Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save bendo01/0450980587ed3369a00affc05c1df364 to your computer and use it in GitHub Desktop.
Save bendo01/0450980587ed3369a00affc05c1df364 to your computer and use it in GitHub Desktop.
This builds NGINX from source with BoringSSL for Debian (alike?) systems with systemd (e.g. Debian Jessie)
#!/bin/bash
LATESTNGINX="1.11.10"
BUILDROOT="/tmp/boring-nginx"
# Pre-req
sudo apt-get update
sudo apt-get upgrade -y
# Install deps
sudo apt-get install -y \
build-essential \
cmake \
git \
gnupg \
gnupg-curl \
golang \
libpcre3-dev \
curl \
zlib1g-dev \
libcurl4-openssl-dev
# make build root dir
mkdir -p $BUILDROOT
cd $BUILDROOT
# Build BoringSSL
git clone https://boringssl.googlesource.com/boringssl
cd boringssl
mkdir build
cd $BUILDROOT/boringssl/build
cmake ..
make
# Make an .openssl directory for nginx and then symlink BoringSSL's include directory tree
mkdir -p "$BUILDROOT/boringssl/.openssl/lib"
cd "$BUILDROOT/boringssl/.openssl"
ln -s ../include include
# Copy the BoringSSL crypto libraries to .openssl/lib so nginx can find them
cd "$BUILDROOT/boringssl"
cp "build/crypto/libcrypto.a" ".openssl/lib"
cp "build/ssl/libssl.a" ".openssl/lib"
# Prep nginx
mkdir -p "$BUILDROOT/nginx"
cd $BUILDROOT/nginx
curl -L -O https://nginx.org/keys/nginx_signing.key
sudo apt-key add nginx_signing.key
curl -L -O "http://nginx.org/download/nginx-$LATESTNGINX.tar.gz"
tar xzf "nginx-$LATESTNGINX.tar.gz"
cd "$BUILDROOT/nginx/nginx-$LATESTNGINX"
# Run the config with default options and append any additional options specified by the above section
sudo ./configure --prefix=/usr/share/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/run/nginx.pid \
--lock-path=/run/lock/subsys/nginx \
--user=www-data \
--group=www-data \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_slice_module \
--with-http_stub_status_module \
--without-select_module \
--without-poll_module \
--without-mail_pop3_module \
--without-mail_imap_module \
--without-mail_smtp_module \
--with-openssl="$BUILDROOT/boringssl" \
--with-cc-opt="-g -O2 -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -I $BUILDROOT/boringssl/.openssl/include/" \
--with-ld-opt="-Wl,-Bsymbolic-functions -Wl,-z,relro -L $BUILDROOT/boringssl/.openssl/lib/" \
# Fix "Error 127" during build
touch "$BUILDROOT/boringssl/.openssl/include/openssl/ssl.h"
# Build nginx
sudo make
sudo make install
# Add systemd service
cat >/lib/systemd/system/nginx.service <<EOL
[Unit]
Description=NGINX with BoringSSL
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/usr/bin/nginx -s stop
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOL
# NOTE: The below fails on Docker containers but i *think* will work elsewhere
# Enable & start service
sudo systemctl enable nginx.service
sudo systemctl start nginx.service
# Finish script
sudo systemctl reload nginx.service
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment