nginx: configuration update

Restructure the main configuration file to simplify custom configuration:
* support inclusion of configuration fragments from subdirectories:
  - /etc/nginx/modules-enabled/*.conf
  - /etc/nginx/conf.d/*.conf
  - /etc/nginx/sites-enabled/*
* default site (port 80):
  - move into /etc/nginx/sites-available/default_server
    and enable via symlink in /etc/nginx/sites-enabled/
  - listen on IPv6
  - drop unneeded example fragments
* configure and enable gzip
* update TLS settings to drop SSLv3 and enable TLSv1.3 for some safer
  defaults
* update remaining bits to follow Debian standard configuration
  62a54a8ba6/debian/conf/nginx.conf
* drop unneeded example configuration bits from /etc/nginx/*.default

These changes, in particular the configuration fragment
support allow to easily customise nginx based on individual
requirements.
In addition, it is now possible for other recipes / packages
to drop fragments into the respective directories in /etc/nginx
without having to meddle with /etc/nginx/nginx.conf

Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

meta-webserver/recipes-httpd/nginx/files/default_server.site

@@ -0,0 +1,14 @@
+# Default server configuration
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    root /var/www/localhost/html;
+
+    index index.html index.htm;
+
+    server_name _;
+
+    # redirect server error pages to the static page /50x.html
+    error_page 500 502 503 504 /50x.html;
+}

meta-webserver/recipes-httpd/nginx/files/nginx.conf

@@ -1,118 +1,47 @@
-
 user  www;
-worker_processes  1;
-
-error_log  /var/log/nginx/error.log;
-#error_log  logs/error.log  notice;
-#error_log  logs/error.log  info;
-
-pid        /run/nginx/nginx.pid;
-
+worker_processes 1;
+pid /run/nginx/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
 
 events {
-    worker_connections  1024;
+    worker_connections 768;
+    # multi_accept on;
 }
 
-
 http {
-    include       mime.types;
+    # Basic Settings
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    # server_tokens off;
+
+    # server_names_hash_bucket_size 64;
+    # server_name_in_redirect off;
+
+    include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
 
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
+    # SSL Settings
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+    ssl_prefer_server_ciphers on;
 
-    access_log  /var/log/nginx/access.log  main;
+    ## Logging
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
 
-    sendfile        on;
-    #tcp_nopush     on;
+    ## Gzip settings
+    gzip  on;
 
-    #keepalive_timeout  0;
-    keepalive_timeout  65;
-
-    #gzip  on;
-
-    server {
-        listen       80;
-        server_name  localhost;
-
-        #charset koi8-r;
-
-        #access_log  logs/host.access.log  main;
-
-        location / {
-            root   /var/www/localhost/html;
-            index  index.html index.htm;
-        }
-
-        #error_page  404              /404.html;
-
-        # redirect server error pages to the static page /50x.html
-        #
-        error_page   500 502 503 504  /50x.html;
-        location = /50x.html {
-            root   /var/www/localhost/html;
-        }
-
-        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
-        #
-        #location ~ \.php$ {
-        #    proxy_pass   http://127.0.0.1;
-        #}
-
-        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
-        #
-        #location ~ \.php$ {
-        #    root           html;
-        #    fastcgi_pass   127.0.0.1:9000;
-        #    fastcgi_index  index.php;
-        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
-        #    include        fastcgi_params;
-        #}
-
-        # deny access to .htaccess files, if Apache's document root
-        # concurs with nginx's one
-        #
-        #location ~ /\.ht {
-        #    deny  all;
-        #}
-    }
-
-
-    # another virtual host using mix of IP-, name-, and port-based configuration
-    #
-    #server {
-    #    listen       8000;
-    #    listen       somename:8080;
-    #    server_name  somename  alias  another.alias;
-
-    #    location / {
-    #        root   html;
-    #        index  index.html index.htm;
-    #    }
-    #}
-
-
-    # HTTPS server
-    #
-    #server {
-    #    listen       443;
-    #    server_name  localhost;
-
-    #    ssl                  on;
-    #    ssl_certificate      cert.pem;
-    #    ssl_certificate_key  cert.key;
-
-    #    ssl_session_timeout  5m;
-
-    #    ssl_protocols  SSLv2 SSLv3 TLSv1;
-    #    ssl_ciphers  HIGH:!aNULL:!MD5;
-    #    ssl_prefer_server_ciphers   on;
-
-    #    location / {
-    #        root   html;
-    #        index  index.html index.htm;
-    #    }
-    #}
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
 
+    ## Virtual Host Configs
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
 }

meta-webserver/recipes-httpd/nginx/nginx.inc

@@ -16,6 +16,7 @@ SRC_URI = " \
     file://nginx-cross.patch \
     file://0001-Allow-the-overriding-of-the-endianness-via-the-confi.patch \
     file://nginx.conf \
+    file://default_server.site \
     file://nginx.init \
     file://nginx-volatile.conf \
     file://nginx.service \
@@ -102,15 +103,28 @@ do_install () {
 
     install -d ${D}${sysconfdir}/nginx
     install -m 0644 ${WORKDIR}/nginx.conf ${D}${sysconfdir}/nginx/nginx.conf
+    sed -i 's,/etc/,${sysconfdir}/,g' ${D}${sysconfdir}/nginx/nginx.conf
     sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/nginx/nginx.conf
     sed -i 's/^user.*/user ${NGINX_USER};/g' ${D}${sysconfdir}/nginx/nginx.conf
+    install -Dm 0644 ${WORKDIR}/default_server.site ${D}${sysconfdir}/nginx/sites-available/default_server
+    sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/nginx/sites-available/default_server
     install -d ${D}${sysconfdir}/nginx/sites-enabled
+    ln -s ../sites-available/default_server ${D}${sysconfdir}/nginx/sites-enabled/
 
     install -d ${D}${sysconfdir}/default/volatiles
     install -m 0644 ${WORKDIR}/nginx-volatile.conf ${D}${sysconfdir}/default/volatiles/99_nginx
     sed -i 's,/var/,${localstatedir}/,g' ${D}${sysconfdir}/default/volatiles/99_nginx
     sed -i 's,@NGINX_USER@,${NGINX_USER},g' ${D}${sysconfdir}/default/volatiles/99_nginx
 
+    # cleanup configuration folder
+    rm ${D}${sysconfdir}/nginx/*.default
+
+    # add additional configuration folders
+    install -d ${D}${sysconfdir}/nginx/modules-available
+    install -d ${D}${sysconfdir}/nginx/modules-enabled
+    install -d ${D}${sysconfdir}/nginx/server-conf.d
+    install -d ${D}${sysconfdir}/nginx/conf.d
+
     if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
         install -d ${D}${systemd_unitdir}/system
         install -m 0644 ${WORKDIR}/nginx.service ${D}${systemd_unitdir}/system/