Updates

PDowney · web-flow · commit 952f714de8e1 · 2025-10-10T17:58:14.000-04:00
diff --git a/.github/workflows/software-version-check.yml b/.github/workflows/software-version-check.yml
@@ -259,27 +259,27 @@ jobs:
             echo "::warning::Failed to fetch NGINX Cache Purge Module version, keeping current version"
           fi
           
-          # NGINX Dynamic TLS Records Patch
-          echo "::debug::Fetching NGINX Dynamic TLS Records Patch SHA..."
-          LATEST_NGINX_DYN_TLS_PATCH_SHA=$(curl -sL https://github.com/kn007/patch/raw/master/nginx_dynamic_tls_records.patch | sha256sum | awk '{print $1}')
-          echo "::debug::Fetched patch SHA: '$LATEST_NGINX_DYN_TLS_PATCH_SHA'"
+          # NGINX Dynamic TLS Records Patch - Track repository commits
+          echo "::debug::Fetching NGINX Dynamic TLS Records Patch latest commit..."
+          LATEST_NGINX_DYN_TLS_PATCH_COMMIT_SHA=$(curl -sL https://api.github.com/repos/nginx-modules/ngx_http_tls_dyn_size/commits/master | jq -r '.sha')
+          echo "::debug::Fetched commit SHA: '$LATEST_NGINX_DYN_TLS_PATCH_COMMIT_SHA'"
           
-          CURRENT_NGINX_DYN_TLS_PATCH_SHA=$(get_current_version "NGINX_DYN_TLS_PATCH_SHA")
+          CURRENT_NGINX_DYN_TLS_PATCH_COMMIT_SHA=$(get_current_version "NGINX_DYN_TLS_PATCH_COMMIT_SHA")
           
-          if [[ "$CURRENT_NGINX_DYN_TLS_PATCH_SHA" != "$LATEST_NGINX_DYN_TLS_PATCH_SHA" ]]; then
-            sed -i "s/^NGINX_DYN_TLS_PATCH_SHA=\"[^\"]*\"/NGINX_DYN_TLS_PATCH_SHA=\"$LATEST_NGINX_DYN_TLS_PATCH_SHA\"/" enginescript-variables.txt
+          if [[ -n "$LATEST_NGINX_DYN_TLS_PATCH_COMMIT_SHA" && "$LATEST_NGINX_DYN_TLS_PATCH_COMMIT_SHA" != "null" && "$CURRENT_NGINX_DYN_TLS_PATCH_COMMIT_SHA" != "$LATEST_NGINX_DYN_TLS_PATCH_COMMIT_SHA" ]]; then
+            sed -i "s/^NGINX_DYN_TLS_PATCH_COMMIT_SHA=\"[^\"]*\"/NGINX_DYN_TLS_PATCH_COMMIT_SHA=\"$LATEST_NGINX_DYN_TLS_PATCH_COMMIT_SHA\"/" enginescript-variables.txt
             SOFTWARE_VERSIONS_CHANGED=true
-            echo "::notice::NGINX_DYN_TLS_PATCH_SHA update detected: $CURRENT_NGINX_DYN_TLS_PATCH_SHA -> $LATEST_NGINX_DYN_TLS_PATCH_SHA"
+            echo "::notice::NGINX_DYN_TLS_PATCH_COMMIT_SHA update detected: $CURRENT_NGINX_DYN_TLS_PATCH_COMMIT_SHA -> $LATEST_NGINX_DYN_TLS_PATCH_COMMIT_SHA"
             
