huge refactoring

fix (minor) inconsistences
improve dynamic configuration snippets
2024-07-24 22:47:53 +03:00 · 2024-07-23 22:43:52 +03:00 · 2024-07-23 21:59:49 +03:00
114 changed files with 1103 additions and 518 deletions
--- a/24
+++ b/24
@ -51,7 +51,7 @@ RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
 ## Python cache warmup
 RUN j2cfg-single /usr/local/lib/j2cfg/test.j2 /tmp/test ; \
-    cat /tmp/test ; echo ; \
+    cat /tmp/test ; echo ; echo ; \
    rm -f /tmp/test
 ## Python cache adjustments
@ -99,13 +99,9 @@ RUN apt-install.sh angie ; \
    if [ "${NGX_DEBUG}" = 0 ] ; then \
        rm -fv "$n-debug" ; \
        mv -fv "$n-nodebug" "$n" ; \
        ln -fsv "${n##*/}" "$n-nodebug" ; \
        ln -fsv /bin/false "$n-debug" ; \
    else \
        rm -fv "$n-nodebug" ; \
        mv -fv "$n-debug" "$n" ; \
        ln -fsv "${n##*/}" "$n-debug" ; \
        ln -fsv /bin/false "$n-nodebug" ; \
    fi
 ## preserve snippets from Angie config directory
@ -138,10 +134,11 @@ RUN install -d -o angie -g angie -m 03777 /angie /run/angie ; \
    ## adjust paths in config directory
    cd /etc/angie || exit 1 ; \
    ln -sv /run/angie            run ; \
-    ln -sv /run/angie/lock       lock.d ; \
+    ln -sv /run/angie/load       load ; \
    ln -sv /run/angie/lock       lock ; \
    ln -sv ${ANGIE_MODULES_DIR}  modules.dist ; \
    ## hyper-modular paths:
-    data='conf j2cfg mod modules site snip static' ; \
+    data='autoconf conf j2cfg mod modules site snip static' ; \
    vardata='cache lib log' ; \
    for n in ${data} ; do \
        for d in "$n" "$n.dist" ; do \
@ -152,6 +149,17 @@ RUN install -d -o angie -g angie -m 03777 /angie /run/angie ; \
        ln -sv "/run/angie/$n" "$n.d" ; \
    done
 ## future quirk for angie-module-modsecurity >:)
 RUN n='modsecurity' ; \
    d="/etc/angie/$n" ; \
    ln -sv "/run/angie/$n" "$d.d" ; \
    dpkg-divert --divert "$d.dist" --rename "$d" ; \
    for p in modsecurity.conf unicode.mapping ; do \
        dpkg-divert --divert "$d.dist/$p" --rename "$d/$p" ; \
    done ; \
    p='rules.conf' ; \
    dpkg-divert --divert "$d.dist/$p.dist" --rename "$d/$p"
 VOLUME [ "/run/angie" ]
 COPY /angie/ /etc/angie/
@ -161,7 +169,7 @@ RUN find /etc/angie/ -name .gitkeep -delete ; \
 ## preseed builtin modules list
 RUN x='angie-builtin-modules.sh' ; \
    "$x" ; \
-    chmod a-x "$(which "$x")"
+    rm -fv "$(which "$x")"
 ## misc tools
 RUN apt-install.sh \
--- a/angie/angie.conf
+++ b/angie/angie.conf
@ -1,23 +1,22 @@
 daemon off;
 pid run/angie.pid;
 lock_file lock.d/angie.lock;
 ## almost useless
-include mod.d/core-*.load;
+include load/mod-core-*.conf;
-# mod-http.conf.in
+# mod-http.conf
-# mod-mail.conf.in
+# mod-mail.conf
-# mod-stream.conf.in
+# mod-stream.conf
 include run/mod-*.conf;
 events {
-    include conf.d/core_ev-*.conf;
+    include autoconf.d/core_ev-*.conf;
-    include snip.d/core_ev-*.load;
+    include load/core_ev-*.conf;
 }
-include conf.d/core-*.conf;
+include autoconf.d/core-*.conf;
-include snip.d/core-*.load;
+include load/core-*.conf;
-# ctx-http.conf.in
+# ctx-http.conf
-# ctx-mail.conf.in
+# ctx-mail.conf
-# ctx-stream.conf.in
+# ctx-stream.conf
 include run/ctx-*.conf;
--- a/angie/autoconf.dist/core-error-log.conf
+++ b/angie/autoconf.dist/core-error-log.conf
--- a/angie/autoconf.dist/core-lock-file.conf
+++ b/angie/autoconf.dist/core-lock-file.conf
@ -0,0 +1 @@
 lock_file lock/angie.lock;
--- a/angie/autoconf.dist/core-pcre-jit.conf
+++ b/angie/autoconf.dist/core-pcre-jit.conf
--- a/angie/autoconf.dist/core-user.conf.in
+++ b/angie/autoconf.dist/core-user.conf.in
@ -0,0 +1,3 @@
 ## if container is running in non-privileged mode,
 ## then this file is going to be removed by /image-entry.d/76-adjust-core-user.sh
 user ${NGX_USER} ${NGX_GROUP};
--- a/angie/autoconf.dist/core-worker-env.conf.j2
+++ b/angie/autoconf.dist/core-worker-env.conf.j2
@ -1,15 +1,19 @@
 {#- prologue -#}
 {#- NB: "TZ" is always provided by Angie itself -#}
 {%- set s_vars = ['MALLOC_ARENA_MAX', 'GLIBC_TUNABLES', 'MALLOC_CONF'] -%}
 {%- set c_env = ( j2cfg.core_worker_env or [] ) | any_to_env_dict -%}
 {%- set c_vars = c_env | dict_keys -%}
-{%- set c_vars_preserve = c_env | dict_empty_keys -%}
+{%- set c_vars_passthrough = c_env | dict_empty_keys -%}
 {%- set c_vars_override = c_env | dict_non_empty_keys -%}
-{%- set vars_preserve = ( c_vars_preserve + s_vars ) | uniq | sort -%}
+{%- set vars_passthrough = (env_passthrough + c_vars_passthrough) | uniq | list_intersect(env | dict_keys) -%}
 {#- main part -#}
 ## preserve
-{%- for k in vars_preserve %}
+{%- for k in env_preserve %}
 env {{ k }};
 {%- endfor %}
 ## passthrough
 {%- for k in vars_passthrough %}
 env {{ k }};
 {%- endfor %}
--- a/angie/autoconf.dist/core-worker.conf.j2
+++ b/angie/autoconf.dist/core-worker.conf.j2
@ -0,0 +1,10 @@
 worker_processes {{ env.NGX_WORKER_PROCESSES }};
 {%- if env.NGX_WORKER_CPU_AFFINITY %}
 worker_cpu_affinity {{ env.NGX_WORKER_CPU_AFFINITY }};
 {%- endif %}
 {%- if env.NGX_WORKER_PRIORITY %}
 worker_priority {{ env.NGX_WORKER_PRIORITY }};
 {%- endif %}
 {%- if env.NGX_WORKER_RLIMIT_NOFILE %}
 worker_rlimit_nofile {{ env.NGX_WORKER_RLIMIT_NOFILE }};
 {%- endif %}
--- a/angie/autoconf.dist/core_ev-worker.conf.j2
+++ b/angie/autoconf.dist/core_ev-worker.conf.j2
@ -0,0 +1,7 @@
 worker_connections {{ env.NGX_WORKER_CONNECTIONS }};
 {%- if env.NGX_WORKER_AIO_REQUESTS %}
 worker_aio_requests {{ env.NGX_WORKER_AIO_REQUESTS }};
 {%- endif %}
 {%- if env.NGX_WORKER_PRIORITY %}
 worker_priority {{ env.NGX_WORKER_PRIORITY }};
 {%- endif %}
--- a/angie/autoconf.dist/http-access-log.conf
+++ b/angie/autoconf.dist/http-access-log.conf
--- a/angie/autoconf.dist/http-buffers.conf
+++ b/angie/autoconf.dist/http-buffers.conf
--- a/angie/autoconf.dist/http-max-ranges.conf.j2
+++ b/angie/autoconf.dist/http-max-ranges.conf.j2
@ -0,0 +1,3 @@
 {%- if env.NGX_HTTP_MAX_RANGES %}
 max_ranges {{ env.NGX_HTTP_MAX_RANGES }};
 {%- endif %}
--- a/angie/autoconf.dist/http-mime-types.conf
+++ b/angie/autoconf.dist/http-mime-types.conf
--- a/angie/autoconf.dist/http-webroot.conf.in
+++ b/angie/autoconf.dist/http-webroot.conf.in
@ -0,0 +1 @@
 root ${NGX_HTTP_WEBROOT};
--- a/angie/conf.dist/brotli/buffers.conf
+++ b/angie/conf.dist/brotli/buffers.conf
--- a/angie/conf.dist/brotli/types.conf.j2
+++ b/angie/conf.dist/brotli/types.conf.j2
@ -0,0 +1,9 @@
 {%- set mime_types = j2cfg.brotli_compress_types or j2cfg.compress_types or [] -%}
 {%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
 {%- if mime_types -%}
 brotli_types
 {%- for t in mime_types %}
    {{ t }}
 {%- endfor %}
 ;
 {%- endif -%}
--- a/angie/conf.dist/core-quic-bpf.conf
+++ b/angie/conf.dist/core-quic-bpf.conf
--- a/angie/conf.dist/core-user.conf.in
+++ b/angie/conf.dist/core-user.conf.in
@ -1 +0,0 @@
 user ${NGX_USER} ${NGX_GROUP};
--- a/angie/conf.dist/core-worker.conf.in
+++ b/angie/conf.dist/core-worker.conf.in
@ -1,3 +0,0 @@
 worker_processes ${NGX_WORKER_PROCESSES};
 worker_priority ${NGX_WORKER_PRIORITY};
 worker_rlimit_nofile ${NGX_WORKER_RLIMIT_NOFILE};
--- a/angie/conf.dist/core_ev-accept-mutex-delay.conf
+++ b/angie/conf.dist/core_ev-accept-mutex-delay.conf
--- a/angie/conf.dist/core_ev-accept-mutex.conf
+++ b/angie/conf.dist/core_ev-accept-mutex.conf
--- a/angie/conf.dist/core_ev-multi-accept.conf
+++ b/angie/conf.dist/core_ev-multi-accept.conf
--- a/angie/conf.dist/core_ev-worker.conf.in
+++ b/angie/conf.dist/core_ev-worker.conf.in
@ -1 +0,0 @@
 worker_connections ${NGX_WORKER_CONNECTIONS};
--- a/angie/conf.dist/fastcgi/buffers.conf
+++ b/angie/conf.dist/fastcgi/buffers.conf
@ -0,0 +1,4 @@
 fastcgi_buffers           16  16k;
 fastcgi_buffer_size           16k;
 fastcgi_busy_buffers_size     32k;
 fastcgi_temp_file_write_size  32k;
--- a/angie/conf.dist/fastcgi/headers.conf.j2
+++ b/angie/conf.dist/fastcgi/headers.conf.j2
@ -0,0 +1,13 @@
 ## hide/remove request headers
 {%- set req_hdr_list = j2cfg.fastcgi_remove_request_headers or j2cfg.remove_request_headers or [] -%}
 {%- set req_hdr_list = req_hdr_list | any_to_str_list | as_cgi_header -%}
 {%- for h in req_hdr_list %}
 fastcgi_param  {{ h }}  "";
 {%- endfor %}
 ## hide response headers
 {%- set resp_hdr_list = j2cfg.fastcgi_remove_response_headers or j2cfg.remove_response_headers or [] -%}
 {%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
 {%- for h in resp_hdr_list %}
 fastcgi_hide_header  {{ h }};
 {%- endfor %}
--- a/angie/conf.dist/fastcgi/param.conf
+++ b/angie/conf.dist/fastcgi/param.conf
@ -0,0 +1,7 @@
 include snip.d/fastcgi.conf;
 fastcgi_param  PATH_INFO    $path_info;
 fastcgi_param  AUTH_USER    $remote_user;
 fastcgi_param  REMOTE_USER  $remote_user;
 fastcgi_param  HTTP_HOST    $host;
--- a/angie/conf.dist/grpc/buffers.conf
+++ b/angie/conf.dist/grpc/buffers.conf
@ -0,0 +1 @@
 grpc_buffer_size  16k;
--- a/angie/conf.dist/grpc/headers.conf.j2
+++ b/angie/conf.dist/grpc/headers.conf.j2
@ -0,0 +1,13 @@
 ## hide/remove request headers
 {%- set req_hdr_list = j2cfg.grpc_remove_request_headers or j2cfg.remove_request_headers or [] -%}
 {%- set req_hdr_list = req_hdr_list | any_to_str_list | uniq_str_list -%}
 {%- for h in req_hdr_list %}
 grpc_set_header  {{ h }}  "";
 {%- endfor %}
 ## hide response headers
 {%- set resp_hdr_list = j2cfg.grpc_remove_response_headers or j2cfg.remove_response_headers or [] -%}
 {%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
 {%- for h in resp_hdr_list %}
 grpc_hide_header  {{ h }};
 {%- endfor %}
--- a/angie/conf.dist/gzip/buffers.conf
+++ b/angie/conf.dist/gzip/buffers.conf
--- a/angie/conf.dist/gzip/proxied.conf
+++ b/angie/conf.dist/gzip/proxied.conf
--- a/angie/conf.dist/gzip/types.conf.j2
+++ b/angie/conf.dist/gzip/types.conf.j2
@ -0,0 +1,9 @@
 {%- set mime_types = j2cfg.gzip_compress_types or j2cfg.compress_types or [] -%}
 {%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
 {%- if mime_types -%}
 gzip_types
 {%- for t in mime_types %}
    {{ t }}
 {%- endfor %}
 ;
 {%- endif -%}
--- a/angie/conf.dist/gzip/vary.conf
+++ b/angie/conf.dist/gzip/vary.conf
--- a/angie/conf.dist/http-brotli-static.conf
+++ b/angie/conf.dist/http-brotli-static.conf
--- a/angie/conf.dist/http-brotli.conf
+++ b/angie/conf.dist/http-brotli.conf
@ -0,0 +1,2 @@
 include conf.d/brotli/*.conf;
 brotli on;
--- a/angie/conf.dist/http-fastcgi.conf
+++ b/angie/conf.dist/http-fastcgi.conf
@ -0,0 +1 @@
 include conf.d/fastcgi/*.conf;
--- a/angie/conf.dist/http-grpc.conf
+++ b/angie/conf.dist/http-grpc.conf
@ -0,0 +1,4 @@
 ## this should be enabled explicitly to avoid config mess
 # include conf.d/http-v2.conf;
 include conf.d/grpc/*.conf;
--- a/angie/conf.dist/http-gunzip.conf
+++ b/angie/conf.dist/http-gunzip.conf
@ -0,0 +1,2 @@
 gunzip_buffers  16  16k;
 gunzip on;
--- a/angie/conf.dist/http-gzip-static.conf
+++ b/angie/conf.dist/http-gzip-static.conf
--- a/angie/conf.dist/http-gzip.conf
+++ b/angie/conf.dist/http-gzip.conf
@ -0,0 +1,2 @@
 include conf.d/gzip/*.conf;
 gzip on;
--- a/angie/conf.dist/http-max-ranges.conf.in
+++ b/angie/conf.dist/http-max-ranges.conf.in
@ -1 +0,0 @@
 max_ranges ${NGX_HTTP_MAX_RANGES};
--- a/angie/conf.dist/http-modsecurity.conf
+++ b/angie/conf.dist/http-modsecurity.conf
@ -0,0 +1,4 @@
 modsecurity_rules_file /etc/angie/modsecurity.d/rules.conf;
