Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Fetch, build, and install the latest nginx with the latest OpenSSL for RaspberryPi
#!/usr/bin/env bash
# make script exit if a simple command fails and
# make script print commands being executed
set -e -x
# names of latest versions of each package
export VERSION_PCRE=pcre-8.38
export VERSION_OPENSSL=openssl-1.0.2f
export VERSION_NGINX=nginx-1.9.11
# checksums of latest versions of each package
export SHA256_PCRE=9883e419c336c63b0cb5202b09537c140966d585e4d0da66147dc513da13e629
export SHA256_OPENSSL=932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c
export SHA256_NGINX=6a5c72f4afaf57a6db064bba0965d72335f127481c5d4e64ee8714e7b368a51f
# URLs to the source directories
export SOURCE_OPENSSL=https://www.openssl.org/source/
export SOURCE_PCRE=ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
export SOURCE_NGINX=http://nginx.org/download/
# make a 'today' variable for use in back-up filenames later
today=$(date +"%Y-%m-%d")
# clean out any files from previous runs of this script
rm -rf build
rm -rf /etc/nginx-default
mkdir build
# ensure that we have the required software to compile our own nginx
apt-get update && apt-get -y install \
build-essential \
curl \
libssl-dev \
libxslt1-dev
# grab the source files
curl -L $SOURCE_PCRE$VERSION_PCRE.tar.gz -o ./build/PCRE.tar.gz && \
echo "${SHA256_PCRE} ./build/PCRE.tar.gz" | sha256sum -c -
curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz -o ./build/OPENSSL.tar.gz && \
echo "${SHA256_OPENSSL} ./build/OPENSSL.tar.gz" | sha256sum -c -
curl -L $SOURCE_NGINX$VERSION_NGINX.tar.gz -o ./build/NGINX.tar.gz && \
echo "${SHA256_NGINX} ./build/NGINX.tar.gz" | sha256sum -c -
# expand the source files
cd build
tar xzf PCRE.tar.gz
tar xzf OPENSSL.tar.gz
tar xzf NGINX.tar.gz
cd ../
# set where OpenSSL and nginx will be built
export BPATH=$(pwd)/build
export STATICLIBSSL="$BPATH/staticlibssl"
# build static openssl
cd $BPATH/$VERSION_OPENSSL
rm -rf "$STATICLIBSSL"
mkdir "$STATICLIBSSL"
make clean
./config --prefix=$STATICLIBSSL no-shared no-ssl2 no-ssl3 no-idea \
&& make depend \
&& make \
&& make install_sw
# rename the existing /etc/nginx directory so it's saved as a back-up
mv /etc/nginx /etc/nginx-$today
# build nginx, with various modules included/excluded
cd $BPATH/$VERSION_NGINX
mkdir -p $BPATH/nginx
./configure --with-cc-opt="-I $STATICLIBSSL/include -I/usr/include" \
--with-ld-opt="-L $STATICLIBSSL/lib -Wl,-rpath -lssl -lcrypto -ldl -lz" \
--with-pcre=$BPATH/$VERSION_PCRE \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_sub_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-http_auth_request_module \
--with-file-aio \
--without-mail_imap_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--with-http_v2_module \
--with-ipv6 \
--with-threads \
--with-stream \
--with-stream_ssl_module \
--with-http_slice_module \
&& make && make install
# rename the compiled 'default' /etc/nginx directory so its accessible as a reference to the new nginx defaults
mv /etc/nginx /etc/nginx-default
# now restore the previous version of /etc/nginx to /etc/nginx so the old settings are kept
mv /etc/nginx-$today /etc/nginx
echo "All done.";
echo "This build has not edited your existing /etc/nginx directory.";
echo "If things aren't working now you may need to refer to the";
echo "configuration files the new nginx ships with as defaults,";
echo "which are available at /etc/nginx-default";
@harrygg

This comment has been minimized.

Copy link

harrygg commented Feb 10, 2016

Thanks. This is the first time these type of scripts actually work without any modifications from my side. Nginx is already 1.9.11.

@MatthewVance

This comment has been minimized.

Copy link
Owner Author

MatthewVance commented Feb 12, 2016

You're welcome @harrygg though the original author deserves most of the credit. I've updated this to NGINX 1.9.11. I also removed a few modules I didn't need/want so be cognizant of that if you update with the latest version of the script. With the new dynamic modules feature introduced in 1.9.11, adding modules back in should be easier (at least for ones that have been converted to support it).

@MatthewVance

This comment has been minimized.

Copy link
Owner Author

MatthewVance commented Feb 12, 2016

I should also mention I copied this over to a traditional repo because I prefer to work from there than on Gist (I didn't know a way to fork from a gist to a repo or I would have done it). I plan to make future updates on the new repo at https://github.com/MatthewVance/nginx-build. At the current moment, they're essentially the same. One difference is I forgot to remove the libssl-dev and libxslt1-dev packages when removing the xslt module from this version, but did not in the other one.

@Tralapo

This comment has been minimized.

Copy link

Tralapo commented Feb 27, 2016

Hello Matthew, I'm using the gist from Matt for a while now, works fine. Added some custom modules to it. But I do have a question. Building takes a very long time, mostly because of OpenSSL. What exactly is the reason to build OpenSSL with it, instead of the already installed versions on the server?

If I wanted to leave that part out, which parts should I change?

@MatthewVance

This comment has been minimized.

Copy link
Owner Author

MatthewVance commented Jun 14, 2016

Hi @Tralapo, I apologize for the slow response. I missed the notification and it hasn't helped that I quit paying attention to this gist after moving this script to a full repo at https://github.com/MatthewVance/nginx-build.

To answer your question, the reason to build OpenSSL with it is to ensure NGINX has the latest version of OpenSSL with some basic security options (e.g., no SSLv2 and SSLv3 protocol support...which proved prudent given the recent DROWN attack). This means if NGINX is built without statically compiling and linking OpenSSL, NGINX would make use of the system version. Most traditional distros (i.e., non-rolling releases) usually only have an older version of OpenSSL available in their repos. For example, my install of Ubuntu 16.04 has OpenSSL 1.0.2g-fips (openssl version) installed on it whereas the current version of this script would allow NGINX to use OpenSSL 1.0.2h (nginx -V). My up-to-date install of Raspbian Jessie Lite OpenSSL 1.0.1t.

All that being said, removing the OpenSSL parts of the script and having NGINX use the system version of OpenSSL isn't necessarily a bad thing since most distros back port security updates, but you won't be able to use all the latest ciphers, etc. You'd have to check the OpenSSL change logs and your distros OpenSSL compile options to see if you care about any of the OpenSSL features you'd miss (most likely not if you're not a security geek like me).

Since it sounds like compile time is a concern (I agree it is slow, especially on the Raspbery Pi), be sure to look into NGINX's recently added support for dynamic modules. At least for some third-party and native modules, you don't have to recompile NGINX to add new features.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.