Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found

Target

Select target project
  • fornari/ngx_http_voms_module
  • cnafsd/ngx_http_voms_module
2 results
Show changes
Commits on Source (380)
280 additional commits have been omitted to prevent performance issues.
Expand all Hide whitespace changes
Inline Side-by-side
Showing
with 1590 additions and 131 deletions
.clang-format
View file @ 6d052991
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
---
Language: Cpp
# BasedOnStyle: Google
......
.devcontainer/Dockerfile 0 → 100644
View file @ 6d052991
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
FROM almalinux:9
# Allow customization of build user ID and name
ARG USERNAME=vscode
ARG USER_UID=1000
ARG USER_GID=${USER_UID}
COPY library-scripts/*.sh /tmp/library-scripts/
RUN \
sh /tmp/library-scripts/provide-dev-deps.sh && \
sh /tmp/library-scripts/provide-user.sh ${USERNAME} ${USER_UID} ${USER_GID} && \
dnf clean all && rm -rf /var/cache/dnf
USER $USERNAME
.devcontainer/README.md 0 → 100644
View file @ 6d052991
<!--
SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
SPDX-License-Identifier: EUPL-1.2
-->
# `ngx_http_voms_module` for developers
A devcontainer is ready to use for the developers. A set of packages without nginx are already installed.
## How to build and install nginx with or without httpg patch
To build and install the latest stable version of [nginx](http://nginx.org/en/download.html) you have to copy the `nginx.repo` file (it is contained in the `docker` directory) into the `/etc/yum.repos.d/` directory and install nginx with `yum`:
```shell
$ sudo cp docker/nginx.repo /etc/yum.repos.d/
$ sudo yum install -y nginx
```
Otherwise, if you want to build and install the latest stable version of [nginx](http://nginx.org/en/download.html) with the httpg patch, a bash library is ready to use. You can source it and follow the commands below:
```shell
$ source .devcontainer/assets/build-library.sh
$ downloadNginx
$ buildHttpgNginxRPM
$ sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/nginx-*.httpg.x86_64.rpm
```
## How to build and install the `ngx_http_voms_module`
If you want to build and install the `ngx_http_voms_module`, nginx have to be installed in the container (see the previous section). When this requirement is satisfied, you can use the library contained in the `.devcontainer/assets` folder as follows (NOTE: if you have already download nginx source file, you can skip the relative command):
```shell
$ source .devcontainer/assets/build-library.sh
$ downloadNginx
$ buildVomsModuleRPM
$ sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/nginx-module-http-voms-*.x86_64.rpm
```
## How to manage this project
If you want to understand how this project works, start from the CI. Three stages are defined:
### 1. build-rpms
Starting from a clear AlmaLinux 9, we install all the useful packages to compile nginx and to build a rpm package. The bash steps that achieves these results are defined in the `.devcontainer/assets/build-library.sh` file, so you can read that bash script to learn which nginx version we use, how to download it, how to set up the environment and how to build the rpm.
It is important to underline that to build the nginx rpm we use the spec file in the `rpm` repo, that is the official nginx 1.24.0 spec file increased by the HTTPG patch. To build the `ngx_http_voms_module` we have defined an appropriate spec file indeed. The files that are used to build the rpm module are written, called and collocated following the common practices of the nginx modules: a source file is defined in the `src` folder, the `config` and the `config.make` files are in the root project directory.
At the end of this stage, all the useful rpms are saved as job artifacts.
### 2. docker-build-rpms
In this stage we set up a docker image with nginx, the httpg patch and the `ngx_http_voms_module`. To do this, we use a set of scripts in the [`helper-scripts`](https://baltig.infn.it/mw-devel/helper-scripts.git) project.
The dockerfile and all the files needed for its compilation are in the `docker` directory. The image starts from AlmaLinux 9, defines a user and installs a set of useful packages. After that we import the nginx repo file, in this way we can download a lot of packages provided by nginx, including its last stable version. In the end we install the rpm packages that we build in the previous stage and the njs module.
### 3. push-to-dockerhub
In this last stage we push on dockerhub the image that we have builded in the previous stage. Note that this stage is run only when we push something in the master branch.