 ## NOT enabling ModSecurity by default!
 # modsecurity on;
--- a/angie/conf.dist/http-njs.conf
+++ b/angie/conf.dist/http-njs.conf
@ -0,0 +1 @@
 js_path /etc/angie/site.d;
--- a/angie/conf.dist/http-perl.conf
+++ b/angie/conf.dist/http-perl.conf
@ -0,0 +1 @@
 perl_modules /etc/angie/site.d;
--- a/angie/conf.dist/http-response-headers.conf.j2
+++ b/angie/conf.dist/http-response-headers.conf.j2
@ -0,0 +1,6 @@
 ## add response headers
 {%- set resp_hdr_list = ( j2cfg.add_response_headers or {} ) -%}
 {%- for h, v in resp_hdr_list.items() %}
 {#- TODO: precise quotation #}
 add_header  {{ h }}  {{ v.__repr__() }};
 {%- endfor %}
--- a/angie/conf.dist/http-scgi.conf
+++ b/angie/conf.dist/http-scgi.conf
@ -0,0 +1 @@
 include conf.d/scgi/*.conf;
--- a/angie/conf.dist/http-uwsgi.conf
+++ b/angie/conf.dist/http-uwsgi.conf
@ -0,0 +1 @@
 include conf.d/uwsgi/*.conf;
--- a/angie/conf.dist/http-v2.conf
+++ b/angie/conf.dist/http-v2.conf
@ -0,0 +1,2 @@
 http2_chunk_size 16k;
 http2 on;
--- a/angie/conf.dist/http-zstd-static.conf
+++ b/angie/conf.dist/http-zstd-static.conf
--- a/angie/conf.dist/http-zstd.conf
+++ b/angie/conf.dist/http-zstd.conf
@ -0,0 +1,2 @@
 include conf.d/zstd/*.conf;
 zstd on;
--- a/angie/conf.dist/proxy/headers.conf.j2
+++ b/angie/conf.dist/proxy/headers.conf.j2
@ -0,0 +1,13 @@
 ## hide/remove request headers
 {%- set req_hdr_list = j2cfg.proxy_remove_request_headers or j2cfg.remove_request_headers or [] -%}
 {%- set req_hdr_list = req_hdr_list | any_to_str_list | uniq_str_list -%}
 {%- for h in req_hdr_list %}
 proxy_set_header  {{ h }}  "";
 {%- endfor %}
 ## hide response headers
 {%- set resp_hdr_list = j2cfg.proxy_remove_response_headers or j2cfg.remove_response_headers or [] -%}
 {%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
 {%- for h in resp_hdr_list %}
 proxy_hide_header  {{ h }};
 {%- endfor %}
--- a/angie/conf.dist/scgi/buffers.conf
+++ b/angie/conf.dist/scgi/buffers.conf
@ -0,0 +1,4 @@
 scgi_buffers           16  16k;
 scgi_buffer_size           16k;
 scgi_busy_buffers_size     32k;
 scgi_temp_file_write_size  32k;
--- a/angie/conf.dist/scgi/headers.conf.j2
+++ b/angie/conf.dist/scgi/headers.conf.j2
@ -0,0 +1,13 @@
 ## hide/remove request headers
 {%- set req_hdr_list = j2cfg.scgi_remove_request_headers or j2cfg.remove_request_headers or [] -%}
 {%- set req_hdr_list = req_hdr_list | any_to_str_list | as_cgi_header -%}
 {%- for h in req_hdr_list %}
 scgi_param  {{ h }}  "";
 {%- endfor %}
 ## hide response headers
 {%- set resp_hdr_list = j2cfg.scgi_remove_response_headers or j2cfg.remove_response_headers or [] -%}
 {%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
 {%- for h in resp_hdr_list %}
 scgi_hide_header  {{ h }};
 {%- endfor %}
--- a/angie/conf.dist/scgi/param.conf
+++ b/angie/conf.dist/scgi/param.conf
@ -0,0 +1,7 @@
 include snip.d/scgi_params;
 scgi_param  PATH_INFO    $path_info;
 scgi_param  AUTH_USER    $remote_user;
 scgi_param  REMOTE_USER  $remote_user;
 scgi_param  HTTP_HOST    $host;
--- a/angie/conf.dist/uwsgi/buffers.conf
+++ b/angie/conf.dist/uwsgi/buffers.conf
@ -0,0 +1,4 @@
 uwsgi_buffers           16  16k;
 uwsgi_buffer_size           16k;
 uwsgi_busy_buffers_size     32k;
 uwsgi_temp_file_write_size  32k;
--- a/angie/conf.dist/uwsgi/headers.conf.j2
+++ b/angie/conf.dist/uwsgi/headers.conf.j2
@ -0,0 +1,13 @@
 ## hide/remove request headers
 {%- set req_hdr_list = j2cfg.uwsgi_remove_request_headers or j2cfg.remove_request_headers or [] -%}
 {%- set req_hdr_list = req_hdr_list | any_to_str_list | as_cgi_header -%}
 {%- for h in req_hdr_list %}
 uwsgi_param  {{ h }}  "";
 {%- endfor %}
 ## hide response headers
 {%- set resp_hdr_list = j2cfg.uwsgi_remove_response_headers or j2cfg.remove_response_headers or [] -%}
 {%- set resp_hdr_list = resp_hdr_list | any_to_str_list | uniq_str_list -%}
 {%- for h in resp_hdr_list %}
 uwsgi_hide_header  {{ h }};
 {%- endfor %}
--- a/angie/conf.dist/uwsgi/param.conf
+++ b/angie/conf.dist/uwsgi/param.conf
@ -0,0 +1,7 @@
 include snip.d/uwsgi_params;
 uwsgi_param  PATH_INFO    $path_info;
 uwsgi_param  AUTH_USER    $remote_user;
 uwsgi_param  REMOTE_USER  $remote_user;
 uwsgi_param  HTTP_HOST    $host;
--- a/angie/conf.dist/zstd/buffers.conf
+++ b/angie/conf.dist/zstd/buffers.conf
--- a/angie/conf.dist/zstd/types.conf.j2
+++ b/angie/conf.dist/zstd/types.conf.j2
@ -0,0 +1,9 @@
 {%- set mime_types = j2cfg.zstd_compress_types or j2cfg.compress_types or [] -%}
 {%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
 {%- if mime_types -%}
 zstd_types
 {%- for t in mime_types %}
    {{ t }}
 {%- endfor %}
 ;
 {%- endif -%}
--- a/angie/ctx-http.conf
+++ b/angie/ctx-http.conf
@ -1,5 +1,5 @@
 http {
-    include conf.d/http-*.conf;
+    include autoconf.d/http-*.conf;
-    include snip.d/http-*.load;
+    include load/http-*.conf;
    include site.d/http-*.conf;
 }
--- a/angie/ctx-mail.conf
+++ b/angie/ctx-mail.conf
@ -1,5 +1,5 @@
 mail {
-    include conf.d/mail-*.conf;
+    include autoconf.d/mail-*.conf;
-    include snip.d/mail-*.load;
+    include load/mail-*.conf;
    include site.d/mail-*.conf;
 }
--- a/angie/ctx-stream.conf
+++ b/angie/ctx-stream.conf
@ -1,5 +1,5 @@
 stream {
-    include conf.d/stream-*.conf;
+    include autoconf.d/stream-*.conf;
-    include snip.d/stream-*.load;
+    include load/stream-*.conf;
    include site.d/stream-*.conf;
 }
--- a/angie/j2cfg.dist/add-response-headers.yml
+++ b/angie/j2cfg.dist/add-response-headers.yml
@ -0,0 +1,11 @@
 add_response_headers:
  Access-Control-Allow-Origin: "*"
  Access-Control-Allow-Headers: "Origin, X-Requested-With, Content-Type, Accept, Authorization"
