Update to Nginx 1.26, link against system images, strip nginx binary. (#122)

* clean up configure options list handling

* Link against system PCRE

Absolutely no need to compile this ourselves.

Because we have always built a custom libpcre3 (v8.x) and not the more modern PCRE2 (v10.x), we are enforcing usage of the old version for now.

This is to ensure that existing configs with regexes continue to work, as PCRE2 is more aggressive in its pattern validation.

To give a simple example, `/[\w-.]+/` now throws "Compilation failed: invalid range in character class at offset 3", and the `-` needs to be escaped, or moved to the end of the character class.

* Link against system zlib

* various little bash hardenings

* Strip nginx binary

We only need debug symbols in the nginx-debug variant.

Together with the slight improvement from the now system-linked PCRE and zlib, this helps a lot with overall size.

Before:

    % ls -la nginx-heroku-2*.tgz
    -rw-r--r--  1 dzuelke  staff  5638356 May 17 13:50 nginx-heroku-20.tgz
    -rw-r--r--  1 dzuelke  staff  4559004 May 17 13:50 nginx-heroku-22.tgz
    % tar tzvf nginx-heroku-20.tgz
    -rw-r--r--  0 root   root     5349 Feb 21 01:58 ./mime.types
    -rwxr-xr-x  0 root   root  6705408 Feb 21 01:58 ./nginx
    -rwxr-xr-x  0 root   root  6870296 Feb 21 01:58 ./nginx-debug
    % tar tzvf nginx-heroku-22.tgz
    -rw-r--r--  0 root   root     5349 Feb 21 02:00 ./mime.types
    -rwxr-xr-x  0 root   root  4937400 Feb 21 02:00 ./nginx
    -rwxr-xr-x  0 root   root  5094584 Feb 21 02:00 ./nginx-debug

After:

    % ls -la nginx-heroku-2*.tgz
    -rw-r--r--  1 dzuelke  staff  3181649 May 17 13:51 nginx-heroku-20.tgz
    -rw-r--r--  1 dzuelke  staff  2638964 May 17 13:51 nginx-heroku-22.tgz
    % tar tzvf nginx-heroku-20.tgz
    -rw-r--r--  0 root   root     5349 May 17 13:30 ./mime.types
    -rwxr-xr-x  0 root   root   973624 May 17 13:30 ./nginx
    -rwxr-xr-x  0 root   root  6746392 May 17 13:30 ./nginx-debug
    % tar tzvf nginx-heroku-22.tgz
    -rw-r--r--  0 root   root     5349 May 17 13:30 ./mime.types
    -rwxr-xr-x  0 root   root   973592 May 17 13:30 ./nginx
    -rwxr-xr-x  0 root   root  4974032 May 17 13:30 ./nginx-debug

* Update nginx to 1.26.0 (latest stable)

Also update headers-more-nginx-module to the latest 0.37 and pin nginx-uuid4-module to specific commit SHA

Author: dzuelke

changelog.md

@@ -8,7 +8,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changes
 - [heroku-18] Removed
 - Add documentation for migrating from heroku-community/static buildpack
-- Update zlib from 1.2.13 to 1.3.1
+- Link against system libpcre3
+- Link against system zlib
+- Update nginx to 1.26.0
+- Update headers-more-nginx-module to 0.37
 
 ## [1.10] - 2023-06-13
 ### Changes

nginx-heroku-20.tgz

@@ -4,73 +4,68 @@
 # image. More information on the Heroku Stack can be found
 # at https://devcenter.heroku.com/articles/stack
 
-NGINX_VERSION=${NGINX_VERSION-1.25.1}
-PCRE_VERSION=${PCRE_VERSION-8.45}
-HEADERS_MORE_VERSION=${HEADERS_MORE_VERSION-0.34}
-ZLIB_VERSION=${ZLIB_VERSION-1.3.1}
-UUID4_VERSION=${UUID4_VERSION-master}
+# fail hard
+set -o pipefail
+# fail harder
+set -eu
+
+NGINX_VERSION=${NGINX_VERSION-1.26.0}
+HEADERS_MORE_VERSION=${HEADERS_MORE_VERSION-0.37}
+UUID4_VERSION=${UUID4_VERSION-f8f7ff44e6a8c6cf75232ae4b63d011f2f3b34c1}
 
 nginx_tarball_url=https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
-pcre_tarball_url=https://ftp.exim.org/pub/pcre/pcre-${PCRE_VERSION}.tar.gz
 headers_more_nginx_module_url=https://github.com/openresty/headers-more-nginx-module/archive/v${HEADERS_MORE_VERSION}.tar.gz
 uuid4_url=https://github.com/cybozu/nginx-uuid4-module/archive/${UUID4_VERSION}.tar.gz
-zlib_url=http://zlib.net/zlib-${ZLIB_VERSION}.tar.gz
 
 temp_dir=$(mktemp -d /tmp/nginx.XXXXXXXXXX)
 