.devcontainer/assets/build-library.sh 0 → 100644
View file @ 6d052991
#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
downloadNginx() {
# check if ~/rpmbuild exists and is not empty
if [ -d ${HOME}/rpmbuild ] && [ "$(ls -A ${HOME}/rpmbuild)" ]; then
>&2 echo "Error: ${HOME}/rpmbuild already exists and is not empty"
return 1
fi
# set nginx version
if [ -z ${NGINX_VERSION} ]; then
>&2 echo "Error: NGINX_VERSION variable not set"
return 1
fi
elVersion=$(rpmbuild --eval %{rhel})
echo "Downloading nginx version ${NGINX_VERSION} (EL${elVersion})"
src_package_name="nginx-${NGINX_VERSION}.el${elVersion}.ngx.src.rpm"
src_package_url="https://nginx.org/packages/centos/${elVersion}/SRPMS/${src_package_name}"
curl -O ${src_package_url}
rpm -i ${src_package_name}
}
buildHttpgNginxRPM() {
if ! printenv CI_PROJECT_DIR > /dev/null; then
>&2 echo "CI_PROJECT_DIR is not set in the environment, assuming the current working directory '${PWD}'"
export CI_PROJECT_DIR="${PWD}"
fi
sh ${CI_PROJECT_DIR}/rpm/addPatchToNginxSpec.sh
# build rpm
rpmlint ~/rpmbuild/SPECS/nginx.spec
rpmbuild -ba ~/rpmbuild/SPECS/nginx.spec
}
buildVomsModuleRPM() {
if [ -z ${CI_PROJECT_DIR} ]; then
CI_PROJECT_DIR="/workspaces/ngx_http_voms_module"
fi
# set voms modules sources
cd ~/rpmbuild/SOURCES/
mkdir ngx-http-voms-module
cp ${CI_PROJECT_DIR}/config ngx-http-voms-module/
cp ${CI_PROJECT_DIR}/config.make ngx-http-voms-module/
cp -r ${CI_PROJECT_DIR}/src ngx-http-voms-module/
cp ${CI_PROJECT_DIR}/rpm/nginx-module-http-voms.spec ~/rpmbuild/SPECS
# build rpm
rpmlint ~/rpmbuild/SPECS/nginx-module-http-voms.spec
rpmbuild --define "base_version ${VERSION}" --define "nginx_version ${NGINX_VERSION%-*}" -ba ~/rpmbuild/SPECS/nginx-module-http-voms.spec
cd ${CI_PROJECT_DIR}
}
.devcontainer/devcontainer.json 0 → 100644
View file @ 6d052991
// SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
// SPDX-License-Identifier: EUPL-1.2
// For format details, see https://aka.ms/vscode-remote/devcontainer.json or this file's README at:
// https://github.com/microsoft/vscode-dev-containers/tree/v0.159.0/containers/cpp
{
"name": "C++",
"build": {
"dockerfile": "Dockerfile",
},
"runArgs": [
"--cap-add=SYS_PTRACE",
"--security-opt",
"seccomp=unconfined"
],
// Set *default* container specific settings.json values on container create.
"settings": {
"terminal.integrated.defaultProfile.linux": "bash"
},
// Add the IDs of extensions you want installed when the container is created.
"extensions": [
"ms-vscode.cpptools",
],
// Use 'forwardPorts' to make a list of ports inside the container available locally.
// "forwardPorts": [],
// Use 'postCreateCommand' to run commands after the container is created.
//"postCreateCommand": "sudo debuginfo-install -y voms",
// Comment out this line to run as root instead.
"remoteUser": "vscode",
"remoteEnv": {"NGX_HTTP_VOMS_MODULE_ROOT": "${containerWorkspaceFolder}"}
}
.devcontainer/library-scripts/provide-dev-deps.sh 0 → 100644
View file @ 6d052991
#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
set -ex
dnf install -y epel-release
dnf update -y
# https://openresty.org/en/linux-packages.html#centos
curl -o /etc/yum.repos.d/openresty.repo https://openresty.org/package/centos/openresty2.repo
dnf config-manager --set-enabled crb
dnf install -y --setopt=tsflags=nodocs \
boost-devel \
ccache \
file \
gcc-c++ \
gd-devel \
gettext \
git \
lcov \
libxslt-devel \
make \
patch \
pcre2-devel \
perl-Digest-SHA \
perl-ExtUtils-Embed \
perl-Test-Nginx \
procps-ng \
readline-devel \
rpmdevtools \
rpmlint \
sudo \
voms-clients-cpp \
voms-devel \
which \
zlib-devel
.devcontainer/library-scripts/provide-user.sh 0 → 100644
View file @ 6d052991
#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
USERNAME=${1}
USER_UID=${2}
USER_GID=${3}
set -e
if [ "$(id -u)" -ne 0 ]; then
echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
exit 1
fi
groupadd --gid $USER_GID $USERNAME
useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME
chmod 0440 /etc/sudoers.d/$USERNAME
CODESPACES_BASH="$(cat \
<<'EOF'
# Codespaces bash prompt theme
__bash_prompt() {
local userpart='`export XIT=$? \
&& [ ! -z "${GITHUB_USER}" ] && echo -n "\[\033[0;32m\]@${GITHUB_USER} " || echo -n "\[\033[0;32m\]\u " \
&& [ "$XIT" -ne "0" ] && echo -n "\[\033[1;31m\]➜" || echo -n "\[\033[0m\]➜"`'
local gitbranch='`\
export BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null); \
if [ "${BRANCH}" = "HEAD" ]; then \
export BRANCH=$(git describe --contains --all HEAD 2>/dev/null); \
fi; \
if [ "${BRANCH}" != "" ]; then \
echo -n "\[\033[0;36m\](\[\033[1;31m\]${BRANCH}" \
&& if git ls-files --error-unmatch -m --directory --no-empty-directory -o --exclude-standard ":/*" > /dev/null 2>&1; then \
echo -n " \[\033[1;33m\]✗"; \
fi \
&& echo -n "\[\033[0;36m\]) "; \
fi`'
local lightblue='\[\033[1;34m\]'
local removecolor='\[\033[0m\]'
PS1="${userpart} ${lightblue}\w ${gitbranch}${removecolor}\$ "
unset -f __bash_prompt
}
__bash_prompt
EOF
)"
USER_RC_PATH="/home/${USERNAME}"
echo "${CODESPACES_BASH}" >> "${USER_RC_PATH}/.bashrc"
chown ${USERNAME}:${USER_GID} "${USER_RC_PATH}/.bashrc"
echo "Done!"