  Access-Control-Allow-Methods: "GET, HEAD, POST, PUT, DELETE, OPTIONS"
  Content-Security-Policy: "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self';"
  Permissions-Policy: "microphone=(), camera=(), geolocation=(), interest-cohort=()"
  Referrer-Policy: "no-referrer-when-downgrade"
  Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
  X-Content-Type-Options: "nosniff"
  X-Frame-Options: "SAMEORIGIN"
  X-XSS-Protection: "1; mode=block"
--- a/angie/j2cfg.dist/core-worker-env.txt.j2
+++ b/angie/j2cfg.dist/core-worker-env.txt.j2
@ -1,10 +1,9 @@
 {#- prologue -#}
 {%- set s_vars = ['MALLOC_ARENA_MAX', 'GLIBC_TUNABLES', 'MALLOC_CONF'] -%}
 {%- set c_env = ( j2cfg.core_worker_env or [] ) | any_to_env_dict -%}
 {%- set c_vars = c_env | dict_keys -%}
-{%- set c_vars_preserve = c_env | dict_empty_keys -%}
+{%- set c_vars_passthrough = c_env | dict_empty_keys -%}
-{%- set vars_preserve = ( c_vars_preserve + ( s_vars | list_diff(c_vars) )) | sort -%}
+{%- set vars_passthrough = ((env_passthrough | list_diff(c_vars)) + c_vars_passthrough) | uniq | list_intersect(env | dict_keys) -%}
 {#- main part -#}
-{%- for k in vars_preserve -%}
+{%- for k in vars_passthrough -%}
 {{ k }}
 {% endfor -%}
--- a/angie/j2cfg.dist/remove-request-headers.yml
+++ b/angie/j2cfg.dist/remove-request-headers.yml
@ -0,0 +1,3 @@
 remove_request_headers:
  ## do not pass Accept-Encoding to backend
 - Accept-Encoding
--- a/angie/j2cfg.dist/remove-response-headers.yml
+++ b/angie/j2cfg.dist/remove-response-headers.yml
@ -0,0 +1,12 @@
 remove_response_headers:
 - Access-Control-Allow-Headers
 - Access-Control-Allow-Methods
 - Access-Control-Allow-Origin
 - Content-Security-Policy
 - Permissions-Policy
 - Referrer-Policy
 - Strict-Transport-Security
 - Vary
 - X-Content-Type-Options
 - X-Frame-Options
 - X-XSS-Protection
--- a/angie/mod-http.conf
+++ b/angie/mod-http.conf
@ -1 +1 @@
-include mod.d/http-*.load;
+include load/mod-http-*.conf;
--- a/angie/mod-mail.conf
+++ b/angie/mod-mail.conf
@ -1 +1 @@
-include mod.d/mail-*.load;
+include load/mod-mail-*.conf;
--- a/angie/mod-stream.conf
+++ b/angie/mod-stream.conf
@ -1 +1 @@
-include mod.d/stream-*.load;
+include load/mod-stream-*.conf;
--- a/angie/modsecurity.dist/rules.conf
+++ b/angie/modsecurity.dist/rules.conf
@ -0,0 +1,33 @@
 Include modsecurity.conf
 # To enable the OWASP CRS, please perform the following steps:
 #
 # 1. Checkout Core Rule Set from GitHub and create config files as shown below:
 #
 #      version='v4.5.0'
 #      uri="https://github.com/coreruleset/coreruleset/archive/refs/tags/${version}.tar.gz"
 #      dst_dir='/etc/angie/modsecurity/coreruleset'
 #      w=$(mktemp -d) ; : "${w:?}"
 #      cd "$w/"
 #      tarball="coreruleset.tar.gz"
 #      /usr/lib/apt/apt-helper download-file "${uri}" "${tarball}"
 #      mkdir coreruleset
 #      tar -C ./coreruleset --strip-components=1 -xf "${tarball}"
 #      rm -f "${tarball}" ; unset tarball
 #      for p in \
 #        crs-setup.conf \
 #        rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf \
 #        rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf \
 #      ; do
 #          src="coreruleset/$p.example"
 #          dst="${dst_dir}/$p"
 #          [ -f "${src}" ] || continue
 #          [ -d "${dst%/*}" ] || mkdir -p "${dst%/*}"
 #          cp -nv "${src}" "${dst}"
 #      done
 #      rm -rf "${w:?}/" ; unset w
 #
 # 2. Uncomment both 'Include' directives below
 #Include coreruleset/crs-setup.conf
 #Include coreruleset/rules/*.conf
--- a/angie/snip.dist/brotli/gzip.conf
+++ b/angie/snip.dist/brotli/gzip.conf
@ -1 +0,0 @@
 include snip.d/gzip/vary.conf;
--- a/angie/snip.dist/brotli/types.conf.j2
+++ b/angie/snip.dist/brotli/types.conf.j2
@ -1,8 +0,0 @@
 {%- set mime_types = ( j2cfg.compress_types or [] )|any_to_str_list|uniq_str_list -%}
 {%- if mime_types %}
 brotli_types
 {%- for t in mime_types %}
    {{ t }}
 {%- endfor %}
 ;
 {%- endif %}
--- a/angie/snip.dist/deny-dotfiles
+++ b/angie/snip.dist/deny-dotfiles
@ -0,0 +1,3 @@
 location ~ /\. {
    include snip.d/internal-area;
 }
--- a/angie/snip.dist/disable-compression.j2
+++ b/angie/snip.dist/disable-compression.j2
@ -0,0 +1,8 @@
 {#- safe to specify all the time -#}
 gzip off;
 {%- set modules = ( env.NGX_HTTP_MODULES or '' ) | str_split_to_list -%}
 {%- for ext_comp in ['brotli', 'zstd'] %}
 {%- if ext_comp in modules %}
 {{ ext_comp }} off;
 {%- endif %}
 {%- endfor %}
--- a/angie/snip.dist/empty-favicon
+++ b/angie/snip.dist/empty-favicon
@ -0,0 +1,4 @@
 location = /favicon.ico {
    empty_gif;
    expires 1d;
 }
--- a/angie/snip.dist/fastcgi-location
+++ b/angie/snip.dist/fastcgi-location
@ -0,0 +1,5 @@
 try_files $fastcgi_script_name =444;
 ## bypass the fact that try_files resets $fastcgi_path_info
 ## see: https://trac.nginx.org/nginx/ticket/321
 set $path_info $fastcgi_path_info;
--- a/angie/snip.dist/gzip/types.conf.j2
+++ b/angie/snip.dist/gzip/types.conf.j2
@ -1,8 +0,0 @@
 {%- set mime_types = ( j2cfg.compress_types or [] )|any_to_str_list|uniq_str_list -%}
 {%- if mime_types %}
 gzip_types
 {%- for t in mime_types %}
    {{ t }}
 {%- endfor %}
 ;
 {%- endif %}
--- a/angie/snip.dist/http-brotli.conf
+++ b/angie/snip.dist/http-brotli.conf
@ -1,2 +0,0 @@
 include snip.d/brotli/*.conf;
 brotli on;
--- a/angie/snip.dist/http-gunzip.conf
+++ b/angie/snip.dist/http-gunzip.conf
@ -1,2 +0,0 @@
 include snip.d/http-gunzip.modconf;
 gunzip on;
--- a/angie/snip.dist/http-gunzip.modconf
+++ b/angie/snip.dist/http-gunzip.modconf
@ -1 +0,0 @@
 gunzip_buffers  16  16k;
--- a/angie/snip.dist/http-gzip.conf
+++ b/angie/snip.dist/http-gzip.conf
@ -1,2 +0,0 @@
