RPM build Nginx 1.13.0 with ALPN on CentOS 6/7 using static LibreSSL 2.5.4 (http/2 support in Chrome & ChaCha20-Poly1305 cipher suite)
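# Based on CentOS7 fork of @smartmadsoft: https://gist.github.com/moneytoo/ab3f34e4fddc2110675952f8280f49c5
#
# Builds an nginx RPM from the nginx.org mainline SRPM, statically linked
# against a LibreSSL source tree unpacked under /opt/lib (ALPN for http/2 and
# the ChaCha20-Poly1305 suites), installs it, generates a self-signed dev
# certificate and writes a minimal default.conf.
# Must be run as root (yum, rpm, useradd, writes under /etc/nginx).
set -euo pipefail

# "6" for CentOS6 or Amazon Linux, "7" for CentOS7
CENTVER="6"
# Bug fix: the original line read "$LIBRESSL=..." which is not an assignment
# (the shell tries to run a command named "=libressl-2.5.4") and left
# $LIBRESSL empty for every path below.
LIBRESSL="libressl-2.5.4"
NGINX="nginx-1.13.0-1"
readonly CENTVER LIBRESSL NGINX
readonly LIBDIR="/opt/lib"
readonly SPEC="/root/rpmbuild/SPECS/nginx.spec"

yum clean all
# Install epel packages (required for GeoIP-devel). The epel-release-6-8
# package is only valid for CentOS 6; CentOS 7 ships epel-release in its own
# "extras" repo. Fetched over https: the EPEL signing key is not imported yet
# at this point, so yum cannot verify the signature of a package installed
# by URL, and plain http would let the package body be swapped in transit.
if [[ "$CENTVER" == "6" ]]; then
  yum -y install https://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
else
  yum -y install epel-release
fi
yum -y groupinstall 'Development Tools'
yum -y install wget openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel pcre-devel

# Create the group before the user: useradd already creates a same-named
# group on CentOS, so the original "useradd; groupadd" order made groupadd
# fail. Both steps are skipped when they already exist, so re-runs work.
getent group builder >/dev/null || groupadd builder
id -u builder >/dev/null 2>&1 || useradd -g builder builder
mkdir -p -- "$LIBDIR"

# Untar, but don't compile libressl to /opt/lib (nginx's --with-openssl
# presumably builds it in place during rpmbuild — confirm on first run).
# NOTE(review): the tarball is fetched over https but is not checked against
# the SHA256 / signature files LibreSSL publishes next to it; add that check
# (hash taken from the release listing, not hardcoded here) before using this
# on anything but a throwaway dev box.
wget "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$LIBRESSL.tar.gz" -O "$LIBDIR/$LIBRESSL.tar.gz"
tar -zxvf "$LIBDIR/$LIBRESSL.tar.gz" -C "$LIBDIR"

# Build source nginx (no auto-updates), statically link to /opt/lib/libressl* (no OS effects)
rpm -ivh "https://nginx.org/packages/mainline/centos/$CENTVER/SRPMS/$NGINX.el$CENTVER.ngx.src.rpm"
sed -i "s|--with-http_ssl_module|--with-http_ssl_module --with-openssl=$LIBDIR/$LIBRESSL|g" "$SPEC"
# sed exits 0 even when the pattern is absent; make a silent no-op fatal.
grep -q -- "--with-openssl=$LIBDIR/$LIBRESSL" "$SPEC" || {
  printf 'failed to add --with-openssl to %s\n' "$SPEC" >&2
  exit 1
}
# Replaces the relro/now/pie link flags with -lrt (presumably needed for the
# static LibreSSL link — confirm). Note this drops RELRO, BIND_NOW and PIE
# hardening from the resulting nginx binary.
sed -i "s|WITH_LD_OPT -Wl,-z,relro -Wl,-z,now -pie|WITH_LD_OPT -lrt|g" "$SPEC"
grep -q -- "WITH_LD_OPT -lrt" "$SPEC" || {
  printf 'failed to rewrite WITH_LD_OPT in %s\n' "$SPEC" >&2
  exit 1
}
# Compile it
rpmbuild -ba "$SPEC"
# Install it
rpm -ivh "/root/rpmbuild/RPMS/x86_64/$NGINX.el$CENTVER.ngx.x86_64.rpm"

mkdir -p /etc/nginx/ssl
# You can just accept defaults, but make sure to use a "real" local dev Common Name, eg: localdev
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
# The key is written unencrypted (-nodes) and openssl honours the umask, so
# restrict it to root explicitly; the nginx master reads it as root.
chmod 700 /etc/nginx/ssl
chmod 600 /etc/nginx/ssl/nginx.key

# *** Add /etc/hosts on OSX for localhost godev (eg, )
cp -p /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf-orig
# The ssl_ciphers list below is kept as in the original; it still ends with
# 3DES and static-RSA (non-forward-secret) suites, and ssl_protocols is not
# set, so nginx's default applies (for 1.13 presumably still including
# TLS 1.0/1.1 — confirm). Fine for a local dev box; tighten before exposing it.
cat <<'EOT' > /etc/nginx/conf.d/default.conf
server {
listen 80 default_server;
listen 443 ssl http2;
root /usr/share/nginx/html;
index index.html index.htm;
# LOCALDEV-COMMON-NAME is whatever you gave in the certificate setup for Common Name
server_name LOCALDEV-COMMON-NAME;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
location / {
try_files $uri $uri/ =404;
}
}
EOT

# The unpacked tree is named $LIBRESSL, so the original "/opt/lib/openssl*"
# glob never matched anything. Locate the openssl binary the build produced
# inside it instead of guessing the exact sub-path.
find "$LIBDIR/$LIBRESSL" -type f -name openssl -not -path '*/.libs/*' -exec {} version -a \;
nginx -V # 2>&1 | sed -r -e 's/\s+--/\n/g' | grep -E 'version|v2' --color=never

# As in the original, ports 80/443 are reached by stopping the host firewall
# entirely. If the box is reachable from anything but localhost, insert
# ACCEPT rules for tcp/80 and tcp/443 instead of disabling iptables.
# Kept non-fatal so a box without the iptables service still starts nginx.
service iptables stop || printf 'warning: could not stop iptables\n' >&2
service nginx start
# Other useful queries (substitute the openssl path printed by the find above):
# <openssl-path> ciphers | tr ':' '\n' | sort | less
# <openssl-path> ecparam -list_curves | less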