-
-
Save MatthewVance/dcc377523ca1b1159ded to your computer and use it in GitHub Desktop.
| #!/usr/bin/env bash | |
| # make script exit if a simple command fails and | |
| # make script print commands being executed | |
| set -e -x | |
| # names of latest versions of each package | |
| export VERSION_PCRE=pcre-8.38 | |
| export VERSION_OPENSSL=openssl-1.0.2f | |
| export VERSION_NGINX=nginx-1.9.11 | |
| # checksums of latest versions of each package | |
| export SHA256_PCRE=9883e419c336c63b0cb5202b09537c140966d585e4d0da66147dc513da13e629 | |
| export SHA256_OPENSSL=932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c | |
| export SHA256_NGINX=6a5c72f4afaf57a6db064bba0965d72335f127481c5d4e64ee8714e7b368a51f | |
| # URLs to the source directories | |
| export SOURCE_OPENSSL=https://www.openssl.org/source/ | |
| export SOURCE_PCRE=ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/ | |
| export SOURCE_NGINX=http://nginx.org/download/ | |
| # make a 'today' variable for use in back-up filenames later | |
| today=$(date +"%Y-%m-%d") | |
| # clean out any files from previous runs of this script | |
| rm -rf build | |
| rm -rf /etc/nginx-default | |
| mkdir build | |
| # ensure that we have the required software to compile our own nginx | |
| apt-get update && apt-get -y install \ | |
| build-essential \ | |
| curl \ | |
| libssl-dev \ | |
| libxslt1-dev | |
| # grab the source files | |
| curl -L $SOURCE_PCRE$VERSION_PCRE.tar.gz -o ./build/PCRE.tar.gz && \ | |
| echo "${SHA256_PCRE} ./build/PCRE.tar.gz" | sha256sum -c - | |
| curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz -o ./build/OPENSSL.tar.gz && \ | |
| echo "${SHA256_OPENSSL} ./build/OPENSSL.tar.gz" | sha256sum -c - | |
| curl -L $SOURCE_NGINX$VERSION_NGINX.tar.gz -o ./build/NGINX.tar.gz && \ | |
| echo "${SHA256_NGINX} ./build/NGINX.tar.gz" | sha256sum -c - | |
| # expand the source files | |
| cd build | |
| tar xzf PCRE.tar.gz | |
| tar xzf OPENSSL.tar.gz | |
| tar xzf NGINX.tar.gz | |
| cd ../ | |
| # set where OpenSSL and nginx will be built | |
| export BPATH=$(pwd)/build | |
| export STATICLIBSSL="$BPATH/staticlibssl" | |
| # build static openssl | |
| cd $BPATH/$VERSION_OPENSSL | |
| rm -rf "$STATICLIBSSL" | |
| mkdir "$STATICLIBSSL" | |
| make clean | |
| ./config --prefix=$STATICLIBSSL no-shared no-ssl2 no-ssl3 no-idea \ | |
| && make depend \ | |
| && make \ | |
| && make install_sw | |
| # rename the existing /etc/nginx directory so it's saved as a back-up | |
| mv /etc/nginx /etc/nginx-$today | |
| # build nginx, with various modules included/excluded | |
| cd $BPATH/$VERSION_NGINX | |
| mkdir -p $BPATH/nginx | |
| ./configure --with-cc-opt="-I $STATICLIBSSL/include -I/usr/include" \ | |
| --with-ld-opt="-L $STATICLIBSSL/lib -Wl,-rpath -lssl -lcrypto -ldl -lz" \ | |
| --with-pcre=$BPATH/$VERSION_PCRE \ | |
| --sbin-path=/usr/sbin/nginx \ | |
| --conf-path=/etc/nginx/nginx.conf \ | |
| --error-log-path=/var/log/nginx/error.log \ | |
| --http-log-path=/var/log/nginx/access.log \ | |
| --pid-path=/var/run/nginx.pid \ | |
| --lock-path=/var/run/nginx.lock \ | |
| --http-client-body-temp-path=/var/cache/nginx/client_temp \ | |
| --http-proxy-temp-path=/var/cache/nginx/proxy_temp \ | |
| --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \ | |
| --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \ | |
| --http-scgi-temp-path=/var/cache/nginx/scgi_temp \ | |
| --with-http_ssl_module \ | |
| --with-http_realip_module \ | |
| --with-http_sub_module \ | |
| --with-http_mp4_module \ | |
| --with-http_gunzip_module \ | |
| --with-http_gzip_static_module \ | |
| --with-http_secure_link_module \ | |
| --with-http_stub_status_module \ | |
| --with-http_auth_request_module \ | |
| --with-file-aio \ | |
| --without-mail_imap_module \ | |
| --without-mail_pop3_module \ | |
| --without-mail_smtp_module \ | |
