Last active
December 4, 2022 15:59
-
-
Save kerus1024/e1af0ddc810ccb64d3d2d4d9617d34ac to your computer and use it in GitHub Desktop.
Openresty Install on Debian/Ubuntu
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # Openresty Installation | |
| # working on debian 11, ubuntu 22.04 | |
| # | |
| # Define Some Variables | |
| set -ex | |
| ORIGIN_WORK_DIRECTORY="$(pwd)" | |
| SOURCE_WORK_DIRECTORY="/opt" | |
| VER_PCRE="8.45" | |
| VER_OPENSSL="1.1.1i" | |
| VER_OPENRESTY="1.21.4.1" | |
| DOWNLOAD_URL_PCRE_TGZ="http://ftp.cs.stanford.edu/mirrors/exim/pcre/pcre-${VER_PCRE}.tar.gz" | |
| DOWNLOAD_URL_OPENSSL_TGZ="https://www.openssl.org/source/openssl-${VER_OPENSSL}.tar.gz" | |
| DOWNLOAD_URL_OPENRESTY_TGZ="https://openresty.org/download/openresty-${VER_OPENRESTY}.tar.gz" | |
| if [ "$UID" -ne 0 ]; then | |
| echo "Please run as root user" | |
| exit 1 | |
| fi | |
| # Preinstall Required Packages | |
| apt-get update -y && apt-get upgrade -y | |
| apt-get install -y libgeoip-dev \ | |
| lib32readline-dev \ | |
| libreadline-dev \ | |
| make \ | |
| build-essential \ | |
| zlib1g-dev \ | |
| libperl-dev \ | |
| git \ | |
| wget | |
| # Kill NGINX | |
| apt-get remove -y nginx | |
| # BZIP2 Build and install | |
| cd $SOURCE_WORK_DIRECTORY | |
| mkdir -p bzip2 | |
| git clone git://sourceware.org/git/bzip2.git && cd bzip2 && make && make install | |
| # PCRE Build and install | |
| mkdir -p $SOURCE_WORK_DIRECTORY/pcre_${VER_PCRE} | |
| wget -qO- $DOWNLOAD_URL_PCRE_TGZ | tar xvz --strip 1 -C $SOURCE_WORK_DIRECTORY/pcre_${VER_PCRE} | |
| cd $SOURCE_WORK_DIRECTORY/pcre_${VER_PCRE} | |
| ./configure --prefix=/usr \ | |
| --docdir=/usr/share/doc/pcre-8.42 \ | |
| --enable-unicode-properties \ | |
| --enable-pcre16 \ | |
| --enable-pcre32 \ | |
| --enable-pcregrep-libz \ | |
| --enable-pcregrep-libbz2 \ | |
| --enable-pcretest-libreadline \ | |
| --disable-static | |
| make -j$(nproc) && make install | |
| # OpenSSL Build and install | |
| mkdir -p $SOURCE_WORK_DIRECTORY/openssl_${VER_OPENSSL} | |
| wget -qO- $DOWNLOAD_URL_OPENSSL_TGZ | tar xvz --strip 1 -C $SOURCE_WORK_DIRECTORY/openssl_${VER_OPENSSL} | |
| cd $SOURCE_WORK_DIRECTORY/openssl_${VER_OPENSSL} | |
| ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib | |
| make -j$(nproc) && make install | |
| echo "/usr/local/ssl/lib" | tee /etc/ld.so.conf.d/openssl.conf | |
| ldconfig -v | |
| ln -sf /usr/local/ssl/bin/openssl /usr/bin/openssl | |
| cat <<EOF | tee /etc/profile.d/openssl.sh | |
| export OPENSSL_CONF="/usr/local/ssl/openssl.cnf" | |
| export OPENSSL_PATH="/usr/local/ssl/bin" | |
| export OPENSSL_ROOT_DIR="/usr/local/ssl" | |
| export OPENSSL_LIBRARIES="/usr/local/ssl/lib" | |
| export OPENSSL_INCLUDE_DIR="/usr/local/ssl/include" | |
| export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt | |
| export SSL_CERT_DIR=/etc/ssl/certs | |
| PATH=$PATH:$OPENSSL_PATH | |
| EOF | |
| chmod 755 /etc/profile.d/openssl.sh | |
| source /etc/profile.d/openssl.sh | |
| # Openresty Build and install | |
| mkdir -p $SOURCE_WORK_DIRECTORY/openresty_${VER_OPENRESTY} | |
| wget -qO- $DOWNLOAD_URL_OPENRESTY_TGZ | tar xvz --strip 1 -C $SOURCE_WORK_DIRECTORY/openresty_${VER_OPENRESTY} | |
| cd $SOURCE_WORK_DIRECTORY/openresty_${VER_OPENRESTY} | |
| git clone --recursive https://github.com/google/ngx_brotli | |
| ./configure --prefix=/usr/local/openresty \ | |
| --with-cc-opt="-I /usr/local/ssl/include" \ | |
| --with-ld-opt="-L /usr/local/ssl/lib" \ | |
| --with-compat \ | |
| --add-module=./ngx_brotli \ | |
| --with-pcre-jit \ | |
| --with-http_realip_module \ | |
| --with-http_geoip_module=dynamic \ | |
| --with-http_v2_module \ | |
| --with-http_gzip_static_module \ | |
| --with-http_slice_module \ | |
| --with-stream \ | |
| --with-stream_ssl_module | |
| make -j$(nproc) && make install | |
| cat <<EOF | tee /lib/systemd/system/openresty.service | |
| [Unit] | |