.gitignore 0 → 100644
View file @ 6d052991
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
.vscode
servroot*
nginx
docker/artifacts
node_modules
t/*
!t/README.md
!t/*.t
!t/setup.sh
!t/conf.d
!t/proxies.d
!t/openssl.conf
!t/socket.js
.gitlab-ci.yml 0 → 100644
View file @ 6d052991
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
variables:
NGINX_VERSION: "1.26.3-1"
calculate-version:
stage: build
image: almalinux:latest
variables:
GIT_STRATEGY: clone
GIT_DEPTH: 0
script:
- |
if [[ -n ${CI_COMMIT_TAG} ]]; then
# In case is a tag, check if the tag matches v<x>.<y>.<z>+<a>.<b>.<c>(-[0-9A-Za-z-]+)?
if [[ ${CI_COMMIT_TAG} =~ ^v([0-9]+\.[0-9]+\.[0-9]+)\+([0-9]+\.[0-9]+\.[0-9]+)(-[[:alnum:]-]+)?$ ]]; then
if [[ -z ${BASH_REMATCH[3]} ]]; then
REPO='stable'
VERSION="${BASH_REMATCH[1]}"
if [[ ${BASH_REMATCH[1]} != ${NGINX_VERSION%-*} ]]; then
echo "NGINX version mismatch between tag (${BASH_REMATCH[1]}) and .gitlab-ci.yml file (${NGINX_VERSION%-*})"
exit 1
fi
if [[ ${BASH_REMATCH[2]} != "$(cat version.txt)" ]]; then
echo "Module version mismatch between tag (${BASH_REMATCH[2]}) and version.txt file ($(cat version.txt))"
exit 1
fi
VERSION="${BASH_REMATCH[1]}+${BASH_REMATCH[2]}"
else
# If the tag includes a "-" is a beta, substitute the first "-" with "~" and any other ones with "_"
REPO='beta'
PRERELEASE=$(echo ${BASH_REMATCH[3]:1} | sed 's/-/_/g')
VERSION="${BASH_REMATCH[1]}+${BASH_REMATCH[2]}~${PRERELEASE}"
fi
fi
else
dnf install -y git
# Use the output of "git describe" to create version dropping the leading "v" and substituting:
# - the last "-" with "."
# - the now last "-" with "^"
# - the first remaining "-" (if any) with "~"
# - all possible remaining "-" with "_"
VERSION=$(git describe --tags --long | sed 's/^v//' | sed -r 's/(.*)-/\1./' | sed -r 's/(.*)-/\1^/' | sed 's/-/~/' | sed 's/-/_/g')
if [[ ${CI_COMMIT_REF_NAME} = "${CI_DEFAULT_BRANCH}" ]]; then
REPO='nightly'
fi
fi
echo "VERSION=${VERSION}" >> build.env
echo "REPO=${REPO}" >> build.env
echo "Version: ${VERSION}"
echo "Repo: ${REPO:-none}"
artifacts:
reports:
dotenv: build.env
build-rpms:
stage: build
needs: ["calculate-version"]
parallel:
matrix:
- EL_VERSION: ["8", "9"]
image: almalinux:${EL_VERSION}
script:
- dnf -y install epel-release
- dnf install -y openssl-devel zlib-devel pcre2-devel make rpmdevtools rpmlint boost-devel voms-devel gcc-c++
- source .devcontainer/assets/build-library.sh
- CI_PROJECT_DIR=$PWD
- downloadNginx
- buildHttpgNginxRPM
- buildVomsModuleRPM
- mkdir artifacts
- cp ~/rpmbuild/SRPMS/* artifacts/
- cp ~/rpmbuild/RPMS/x86_64/* artifacts/
artifacts:
paths:
- artifacts/
build-devcontainer:
stage: build
image: docker:latest
services:
- docker:dind
variables:
IMAGE_TAG: $CI_REGISTRY_IMAGE/devcontainer:$CI_COMMIT_REF_SLUG
script:
- |
cd .devcontainer
echo "$CI_REGISTRY_PASSWORD" | docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
docker build -t $IMAGE_TAG .