-cd $temp_dir
-echo "Temp dir: $temp_dir"
+trap popd EXIT
+pushd "$temp_dir"
 
 echo "Downloading $nginx_tarball_url"
-curl -L $nginx_tarball_url | tar xzv
-
-echo "Downloading $pcre_tarball_url"
-(cd nginx-${NGINX_VERSION} && curl -L $pcre_tarball_url | tar xvz )
+curl -sSL "$nginx_tarball_url" | tar xzv
 
 echo "Downloading $headers_more_nginx_module_url"
-(cd nginx-${NGINX_VERSION} && curl -L $headers_more_nginx_module_url | tar xvz )
-
-echo "Downloading $zlib_url"
-(cd nginx-${NGINX_VERSION} && curl -L $zlib_url | tar xvz )
+curl -sSL "$headers_more_nginx_module_url" | tar xvz -C "nginx-${NGINX_VERSION}"
 
 echo "Downloading $uuid4_url"
-(cd nginx-${NGINX_VERSION} && curl -L $uuid4_url | tar xvz )
+curl -sSL "$uuid4_url" | tar xvz -C "nginx-${NGINX_VERSION}"
+
+configure_opts=(
+  --with-pcre
+  --without-pcre2
+  --with-http_gzip_static_module
+  --with-http_realip_module
+  --with-http_ssl_module
+  --add-module="${temp_dir}/nginx-${NGINX_VERSION}/headers-more-nginx-module-${HEADERS_MORE_VERSION}"
+  --add-module="${temp_dir}/nginx-${NGINX_VERSION}/nginx-uuid4-module-${UUID4_VERSION}"
+)
 
 # This will build `nginx`
 (
-  cd nginx-${NGINX_VERSION}
+  cd "nginx-${NGINX_VERSION}"
   ./configure \
-    --with-pcre=pcre-${PCRE_VERSION} \
-    --with-zlib=zlib-${ZLIB_VERSION} \
-    --with-http_gzip_static_module \
-    --with-http_realip_module \
-    --with-http_ssl_module \
     --prefix=/tmp/nginx \
-    --add-module=${temp_dir}/nginx-${NGINX_VERSION}/headers-more-nginx-module-${HEADERS_MORE_VERSION} \
-    --add-module=${temp_dir}/nginx-${NGINX_VERSION}/nginx-uuid4-module-${UUID4_VERSION}
+    "${configure_opts[@]}"
   make install
+  # strip binary (but not the nginx-debug variant further down)
+  find /tmp/nginx -type f \( -executable -o -name '*.a' \) -exec sh -c "file -i '{}' | grep -Eq 'application/x-(archive|(pie-)?executable|sharedlib); charset=binary'" \; -print | xargs strip --strip-unneeded
 )
 
 # This will build `nginx-debug`
 (
-  cd nginx-${NGINX_VERSION}
+  cd "nginx-${NGINX_VERSION}"
   ./configure \
     --with-debug \
-    --with-pcre=pcre-${PCRE_VERSION} \
-    --with-zlib=zlib-${ZLIB_VERSION} \
-    --with-http_gzip_static_module \
-    --with-http_realip_module \
-    --with-http_ssl_module \
     --prefix=/tmp/nginx-debug \
-    --add-module=${temp_dir}/nginx-${NGINX_VERSION}/headers-more-nginx-module-${HEADERS_MORE_VERSION} \
-    --add-module=${temp_dir}/nginx-${NGINX_VERSION}/nginx-uuid4-module-${UUID4_VERSION}
+    "${configure_opts[@]}"
   make install
 )
 
 release_dir=$(mktemp -d /tmp/nginx.XXXXXXXXXX)
 
-cp /tmp/nginx/sbin/nginx $release_dir/nginx
-cp /tmp/nginx-debug/sbin/nginx $release_dir/nginx-debug
-cp /tmp/nginx/conf/mime.types $release_dir/mime.types
-tar -zcvf /tmp/nginx-"${STACK}".tgz -C $release_dir .
-cp /tmp/nginx-"${STACK}".tgz $1
+cp /tmp/nginx/sbin/nginx "$release_dir/nginx"
+cp /tmp/nginx-debug/sbin/nginx "$release_dir/nginx-debug"
+cp /tmp/nginx/conf/mime.types "$release_dir/mime.types"
+tar -zcvf /tmp/nginx-"${STACK}".tgz -C "$release_dir" .
+cp /tmp/nginx-"${STACK}".tgz "$1"