|# names of latest versions of each package|
|# URLs to the source directories|
|# make a 'today' variable for use in back-up filenames later|
|# clean out any files from previous runs of this script|
|rm -rf build|
|rm -rf /etc/nginx-default|
|# ensure that we have the required software to compile our own nginx|
|apt-get -y install curl wget build-essential|
|# grab the source files|
|wget -P ./build $SOURCE_PCRE$VERSION_PCRE.tar.gz|
|wget -P ./build $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz --no-check-certificate|
|wget -P ./build $SOURCE_NGINX$VERSION_NGINX.tar.gz|
|# expand the source files|
|tar xzf $VERSION_NGINX.tar.gz|
|tar xzf $VERSION_OPENSSL.tar.gz|
|tar xzf $VERSION_PCRE.tar.gz|
|# set where OpenSSL and nginx will be built|
|# build static openssl|
|rm -rf "$STATICLIBSSL"|
|./config --prefix=$STATICLIBSSL no-shared \|
|&& make depend \|
|&& make \|
|&& make install_sw|
|# rename the existing /etc/nginx directory so it's saved as a back-up|
|mv /etc/nginx /etc/nginx-$today|
|# build nginx, with various modules included/excluded|
|mkdir -p $BPATH/nginx|
|./configure --with-cc-opt="-I $STATICLIBSSL/include -I/usr/include" \|
|--with-ld-opt="-L $STATICLIBSSL/lib -Wl,-rpath -lssl -lcrypto -ldl -lz" \|
|&& make && make install|
|# rename the compiled 'default' /etc/nginx directory so its accessible as a reference to the new nginx defaults|
|mv /etc/nginx /etc/nginx-default|
|# now restore the previous version of /etc/nginx to /etc/nginx so the old settings are kept|
|mv /etc/nginx-$today /etc/nginx|
|echo "All done.";|
|echo "This build has not edited your existing /etc/nginx directory.";|
|echo "If things aren't working now you may need to refer to the";|
|echo "configuration files the new nginx ships with as defaults,";|
|echo "which are available at /etc/nginx-default";|
Jun 15, 2014
I had the same problem with the enable-ec_nistp_64_gcc_128 option. I used the latest (2014-01-07) Raspbian Image (http://www.raspberrypi.org/downloads/) an not the noobs method as Matt described in his post. Maybe that makes a difference.
As a workaround I removed the enable-ec_nistp_64_gcc_128 option and it went just fine. As Matt said, it's meant for performance optimizations.
Elliptic Curve algorithms are suspect be weakened on purpose anyway (http://www.wired.com/2013/09/nsa-backdoor/all/ and http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/3/)
Oct 10, 2014
According to http://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options the enable-ec_nistp_64_gcc_128 option should only be enabled on x64 systems. I believe Raspberry does not qualify for that just yet.
Oct 11, 2014
I'm facing issues with the script... Honestly, I don't know what to do here... It seems that when it's trying to compile nginx, it fails somehow... Any clues?
ecp_nistp224.c:574:2: warning: right shift count >= width of type [enabled by default] ecp_nistp224.c:577:2: warning: right shift count >= width of type [enabled by default] <builtin>: recipe for target 'ecp_nistp224.o' failed make: *** [ecp_nistp224.o] Error 1 make: Leaving directory '/home/pi/Install/nginx/build/openssl-1.0.1i/crypto/ec' Makefile:91: recipe for target 'subdirs' failed make: *** [subdirs] Error 1 make: Leaving directory '/home/pi/Install/nginx/build/openssl-1.0.1i/crypto' Makefile:278: recipe for target 'build_crypto' failed make: *** [build_crypto] Error 1 checking for OS + Linux 3.12.28+ armv6l checking for C compiler ... found + using GNU C compiler + gcc version: 4.6.3 (Debian 4.6.3-14+rpi1) checking for gcc -pipe switch ... found checking for --with-ld-opt="-L /home/pi/Install/nginx/build/staticlibssl/lib -Wl,-rpath -lssl -lcrypto -ldl -lz" ... not found ./configure: error: the invalid value in --with-ld-opt="-L /home/pi/Install/nginx/build/staticlibssl/lib -Wl,-rpath -lssl -lcrypto -ldl -lz" mv: cannot stat `/etc/nginx': No such file or directory All done. This build has not edited your existing /etc/nginx directory. If things aren't working now you may need to refer to the configuration files the new nginx ships with as defaults, which are available at /etc/nginx-default root@raspberrypi:/home/pi/Install/nginx#
Nov 2, 2014
Hi Toborrow: looks like you're running the script without having read the accompanying blog post - this script is expecting /etc/nginx to already exist because it's expecting to have had the apt-get version installed (and then removed) in the past. I did it that way so that a few init scripts and behaviours are set up for you. Have a look through https://mattwilcox.net/archives/setting-up-a-recent-version-of-nginx-with-https-and-spdy-support-on-a-raspberry-pi/ and hopefully that should help.
