-
-
Save leonklingele/a669803060fa92817f64 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| set -eufo pipefail | |
| SUDO="" | |
| if [ "$EUID" -ne 0 ]; then | |
| SUDO="sudo" | |
| if ! [ -x "$(command -v $SUDO)" ]; then | |
| echo "Error: Running script as non-root and $SUDO is not installed. Exiting." >&2 | |
| exit 1 | |
| fi | |
| fi | |
| main() { | |
| # names of latest versions of each package | |
| local NGINX_VERSION=1.21.4 | |
| local VERSION_NGINX=nginx-$NGINX_VERSION | |
| local VERSION_LIBRESSL=libressl-3.4.1 | |
| local VERSION_PCRE=pcre-8.45 | |
| # URLs to the source directories | |
| local SOURCE_NGINX=https://nginx.org/download/ | |
| local SOURCE_LIBRESSL=https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ | |
| local SOURCE_PCRE=https://ftp.pcre.org/pub/pcre/ | |
| # set where LibreSSL and nginx will be built | |
| local BPATH=$(pwd)/build | |
| local STATICLIBSSL=$BPATH/$VERSION_LIBRESSL | |
| # clean out any files from previous runs of this script | |
| rm -rf build | |
| mkdir build | |
| # ensure that we have the required software to compile our own nginx | |
| $SUDO apt-get update \ | |
| && $SUDO apt-get -y install --no-install-recommends ca-certificates wget build-essential libgd-dev libgeoip-dev checkinstall libxslt1-dev make gcc zlib1g-dev | |
| # grab the source files | |
| echo "Download sources" | |
| download "$SOURCE_NGINX$VERSION_NGINX.tar.gz" ./build "d1f72f474e71bcaaf465dcc7e6f7b6a4705e4b1ed95c581af31df697551f3bfe" | |
| download "$SOURCE_LIBRESSL$VERSION_LIBRESSL.tar.gz" ./build "107ceae6ca800e81cb563584c16afa36d6c7138fade94a2b3e9da65456f7c61c" | |
| download "$SOURCE_PCRE$VERSION_PCRE.tar.gz" ./build "4e6ce03e0336e8b4a3d6c2b70b1c5e18590a5673a98186da90d4f33c23defc09" | |
| # expand the source files | |
| cd build | |
| tar xzf $VERSION_NGINX.tar.gz | |
| tar xzf $VERSION_LIBRESSL.tar.gz | |
| tar xzf $VERSION_PCRE.tar.gz | |
| cd ../ | |
| # build static LibreSSL | |
| echo "Configure & Build LibreSSL" | |
| cd $STATICLIBSSL | |
| ./config LDFLAGS=-lrt --prefix=${STATICLIBSSL}/.openssl/ \ | |
| && make install-strip | |
| # make the current live nginx the new back-up nginx | |
| if [ -d /etc/nginx ] | |
| then | |
| mv /etc/nginx /etc/nginx-bk | |
| mkdir /etc/nginx | |
| fi | |
| # build nginx, with various modules included/excluded | |
| echo "Configure & Build Nginx" | |
| cd $BPATH/$VERSION_NGINX | |
| ./configure \ | |
| --prefix=/etc/nginx \ | |
| --sbin-path=/usr/sbin/nginx \ | |
| --conf-path=/etc/nginx/nginx.conf \ | |
| --error-log-path=/var/log/nginx/error.log \ | |
| --http-log-path=/var/log/nginx/access.log \ | |
| --pid-path=/run/nginx.pid \ | |
| --lock-path=/var/run/nginx.lock \ | |
| --http-client-body-temp-path=/var/cache/nginx/client_temp \ | |
| --http-proxy-temp-path=/var/cache/nginx/proxy_temp \ | |
| --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \ | |
| --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \ | |
| --http-scgi-temp-path=/var/cache/nginx/scgi_temp \ | |
| --user=nginx \ | |
| --group=nginx \ | |
| --with-http_ssl_module \ | |
| --with-http_realip_module \ | |
| --with-http_addition_module \ | |
| --with-http_sub_module \ | |
| --with-http_dav_module \ | |
| --with-http_gunzip_module \ | |
| --with-http_gzip_static_module \ | |
| --with-http_secure_link_module \ | |
| --with-http_stub_status_module \ | |
| --with-http_auth_request_module \ | |
| --with-file-aio \ | |
| --with-http_v2_module \ | |
| --with-ld-opt="-lrt" \ | |
| --with-openssl=$STATICLIBSSL \ | |
| --with-pcre=$BPATH/$VERSION_PCRE \ | |
| --with-pcre-jit | |
| touch $STATICLIBSSL/.openssl/include/openssl/ssl.h | |
| make \ | |
| && $SUDO checkinstall --pkgname="nginx-libressl" --pkgversion="$NGINX_VERSION" \ | |
| --provides="nginx" --requires="libc6, libpcre3, zlib1g" --strip=yes \ | |
| --stripso=yes --backup=yes -y --install=yes | |
| if [ -d /etc/nginx-bk ] | |
| then | |
| # remove the old default nginx config directories generated by previous runs of this script | |
| rm -rf /etc/nginx-default | |
| # rename the compiled default /etc/nginx directory so it's accessible as a reference to the new nginx defaults | |
| mv /etc/nginx /etc/nginx-default | |
| # now restore /etc/nginx-bk to /etc/nginx so the old configuration is kept | |
| mv /etc/nginx-bk /etc/nginx | |
| fi | |
| echo "All done."; | |
| echo "This build has not edited your existing /etc/nginx directory."; | |
| echo "If things aren't working now you may need to refer to the"; | |
| echo "configuration files the new nginx ships with as defaults,"; | |
| echo "which are available at /etc/nginx-default"; | |
| $SUDO mkdir -p /var/log/nginx /var/cache/nginx | |
| $SUDO adduser --system --group --disabled-login --no-create-home --shell /bin/false nginx | |
| upgrade_binary | |
| } | |
| download() { | |
| local url=$1 | |
| local target=$2 | |
| local expected_checksum=$3 | |
| local filename=${url##*/} | |
| echo "Downloading $url" | |
| wget --quiet -P $target $url | |
| local checksum=$(<"$target/$filename" sha256sum --binary | cut --bytes=1-64) | |
| if [ "${checksum}" != "${expected_checksum}" ]; then | |
| echo "Checksum for ${filename} did not match" | |
| exit | |
| fi | |
| echo "Checksum ok" | |
| } | |
| upgrade_binary() { | |
| if [ ! -f /run/nginx.pid ] | |
| then | |
| return | |
| fi | |
| echo "Sending USR2 to old binary" | |
| kill -USR2 $(cat /run/nginx.pid) | |
| echo "Sleeping 3 seconds before pid-files checking" | |
| sleep 3 | |
| if [ ! -f /run/nginx.pid.oldbin ]; then | |
| echo "File with old pid not found" | |
| exit | |
| fi | |
| if [ ! -f /run/nginx.pid ]; then | |
| echo "New binary failed to start" | |
| exit | |
| fi | |
| echo "Sleeping 3 seconds before WINCH" | |
| sleep 3 | |
| kill -WINCH $(cat /run/nginx.pid.oldbin) | |
| echo "Sending QUIT to old binary" | |
| kill -QUIT $(cat /run/nginx.pid.oldbin) | |
| echo "Upgrade completed. New binary up and running." | |
| } | |
| main "$@" |
BoringSSL is no longer nginx-compatible.
Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
See https://trac.nginx.org/nginx/ticket/993
I have compiled nginx + BoringSSL before, but it's rather unstable. Can't recommend it.
Hi,
my question is if you could implement the ngx_brotli_filter_module into this script here, please. Link here.
So nginx, after compiling, would be able to handle brotli compressed files on the fly (useful for Chrome and Firefox Browsers!)
Thank you!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Would it be possible for you to fork the following script that is linked to the BoringSSL crypto library? https://github.com/ajhaydock/BoringNginx/