 include snip.d/gzip/*.conf;
 gzip on;
--- a/angie/snip.dist/http-zstd.conf
+++ b/angie/snip.dist/http-zstd.conf
@ -1,2 +0,0 @@
 include snip.d/zstd/*.conf;
 zstd on;
--- a/angie/snip.dist/internal-area
+++ b/angie/snip.dist/internal-area
@ -0,0 +1,5 @@
 ## always sourced by snip.d/deny-dotfiles
 access_log     off;
 log_not_found  off;
 internal;
--- a/angie/snip.dist/zstd/gzip.conf
+++ b/angie/snip.dist/zstd/gzip.conf
@ -1 +0,0 @@
 include snip.d/gzip/vary.conf;
--- a/angie/snip.dist/zstd/types.conf.j2
+++ b/angie/snip.dist/zstd/types.conf.j2
@ -1,8 +0,0 @@
 {%- set mime_types = ( j2cfg.compress_types or [] )|any_to_str_list|uniq_str_list -%}
 {%- if mime_types %}
 zstd_types
 {%- for t in mime_types %}
    {{ t }}
 {%- endfor %}
 ;
 {%- endif %}
--- a/image-entry.d/00-common.envsh
+++ b/image-entry.d/00-common.envsh
@ -82,7 +82,7 @@ untemplate_path() {
 	"${volume_root}"/* | /etc/angie/run/* )
 		strip_suffix "$1" "$2"
 	;;
-	/etc/angie/conf.d/* | /etc/angie/j2cfg.d/* | /etc/angie/mod.d/* | /etc/angie/modules.d/* | /etc/angie/site.d/* | /etc/angie/snip.d/* )
+	/etc/angie/autoconf.d/* | /etc/angie/conf.d/* | /etc/angie/j2cfg.d/* | /etc/angie/mod.d/* | /etc/angie/modules.d/* | /etc/angie/site.d/* | /etc/angie/snip.d/* )
 		strip_suffix "$1" "$2"
 	;;
 	/etc/angie/static.d/* )
@ -212,6 +212,10 @@ remap_path() {
 	[ -n "$1" ] || return
 	case "$1" in
 	## autoconf
 	/etc/angie/autoconf.dist/* ) echo "${2:-/etc/angie/autoconf.d}${1#/etc/angie/autoconf.dist}" ;;
 	/etc/angie/autoconf/* )      echo "${2:-/etc/angie/autoconf.d}${1#/etc/angie/autoconf}" ;;
 	/angie/autoconf/* )          echo "${2:-/etc/angie/autoconf.d}${1#/angie/autoconf}" ;;
 	## conf
 	/etc/angie/conf.dist/* ) echo "${2:-/etc/angie/conf.d}${1#/etc/angie/conf.dist}" ;;
 	/etc/angie/conf/* )      echo "${2:-/etc/angie/conf.d}${1#/etc/angie/conf}" ;;
@ -277,6 +281,14 @@ is_builtin_module() {
 	grep -Fxq -e "$2" "/etc/angie/builtin.$1" || return 1
 }
 normalize_list() {
 	[ -n "$1" ] || return 0
 	printf '%s' "$1" \
 	| tr -s '[:space:]' ' ' \
 	| sed -zE 's/^ //;s/ $//'
 }
 sort_dedup_list() {
 	[ -n "$1" ] || return 0
--- a/image-entry.d/01-defaults.envsh
+++ b/image-entry.d/01-defaults.envsh
@ -19,7 +19,7 @@ if [ "${NGX_HTTP}${NGX_MAIL}${NGX_STREAM}" = '000' ] ; then
 fi
 unset default_dirs_merge default_dirs_link
-default_dirs_merge='conf j2cfg mod modules site snip'
+default_dirs_merge='autoconf conf j2cfg mod modules site snip'
 default_dirs_link=''
 if [ "${NGX_PROCESS_STATIC}" = 1 ] ; then
@ -34,3 +34,23 @@ NGX_DIRS_LINK=$(sort_dedup_list "${default_dirs_link} ${NGX_DIRS_LINK:-}")
 set +a
 unset default_dirs_merge default_dirs_link
 unset i dirs_link
 dirs_link=
 for i in ${NGX_DIRS_LINK:-} ; do
 	[ -n "$i" ] || continue
 	## naive deduplication
 	case " ${NGX_DIRS_MERGE} " in
 	*" $i "* )
 		log "$i is already specified in NGX_DIRS_MERGE - removing from NGX_DIRS_LINK"
 		continue
 	;;
 	esac
 	dirs_link="${dirs_link}${dirs_link:+ }$i"
 done
 unset i
 export NGX_DIRS_LINK="${dirs_link}"
 unset dirs_link
--- a/image-entry.d/02-detect-nonroot.envsh
+++ b/image-entry.d/02-detect-nonroot.envsh
--- a/image-entry.d/03-detect-local-override.envsh
+++ b/image-entry.d/03-detect-local-override.envsh
--- a/image-entry.d/04-detect-local-ip-addresses.envsh
+++ b/image-entry.d/04-detect-local-ip-addresses.envsh
--- a/image-entry.d/10-core.envsh
+++ b/image-entry.d/10-core.envsh
@ -3,7 +3,7 @@
 set -a
 NGX_CORE_MODULES="${NGX_CORE_MODULES:-}"
-NGX_CORE_EVENTS_SNIPPETS="${NGX_CORE_EVENTS_SNIPPETS:-}"
+NGX_CORE_CONFLOAD="${NGX_CORE_CONFLOAD:-}"
-NGX_CORE_SNIPPETS="${NGX_CORE_SNIPPETS:-}"
+NGX_CORE_EVENTS_CONFLOAD="${NGX_CORE_EVENTS_CONFLOAD:-}"
 set +a
--- a/image-entry.d/11-core-modules.envsh
+++ b/image-entry.d/11-core-modules.envsh
@ -1,17 +1,24 @@
 #!/bin/sh
-unset core_modules core_snippets
+unset core_modules core_confload
 core_modules=
-core_snippets="${NGX_CORE_SNIPPETS:-}"
+core_confload="${NGX_CORE_CONFLOAD:-}"
 ## filter out builtin core modules
 unset i
 for i in ${NGX_CORE_MODULES:-} ; do
 	[ -n "$i" ] || continue
 	case "$i" in
 	*/* | *\** | *\?* )
 		log_always "module '$i' is not legal, skipping"
 		continue
 	;;
 	esac
 	if is_builtin_module core "$i" ; then
-		log "$i is builtin module, moving to snippets"
+		log "$i is builtin module, moving to NGX_CORE_CONFLOAD"
-		core_snippets="${core_snippets} $i"
+		core_confload="${core_confload} $i"
 		continue
 	fi
@ -29,8 +36,8 @@ unset i
 set -a
 NGX_CORE_MODULES="${core_modules}"
-NGX_CORE_SNIPPETS=$(sort_dedup_list "${core_snippets}")
+NGX_CORE_CONFLOAD=$(sort_dedup_list "${core_confload}")
-NGX_CORE_EVENTS_SNIPPETS=$(sort_dedup_list "${NGX_CORE_EVENTS_SNIPPETS}")
+NGX_CORE_EVENTS_CONFLOAD=$(sort_dedup_list "${NGX_CORE_EVENTS_CONFLOAD}")
 set +a
-unset core_modules core_snippets
+unset core_modules core_confload
--- a/image-entry.d/13-core-worker-defaults.envsh
+++ b/image-entry.d/13-core-worker-defaults.envsh
@ -1,146 +0,0 @@
 #!/bin/sh
 unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS
 ## here should be SANE defaults (!)
 _NGX_WORKER_PROCESSES=2
 _NGX_WORKER_PRIORITY=0
 _NGX_WORKER_RLIMIT_NOFILE=16384
 _NGX_WORKER_CONNECTIONS=4096
 [ -n "${NGX_WORKER_PROCESSES:-}" ] || NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
 case "${NGX_WORKER_PROCESSES}" in
 "${_NGX_WORKER_PROCESSES}" ) ;;
 ## allow values within [1;999]
 [1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
 [Aa][Uu][Tt][Oo] )
 	## adjust
 	NGX_WORKER_PROCESSES=auto
 	log_always "NGX_WORKER_PROCESSES: \"auto\" isn't supported by container yet"
 	log_always "offloading decision to Angie (this could be a problem!)"
