#!/bin/sh

# PROVIDE: nginx
# REQUIRE: LOGIN cleanvar
# KEYWORD: shutdown

#
# Add the following lines to /etc/rc.conf to enable nginx:
# nginx_enable (bool):		Set to "NO" by default.
#				Set it to "YES" to enable nginx
# nginx_profiles (str):		Set to "" by default.
#				Define your profiles here.
# nginx_pid_prefix (str):	Set to "" by default.
#				When using profiles, manually set this to "nginx_"
#				to prevent collisions with other PID file names.
# nginxlimits_enable (bool):	Set to "NO" by default.
#				Set it to yes to run `limits $nginxlimits_args`
#				just before nginx starts.
# nginx_flags (str):		Set to "" by default.
#				Extra flags passed to start command.
# nginxlimits_args (str):	Default to "-e -U www"
#				Arguments of pre-start limits run.

. /etc/rc.subr

# Service identity consumed by rc.subr.
name=nginx
rcvar="nginx_enable"

# Filesystem locations. The pidfile is derived from the service name and is
# overridden later when a profile is selected.
command=/usr/local/sbin/nginx
required_files="/usr/local/etc/nginx/nginx.conf"
_pidprefix=/var/run
pidfile="$_pidprefix/$name.pid"
# NOTE(review): this scratch directory has a fixed name under /var/tmp, which
# is normally world-writable; nginx_checktmpdir only creates it when missing
# and never re-checks who owns an existing entry.
_tmpprefix=/var/tmp/nginx

# Hook functions that rc.subr runs before, or instead of, the stock actions.
start_precmd=nginx_precmd
restart_precmd=nginx_checkconfig
reload_precmd=nginx_checkconfig
upgrade_precmd=nginx_checkconfig
configtest_cmd=nginx_checkconfig
gracefulstop_cmd=nginx_gracefulstop
upgrade_cmd=nginx_upgrade
startdebug_cmd=nginx_startdebug
stopdebug_cmd=nginx_stopdebug
extra_commands="reload configtest upgrade gracefulstop startdebug stopdebug"

# Subscription certificate inspected by check_trial/verify_cert, and the
# absolute path of the openssl binary used to read it.
OPENSSL=/usr/bin/openssl
SUBS_CERT=/etc/ssl/nginx/nginx-repo.crt
CERT_EXT_CMD="${OPENSSL} x509 -in ${SUBS_CERT} -text -certopt ca_default,no_sigdump,no_serial -noout"

CCA="-----BEGIN CERTIFICATE-----
MIIDjzCCAnegAwIBAgIJAIu3DxpkIGrqMA0GCSqGSIb3DQEBBQUAMF4xCzAJBgNV
BAYTAlJVMQ8wDQYDVQQIDAZNb3Njb3cxDzANBgNVBAcMBk1vc2NvdzESMBAGA1UE
CgwJTkdJTlggSW5jMRkwFwYDVQQDDBBuZ2lueCBjbGllbnRzIENBMB4XDTE0MDQx
MjE3MTIyN1oXDTIyMDQxMjE3MTIyN1owXjELMAkGA1UEBhMCUlUxDzANBgNVBAgM
Bk1vc2NvdzEPMA0GA1UEBwwGTW9zY293MRIwEAYDVQQKDAlOR0lOWCBJbmMxGTAX
BgNVBAMMEG5naW54IGNsaWVudHMgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDEPxQdivul86frKz1THqVDNjmFDWoX23w7ineOYJaCSR3e6SlXDM0B
8Rv1ideNtU4mGAhLL7UaCO7b4kRbLF8AKyNoTXj8xxEGUQosufd5xdAe8P/jXIIi
BqbCp9r8DtablLjzs81B9aXgMpoZgddDNsmIvHQn6qU6UerMLNUcB9LBOA2tbcCM
JkZz/A1bWB7jH2SPOh5nuIfZ8w0at+MKFAhsFMkk1Dtm04lvQamqboUA+whmBCAg
j85ReEOAf0WXMR+ADHfaLFvZ/zP5qhLYA+ebJ8frfbey3vs0DHS9AeKfKbvzBPlL
feTvr039/orWmvAPI3i/i1JdtC5ed4DvAgMBAAGjUDBOMAwGA1UdEwQFMAMBAf8w
HQYDVR0OBBYEFMV07soOaApznZzWDskzQAalCjB6MB8GA1UdIwQYMBaAFMV07soO
aApznZzWDskzQAalCjB6MA0GCSqGSIb3DQEBBQUAA4IBAQAkMsoWHFZCZO8G4yxj
IkfkUSV65JYo4BvvYUgQPwcEtTv8HNyj84Nwh3yXH62FyyZ0z0RMpzUwHkAm8o/y
LNeEeKoh7T4uClZIogTt/fMJ768aod0Ta6u3KAIElvhoFe68jvrjYH/f1JkSetyz
FNokgN1gkPSc9LU9ksquLORE8ooh33yucSr5yFTRnME1yDujPiXgiLjFBcFQ8mE3
2LuerFU1g3NN7ZiB3Tgj4b2iKVGL/nnm8Un8czxU/yekhbTMBEgNPm28770WjwLH
RhwnsNMWK0Wvv0X+xBoqad2ORnK6Yg91ka51NZWVA7EE3Q8EKaM9fX+VWL/JRB/X
R2o2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----"

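# Accept only profile names that are safe to splice into a shell variable
# name (they are passed through eval below) and into the pidfile path:
# non-empty, made of letters, digits and underscores.
_nginx_profile_ok()
{
	case "$1" in
		''|*[!A-Za-z0-9_]*) return 1 ;;
	esac
	return 0
}

# Defaults, applied before rc.conf is read.
: "${nginx_enable:=NO}"
: "${nginxlimits_enable:=NO}"
: "${nginxlimits_args:=-e -U www}"

load_rc_config $name

if [ -n "$2" ]; then
	# Single-profile mode: "$2" names the profile to act on.
	profile="$2"
	if [ -n "${nginx_profiles}" ]; then
		# The profile name comes from the command line and is expanded
		# inside eval and inside a file path, so reject anything that is
		# not a plain identifier fragment before using it.
		if ! _nginx_profile_ok "${profile}"; then
			printf '%s\n' "$0: invalid profile name: ${profile}" >&2
			exit 1
		fi
		pidfile="${_pidprefix}/${nginx_pid_prefix}${profile}.pid"
		eval "nginx_configfile=\"\${nginx_${profile}_configfile:-}\""
		if [ -z "${nginx_configfile}" ]; then
			echo "You must define a configuration file (nginx_${profile}_configfile)"
			exit 1
		fi
		required_files="${nginx_configfile}"
		# Per-profile settings fall back to the global ones. The global
		# value is referenced by name inside the eval'd text rather than
		# pasted into it, so its contents are not parsed as shell code
		# and embedded quotes survive.
		eval "nginx_enable=\"\${nginx_${profile}_enable:-\${nginx_enable}}\""
		eval "nginx_flags=\"\${nginx_${profile}_flags:-\${nginx_flags}}\""
		eval "nginxlimits_enable=\"\${nginxlimits_${profile}_enable:-\${nginxlimits_enable}}\""
		eval "nginxlimits_args=\"\${nginxlimits_${profile}_args:-\${nginxlimits_args}}\""
		# The embedded quotes are resolved later, when nginx_checkconfig
		# evals the command line.
		nginx_flags="-c ${nginx_configfile} -g \"pid ${pidfile};\" ${nginx_flags}"
	else
		echo "$0: extra argument ignored"
	fi
else
	if [ -n "${nginx_profiles}" ] && [ -n "$1" ]; then
		# Fan-out mode: re-run this script once per configured profile.
		# nginx_profiles is a whitespace-separated list, so it is left
		# unquoted here on purpose.
		for profile in ${nginx_profiles}; do
			echo "===> nginx profile: ${profile}"
			/usr/local/etc/rc.d/nginx "$1" "${profile}"
			retcode="$?"
			if [ "0${retcode}" -ne 0 ]; then
				failed="${profile} (${retcode}) ${failed:-}"
			else
				success="${profile} ${success:-}"
			fi
		done
		# Report failure only when at least one profile failed; the
		# collected results were previously discarded and the script
		# always exited 1.
		if [ -n "${failed:-}" ]; then
			printf '%s\n' "$0: failed profiles: ${failed}" >&2
			exit 1
		fi
		exit 0
	fi
fi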

# Create nginx's scratch directory (${_tmpprefix}) when it does not exist,
# owned by www:www with mode 755. The original "tmpfs(5)" remark suggests this
# is for a temp filesystem that starts out empty - TODO confirm.
#
# NOTE(review): an existing entry is accepted as-is. "-d" follows symlinks and
# the owner is not checked, so a directory or link that another local user
# placed under /var/tmp beforehand would be used unchanged.
nginx_checktmpdir()
{
	[ -d "${_tmpprefix}" ] || install -d -o www -g www -m 755 "${_tmpprefix}"
}

# Make sure the scratch directory exists, then run "${command} ... -t" to
# check the configuration. Returns the exit status of that command.
#
# The command line goes through eval because nginx_flags may carry embedded
# double quotes (the profile code builds  -g "pid ...;"  that way). The
# consequence is that everything in nginx_flags is parsed as shell code, so
# rc.conf, where the flags come from, must stay writable by root only.
nginx_checkconfig()
{
	nginx_checktmpdir

	printf '%s\n' "Performing sanity check on nginx configuration:"
	eval ${command} ${nginx_flags} -t
}

# "gracefulstop" action: run the regular stop action with the stop signal
# switched to QUIT. Returns 1 when the stop action fails.
nginx_gracefulstop()
{
	echo "Performing a graceful stop:"
	# Setting the global sig_stop changes the signal used by the stop
	# action that runs next.
	sig_stop="QUIT"
	if ! run_rc_command ${rc_prefix}stop $rc_extra_args; then
		return 1
	fi
}

# "upgrade" action: swap the running nginx binary in two steps by reusing the
# reload action with different signals.
#   1. reload with USR2 against the current pidfile
#   2. after one second, reload with QUIT against "<pidfile>.oldbin"
# Returns 1 as soon as either step fails.
nginx_upgrade()
{
	echo "Upgrading nginx binary:"

	# Clear the reload pre-hook so the config check is not run again for
	# the two internal reload calls.
	sig_reload="USR2"
	reload_precmd=""
	if ! run_rc_command ${rc_prefix}reload $rc_extra_args; then
		return 1
	fi

	# NOTE(review): fixed one-second pause; nothing here checks that the
	# new master is up before the old one is told to quit.
	sleep 1

	echo "Stopping old binary:"

	pidfile="${pidfile}.oldbin"
	sig_reload="QUIT"
	if ! run_rc_command ${rc_prefix}reload $rc_extra_args; then
		return 1
	fi
}

# "startdebug" action: run the regular start action with the nginx-debug
# binary in place of the normal one. Returns 1 when the start action fails.
nginx_startdebug()
{
	echo "Starting nginx-debug:"
	command="/usr/local/sbin/nginx-debug"
	if ! run_rc_command ${rc_prefix}start $rc_extra_args; then
		return 1
	fi
}

# "stopdebug" action: run the regular stop action with the nginx-debug binary
# selected as the command. Returns 1 when the stop action fails.
nginx_stopdebug()
{
	echo "Stopping nginx-debug:"
	command="/usr/local/sbin/nginx-debug"
	if ! run_rc_command ${rc_prefix}stop $rc_extra_args; then
		return 1
	fi
}

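# Print a notice when the subscription certificate ($SUBS_CERT) is a trial or
# developer one, and stop the script when such a certificate has expired.
#
# Returns 1 without printing anything when openssl or the certificate is
# missing, the certificate does not verify against the bundled CA, it carries
# neither marker, or its end date cannot be read. When the certificate has
# expired, the function prints a message and calls "exit 0".
#
# NOTE(review): that exit ends the whole rc script with status 0, so the
# caller sees success although nginx was not started.
check_trial()
{
	test -x "$OPENSSL" || return 1
	test -f "$SUBS_CERT" || return 1
	verify_cert || return 1

	# CERT_EXT_CMD holds a whole command line in one string, so it is left
	# unquoted here on purpose to split into words.
	certext=$($CERT_EXT_CMD)

	# Match on the quoted text. Echoing it unquoted let the shell
	# glob-expand certificate text before it was searched.
	case "$certext" in
		*'Trial subscription'*) subtrial=0 ;;
		*) subtrial=1 ;;
	esac
	case "$certext" in
		*'Developer subscription'*) subtrialdev=0 ;;
		*) subtrialdev=1 ;;
	esac
	[ "$subtrial" -ne 0 ] && [ "$subtrialdev" -ne 0 ] && return 1

	# Use the same absolute openssl path that was checked above instead
	# of whatever "openssl" resolves to through PATH.
	ENDDATE=$("$OPENSSL" x509 -enddate -in "$SUBS_CERT" -noout 2>/dev/null) || return 1
	# Keep only what follows the last "=" of the "notAfter=..." line.
	ENDDATE=${ENDDATE##*=}
	ENDDATE=$(LC_TIME=C date -j -f "%b %d %T %Y %Z" "$ENDDATE" +%s 2>/dev/null) || return 1
	CURDATE=$(date +%s)

	# Both timestamps must be plain digit strings before they are compared.
	case "$ENDDATE$CURDATE" in
		''|*[!0-9]*) return 1;;
	esac

	if [ "$CURDATE" -gt "$ENDDATE" ]; then
		echo
		if [ "$subtrial" -eq 0 ]; then
			echo "Your trial subscription of NGINX Plus has now expired."
			echo "Please see https://www.nginx.com/trial-expired/ for more information."
		fi
		if [ "$subtrialdev" -eq 0 ]; then
			echo "NGINX Plus - Developer Edition"
			echo "ERROR: cannot start, your subscription has expired"
		fi
		echo
		exit 0
	else
		# Whole days left, rounded down.
		EXPDAYS=$(( (ENDDATE - CURDATE) / 86400 ))
		echo
		if [ "$subtrial" -eq 0 ]; then
			echo "Your trial subscription will expire in $EXPDAYS days"
		fi
		if [ "$subtrialdev" -eq 0 ]; then
			echo "NGINX Plus - Developer Edition - for non-production use only"
			echo "Your subscription will expire in $EXPDAYS days"
		fi
		echo
	fi
}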

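# Check that $SUBS_CERT chains to the CA bundle embedded in $CCA.
#
# The bundle is written to a mktemp-created file because "openssl verify"
# takes the CA bundle as a file path. Returns openssl's exit status, or 1
# when the temporary file cannot be created or written. The temporary file
# is removed on every path that reaches the end of the function.
verify_cert()
{
	CCAFILE=$(mktemp /tmp/ccafile.XXXXXX) || return 1
	# Fail closed when the bundle cannot be written out in full.
	if ! printf '%s' "$CCA" >"$CCAFILE"; then
		rm -f -- "$CCAFILE"
		return 1
	fi
	"$OPENSSL" verify -CAfile "$CCAFILE" "$SUBS_CERT" >/dev/null 2>&1
	VALID=$?
	rm -f -- "$CCAFILE"
	return $VALID
}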

# start_precmd hook: print the subscription notice, run the configuration
# check, then apply resource limits when nginxlimits_enable is on.
#
# The results of check_trial and nginx_checkconfig are not examined here.
# Returns 0 when limits are disabled, otherwise the status of the eval.
#
# NOTE(review): the output of /usr/bin/limits is eval'd, and
# nginxlimits_args comes from rc.conf, so that file must be writable by root
# only.
nginx_precmd()
{
	check_trial
	nginx_checkconfig

	checkyesno nginxlimits_enable || return 0
	eval $(/usr/bin/limits ${nginxlimits_args}) 2>/dev/null
}

# Hand the requested action (first command-line argument) to rc.subr. A second
# argument, when present, was already consumed above as the profile name.
run_rc_command "$1"
