
@alsyundawy
Forked from leonklingele/build_nginx.sh
Last active September 10, 2021 21:02
#!/usr/bin/env bash
# Strict mode: abort on errors (-e) and unset variables (-u), disable
# globbing (-f), and make a pipeline fail when any stage fails.
set -eufo pipefail

# Privileged commands are prefixed with $SUDO: it stays empty when the script
# already runs as root and becomes "sudo" otherwise.
SUDO=""
if (( EUID != 0 )); then
  SUDO="sudo"
  # The lookup stays inside the test so that a missing sudo reaches the
  # error message below instead of tripping `set -e` silently.
  if [[ ! -x "$(command -v "$SUDO")" ]]; then
    printf '%s\n' "Error: Running script as non-root and $SUDO is not installed. Exiting." >&2
    exit 1
  fi
fi
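#######################################
# Put the operator's nginx configuration back in place.
# If /etc/nginx-bk exists, the current /etc/nginx (the freshly installed
# defaults) is kept as /etc/nginx-default and the backup becomes /etc/nginx
# again. Does nothing when there is no backup, so it is safe to call twice.
# Globals:   SUDO (read)
#######################################
_restore_nginx_config() {
  if [ -d /etc/nginx-bk ]; then
    # remove the old default nginx config directory generated by previous runs
    $SUDO rm -rf /etc/nginx-default
    # keep the compiled defaults around as a reference
    if [ -d /etc/nginx ]; then
      $SUDO mv /etc/nginx /etc/nginx-default
    fi
    # restore the backup so the old configuration is kept
    $SUDO mv /etc/nginx-bk /etc/nginx
  fi
}

#######################################
# Download, verify, build and install nginx with a statically linked
# LibreSSL and a bundled PCRE, then hand over to upgrade_binary.
#
# Operational notes:
#   * LibreSSL is compiled into the nginx binary, so TLS library fixes from
#     the distribution's package manager do not reach this nginx; the script
#     has to be re-run with newer pinned versions.
#   * The SHA-256 values passed to download belong to exactly the pinned
#     tarballs below; versions and hashes must be updated together, and the
#     hashes should come from a source you trust independently of the
#     download server.
#
# Globals:   SUDO (read; intentionally expanded unquoted so that an empty
#            value disappears from the command line)
# Arguments: none are read
# Returns:   aborts (set -e) on the first failing step
#######################################
main() {
  # pinned release of each package
  local NGINX_VERSION=1.21.3
  local VERSION_NGINX=nginx-$NGINX_VERSION
  local VERSION_LIBRESSL=libressl-3.3.4
  local VERSION_PCRE=pcre-8.45

  # URLs to the source directories
  local SOURCE_NGINX=https://nginx.org/download/
  local SOURCE_LIBRESSL=https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/
  local SOURCE_PCRE=https://ftp.pcre.org/pub/pcre/

  # set where LibreSSL and nginx will be built; declared separately so a
  # failing pwd is not masked by `local`
  local BPATH
  BPATH=$(pwd)/build
  local STATICLIBSSL=$BPATH/$VERSION_LIBRESSL

  # clean out any files from previous runs of this script
  rm -rf -- "$BPATH"
  mkdir -- "$BPATH"

  # ensure that we have the required software to compile our own nginx.
  # Two separate statements: in `a && b` a failure of `a` is ignored by
  # `set -e`, and the script would carry on without its build dependencies.
  $SUDO apt-get update
  $SUDO apt-get -y install --no-install-recommends ca-certificates wget build-essential libgd-dev libgeoip-dev checkinstall libxslt1-dev make gcc zlib1g-dev

  # grab the source files; each tarball is checked against its pinned SHA-256
  # before anything is unpacked
  echo "Download sources"
  download "$SOURCE_NGINX$VERSION_NGINX.tar.gz" ./build "14774aae0d151da350417efc4afda5cce5035056e71894836797e1f6e2d1175a"
  download "$SOURCE_LIBRESSL$VERSION_LIBRESSL.tar.gz" ./build "bcce767a3fed252bfd1210f8a7e3505a2b54d3008f66e43d9b95e3f30c072931"
  download "$SOURCE_PCRE$VERSION_PCRE.tar.gz" ./build "4e6ce03e0336e8b4a3d6c2b70b1c5e18590a5673a98186da90d4f33c23defc09"

  # expand the source files
  tar xzf "$BPATH/$VERSION_NGINX.tar.gz" -C "$BPATH"
  tar xzf "$BPATH/$VERSION_LIBRESSL.tar.gz" -C "$BPATH"
  tar xzf "$BPATH/$VERSION_PCRE.tar.gz" -C "$BPATH"

  # build static LibreSSL
  echo "Configure & Build LibreSSL"
  cd "$STATICLIBSSL"
  # NOTE(review): confirm the LibreSSL tarball really ships a `config`
  # script; its autotools entry point is usually named `configure`.
  ./config LDFLAGS=-lrt --prefix="${STATICLIBSSL}/.openssl/"
  make install-strip

  # make the current live nginx the new back-up nginx. The EXIT trap puts the
  # configuration back if any later step aborts the script, so a failed build
  # does not leave the server with an empty /etc/nginx.
  if [ -d /etc/nginx ]; then
    $SUDO mv /etc/nginx /etc/nginx-bk
    trap _restore_nginx_config EXIT
    $SUDO mkdir /etc/nginx
  fi

  # build nginx, with various modules included/excluded
  echo "Configure & Build Nginx"
  cd "$BPATH/$VERSION_NGINX"
  ./configure \
    --prefix=/etc/nginx \
    --sbin-path=/usr/sbin/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/run/nginx.pid \
    --lock-path=/var/run/nginx.lock \
    --http-client-body-temp-path=/var/cache/nginx/client_temp \
    --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
    --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
    --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
    --user=nginx \
    --group=nginx \
    --with-http_ssl_module \
    --with-http_realip_module \
    --with-http_addition_module \
    --with-http_sub_module \
    --with-http_dav_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_secure_link_module \
    --with-http_stub_status_module \
    --with-http_auth_request_module \
    --with-file-aio \
    --with-http_v2_module \
    --with-ld-opt="-lrt" \
    --with-openssl="$STATICLIBSSL" \
    --with-pcre="$BPATH/$VERSION_PCRE" \
    --with-pcre-jit

  # presumably refreshes the header's timestamp so that nginx's make treats
  # the LibreSSL built above as up to date -- confirm against the Makefile
  touch "$STATICLIBSSL/.openssl/include/openssl/ssl.h"

  # Separate statements again: a failed `make` must stop the script before
  # anything is installed or any signal is sent to the running server.
  make
  $SUDO checkinstall --pkgname="nginx-libressl" --pkgversion="$NGINX_VERSION" \
    --provides="nginx" --requires="libc6, libpcre3, zlib1g" --strip=yes \
    --stripso=yes --backup=yes -y --install=yes

  # normal path: restore the configuration now and disarm the trap
  _restore_nginx_config
  trap - EXIT

  echo "All done."
  echo "This build has not edited your existing /etc/nginx directory."
  echo "If things aren't working now you may need to refer to the"
  echo "configuration files the new nginx ships with as defaults,"
  echo "which are available at /etc/nginx-default"

  # runtime directories and the unprivileged account named in --user/--group
  $SUDO mkdir -p /var/log/nginx /var/cache/nginx
  $SUDO adduser --system --group --disabled-login --no-create-home --shell /bin/false nginx

  upgrade_binary
}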
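#######################################
# Fetch a file and verify it against a pinned SHA-256 digest.
# The file is written to an explicit path, so the digest is always computed
# over the bytes fetched by this call and never over an older file of the
# same name. A file that fails the download or the check is deleted, and the
# script exits with a non-zero status so callers and CI see the failure.
# Arguments:
#   $1 - URL to fetch; its last path component becomes the file name
#   $2 - existing directory to store the file in
#   $3 - expected SHA-256 digest, 64 lowercase hex characters
# Outputs:   progress on stdout, failures on stderr
# Returns:   0 when the digest matches; exits 1 otherwise
#######################################
download() {
  local url=$1
  local target=$2
  local expected_checksum=$3
  local filename=${url##*/}
  local path=$target/$filename
  local checksum

  echo "Downloading $url"
  if ! wget --quiet -O "$path" "$url"; then
    echo "Download of ${url} failed" >&2
    rm -f -- "$path"
    exit 1
  fi

  # declared above and assigned here so a failing pipeline is not masked
  checksum=$(sha256sum --binary <"$path" | cut --bytes=1-64)
  if [ "$checksum" != "$expected_checksum" ]; then
    echo "Checksum for ${filename} did not match" >&2
    # do not leave an unverified archive where it could be unpacked later
    rm -f -- "$path"
    exit 1
  fi
  echo "Checksum ok"
}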
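#######################################
# Switch a running nginx to the newly installed binary by signalling the
# master process: USR2 to the current master, then WINCH and QUIT to the old
# one once the new pid file has appeared.
# Does nothing when /run/nginx.pid is absent.
# Failure paths exit with status 1, so a failed hand-over is not reported
# as success to the caller.
# Globals:   SUDO (read; signals go through it so the script also works for
#            a non-root user, and it is expanded unquoted on purpose so an
#            empty value disappears)
# Outputs:   progress on stdout, failures on stderr
# Returns:   0 after the hand-over or when nginx is not running
#######################################
upgrade_binary() {
  local pid_file=/run/nginx.pid
  local old_pid_file=/run/nginx.pid.oldbin
  local master_pid old_pid

  if [ ! -f "$pid_file" ]; then
    return 0
  fi

  # the value is handed to kill with elevated rights: accept digits only
  master_pid=$(cat "$pid_file")
  case "$master_pid" in
    '' | *[!0-9]*)
      echo "Unexpected content in $pid_file" >&2
      exit 1
      ;;
  esac

  echo "Sending USR2 to old binary"
  ${SUDO:-} kill -USR2 "$master_pid"

  echo "Sleeping 3 seconds before pid-files checking"
  sleep 3

  if [ ! -f "$old_pid_file" ]; then
    echo "File with old pid not found" >&2
    exit 1
  fi
  if [ ! -f "$pid_file" ]; then
    echo "New binary failed to start" >&2
    exit 1
  fi

  old_pid=$(cat "$old_pid_file")
  case "$old_pid" in
    '' | *[!0-9]*)
      echo "Unexpected content in $old_pid_file" >&2
      exit 1
      ;;
  esac

  echo "Sleeping 3 seconds before WINCH"
  sleep 3
  ${SUDO:-} kill -WINCH "$old_pid"

  echo "Sending QUIT to old binary"
  ${SUDO:-} kill -QUIT "$old_pid"

  echo "Upgrade completed. New binary up and running."
}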
# Entry point: run the build, passing the script's arguments through
# (main itself does not read any of them).
main "$@"