docker push $IMAGE_TAG
rules:
- changes:
- .devcontainer/**/*
reuse:
stage: build
image:
name: fsfe/reuse:latest
entrypoint: [""]
script:
- reuse lint
run-tests:
stage: test
image: $CI_REGISTRY_IMAGE/devcontainer:$CI_COMMIT_REF_SLUG
script:
- |
elVersion=$(rpmbuild --eval %{rhel})
sudo dnf install -y artifacts/nginx-*.el${elVersion}.httpg.x86_64.rpm
sudo dnf install -y artifacts/nginx-module-http-voms-*.el${elVersion}.x86_64.rpm
git clone https://baltig.infn.it/mw-devel/helper-scripts.git
PATH=$(pwd)/helper-scripts/x509-scripts/scripts:$PATH
(cd t && ./setup.sh)
prove
upload-rpms:
stage: deploy
image: almalinux:latest
script:
- |
if [[ -n ${REPO} ]]; then
for file in artifacts/*.rpm; do
if [[ ${file} =~ \.el([0-9]+)\. ]]; then
curl --fail --user "${NEXUS_USERNAME}:${NEXUS_PASSWORD}" --upload-file "${file}" https://repo.cloud.cnaf.infn.it/repository/nginx-rpm-${REPO}/redhat${BASH_REMATCH[1]}/
fi
done
fi
docker-image:
stage: deploy
image: docker:latest
services:
- docker:dind
variables:
IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
DOCKERHUB_IMAGE: cnafsd/nginx-httpg-voms
script:
- |
rm ${CI_PROJECT_DIR}/artifacts/*-debuginfo*.rpm
echo "$CI_REGISTRY_PASSWORD" | docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
docker build -t $IMAGE_TAG .
docker push $IMAGE_TAG
if [ "${REPO}" = 'stable' ]; then
echo "$DOCKERHUB_PASSWORD" | docker login -u $DOCKERHUB_USER --password-stdin
# Tag latest
docker image tag $IMAGE_TAG $CI_REGISTRY_IMAGE
docker push $CI_REGISTRY_IMAGE
docker image tag $IMAGE_TAG $DOCKERHUB_IMAGE
docker push $DOCKERHUB_IMAGE
# Commit tag
docker image tag $IMAGE_TAG $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
docker image tag $IMAGE_TAG $DOCKERHUB_IMAGE:$CI_COMMIT_TAG
docker push $DOCKERHUB_IMAGE:$CI_COMMIT_TAG
fi
Dockerfile 0 → 100644
View file @ 6d052991
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
ARG EL_VERSION=9
FROM almalinux:${EL_VERSION}
# https://docs.docker.com/reference/dockerfile/#understand-how-arg-and-from-interact
ARG EL_VERSION
# Allow customization of nginx user ID and name
ARG USERNAME=nginx
ARG USER_UID=1000
ARG USER_GID=${USER_UID}
# install dependencies and create user
RUN dnf update -y && \
dnf install -y epel-release && \
groupadd --gid $USER_GID $USERNAME && \
useradd --uid $USER_UID --gid $USER_GID -m $USERNAME && \
mkdir /pkgs
COPY artifacts/*.rpm /pkgs/
# install nginx httpg + voms and njs dynamic module
COPY <<'EOF' /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF
RUN dnf install -y /pkgs/nginx-*.el${EL_VERSION}.httpg.x86_64.rpm && \
dnf install -y /pkgs/nginx-module-http-voms-*.el${EL_VERSION}.x86_64.rpm && \
dnf install -y nginx-module-njs-$(rpm -q --qf %{VERSION} nginx)* \
&& rm -rf /pkgs \
&& dnf clean all && rm -rf /var/cache/dnf \
&& sed -i '1i load_module modules/ngx_http_voms_module.so;' /etc/nginx/nginx.conf \
# forward request and error logs to docker log collector
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log
STOPSIGNAL SIGQUIT
CMD ["nginx", "-g", "daemon off;"]
LICENSES/EUPL-1.2.txt 0 → 100644
View file @ 6d052991
EUROPEAN UNION PUBLIC LICENCE v. 1.2
EUPL © the European Union 2007, 2016
This European Union Public Licence (the ‘EUPL’) applies to the Work (as defined below) which is provided under the
terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
use is covered by a right of the copyright holder of the Work).
The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
notice immediately following the copyright notice for the Work:
Licensed under the EUPL
or has expressed by any other means his willingness to license under the EUPL.
1.Definitions
In this Licence, the following terms have the following meaning:
— ‘The Licence’:this Licence.
— ‘The Original Work’:the work or software distributed or communicated by the Licensor under this Licence, available
as Source Code and also as Executable Code as the case may be.
— ‘Derivative Works’:the works or software that could be created by the Licensee, based upon the Original Work or
modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
the country mentioned in Article 15.
— ‘The Work’:the Original Work or its Derivative Works.
— ‘The Source Code’:the human-readable form of the Work which is the most convenient for people to study and
modify.
— ‘The Executable Code’:any code which has generally been compiled and which is meant to be interpreted by
a computer as a program.
— ‘The Licensor’:the natural or legal person that distributes or communicates the Work under the Licence.
— ‘Contributor(s)’:any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
the creation of a Derivative Work.
— ‘The Licensee’ or ‘You’:any natural or legal person who makes any usage of the Work under the terms of the
Licence.
— ‘Distribution’ or ‘Communication’:any act of selling, giving, lending, renting, distributing, communicating,
transmitting, or otherwise making available, online or offline, copies of the Work or providing access to its essential
functionalities at the disposal of any other natural or legal person.