| Description=The NGINX HTTP and reverse proxy server | |
| After=syslog.target network-online.target remote-fs.target nss-lookup.target | |
| Wants=network-online.target | |
| [Service] | |
| Type=forking | |
| PIDFile=/run/nginx.pid | |
| ExecStartPre=/usr/sbin/nginx -t | |
| ExecStart=/usr/sbin/nginx | |
| ExecReload=/usr/sbin/nginx -s reload | |
| ExecStop=/bin/kill -s QUIT $MAINPID | |
| PrivateTmp=true | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOF | |
| chmod 755 /lib/systemd/system/openresty.service | |
| ln -sf /usr/local/openresty/bin/openresty /usr/sbin/nginx | |
| ln -sf /usr/local/openresty/bin/openresty /usr/bin/nginx | |
| ln -sf /usr/local/openresty/bin/openresty /usr/local/bin/nginx | |
| ln -sf /lib/systemd/system/openresty.service /lib/systemd/system/nginx.service | |
| systemctl daemon-reload | |
| # Nginx Setting for Openresty | |
| useradd -r -s /bin/false nginx || true | |
| mkdir -p /var/log/nginx | |
| # default fakessl | |
| mkdir -p /usr/local/openresty/nginx/ssl | |
| openssl req -subj "/CN=localhost" -x509 -nodes -newkey rsa:4096 -keyout /usr/local/openresty/nginx/ssl/localhost.key -out /usr/local/openresty/nginx/ssl/localhost.crt -sha256 -days 365 | |
| openssl dhparam -out /usr/local/openresty/nginx/ssl/dhparam.pem 4096 | |
| cat <<EOF | tee /usr/local/openresty/nginx/conf/nginx.conf | |
| user nginx; | |
| worker_processes $(nproc); | |
| error_log /var/log/nginx/error.log; | |
| pid /run/nginx.pid; | |
| events { | |
| worker_connections 4096; | |
| } | |
| http { | |
| include mime.types; | |
| include koi-utf; | |
| default_type application/octet-stream; | |
| log_format main '\$remote_addr : \$remote_port to \$server_addr : \$server_port [\$time_local] ' | |
| '"\$request_method \$scheme://\$host\$request_uri \$server_protocol" ' | |
| '\$status \$body_bytes_sent "\$http_referer" ' | |
| '"\$http_user_agent" \$request_time'; | |
| access_log /var/log/nginx/access.log main; | |
| server_tokens off; | |
| sendfile on; | |
| tcp_nopush on; | |
| tcp_nodelay off; | |
| keepalive_timeout 65; | |
| charset utf-8; | |
| charset_types text/xml text/plain text/vnd.wap.wml | |
| application/javascript application/x-javascript | |
| application/rss+xml text/css; | |
| override_charset on; | |
| map_hash_bucket_size 256; | |
| map_hash_max_size 4096; | |
| server_names_hash_bucket_size 128; | |
| server_names_hash_max_size 2048; | |
| variables_hash_max_size 2048; | |
| # OCSP Stapling | |
| resolver 1.1.1.1 1.0.0.1 valid=86400s ipv6=off; | |
| resolver_timeout 5s; | |
| ssl_stapling on; | |
| ssl_stapling_verify on; | |
| # SSL/TLS Hardening | |
| ssl_protocols TLSv1.2 TLSv1.3; | |
| ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; | |
| ssl_prefer_server_ciphers on; | |
| ssl_ecdh_curve X25519:P-521:P-384:P-256; | |
| ssl_session_cache shared:SSL:10m; | |
| ssl_session_timeout 10m; | |
| ssl_early_data on; | |
| ssl_dhparam /usr/local/openresty/nginx/ssl/dhparam.pem; | |
| # HTTP/2 Push | |
| http2_push on; | |
| http2_push_preload on; | |
| # Client Timeout | |
| client_header_timeout 15s; | |
| client_body_timeout 60s; | |
| send_timeout 60s; | |
| # Something | |
| log_not_found off; | |
| open_file_cache max=50000 inactive=60s; | |
| open_file_cache_valid 120s; | |
| open_file_cache_min_uses 2; | |
| open_file_cache_errors off; | |
| open_log_file_cache max=10000 inactive=30s min_uses=2; | |
| # Keepalive | |
| #keepalive_timeout 24h; | |
| #keepalive_requests 15000; | |
| #lingering_time 60s; | |
| #lingering_close on; | |
| #lingering_timeout 10s; | |
| #keepalive_disable msie6; | |
| # Default Body Size | |
| client_max_body_size 1m; | |
| # GZIP Compression | |
| gzip on; | |
| gzip_comp_level 9; | |
| gzip_static on; | |
| gzip_vary on; | |
| gzip_proxied any; | |
| gzip_min_length 150; | |
| gzip_buffers 2048 4k; | |
| gzip_http_version 1.1; | |
| gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; | |
