Ubuntu 16.04 - Nginx Build Script ( http2, page-speed, pcre, headers-more, geoip )
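#!/bin/bash
# Builds nginx from source with the pagespeed, headers-more, pcre and geoip
# modules, then installs Redis and PHP-FPM. Everything below runs package
# installs and `make install`, so the script is expected to run as root.
set -e
# Fail a pipeline when any stage fails, not only the last one.
set -o pipefail

# directory config
# Private, freshly created build directory (mktemp -d creates it mode 0700).
# Downloading archives with predictable names straight into the shared /tmp
# as root lets another local user pre-place files under those names.
SRC_ROOT=$(mktemp -d "${TMPDIR:-/tmp}/nginx-build.XXXXXX")
SERVICE_ROOT=/lib/systemd/system
NGINX_ROOT=/etc/nginx
REDIS_ROOT=/etc/redis

# versions config
NPS_VERSION=1.12.34.1 # nginx_pagespeed module
NHM_VERSION=0.32 # nginx_headers_more module
PCRE_VERSION=8.40 # pcre perl regex module for regex rules on location directive
NGINX_VERSION=1.12.0
PHP_VERSION=7.1
TIMEZONE=Europe/Amsterdam

# url config
# All sources are fetched over HTTPS: they are compiled and installed as root,
# so a plaintext download would let anyone on the network path swap the code.
# NOTE(review): TLS only authenticates the server; none of these archives is
# checked against a published checksum or signature.
NPS_DOWNLOAD_URL="https://github.com/pagespeed/ngx_pagespeed/archive/v${NPS_VERSION}-beta.zip"
HEADERS_MODULE_DOWNLOAD_URL="https://github.com/openresty/headers-more-nginx-module/archive/v${NHM_VERSION}.tar.gz"
PCRE_MODULE_DOWNLOAD_URL="https://ftp.pcre.org/pub/pcre/pcre-${PCRE_VERSION}.tar.gz"
NGINX_DOWNLOAD_URL="https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"
REDIS_DOWNLOAD_URL="https://download.redis.io/redis-stable.tar.gz"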
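#######################################
# Refresh the apt index, apply pending upgrades and install the compiler
# toolchain and libraries used by the nginx build.
# Outputs: progress messages on stdout
#######################################
install_pkg() {
  echo "Updating Repository"
  apt-get update
  # -y: the script runs unattended; without it apt-get stops at the
  # confirmation prompt.
  apt-get upgrade -y
  echo "Installing base / required packages & libs"
  apt-get install -y openssl libssl-dev build-essential zlib1g-dev libpcre3 \
    libpcre3-dev libgeoip-dev unzip git
}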
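#######################################
# Download nginx plus the pagespeed, headers-more and pcre sources into
# SRC_ROOT, then configure, compile and install nginx.
# Globals:  SRC_ROOT, NGINX_ROOT, NPS_VERSION, NHM_VERSION, PCRE_VERSION,
#           NGINX_VERSION and the *_DOWNLOAD_URL variables (all read)
# Outputs:  progress messages and tool output on stdout
# NOTE(review): none of the archives is checked against a checksum or
# signature before being compiled and installed; pin expected hashes for the
# versions configured above if the build has to be reproducible.
#######################################
install_nginx() {
  local nps_zip="v${NPS_VERSION}-beta.zip"
  local nps_dir="ngx_pagespeed-${NPS_VERSION}-beta"
  local nhm_tar="v${NHM_VERSION}.tar.gz"
  local pcre_tar="pcre-${PCRE_VERSION}.tar.gz"
  local nginx_tar="nginx-${NGINX_VERSION}.tar.gz"
  local psol_url psol_tar

  echo "Start downloading resources"
  echo "Sources will be downloaded to ${SRC_ROOT}"
  cd "${SRC_ROOT}"

  # download nginx_pagespeed module source & unzip it
  # wget -O writes to the exact name that is unpacked next. Without it, an
  # already existing file of that name makes wget save to "<name>.1" and the
  # older (stale or pre-placed) archive is the one that gets extracted.
  echo "Downloading file ${nps_zip} for google page speed module"
  wget -O "${nps_zip}" "${NPS_DOWNLOAD_URL}"
  # -o: overwrite without prompting, so a re-run does not stall on stdin
  unzip -o "${nps_zip}"
  cd "${nps_dir}/"

  # download psol / page speed optimization library
  psol_url="https://dl.google.com/dl/page-speed/psol/${NPS_VERSION}.tar.gz"
  if [ -e scripts/format_binary_url.sh ]; then
    # newer pagespeed releases ship a helper that prints the matching URL
    psol_url=$(scripts/format_binary_url.sh PSOL_BINARY_URL)
  fi
  psol_tar=${psol_url##*/}
  wget -O "${psol_tar}" "${psol_url}"
  tar -xzvf "${psol_tar}" # extracts to psol/

  # download nginx_headers_more module
  cd "${SRC_ROOT}"
  echo "Downloading file ${nhm_tar} for headers more module"
  wget -O "${nhm_tar}" "${HEADERS_MODULE_DOWNLOAD_URL}"
  tar -zxvf "${nhm_tar}"

  # download pcre module
  cd "${SRC_ROOT}"
  echo "Downloading file ${pcre_tar} for pcre module"
  wget -O "${pcre_tar}" "${PCRE_MODULE_DOWNLOAD_URL}"
  tar -zxvf "${pcre_tar}"

  # download nginx itself
  cd "${SRC_ROOT}"
  echo "Downloading file ${nginx_tar}"
  wget -O "${nginx_tar}" "${NGINX_DOWNLOAD_URL}"
  tar -xvzf "${nginx_tar}"
  cd "nginx-${NGINX_VERSION}/"

  # TODO:// Add libmodsecurity
  # https://www.howtoforge.com/tutorial/nginx-with-libmodsecurity-and-owasp-modsecurity-core-rule-set-on-ubuntu-1604/
  echo "Configuring Nginx"
  ./configure \
    --prefix="${NGINX_ROOT}" \
    --conf-path="${NGINX_ROOT}/nginx.conf" \
    --sbin-path=/usr/sbin/nginx \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/run/nginx.lock \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --with-http_v2_module \
    --with-http_ssl_module \
    --with-http_realip_module \
    --with-http_gzip_static_module \
    --with-http_stub_status_module \
    --with-http_sub_module \
    --with-file-aio \
    --with-http_addition_module \
    --with-http_geoip_module \
    --with-pcre="${SRC_ROOT}/pcre-${PCRE_VERSION}" \
    --add-module="${SRC_ROOT}/${nps_dir}" \
    --add-module="${SRC_ROOT}/headers-more-nginx-module-${NHM_VERSION}"

  echo "Compiling Nginx"
  make
  echo "Installing Nginx"
  make install
}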
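#######################################
# Write the systemd unit for nginx into SERVICE_ROOT, then enable and start it.
# Globals:  SERVICE_ROOT (read)
# Outputs:  progress message on stdout; (re)creates nginx.service
#######################################
service_nginx() {
  echo "Setting Nginx as a service"
  cd "${SERVICE_ROOT}"
  # The here-doc delimiter is quoted so $MAINPID reaches the unit file
  # literally; systemd substitutes it at runtime. Expanded by the shell it
  # would be empty and leave "kill -s HUP" / "kill -s QUIT" without a PID.
  # '>' replaces the file, so running the script again does not append a
  # second copy of every section.
  cat > nginx.service <<'EOF'
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
  systemctl enable nginx.service
  systemctl start nginx.service
}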
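#######################################
# Fetch the MaxMind GeoLite country databases (IPv4 and IPv6) and place them
# under NGINX_ROOT/geoip for the geoip module.
# Globals:  SRC_ROOT, NGINX_ROOT (read)
#######################################
configure_nginx() {
  # we need binary ip-country .dat files to gather country information of a user from their ip
  # download maxmind geoip binary database files from https://dev.maxmind.com/geoip/legacy/geolite/
  # if you need city information, swap the files below for the city ones, which are relatively bigger
  # NOTE(review): both databases are fetched over plain HTTP with no checksum,
  # so their content is only as trustworthy as the network path.
  cd "${SRC_ROOT}"
  wget -N http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz # ipv4
  gunzip GeoIP.dat.gz
  # -p: an existing directory (second run) must not abort the script under set -e
  mkdir -p "${NGINX_ROOT}/geoip"
  mv GeoIP.dat "${NGINX_ROOT}/geoip/GeoIP.dat"
  wget -N http://geolite.maxmind.com/download/geoip/database/GeoIPv6.dat.gz # ipv6
  gunzip GeoIPv6.dat.gz
  mv GeoIPv6.dat "${NGINX_ROOT}/geoip/GeoIPv6.dat"
}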
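#######################################
# Create NGINX_ROOT/ssl and generate Diffie-Hellman parameters in it.
# Globals:  NGINX_ROOT (read)
# Outputs:  progress message on stdout; writes ssl/dhparam.pem
#######################################
secure_nginx() {
  local ssl_dir="${NGINX_ROOT}/ssl"

  echo "Securing nginx"
  # -p: tolerate an existing directory when the script is run again
  mkdir -p "${ssl_dir}"
  # Private keys are likely to be stored here later; keep the directory
  # readable by its owner only.
  chmod 700 "${ssl_dir}"
  # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits.
  # Written under NGINX_ROOT (not a hard-coded /etc/nginx) so it lands in the
  # directory created above; no sudo, like every other step of this script.
  openssl dhparam -out "${ssl_dir}/dhparam.pem" 2048
  # TODO:// we need to add the following line into nginx.conf
  # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
}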
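#######################################
# Download, build and install the current redis-stable tarball, install its
# config under REDIS_ROOT and create the redis system user and data directory.
# Globals:  SRC_ROOT, REDIS_ROOT, REDIS_DOWNLOAD_URL (read)
# NOTE(review): "redis-stable" is a moving target and the tarball is not
# checked against a checksum; pin a version and hash for repeatable installs.
#######################################
install_redis() {
  echo "Installing latest stable Redis-server"
  # Build in the source directory. The original changed into SERVICE_ROOT,
  # which left the tarball and the whole source tree inside the systemd unit
  # directory, where the final cleanup never removes them.
  cd "${SRC_ROOT}"
  # download and extract redis; -O pins the file name that tar unpacks next
  wget -O redis-stable.tar.gz "${REDIS_DOWNLOAD_URL}"
  tar xzvf redis-stable.tar.gz
  cd redis-stable
  echo "Compiling Redis"
  make
  echo "Installing Redis"
  make install
  mkdir -p "${REDIS_ROOT}"
  cp "${SRC_ROOT}/redis-stable/redis.conf" "${REDIS_ROOT}"
  # edit redis config file
  sed -i "s/supervised no/supervised systemd/g" "${REDIS_ROOT}/redis.conf"
  sed -i "s/dir .\//dir \/var\/lib\/redis/g" "${REDIS_ROOT}/redis.conf"
  # NOTE(review): the shipped redis.conf is otherwise used unchanged; confirm
  # the bind address and authentication settings before exposing this host.
  # create an unprivileged system user for redis
  adduser --system --group --no-create-home redis
  # create a redis-writable directory for the persistent dump data
  mkdir -p /var/lib/redis
  chown redis:redis /var/lib/redis
}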
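#######################################
# Write the systemd unit for Redis into SERVICE_ROOT, then enable and start it.
# Globals:  SERVICE_ROOT, REDIS_ROOT (read)
# Outputs:  progress message on stdout; (re)creates redis.service
#######################################
service_redis() {
  echo "Setting Redis as a service"
  cd "${SERVICE_ROOT}"
  # Create the redis service file. '>' replaces it, so running the script
  # again does not append a second copy of every section. The delimiter is
  # unquoted on purpose: ${REDIS_ROOT} must expand into the ExecStart line.
  # NOTE(review): the unit drops to the redis user but sets no sandboxing
  # options; consider adding some after testing them against this Redis build.
  cat > redis.service <<EOF
[Unit]
Description=Redis In-Memory Data Store
After=network.target

[Service]
User=redis
Group=redis
ExecStart=/usr/local/bin/redis-server ${REDIS_ROOT}/redis.conf
ExecStop=/usr/local/bin/redis-cli shutdown
Restart=always

[Install]
WantedBy=multi-user.target
EOF
  systemctl enable redis.service
  systemctl start redis.service
}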
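#######################################
# Install PHP-FPM and extensions from the ondrej/php PPA, install Composer,
# adjust php.ini and restart php-fpm.
# Globals:  PHP_VERSION, TIMEZONE, SRC_ROOT (read)
# Returns:  1 if the Composer installer does not match its published checksum
#######################################
install_php() {
  local sapi ini expected_sig actual_sig

  echo "Installing php version ${PHP_VERSION}"
  # add the php 7 repository and update the source list
  # -y: do not wait for the interactive "press ENTER" confirmation
  add-apt-repository -y ppa:ondrej/php
  apt-get update
  # install the php packages
  # NOTE(review): xdebug is a development extension; confirm it is wanted on
  # this host before shipping it alongside php-fpm.
  apt-get install -y "php${PHP_VERSION}-fpm" \
    "php${PHP_VERSION}-cli" \
    "php${PHP_VERSION}-curl" \
    "php${PHP_VERSION}-mbstring" \
    "php${PHP_VERSION}-mcrypt" \
    "php${PHP_VERSION}-mysql" \
    "php${PHP_VERSION}-pgsql" \
    "php${PHP_VERSION}-xml" \
    "php${PHP_VERSION}-zip" \
    "php${PHP_VERSION}-intl" \
    "php${PHP_VERSION}-gd" \
    "php${PHP_VERSION}-soap" \
    "php${PHP_VERSION}-json" \
    "php${PHP_VERSION}-opcache" \
    "php${PHP_VERSION}-xdebug" \
    "php${PHP_VERSION}-redis"

  # Install composer
  # The installer is code that runs as root, so it is fetched over HTTPS into
  # a file and compared with the SHA-384 the Composer project publishes before
  # PHP executes it, instead of piping a plain-HTTP response into php.
  cd "${SRC_ROOT}"
  curl -fsSL -o composer-setup.php https://getcomposer.org/installer
  expected_sig=$(curl -fsSL https://composer.github.io/installer.sig)
  actual_sig=$(sha384sum composer-setup.php | cut -d ' ' -f 1)
  if [ -z "${expected_sig}" ] || [ "${expected_sig}" != "${actual_sig}" ]; then
    echo "Composer installer checksum mismatch, not running it" >&2
    rm -f composer-setup.php
    return 1
  fi
  php composer-setup.php
  rm -f composer-setup.php
  mv composer.phar /usr/local/bin/composer

  # some additional php settings if you care
  # The paths now use ${PHP_VERSION}; the original "{PHP_VERSION}" lacked the
  # "$" and pointed sed at a file that does not exist. The settings go into
  # the fpm php.ini as well as the cli one: cgi.fix_pathinfo only matters to
  # the FPM/CGI SAPI that nginx talks to.
  for sapi in cli fpm; do
    ini="/etc/php/${PHP_VERSION}/${sapi}/php.ini"
    sed -i "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g" "${ini}"
    sed -i "s/opcache.enable=0/opcache.enable=1/g" "${ini}"
    # "|" as delimiter: TIMEZONE contains "/" (Europe/Amsterdam), which ends
    # an s/…/…/ expression early and makes sed fail.
    sed -i "s|;date.timezone =|date.timezone = ${TIMEZONE}|g" "${ini}"
  done
  sed -i "s/memory_limit = 128M/memory_limit = 512M /g" "/etc/php/${PHP_VERSION}/fpm/php.ini"
  #TODO:// set the session_save_handler to redis
  # session.save_handler = redis
  # session.save_path = "tcp://127.0.0.1:6379"

  # restart php-fpm
  service "php${PHP_VERSION}-fpm" restart
}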
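#######################################
# Remove the archives and source trees this script downloaded into SRC_ROOT.
# Globals:  SRC_ROOT, NPS_VERSION, NHM_VERSION, PCRE_VERSION, NGINX_VERSION
#           (all read)
# Returns:  1 without deleting anything when SRC_ROOT is empty or "/"
#######################################
cleanup() {
  local item

  # An empty SRC_ROOT would turn a wildcard delete into one rooted at "/".
  if [ -z "${SRC_ROOT:-}" ] || [ "${SRC_ROOT}" = "/" ]; then
    echo "Refusing to clean: SRC_ROOT is empty or /" >&2
    return 1
  fi

  echo "Cleaning directory ${SRC_ROOT}"
  # Delete only what the build put there. SRC_ROOT may be a shared directory
  # such as /tmp, where a blanket "rm -rf SRC_ROOT/*" also removes sockets and
  # temp files that belong to other running services.
  for item in \
    "v${NPS_VERSION}-beta.zip" "ngx_pagespeed-${NPS_VERSION}-beta" \
    "v${NHM_VERSION}.tar.gz" "headers-more-nginx-module-${NHM_VERSION}" \
    "pcre-${PCRE_VERSION}.tar.gz" "pcre-${PCRE_VERSION}" \
    "nginx-${NGINX_VERSION}.tar.gz" "nginx-${NGINX_VERSION}" \
    "redis-stable.tar.gz" "redis-stable" \
    "GeoIP.dat.gz" "GeoIPv6.dat.gz"; do
    rm -rf -- "${SRC_ROOT:?}/${item}"
  done
}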
#-- Execution flow: run every provisioning step, in this order --#
#   install_pkg                                  base packages and build libs
#   install_nginx, configure_nginx, secure_nginx build nginx, GeoIP data, DH params
#   install_redis, service_redis                 build Redis and register its unit
#   install_php                                  PHP-FPM, extensions and Composer
#   service_nginx                                register and start the nginx unit
#   cleanup                                      remove the downloaded sources
for step in \
  install_pkg \
  install_nginx \
  configure_nginx \
  secure_nginx \
  install_redis \
  service_redis \
  install_php \
  service_nginx \
  cleanup; do
  "${step}"
done