feat: update NGINX version to 1.26.3

.github/workflows/test-core-linux.yml

@@ -76,7 +76,7 @@ jobs:
           curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
           echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
           sudo apt update
-          sudo -E apt install -y nginx=1.26.2-1~noble
+          sudo -E apt install -y nginx=1.26.3-1~noble
       - name: Fix version without a starting number
         if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == '1.5'
         run: echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg

.github/workflows/tests-ui-linux.yml

@@ -76,7 +76,7 @@ jobs:
           curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
           echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
           sudo apt update
-          sudo -E apt install -y nginx=1.26.2-1~noble
+          sudo -E apt install -y nginx=1.26.3-1~noble
       - name: Fix version without a starting number
         if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui' || inputs.RELEASE == '1.5'
         run: echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg

CHANGELOG.md

@@ -7,6 +7,7 @@
 - [AUTOCONF] Increase retry limit and improve stability of Kubernetes watch stream
 - [UI] Add caching for GitHub buttons to improve performance
 - [UI] Fix shenanigans with multiples
+- [DEPS] Updated NGINX version to 1.26.3
 - [DEPS] Updated lua-resty-openssl version to 1.5.2
 
 ## v1.6.0-rc4 - 2025/01/29

docs/integrations.md

@@ -316,13 +316,14 @@ Supported Linux distributions for BunkerWeb (amd64/x86_64 and arm64/aarch64 arch
 - Debian 12 "Bookworm"
 - Ubuntu 22.04 "Jammy"
 - Ubuntu 24.04 "Noble"
+- Fedora 40
 - Fedora 41
 - Red Hat Enterprise Linux (RHEL) 8.9
 - Red Hat Enterprise Linux (RHEL) 9.4
 
 ### Installation using package manager
 
-Please ensure that you have **NGINX 1.26.2 installed before installing BunkerWeb**. For all distributions, except Fedora, it is mandatory to use prebuilt packages from the [official NGINX repository](https://nginx.org/en/linux_packages.html). Compiling NGINX from source or using packages from different repositories will not work with the official prebuilt packages of BunkerWeb. However, you have the option to build BunkerWeb from source.
+Please ensure that you have **NGINX 1.26.3 installed before installing BunkerWeb**. For all distributions, except Fedora, it is mandatory to use prebuilt packages from the [official NGINX repository](https://nginx.org/en/linux_packages.html). Compiling NGINX from source or using packages from different repositories will not work with the official prebuilt packages of BunkerWeb. However, you have the option to build BunkerWeb from source.
 
 === "Debian"
 
@@ -337,11 +338,11 @@ Please ensure that you have **NGINX 1.26.2 installed before installing BunkerWeb
     | sudo tee /etc/apt/sources.list.d/nginx.list
     ```
 
-    You should now be able to install NGINX 1.26.2 :
+    You should now be able to install NGINX 1.26.3 :
 
     ```shell
     sudo apt update && \
-    sudo apt install -y nginx=1.26.2-1~$(lsb_release -cs)
+    sudo apt install -y nginx=1.26.3-1~$(lsb_release -cs)
     ```
 
     !!! warning "Testing/dev version"
@@ -385,11 +386,11 @@ Please ensure that you have **NGINX 1.26.2 installed before installing BunkerWeb
     | sudo tee /etc/apt/sources.list.d/nginx.list
     ```
 
-    You should now be able to install NGINX 1.26.2 :
+    You should now be able to install NGINX 1.26.3 :
 
     ```shell
     sudo apt update && \
-    sudo apt install -y nginx=1.26.2-1~$(lsb_release -cs)
+    sudo apt install -y nginx=1.26.3-1~$(lsb_release -cs)
     ```
 
     !!! warning "Testing/dev version"
@@ -429,10 +430,10 @@ Please ensure that you have **NGINX 1.26.2 installed before installing BunkerWeb
         sudo dnf config-manager --set-enabled updates-testing
         ```
 
-    Fedora already provides NGINX 1.26.2 that we support :
+    Fedora already provides NGINX 1.26.3 that we support :
 
     ```shell
-    sudo dnf install -y nginx-1.26.2
+    sudo dnf install -y nginx-1.26.3
     ```
 
     !!! example "Disable the setup wizard"
@@ -481,10 +482,10 @@ Please ensure that you have **NGINX 1.26.2 installed before installing BunkerWeb
     module_hotfixes=true
     ```
 
