Nginx with modules and latest OpenSSL [CentOS]

Nginx/OpenSSL on CentOS

Many thanks to Scott Helme and his excellent blog posts:

https://scotthelme.co.uk/brotli-compression/

https://scotthelme.co.uk/doing-the-chacha-with-nginx/

# Build dependencies for OpenSSL, brotli, libbrotli and the nginx modules.
yum install git python python-devel gcc zlib perl libxml2 libxslt
# Working directory for all checkouts. The ./configure flags later on this
# page refer to it as /root/nginx, so keep the two in sync.
mkdir nginx
cd nginx

# OpenSSL from git master: no release tag or signature is pinned here, so the
# build tracks whatever master is at clone time. The commented lines record
# how the earlier TLS 1.3 draft branches and a shared build were selected.
git clone https://github.com/openssl/openssl
#cd openssl
# git describe --abbrev=0 --tags
#git checkout tls1.3-draft-18
#git checkout tls1.3-draft-19
#make clean
#./config shared enable-tls1_3 --prefix=/usr/local/ssl --openssldir=/usr/local/ssl -Wl,-rpath,'$(LIBRPATH)'

#cd ..
# Google's brotli: installs the python module system-wide and builds the
# test tools (presumably where the 'bro' tool used for pre-compression further
# down comes from — confirm against ~/nginx/brotli/bin/bro).
git clone https://github.com/google/brotli.git
cd brotli
sudo python setup.py install
cd tests
make

# libbrotli: autotools build installed to the default prefix (presumably the
# library ngx_brotli links against — verify).
cd ..
git clone https://github.com/bagder/libbrotli
cd libbrotli
./autogen.sh
./configure
make
sudo make install

# ngx_brotli pulls its dependencies in as git submodules.
cd ..
git clone https://github.com/google/ngx_brotli
cd ngx_brotli
git submodule update --init

# headers-more is built as a dynamic nginx module later on this page.
cd ..
git clone https://github.com/openresty/headers-more-nginx-module

Copy the current nginx compile flags (as printed by nginx -V below) into the ./configure call

yum install nginx
nginx -V
cd /usr/local/src/
wget http://nginx.org/download/nginx-1.13.3.tar.gz
tar -xzvf nginx-1.13.3.tar.gz
rm nginx-1.13.3.tar.gz
cd nginx-1.13.3
./configure (existing configure arguments) --with-openssl=/usr/local/src/openssl-1.1.0f --add-module=/root/nginx/ngx_brotli

#./configure (existing configure arguments) --with-openssl=/root/nginx/openssl --with-openssl-opt=enable-tls1_3 --add-module=/root/nginx/ngx_brotli --add-dynamic-module=/root/nginx/headers-more-nginx-module
make

make install
service nginx restart

nginx -V
sudo nano /etc/nginx/nginx.conf

#load_module /root/nginx/headers-more-nginx-module/ngx_http_headers_more_filter_module.so;

http {
    ...
    brotli on;
    brotli_static on;
    brotli_types *;

    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305";
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    ...
}

server {
    listen 443 ssl http2;
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ...
}

Pre-compress files

~/nginx/brotli/bin/bro --input main.min.css --output main.min.css.br
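#!/usr/bin/env bash
#
# update.sh — refresh the source checkouts (OpenSSL, brotli, libbrotli,
# ngx_brotli, ngx-fancyindex, headers-more), rebuild OpenSSL and libbrotli,
# then download, configure, build and reinstall nginx against them with
# TLS 1.3 enabled.
#
# usage: cd nginx     # the directory that holds the git checkouts
#        ./update.sh
#
# Needs write access to /usr/local, /usr/local/src and the nginx install
# paths (root on the original CentOS box). The nginx ./configure flags below
# hard-code /root/nginx as the checkout directory, so start from there.
#
# Optional environment:
#   NGINX_SHA256  expected SHA-256 of the downloaded nginx tarball. When set,
#                 the download is verified before extraction; when unset the
#                 tarball is installed unverified (the historical behaviour).
#                 Obtain the value from the tarball publisher out of band.
set -euo pipefail

# Directory holding the checkouts; every step returns to it via $work_dir.
readonly work_dir=$PWD
readonly nginx_src=/usr/local/src
# Custom tarball; the upstream equivalent is kept for reference:
#   https://nginx.org/download/nginx-1.13.4.tar.gz
readonly nginx_tarball_url=https://seby.io/nginx.tar.gz
readonly nginx_sha256=${NGINX_SHA256:-}

#######################################
# Reset the OpenSSL checkout to the tip of master and build/install it.
# Note: this tracks a moving branch with no tag or signature check.
#######################################
update_openssl() {
  cd "$work_dir/openssl"
  git reset --hard
  git checkout master
  git pull
  # '$(LIBRPATH)' stays single-quoted on purpose: OpenSSL's Makefile expands
  # it, not the shell.
  ./config enable-tls1_3 -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)'
  #./config shared enable-tls1_3 --prefix=/usr/local/ssl --openssldir=/usr/local/ssl -Wl,-rpath,'$(LIBRPATH)'
  make clean
  make
  make install
}

#######################################
# Refresh the brotli checkout. Only the sources are updated; the python
# module / make steps stay commented out as in the original.
#######################################
update_brotli() {
  # yum install python2-pip
  # pip install --upgrade pip
  #pip install brotli --upgrade
  cd "$work_dir/brotli"
  git reset --hard
  git pull
  #sudo python setup.py install
  #make
}

#######################################
# Refresh, rebuild and install libbrotli (autotools).
#######################################
update_libbrotli() {
  cd "$work_dir/libbrotli"
  git reset --hard
  git pull
  git submodule update
  ./autogen.sh
  ./configure
  make
  make install
}

#######################################
# Pull the nginx module checkouts. They are compiled by nginx's ./configure
# below, so nothing is built here.
#######################################
update_nginx_modules() {
  cd "$work_dir/ngx_brotli"
  git pull
  git submodule update --init
  #git submodule foreach git pull origin master
  cd "$work_dir/ngx-fancyindex"
  git pull
  cd "$work_dir/headers-more-nginx-module"
  git pull
}

#######################################
# Download the nginx tarball into $nginx_src, verify it when NGINX_SHA256 is
# set, and replace any previous nginx-* source tree with the new one.
#######################################
fetch_nginx() {
  cd "$nginx_src"
  wget "$nginx_tarball_url"
  if [[ -n "$nginx_sha256" ]]; then
    printf '%s  nginx.tar.gz\n' "$nginx_sha256" | sha256sum -c -
  fi
  # The directory name inside the tarball is not fixed, hence the glob.
  rm -rf -- nginx-*
  tar -xzvf nginx.tar.gz
  rm -f nginx.tar.gz
}

#######################################
# Configure, build and install nginx from the unpacked source tree, then
# restart the service and print the resulting build flags.
#######################################
build_nginx() {
  cd "$nginx_src"
  # Expect exactly one unpacked tree; with several the glob would be ambiguous.
  local -a trees=(nginx-*/)
  if (( ${#trees[@]} != 1 )) || [[ ! -d "${trees[0]}" ]]; then
    printf 'expected exactly one nginx-* directory in %s\n' "$nginx_src" >&2
    exit 1
  fi
  cd "${trees[0]}"
  ./configure --prefix=/etc/nginx \
    --sbin-path=/usr/sbin/nginx \
    --modules-path=/usr/lib64/nginx/modules \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/run/nginx.lock \
    --http-client-body-temp-path=/var/cache/nginx/client_temp \
    --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
    --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
    --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
    --user=nginx \
    --group=nginx \
    --with-compat \
    --with-file-aio \
    --with-threads \
    --with-http_addition_module \
    --with-http_auth_request_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_mp4_module \
    --with-http_random_index_module \
    --with-http_realip_module \
    --with-http_secure_link_module \
    --with-http_slice_module \
    --with-http_ssl_module \
    --with-http_stub_status_module \
    --with-http_sub_module \
    --with-http_v2_module \
    --with-mail \
    --with-mail_ssl_module \
    --with-stream \
    --with-stream_realip_module \
    --with-stream_ssl_module \
    --with-stream_ssl_preread_module \
    --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' \
    --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' \
    --with-openssl=/root/nginx/openssl \
    --with-openssl-opt=enable-tls1_3 \
    --add-module=/root/nginx/ngx_brotli \
    --add-dynamic-module=/root/nginx/ngx-fancyindex
  # --add-module=/root/nginx/ngx-fancyindex
  # --add-module=/root/nginx/headers-more-nginx-module
  # The original ran make twice and tolerated a failure of the first pass; the
  # reason is not recorded (presumably the bundled OpenSSL build needs a second
  # pass — confirm). Kept as-is; the second make must succeed.
  make || true
  make
  make install
  service nginx restart
  nginx -V
}

main() {
  update_openssl
  update_brotli
  update_libbrotli
  update_nginx_modules
  fetch_nginx
  build_nginx
}

main "$@"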