
Nginx 1.21.5 Released

Discussion in 'Nginx and PHP-FPM news & discussions' started by buik, Dec 29, 2021.

  1. buik

    Nginx 1.21.5 is released.
    Main change is the default dependency of PCRE2.
    Affects the compilation of Nginx, thus also Centminmod.
    So this is a matter for @eva2000


     
  2. cloud9

    @eva2000 Give me the heads up and I'll install it for a test run

    That feels better, feel like I'm first to the party for a change :)
     
  3. eva2000

    Yup sure does. Did a quick private test with 1.21.5 + pcre2 v10.39 and will be a while for proper public release given other nginx modules from third parties depend on pcre too i.e. ngx_brotli & nginx lua module = more testing :)

    In the meantime, pcre v8.45 like normal will work fine with Nginx 1.21.5+
     
  4. eva2000

    So according to Maxim at Nginx, one of the main motivations for adding PCRE2 support in Nginx is that PCRE is essentially gone/EOL without security updates it seems https://forum.nginx.org/read.php?29,281263,292622#msg-292622

     
  5. buik

    PCRE2 was released almost 7 years ago now.
    Then you would say, the Nginx team had time enough to support PCRE2.
    Especially when security would be so important.
    Because EOL had been coming for a long time.

    The PCRE team has not guaranteed updates to PCRE1 since the release of PCRE2.
    As PCRE1 had no maintainer since the release of PCRE2.

    For the current and future PCRE1 based Nginx users.
    Latest PCRE security CVE is from 2017-03-23.
    Most current distros provide PCRE1.
    So if there would be a CVE in the future.
    Then that CVE fix will be backported.

    In other words, nothing to worry about. No problem.
     
    Last edited: Dec 30, 2021
  6. eva2000

    Yeah true.

    Yeah Nginx folks have been resistant to add PCRE2 support as you can see even from age of the thread starter date at https://forum.nginx.org/read.php?29,281263,281263#msg-281263 - September 2018.

    So far, ngx brotli is fine with PCRE2, but nginx lua module needs updates for PCRE2 ("module do not support with PCRE2 on nginx 1.21.5 · Issue #1984 · openresty/lua-nginx-module"), so that would be holding Centmin Mod Nginx 1.21.5+ and PCRE2 support if folks are using nginx lua module. But nginx lua module is optional and not enabled by default in Centmin Mod 123.09beta01, so without nginx lua module, Nginx 1.21.5 + PCRE2 does work from initial test

    PCRE2 shared library /usr/local/nginx-dep/lib/libpcre2-8.so.0 in Nginx binary built
    Code (Text):
    ldd $(which nginx)
            linux-vdso.so.1 =>  (0x00007fff55db4000)
            libpcre2-8.so.0 => /usr/local/nginx-dep/lib/libpcre2-8.so.0 (0x00007f91506a0000)
            libjemalloc.so.1 => /lib64/libjemalloc.so.1 (0x00007f91502db000)
            libdl.so.2 => /lib64/libdl.so.2 (0x00007f91500d7000)
            libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f914febb000)
            libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f914fc84000)
            libGeoIP.so.1 => /lib64/libGeoIP.so.1 (0x00007f914fa52000)
            libatomic_ops.so.1 => /usr/local/lib/libatomic_ops.so.1 (0x00007f914f850000)
            libc.so.6 => /lib64/libc.so.6 (0x00007f914f482000)
            /lib64/ld-linux-x86-64.so.2 (0x00007f915050f000)
            libfreebl3.so => /lib64/libfreebl3.so (0x00007f914f27f000)
    
     
  7. buik

    The OpenResty team is great.
    Better safe than sorry.

    As I mentioned earlier, I think Nginx is way too fast in releasing new bits.
    You usually don't replace an essential dependency like PCRE2 as default dependency in a mainline product you put on the market. Only a few days after adding the bits itself.

    This can never be stress tested, including the most common modules, in such a short time.

    Too many modules depend on it.
    Good example is the lua plugin as you image above.
     
    Last edited: Dec 30, 2021
  8. eva2000

    Sounds like they did have private in house PCRE2 test/patches planned, just not rolled out in production.
    Maxim stated this back in October 2021 - so a few months. Generally, Nginx folks release quite stable stuff - so fingers crossed. And yes Openresty folks do good stuff - a lot of their Nginx modules are baked into Centmin Mod Nginx either by default or as optionally enabled modules i.e. Nginx Lua.
     
  9. eva2000

    Currently, Nginx 1.21.5+ with PCRE2 isn't compatible with optional Nginx Lua and ModSecurity Nginx modules as at Dec 31, 2021. So probably will be a while before Centmin Mod Nginx switches from PCRE v8.45 to PCRE2 v10.x.

    Both Nginx Lua and ModSecurity Nginx modules are disabled by default unless you specifically enable them via persistent config set variables in /etc/centminmod/custom_config.inc.

    Nginx Lua PCRE2 Incompatibility

    Centmin Mod optionally enabled Nginx Lua module from OpenResty manages to get to end of centmin.sh menu option 4 Nginx compile run, but the resulting Nginx binary has an error and is unable to start the Nginx server with error on Nginx config check
    Code (Text):
    nginx -t
    nginx: [emerg] dlopen() "/usr/local/nginx/modules/ngx_http_lua_module.so" failed (/usr/local/nginx/modules/ngx_http_lua_module.so: undefined symbol: pcre_malloc) in /usr/local/nginx/conf/dynamic-modules.conf:9
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
    

    Nginx restart error
    Code (Text):
    ngxrestart
    Restarting nginx (via systemctl):  Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
                                                               [FAILED]
    

    and journalctl log for Nginx shows the same error message as above Nginx config check
    Code (Text):
    journalctl -u nginx --no-pager | sed -e "s|$HOSTNAME|hostname|g"| tail -7
    
    Dec 30 23:48:38 hostname systemd[1]: Starting SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server...
    Dec 30 23:48:38 hostname nginx[4223]: Starting nginx: nginx: [emerg] dlopen() "/usr/local/nginx/modules/ngx_http_lua_module.so" failed (/usr/local/nginx/modules/ngx_http_lua_module.so: undefined symbol: pcre_malloc) in /usr/local/nginx/conf/dynamic-modules.conf:9
    Dec 30 23:48:38 hostname nginx[4223]: [FAILED]
    Dec 30 23:48:38 hostname systemd[1]: nginx.service: control process exited, code=exited status=1
    Dec 30 23:48:38 hostname systemd[1]: Failed to start SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server.
    Dec 30 23:48:38 hostname systemd[1]: Unit nginx.service entered failed state.
    Dec 30 23:48:38 hostname systemd[1]: nginx.service failed.
    


    ModSecurity PCRE2 Incompatibility

    Centmin Mod optionally enabled ModSecurity Nginx module compiles (with NGINX_MODSECURITY='y') of Nginx 1.21.5 with PCRE2 enabled will result in errors like below during Nginx make stage.
    Code (Text):
    -L/usr/local/nginx-dep/lib -Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/nginx-dep/lib -lpcre2-8 -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/nginx-dep/lib:/usr/local/zlib-cf/lib:/usr/local/nginx-dep/lib -flto=8 -fuse-ld=gold \
    -shared
    ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c: In function ‘ngx_http_modsecurity_pcre_malloc_init’:
    ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c:78:9: error: ‘pcre_malloc’ undeclared (first use in this function); did you mean ‘old_pcre_malloc’?
       78 |     if (pcre_malloc != ngx_http_modsec_pcre_malloc) {
          |         ^~~~~~~~~~~
          |         old_pcre_malloc
    ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c:78:9: note: each undeclared identifier is reported only once for each function it appears in
    ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c:82:25: error: ‘pcre_free’ undeclared (first use in this function); did you mean ‘old_pcre_free’?
       82 |         old_pcre_free = pcre_free;
          |                         ^~~~~~~~~
          |                         old_pcre_free
    ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c: In function ‘ngx_http_modsecurity_pcre_malloc_done’:
    ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c:102:9: error: ‘pcre_malloc’ undeclared (first use in this function); did you mean ‘old_pcre_malloc’?
      102 |         pcre_malloc = old_pcre_malloc;
          |         ^~~~~~~~~~~
          |         old_pcre_malloc
    ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c:103:9: error: ‘pcre_free’ undeclared (first use in this function); did you mean ‘old_pcre_free’?
      103 |         pcre_free = old_pcre_free;
          |         ^~~~~~~~~
          |         old_pcre_free
    make[1]: *** [objs/addon/src/ngx_http_modsecurity_module.o] Error 1
    make[1]: *** Waiting for unfinished jobs....
    make[1]: Leaving directory `/svr-setup/nginx-1.21.5'
    make: *** [build] Error 2
    
     
  10. eva2000

  11. eva2000

    Interesting doing more research. It seems Nginx PCRE2 library is less tolerant of regular expression errors than PCRE https://serverfault.com/questions/1...ows-in-index-html-after-updating-to-nginx-1-2
    These gotchas will be interesting :)
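
An added example, not part of any post in this thread and not Centmin Mod's own code: a pre-flight check for the failure reported above, where an Nginx binary linked against PCRE2 could not dlopen() a dynamic module that still imports `pcre_malloc`. The function names and the `nm` sample lines are constructed for illustration; `ldd` and `nm -D --undefined-only` are the standard glibc and binutils tools.

```shell
#!/usr/bin/env bash
# Flag nginx dynamic modules that still import PCRE1 symbols while the
# nginx binary itself is linked against PCRE2 (hypothetical helper names).

# Reads `ldd` output on stdin; prints pcre2, pcre1 or none (pcre2 wins).
pcre_flavor() {
  awk '$1 ~ /^libpcre2-/ { f = "pcre2" }
       $1 ~ /^libpcre\.so/ && f == "" { f = "pcre1" }
       END { print (f == "" ? "none" : f) }'
}

# Reads `nm -D --undefined-only` output on stdin; prints the undefined PCRE1
# symbols (pcre_*, never pcre2_*), with any @VERSION suffix stripped.
legacy_pcre_symbols() {
  awk '$1 == "U" { sub(/@.*/, "", $2); if ($2 ~ /^pcre_/) print $2 }' | sort -u
}

# Usage: audit_modules NGINX_BINARY MODULE.so...
# Returns 1 if nginx uses PCRE2 and any module still needs PCRE1 symbols.
audit_modules() {
  local nginx_bin="$1" flavor syms mod rc=0
  shift
  flavor=$(ldd "$nginx_bin" | pcre_flavor)
  echo "nginx PCRE flavor: $flavor"
  for mod in "$@"; do
    syms=$(nm -D --undefined-only "$mod" | legacy_pcre_symbols | tr '\n' ' ')
    if [ "$flavor" = pcre2 ] && [ -n "$syms" ]; then
      echo "INCOMPATIBLE $mod: needs ${syms% }"
      rc=1
    fi
  done
  return "$rc"
}

# Sample inputs: the libpcre2 line is copied from the ldd output posted in
# this thread; the nm lines are constructed.
SAMPLE_LDD='        linux-vdso.so.1 =>  (0x00007fff55db4000)
        libpcre2-8.so.0 => /usr/local/nginx-dep/lib/libpcre2-8.so.0 (0x00007f91506a0000)'
SAMPLE_NM='                 U malloc@GLIBC_2.2.5
                 U pcre_free
                 U pcre_malloc
                 U ngx_palloc'

# Run against real files only when paths are given on the command line.
if [ "$#" -gt 0 ]; then audit_modules "$@"; fi
```

Run it before swapping the binary, passing the freshly built nginx and every `.so` listed in the dynamic modules config; a non-zero exit means `nginx -t` would fail with the undefined symbol error.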