nginx: upgrade pcre to pcre2

[de11n]

Nginx builds with pcre2 by default as of version 1.21.5.

I've tested with both nginx and nginxMainline.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[emilazy]

Do we have a tracking issue for this? I learned the other day that Debian is phasing out PCRE because of security concerns, so we should probably follow suit.

[de11n]

If there is, I'm not aware of it.

[Izorkin]

Do the lua modules work?

[emilazy]

I’ve opened #356387 to track this.

[emilazy]

@Izorkin Debian already started working on removing PCRE in 2021 and the library is EOL. The latest Debian stable release doesn’t ship it at all. I doubt anything significant is broken by this (and anything that is broken by it is probably in a dire maintenance state).

[emilazy]

@ofborg build nginx.passthru.tests

[ulrikstrid]

Should we wait for after the stable release?

[emilazy]

I think the opposite – we should backport this to 24.11 because we’re exposing a library that went EOL in 2021 and hasn’t been updated since to untrusted user input. My previous comment was wrong on the timeline: Debian considered it too risky for that purpose at the time, which is why they’ve already removed it. It’s concerning that we’ve fallen so far behind, especially for something as security‐critical as Nginx.

[ulrikstrid]

Then I think we should go for it

[emilazy]

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 355989

---

x86_64-linux

❌ 2 packages failed to build:

• openresty
• openresty.doc

✅ 17 packages built:

• angie
• angie.doc
• angieQuic
• angieQuic.doc
• devpi-client
• devpi-client.dist
• devpi-server
• devpi-server.dist
• nginx (nginxStable)
• nginx.doc (nginxStable.doc)
• nginxMainline
• nginxMainline.doc
• nginxQuic
• nginxQuic.doc
• nginxShibboleth
• nginxShibboleth.doc
• tests.testers.lycheeLinkCheck.network

Looks like this breaks OpenResty:

./configure: error: the HTTP rewrite module requires the PCRE library.

We can probably backport the upstream fix. (Or just bump to 1.27?)

[emilazy]

cc @thoughtpolice @lblasc @kalekseev for OpenResty

[emilazy]

(Pinging because this would break OpenResty unless we presumably backport a patch from upstream Nginx or perhaps bump the version 😅)

[de11n]

I'll look today.

[de11n]

Upgrading openresty to 1.27.1.1 fixed the build. The NixOS tests also pass.

[emilazy]

Sounds good to me! Looks like it should be backwards‐compatible enough for the backport. I’ll let @lblasc take another look before merging.

[lblasc]

@emilazy sorry, I've reacted too fast on your comment, best way to handle openresty is to bump the version, they don't brake compatibility, should be safe for backporting.

@de11n thx for doing the bump.

[github-actions]

Successfully created backport PR for release-24.11:

• [Backport release-24.11] nginx: upgrade pcre to pcre2 #357304

[SuperSandro2000]

With this change my nginx fails to start with bad system call. I confirmed this by deploying it with an override on pcre2 to pcre.

systemd[1]: nginx.service: Control process exited, code=exited, status=159/n/a
nginx-pre-start[4083150]: /nix/store/pjw413fdjq9fmnr718c6y3mai5v1bgng-unit-script-nginx-pre-start/bin/nginx-pre-start: line 7: 4083151 Bad system call         (core
 dumped) /nix/store/gs6s5r211gbd2banxkfxq80j4nmx6jbh-nginxQuic-1.27.2/bin/nginx -c /etc/nginx/nginx.conf -t
systemd[1]: nginx.service: Failed with result 'exit-code'.

dmesg contains:

audit: type=1326 audit(1732833069.740:14): auid=4294967295 uid=60 gid=60 ses=4294967295 subj=kernel pid=4082877 comm="nginx" exe="/nix/store/gs6s5r211gbd2banxkfxq
80j4nmx6jbh-nginxQuic-1.27.2/bin/nginx" sig=31 arch=c000003e syscall=319 compat=0 ip=0x7fc61bf4ddcb code=0x80000000
audit: type=1326 audit(1732833080.876:15): auid=4294967295 uid=60 gid=60 ses=4294967295 subj=kernel pid=4083151 comm="nginx" exe="/nix/store/gs6s5r211gbd2banxkfxq
80j4nmx6jbh-nginxQuic-1.27.2/bin/nginx" sig=31 arch=c000003e syscall=319 compat=0 ip=0x7f7a0ba68dcb code=0x80000000

syscall 319 maps to memfd_create.

It feels similar to #179444 but neither disabling MemoryDenyWriteExecute nor allowing memfd_create fixed the crash.

[SuperSandro2000]

I did a fix in #360008