Forked from neilstuartcraig/nginx-boringssl-build-script-debian.sh
This builds NGINX from source with BoringSSL on Debian-like systems that use systemd (e.g. Debian Jessie or later). The nginx tarball's PGP signature is verified before building; the BoringSSL commit is whatever the clone's default branch points at unless BORINGSSL_REF is set.
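#!/bin/bash
# Build NGINX from source against BoringSSL on a Debian-like system with
# systemd, install it, and register/start an nginx.service unit.
#
# Usage: ./nginx-boringssl-build-script-debian.sh
#
# Optional environment overrides:
#   LATESTNGINX    nginx version to build. The default below is an old
#                  mainline release; set this to a current, supported version.
#   BORINGSSL_REF  git ref to check out in the BoringSSL clone. BoringSSL has
#                  no releases; pin a commit here for reproducible builds.
#   NGINX_KEY_FPR  expected fingerprint (upper-case hex, no spaces) of the
#                  nginx signing key. When set, the downloaded key must match
#                  it; when unset, the key is trusted on first use.
#   BUILDROOT      build directory (default: a fresh mktemp directory).
#
# Privileges: sudo is used for package installation, `make install`, the unit
# file and systemctl. Cloning, cmake, configure and make run as the invoking
# user — compiling as root gains nothing and widens the blast radius of a
# compromised source tree.
set -euo pipefail

LATESTNGINX="${LATESTNGINX:-1.11.10}"
BORINGSSL_REF="${BORINGSSL_REF:-}"
NGINX_KEY_FPR="${NGINX_KEY_FPR:-}"

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Build in a private, unpredictable directory rather than a fixed /tmp path:
# a fixed name lets any local user pre-create (or symlink) it and influence
# what later gets compiled and installed as root.
if [[ -z "${BUILDROOT:-}" ]]; then
  BUILDROOT="$(mktemp -d "${TMPDIR:-/tmp}/boring-nginx.XXXXXX")"
else
  mkdir -p -- "$BUILDROOT"
fi
readonly LATESTNGINX BORINGSSL_REF NGINX_KEY_FPR BUILDROOT
printf 'building in %s\n' "$BUILDROOT"

# Pre-req: refresh package lists and upgrade the whole system. The upgrade is
# a system-wide side effect inherited from the original recipe; remove it if
# you only want the build dependencies.
sudo apt-get update
sudo apt-get upgrade -y

# Build dependencies. cmake and golang are required by BoringSSL's own build;
# gnupg verifies the nginx tarball signature. gnupg-curl is deliberately not
# listed: the key is fetched with curl below, and the package no longer
# exists on newer Debian releases (it would abort the install under set -e).
sudo apt-get install -y \
  build-essential \
  cmake \
  git \
  gnupg \
  golang \
  libpcre3-dev \
  curl \
  zlib1g-dev \
  libcurl4-openssl-dev

# ---- BoringSSL -------------------------------------------------------------
cd "$BUILDROOT"
git clone https://boringssl.googlesource.com/boringssl
cd boringssl
if [[ -n "$BORINGSSL_REF" ]]; then
  git checkout --quiet "$BORINGSSL_REF"
fi
# Record exactly what was built so the install can be audited or reproduced.
printf 'BoringSSL commit: %s\n' "$(git rev-parse HEAD)"
mkdir -p build
cd build
# Position-independent objects are required for nginx to be linked as a PIE
# (see the -pie linker flag below) on toolchains that do not default to it.
cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_POSITION_INDEPENDENT_CODE=ON ..
make

# nginx's --with-openssl expects an OpenSSL-style tree with .openssl/include
# and .openssl/lib; fake one by symlinking BoringSSL's headers and copying
# its static libraries there.
mkdir -p "$BUILDROOT/boringssl/.openssl/lib"
ln -sfn ../include "$BUILDROOT/boringssl/.openssl/include"
# The static libraries have been emitted under build/crypto/ and build/ssl/
# by some BoringSSL revisions and directly under build/ by others; locate
# them instead of assuming one layout.
for lib in libcrypto.a libssl.a; do
  src="$(find "$BUILDROOT/boringssl/build" -name "$lib" -print -quit)"
  [[ -n "$src" ]] || die "BoringSSL build did not produce $lib"
  cp -- "$src" "$BUILDROOT/boringssl/.openssl/lib/"
done

# ---- nginx source ----------------------------------------------------------
mkdir -p "$BUILDROOT/nginx"
cd "$BUILDROOT/nginx"
# --fail turns HTTP errors into curl errors (otherwise an error page would be
# saved as the tarball); --proto '=https' forbids a redirect back to http.
CURL=(curl --fail --silent --show-error --location --proto '=https' --tlsv1.2)
"${CURL[@]}" -O "https://nginx.org/keys/nginx_signing.key"
"${CURL[@]}" -O "https://nginx.org/download/nginx-$LATESTNGINX.tar.gz"
"${CURL[@]}" -O "https://nginx.org/download/nginx-$LATESTNGINX.tar.gz.asc"

# Verify the tarball's detached signature with the nginx signing key in a
# throwaway GNUPGHOME, so nothing is added to the user's keyring or to apt's
# trusted keys. (The original `apt-key add` trusted this key for every apt
# repository on the host and never checked the tarball at all.)
gnupg_tmp="$(mktemp -d)"
export GNUPGHOME="$gnupg_tmp"
gpg --batch --quiet --import nginx_signing.key
if [[ -n "$NGINX_KEY_FPR" ]]; then
  # The key was fetched over the same channel as the tarball; only an
  # out-of-band fingerprint turns this from trust-on-first-use into a check.
  gpg --batch --with-colons --fingerprint | grep -q ":${NGINX_KEY_FPR}:" \
    || die "downloaded nginx signing key does not match NGINX_KEY_FPR"
fi
# gpg exits non-zero for a bad or unknown signature; an "untrusted key"
# warning is expected here and does not affect the exit status.
gpg --batch --verify "nginx-$LATESTNGINX.tar.gz.asc" "nginx-$LATESTNGINX.tar.gz" \
  || die "signature verification failed for nginx-$LATESTNGINX.tar.gz"
unset GNUPGHOME
rm -rf -- "${gnupg_tmp:?}"

tar xzf "nginx-$LATESTNGINX.tar.gz"
cd "$BUILDROOT/nginx/nginx-$LATESTNGINX"

# ---- configure & build (as the invoking user, no sudo needed) -------------
# Hardening: -fPIE alone does not produce a PIE executable, the linker also
# needs -pie; -z,now pairs with -z,relro for full RELRO. The -I/-L paths point
# nginx at the fake OpenSSL tree prepared above.
./configure --prefix=/usr/share/nginx \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/run/nginx.pid \
  --lock-path=/run/lock/subsys/nginx \
  --user=www-data \
  --group=www-data \
  --with-threads \
  --with-file-aio \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_slice_module \
  --with-http_stub_status_module \
  --without-select_module \
  --without-poll_module \
  --without-mail_pop3_module \
  --without-mail_imap_module \
  --without-mail_smtp_module \
  --with-openssl="$BUILDROOT/boringssl" \
  --with-cc-opt="-g -O2 -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -I $BUILDROOT/boringssl/.openssl/include/" \
  --with-ld-opt="-pie -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -L $BUILDROOT/boringssl/.openssl/lib/"

# nginx's --with-openssl rule tries to (re)build OpenSSL inside that tree,
# which BoringSSL cannot do ("Error 127"). Marking the header as up to date
# makes make skip that step and link the libraries copied above instead.
touch "$BUILDROOT/boringssl/.openssl/include/openssl/ssl.h"

make
sudo make install

# ---- systemd unit ----------------------------------------------------------
# Locally managed units belong in /etc/systemd/system; /lib/systemd/system is
# owned by distribution packages and may be overwritten by them. The heredoc
# delimiter is quoted so nothing inside is expanded by the shell. Paths must
# match the --sbin-path and --pid-path given to ./configure above.
sudo tee /etc/systemd/system/nginx.service >/dev/null <<'EOL'
[Unit]
Description=NGINX with BoringSSL
Documentation=https://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/usr/sbin/nginx -s stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOL

# NOTE: the steps below fail inside Docker containers (no systemd) but work
# on a regular systemd host. daemon-reload is required for a newly written
# unit file to be picked up.
sudo systemctl daemon-reload
sudo systemctl enable nginx.service
sudo systemctl start nginx.service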