Compiling www-servers/nginx with "security" in NGINX_MODULES_HTTP results in an error:

These are the packages that would be merged, in order:

Calculating dependencies... done!
Dependency resolution took 1.71 s (backtrack: 0/20).

[ebuild R ~] www-servers/nginx-1.27.0:mainline::gentoo USE="aio http http2 http3 http-cache pcre pcre2 ssl threads -debug -ktls -libatomic -pcre-jit -rtmp (-selinux) -test -vim-syntax" LUA_SINGLE_TARGET="luajit" NGINX_MODULES_HTTP="access auth_basic auth_pam autoindex brotli browser charset fastcgi gzip limit_conn limit_req naxsi perl proxy realip referer rewrite security stub_status -addition -auth_ldap -auth_request -cache_purge -dav -dav_ext -degradation -echo -empty_gif -fancyindex -flv -geo -geoip -geoip2 -grpc -gunzip -gzip_static -headers_more -image_filter -javascript -lua -map -memc -memcached -metrics -mirror -mogilefs -mp4 -push_stream -random_index -scgi -secure_link -slice -slowfs_cache -spdy -split_clients -ssi -sticky -sub -upload_progress -upstream_check -upstream_hash -upstream_ip_hash -upstream_keepalive -upstream_least_conn -upstream_zone -userid -uwsgi -vhost_traffic_status -vod -xslt" NGINX_MODULES_MAIL="-imap -pop3 -smtp" NGINX_MODULES_STREAM="-access -geo -geoip -geoip2 -javascript -limit_conn -map -realip -return -split_clients -ssl_preread -upstream_hash -upstream_least_conn -upstream_zone" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB

>>> Verifying ebuild manifests
>>> Emerging (1 of 1) www-servers/nginx-1.27.0::gentoo
 * nginx-1.27.0.tar.gz BLAKE2B SHA512 size ;-) ... [ ok ]
 * ngx_devel_kit-0.3.1.tar.gz BLAKE2B SHA512 size ;-) ... [ ok ]
 * ngx_http_auth_pam-1.5.2.tar.gz BLAKE2B SHA512 size ;-) ... [ ok ]
 * ngx_brotli-1.0.0rc.tar.gz BLAKE2B SHA512 size ;-) ... [ ok ]
 * ngx_http_naxsi-4140b2ded624eb36f04c783c460379b9403012d0.tar.gz BLAKE2B SHA512 size ;-) ... [ ok ]
 * ngx_http_naxsi_libinjection-49904c42a6e68dc8f16c022c693e897e4010a06c.tar.gz BLAKE2B SHA512 size ;-) ... [ ok ]
 * modsecurity-nginx-1.0.3.tar.gz BLAKE2B SHA512 size ;-) ... [ ok ]
>>> Unpacking source...
>>> Unpacking nginx-1.27.0.tar.gz to /var/tmp/portage/www-servers/nginx-1.27.0/work
>>> Unpacking ngx_devel_kit-0.3.1.tar.gz to /var/tmp/portage/www-servers/nginx-1.27.0/work
>>> Unpacking ngx_http_auth_pam-1.5.2.tar.gz to /var/tmp/portage/www-servers/nginx-1.27.0/work
>>> Unpacking ngx_brotli-1.0.0rc.tar.gz to /var/tmp/portage/www-servers/nginx-1.27.0/work
>>> Unpacking ngx_http_naxsi-4140b2ded624eb36f04c783c460379b9403012d0.tar.gz to /var/tmp/portage/www-servers/nginx-1.27.0/work
>>> Unpacking ngx_http_naxsi_libinjection-49904c42a6e68dc8f16c022c693e897e4010a06c.tar.gz to /var/tmp/portage/www-servers/nginx-1.27.0/work
>>> Unpacking modsecurity-nginx-1.0.3.tar.gz to /var/tmp/portage/www-servers/nginx-1.27.0/work
>>> Source unpacked in /var/tmp/portage/www-servers/nginx-1.27.0/work
>>> Preparing source in /var/tmp/portage/www-servers/nginx-1.27.0/work/nginx-1.27.0 ...
 * Applying nginx-1.4.1-fix-perl-install-path.patch ... [ ok ]
 * Applying nginx-httpoxy-mitigation-r1.patch ... [ ok ]
 * Applying http_brotli-detect-brotli-r3.patch ... [ ok ]
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/www-servers/nginx-1.27.0/work/nginx-1.27.0 ...
checking for OS
 + Linux 6.9.3 x86_64
checking for C compiler ... found
 + using GNU C compiler
checking for --with-ld-opt="-L/usr/lib64" ... found
checking for -Wl,-E switch ... found
checking for gcc builtin atomic operations ... found
checking for C99 variadic macros ... found
checking for gcc variadic macros ... found
checking for gcc builtin 64 bit byteswap ... found
checking for unistd.h ... found
checking for inttypes.h ... found
checking for limits.h ... found
checking for sys/filio.h ... not found
checking for sys/param.h ... found
checking for sys/mount.h ... found
checking for sys/statvfs.h ... found
checking for crypt.h ... found
checking for Linux specific features
checking for epoll ... found
checking for EPOLLRDHUP ... found
checking for EPOLLEXCLUSIVE ... found
checking for eventfd() ... found
checking for O_PATH ... found
checking for sendfile() ... found
checking for sendfile64() ... found
checking for sys/prctl.h ... found
checking for prctl(PR_SET_DUMPABLE) ... found
checking for prctl(PR_SET_KEEPCAPS) ... found
checking for capabilities ... found
checking for crypt_r() ... found
checking for sys/vfs.h ... found
checking for BPF sockhash ... found
checking for SO_COOKIE ... found
checking for UDP_SEGMENT ... found
checking for poll() ... found
checking for /dev/poll ... not found
checking for kqueue ... not found
checking for crypt() ... not found
checking for crypt() in libcrypt ... found
checking for F_READAHEAD ... not found
checking for posix_fadvise() ... found
checking for O_DIRECT ... found
checking for F_NOCACHE ... not found
checking for directio() ... not found
checking for statfs() ... found
checking for statvfs() ... found
checking for dlopen() ... found
checking for sched_yield() ... found
checking for sched_setaffinity() ... found
checking for SO_SETFIB ... not found
checking for SO_REUSEPORT ... found
checking for SO_ACCEPTFILTER ... not found
checking for SO_BINDANY ... not found
checking for IP_TRANSPARENT ... found
checking for IP_BINDANY ... not found
checking for IP_BIND_ADDRESS_NO_PORT ... found
checking for IP_RECVDSTADDR ... not found
checking for IP_SENDSRCADDR ... not found
checking for IP_PKTINFO ... found
checking for IPV6_RECVPKTINFO ... found
checking for IP_MTU_DISCOVER ... found
checking for IPV6_MTU_DISCOVER ... found
checking for IP_DONTFRAG ... not found
checking for IPV6_DONTFRAG ... found
checking for TCP_DEFER_ACCEPT ... found
checking for TCP_KEEPIDLE ... found
checking for TCP_FASTOPEN ... found
checking for TCP_INFO ... found
checking for accept4() ... found
checking for kqueue AIO support ... not found
checking for Linux AIO support ... found
checking for int size ... 4 bytes
checking for long size ... 8 bytes
checking for long long size ... 8 bytes
checking for void * size ... 8 bytes
checking for uint32_t ... found
checking for uint64_t ... found
checking for sig_atomic_t ... found
checking for sig_atomic_t size ... 4 bytes
checking for socklen_t ... found
checking for in_addr_t ... found
checking for in_port_t ... found
checking for rlim_t ... found
checking for uintptr_t ... uintptr_t found
checking for system byte ordering ... little endian
checking for size_t size ... 8 bytes
checking for off_t size ... 8 bytes
checking for time_t size ... 8 bytes
checking for AF_INET6 ... found
checking for setproctitle() ... not found
checking for pread() ... found
checking for pwrite() ... found
checking for pwritev() ... found
checking for strerrordesc_np() ... found
checking for localtime_r() ... found
checking for clock_gettime(CLOCK_MONOTONIC) ... found
checking for posix_memalign() ... found
checking for memalign() ... found
checking for mmap(MAP_ANON|MAP_SHARED) ... found
checking for mmap("/dev/zero", MAP_SHARED) ... found
checking for System V shared memory ... found
checking for POSIX semaphores ... found
checking for struct msghdr.msg_control ... found
checking for ioctl(FIONBIO) ... found
checking for ioctl(FIONREAD) ... found
checking for struct tm.tm_gmtoff ... found
checking for struct dirent.d_namlen ... not found
checking for struct dirent.d_type ... found
checking for sysconf(_SC_NPROCESSORS_ONLN) ... found
checking for sysconf(_SC_LEVEL1_DCACHE_LINESIZE) ... found
checking for openat(), fstatat() ... found
checking for getaddrinfo() ... found
configuring additional modules
adding module in /var/tmp/portage/www-servers/nginx-1.27.0/work/ngx_http_auth_pam_module-1.5.2
 + ngx_http_auth_pam_module was configured
adding module in /var/tmp/portage/www-servers/nginx-1.27.0/work/naxsi-4140b2ded624eb36f04c783c460379b9403012d0/naxsi_src
 + naxsi was configured
adding module in /var/tmp/portage/www-servers/nginx-1.27.0/work/ModSecurity-nginx-1.0.3
checking for ModSecurity library ... not found
checking for ModSecurity library in /usr/local/modsecurity ... not found
./configure: error: ngx_http_modsecurity_module requires the ModSecurity library.
 * ERROR: www-servers/nginx-1.27.0::gentoo failed (configure phase):
 * configure failed
 *
 * Call stack:
 * ebuild.sh, line 136: Called src_configure
 * environment, line 3631: Called die
 * The specific snippet of code:
 * ./configure --prefix="${EPREFIX}"/usr --conf-path="${EPREFIX}"/etc/${PN}/${PN}.conf --error-log-path="${EPREFIX}"/var/log/${PN}/error_log --pid-path="${EPREFIX}"/run/${PN}.pid --lock-path="${EPREFIX}"/run/lock/${PN}.lock --with-cc-opt="-I${ESYSROOT}/usr/include" --with-ld-opt="-L${ESYSROOT}/usr/$(get_libdir)" --http-log-path="${EPREFIX}"/var/log/${PN}/access_log --http-client-body-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/client --http-proxy-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/proxy --http-fastcgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/fastcgi --http-scgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/scgi --http-uwsgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/uwsgi --with-compat "${myconf[@]}" || die "configure failed";
 *
 * If you need support, post the output of `emerge --info '=www-servers/nginx-1.27.0::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=www-servers/nginx-1.27.0::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/www-servers/nginx-1.27.0/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/www-servers/nginx-1.27.0/temp/environment'.
 * Working directory: '/var/tmp/portage/www-servers/nginx-1.27.0/work/nginx-1.27.0'
 * S: '/var/tmp/portage/www-servers/nginx-1.27.0/work/nginx-1.27.0'

>>> Failed to emerge www-servers/nginx-1.27.0, Log file:

>>> '/var/tmp/portage/www-servers/nginx-1.27.0/temp/build.log'

 * Messages for package www-servers/nginx-1.27.0:

 * ERROR: www-servers/nginx-1.27.0::gentoo failed (configure phase):
 * configure failed
 *
 * Call stack:
 * ebuild.sh, line 136: Called src_configure
 * environment, line 3631: Called die
 * The specific snippet of code:
 * ./configure --prefix="${EPREFIX}"/usr --conf-path="${EPREFIX}"/etc/${PN}/${PN}.conf --error-log-path="${EPREFIX}"/var/log/${PN}/error_log --pid-path="${EPREFIX}"/run/${PN}.pid --lock-path="${EPREFIX}"/run/lock/${PN}.lock --with-cc-opt="-I${ESYSROOT}/usr/include" --with-ld-opt="-L${ESYSROOT}/usr/$(get_libdir)" --http-log-path="${EPREFIX}"/var/log/${PN}/access_log --http-client-body-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/client --http-proxy-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/proxy --http-fastcgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/fastcgi --http-scgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/scgi --http-uwsgi-temp-path="${EPREFIX}${NGINX_HOME_TMP}"/uwsgi --with-compat "${myconf[@]}" || die "configure failed";
 *
 * If you need support, post the output of `emerge --info '=www-servers/nginx-1.27.0::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=www-servers/nginx-1.27.0::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/www-servers/nginx-1.27.0/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/www-servers/nginx-1.27.0/temp/environment'.
 * Working directory: '/var/tmp/portage/www-servers/nginx-1.27.0/work/nginx-1.27.0'
 * S: '/var/tmp/portage/www-servers/nginx-1.27.0/work/nginx-1.27.0'

The problem is that the configure script of the ModSecurity plugin for nginx has a known issue and is producing an error:

----------------------------------------
checking for ModSecurity library

objs/autotest.c: In function 'main':
objs/autotest.c:7:5: error: implicit declaration of function 'printf' [-Wimplicit-function-declaration]
    7 |     printf("hello");;
      |     ^~~~~~
objs/autotest.c:5:1: note: include '<stdio.h>' or provide a declaration of 'printf'
    4 | #include <modsecurity/modsecurity.h>
  +++ |+#include <stdio.h>
    5 |
objs/autotest.c:7:5: warning: incompatible implicit declaration of built-in function 'printf' [-Wbuiltin-declaration-mismatch]
    7 |     printf("hello");;
      |     ^~~~~~
objs/autotest.c:7:5: note: include '<stdio.h>' or provide a declaration of 'printf'
----------

#include <sys/types.h>
#include <unistd.h>
#include <modsecurity/modsecurity.h>

int main(void) {
    printf("hello");;
    return 0;
}

----------
x86_64-pc-linux-gnu-gcc -march=native -O2 -pipe -I/usr/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/usr/lib64 -lmodsecurity
----------

----------------------------------------
checking for ModSecurity library in /usr/local/modsecurity

objs/autotest.c: In function 'main':
objs/autotest.c:7:5: error: implicit declaration of function 'printf' [-Wimplicit-function-declaration]
    7 |     printf("hello");;
      |     ^~~~~~
objs/autotest.c:5:1: note: include '<stdio.h>' or provide a declaration of 'printf'
    4 | #include <modsecurity/modsecurity.h>
  +++ |+#include <stdio.h>
    5 |
objs/autotest.c:7:5: warning: incompatible implicit declaration of built-in function 'printf' [-Wbuiltin-declaration-mismatch]
    7 |     printf("hello");;
      |     ^~~~~~
objs/autotest.c:7:5: note: include '<stdio.h>' or provide a declaration of 'printf'
----------

#include <sys/types.h>
#include <unistd.h>
#include <modsecurity/modsecurity.h>

int main(void) {
    printf("hello");;
    return 0;
}

----------
x86_64-pc-linux-gnu-gcc -march=native -O2 -pipe -I/usr/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -I /usr/local/modsecurity/include -o objs/autotest objs/autotest.c -L/usr/lib64 -Wl,-rpath,/usr/local/modsecurity/lib -L/usr/local/modsecurity/lib -lmodsecurity
----------

The issue is documented here:
https://github.com/owasp-modsecurity/ModSecurity-nginx/pull/275

And the patch to fix this issue is here:
https://github.com/owasp-modsecurity/ModSecurity-nginx/pull/275/files

Reproducible: Always

Steps to Reproduce:
1. Enable "security" module for nginx HTTP
2. Emerge either www-servers/nginx-1.26.1 or www-servers/nginx-1.27.0
3. Fail
CFLAGS="-O2 -pipe -g -Wno-everything" emerge -Ov1gk nginx

I had been using this option to ignore the compiler error on warning (previous) for a long time.
(In reply to Zhixu Liu from comment #1)
> CFLAGS="-O2 -pipe -g -Wno-everything" emerge -Ov1gk nginx
>
> I had been using this option to ignore the compiler error on warning
> (previous) for a long time.

That's not a good idea.
Created attachment 896024 [details, diff] Patch for ModSecurity 1.3.0 + gcc 14
Created attachment 896025 [details] Changed ebuild
The error results from the module's nginx configuration tests using printf() without including stdio.h. I'm suspecting gcc 14 being more strict in that regard together with compiler flags maybe. Either way, it's safe and sane to include stdio.h for the feature test.

I'm providing
- the patch itself (syntax made matching to upstream examples)
- a changed ebuild (conditionally using eapply for the patch)

The patched ebuild + file has been tested on ~amd64.
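An added example, not part of the original thread: configure prints only "not found" for a failed feature check, while the log it writes (objs/autoconf.err in the nginx build directory, in the layout quoted in the report) shows whether the library was really absent or the test program itself failed to compile. The function name classify_failed_checks, the sample log and the libexample block are constructed for illustration.

```shell
#!/bin/sh
# Added example: explain why nginx feature checks reported "not found".

# Constructed sample log: the first block is abridged from the report,
# the second (libexample, linker error) is invented for contrast.
sample_log() {
cat <<'EOF'
----------------------------------------
checking for ModSecurity library

objs/autotest.c: In function 'main':
objs/autotest.c:7:5: error: implicit declaration of function 'printf' [-Wimplicit-function-declaration]
----------
x86_64-pc-linux-gnu-gcc -o objs/autotest objs/autotest.c -lmodsecurity
----------
----------------------------------------
checking for libexample

ld: cannot find -lexample: No such file or directory
----------
x86_64-pc-linux-gnu-gcc -o objs/autotest objs/autotest.c -lexample
----------
EOF
}

# Reads a feature-test log on stdin and prints "<check>: <cause>" for each
# failed check, using the first compiler or linker error in its block.
classify_failed_checks() {
    awk '
        function emit() { if (name != "" && cause != "") print name ": " cause }
        # A long dash line opens a new block; the short ones are separators.
        /^-+$/ && length($0) >= 20 { emit(); name = ""; cause = ""; next }
        /^checking for / && name == "" { name = substr($0, 14); next }
        cause != "" { next }
        /error: implicit declaration of function/ {
            fn = $0
            sub(/.*implicit declaration of function [^A-Za-z_]*/, "", fn)
            sub(/[^A-Za-z0-9_].*$/, "", fn)
            cause = "broken test program (" fn " undeclared)"
        }
        /cannot find -l/ { cause = "library missing" }
        END { emit() }
    '
}
```

Run it as `classify_failed_checks < objs/autoconf.err`; a "broken test program" result means the fix belongs in the module's feature test, not in the library installation or in warning-suppressing CFLAGS.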
Upstream bug report: https://github.com/owasp-modsecurity/ModSecurity-nginx/issues/325
(In reply to Sam James from comment #2)
> (In reply to Zhixu Liu from comment #1)
> > CFLAGS="-O2 -pipe -g -Wno-everything" emerge -Ov1gk nginx
> >
> > I had been using this option to ignore the compiler error on warning
> > (previous) for a long time.
>
> That's not a good idea.

I don't 100% agree, the reason is:

1. The code compiled fine w/ the old compiler and failed because newer compilers (especially clang) have more restrictive checks. I have been faced with many such kinds of problems (package compile failed) since switching the compiler to clang, but no problem when using gcc.

2. In general, this is an issue that should be handled in the development stage, not a runtime issue (not 100%), since the code should have been running and tested w/ the older compiler.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e98d8ef5572fae7d42e80acbb2464e70eb0ab5e7

commit e98d8ef5572fae7d42e80acbb2464e70eb0ab5e7
Author:     Z. Liu <zhixu.liu@gmail.com>
AuthorDate: 2024-08-30 09:19:56 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-02 02:54:28 +0000

    www-servers/nginx: add patch for http_security from upstream

    see https://github.com/owasp-modsecurity/ModSecurity-nginx/commit/7d37ace7431ea9704faa98f29876bcd72ef4b1ff

    Closes: https://bugs.gentoo.org/933598
    Signed-off-by: Z. Liu <zhixu.liu@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/38343
    Signed-off-by: Sam James <sam@gentoo.org>

 .../nginx/files/http_security-nginx-1.26.2.patch   | 26 ++++++++++++++++++++++
 ...inx-1.26.2-r1.ebuild => nginx-1.26.2-r2.ebuild} |  6 +++++
 ...inx-1.27.1-r1.ebuild => nginx-1.27.1-r2.ebuild} |  6 +++++
 3 files changed, 38 insertions(+)