-    You should now be able to install NGINX 1.26.2 :
+    You should now be able to install NGINX 1.26.3 :
 
     ```shell
-    sudo dnf install nginx-1.26.2
+    sudo dnf install nginx-1.26.3
     ```
 
     !!! example "Disable the setup wizard"

docs/quickstart-guide.md

@@ -16,7 +16,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.0-rc4
 
 === "Linux"
 
-    Please ensure that you have **NGINX 1.26.2 installed before installing BunkerWeb**. For all distributions, except Fedora, it is mandatory to use prebuilt packages from the [official NGINX repository](https://nginx.org/en/linux_packages.html). Compiling NGINX from source or using packages from different repositories will not work with the official prebuilt packages of BunkerWeb. However, you have the option to build BunkerWeb from source.
+    Please ensure that you have **NGINX 1.26.3 installed before installing BunkerWeb**. For all distributions, except Fedora, it is mandatory to use prebuilt packages from the [official NGINX repository](https://nginx.org/en/linux_packages.html). Compiling NGINX from source or using packages from different repositories will not work with the official prebuilt packages of BunkerWeb. However, you have the option to build BunkerWeb from source.
 
     === "Debian"
 
@@ -31,11 +31,11 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.0-rc4
         | sudo tee /etc/apt/sources.list.d/nginx.list
         ```
 
-        You should now be able to install NGINX 1.26.2 :
+        You should now be able to install NGINX 1.26.3 :
 
         ```shell
         sudo apt update && \
-        sudo apt install -y nginx=1.26.2-1~$(lsb_release -cs)
+        sudo apt install -y nginx=1.26.3-1~$(lsb_release -cs)
         ```
 
         !!! warning "Testing/dev version"
@@ -72,11 +72,11 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.0-rc4
         | sudo tee /etc/apt/sources.list.d/nginx.list
         ```
 
-        You should now be able to install NGINX 1.26.2 :
+        You should now be able to install NGINX 1.26.3 :
 
         ```shell
         sudo apt update && \
-        sudo apt install -y nginx=1.26.2-1~$(lsb_release -cs)
+        sudo apt install -y nginx=1.26.3-1~$(lsb_release -cs)
         ```
 
         !!! warning "Testing/dev version"
@@ -102,10 +102,17 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.0-rc4
 
     === "Fedora"
 
-        Fedora already provides NGINX 1.26.2 that we support :
+        !!! info "Fedora Update Testing"
+            If you can't find the NGINX version listed in the stable repository, you can enable the `updates-testing` repository :
+
+            ```shell
+            sudo dnf config-manager --set-enabled updates-testing
+            ```
+
+        Fedora already provides NGINX 1.26.3 that we support :
 
         ```shell
-        sudo dnf install -y nginx-1.26.2
+        sudo dnf install -y nginx-1.26.3
         ```
 
         And finally install BunkerWeb 1.6.0-rc4 :
@@ -147,10 +154,10 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.0-rc4
         module_hotfixes=true
         ```
 
-        You should now be able to install NGINX 1.26.2 :
+        You should now be able to install NGINX 1.26.3 :
 
         ```shell
-        sudo dnf install nginx-1.26.2
+        sudo dnf install nginx-1.26.3
         ```
 
         And finally install BunkerWeb 1.6.0-rc4 :

src/bw/Dockerfile

@@ -1,4 +1,4 @@
-FROM nginx:1.26.2-alpine-slim@sha256:1d541dc68a99c4da7923e88b8e184f85034804a1ff59ee838a81d83c319267d8 AS builder
+FROM nginx:1.26.3-alpine-slim@sha256:e22e10bd833136245b39ffeb1a0d7c672f5597c18df4c462f327cc44fe0aa7a8 AS builder
 
 # Install temporary requirements for the dependencies
 RUN apk add --no-cache bash autoconf libtool automake geoip-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers musl-dev gd-dev gnupg brotli-dev openssl-dev patch readline-dev yajl yajl-dev yajl-tools py3-pip
@@ -42,7 +42,7 @@ COPY src/common/utils utils
 COPY src/VERSION VERSION
 COPY misc/*.ascii misc/
 
-FROM nginx:1.26.2-alpine-slim@sha256:1d541dc68a99c4da7923e88b8e184f85034804a1ff59ee838a81d83c319267d8
+FROM nginx:1.26.3-alpine-slim@sha256:e22e10bd833136245b39ffeb1a0d7c672f5597c18df4c462f327cc44fe0aa7a8
 
