localstatedir},g' \
 -e 's,@SBINDIR@,${sbindir},g' \
+ -e 's,@BINDIR@,${bindir},g' \
 ${D}${systemd_unitdir}/system/nginx.service
 fi
 }
-- cgit 1.2.3-korg