Last active
October 23, 2019 08:42
-
-
Save bsemot/6c26621a5c1efc9e87f1d348bc37f536 to your computer and use it in GitHub Desktop.
Ubuntu 16.04 - Nginx Build Script ( http2, page-speed, pcre, headers-more, geoip )
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -e | |
| # directory config | |
| SRC_ROOT=/tmp | |
| SERVICE_ROOT=/lib/systemd/system | |
| NGINX_ROOT=/etc/nginx | |
| REDIS_ROOT=/etc/redis | |
| # versions config | |
| NPS_VERSION=1.12.34.1 # nginx_pagespeed module | |
| NHM_VERSION=0.32 # nginx_headers_more module | |
| PCRE_VERSION=8.40 # pcre perl regex module for regex rules on location directive | |
| NGINX_VERSION=1.12.0 | |
| PHP_VERSION=7.1 | |
| TIMEZONE=Europe/Amsterdam | |
| # url config | |
| NPS_DOWNLOAD_URL=https://github.com/pagespeed/ngx_pagespeed/archive/v${NPS_VERSION}-beta.zip | |
| HEADERS_MODULE_DOWNLOAD_URL=https://github.com/openresty/headers-more-nginx-module/archive/v${NHM_VERSION}.tar.gz | |
| PCRE_MODULE_DOWNLOAD_URL=https://ftp.pcre.org/pub/pcre/pcre-${PCRE_VERSION}.tar.gz | |
| NGINX_DOWNLOAD_URL=http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz | |
| REDIS_DOWNLOAD_URL=http://download.redis.io/redis-stable.tar.gz | |
| install_pkg() | |
| { | |
| echo "Updating Repository" | |
| apt-get update | |
| apt-get upgrade | |
| echo "Installing base / required packages & libs" | |
| apt-get install -y openssl libssl-dev build-essential zlib1g-dev libpcre3 libpcre3-dev libgeoip-dev unzip git | |
| } | |
| install_nginx() | |
| { | |
| echo "Start downloading resources" | |
| echo "Sources will be downloaded to ${SRC_ROOT}" | |
| cd ${SRC_ROOT} | |
| # download nginx_pagespeed module source & unzip it | |
| echo "Downloading file v${NPS_VERSION}-beta.zip for google page speed module" | |
| wget ${NPS_DOWNLOAD_URL} | |
| unzip v${NPS_VERSION}-beta.zip | |
| cd ngx_pagespeed-${NPS_VERSION}-beta/ | |
| # download psol / page speed optimization library | |
| psol_url=https://dl.google.com/dl/page-speed/psol/${NPS_VERSION}.tar.gz | |
| [ -e scripts/format_binary_url.sh ] && psol_url=$(scripts/format_binary_url.sh PSOL_BINARY_URL) | |
| wget ${psol_url} | |
| tar -xzvf $(basename ${psol_url}) # extracts to psol/ | |
| # download nginx_headers_more module | |
| cd ${SRC_ROOT} | |
| echo "Downloading file v${NHM_VERSION}.tar.gz for headers more module" | |
| wget ${HEADERS_MODULE_DOWNLOAD_URL} | |
| tar -zxvf v${NHM_VERSION}.tar.gz | |
| # download pcre module | |
| cd ${SRC_ROOT} | |
| echo "Downloading file pcre-${PCRE_VERSION}.tar.gz for pcre module" | |
| wget ${PCRE_MODULE_DOWNLOAD_URL} | |
| tar -zxvf pcre-${PCRE_VERSION}.tar.gz | |
| # download nginx itself | |
| cd ${SRC_ROOT} | |
| echo "Downloading file nginx-${NGINX_VERSION}.tar.gz" | |
| wget ${NGINX_DOWNLOAD_URL} | |
| tar -xvzf nginx-${NGINX_VERSION}.tar.gz | |
| cd nginx-${NGINX_VERSION}/ | |
| # TODO:// Add libmodsecurity | |
| # https://www.howtoforge.com/tutorial/nginx-with-libmodsecurity-and-owasp-modsecurity-core-rule-set-on-ubuntu-1604/ | |
| echo "Configuring Nginx" | |
| ./configure \ | |
| --prefix=${NGINX_ROOT} \ | |
| --conf-path=${NGINX_ROOT}/nginx.conf \ | |
| --sbin-path=/usr/sbin/nginx \ | |
| --pid-path=/var/run/nginx.pid \ | |
| --lock-path=/var/run/nginx.lock \ | |
| --error-log-path=/var/log/nginx/error.log \ | |