| --with-http_v2_module \ | |
| --with-ipv6 \ | |
| --with-threads \ | |
| --with-stream \ | |
| --with-stream_ssl_module \ | |
| --with-http_slice_module \ | |
| && make && make install | |
| # rename the compiled 'default' /etc/nginx directory so its accessible as a reference to the new nginx defaults | |
| mv /etc/nginx /etc/nginx-default | |
| # now restore the previous version of /etc/nginx to /etc/nginx so the old settings are kept | |
| mv /etc/nginx-$today /etc/nginx | |
| echo "All done."; | |
| echo "This build has not edited your existing /etc/nginx directory."; | |
| echo "If things aren't working now you may need to refer to the"; | |
| echo "configuration files the new nginx ships with as defaults,"; | |
| echo "which are available at /etc/nginx-default"; | |
You're welcome @harrygg though the original author deserves most of the credit. I've updated this to NGINX 1.9.11. I also removed a few modules I didn't need/want so be cognizant of that if you update with the latest version of the script. With the new dynamic modules feature introduced in 1.9.11, adding modules back in should be easier (at least for ones that have been converted to support it).
I should also mention I copied this over to a traditional repo because I prefer to work from there than on Gist (I didn't know a way to fork from a gist to a repo or I would have done it). I plan to make future updates on the new repo at https://github.com/MatthewVance/nginx-build. At the current moment, they're essentially the same. One difference is I forgot to remove the libssl-dev and libxslt1-dev packages when removing the xslt module from this version, but did not in the other one.
Hello Matthew, I'm using the gist from Matt for a while now, works fine. Added some custom modules to it. But I do have a question. Building takes a very long time, mostly because of OpenSSL. What exactly is the reason to build OpenSSL with it, instead of the already installed versions on the server?
If I wanted to leave that part out, which parts should I change?
Hi @Tralapo, I apologize for the slow response. I missed the notification and it hasn't helped that I quit paying attention to this gist after moving this script to a full repo at https://github.com/MatthewVance/nginx-build.
To answer your question, the reason to build OpenSSL with it is to ensure NGINX has the latest version of OpenSSL with some basic security options (e.g., no SSLv2 and SSLv3 protocol support...which proved prudent given the recent DROWN attack). This means if NGINX is built without statically compiling and linking OpenSSL, NGINX would make use of the system version. Most traditional distros (i.e., non-rolling releases) usually only have an older version of OpenSSL available in their repos. For example, my install of Ubuntu 16.04 has OpenSSL 1.0.2g-fips (openssl version) installed on it whereas the current version of this script would allow NGINX to use OpenSSL 1.0.2h (nginx -V). My up-to-date install of Raspbian Jessie Lite OpenSSL 1.0.1t.
All that being said, removing the OpenSSL parts of the script and having NGINX use the system version of OpenSSL isn't necessarily a bad thing since most distros back port security updates, but you won't be able to use all the latest ciphers, etc. You'd have to check the OpenSSL change logs and your distros OpenSSL compile options to see if you care about any of the OpenSSL features you'd miss (most likely not if you're not a security geek like me).
Since it sounds like compile time is a concern (I agree it is slow, especially on the Raspbery Pi), be sure to look into NGINX's recently added support for dynamic modules. At least for some third-party and native modules, you don't have to recompile NGINX to add new features.
Thanks. This is the first time these type of scripts actually work without any modifications from my side. Nginx is already 1.9.11.