Update to Yunohost 2.5.6 - Nginx (1.10) configuration issues

Hello

I updated my system to Yunohost 2.5.6 (was 2.5.5).
Everything was working fine before the update, but now I have an issue with one package, nginx-extras (that is blocking yunohost update).
I didn’t touch nginx config files, but it seems that every access_by_lua_file parameter fail to pass the config test.
So now nginx server can’t start.

During the update, some change were made to nginx packages, and I chose to keep the old config files. Was it an error ?

Here are the Nginx changes reported:

nginx-common (1.10.2-4) unstable; urgency=medium

Since nginx 1.9.14 Debian has gradually switched to dynamic loadable modules
for all third party modules and core modules that support it. For each
module a new binary package is introduced under the libnginx-mod-* namespace.

The modules are loadable from all nginx flavors (light,full,extras) and are
automatically registered by installing a symlink under
/etc/nginx/modules-enabled/. If you use a modified /etc/nginx/nginx.conf make
sure to include that directory.

– Christos Trochalakis ctrochalakis@debian.org Sun, 22 Jan 2017 12:19:30 +0200

and:

nginx-common (1.10.2-1) unstable; urgency=high

In order to secure nginx against privilege escalation attacks, we are
changing the way log file owners & permissions are handled so that www-data
is not allowed to symlink a logfile. /var/log/nginx is now owned by root:adm
and its permissions are changed to 0755. The package checks for such symlinks
on existing installations and informs the admin using debconf.

That unfortunately may come at a cost in terms of privacy. /var/log/nginx is
now world-readable, and nginx hardcodes permissions of non-existing logs to
0644. On systems running logrotate log files are private after the first
logrotate run, since the new log files are created with 0640 permissions.

– Christos Trochalakis yatiohi@ideopolis.gr Tue, 04 Oct 2016 15:20:33 +0300

Thanks for your help

Hi there,

keeping the old nginx file should be fine.

Can you copy/paste the result of nginx -t ?

It’s something like:

nginx: [emerg] unknown directive “access_by_lua_file” in /etc/nginx/conf.d/mydomain.tld.conf:6
nginx: configuration file /etc/nginx/nginx.conf test failed

If I comment the line, same result for another subdomain.

So I just did an update and dist-upgrade, and I have version 1.6.2 (both nginx and nginx-common) … I have no idea how you ended up with version 1.10.2 for nginx. Are you using backports ?

Strangely, I’ve no backports in my sources.list, but all nginx packages (and some others) are from backports…

You should reinstall nginx packages from stable then, that should fix your bug

Done, and now it raise the same error, but not for access_by_lua_file, it get angry about http2 parameter.

nginx: [emerg] invalid parameter “http2” in /etc/nginx/conf.d/domain.tld.conf:19
nginx: configuration file /etc/nginx/nginx.conf test failed

root@browny:/etc/nginx/conf.d# grep -R http2 . | wc -l
0

No http2 on my YunoHost, have you been playing with the config files? And tried to get a more up to date version of nginx in the backports and rewinding back?

Yes and it was working before this update. I added it in this line: listen 443 ssl http2;

Edit: removing the parameter solve the issue. But I’m wondering why I can’t keep the http2 parameter… (because I have good speed boost thanks to it)
Edit -2: adding `spdy parameter works well.

Ok after some investigation it seems like Nginx >=1.9.5 is needed for http/2 support.
So it sounds like I had a backported version since the beginning. And now version 1.10 is breaking the compatibility with Yunohost in some way.
Well, let’s switch back to spdy protocol, and wait for a future update of debian packages

Next Debian (Stretch) should arrive in a few months (something like 4~6 months) and hopefully it won’t take much time for Yunohost to be compatible with it. Many packages should get an update, including nginx.