| --http-log-path=/var/log/nginx/access.log \ | |
| --with-http_v2_module \ | |
| --with-http_ssl_module \ | |
| --with-http_realip_module \ | |
| --with-http_gzip_static_module \ | |
| --with-http_stub_status_module \ | |
| --with-http_sub_module \ | |
| --with-file-aio \ | |
| --with-http_addition_module \ | |
| --with-http_geoip_module \ | |
| --with-pcre=${SRC_ROOT}/pcre-${PCRE_VERSION} \ | |
| --add-module=${SRC_ROOT}/ngx_pagespeed-${NPS_VERSION}-beta \ | |
| --add-module=${SRC_ROOT}/headers-more-nginx-module-${NHM_VERSION} | |
| echo "Compiling Nginx" | |
| make | |
| echo "Installing Nginx" | |
| make install | |
| } | |
| service_nginx() | |
| { | |
| echo "Setting Nginx as a service" | |
| cd ${SERVICE_ROOT} | |
| # create nginx service file and write into it | |
| touch nginx.service | |
| echo "[Unit]" >> nginx.service | |
| echo "Description=The NGINX HTTP and reverse proxy server" >> nginx.service | |
| echo "After=syslog.target network.target remote-fs.target nss-lookup.target" >> nginx.service | |
| echo "" >> nginx.service | |
| echo "[Service]" >> nginx.service | |
| echo "Type=forking" >> nginx.service | |
| echo "PIDFile=/run/nginx.pid" >> nginx.service | |
| echo "ExecStartPre=/usr/sbin/nginx -t" >> nginx.service | |
| echo "ExecStart=/usr/sbin/nginx" >> nginx.service | |
| echo "ExecReload=/bin/kill -s HUP $MAINPID" >> nginx.service | |
| echo "ExecStop=/bin/kill -s QUIT $MAINPID" >> nginx.service | |
| echo "PrivateTmp=true" >> nginx.service | |
| echo "" >> nginx.service | |
| echo "[Install]" >> nginx.service | |
| echo "WantedBy=multi-user.target" >> nginx.service | |
| systemctl enable nginx.service | |
| systemctl start nginx.service | |
| } | |
| configure_nginx() | |
| { | |
| # we need binary ip-country .dat files to gather country information of user from his/her ip | |
| # download maxmind geoip binary database files from https://dev.maxmind.com/geoip/legacy/geolite/ | |
| # if you need city information, change the below files with the city ones which are relatively bigger | |
| cd ${SRC_ROOT} | |
| wget -N http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz # ipv4 | |
| gunzip GeoIP.dat.gz | |
| mkdir ${NGINX_ROOT}/geoip | |
| mv GeoIP.dat ${NGINX_ROOT}/geoip/GeoIP.dat | |
| wget -N http://geolite.maxmind.com/download/geoip/database/GeoIPv6.dat.gz # ipv6 | |
| gunzip GeoIPv6.dat.gz | |
| mv GeoIPv6.dat ${NGINX_ROOT}/geoip/GeoIPv6.dat | |
| } | |
| secure_nginx() | |
| { | |
| echo "Securing nginx" | |
| mkdir ${NGINX_ROOT}/ssl | |
| # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | |
| sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 | |
| # TODO:// we need to add the following line into nginx.conf | |
| # ssl_dhparam /etc/nginx/ssl/dhparam.pem; | |
| } | |
| install_redis() | |
| { | |
| echo "Installing latest stable Redis-server" | |
| cd ${SERVICE_ROOT} | |
| # download and extract redis | |
| wget ${REDIS_DOWNLOAD_URL} | |
| tar xzvf redis-stable.tar.gz | |
| cd redis-stable | |
| echo "Compiling Redis" | |
| make | |
| echo "Installing Redis" | |
| make install | |
| mkdir ${REDIS_ROOT} | |
| cp ${SERVICE_ROOT}/redis-stable/redis.conf ${REDIS_ROOT} | |
| # edit redis config file | |
| sed -i "s/supervised no/supervised systemd/g" ${REDIS_ROOT}/redis.conf | |