 ;;
 0 )
 	log_always "NGX_WORKER_PROCESSES: \"0\" isn't supported by container yet"
 	log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
 	NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
 ;;
 * )
 	log_always "NGX_WORKER_PROCESSES: unrecognized value: ${NGX_WORKER_PROCESSES}"
 	log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
 	NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
 ;;
 esac
 [ -n "${NGX_WORKER_PRIORITY:-}" ] || NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}
 case "${NGX_WORKER_PRIORITY}" in
 "${_NGX_WORKER_PRIORITY}" ) ;;
 -[1-9] | -1[0-9] | -20 ) ;;
 [0-9] |  1[0-9] |  20 ) ;;
 -0 )
 	log_always "NGX_WORKER_PRIORITY: likely an error: '-0'"
 	log_always "adjusting NGX_WORKER_PRIORITY=0"
 	NGX_WORKER_PRIORITY=0
 ;;
 * )
 	log_always "NGX_WORKER_PRIORITY: unrecognized value: ${NGX_WORKER_PRIORITY}"
 	log_always "setting NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}"
 	NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}
 ;;
 esac
 [ -n "${NGX_WORKER_RLIMIT_NOFILE:-}" ] || NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
 case "${NGX_WORKER_RLIMIT_NOFILE}" in
 "${_NGX_WORKER_RLIMIT_NOFILE}" ) ;;
 [0-9] | [1-9][0-9] )
 	log_always "NGX_WORKER_RLIMIT_NOFILE: too low: ${NGX_WORKER_RLIMIT_NOFILE}"
 	log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
 	NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
 ;;
 ## allow values within [100;9999999]
 [1-9][0-9][0-9] ) ;;
 [1-9][0-9][0-9][0-9] ) ;;
 [1-9][0-9][0-9][0-9][0-9] ) ;;
 [1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
 [1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
 * )
 	log_always "NGX_WORKER_RLIMIT_NOFILE: unrecognized value: ${NGX_WORKER_RLIMIT_NOFILE}"
 	log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
 	NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
 ;;
 esac
 [ -n "${NGX_WORKER_CONNECTIONS:-}" ] || NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
 case "${NGX_WORKER_CONNECTIONS}" in
 "${_NGX_WORKER_CONNECTIONS}" ) ;;
 [0-9] | [1-9][0-9] )
 	log_always "NGX_WORKER_CONNECTIONS: too low: ${NGX_WORKER_CONNECTIONS}"
 	log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
 	NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
 ;;
 ## allow values within [100;9999999]
 [1-9][0-9][0-9] ) ;;
 [1-9][0-9][0-9][0-9] ) ;;
 [1-9][0-9][0-9][0-9][0-9] ) ;;
 [1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
 [1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
 * )
 	log_always "NGX_WORKER_CONNECTIONS: unrecognized value: ${NGX_WORKER_CONNECTIONS}"
 	log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
 	NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
 ;;
 esac
 nofile_soft=$(ulimit -Sn)
 nofile_hard=$(ulimit -Hn)
 if [ "${nofile_hard}" = unlimited ] ; then
 	## minor hack (if applicable) :)
 	nofile_hard=$((NGX_WORKER_RLIMIT_NOFILE * 2))
 fi
 nofile_ok=0
 while : ; do
 	[ ${nofile_hard} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
 	[ ${nofile_soft} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
 	nofile_ok=1
 break ; done
 if [ ${nofile_ok} = 0 ] ; then
 	log_always "adjusting 'nofile' limits"
 	log_always "Limits before:"
 	sed -En '1p;/open files/p' < /proc/$$/limits >&2
 	if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
 		ulimit -Hn "${NGX_WORKER_RLIMIT_NOFILE}"
 		nofile_hard=$(ulimit -Hn)
 	fi
 	if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
 		log_always "lowering NGX_WORKER_RLIMIT_NOFILE to ${nofile_hard} due to hard limit"
 		NGX_WORKER_RLIMIT_NOFILE=${nofile_hard}
 	fi
 	if [ ${nofile_soft} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
 		ulimit -Sn "${NGX_WORKER_RLIMIT_NOFILE}"
 	fi
 	log_always "Limits after:"
 	sed -En '1p;/open files/p' < /proc/$$/limits >&2
 fi
 unset nofile_soft nofile_hard nofile_ok
 export NGX_WORKER_PROCESSES NGX_WORKER_PRIORITY NGX_WORKER_RLIMIT_NOFILE NGX_WORKER_CONNECTIONS
 unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS
 if [ ${NGX_WORKER_RLIMIT_NOFILE} -lt ${NGX_WORKER_CONNECTIONS} ] ; then
 	log_always "WARNING: NGX_WORKER_RLIMIT_NOFILE is less than NGX_WORKER_CONNECTIONS (${NGX_WORKER_RLIMIT_NOFILE} < ${NGX_WORKER_CONNECTIONS})"
 else
 	ratio=$(mawk -v "a=${NGX_WORKER_RLIMIT_NOFILE}" -v "b=${NGX_WORKER_CONNECTIONS}" 'BEGIN{print a/b;exit;}' </dev/null)
 	case "${ratio}" in
 	1 | 1.* )
 		log_always "WARNING: \"NGX_WORKER_RLIMIT_NOFILE/NGX_WORKER_CONNECTIONS\" ratio is too low (=${ratio})"
 	;;
 	esac
 	unset ratio
 fi
--- a/image-entry.d/13-core-worker.envsh
+++ b/image-entry.d/13-core-worker.envsh
@ -0,0 +1,195 @@
 #!/bin/sh
 unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS _NGX_WORKER_AIO_REQUESTS
 ## here should be SANE defaults (!)
 _NGX_WORKER_PROCESSES=2
 _NGX_WORKER_PRIORITY=0
 _NGX_WORKER_RLIMIT_NOFILE=16384
 _NGX_WORKER_CONNECTIONS=4096
 _NGX_WORKER_AIO_REQUESTS=64
 [ -n "${NGX_WORKER_PROCESSES:-}" ] || NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
 case "${NGX_WORKER_PROCESSES}" in
 ## allow values within [1;999]
 [1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
 [Aa][Uu][Tt][Oo] )
 	## adjust
 	NGX_WORKER_PROCESSES=auto
 	log_always "NGX_WORKER_PROCESSES: \"auto\" isn't supported by container yet"
 	log_always "offloading decision to Angie (this could be a problem!)"