2.Scope of the rights granted by the Licence
The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
the duration of copyright vested in the Original Work:
— use the Work in any circumstance and for all usage,
— reproduce the Work,
— modify the Work, and make Derivative Works based upon the Work,
— communicate to the public, including the right to make available or display the Work or copies thereof to the public
and perform publicly, as the case may be, the Work,
— distribute the Work or copies thereof,
— lend and rent the Work or copies thereof,
— sublicense rights in the Work or copies thereof.
Those rights can be exercised on any media, supports and formats, whether now known or later invented, as far as the
applicable law permits so.
In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
by law in order to make effective the licence of the economic rights here above listed.
The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
extent necessary to make use of the rights granted on the Work under this Licence.
3.Communication of the Source Code
The Licensor may provide the Work either in its Source Code form, or as Executable Code. If the Work is provided as
Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
distribute or communicate the Work.
4.Limitations on copyright
Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
exclusive rights of the rights owners in the Work, of the exhaustion of those rights or of other applicable limitations
thereto.
5.Obligations of the Licensee
The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
obligations are the following:
Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices and a copy of the
Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
to carry prominent notices stating that the Work has been modified and the date of modification.
Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
the Original Work is expressly distributed only under this version of the Licence — for example by communicating
‘EUPL v. 1.2 only’. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
Work or Derivative Work that alter or restrict the terms of the Licence.
Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
under the terms of this Compatible Licence. For the sake of this clause, ‘Compatible Licence’ refers to the licences listed
in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
Provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
for as long as the Licensee continues to distribute or communicate the Work.
Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
reproducing the content of the copyright notice.
6.Chain of Authorship
The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each Contributor warrants that the copyright in the modifications he/she brings to the Work are owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
to the Work, under the terms of this Licence.
7.Disclaimer of Warranty
The Work is a work in progress, which is continuously improved by numerous Contributors. It is not a finished work
and may therefore contain defects or ‘bugs’ inherent to this type of development.
For the above reason, the Work is provided under the Licence on an ‘as is’ basis and without warranties of any kind
concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
Licence.
This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
8.Disclaimer of Liability
Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
of data or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
the Licensor will be liable under statutory product liability laws as far such laws apply to the Work.
9.Additional agreements
While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such Contributor by
the fact You have accepted any warranty or additional liability.
10.Acceptance of the Licence
The provisions of this Licence can be accepted by clicking on an icon ‘I agree’ placed under the bottom of a window
displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
and conditions.
Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
or Communication by You of the Work or copies thereof.
11.Information to the public
In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence
and the way it may be accessible, concluded, stored and reproduced by the Licensee.
12.Termination of the Licence
The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
of the Licence.
Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
the Licence, provided such persons remain in full compliance with the Licence.
13.Miscellaneous
Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
Work.
If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
and enforceable.
The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
New versions of the Licence will be published with a unique version number.
All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
advantage of the linguistic version of their choice.
14.Jurisdiction
Without prejudice to specific agreement between parties,
— any litigation resulting from the interpretation of this License, arising between the European Union institutions,
bodies, offices or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
— any litigation arising between other parties and resulting from the interpretation of this License, will be subject to
the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
15.Applicable Law
Without prejudice to specific agreement between parties,
— this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
resides or has his registered office,
— this licence shall be governed by Belgian law if the Licensor has no seat, residence or registered office inside
a European Union Member State.
Appendix
‘Compatible Licences’ according to Article 5 EUPL are:
— GNU General Public License (GPL) v. 2, v. 3
— GNU Affero General Public License (AGPL) v. 3
— Open Software License (OSL) v. 2.1, v. 3.0
— Eclipse Public License (EPL) v. 1.0
— CeCILL v. 2.0, v. 2.1
— Mozilla Public Licence (MPL) v. 2
— GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
— Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
— European Union Public Licence (EUPL) v. 1.1, v. 1.2
— Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
The European Commission may update this Appendix to later versions of the above licences without producing
a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
covered Source Code from exclusive appropriation.
All other changes or additions to this Appendix require the production of a new EUPL version.
README.md
View file @ 6d052991
# ngx_http_voms_module
<!--
SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
SPDX-License-Identifier: EUPL-1.2
-->
# `ngx_http_voms_module`
[![pipeline status](https://baltig.infn.it/cnafsd/ngx_http_voms_module/badges/master/pipeline.svg)](https://baltig.infn.it/cnafsd/ngx_http_voms_module/commits/master)
## Description
_ngx_http_voms_module_ is a module for the [NGINX web server](https://www.nginx.org/) that enables client-side authentication based on X.509 proxies augmented with Attribute Certificates, typically obtained through a [Virtual Organization Membership Service](https://italiangrid.github.io/voms/) (VOMS).
`ngx_http_voms_module` is a module for the [Nginx web server](https://www.nginx.org/) that enables client-side authentication based on X.509 proxy certificates augmented with VOMS Attribute Certificates, typically obtained from a [Virtual Organization Membership Service](https://italiangrid.github.io/voms/) (VOMS) server.
## Installation
The module defines a set of *embedded* variables, whose values are extracted from the first Attribute Certificate found in the certificate chain.
The generic installation instructions are:
### Embedded Variables
The module makes the following embedded variables available for use in an Nginx configuration file:
#### voms_user
The Subject of the End-Entity certificate, used to sign the proxy.