 # Set default umask to prevent huge recursive chmod increasing the final image size
 RUN umask 027
@@ -51,9 +51,7 @@ RUN umask 027
 RUN apk add --no-cache openssl pcre bash python3 yajl geoip libxml2 libgd curl tzdata
 
 # Fix CVEs
-RUN apk add --no-cache "curl>=8.12.0-r0" "libcurl>=8.12.0-r0" # CVE-2025-0167 CVE-2025-0665 CVE-2025-0725
-RUN apk add --no-cache "openssl>=3.3.2-r2" "libssl3>=3.3.2-r2" "libcrypto3>=3.3.2-r2" # CVE-2024-13176 CVE-2024-9143
-RUN apk add --no-cache "pyc>=3.12.9-r0" "python3>=3.12.9-r0" "python3-pyc>=3.12.9-r0" "python3-pycache-pyc0>=3.12.9-r0" # CVE-2025-0938
+# There are no CVEs for the following packages
 
 # Copy dependencies
 COPY --from=builder --chown=0:101 /usr/share/bunkerweb /usr/share/bunkerweb

src/deps/deps.json

@@ -241,9 +241,9 @@
     },
     {
       "id": "nginx",
-      "name": "Nginx v1.26.2",
+      "name": "Nginx v1.26.3",
       "url": "https://github.com/nginx/nginx.git",
-      "commit": "37fe98355461d2f03d73e6a8e82ac4e4cd85d711",
+      "commit": "1be0fb0c9f9bc3489c7b40576efd6afe6b2eccd5",
       "post_install": "rm -r src/deps/src/nginx/docs"
     },
     {

src/deps/src/nginx/.hgtags

@@ -480,3 +480,4 @@ f8134640e8615448205785cf00b0bc810489b495 release-1.25.1
 8618e4d900cc71082fbe7dc72af087937d64faf5 release-1.25.5
 a58202a8c41bf0bd97eef1b946e13105a105520d release-1.26.0
 a63c124e34bcf2d1d1feb8d40ff075103b967c4c release-1.26.1
+e4c5da06073ca24e2ffc5c8f8b8d7833a926356f release-1.26.2

src/deps/src/nginx/LICENSE

@@ -0,0 +1,26 @@
+/* 
+ * Copyright (C) 2002-2021 Igor Sysoev
+ * Copyright (C) 2011-2024 Nginx, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */

src/deps/src/nginx/README

@@ -0,0 +1,3 @@
+
+Documentation is available at http://nginx.org
+

src/deps/src/nginx/auto/lib/libatomic/conf

@@ -7,8 +7,8 @@ if [ $NGX_LIBATOMIC != YES ]; then
 
     have=NGX_HAVE_LIBATOMIC . auto/have
     CORE_INCS="$CORE_INCS $NGX_LIBATOMIC/src"
-    LINK_DEPS="$LINK_DEPS $NGX_LIBATOMIC/src/libatomic_ops.a"
-    CORE_LIBS="$CORE_LIBS $NGX_LIBATOMIC/src/libatomic_ops.a"
+    LINK_DEPS="$LINK_DEPS $NGX_LIBATOMIC/build/lib/libatomic_ops.a"
+    CORE_LIBS="$CORE_LIBS $NGX_LIBATOMIC/build/lib/libatomic_ops.a"
 
 else
 

src/deps/src/nginx/auto/lib/libatomic/make

@@ -3,14 +3,19 @@
 # Copyright (C) Nginx, Inc.
 
 
+    case $NGX_LIBATOMIC in
+        /*) ngx_prefix="$NGX_LIBATOMIC/build" ;;
+        *)  ngx_prefix="$PWD/$NGX_LIBATOMIC/build" ;;
+    esac
+
     cat << END                                            >> $NGX_MAKEFILE
 
-$NGX_LIBATOMIC/src/libatomic_ops.a:	$NGX_LIBATOMIC/Makefile
-	cd $NGX_LIBATOMIC && \$(MAKE)
+$NGX_LIBATOMIC/build/lib/libatomic_ops.a:	$NGX_LIBATOMIC/Makefile
+	cd $NGX_LIBATOMIC && \$(MAKE) && \$(MAKE) install
 
 $NGX_LIBATOMIC/Makefile:	$NGX_MAKEFILE
 	cd $NGX_LIBATOMIC \\
 	&& if [ -f Makefile ]; then \$(MAKE) distclean; fi \\
-	&& ./configure
+	&& ./configure --prefix=$ngx_prefix
 
