public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nginx, nginxUnstable: enable hardening. Flags as recommended by @arno01 (Andrey Arapov) in #7190

This commit is contained in:
Michael Raskin 2016-03-04 16:54:27 +01:00
parent ce9e2012af
commit 7b9684a5b5
2 changed files with 18 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
pkgs/servers/http/nginx/default.nix
View File

@ -1,6 +1,7 @@
{ stdenv, fetchurl, fetchFromGitHub, openssl, zlib, pcre, libxml2, libxslt, expat { stdenv, fetchurl, fetchFromGitHub, openssl, zlib, pcre, libxml2, libxslt, expat
, gd, geoip , gd, geoip
, modules ? [] , modules ? []
, hardening ? true
}: }:
with stdenv.lib; with stdenv.lib;
@ -53,7 +54,14 @@ stdenv.mkDerivation rec {
NIX_CFLAGS_COMPILE = [ "-I${libxml2}/include/libxml2" ] ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations -Wno-error=conditional-uninitialized"; NIX_CFLAGS_COMPILE = [ "-I${libxml2}/include/libxml2" ] ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations -Wno-error=conditional-uninitialized";
preConfigure = concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules; preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules)
+ optionalString hardening ''
configureFlagsArray=(
--with-cc-opt="-fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2"
--with-ld-opt="-pie -Wl,-z,relro,-z,now"
)
''
;
meta = { meta = {
description = "A reverse proxy and lightweight webserver"; description = "A reverse proxy and lightweight webserver";

10
pkgs/servers/http/nginx/unstable.nix
View File

@ -2,6 +2,7 @@
, gd, geoip , gd, geoip
, withStream ? false , withStream ? false
, modules ? [] , modules ? []
, hardening ? true
}: }:
with stdenv.lib; with stdenv.lib;
@ -51,7 +52,14 @@ stdenv.mkDerivation rec {
NIX_CFLAGS_COMPILE = [ "-I${libxml2}/include/libxml2" ] ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations"; NIX_CFLAGS_COMPILE = [ "-I${libxml2}/include/libxml2" ] ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations";
preConfigure = concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules; preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules)
+ optionalString hardening ''
configureFlagsArray=(
--with-cc-opt="-fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2"
--with-ld-opt="-pie -Wl,-z,relro,-z,now"
)
''
;
postInstall = '' postInstall = ''
mv $out/sbin $out/bin mv $out/sbin $out/bin