_Example_: ``/C=IT/O=IGI/CN=test0``
#### ssl_client_ee_s_dn
Like `voms_user`, the Subject of the End-Entity certificate. Unlike `voms_user`, it is available even for non-VOMS proxies and is formatted according to RFC 2253.
_Example_: `CN=test0,O=IGI,C=IT`
#### voms_user_ca
The Issuer (Certificate Authority) of the End-Entity certificate.
_Example_: `/C=IT/O=IGI/CN=Test CA`
#### ssl_client_ee_i_dn
Like `voms_user_ca`, the Issuer of the End-Entity certificate. Unlike `voms_user_ca`, it is available even for non-VOMS proxies and is formatted according to RFC 2253.
_Example_: `CN=Test CA,O=IGI,C=IT`
#### voms_fqans
A comma-separated list of Fully Qualified Attribute Names. See [The VOMS Attribute Certificate Format](http://ogf.org/documents/GFD.182.pdf) for more details.
_Example_: `/test.vo/exp1,/test.vo/exp2,/test.vo/exp3/Role=PIPPO`
#### voms_server
The Subject of the VOMS server certificate, used to sign the Attribute Certificate.
_Example_: `/C=IT/O=IGI/CN=voms.example`
$ cd nginx-1.x.y
$ ./configure --add-module=/path/to/ngx_http_voms_module
$ make && make install
#### voms_server_ca
A Docker image is available for use in the context of the StoRM2 project, where the OpenResty distribution is used:
The Issuer (Certificate Authority) of the VOMS server certificate.
$ docker run --rm -it -v /path/to/ngx_http_voms_module:/home/build/ngx_http_voms_module storm2/ngx-voms-build
% cd openresty-1.x.y
% ./configure ${resty_config_options} --add-module=../ngx_http_voms_module
% make && make install
_Example_: `/C=IT/O=IGI/CN=Test CA`
## Variables
#### voms_vo
The module makes the following variables available for use in an NGINX configuration file:
The name of the Virtual Organization (VO) to which the End Entity belongs.
_Example_: `test.vo`
#### voms_server_uri
The hostname and port of the VOMS network service that issued the Attribute Certificate, in the form _hostname_ :_port_.
_Example_: `voms.example:15000`
#### voms_not_before
The date before which the Attribute Certificate is not yet valid, in the form _YYYYMMDDhhmmss_ `Z`.
_Example_: `20180101000000Z`
#### voms_not_after
The date after which the Attribute Certificate is not valid anymore, in the form _YYYYMMDDhhmmss_ `Z`.
_Example_: `20180101120000Z`
#### voms_generic_attributes
A comma-separated list of attributes, each defined by three properties and formatted as `n=`_name_ `v=`_value_ `q=`_qualifier_. The qualifier typically coincides with the name of the VO.
_Example_: `n=nickname v=newland q=test.vo,n=nickname v=giaco q=test.vo`
#### voms_serial
The serial number of the Attribute Certificate in hexadecimal format.
_Example_: `7B`
## Installation
### prerequisites
The software dependencies are listed in the [provide-dev-deps](.devcontainer/library-scripts/provide-dev-deps.sh) script in the `.devcontainer` directory.
The nginx source files are also needed. To download them in `/tmp/nginx-x.y.z` you can execute:
```shell
$ ngxVersion=<version>
$ curl -o /tmp/nginx-$ngxVersion.tar.gz https://nginx.org/download/nginx-$ngxVersion.tar.gz
$ cd /tmp && tar -xzvf /tmp/nginx-$ngxVersion.tar.gz && cd -
```
### Generic installation
The generic installation instructions are:
### voms_fqans
```shell
$ cd /tmp/nginx-x.y.z
$ ./configure --add-module=/path/to/ngx_http_voms_module
$ make && make install
```
A comma-separated list of _Fully Qualified Attribute Names_
### Docker container
### voms_user
A Docker image with nginx and the `ngx_http_voms_module` is available, you can find it [here](https://hub.docker.com/r/cnafsd/nginx-httpg-voms).
### For the developers
A [.devcontainer](.devcontainer) is provided for the developers with all the instructions on how to use it, how to build the rpm module and how to install it.
## Testing
Setup and files to test the *ngx\_http\_voms\_module* are contained in the `t` folder.
Setup and files to test the `ngx_http_voms_module` are contained in the [`t`](t) folder.
REUSE.toml 0 → 100644
View file @ 6d052991
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
version = 1
[[annotations]]
path = ["nginx-httpg_no_delegation.patch", "version.txt", "t/proxies.d/*"]
SPDX-FileCopyrightText = "2018 Istituto Nazionale di Fisica Nucleare"
SPDX-License-Identifier = "EUPL-1.2"
config
View file @ 6d052991
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
ngx_addon_name=ngx_http_voms_module
ngx_module_type=HTTP
ngx_addon_name=voms
ngx_module_name=ngx_http_voms_module
ngx_module_srcs="$ngx_addon_dir/src/ngx_http_voms_module.cpp"
ngx_module_libs="-lvomsapi -lstdc++"
......
