#!/usr/bin/env bash
# Strict mode, spelled out with long option names:
#   errexit  - stop on an unhandled non-zero exit status
#   nounset  - treat expansion of an unset variable as an error
#   noglob   - disable pathname expansion, so unquoted words are never globbed
#   pipefail - a pipeline fails if any of its stages fails
set -o errexit -o nounset -o noglob -o pipefail
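#######################################
# Build nginx from source against a statically built LibreSSL and PCRE,
# install it as a package via checkinstall, then hot-upgrade a running nginx.
# Globals:   none
# Arguments: none (arguments passed in are ignored)
# Outputs:   progress messages on stdout, failures on stderr
# Returns:   exits non-zero as soon as a download, build or install step fails
#######################################
main() {
  # Pinned release names. Every tarball is verified against a pinned SHA-256
  # in the download calls below, so a version bump must update the matching
  # hash in the same change.
  # NOTE(review): these were the current releases when the script was written;
  # check upstream security advisories and move to supported releases before
  # running this on a real host.
  local NGINX_VERSION=1.17.3
  local VERSION_NGINX=nginx-$NGINX_VERSION
  local VERSION_LIBRESSL=libressl-3.0.0
  local VERSION_PCRE=pcre-8.43

  # URLs to the source directories (HTTPS only)
  local SOURCE_NGINX=https://nginx.org/download/
  local SOURCE_LIBRESSL=https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/
  local SOURCE_PCRE=https://ftp.pcre.org/pub/pcre/

  # Where LibreSSL and nginx are built. Declaration and assignment are split
  # so that a failing $(pwd) is not masked by the exit status of 'local'.
  local BPATH
  BPATH=$(pwd)/build
  local STATICLIBSSL=$BPATH/$VERSION_LIBRESSL

  # clean out any files from previous runs of this script
  rm -rf -- "${BPATH:?}"
  mkdir -- "$BPATH"

  # Ensure the required build tooling is present. These are two separate
  # statements on purpose: in an 'a && b' list errexit does not fire when 'a'
  # fails, so a failed 'apt-get update' used to be skipped over silently.
  sudo apt-get update
  sudo apt-get -y install wget build-essential libgd2-xpm-dev libgeoip-dev checkinstall libxslt-dev make gcc zlib1g-dev

  # Fetch the sources; download() stops the script on a checksum mismatch.
  # NOTE(review): the pinned hashes are only as trustworthy as the channel
  # they were copied from; cross-check them against upstream's signed release
  # files whenever they are updated.
  echo "Download sources"
  download "$SOURCE_NGINX$VERSION_NGINX.tar.gz" "$BPATH" "3b84fe1c2cf9ca22fde370e486a9ab16b6427df1b6ea62cdb61978c9f34d0f3c"
  download "$SOURCE_LIBRESSL$VERSION_LIBRESSL.tar.gz" "$BPATH" "01d9100457d373947d3164a73cc285438bb12fe28ab065cbe2835ad64dcc3c76"
  download "$SOURCE_PCRE$VERSION_PCRE.tar.gz" "$BPATH" "0b8e7465dc5e98c757cc3650a20a7843ee4c3edf50aaf60bb33fd879690d2c73"

  # expand the (already verified) source archives inside the build directory
  tar -xzf "$BPATH/$VERSION_NGINX.tar.gz" -C "$BPATH"
  tar -xzf "$BPATH/$VERSION_LIBRESSL.tar.gz" -C "$BPATH"
  tar -xzf "$BPATH/$VERSION_PCRE.tar.gz" -C "$BPATH"

  # build static LibreSSL; each step must succeed before the next one runs
  echo "Configure & Build LibreSSL"
  cd "$STATICLIBSSL"
  ./config LDFLAGS=-lrt --prefix="${STATICLIBSSL}/.openssl/"
  make install-strip

  # build nginx, with various modules included/excluded
  # NOTE(review): --user/--group name an 'nginx' account that this script
  # does not create; confirm it exists on the target host.
  echo "Configure & Build Nginx"
  cd "$BPATH/$VERSION_NGINX"
  ./configure \
    --prefix=/etc/nginx \
    --sbin-path=/usr/sbin/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/run/nginx.pid \
    --lock-path=/var/run/nginx.lock \
    --http-client-body-temp-path=/var/cache/nginx/client_temp \
    --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
    --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
    --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
    --user=nginx \
    --group=nginx \
    --with-http_ssl_module \
    --with-http_realip_module \
    --with-http_addition_module \
    --with-http_sub_module \
    --with-http_dav_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_secure_link_module \
    --with-http_stub_status_module \
    --with-http_auth_request_module \
    --with-file-aio \
    --with-http_v2_module \
    --with-ld-opt="-lrt" \
    --with-openssl="$STATICLIBSSL" \
    --with-pcre="$BPATH/$VERSION_PCRE" \
    --with-pcre-jit

  # presumably refreshes the header's mtime so nginx's make treats the
  # LibreSSL tree built above as up to date - TODO confirm
  touch "$STATICLIBSSL/.openssl/include/openssl/ssl.h"

  # Compile before touching /etc/nginx: a failed build must stop here, with
  # the live configuration still in place.
  make

  # Make the current live nginx config the back-up, immediately before the
  # install step, so the live directory is displaced for as short as possible.
  # NOTE(review): these moves run without sudo, unlike the apt-get and
  # checkinstall steps, so the script has to be started with enough privilege
  # to rename directories under /etc.
  if [ -d /etc/nginx ]; then
    mv /etc/nginx /etc/nginx-bk
    mkdir /etc/nginx
  fi

  # Record the install status instead of aborting, so the configuration is
  # restored below even when checkinstall fails.
  local install_rc=0
  sudo checkinstall --pkgname="nginx-libressl" --pkgversion="$NGINX_VERSION" \
    --provides="nginx" --requires="libc6, libpcre3, zlib1g" --strip=yes \
    --stripso=yes --backup=yes -y --install=yes || install_rc=$?

  if [ -d /etc/nginx-bk ]; then
    # remove the old default nginx config directories generated by previous runs of this script
    rm -rf /etc/nginx-default
    # rename the compiled default /etc/nginx directory so it's accessible as a reference to the new nginx defaults
    mv /etc/nginx /etc/nginx-default
    # now restore /etc/nginx-bk to /etc/nginx so the old configuration is kept
    mv /etc/nginx-bk /etc/nginx
  fi

  # Never signal the running nginx after a failed install.
  if [ "$install_rc" -ne 0 ]; then
    echo "checkinstall failed with status $install_rc; running nginx left untouched" >&2
    exit "$install_rc"
  fi

  echo "All done."
  echo "This build has not edited your existing /etc/nginx directory."
  echo "If things aren't working now you may need to refer to the"
  echo "configuration files the new nginx ships with as defaults,"
  echo "which are available at /etc/nginx-default"
  upgrade_binary
}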
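#######################################
# Download one file and verify it against a pinned SHA-256 before use.
# Arguments: $1 - URL of the file
#            $2 - directory to store it in (created if missing)
#            $3 - expected SHA-256 as 64 hex characters
# Outputs:   progress on stdout, failures on stderr
# Returns:   0 when the checksum matches; otherwise exits the script with a
#            non-zero status and removes the unverified file
#######################################
download() {
  local url=$1
  local target=$2
  local expected_checksum=$3
  local filename=${url##*/}
  local checksum

  echo "Downloading $url"
  mkdir -p -- "$target"
  # -O pins the output name, so the file that is hashed below is exactly the
  # one fetched now; with -P an existing file of the same name makes wget
  # save to "<name>.1" and the stale copy would be verified instead.
  if ! wget --quiet -O "$target/$filename" -- "$url"; then
    echo "Download of ${url} failed" >&2
    rm -f -- "$target/$filename"
    exit 1
  fi

  # Declared separately above so a sha256sum failure is not masked by 'local'.
  checksum=$(sha256sum --binary -- "$target/$filename" | cut --bytes=1-64)
  if [ "${checksum}" != "${expected_checksum}" ]; then
    echo "Checksum for ${filename} did not match" >&2
    # Do not leave an unverified archive where a later step could unpack it.
    rm -f -- "$target/$filename"
    # A bare 'exit' would report the status of the echo above (0), i.e. success.
    exit 1
  fi
  echo "Checksum ok"
}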
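#######################################
# Hand a running nginx over to the freshly installed binary using signals.
# Sends USR2 to the running master, checks that both pid files are present
# afterwards, then sends WINCH and QUIT to the old master.
# Arguments: none
# Outputs:   progress on stdout, failures on stderr
# Returns:   0 when no nginx pid file exists or the hand-over completes;
#            exits the script with status 1 when a check fails
#######################################
upgrade_binary() {
  local -r pid_file=/run/nginx.pid
  local -r old_pid_file=/run/nginx.pid.oldbin
  local master_pid old_pid

  # No pid file: nothing is running from this pid path, so nothing to upgrade.
  if [ ! -f "$pid_file" ]; then
    return 0
  fi

  # Read the pid once and insist on digits only, so an empty or corrupted pid
  # file can never turn into a kill with no target or an unintended one.
  master_pid=$(<"$pid_file")
  if [[ ! $master_pid =~ ^[0-9]+$ ]]; then
    echo "Unexpected content in $pid_file" >&2
    exit 1
  fi

  echo "Sending USR2 to old binary"
  kill -USR2 "$master_pid"

  echo "Sleeping 3 seconds before pid-files checking"
  sleep 3

  # A bare 'exit' here would report the status of the preceding echo (0) and
  # make a failed upgrade look like success; exit 1 explicitly.
  if [ ! -f "$old_pid_file" ]; then
    echo "File with old pid not found" >&2
    exit 1
  fi
  if [ ! -f "$pid_file" ]; then
    echo "New binary failed to start" >&2
    exit 1
  fi

  old_pid=$(<"$old_pid_file")
  if [[ ! $old_pid =~ ^[0-9]+$ ]]; then
    echo "Unexpected content in $old_pid_file" >&2
    exit 1
  fi

  echo "Sleeping 3 seconds before WINCH"
  sleep 3
  kill -WINCH "$old_pid"

  echo "Sending QUIT to old binary"
  kill -QUIT "$old_pid"

  echo "Upgrade completed. New binary up and running."
}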
# Script entry point: run main with the caller's arguments passed through unchanged.
main "$@"
@Henrocker


commented Aug 11, 2016

Would it be possible for you to fork the following script that is linked to the BoringSSL crypto library? https://github.com/ajhaydock/BoringNginx/

@leonklingele

Owner Author

commented Aug 25, 2016

BoringSSL is no longer nginx-compatible.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

See https://trac.nginx.org/nginx/ticket/993

I have compiled nginx + BoringSSL before, but it's rather unstable. Can't recommend it.

@Henrocker


commented Dec 12, 2016

Hi,

my question is if you could implement the ngx_brotli_filter_module into this script here, please. Link here.

So nginx, after compiling, would be able to handle brotli compressed files on the fly (useful for Chrome and Firefox Browsers!)

Thank you!