             # Add to changelog
             if [[ -z "$CHANGELOG_CONTENT" ]]; then
-              CHANGELOG_CONTENT="| NGINX_DYN_TLS_PATCH | ${CURRENT_NGINX_DYN_TLS_PATCH_SHA:0:12}... | **${LATEST_NGINX_DYN_TLS_PATCH_SHA:0:12}...** |"
+              CHANGELOG_CONTENT="| NGINX_DYN_TLS_PATCH | ${CURRENT_NGINX_DYN_TLS_PATCH_COMMIT_SHA:0:7} | **${LATEST_NGINX_DYN_TLS_PATCH_COMMIT_SHA:0:7}** |"
             else
-              CHANGELOG_CONTENT="${CHANGELOG_CONTENT}\n| NGINX_DYN_TLS_PATCH | ${CURRENT_NGINX_DYN_TLS_PATCH_SHA:0:12}... | **${LATEST_NGINX_DYN_TLS_PATCH_SHA:0:12}...** |"
+              CHANGELOG_CONTENT="${CHANGELOG_CONTENT}\n| NGINX_DYN_TLS_PATCH | ${CURRENT_NGINX_DYN_TLS_PATCH_COMMIT_SHA:0:7} | **${LATEST_NGINX_DYN_TLS_PATCH_COMMIT_SHA:0:7}** |"
             fi
           else
-            if [[ -z "$LATEST_NGINX_DYN_TLS_PATCH_SHA" ]]; then
-              echo "::warning::Failed to fetch NGINX Dynamic TLS Records Patch, keeping current SHA"
+            if [[ -z "$LATEST_NGINX_DYN_TLS_PATCH_COMMIT_SHA" || "$LATEST_NGINX_DYN_TLS_PATCH_COMMIT_SHA" == "null" ]]; then
+              echo "::warning::Failed to fetch NGINX Dynamic TLS Records Patch commit SHA, keeping current SHA"
             fi
           fi
           
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,16 @@ Changes are organized by date, with the most recent changes listed first.
 
 - **Static Files Cache Control**: Enhanced cache control headers for static assets
 - **Plugin Installation Options**: Added granular control over WordPress plugin installation
+  - **INSTALL_ENGINESCRIPT_PLUGINS**: New option to control EngineScript custom plugins (Simple WP Optimizer, Simple Site Exporter)
+  - **INSTALL_EXTRA_WP_PLUGINS**: New option to control optional recommended plugins (action-scheduler, app-for-cf, autodescription, etc.)
+  - **Core Plugins Always Installed**: Essential plugins (nginx-helper, redis-cache, flush-opcache, mariadb-health-checks) remain mandatory
+  - **Enhanced Flexibility**: Allows customization while maintaining critical functionality
+
+### 🔄 NGINX PATCH SOURCE UPDATE
+
+- **Dynamic TLS Records Patch Source**: Updated to use nginx-modules/ngx_http_tls_dyn_size repository
+  - **New Source**: Changed from `https://github.com/kn007/patch` to `https://github.com/nginx-modules/ngx_http_tls_dyn_size`
+  - **Documentation**: Updated README.md and patch file comments to reflect the correct upstream source
 
 ## 2025-10-02
 
diff --git a/README.md b/README.md
@@ -225,7 +225,7 @@ Once configured, your uptime monitoring data will automatically appear in the ad
 |NGINX MAINLINE|1.29.1|<https://nginx.org/en/download.html>|
 |NGINX CACHE PURGE|2.5.3|<https://github.com/nginx-modules/ngx_cache_purge>|
 |NGINX HEADERS MORE|0.39|<https://github.com/openresty/headers-more-nginx-module>|
-|NGINX PATCH: Dynamic TLS Records||<https://github.com/kn007/patch>|
+|NGINX PATCH: Dynamic TLS Records||<https://github.com/nginx-modules/ngx_http_tls_dyn_size>|
 |OPENSSL|3.5.2|<https://www.openssl.org/source/>|
 |PCRE2|10.46|<https://github.com/PCRE2Project/pcre2/releases>|
 |ZLIB-Cloudflare||<https://github.com/cloudflare/zlib>|
diff --git a/enginescript-variables.txt b/enginescript-variables.txt
@@ -8,7 +8,7 @@
 # Software Versions
 LIBURING_VER="2.12"
 MARIADB_VER="11.8.3"
-NGINX_DYN_TLS_PATCH_SHA="1eeff69434585b2417e5d5c49e0479c8b22b205192f60b638a5b6c589152c40b"
+NGINX_DYN_TLS_PATCH_COMMIT_SHA="1eeff69434585b2417e5d5c49e0479c8b22b205192f60b638a5b6c589152c40b"
 NGINX_HEADER_VER="0.39"
 NGINX_PURGE_VER="2.5.3"
 NGINX_VER="1.29.1"
diff --git a/patches/nginx/nginx_dyn_tls.patch b/patches/nginx/nginx_dyn_tls.patch
@@ -22,19 +22,22 @@ In case the connection idles for a given amount of time (1s,
 ssl_dyn_rec_timeout), the process repeats itself (i.e. begin sending small
 records again).
 
+Upstream source:
+https://github.com/nginx-modules/ngx_http_tls_dyn_size/blob/master/nginx__dynamic_tls_records_1.29.2+.patch
 
-diff --color -uNr a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
---- a/src/event/ngx_event_openssl.c	2025-04-16 20:01:11.000000000 +0800
-+++ b/src/event/ngx_event_openssl.c	2025-04-17 02:43:15.616511714 +0800
-@@ -1620,6 +1620,7 @@
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index 2b1d107df..88ae40ecc 100644
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -1594,6 +1594,7 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
  
      sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);
      sc->buffer_size = ssl->buffer_size;
 +    sc->dyn_rec = ssl->dyn_rec;
  
      sc->session_ctx = ssl->ctx;
  
-@@ -2591,6 +2592,41 @@
+@@ -2565,6 +2566,41 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
  
      for ( ;; ) {
  
@@ -76,7 +79,7 @@ diff --color -uNr a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.
          while (in && buf->last < buf->end && send < limit) {
              if (in->buf->last_buf || in->buf->flush) {
                  flush = 1;
-@@ -2730,6 +2766,9 @@
+@@ -2704,6 +2740,9 @@ ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size)
  
      if (n > 0) {
  
@@ -86,10 +89,11 @@ diff --color -uNr a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.
          if (c->ssl->saved_read_handler) {
  
              c->read->handler = c->ssl->saved_read_handler;
-diff --color -uNr a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
---- a/src/event/ngx_event_openssl.h	2025-04-16 20:01:11.000000000 +0800
-+++ b/src/event/ngx_event_openssl.h	2025-04-17 02:44:10.578945187 +0800
-@@ -86,6 +86,14 @@
+diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
+index 6d171229c..246413fbb 100644
+--- a/src/event/ngx_event_openssl.h
++++ b/src/event/ngx_event_openssl.h
+@@ -86,10 +86,19 @@
  typedef struct ngx_ssl_ocsp_s   ngx_ssl_ocsp_t;
  
  
@@ -104,27 +108,23 @@ diff --color -uNr a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.
  struct ngx_ssl_s {
      SSL_CTX                    *ctx;
      ngx_log_t                  *log;
-@@ -95,6 +103,8 @@
- 
-     ngx_rbtree_t                staple_rbtree;
-     ngx_rbtree_node_t           staple_sentinel;
-+
+     size_t                      buffer_size;
 +    ngx_ssl_dyn_rec_t           dyn_rec;
- };
  
+     ngx_array_t                 certs;
  
-@@ -133,6 +143,10 @@
-     unsigned                    in_ocsp:1;
+@@ -133,6 +142,10 @@ struct ngx_ssl_connection_s {
      unsigned                    early_preread:1;
      unsigned                    write_blocked:1;
+     unsigned                    sni_accepted:1;
 +
 +    ngx_ssl_dyn_rec_t           dyn_rec;
 +    ngx_msec_t                  dyn_rec_last_write;
 +    ngx_uint_t                  dyn_rec_records_sent;
  };
  
  
-@@ -142,7 +156,7 @@
+@@ -142,7 +155,7 @@ struct ngx_ssl_connection_s {
  #define NGX_SSL_DFLT_BUILTIN_SCACHE  -5
  