config.make 0 → 100644
View file @ 6d052991
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
echo "objs/addon/src/ngx_http_voms_module.o: CFLAGS += -Werror" >> $NGX_MAKEFILE
nginx-httpg_no_delegation.patch 0 → 100644
View file @ 6d052991
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index d9a1dbed..7438816e 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -149,7 +149,13 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
break;
}
- if ((ch < 'A' || ch > 'Z') && ch != '_' && ch != '-') {
+ if (ch == '0') {
+ // httpg with no delegation
+ // eat the character and continue with the rest of the request
+ ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "httpg request w/o delegation");
+ r->request_start++;
+ // httpg with a delegation request would fail for an unknown method
+ } else if ((ch < 'A' || ch > 'Z') && ch != '_' && ch != '-') {
return NGX_HTTP_PARSE_INVALID_METHOD;
}
rpm/addPatchToNginxSpec.sh 0 → 100755
View file @ 6d052991
#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
set -ex
# Add the httpg patch
# Set the nginx spec file with the httpg patch
PATCH_NAME="nginx-httpg_no_delegation.patch"
SPEC_FILE="${HOME}/rpmbuild/SPECS/nginx.spec"
if grep --extended-regexp --quiet "^Patch.*: $PATCH_NAME" "$SPEC_FILE"; then
>&2 echo "The patch $PATCH_NAME is already included in the spec file $SPEC_FILE"
exit 0
fi
# Copy the patch in the rpmbuild directory
cp ${CI_PROJECT_DIR}/${PATCH_NAME} ~/rpmbuild/SOURCES/
pushd ~/rpmbuild/SOURCES/
# Find the highest existing Patch number in the spec file
LAST_PATCH_NUM=$(grep -oP "^Patch\K[0-9]+" $SPEC_FILE | sort -n | tail -1)
if [ -z "$LAST_PATCH_NUM" ]; then
# There are no existing patches: find the highest Source number in the spec file
LAST_SOURCE_NUM=$(grep -oP "^Source\K[0-9]+" $SPEC_FILE | sort -n | tail -1)
# Add the patch to the spec file after the last Source
sed -i.backup "/^Source${LAST_SOURCE_NUM}/a Patch0: ${PATCH_NAME}" "${SPEC_FILE}"
else
# Add the new patch to the spec file after the last Patch
sed -i.backup "/^Patch${LAST_PATCH_NUM}/a Patch$((LAST_PATCH_NUM + 1)): ${PATCH_NAME}" "${SPEC_FILE}"
fi
# Add httpg to release
sed -i '/%define base_release/ s/ngx/httpg/' "${SPEC_FILE}"
diff "${SPEC_FILE}.backup" "${SPEC_FILE}" || true
popd
rpm/nginx-module-http-voms.spec 0 → 100644
View file @ 6d052991
# SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
#
# SPDX-License-Identifier: EUPL-1.2
# Remember to define the base_version and nginx_version macros
%{!?base_version: %global base_version 0.0.0}
%{!?nginx_version: %global nginx_version 1.26.3}
%define nginx_user nginx
%define nginx_group nginx
%define bdir %{_builddir}/%{name}-%{base_version}
Name: nginx-module-http-voms
Version: %{base_version}
Release: 1%{?dist}
Summary: nginx http voms dynamic modules
License: EUPL-1.2
URL: https://baltig.infn.it/cnafsd/ngx_http_voms_module
Source0: https://nginx.org/download/nginx-%{nginx_version}.tar.gz
Source1: ngx-http-voms-module
BuildRequires: gcc, make
BuildRequires: voms-devel
BuildRequires: boost-devel
BuildRequires: openssl-devel
BuildRequires: zlib-devel
BuildRequires: pcre2-devel
Requires: nginx-r%{nginx_version}
Requires: zlib
Requires: openssl
Requires: pcre2
Requires: voms
%description
nginx http voms dynamic modules.
%prep
%setup -qcTn %{name}-%{base_version}
tar --strip-components=1 -zxf %{SOURCE0}
%define CONFIG_PATH %(echo "--prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp")
%define CONFIG_ARGS %(echo "--user=nginx --group=nginx --with-compat --with-http_ssl_module")
%define MODULE_CONFIG_ARGS %(echo "--add-dynamic-module=%SOURCE1")
%build
cd %{bdir}
./configure %{CONFIG_PATH} %{CONFIG_ARGS} %{MODULE_CONFIG_ARGS}
make %{?_smp_mflags} modules
%install
cd %{bdir}
%{__rm} -rf $RPM_BUILD_ROOT
%{__mkdir} -p $RPM_BUILD_ROOT%{_libdir}/nginx/modules
for so in `find %{bdir}/objs/ -maxdepth 2 -type f -name "*.so"`; do
%{__install} -m755 $so \
$RPM_BUILD_ROOT%{_libdir}/nginx/modules/
done
%clean
%{__rm} -rf $RPM_BUILD_ROOT
%files
%{_libdir}/nginx/modules/*
%post
if [ $1 -eq 1 ]; then
cat <<BANNER
----------------------------------------------------------------------
The http voms dynamic modules for nginx have been installed.