| gzip_types text/richtext | |
| text/plain | |
| text/css | |
| text/x-script | |
| text/x-component | |
| text/x-java-source | |
| application/javascript | |
| application/x-javascript | |
| text/javascript | |
| text/js | |
| image/x-icon | |
| application/x-perl | |
| application/x-httpd-cgi | |
| text/xml | |
| application/xml | |
| application/rss+xml | |
| application/json | |
| multipart/bag | |
| multipart/mixed | |
| application/xhtml+xml | |
| font/ttf | |
| font/otf | |
| font/woff | |
| font/woff2 | |
| image/svg+xml | |
| application/vnd.ms-fontobject | |
| application/ttf | |
| application/x-ttf | |
| application/otf | |
| application/x-otf | |
| application/x-font-ttf | |
| application/x-font-truetype | |
| application/x-font-opentype | |
| application/x-opentype | |
| application/woff | |
| application/eot | |
| application/font | |
| application/font-woff | |
| application/font-woff2 | |
| application/x-font-woff2 | |
| application/font-sfnt; | |
| gzip_disable "MSIE [1-6].(?!.*SV1)"; | |
| # GeoIP2 | |
| #geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb { | |
| # $geoip2_metadata_country_build metadata build_epoch; | |
| # $geoip2_data_country_code default=US source=$remote_addr country iso_code; | |
| # $geoip2_data_country_name country names en; | |
| #} | |
| #geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb { | |
| # $geoip2_data_city_name default=London city names en; | |
| # $geoip2_data_continent_name default=Europe continent names en; | |
| # $geoip2_data_subdivisions_name default=London subdivisions 0 names en; | |
| #} | |
| # Default Index | |
| index index.html; | |
| # CloudFlare Client-IP | |
| include /etc/nginx/include.d/cloudflare.conf; | |
| # Default Server Directive | |
| server { | |
| listen 80; | |
| server_name _ localhost; | |
| location / { | |
| root /usr/local/openresty/nginx/html; | |
| default_type text/html; | |
| } | |
| } | |
| server { | |
| listen 443 ssl http2; | |
| server_name _ localhost; | |
| ssl_certificate /usr/local/openresty/nginx/ssl/localhost.crt; | |
| ssl_certificate_key /usr/local/openresty/nginx/ssl/localhost.key; | |
| location / { | |
| root /usr/local/openresty/nginx/html; | |
| default_type text/html; | |
| } | |
| } | |
| include /etc/nginx/conf.d/*.conf; | |
| } | |
| include /etc/nginx/stream.d/*.conf; | |
| EOF | |
| mkdir -p /etc/nginx | |
| ln -sf /usr/local/openresty/nginx/conf/nginx.conf /etc/nginx/nginx.conf | |
| mkdir -p /etc/nginx/conf.d | |
| mkdir -p /etc/nginx/stream.d | |
| mkdir -p /etc/nginx/include.d | |
| cat <<EOF | tee /etc/nginx/include.d/__cloudflare-20221126.conf | |
| # https://www.cloudflare.com/ips/ | |
| set_real_ip_from 103.21.244.0/22; | |
| set_real_ip_from 103.22.200.0/22; | |
| set_real_ip_from 103.31.4.0/22; | |
| set_real_ip_from 104.16.0.0/13; | |
| set_real_ip_from 104.24.0.0/14; | |
| set_real_ip_from 108.162.192.0/18; | |
| set_real_ip_from 131.0.72.0/22; | |
| set_real_ip_from 141.101.64.0/18; | |
| set_real_ip_from 162.158.0.0/15; | |
| set_real_ip_from 172.64.0.0/13; | |
| set_real_ip_from 173.245.48.0/20; | |
| set_real_ip_from 188.114.96.0/20; | |
| set_real_ip_from 190.93.240.0/20; | |
| set_real_ip_from 197.234.240.0/22; | |
| set_real_ip_from 198.41.128.0/17; | |
| set_real_ip_from 2400:cb00::/32; | |
| set_real_ip_from 2606:4700::/32; | |
| set_real_ip_from 2803:f800::/32; | |
| set_real_ip_from 2405:b500::/32; | |
| set_real_ip_from 2405:8100::/32; | |
| set_real_ip_from 2a06:98c0::/29; | |
| set_real_ip_from 2c0f:f248::/32; | |
| real_ip_header CF-Connecting-IP; | |
| EOF | |
| ln -sf /etc/nginx/include.d/__cloudflare-20221126.conf /etc/nginx/include.d/cloudflare.conf | |
| /usr/sbin/nginx -V | |
| /usr/sbin/nginx -t | |
| systemctl enable --now openresty | |
| cd ${ORIGIN_WORK_DIRECTORY} | |
| echo 'Enjoy Openresty !' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment