Override default nginx http configuration without changing default nginx.conf
Or should I completely abandon the idea and rampage the nginx.conf?
Yes, you should.
The only changes that are ever done by package maintainers are either
- more sensible defaults for parameters you should have setup yourself a looong time ago anyway
-
#
-prefixed examples that would not be used without your action anyway
In the past, the only significant changes were ssl_protocols
, ssl_prefer_server_ciphers
and worker_processes
. You should have been overriding those anyway years before setting them in the deb package seemed like a reasonable thing to do for the package maintainers.
In the past, the only real mitigation that could have been shipped with a system-wide nginx.conf, adding max_ranges 1;
for CVE-2017-7529 was not shipped by any distribution i know of, they released the fix for he vulnerability before most admins even applied the mitigation.
You cannot expect package maintainers to be faster than you are in adding potentially breaking changes, thus you will probably not profit from inheriting their config. Package maintainers cannot know whats best for the millions of use cases out there and thus will be extremely conservative in changing values here.
As long as your backup system works properly, its likely still a good idea to keep the config in place, so that apt will ask you during interactive updates how to act upon maintainer changes to the config file.
How do you figure out what changes were applied between different releases? You can compare all (unverified, insecurely downloaded) available package versions like this:
(cd "$(mktemp -d)"; rmadison --url=debian nginx-common | awk '{print $3}' | while read a; do curl "http://ftp.debian.org/debian/pool/main/n/nginx/nginx-common_${a}_all.deb" | dpkg -x - x${a}; done; for a in x*/etc/nginx/nginx.conf; do [ -z "$la" ] && la="$a" && continue; diff -wus "$la" "$a";la="$a" ; done; pwd)