 END

src/deps/src/nginx/auto/lib/pcre/make

@@ -36,7 +36,8 @@ if [ $PCRE_LIBRARY = PCRE2 ]; then
                        pcre2_valid_utf.c \
                        pcre2_xclass.c"
 
-        ngx_pcre_test="pcre2_convert.c \
+        ngx_pcre_test="pcre2_chkdint.c \
+                       pcre2_convert.c \
                        pcre2_extuni.c \
                        pcre2_find_bracket.c \
                        pcre2_script_run.c \

src/deps/src/nginx/misc/GNUmakefile

@@ -6,7 +6,7 @@ TEMP =		tmp
 
 CC =		cl
 OBJS =		objs.msvc8
-OPENSSL =	openssl-3.0.14
+OPENSSL =	openssl-3.0.15
 ZLIB =		zlib-1.3.1
 PCRE =		pcre2-10.39
 
@@ -15,8 +15,6 @@ release: export
 
 	mv $(TEMP)/$(NGINX)/auto/configure $(TEMP)/$(NGINX)
 
-	mv $(TEMP)/$(NGINX)/docs/text/LICENSE $(TEMP)/$(NGINX)
-	mv $(TEMP)/$(NGINX)/docs/text/README $(TEMP)/$(NGINX)
 	mv $(TEMP)/$(NGINX)/docs/html $(TEMP)/$(NGINX)
 	mv $(TEMP)/$(NGINX)/docs/man $(TEMP)/$(NGINX)
 
@@ -30,12 +28,12 @@ release: export
 
 export:
 	rm -rf $(TEMP)
-	hg archive -X '.hg*' $(TEMP)/$(NGINX)
+	git archive --prefix=$(TEMP)/$(NGINX)/ HEAD | tar -x -f - --exclude '.git*'
 
 
 RELEASE:
-	hg ci -m nginx-$(VER)-RELEASE
-	hg tag -m "release-$(VER) tag" release-$(VER)
+	git commit -m nginx-$(VER)-RELEASE
+	git tag -m "release-$(VER) tag" release-$(VER)
 
 	$(MAKE) -f misc/GNUmakefile release
 
@@ -93,8 +91,8 @@ zip: export
 
 	sed -i '' -e "s/$$/`printf '\r'`/" $(TEMP)/$(NGINX)/conf/*
 
-	mv $(TEMP)/$(NGINX)/docs/text/LICENSE $(TEMP)/$(NGINX)/docs.new
-	mv $(TEMP)/$(NGINX)/docs/text/README $(TEMP)/$(NGINX)/docs.new
+	mv $(TEMP)/$(NGINX)/LICENSE $(TEMP)/$(NGINX)/docs.new
+	mv $(TEMP)/$(NGINX)/README $(TEMP)/$(NGINX)/docs.new
 	mv $(TEMP)/$(NGINX)/docs/html $(TEMP)/$(NGINX)
 
 	rm -r $(TEMP)/$(NGINX)/docs

src/deps/src/nginx/src/core/nginx.h

@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1026002
-#define NGINX_VERSION      "1.26.2"
+#define nginx_version      1026003
+#define NGINX_VERSION      "1.26.3"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #ifdef NGX_BUILD

src/deps/src/nginx/src/event/quic/ngx_event_quic_openssl_compat.c

@@ -391,6 +391,7 @@ SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
 
     wbio = BIO_new(BIO_s_null());
     if (wbio == NULL) {
+        BIO_free(rbio);
         return 0;
     }
 

src/deps/src/nginx/src/event/quic/ngx_event_quic_output.c

@@ -411,7 +411,7 @@ ngx_quic_send_segments(ngx_connection_t *c, u_char *buf, size_t len,
     ngx_memzero(msg_control, sizeof(msg_control));
 
     iov.iov_len = len;
-    iov.iov_base = buf;
+    iov.iov_base = (void *) buf;
 
     msg.msg_iov = &iov;
     msg.msg_iovlen = 1;
@@ -699,7 +699,7 @@ ngx_quic_send(ngx_connection_t *c, u_char *buf, size_t len,
     ngx_memzero(&msg, sizeof(struct msghdr));
 
     iov.iov_len = len;
-    iov.iov_base = buf;
+    iov.iov_base = (void *) buf;
 
     msg.msg_iov = &iov;
     msg.msg_iovlen = 1;