To enable these modules, add the following to /etc/nginx/nginx.conf
and reload nginx:
load_module modules/ngx_http_voms_module.so;
Please refer to the modules documentation for further details:
https://baltig.infn.it/cnafsd/ngx_http_voms_module
----------------------------------------------------------------------
BANNER
fi
%changelog
src/ngx_http_voms_module.cpp
View file @ 6d052991
This diff is collapsed.
t/README.md
View file @ 6d052991
# ngx\_http\_voms\_module Testing
<!--
SPDX-FileCopyrightText: 2018 Istituto Nazionale di Fisica Nucleare
## Description
Setup and files to test the *ngx\_http\_voms\_module* are contained in the `t` folder. The [Openresty data-driven testsuite](https://openresty.gitbooks.io/programming-openresty/content/testing/) has been adopted for testing.
SPDX-License-Identifier: EUPL-1.2
-->
### Test fixture setup
# `ngx_http_voms_module` Testing
Proxy certificates are in the `certs` folder:
## Description
* 0.pem: long-lived proxy certificate, without Attribute Certificate (AC);
* 1.pem: long-lived proxy certificate, with an expired AC;
* 2.pem: expired proxy certificate.
Setup and files to test the *ngx_http_voms_module* are contained in the `t` folder. The [Openresty data-driven testsuite](https://openresty.gitbooks.io/programming-openresty/content/testing/) has been adopted for testing.
Proxy certificates are generated using [VOMS client 3.3.0](http://italiangrid.github.io/voms/documentation/voms-clients-guide/3.0.3/).
### Test fixture setup
The following command is used:
All the certificates, proxy certificates, trust-anchors directory, LSC files, etc., needed for the tests are automatically created by the `t/setup.sh` script. It uses utilities contained in the [helper-scripts](https://baltig.infn.it/mw-devel/helper-scripts) repo, in particulare in the `x509-scripts` subdirectory, and the VOMS clients. Certificates and proxies are described in configuration files `t/openssl.conf`, `t/conf.d/*` and `t/proxies.d/*`.
VOMS_CLIENTS_JAVA_OPTIONS="-Dvoms.fake.vo=test.vo -Dvoms.fake=true -Dvoms.fake.aaCert=<path_to_cert>/voms_example.cert.pem -Dvoms.fake.aaKey=<path_to_key>/voms_example.key.pem" voms-proxy-init3 -voms test.vo -cert <path_to_test0>/test0.p12 --valid <validity>
The `helper-scripts` repo needs to be cloned somewhere locally and its X509 scripts made available in the PATH:
*voms\_example.cert.pem* and *voms\_example.ket.pem* can be found in the `certs` folder.
```shell
$ git clone https://baltig.infn.it/mw-devel/helper-scripts.git
$ PATH=$(pwd)/helper-scripts/x509-scripts/scripts:$PATH
```
To perform correctly the VOMS AC validation, a \*.lsc or \*.pem file is needed in `/etc/grid-security/vomsdir`, see [VOMS client 3.3.0 User Guide](http://italiangrid.github.io/voms/documentation/voms-clients-guide/3.0.3/) for further details. An example of *voms.example.lsc* can be found in `vomsdir/test.vo`.
Then, to setup, just run:
Trust-anchors (igi-test-ca.pem) are contained in the `trust-anchors` folder. Nginx server certificate and key (nginx\_voms\_example.cert.pem and nginx\_voms\_example\_key.pem) are in the `certs` folder.
```shell
$ (cd t && ./setup.sh)
```
### Running Tests
To run the tests made available in the `t` folder just type
prove -v
Using the docker image provided to exploit Openresty in the Storm2 project:
cp -r t /tmp
cd /tmp
prove -v
A copy of the `t` folder is needed since the `prove` command creates a directory `servroot` in `t`.
To run the tests made available in `t` just type
```shell
$ prove
```
from `t`'s parent directory.
The `prove` command creates a directory called `servroot` in `t`, so if the `t` folder is accessible read-only, for
example in a docker container, just make a copy somewhere else and run the tests from there:
```shell
cp -r t /tmp
cd /tmp
prove
```
Note: the alert below is unavoidable, but it doesn't affect the tests.
```
[alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
```
### Testing directly the Nginx server
You can reuse the config file `t/servroot/conf/nginx.conf` produced by `test::Nginx`, which contains something like
```
...
http {
...
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
error_log logs/error.log debug;
listen 8443 ssl;
ssl_certificate ../../certs/star_test_example.cert.pem;
ssl_certificate_key ../../certs/star_test_example.key.pem;
ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
ssl_verify_depth 10;
ssl_verify_client on;
location = / {
default_type text/plain;
return 200 "$voms_user";
}
}
...
}
```
You may want to change the configuration so that the log goes to standard output instead of to a log file:
```
server {
error_log /dev/stdout debug;
...
```
Start nginx:
```shell
$ nginx -c conf/nginx.conf -p t/servroot/ -elogs/error.log
```
Modify (as root) `/etc/hosts` so that `nginx-voms.test.example` is an alias for `localhost`:
```
127.0.0.1 localhost nginx-voms.test.example
```
Then run for example `curl`, calling directly the HTTPS endpoint:
```shell
$ curl https://nginx-voms.test.example:8443 --cert t/certs/3.pem --capath t/trust-anchors --cacert t/certs/3.cert.pem
```