-
-
Save subhanshuja/ca95a9193247f9cecf6c8f2a9beb1bb9 to your computer and use it in GitHub Desktop.
Compiling NGiNX with OpenSSL TLS1.3, Brotli, more_headers, NAXSI - Ubuntu 18.04 x64
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # Check if user is root | |
| if [ $(id -u) != "0" ]; then | |
| echo "Error: You must be root to run this script, please use the root user to install the software." | |
| exit 1 | |
| fi | |
| # Make script exit if a simple command fails and | |
| # Make script print commands being executed | |
| set -e -x | |
| # Latest versions of each package. | |
| export VERSION_PCRE=pcre-8.42 | |
| export VERSION_ZLIB=zlib-1.2.11 | |
| export VERSION_OPENSSL=openssl-1.1.1-pre8 | |
| # Automatically grab the latest nginx version. | |
| VERSION_NGINX=$(curl 'https://nginx.org/download/' | grep -oP 'href="nginx-\K[0-9]+\.[0-9]+\.[0-9]+' | sort -t. -rn -k1,1 -k2,2 -k3,3 | head -1) | |
| # URLs to the source directories | |
| export SOURCE_PCRE=https://ftp.pcre.org/pub/pcre/ | |
| export SOURCE_ZLIB=http://zlib.net/ | |
| export SOURCE_OPENSSL=https://www.openssl.org/source/ | |
| export BPATH=$(pwd)/build | |
| # proc for building faster | |
| NB_PROC=$(grep -c ^processor /proc/cpuinfo) | |
| # Make a 'today' variable for use in back-up filenames later | |
| today=$(date +"%Y-%m-%d") | |
| # Clean out any files from previous runs of this script | |
| rm -rf build | |
| mkdir build | |
| # Rename the existing /etc/nginx directory so it's saved as a back-up | |
| if [ -d /etc/nginx ] | |
| then | |
| mv /etc/nginx /etc/nginx-$today | |
| fi | |
| # Ensure that we have the required software to compile our own nginx | |
| apt-get -y install libgeoip-dev libxslt-dev libpcre3 libpcre3-dev build-essential zlib1g-dev libbz2-dev libssl-dev tar unzip curl git wget autoconf python2.7 python-dev libgd-dev | |
| # Test to see if our version of gcc supports __SIZEOF_INT128__ | |
| if gcc -dM -E - </dev/null | grep -q __SIZEOF_INT128__ | |
| then | |
| ECFLAG="enable-ec_nistp_64_gcc_128" | |
| else | |
| ECFLAG="" | |
| fi | |
| # Create NGINX cache directories if they do not already exist | |
| if [ ! -d "/var/cache/nginx/" ]; then | |
| mkdir -p \ | |
| /var/cache/nginx/client_temp \ | |
| /var/cache/nginx/proxy_temp \ | |
| /var/cache/nginx/fastcgi_temp \ | |
| /var/cache/nginx/uwsgi_temp \ | |
| /var/cache/nginx/scgi_temp | |
| fi | |
| # Grab the source files. | |
| wget -P $BPATH $SOURCE_PCRE$VERSION_PCRE.tar.gz | |
| wget -P $BPATH $SOURCE_ZLIB$VERSION_ZLIB.tar.gz | |
| wget -P $BPATH $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz --no-check-certificate | |
| wget -P $BPATH "https://nginx.org/download/nginx-${VERSION_NGINX}.tar.gz" | |
| # Extract the source files | |
| cd $BPATH | |
| tar -xaf "nginx-${VERSION_NGINX}.tar.gz" | |
| tar -xzf $VERSION_PCRE.tar.gz | |
| tar -xzf $VERSION_ZLIB.tar.gz | |
| tar -xzf $VERSION_OPENSSL.tar.gz | |
| # Grab and install Brotli. | |
| git clone https://github.com/google/brotli.git $BPATH/brotli | |
| cd $BPATH/brotli | |
| mkdir out && cd out | |
| ../configure-cmake | |
| make && make test && make install | |
| git clone https://github.com/bagder/libbrotli $BPATH/libbrotli | |
| cd $BPATH/libbrotli | |
| ./autogen.sh | |
| ./configure | |
| make && make install | |
| git clone https://github.com/eustas/ngx_brotli $BPATH/ngx_brotli | |
| #git clone https://github.com/google/ngx_brotli $BPATH/ngx_brotli | |
| cd $BPATH/ngx_brotli | |
| git submodule update --init --recursive | |
| # Grab misc modules. | |
| git clone https://github.com/openresty/headers-more-nginx-module.git $BPATH/headers-more-nginx-module | |
| git clone https://github.com/nbs-system/naxsi.git $BPATH/naxsi | |
| git clone https://github.com/simpl/ngx_devel_kit $BPATH/ngx_devel_kit | |
| git clone https://github.com/nulab/nginx-length-hiding-filter-module $BPATH/nginx-length-hiding-filter-module | |
| cd $BPATH/nginx-${VERSION_NGINX} | |