 ;;
 0 )
 	log_always "NGX_WORKER_PROCESSES: \"0\" isn't supported by container yet"
 	log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
 	NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
 ;;
 * )
 	log_always "NGX_WORKER_PROCESSES: unrecognized value: ${NGX_WORKER_PROCESSES}"
 	log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
 	NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
 ;;
 esac
 export NGX_WORKER_PROCESSES
 if [ -z "${NGX_WORKER_CPU_AFFINITY:-}" ] ; then
 	unset NGX_WORKER_CPU_AFFINITY
 else
 	## offload handling to Angie
 	set -a
 	NGX_WORKER_CPU_AFFINITY=$(normalize_list "${NGX_WORKER_CPU_AFFINITY}")
 	set +a
 fi
 [ -n "${NGX_WORKER_CONNECTIONS:-}" ] || NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
 case "${NGX_WORKER_CONNECTIONS}" in
 [0-9] | [1-9][0-9] )
 	log_always "NGX_WORKER_CONNECTIONS: too low: ${NGX_WORKER_CONNECTIONS}"
 	log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
 	NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
 ;;
 ## allow values within [100;9999999]
 [1-9][0-9][0-9] ) ;;
 [1-9][0-9][0-9][0-9] ) ;;
 [1-9][0-9][0-9][0-9][0-9] ) ;;
 [1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
 [1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
 * )
 	log_always "NGX_WORKER_CONNECTIONS: unrecognized value: ${NGX_WORKER_CONNECTIONS}"
 	log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
 	NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
 ;;
 esac
 export NGX_WORKER_CONNECTIONS
 if [ -z "${NGX_WORKER_PRIORITY:-}" ] ; then
 	unset NGX_WORKER_PRIORITY
 else
 	case "${NGX_WORKER_PRIORITY}" in
 	-[1-9] | -1[0-9] | -20 ) ;;
 	 [0-9] |  1[0-9] |  20 ) ;;
 	-0 )
 		log_always "NGX_WORKER_PRIORITY: likely an error: '-0'"
 		log_always "adjusting NGX_WORKER_PRIORITY=0"
 		NGX_WORKER_PRIORITY=0
 	;;
 	* )
 		log_always "NGX_WORKER_PRIORITY: unrecognized value: ${NGX_WORKER_PRIORITY}"
 		log_always "setting NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}"
 		NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}
 	;;
 	esac
 	export NGX_WORKER_PRIORITY
 fi
 if [ -z "${NGX_WORKER_RLIMIT_NOFILE:-}" ] ; then
 	unset NGX_WORKER_RLIMIT_NOFILE
 else
 	case "${NGX_WORKER_RLIMIT_NOFILE}" in
 	[0-9] | [1-9][0-9] )
 		log_always "NGX_WORKER_RLIMIT_NOFILE: too low: ${NGX_WORKER_RLIMIT_NOFILE}"
 		log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
 		NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
 	;;
 	## allow values within [100;9999999]
 	[1-9][0-9][0-9] ) ;;
 	[1-9][0-9][0-9][0-9] ) ;;
 	[1-9][0-9][0-9][0-9][0-9] ) ;;
 	[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
 	[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
 	* )
 		log_always "NGX_WORKER_RLIMIT_NOFILE: unrecognized value: ${NGX_WORKER_RLIMIT_NOFILE}"
 		log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
 		NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
 	;;
 	esac
 	export NGX_WORKER_RLIMIT_NOFILE
 fi
 if [ -z "${NGX_WORKER_AIO_REQUESTS:-}" ] ; then
 	unset NGX_WORKER_AIO_REQUESTS
 else
 	case "${NGX_WORKER_AIO_REQUESTS}" in
 	[0-9] )
 		log_always "NGX_WORKER_AIO_REQUESTS: too low: ${NGX_WORKER_AIO_REQUESTS}"
 		log_always "setting NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}"
 		NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}
 	;;
 	## allow values within [10;99999]
 	[1-9][0-9] ) ;;
 	[1-9][0-9][0-9] ) ;;
 	[1-9][0-9][0-9][0-9] ) ;;
 	[1-9][0-9][0-9][0-9][0-9] ) ;;
 	* )
 		log_always "NGX_WORKER_AIO_REQUESTS: unrecognized value: ${NGX_WORKER_AIO_REQUESTS}"
 		log_always "setting NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}"
 		NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}
 	;;
 	esac
 	export NGX_WORKER_AIO_REQUESTS
 fi
 if [ -n "${NGX_WORKER_RLIMIT_NOFILE:-}" ] ; then
 	nofile_soft=$(ulimit -Sn)
 	nofile_hard=$(ulimit -Hn)
 	if [ "${nofile_hard}" = unlimited ] ; then
 		## minor hack (if applicable) :)
 		nofile_hard=$((NGX_WORKER_RLIMIT_NOFILE + 1))
 	fi
 	nofile_ok=0
 	while : ; do
 		[ ${nofile_hard} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
 		[ ${nofile_soft} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
 		nofile_ok=1
 	break ; done
 	if [ ${nofile_ok} = 0 ] ; then
 		log_always "adjusting 'nofile' limits"
 		log_always "Limits before:"
 		sed -En '1p;/open files/p' < /proc/$$/limits >&2
 		if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
 			ulimit -Hn "${NGX_WORKER_RLIMIT_NOFILE}"
 			nofile_hard=$(ulimit -Hn)
 		fi
 		if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
 			log_always "lowering NGX_WORKER_RLIMIT_NOFILE to ${nofile_hard} due to hard limit"
 			NGX_WORKER_RLIMIT_NOFILE=${nofile_hard}
 		fi
 		if [ ${nofile_soft} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
 			ulimit -Sn "${NGX_WORKER_RLIMIT_NOFILE}"
 		fi
 		log_always "Limits after:"
 		sed -En '1p;/open files/p' < /proc/$$/limits >&2
 	fi
 	unset nofile_soft nofile_hard nofile_ok
 	export NGX_WORKER_RLIMIT_NOFILE
 fi
 if [ -z "${NGX_WORKER_RLIMIT_NOFILE:-}" ] ; then
 	nofile_limit=$(ulimit -Hn)
 	nofile_kind="'ulimit:nofile'"
 else
 	nofile_limit=${NGX_WORKER_RLIMIT_NOFILE}
 	nofile_kind='NGX_WORKER_RLIMIT_NOFILE'
 fi
 if [ ${nofile_limit} -lt ${NGX_WORKER_CONNECTIONS} ] ; then
 	log_always "WARNING: ${nofile_kind} is less than NGX_WORKER_CONNECTIONS (${nofile_limit} < ${NGX_WORKER_CONNECTIONS})"
 else
 	ratio=$(mawk -v "a=${nofile_limit}" -v "b=${NGX_WORKER_CONNECTIONS}" 'BEGIN{print a/b;exit;}' </dev/null)
 	case "${ratio}" in
 	1 | 1.* )
 		log_always "WARNING: \"${nofile_kind}/NGX_WORKER_CONNECTIONS\" ratio is too low (=${ratio})"
 	;;
 	esac
 	unset ratio
 fi
 unset nofile_limit nofile_kind
 unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS _NGX_WORKER_AIO_REQUESTS
--- a/image-entry.d/20-http.envsh
+++ b/image-entry.d/20-http.envsh
@ -1,10 +1,17 @@
 #!/bin/sh
 if [ "${NGX_HTTP}" = 0 ] ; then
-	unset NGX_HTTP_MODULES NGX_HTTP_SNIPPETS
+	unset NGX_HTTP_MODULES NGX_HTTP_CONFLOAD NGX_HTTP_CACHES NGX_HTTP_WEBROOT
 else
 	unset default_caches
 	default_caches='client_temp fastcgi_temp proxy_temp scgi_temp uwsgi_temp'
 	set -a
 	NGX_HTTP_MODULES="${NGX_HTTP_MODULES:-}"
-	NGX_HTTP_SNIPPETS="${NGX_HTTP_SNIPPETS:-}"
+	NGX_HTTP_CONFLOAD="${NGX_HTTP_CONFLOAD:-}"
 	NGX_HTTP_CACHES=$(sort_dedup_list "${default_caches} ${NGX_HTTP_CACHES:-}")
 	NGX_HTTP_WEBROOT="${NGX_HTTP_WEBROOT:-/etc/angie/static.d}"
 	set +a
 	unset default_caches
 fi
--- a/image-entry.d/21-http-modules.envsh
+++ b/image-entry.d/21-http-modules.envsh
@ -1,9 +1,9 @@
 #!/bin/sh
 if [ "${NGX_HTTP}" = 1 ] ; then
-	unset http_modules http_snippets
+	unset http_modules http_confload
 	http_modules=
-	http_snippets="${NGX_HTTP_SNIPPETS:-}"
+	http_confload="${NGX_HTTP_CONFLOAD:-}"
 	if [ -n "${NGX_HTTP_MODULES}" ] ; then
 		## angie-module-lua: depends on angie-module-ndk
@ -19,9 +19,16 @@ if [ "${NGX_HTTP}" = 1 ] ; then
 	for i in ${NGX_HTTP_MODULES:-} ; do
 		[ -n "$i" ] || continue
 		case "$i" in
 		*/* | *\** | *\?* )
 			log_always "module '$i' is not legal, skipping"
 			continue
 		;;
 		esac
 		if is_builtin_module http "$i" ; then
-			log "$i is builtin module, moving to snippets"
+			log "$i is builtin module, moving to NGX_HTTP_CONFLOAD"
-			http_snippets="${http_snippets} $i"
+			http_confload="${http_confload} $i"
 			continue
 		fi
@ -39,8 +46,33 @@ if [ "${NGX_HTTP}" = 1 ] ; then
 	set -a
 	NGX_HTTP_MODULES="${http_modules}"
-	NGX_HTTP_SNIPPETS=$(sort_dedup_list "${http_snippets}")
+	NGX_HTTP_CONFLOAD=$(sort_dedup_list "${http_confload}")
 	set +a
-	unset http_modules http_snippets
+	unset http_modules http_confload
 	## quirk: angie-module-modsecurity
 	unset NGX_HTTP_WITH_MODSECURITY
 	NGX_HTTP_WITH_MODSECURITY=0
 	while : ; do
 		case " ${NGX_HTTP_MODULES} " in
 		*" modsecurity "* ) ;;
 		* ) break ;;
 		esac
 		for d in /angie/modules /etc/angie/modules /etc/angie/modules.dist ; do
 			[ -d "$d" ] || continue
 			if [ -f "$d/ngx_http_modsecurity_module.so" ] ; then
 				NGX_HTTP_WITH_MODSECURITY=1
 				break
 			fi
 		done ; unset d
 	break ; done
 	export NGX_HTTP_WITH_MODSECURITY
 	if [ "${NGX_HTTP_WITH_MODSECURITY}" = 1 ] ; then
 		set -a
 		NGX_DIRS_MERGE=$(sort_dedup_list "${NGX_DIRS_MERGE} modsecurity")
 		set +a
 	fi
 fi
--- a/image-entry.d/22-http-max-ranges.envsh
+++ b/image-entry.d/22-http-max-ranges.envsh
@ -7,22 +7,24 @@ else
 	## here should be SANE defaults (!)
 	_NGX_HTTP_MAX_RANGES=16
-	[ -n "${NGX_HTTP_MAX_RANGES:-}" ] || NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}
+	if [ -z "${NGX_HTTP_MAX_RANGES:-}" ] ; then
-	case "${NGX_HTTP_MAX_RANGES}" in
+		unset NGX_HTTP_MAX_RANGES
-	"${_NGX_HTTP_MAX_RANGES}" ) ;;
+	else
-	## allow values within [1;999]
+		case "${NGX_HTTP_MAX_RANGES}" in
-	[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
+		## allow values within [1;999]
-	0 )
+		[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
-		log_always "HTTP: Range/If-Range/Accept-Ranges support is disabled by NGX_HTTP_MAX_RANGES=0"
+		0 )
-	;;
+			log_always "HTTP: Range/If-Range/Accept-Ranges support is disabled by NGX_HTTP_MAX_RANGES=0"
-	* )
+		;;
-		log_always "NGX_HTTP_MAX_RANGES: unrecognized value: ${NGX_HTTP_MAX_RANGES}"
+		* )
-		log_always "setting NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}"
+			log_always "NGX_HTTP_MAX_RANGES: unrecognized value: ${NGX_HTTP_MAX_RANGES}"
-		NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}
+			log_always "setting NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}"
-	;;
+			NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}
-	esac
+		;;
 		esac
-	export NGX_HTTP_MAX_RANGES
+		export NGX_HTTP_MAX_RANGES
 	fi
 	unset _NGX_HTTP_MAX_RANGES
 fi
--- a/image-entry.d/30-mail.envsh
+++ b/image-entry.d/30-mail.envsh
@ -1,10 +1,10 @@
 #!/bin/sh
 if [ "${NGX_MAIL}" = 0 ] ; then
-	unset NGX_MAIL_MODULES NGX_MAIL_SNIPPETS
+	unset NGX_MAIL_MODULES NGX_MAIL_CONFLOAD
 else
 	set -a
 	NGX_MAIL_MODULES="${NGX_MAIL_MODULES:-}"
-	NGX_MAIL_SNIPPETS="${NGX_MAIL_SNIPPETS:-}"
+	NGX_MAIL_CONFLOAD="${NGX_MAIL_CONFLOAD:-}"
 	set +a
 fi
--- a/image-entry.d/31-mail-modules.envsh
+++ b/image-entry.d/31-mail-modules.envsh
@ -1,18 +1,25 @@
 #!/bin/sh
 if [ "${NGX_MAIL}" = 1 ] ; then
-	unset mail_modules mail_snippets
+	unset mail_modules mail_confload
 	mail_modules=
-	mail_snippets="${NGX_MAIL_SNIPPETS:-}"
+	mail_confload="${NGX_MAIL_CONFLOAD:-}"
 	## filter out builtin mail modules
 	unset i
 	for i in ${NGX_MAIL_MODULES:-} ; do
 		[ -n "$i" ] || continue
 		case "$i" in
 		*/* | *\** | *\?* )
 			log_always "module '$i' is not legal, skipping"
 			continue
 		;;
 		esac
 		if is_builtin_module mail "$i" ; then
-			log "$i is builtin module, moving to snippets"
+			log "$i is builtin module, moving to NGX_MAIL_CONFLOAD"
-			mail_snippets="${mail_snippets} $i"
+			mail_confload="${mail_confload} $i"
 			continue
 		fi
@ -30,8 +37,8 @@ if [ "${NGX_MAIL}" = 1 ] ; then
 	set -a
 	NGX_MAIL_MODULES="${mail_modules}"
-	NGX_MAIL_SNIPPETS=$(sort_dedup_list "${mail_snippets}")
+	NGX_MAIL_CONFLOAD=$(sort_dedup_list "${mail_confload}")
 	set +a
-	unset mail_modules mail_snippets
+	unset mail_modules mail_confload
 fi
--- a/image-entry.d/40-stream.envsh
+++ b/image-entry.d/40-stream.envsh
@ -1,10 +1,10 @@
 #!/bin/sh
 if [ "${NGX_STREAM}" = 0 ] ; then
-	unset NGX_STREAM_MODULES NGX_STREAM_SNIPPETS
+	unset NGX_STREAM_MODULES NGX_STREAM_CONFLOAD
 else
 	set -a
 	NGX_STREAM_MODULES="${NGX_STREAM_MODULES:-}"
-	NGX_STREAM_SNIPPETS="${NGX_STREAM_SNIPPETS:-}"
+	NGX_STREAM_CONFLOAD="${NGX_STREAM_CONFLOAD:-}"
 	set +a
 fi
--- a/image-entry.d/41-stream-modules.envsh
+++ b/image-entry.d/41-stream-modules.envsh
@ -1,18 +1,25 @@
 #!/bin/sh
 if [ "${NGX_STREAM}" = 1 ] ; then
-	unset stream_modules stream_snippets
+	unset stream_modules stream_confload
 	stream_modules=
-	stream_snippets="${NGX_STREAM_SNIPPETS:-}"
+	stream_confload="${NGX_STREAM_CONFLOAD:-}"
 	## filter out builtin stream modules
 	unset i
 	for i in ${NGX_STREAM_MODULES:-} ; do
 		[ -n "$i" ] || continue
 		case "$i" in
 		*/* | *\** | *\?* )
 			log_always "module '$i' is not legal, skipping"
 			continue
 		;;
 		esac
 		if is_builtin_module stream "$i" ; then
-			log "$i is builtin module, moving to snippets"
+			log "$i is builtin module, moving to NGX_STREAM_CONFLOAD"
-			stream_snippets="${stream_snippets} $i"
+			stream_confload="${stream_confload} $i"
 			continue
 		fi
@ -30,8 +37,8 @@ if [ "${NGX_STREAM}" = 1 ] ; then
 	set -a
 	NGX_STREAM_MODULES="${stream_modules}"
-	NGX_STREAM_SNIPPETS=$(sort_dedup_list "${stream_snippets}")
+	NGX_STREAM_CONFLOAD=$(sort_dedup_list "${stream_confload}")
 	set +a
-	unset stream_modules stream_snippets
+	unset stream_modules stream_confload
 fi
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Konstantin Demin	8fac571d20	huge refactoring	2024-07-24 22:47:53 +03:00
Konstantin Demin	985c42a7d2	fix (minor) inconsistences	2024-07-23 22:43:52 +03:00
Konstantin Demin	7425ac403a	improve dynamic configuration snippets	2024-07-23 21:59:49 +03:00
		`@ -1 +0,0 @@`
			`worker_connections ${NGX_WORKER_CONNECTIONS};`
		`@ -1 +1 @@`
			`include mod.d/http-*.load;`				`include load/mod-http-*.conf;`
		`@ -1 +1 @@`
			`include mod.d/mail-*.load;`				`include load/mod-mail-*.conf;`
		`@ -1 +1 @@`
			`include mod.d/stream-*.load;`				`include load/mod-stream-*.conf;`
		`@ -1,2 +0,0 @@`
			`include snip.d/http-gunzip.modconf;`
			`gunzip on;`