  
@@ -133,10 +133,11 @@ diff --color -uNr a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.
  
  typedef struct ngx_ssl_sess_id_s  ngx_ssl_sess_id_t;
  
-diff --color -uNr a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
---- a/src/http/modules/ngx_http_ssl_module.c	2025-04-16 20:01:11.000000000 +0800
-+++ b/src/http/modules/ngx_http_ssl_module.c	2025-04-17 02:43:15.618511766 +0800
-@@ -299,6 +299,41 @@
+diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
+index abc8d49ab..3a614ab9c 100644
+--- a/src/http/modules/ngx_http_ssl_module.c
++++ b/src/http/modules/ngx_http_ssl_module.c
+@@ -290,6 +290,41 @@ static ngx_command_t  ngx_http_ssl_commands[] = {
        offsetof(ngx_http_ssl_srv_conf_t, reject_handshake),
        NULL },
  
@@ -178,7 +179,7 @@ diff --color -uNr a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ng
        ngx_null_command
  };
  
-@@ -639,6 +674,11 @@
+@@ -629,6 +664,11 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
      sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR;
      sscf->stapling = NGX_CONF_UNSET;
      sscf->stapling_verify = NGX_CONF_UNSET;
@@ -190,11 +191,11 @@ diff --color -uNr a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ng
  
      return sscf;
  }
-@@ -705,6 +745,20 @@
+@@ -694,6 +734,20 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
      ngx_conf_merge_str_value(conf->stapling_responder,
                           prev->stapling_responder, "");
  
-+    ngx_conf_merge_value(conf->dyn_rec_enable, prev->dyn_rec_enable, 0);
++   ngx_conf_merge_value(conf->dyn_rec_enable, prev->dyn_rec_enable, 0);
 +    ngx_conf_merge_msec_value(conf->dyn_rec_timeout, prev->dyn_rec_timeout,
 +                             1000);
 +    /* Default sizes for the dynamic record sizes are defined to fit maximal
@@ -211,9 +212,9 @@ diff --color -uNr a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ng
      conf->ssl.log = cf->log;
  
      if (conf->certificates) {
-@@ -905,6 +959,28 @@
-         return NGX_CONF_ERROR;
-     }
+@@ -709,6 +763,28 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
+             return NGX_CONF_ERROR;
+         }
  
 +    if (conf->dyn_rec_enable) {
 +        conf->ssl.dyn_rec.timeout = conf->dyn_rec_timeout;
@@ -237,13 +238,14 @@ diff --color -uNr a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ng
 +        conf->ssl.dyn_rec.timeout = 0;
 +    }
 +
-     return NGX_CONF_OK;
- }
- 
-diff --color -uNr a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h
---- a/src/http/modules/ngx_http_ssl_module.h	2025-04-16 20:01:11.000000000 +0800
-+++ b/src/http/modules/ngx_http_ssl_module.h	2025-04-17 02:43:15.618511766 +0800
-@@ -64,6 +64,12 @@
+     } else if (!conf->reject_handshake) {
+         return NGX_CONF_OK;
+     }
+diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h
+index c69c8ffd2..1d7e63e2b 100644
+--- a/src/http/modules/ngx_http_ssl_module.h
++++ b/src/http/modules/ngx_http_ssl_module.h
+@@ -62,6 +62,12 @@ typedef struct {
      ngx_flag_t                      stapling_verify;
      ngx_str_t                       stapling_file;
      ngx_str_t                       stapling_responder;
@@ -254,3 +256,5 @@ diff --color -uNr a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ng
 +    size_t                          dyn_rec_size_hi;
 +    ngx_uint_t                      dyn_rec_threshold;
  } ngx_http_ssl_srv_conf_t;
+ 
+ 
diff --git a/patches/nginx/nginx_io_uring.patch b/patches/nginx/nginx_io_uring.patch
diff --git a/scripts/install/nginx/nginx-patch.sh b/scripts/install/nginx/nginx-patch.sh