| # Patch nginx with improvements | |
| wget -O- https://raw.githubusercontent.com/kn007/patch/master/nginx.patch | patch -p1 | |
| wget -O- https://raw.githubusercontent.com/kn007/patch/master/fix_nginx_hpack_push_error.patch | patch -p1 | |
| wget -O- https://raw.githubusercontent.com/kn007/patch/master/nginx_auto_using_PRIORITIZE_CHACHA.patch | patch -p1 | |
| # Build nginx, with various modules included/excluded | |
| ./configure \ | |
| --with-cc-opt='-g -O3 -fstack-protector-strong -fPIE -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2,-DTCP_FASTOPEN=23' \ | |
| --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' \ | |
| --with-openssl=../$VERSION_OPENSSL \ | |
| --with-openssl-opt="$ECFLAG no-async no-shared no-ssl3 no-comp no-idea no-weak-ssl-ciphers -DOPENSSL_NO_HEARTBEATS -O3 -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2" \ | |
| --prefix=/etc/nginx \ | |
| --sbin-path=/usr/sbin/nginx \ | |
| --modules-path=/usr/lib/nginx/modules \ | |
| --conf-path=/etc/nginx/nginx.conf \ | |
| --error-log-path=/var/log/nginx/error.log \ | |
| --http-log-path=/var/log/nginx/access.log \ | |
| --pid-path=/var/run/nginx.pid \ | |
| --lock-path=/var/run/nginx.lock \ | |
| --http-client-body-temp-path=/var/cache/nginx/client_temp \ | |
| --http-proxy-temp-path=/var/cache/nginx/proxy_temp \ | |
| --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \ | |
| --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \ | |
| --http-scgi-temp-path=/var/cache/nginx/scgi_temp \ | |
| --user=nginx \ | |
| --group=nginx \ | |
| --with-compat \ | |
| --with-file-aio \ | |
| --with-threads \ | |
| --with-http_addition_module \ | |
| --with-http_auth_request_module \ | |
| --with-http_flv_module \ | |
| --with-http_gunzip_module \ | |
| --with-http_gzip_static_module \ | |
| --with-http_image_filter_module \ | |
| --with-http_mp4_module \ | |
| --with-http_random_index_module \ | |
| --with-http_realip_module \ | |
| --with-http_secure_link_module \ | |
| --with-http_slice_module \ | |
| --with-http_ssl_module \ | |
| --with-http_stub_status_module \ | |
| --with-http_sub_module \ | |
| --with-http_v2_module \ | |
| --with-stream \ | |
| --with-stream_realip_module \ | |
| --with-stream_ssl_module \ | |
| --with-stream_ssl_preread_module \ | |
| --without-http_ssi_module \ | |
| --without-mail_pop3_module \ | |
| --without-mail_smtp_module \ | |
| --without-mail_imap_module \ | |
| --with-zlib=../$VERSION_ZLIB \ | |
| --with-pcre=../$VERSION_PCRE \ | |
| --with-pcre-jit \ | |
| --add-module=../naxsi/naxsi_src/ \ | |
| --add-module=../ngx_devel_kit \ | |
| --add-module=../ngx_brotli \ | |
| --add-module=../headers-more-nginx-module \ | |
| --add-module=../nginx-length-hiding-filter-module \ | |
| # build it and install. | |
| make -j $NB_PROC && make install | |
| # now restore the previous version of /etc/nginx to /etc/nginx so the old settings are kept | |
| if [ -d /etc/nginx-$today ] | |
| then | |
| # remove the old default nginx config directories generated by previous runs of this script | |
| rm -rf /etc/nginx-default | |
| # rename the compiled default /etc/nginx directory so it's accessible as a reference to the new nginx defaults | |
| mv /etc/nginx /etc/nginx-default | |
| # now restore the backup to /etc/nginx so the old configuration is kept | |
| mv /etc/nginx-$today /etc/nginx | |
| fi | |
| cp $BPATH/naxsi/naxsi_config/naxsi_core.rules /etc/nginx/naxsi_core.rules | |
| echo "============================================================="; | |
| echo "All done."; | |
| echo "This build has not edited your existing /etc/nginx directory."; | |
| echo "If things aren't working now you may need to refer to the"; | |
| echo "configuration files the new nginx ships with as defaults,"; | |
| echo "which are available at /etc/nginx-default"; | |
| echo "============================================================="; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment