Update to Yunohost 2.5.6 - Nginx (1.10) configuration issues

Hello :slight_smile:

I updated my system to Yunohost 2.5.6 (was 2.5.5).
Everything was working fine before the update, but now I have an issue with one package, nginx-extras (that is blocking yunohost update).
I didn’t touch nginx config files, but it seems that every access_by_lua_file parameter fails to pass the config test.
So now nginx server can’t start.

During the update, some changes were made to nginx packages, and I chose to keep the old config files. Was it an error?

Here are the Nginx changes reported:

nginx-common (1.10.2-4) unstable; urgency=medium

Since nginx 1.9.14 Debian has gradually switched to dynamic loadable modules
for all third party modules and core modules that support it. For each
module a new binary package is introduced under the libnginx-mod-* namespace.

The modules are loadable from all nginx flavors (light,full,extras) and are
automatically registered by installing a symlink under
/etc/nginx/modules-enabled/. If you use a modified /etc/nginx/nginx.conf make
sure to include that directory.

– Christos Trochalakis ctrochalakis@debian.org Sun, 22 Jan 2017 12:19:30 +0200


nginx-common (1.10.2-1) unstable; urgency=high

In order to secure nginx against privilege escalation attacks, we are
changing the way log file owners & permissions are handled so that www-data
is not allowed to symlink a logfile. /var/log/nginx is now owned by root:adm
and its permissions are changed to 0755. The package checks for such symlinks
on existing installations and informs the admin using debconf.

That unfortunately may come at a cost in terms of privacy. /var/log/nginx is
now world-readable, and nginx hardcodes permissions of non-existing logs to
0644. On systems running logrotate log files are private after the first
logrotate run, since the new log files are created with 0640 permissions.

– Christos Trochalakis yatiohi@ideopolis.gr Tue, 04 Oct 2016 15:20:33 +0300

Thanks for your help :slight_smile:

Hi there,

keeping the old nginx file should be fine.

Can you copy/paste the result of nginx -t ?

It’s something like:

nginx: [emerg] unknown directive “access_by_lua_file” in /etc/nginx/conf.d/mydomain.tld.conf:6
nginx: configuration file /etc/nginx/nginx.conf test failed

If I comment the line, same result for another subdomain.

So I just did an update and dist-upgrade, and I have version 1.6.2 (both nginx and nginx-common) … I have no idea how you ended up with version 1.10.2 for nginx. Are you using backports ? :confused:

Strangely, I’ve no backports in my sources.list, but all nginx packages (and some others) are from backports…

You should reinstall nginx packages from stable then, that should fix your bug :slight_smile:

Done, and now it raises the same error, but not for access_by_lua_file; it gets angry about the http2 parameter.

nginx: [emerg] invalid parameter “http2” in /etc/nginx/conf.d/domain.tld.conf:19
nginx: configuration file /etc/nginx/nginx.conf test failed

root@browny:/etc/nginx/conf.d# grep -R http2 . | wc -l

No http2 on my YunoHost. Have you been playing with the config files? And did you try to get a more up-to-date version of nginx from the backports and then roll back?

Yes and it was working before this update. I added it in this line: listen 443 ssl http2;

Edit: removing the parameter solves the issue. But I’m wondering why I can’t keep the http2 parameter… (because I get a good speed boost thanks to it)
Edit 2: adding the `spdy` parameter works well.

Ok after some investigation it seems like Nginx >=1.9.5 is needed for http/2 support.
So it sounds like I had a backported version since the beginning. And now version 1.10 is breaking the compatibility with Yunohost in some way.
Well, let’s switch back to spdy protocol, and wait for a future update of debian packages :confused:

Next Debian (Stretch) should arrive in a few months (something like 4~6 months) and hopefully it won’t take much time for Yunohost to be compatible with it. Many packages should get an update, including nginx.
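
The two `nginx -t` failures in this thread can be looked for statically before restarting nginx. The script below is an added example, not code from the thread, YunoHost or Debian: it flags Lua directives when the main config lacks the modules-enabled include the changelog warns about, and `http2` listen parameters on a version below 1.9.5. The function names and finding labels are made up for illustration, and it assumes virtual hosts live in `conf.d` as in the error messages above.

```shell
#!/bin/sh
# Added example: static audit of an nginx config tree.
# Usage: audit_nginx_conf <config_root> <nginx_version>   (version from `nginx -v`)

# True if dotted version $1 >= $2.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$2" ]
}

# Print "file:line" for every line under <root>/conf.d matching regex $2.
# The regexes passed in are anchored so that commented-out lines do not match.
uses() {
    grep -REn "$2" "$1/conf.d" 2>/dev/null | cut -d: -f1,2
}

audit_nginx_conf() {
    root=$1 ver=$2

    # Debian packages since 1.9.14: third-party modules are dynamic and are only
    # loaded when nginx.conf includes /etc/nginx/modules-enabled/.
    if version_ge "$ver" 1.9.14 &&
       ! grep -Eq '^[[:space:]]*include[[:space:]]+[^#]*modules-enabled/' "$root/nginx.conf"
    then
        uses "$root" '^[[:space:]]*[a-z_]+_by_lua(_file|_block)?[[:space:]]' |
            sed 's/^/LUA_MODULE_NOT_LOADED /'
    fi

    # The "http2" parameter of "listen" needs nginx >= 1.9.5.
    if ! version_ge "$ver" 1.9.5; then
        uses "$root" '^[[:space:]]*listen[[:space:]][^#;]*[[:space:]]http2[[:space:];]' |
            sed 's/^/HTTP2_UNSUPPORTED /'
    fi
}

# Run the audit when called with both arguments.
if [ "$#" -eq 2 ]; then
    audit_nginx_conf "$@"
fi
```

An empty result only means these two conditions were not found; `nginx -t` remains the authoritative check.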