From bayberry.uninspired694 at aceecat.org Sat Nov 1 22:57:57 2025
From: bayberry.uninspired694 at aceecat.org (bayberry.uninspired694 at aceecat.org)
Date: Sat, 1 Nov 2025 15:57:57 -0700
Subject: OpenSSL related build failures
Message-ID:

Hello friends,

trying to build freenginx 1.19.2 from source, I get the following errors:

cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
    -o objs/src/event/ngx_event_openssl.o \
    src/event/ngx_event_openssl.c
src/event/ngx_event_openssl.c: In function ‘ngx_ssl_load_certificate_key’:
src/event/ngx_event_openssl.c:729:9: error: ‘ENGINE_by_id’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  729 |         engine = ENGINE_by_id((char *) p);
      |         ^~~~~~
In file included from src/event/ngx_event_openssl.h:22,
                 from src/core/ngx_core.h:84,
                 from src/event/ngx_event_openssl.c:9:
/usr/include/openssl/engine.h:336:31: note: declared here
  336 | OSSL_DEPRECATEDIN_3_0 ENGINE *ENGINE_by_id(const char *id);
      |                               ^~~~~~~~~~~~
src/event/ngx_event_openssl.c:738:9: error: ‘ENGINE_load_private_key’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  738 |         pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
      |         ^~~~
/usr/include/openssl/engine.h:638:11: note: declared here
  638 | EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
      |           ^~~~~~~~~~~~~~~~~~~~~~~
src/event/ngx_event_openssl.c:742:13: error: ‘ENGINE_free’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  742 |             ENGINE_free(engine);
      |             ^~~~~~~~~~~
/usr/include/openssl/engine.h:493:27: note: declared here
  493 | OSSL_DEPRECATEDIN_3_0 int ENGINE_free(ENGINE *e);
      |                           ^~~~~~~~~~~
src/event/ngx_event_openssl.c:746:9: error: ‘ENGINE_free’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  746 |         ENGINE_free(engine);
      |         ^~~~~~~~~~~
/usr/include/openssl/engine.h:493:27: note: declared here
  493 | OSSL_DEPRECATEDIN_3_0 int ENGINE_free(ENGINE *e);
      |                           ^~~~~~~~~~~
src/event/ngx_event_openssl.c: In function ‘ngx_ssl_dhparam’:
src/event/ngx_event_openssl.c:1345:5: error: ‘PEM_read_bio_DHparams’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
 1345 |     dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
      |     ^~
In file included from /usr/include/openssl/ssl.h:36,
                 from src/event/ngx_event_openssl.h:15:
/usr/include/openssl/pem.h:469:1: note: declared here
  469 | DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, DHparams, DH)
      | ^~~~~~~~~~~~~~~~~~~
src/event/ngx_event_openssl.c:1355:5: error: ‘DH_free’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
 1355 |     DH_free(dh);
      |     ^~~~~~~
In file included from /usr/include/openssl/dsa.h:51,
                 from /usr/include/openssl/x509.h:37,
                 from /usr/include/openssl/ssl.h:31:
/usr/include/openssl/dh.h:204:28: note: declared here
  204 | OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
      |                            ^~~~~~~
src/event/ngx_event_openssl.c: In function ‘ngx_ssl_error’:
src/event/ngx_event_openssl.c:3100:13: error: ‘ERR_peek_error_line_data’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
 3100 |             n = ERR_peek_error_line_data(NULL, NULL, &data, &flags);
      |             ^
In file included from src/event/ngx_event_openssl.h:16:
/usr/include/openssl/err.h:437:15: note: declared here
  437 | unsigned long ERR_peek_error_line_data(const char **file, int *line,
      |               ^~~~~~~~~~~~~~~~~~~~~~~~
src/event/ngx_event_openssl.c: In function ‘ngx_ssl_session_ticket_key_callback’:
src/event/ngx_event_openssl.c:4010:9: error: ‘HMAC_Init_ex’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
 4010 |         if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
      |         ^~
In file included from /usr/include/openssl/ssl.h:37:
/usr/include/openssl/hmac.h:43:27: note: declared here
   43 | OSSL_DEPRECATEDIN_3_0 int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
      |                           ^~~~~~~~~~~~
src/event/ngx_event_openssl.c:4054:9: error: ‘HMAC_Init_ex’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
 4054 |         if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) {
      |         ^~
/usr/include/openssl/hmac.h:43:27: note: declared here
   43 | OSSL_DEPRECATEDIN_3_0 int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
      |                           ^~~~~~~~~~~~
src/event/ngx_event_openssl.c: In function ‘ngx_openssl_engine’:
src/event/ngx_event_openssl.c:5188:5: error: ‘ENGINE_by_id’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
 5188 |     engine = ENGINE_by_id((char *) value[1].data);
      |     ^~~~~~
/usr/include/openssl/engine.h:336:31: note: declared here
  336 | OSSL_DEPRECATEDIN_3_0 ENGINE *ENGINE_by_id(const char *id);
      |                               ^~~~~~~~~~~~
src/event/ngx_event_openssl.c:5196:5: error: ‘ENGINE_set_default’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
 5196 |     if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) {
      |     ^~
/usr/include/openssl/engine.h:708:27: note: declared here
  708 | OSSL_DEPRECATEDIN_3_0 int ENGINE_set_default(ENGINE *e, unsigned int flags);
      |                           ^~~~~~~~~~~~~~~~~~
src/event/ngx_event_openssl.c:5201:9: error: ‘ENGINE_free’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
 5201 |         ENGINE_free(engine);
      |         ^~~~~~~~~~~
/usr/include/openssl/engine.h:493:27: note: declared here
  493 | OSSL_DEPRECATEDIN_3_0 int ENGINE_free(ENGINE *e);
      |                           ^~~~~~~~~~~
src/event/ngx_event_openssl.c:5206:5: error: ‘ENGINE_free’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
 5206 |     ENGINE_free(engine);
      |     ^~~~~~~~~~~
/usr/include/openssl/engine.h:493:27: note: declared here
  493 | OSSL_DEPRECATEDIN_3_0 int ENGINE_free(ENGINE *e);
      |                           ^~~~~~~~~~~
cc1: all warnings being treated as errors
make[1]: *** [objs/Makefile:848: objs/src/event/ngx_event_openssl.o] Error 1
make[1]: Leaving directory '/var/local/git/nginx'
make: *** [Makefile:8: build] Error 2

relevant environmental info:

# dpkg --status libssl-dev
Version: 3.0.17-1~deb12u3
# dpkg --status gcc
Version: 4:12.2.0-3

(edited for clarity)

and this is how I run configure:

/var/local/git/nginx/auto/configure \
    --prefix=/usr/local \
    --conf-path=/usr/local/etc/nginx/nginx.conf \
    --error-log-path=/var/spool/nginx/log/error.log \
    --pid-path=/var/spool/nginx/pid \
    --lock-path=/var/spool/nginx/lock \
    --user=www-data \
    --group=www-data \
    --with-http_ssl_module \
    --with-http_gunzip_module \
    --with-http_auth_request_module \
    --with-http_dav_module \
    --http-log-path=/var/spool/nginx/access.log \
    --http-client-body-temp-path=/var/spool/nginx/body \
    --http-proxy-temp-path=/var/spool/nginx/proxy \
    --http-fastcgi-temp-path=/var/spool/nginx/fastcgi \
    --http-uwsgi-temp-path=/var/spool/nginx/uwsgi \
    --http-scgi-temp-path=/var/spool/nginx/scgi

help?

-- 
Ian

From mdounin at mdounin.ru Sun Nov 2 01:47:42 2025
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Sun, 2 Nov 2025 04:47:42 +0300
Subject: OpenSSL related build failures
In-Reply-To:
References:
Message-ID:

Hello!

(Cc'd as you don't seem to be subscribed to the mailing list.)

On Sat, Nov 01, 2025 at 03:57:57PM -0700, bayberry.uninspired694 at aceecat.org wrote:

> trying to build freenginx 1.19.2 from source, I get the following errors:

Current version is freenginx 1.29.2, not 1.19.2. Building with
OpenSSL 3.0 should work fine starting with nginx 1.21.2:

Changes with nginx 1.21.2                                        31 Aug 2021

...

    *) Feature: OpenSSL 3.0 compatibility.

...

> cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
>     -o objs/src/event/ngx_event_openssl.o \
>     src/event/ngx_event_openssl.c
> src/event/ngx_event_openssl.c: In function ‘ngx_ssl_load_certificate_key’:
> src/event/ngx_event_openssl.c:729:9: error: ‘ENGINE_by_id’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
>   729 |         engine = ENGINE_by_id((char *) p);
>       |         ^~~~~~

If you really need to build 1.19.2, an obvious fix would be to use

./configure --with-cc-opt="-Wno-error"

so warnings like this won't be fatal.

Hope this helps.

[...]

-- 
Maxim Dounin
http://mdounin.ru/

From bayberry.uninspired694 at aceecat.org Sun Nov 2 02:19:57 2025
From: bayberry.uninspired694 at aceecat.org (bayberry.uninspired694 at aceecat.org)
Date: Sat, 1 Nov 2025 19:19:57 -0700
Subject: OpenSSL related build failures
In-Reply-To:
References:
Message-ID:

On Sun, Nov 02, 2025 at 04:47:42AM +0300, Maxim Dounin wrote:

> Current version is freenginx 1.29.2, not 1.19.2. Building with
> OpenSSL 3.0 should work fine starting with nginx 1.21.2:

Yes, totally a user error. Sorry. I knew something was fishy when I
needed to install original PCRE for configure to finish ;-)

-- 
Ian

From mdounin at mdounin.ru Tue Nov 11 13:41:20 2025
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 11 Nov 2025 16:41:20 +0300
Subject: freenginx-1.29.3
Message-ID:

Changes with freenginx 1.29.3                                    11 Nov 2025

    *) Feature: loading of certificates and secret keys from hardware
       tokens with OpenSSL STORE API.

    *) Change: loading of external character entities declared in the
       internal DTD subset is now disabled by default in the
       ngx_http_xslt_filter_module; loading can be enabled with the
       "xml_external_entities" directive.

    *) Bugfix: the ngx_http_xslt_filter_module might try loading of
       external character entities over the network, which might cause
       blocking of the worker process for a significant time.

    *) Bugfix: the "working_directory", "google_perftools_profiles",
       "geoip_country", "geoip_city", "geoip_org", and "xml_entities"
       directives incorrectly handled relative paths.

-- 
Maxim Dounin
http://freenginx.org/

From noloader at gmail.com Tue Nov 11 20:37:55 2025
From: noloader at gmail.com (Jeffrey Walton)
Date: Tue, 11 Nov 2025 15:37:55 -0500
Subject: Add a header globally for all servers
Message-ID:

Hi Everyone,

I'd like to add the nosniff content option to all pages served by
Nginx. When I attempt to set the option:

$ cat /etc/nginx/conf.d/nosniff.conf
# Prevent MIME type sniffing attacks
http {
    add_header X-Content-Type-Options "nosniff" always;
}

It results in:

$ sudo nginx -t
nginx: [emerg] "http" directive is not allowed here in
/etc/nginx/conf.d/nosniff.conf:2
nginx: configuration file /etc/nginx/nginx.conf test failed

I don't want to modify /etc/nginx/nginx.conf since it is owned by the
package, and not me. On upgrade, my changes could/would be lost when
I take the maintainer's version of the conf file.

What should I do to add the nosniff content option to all pages served by Nginx?

Thanks in advance.

From showfom at gmail.com Tue Nov 11 22:31:57 2025
From: showfom at gmail.com (Xiufeng Guo)
Date: Wed, 12 Nov 2025 07:31:57 +0900
Subject: Add a header globally for all servers
In-Reply-To:
References:
Message-ID:

Hi,

1. Don't place it under /etc/nginx/conf.d. You can use a separate
   folder such as /etc/nginx/snippets.

2. Remove the http {} block and only include the following line:

   add_header X-Content-Type-Options "nosniff" always;

3. Then, in each website's configuration file (inside the server {}
   block), add:

   include /etc/nginx/snippets/nosniff.conf;

On Wed, Nov 12, 2025 at 5:38 AM Jeffrey Walton wrote:
>
> Hi Everyone,
>
> I'd like to add the nosniff content option to all pages served by
> Nginx. When I attempt to set the option:
>
> $ cat /etc/nginx/conf.d/nosniff.conf
> # Prevent MIME type sniffing attacks
> http {
>     add_header X-Content-Type-Options "nosniff" always;
> }
>
> It results in:
>
> $ sudo nginx -t
> nginx: [emerg] "http" directive is not allowed here in
> /etc/nginx/conf.d/nosniff.conf:2
> nginx: configuration file /etc/nginx/nginx.conf test failed
>
> I don't want to modify /etc/nginx/nginx.conf since it is owned by the
> package, and not me. On upgrade, my changes could/would be lost when
> I take the maintainer's version of the conf file.
>
> What should I do to add the nosniff content option to all pages served by Nginx?
>
> Thanks in advance.

-- 
Best Regards,
Xiufeng Guo

From osa at freebsd.org.ru Wed Nov 12 13:35:32 2025
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Wed, 12 Nov 2025 16:35:32 +0300
Subject: Add a header globally for all servers
In-Reply-To:
References:
Message-ID:

Hi Jeffrey,

hope you're doing well.

On Tue, Nov 11, 2025 at 03:37:55PM -0500, Jeffrey Walton wrote:
>
> I'd like to add the nosniff content option to all pages served by
> Nginx. When I attempt to set the option:
>
> $ cat /etc/nginx/conf.d/nosniff.conf
> # Prevent MIME type sniffing attacks
> http {
>     add_header X-Content-Type-Options "nosniff" always;
> }
>
> It results in:
>
> $ sudo nginx -t
> nginx: [emerg] "http" directive is not allowed here in
> /etc/nginx/conf.d/nosniff.conf:2
> nginx: configuration file /etc/nginx/nginx.conf test failed
>
> I don't want to modify /etc/nginx/nginx.conf since it is owned by the
> package, and not me. On upgrade, my changes could/would be lost when
> I take the maintainer's version of the conf file.
>
> What should I do to add the nosniff content option to all pages served by Nginx?

My assumptions are the following:

1. the main configuration file, /etc/nginx/nginx.conf, defines
   http { ... } block;
2. the main configuration file, /etc/nginx/nginx.conf, includes
   directive with the "/etc/nginx/conf.d/*.conf" parameter, and that
   leads to including all "*.conf" files;
3. creation of the /etc/nginx/conf.d/nosniff.conf with another
   http { ... } block causes an error and the root cause is two
   http { ... } blocks in the whole nginx configuration file.

Another assumption is this nginx instance is running on a GNU/Linux
operating system, so /etc/nginx/conf.d/default.conf may take place.
One of the tricks might be to zero the last configuration file, but
keep it in place, which prevents an upgrade package process from
recreating it.

Hope that helps.

-- 
Sergey A. Osokin
https://tipi.work/ - modern load balancing solutions
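
Added example, not part of the thread and not written by any of its participants or by the nginx/freenginx project: wherever the nosniff line ends up, nginx's documented add_header inheritance applies, so a block inherits add_header directives from the enclosing level only if it defines none of its own. The Python script below walks merged configuration text (such as the output of `nginx -T`) and lists the server and location blocks whose effective header set lacks X-Content-Type-Options; the sample configuration, host names and function names are constructed for illustration, and include files are assumed to be already merged into the text.

```python
import re

# Constructed sample shaped like merged `nginx -T` output (not from the thread).
SAMPLE = '''
http {
    add_header X-Content-Type-Options "nosniff" always;  # http-level default
    server { server_name a.example; location / { root /srv/a; } }
    server {
        server_name b.example;
        add_header X-Frame-Options "DENY" always;  # discards the inherited set
        location /api/ { proxy_pass http://127.0.0.1:8080; }
        location /static/ {
            add_header Cache-Control "public";
            add_header X-Content-Type-Options "nosniff" always;
        }
    }
}
'''
TOKEN = re.compile(r'#[^\n]*|"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[{};]|[^\s{};"\'#]+')

def parse(tokens, i=0):
    """Return ((directives, children), next_index) for the block starting at i."""
    directives, children, words = [], [], []
    while i < len(tokens) and tokens[i] != "}":
        tok, i = tokens[i], i + 1
        if tok == ";":
            directives.append(words); words = []
        elif tok == "{":
            sub, i = parse(tokens, i)
            children.append((" ".join(words), sub)); words = []
        else:
            words.append(tok)
    return (directives, children), i + 1  # step over the closing brace

def blocks_missing_header(conf, header="X-Content-Type-Options"):
    """List server/location blocks whose effective add_header set lacks header."""
    tokens = [t for t in TOKEN.findall(conf) if not t.startswith("#")]
    missing = []
    def walk(node, name, path, inherited):
        directives, children = node
        args = lambda key: [d[1].strip("\"'") for d in directives if len(d) > 1 and d[0] == key]
        path = path + [" ".join([name] + args("server_name")[:1])]
        own = [h.lower() for h in args("add_header")]
        effective = own or inherited  # local add_header replaces, never merges
        if name.split()[:1] in (["server"], ["location"]) and header.lower() not in effective:
            missing.append(" > ".join(path))
        for child_name, sub in children:
            walk(sub, child_name, path, effective)
    walk(parse(tokens)[0], "main", [], [])
    return missing
```

On the constructed sample it reports server b.example and its /api/ location: the server-level X-Frame-Options line replaces the header inherited from http, and /api/ inherits that reduced set.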