Nov 7, 2014
The error is not a missing /etc/nginx (the script moved it before calling configure on nginx), configure is failing. The problem is related to the linker options given to configure, hence the './configure: error: ' line. In my case, a 64bit zlib was missing from my system.
I would suggest running the configure line from the script directly in the shell removing options till you find which one is causing the error.
The stat on /etc/nginx fails because 'make install' called after configure did not run due to configure erroring out.
The script moves /etc/nginx back when finishing so it is there after the script completes.
Dec 18, 2014
@MattWilcox, thanks for the blog post, I didn't read it in the first place, mainly because I landed on this Gist right from my google query... I'll have a look!
@rgyger, I'll try that and keep you informed if this solved my issue, thanks!
I could build Nginx to the latest version using your advice @rgyger, when I removed
--with-ld-opt, build passed. However, how does this affect Nginx? I read elsewhere that I should probably specify the path to the lib (which is located in my case at
/home/pi/Install/nginx/build/staticlibssl/lib, but I'm not quite sure what's the right way).
Thanks for your help!
Jan 21, 2015
Can confirm problems with enable-ec_nistp_64_gcc_128 when compiling openssl.
ecp_nistp224.c:43:3: error: unknown type name ‘__uint128_t’
ecp_nistp224.c: In function ‘widefelem_diff’:
ecp_nistp224.c:422:2: warning: left shift count >= width of type [enabled by default]
Running Raspbian Debian Wheezy December 2014
Don't get any compilation errors with openssl when enable-ec_nistp_64_gcc_128 is removed
Jan 23, 2015
Hi, thanks for the script. Here my changes which are necessary on Bananian (version: 15.01 (released 2015-01-11))
build done with pcre-8.36 / openssl-1.0.2 / nginx-1.7.9
- remove 'enable-ec_nistp_64_gcc_128' parameter within openssl build
- change the '-rpath' option within the nginx build from '-Wl,-rpath' to '-Wl,-rpath=$STATICLIBSSL/lib'
- install libz-dev
Feb 12, 2015
I'm new to all this, but I've followed the instructions. Fresh install on Raspbian on Pi 2, ran sudo apt-get install nginx and then once installed ran sudo apt-get remove nginx
I then put on this script, made it executable and changed the version of OpenSSL to 1.0.2
It seems to run ok, and once it's complete I get the basic webpage. But, if I run nginx -v on my Pi, it still shows the version of 1.2.1. I'm not sure what I've done wrong. Is this the same for you?
Feb 16, 2015
Just wanted to let you know, I tried the script on my brand new Raspberry Pi2 and it works like a charm (without any edits though, instead of my try on RPi1).
@bkev: Did you run the script as root ?
sudo ./build_nginx.sh and tell us if this does changes anything. I also made the mistake and forgot the
sudo at first.
Feb 19, 2015
Thanks for this script!
libcrypto was missing on my RPi2 clean Raspbian install. Fixed it by installing libssl-dev
Feb 20, 2015
Thanks for the help!
@zucht doing a sudo apt-get install libssl-dev and running the script again meant that when I run nginx -v now, I get 1.7.9. but if I run an openssl version command, I still get 1.0.1e.
Is this correct? Does the script build nginx with the new version of openssl but not replace the version found on the Pi?
EDIT: I too had to remove the "enable-ec_nistp_64_gcc_128" option as it kept failing.
Mar 14, 2015
Awesome! I've been having problems getting all the dependencies sorted out, as the repo versions are horribly out-of-date with tons of vulnerabilities. I'll give this a try. Thanks.
Mar 21, 2015
@bkev - The script makes a version of openssl for nginx to use, but does not replace the system one. If you're worried about security, the system ones will usually have security patches applied but still be based on an older version of OpennSSL. That's why some packages in the repositories have stuff like 'deb10.1' or similar appended to the actual software version.
Aug 5, 2015
If you're tired of manually updating the latest versions of each package, feel free to use my fork of this script :)
Sep 30, 2015
Trying this with the new 2015-09-24-raspbian-jessie.img on Rasp Pi 2. Getting a compile error in crypto. I'm not strong in this area, so a suggestion is welcome.
Also, Nginx 1.9.5 no longer supports SPDY. You either need to use the new HTTP/2, or fall back to Ngnix 1.9.4. Info on Nginx HTTP/2: http://nginx.org/en/docs/http/ngx_http_v2_module.html
making all in crypto... make: Entering directory '/home/pi/build/openssl-1.0.2d/crypto' /usr/bin/perl ../util/mkbuildinf.pl "gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -march=armv7-a -Wa,--noexecstack -O3 -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM" "linux-armv4" >buildinf.h gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -march=armv7-a -Wa,--noexecstack -O3 -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -c -o cryptlib.o cryptlib.c In file included from /usr/include/stdlib.h:41:0, from cryptlib.h:62, from cryptlib.c:117: /usr/include/arm-linux-gnueabihf/bits/waitflags.h:52:3: internal compiler error: Segmentation fault P_ALL, /* Wait for any child. */ ^ Please submit a full bug report, with preprocessed source if appropriate. See <file:///usr/share/doc/gcc-4.9/README.Bugs> for instructions. Preprocessed source stored into /tmp/cc5Vn7ij.out file, please attach this to your bugreport. <builtin>: recipe for target 'cryptlib.o' failed make: *** [cryptlib.o] Error 1 make: Leaving directory '/home/pi/build/openssl-1.0.2d/crypto' Makefile:283: recipe for target 'build_crypto' failed make: *** [build_crypto] Error 1 checking for OS + Linux 4.1.7-v7+ armv7l checking for C compiler ... not found ./configure: error: C compiler cc is not found mv: cannot stat ‘/etc/nginx’: No such file or directory All done.
Oct 4, 2015
For the latest version, 1.9.5, Spdy had been replaced by HTTP/2.
--with-http_spdy_module \ to
--with-http_v2_module \ works.
Oct 4, 2015
Just run the script on my Rasp-jessie. Everything goes well despite the upgrade of openssl. The openssl version is stuck at 1.0.1k even if I put the 1.0.2 version in the script. Any idea ?
Oct 5, 2015
The script only provides OpenSSL for compiling into Nginx. It does not install the new OpenSSL into the system. Read the Mar 21 comment by MattWilcox above.
With the seg fault I posted above during creation of the OpenSSL files, I grabbed the OpenSSL 1.0.2d directory created on a Wheezy version of Raspbian and inserted it into the "build" directory on Jessie and modded the script to use it. Seems to have worked, but I don't know what monster I might have created. I'm going to try it again fresh in a couple of days.
Oct 9, 2015
@habovh I ran into the same problem when trying this script on Ubuntu as you did:
./configure: error: the invalid value in --with-ld-opt . Did you ever find out what to do to fix it? Removing
-lcrypto does not do the trick.
libssl-dev which made the above error disappear, but then I got some sort of OpenSSL error. Added
--with-openssl=$BPATH/$VERSION_OPENSSL \ to the script and now it seems to run all the way instead of stopping early. Think I'm good now?
Dec 7, 2015
It seems like something changed with Debian 8, and the 'enable-ec_nistp_64_gcc_128' option on line 45 now causes a failure when configuring the crypto. I have removed this from the script and it now compiles correctly. Tested on a Pi2 with Jessie based Raspbian.
If anyone knows a better solution, I'd be all ears - it's a performance enhancement flag that the Pi would benefit from.
Dec 22, 2015
Sorry to chime in as well, but I too was wondering where exactly the updated versions of OpenSSL and PCRE are actually playing their part.
Shouldn't I at least see the updated version numbers in
How would I make use of the updated versions otherwise?
Thanks for clarifying, I'm still new to this home server party
Jan 30, 2016
First off, thanks for this script. I'm not sure how or if it's possible to send pull requests to Gists so I wanted to let you know about some changes I made to my fork you may want to add in. You won't want to include all my changes because I added some modules not everyone will want, but some of my other updates may be useful:
- Bumped OpenSSL and NGINX to latest versions
set -e -xso script prints commands being executed and exits if a single command fails
- Made script verify checksums
- Removed wget dependency
- Compiled without SSLv3 support
Feel free to take or not take any of those changes from my fork.
@noplanman you're not seeing the updated versions of OpenSSL and PCRE in
phpinfo(); because this build script only compiles NGINX using the statically linked versions of those tools, but does not touch any versions of those tools installed on your system. As such, PHP still uses/sees the system version. However, you can confirm, for OpenSSL at least, that NGINX was built with the version of OpenSSL within the script by running the following command:
Apr 9, 2016
After removing Nginx and re-installing using this along with the Google Pagespeed module, although Nginx version 1.9.7 is installed I am unable to access it as a service - with the error of 'no such file or directory'.
Jun 13, 2016
Hi @MattWilcox and thanks for sharing the script!
what exactly is the directory "
$BPATH/nginx" for? (Line 55:
mkdir -p $BPATH/nginx)
Jan 23, 2017
PCRE 8.38 is not working anymore, 8.39 is though. (https://gist.github.com/wouterds/f676815659147a262cf77e41c704419f)
Oct 16, 2017
have tried ur script but got error about missing openssl for SSL usage, so you've to also add:
Hmm, that's interesting: Are you trying this on a Raspberry Pi running Raspbian? Or have you got Debian Wheezy installed on the Pi?
I've tried this on Raspbian on the Pi without issue, and I've tried this on Debian Wheezy running on a Linode, again without problem.
It sounds like you've got Debian running on your Pi though, which is a configuration I've not tested, and which might well throw up problems - from what I know, Debian is not best suited to the processor that the Pi uses (It's an older ARM processor, not an x86 processor). Which is one reason why Raspbian came into being in the first place; it's Debian, fettled to work nicely on Pi hardware.
I'm not sure what to suggest to get that issue fixed for you, I'm not overly familiar with the intricacies of OpenSSL nor the Pi itself, but you could try removing the option entirely (I think it's just an option to give a faster end result (using 64bit code) rather than anything of a functional change; see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698447 )