Install nginx-1.17.4 with OpenSSL on Debian (including Raspbian)
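#!/usr/bin/env bash
#
# Build nginx from source against a pinned OpenSSL, PCRE and zlib source tree
# and install it on Debian (including Raspbian).
# Run as root or with sudo.
#
#   -e  exit as soon as a simple command fails
#   -u  treat the use of an unset variable as an error
#   -x  print each command before it is executed
set -eux

# Release names of the pinned sources. These are the releases this script was
# last updated for, not current ones: before running it, bump each pin to a
# release that still receives security fixes and replace the matching
# SHA256_* value below with the checksum published for that release.
export VERSION_PCRE=pcre-8.43
export VERSION_ZLIB=zlib-1.2.11
export VERSION_OPENSSL=openssl-1.1.1d
export VERSION_NGINX=nginx-1.17.4
# Directory name (under the build path) the rtmp module is cloned into.
export VERSION_RTMP=rtmp

# Expected SHA-256 digests of the tarballs named above. They are compared
# against the downloads and must change together with the VERSION_* pins.
export SHA256_PCRE=0b8e7465dc5e98c757cc3650a20a7843ee4c3edf50aaf60bb33fd879690d2c73
export SHA256_ZLIB=c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1
export SHA256_OPENSSL=1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2
export SHA256_NGINX=62854b365e66670ef4f1f8cc79124f914551444da974207cd5fe22d85710e555

# Full fingerprints of the OpenPGP keys expected to have signed the OpenSSL
# and nginx tarballs. Confirm them against the projects' own pages when the
# pins are bumped; release signing keys change over time.
export GPG_OPENSSL=8657ABB260F056B1E5190839D9C4D26D0E604491
export GPG_NGINX=B0F4253373F8F6F510D42178520A9993A1C052F8

# Base URLs of the source directories (HTTPS only). Upstream projects move
# hosts and archive old releases, so confirm each URL still serves the pinned
# file.
export SOURCE_OPENSSL=https://www.openssl.org/source/
export SOURCE_PCRE=https://ftp.pcre.org/pub/pcre/
export SOURCE_ZLIB=https://zlib.net/
export SOURCE_NGINX=https://nginx.org/download/
export SOURCE_RTMP=https://github.com/arut/nginx-rtmp-module.git

# Directory in which OpenSSL and nginx are built. Assignment and export are
# separate statements so that a failing `pwd` is not masked by `export`.
BPATH="$(pwd)/build"
export BPATH

# Date stamp used in the name of the /etc/nginx back-up directory later on.
today="$(date +"%Y-%m-%d")"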
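# Start from a clean slate: remove the build tree and the reference copy of
# the default configuration left behind by a previous run of this script.
# Paths are quoted so a working directory containing whitespace is handled,
# and ${BPATH:?} aborts instead of expanding to an empty path if BPATH is
# unset or empty (this runs as root).
rm -rf -- "${BPATH:?}"
rm -rf -- /etc/nginx-default
mkdir -- "$BPATH"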
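# Install the tools needed to fetch, verify and compile the sources.
#
# - The index refresh and the install are separate commands: inside an `&&`
#   list a failing first command does not trigger `set -e`, so a failed
#   refresh would silently skip the install and let the script carry on.
# - apt-get is used because apt's command-line interface is not guaranteed to
#   stay stable for use in scripts.
# - gnupg and ca-certificates are listed explicitly because the script calls
#   gpg and downloads over HTTPS; a minimal installation may lack them.
# - DEBIAN_FRONTEND=noninteractive keeps debconf from prompting.
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get -y install \
  binutils \
  build-essential \
  ca-certificates \
  curl \
  dirmngr \
  git \
  gnupg \
  libgeoip-dev \
  libssl-dev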
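# Download the source files.

# fetch URL DEST
#   Download URL to DEST. Only HTTPS is accepted, also across redirects, and
#   -f makes an HTTP error response fail instead of saving the error page.
fetch() {
  curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fL "$1" -o "$2"
}

# fetch_checked URL DEST SHA256
#   Download URL to DEST and compare the file with the pinned SHA-256 digest.
#   Download and check are separate commands: chained with `&&`, a failing
#   curl would not trigger `set -e` and the checksum step would simply be
#   skipped.
fetch_checked() {
  fetch "$1" "$2" || return 1
  printf '%s  %s\n' "$3" "$2" | sha256sum -c -
}

fetch_checked "${SOURCE_PCRE}${VERSION_PCRE}.tar.gz" ./build/PCRE.tar.gz "$SHA256_PCRE"
fetch_checked "${SOURCE_ZLIB}${VERSION_ZLIB}.tar.gz" ./build/ZLIB.tar.gz "$SHA256_ZLIB"
fetch_checked "${SOURCE_OPENSSL}${VERSION_OPENSSL}.tar.gz" ./build/OPENSSL.tar.gz "$SHA256_OPENSSL"
fetch_checked "${SOURCE_NGINX}${VERSION_NGINX}.tar.gz" ./build/NGINX.tar.gz "$SHA256_NGINX"

# Clone the rtmp module. Unlike the tarballs above, this source has neither a
# checksum nor a signature check, and it is compiled into a daemon that is
# installed as root. Set RTMP_COMMIT to the full hash of a commit you have
# reviewed (RTMP_COMMIT=<full commit hash>) to build exactly that revision
# instead of whatever the default branch points at today.
git clone -- "$SOURCE_RTMP" ./build/rtmp
if [ -n "${RTMP_COMMIT:-}" ]; then
  git -C ./build/rtmp checkout --detach "$RTMP_COMMIT"
else
  echo "warning: RTMP_COMMIT is not set; building nginx-rtmp-module from the tip of its default branch, unpinned and unverified" >&2
fi

# Download the detached signatures; they are checked against the pinned key
# fingerprints in the GPG verification step.
fetch "${SOURCE_OPENSSL}${VERSION_OPENSSL}.tar.gz.asc" ./build/OPENSSL.tar.gz.asc
fetch "${SOURCE_NGINX}${VERSION_NGINX}.tar.gz.asc" ./build/NGINX.tar.gz.asc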
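# Verify the OpenPGP signatures of the OpenSSL and nginx tarballs, then unpack
# all four source archives inside the build directory.
cd -- "$BPATH"

# Keyserver the signing keys are fetched from. The SKS pool this script
# originally used (ha.pool.sks-keyservers.net) has been retired, so the
# server is configurable; override GPG_KEYSERVER if the default does not
# carry the keys.
GPG_KEYSERVER="${GPG_KEYSERVER:-hkps://keyserver.ubuntu.com}"

# Throw-away keyring so that only the keys fetched below can validate
# anything. The trap removes it even when a step fails and `set -e` exits.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
trap 'rm -rf -- "$GNUPGHOME"' EXIT

# verify_signature FINGERPRINT SIGFILE DATAFILE
#   Succeed only if SIGFILE is a valid signature over DATAFILE made by the
#   key with the given full fingerprint. A plain `gpg --verify` accepts a
#   signature from any key in the keyring, so the fingerprint reported on the
#   VALIDSIG status line is compared explicitly; its first field is the
#   signing (sub)key and its last field the primary key.
verify_signature() {
  local fpr=$1 sig=$2 file=$3 status
  status="$(gpg --batch --status-fd 1 --verify "$sig" "$file")" || return 1
  awk -v fpr="$fpr" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
    END { exit !ok }
  ' <<<"$status"
}

gpg --batch --keyserver "$GPG_KEYSERVER" --recv-keys "$GPG_OPENSSL"
verify_signature "$GPG_OPENSSL" OPENSSL.tar.gz.asc OPENSSL.tar.gz
gpg --batch --keyserver "$GPG_KEYSERVER" --recv-keys "$GPG_NGINX"
verify_signature "$GPG_NGINX" NGINX.tar.gz.asc NGINX.tar.gz
rm -rf -- "$GNUPGHOME" OPENSSL.tar.gz.asc NGINX.tar.gz.asc
trap - EXIT

# Expand the source files. --no-same-owner keeps tar, running as root, from
# restoring whatever user and group IDs are recorded inside the archives.
for archive in PCRE ZLIB OPENSSL NGINX; do
  tar --no-same-owner -xzf "${archive}.tar.gz"
done

# Clean up the tarballs and return to the directory the script started in.
rm -- PCRE.tar.gz ZLIB.tar.gz OPENSSL.tar.gz NGINX.tar.gz
cd ..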
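# Set the existing /etc/nginx aside so it is kept as a back-up while the build
# installs its default configuration. If today's back-up directory is already
# there (for example after an aborted earlier run), stop: `mv` would otherwise
# move /etc/nginx *into* that directory and mix the two configurations.
if [ -d /etc/nginx ]; then
  if [ -e "/etc/nginx-$today" ]; then
    echo "error: /etc/nginx-$today already exists; restore or remove it before running this script again" >&2
    exit 1
  fi
  mv -- /etc/nginx "/etc/nginx-$today"
fi

# Create the nginx cache directories. `mkdir -p` leaves existing directories
# alone, so it runs unconditionally and also repairs a partially present tree
# (the earlier guard skipped everything once /var/cache/nginx existed).
mkdir -p \
  /var/cache/nginx/client_temp \
  /var/cache/nginx/proxy_temp \
  /var/cache/nginx/fastcgi_temp \
  /var/cache/nginx/uwsgi_temp \
  /var/cache/nginx/scgi_temp

# Add the nginx group and user if they do not already exist. getent checks
# the group and the account separately (`id -g nginx` reports the primary
# group of the *user* nginx, not whether a group of that name exists).
# The account is a system account without a password whose shell refuses
# logins; Debian ships nologin as /usr/sbin/nologin.
getent group nginx >/dev/null || addgroup --system nginx
getent passwd nginx >/dev/null || adduser --disabled-password --system --home /var/cache/nginx --shell /usr/sbin/nologin --group nginx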
# Pick the extra OpenSSL configuration flag. It stays empty unless gcc's
# predefined macros (dumped by preprocessing empty input) include
# __SIZEOF_INT128__; the value is interpolated into --with-openssl-opt when
# nginx is configured later in the script.
ECFLAG=""
if gcc -dM -E - </dev/null | grep -q __SIZEOF_INT128__; then
  ECFLAG="enable-ec_nistp_64_gcc_128"
fi
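# Configure, build and install nginx with the module selection below.
# The options are collected in an array so every path is passed as a single
# word even if the build directory contains whitespace, and so each group can
# carry a comment.
cd -- "$BPATH/$VERSION_NGINX"

configure_args=(
  --prefix=/etc/nginx

  # Compiler and linker options for nginx itself.
  # NOTE(review): no stack-protector, _FORTIFY_SOURCE or RELRO flags are
  # passed here; consider adding the distribution's hardening flags once they
  # are confirmed to build on the target.
  --with-cc-opt=-Wimplicit-fallthrough=0
  --with-ld-opt=-lrt

  # Libraries built from the unpacked source trees. The OpenSSL options drop
  # weak cipher suites, SSLv3 and heartbeats, disable shared libraries and
  # error strings, and add the EC flag chosen earlier (possibly empty).
  "--with-pcre=$BPATH/$VERSION_PCRE"
  "--with-zlib=$BPATH/$VERSION_ZLIB"
  "--with-openssl-opt=no-weak-ssl-ciphers no-ssl3 no-shared no-err $ECFLAG -DOPENSSL_NO_HEARTBEATS"
  "--with-openssl=$BPATH/$VERSION_OPENSSL"

  # Installation layout
  --sbin-path=/usr/sbin/nginx
  --modules-path=/usr/lib/nginx/modules
  --conf-path=/etc/nginx/nginx.conf
  --error-log-path=/var/log/nginx/error.log
  --http-log-path=/var/log/nginx/access.log
  --pid-path=/var/run/nginx.pid
  --lock-path=/var/run/nginx.lock
  --http-client-body-temp-path=/var/cache/nginx/client_temp
  --http-proxy-temp-path=/var/cache/nginx/proxy_temp
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
  --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
  --http-scgi-temp-path=/var/cache/nginx/scgi_temp

  # Account the worker processes run as
  --user=nginx
  --group=nginx

  # Features and modules that are switched on
  --with-file-aio
  --with-http_geoip_module
  --with-http_auth_request_module
  --with-http_gunzip_module
  --with-http_gzip_static_module
  --with-http_mp4_module
  --with-http_realip_module
  --with-http_secure_link_module
  --with-http_slice_module
  --with-http_ssl_module
  --with-http_stub_status_module
  --with-http_sub_module
  --with-http_v2_module
  --with-pcre-jit
  --with-stream
  --with-stream_ssl_module
  --with-threads

  # Default modules that are left out
  --without-http_empty_gif_module
  --without-http_split_clients_module
  --without-http_ssi_module
  --without-mail_imap_module
  --without-mail_pop3_module
  --without-mail_smtp_module

  # Third-party rtmp module from the cloned repository
  "--add-module=$BPATH/$VERSION_RTMP"
)

./configure "${configure_args[@]}"
make
make install
make clean

# Remove symbol information from the installed binaries. The glob is left
# unquoted on purpose so it matches every /usr/sbin/nginx* file.
strip -s /usr/sbin/nginx*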
# When a configuration was set aside before the build, swap it back in:
# the freshly installed /etc/nginx is kept as /etc/nginx-default for
# reference to the new defaults, and the previous settings return to
# /etc/nginx.
previous_config="/etc/nginx-${today}"
if [[ -d "$previous_config" ]]; then
  mv /etc/nginx /etc/nginx-default
  mv "$previous_config" /etc/nginx
fi
# Write a systemd unit for nginx, but only when none exists at this path, so
# a unit that is already installed is never overwritten.
# The quoted 'EOF' delimiter keeps the shell from expanding $MAINPID; systemd
# substitutes it when the unit runs. ExecStartPre validates the configuration
# with `nginx -t` before each start.
# NOTE(review): PrivateTmp=true is the only sandboxing directive in this
# unit; further systemd hardening options may be worth testing for the
# deployment.
unit_file="/lib/systemd/system/nginx.service"
if [[ ! -e "$unit_file" ]]; then
  /bin/cat >"$unit_file" <<'EOF'
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
fi
# Tell the operator the install finished and how to start the server.
printf '%s\n' \
  "All done." \
  "Start with sudo systemctl start nginx" \
  "or with sudo nginx"

khanh-nt commented Feb 25, 2019

It does not work on Raspberry Pi 3+ :( Any suggestions?


karudonaldson commented Jun 25, 2019

Handy little script thanks, much appreciated.

Tested it on Debian 9 and installs perfectly fine. Is there a way I can install it completely unattended without the prompts for overwriting config files? Basically, it's a clean system and I'm trying to deploy this via ansible. Maybe I'm just going about it the wrong way and should compile it myself from source perhaps?


olivier-defrance commented Apr 18, 2020

Nice script !
It works very well on Raspberry Pi 4 B on Raspbian Buster (used to reinstall nginx 1.14.2)
Thanks