| sed -i "s/dir .\//dir \/var\/lib\/redis/g" ${REDIS_ROOT}/redis.conf | |
| # create user for redis | |
| adduser --system --group --no-create-home redis | |
| # create a redis writable directory for dump persistant data | |
| mkdir /var/lib/redis | |
| chown redis:redis /var/lib/redis | |
| } | |
| service_redis() | |
| { | |
| echo "Setting Redis as a service" | |
| cd ${SERVICE_ROOT} | |
| # create nginx service file and write into it | |
| touch redis.service | |
| echo "[Unit]" >> redis.service | |
| echo "Description=Redis In-Memory Data Store" >> redis.service | |
| echo "After=network.target" >> redis.service | |
| echo "" >> redis.service | |
| echo "[Service]" >> redis.service | |
| echo "User=redis" >> redis.service | |
| echo "Group=redis" >> redis.service | |
| echo "ExecStart=/usr/local/bin/redis-server ${REDIS_ROOT}/redis.conf" >> redis.service | |
| echo "ExecStop=/usr/local/bin/redis-cli shutdown" >> redis.service | |
| echo "Restart=always" >> redis.service | |
| echo "" >> redis.service | |
| echo "[Install]" >> redis.service | |
| echo "WantedBy=multi-user.target" >> redis.service | |
| systemctl enable redis.service | |
| systemctl start redis.service | |
| } | |
| install_php() | |
| { | |
| echo "Installing php version ${PHP_VERSION}" | |
| # adding php 7 repository and updating the the source list | |
| add-apt-repository ppa:ondrej/php | |
| apt-get update | |
| # install the php packages | |
| apt-get install -y php${PHP_VERSION}-fpm \ | |
| php${PHP_VERSION}-cli \ | |
| php${PHP_VERSION}-curl \ | |
| php${PHP_VERSION}-mbstring \ | |
| php${PHP_VERSION}-mcrypt \ | |
| php${PHP_VERSION}-mysql \ | |
| php${PHP_VERSION}-pgsql \ | |
| php${PHP_VERSION}-xml \ | |
| php${PHP_VERSION}-zip \ | |
| php${PHP_VERSION}-intl \ | |
| php${PHP_VERSION}-gd \ | |
| php${PHP_VERSION}-soap \ | |
| php${PHP_VERSION}-json \ | |
| php${PHP_VERSION}-opcache \ | |
| php${PHP_VERSION}-xdebug \ | |
| php${PHP_VERSION}-redis | |
| # Install composer | |
| cd ${SRC_ROOT} | |
| curl -sS http://getcomposer.org/installer | php | |
| mv composer.phar /usr/local/bin/composer | |
| # some additional php settings if you care | |
| sed -i "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g" /etc/php/{PHP_VERSION}/cli/php.ini | |
| sed -i "s/opcache.enable=0/opcache.enable=1/g" /etc/php/{PHP_VERSION}/cli/php.ini | |
| sed -i "s/;date.timezone =/date.timezone = ${TIMEZONE}/g" /etc/php/{PHP_VERSION}/cli/php.ini | |
| sed -i "s/memory_limit = 128M/memory_limit = 512M /g" /etc/php/{PHP_VERSION}/fpm/php.ini | |
| #TODO:// set the session_save_handler to redis | |
| # session.save_handler = redis | |
| # session.save_path = "tcp://127.0.0.1:6379" | |
| # restart php-fpm | |
| sudo service php{PHP_VERSION}-fpm restart | |
| } | |
| cleanup() | |
| { | |
| echo "Cleaning directory ${SRC_ROOT}" | |
| rm -rf ${SRC_ROOT}/* | |
| } | |
| #-- Function calls and flow of execution --# | |
| # install packages | |
| install_pkg | |
| # install, configure and secure nginx | |
| install_nginx | |
| configure_nginx | |
| secure_nginx | |
| # install and service redis | |
| install_redis | |
| service_redis | |
| # install php | |
| install_php | |
| # set nginx service | |
| service_nginx | |
| # clean downloads | |
| cleanup |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment