Last active
October 22, 2023 12:16
-
-
Save macedigital/9a26365c2f63f2aa0324 to your computer and use it in GitHub Desktop.
Buildscript for nginx with static libressl, zlib, and pcre. Inspired by https://gist.github.com/nlindblad/9709182, https://gist.github.com/rjeczalik/7057434 and https://gist.github.com/Belphemur/3c022598919e6a1788fc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env bash | |
# Names of latest versions of each package | |
export VERSION_PCRE=pcre-8.39 | |
export VERSION_ZLIB=zlib-1.2.8 | |
export VERSION_LIBRESSL=libressl-2.4.2 | |
export VERSION_NGINX=nginx-1.11.3 | |
# URLs to the source directories | |
export SOURCE_LIBRESSL=http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ | |
export SOURCE_PCRE=http://ftp.csx.cam.ac.uk/pub/software/programming/pcre/ | |
export SOURCE_NGINX=http://nginx.org/download/ | |
export SOURCE_ZLIB=http://zlib.net/ | |
# Path to local build | |
export BUILD_DIR=/tmp/nginx-static-libressl/build | |
# Path for libressl | |
export STATICLIBSSL="${BUILD_DIR}/${VERSION_LIBRESSL}" | |
function setup() { | |
# create and clean build directory | |
mkdir -p ${BUILD_DIR} | |
rm -Rf ${BUILD_DIR}/* | |
# install build environment tools | |
yum -y groupinstall "Development Tools" | |
} | |
function download_sources() { | |
# todo: verify checksum / integrity of downloads! | |
echo "Download sources" | |
pushd ${BUILD_DIR} | |
curl -sSLO "${SOURCE_ZLIB}${VERSION_ZLIB}.tar.gz" | |
curl -sSLO "${SOURCE_PCRE}${VERSION_PCRE}.tar.gz" | |
curl -sSLO "${SOURCE_LIBRESSL}${VERSION_LIBRESSL}.tar.gz" | |
curl -sSLO "${SOURCE_NGINX}${VERSION_NGINX}.tar.gz" | |
popd | |
} | |
function extract_sources() { | |
echo "Extracting sources" | |
pushd ${BUILD_DIR} | |
tar -xf "${VERSION_PCRE}.tar.gz" | |
tar -xf "${VERSION_LIBRESSL}.tar.gz" | |
tar -xf "${VERSION_NGINX}.tar.gz" | |
tar -xf "${VERSION_ZLIB}.tar.gz" | |
popd | |
} | |
function compile_nginx() { | |
echo "Configure & Build nginx" | |
pushd "${BUILD_DIR}/${VERSION_NGINX}" | |
make clean | |
./configure \ | |
--prefix=/usr/share/nginx \ | |
--sbin-path=/usr/sbin/nginx \ | |
--conf-path=/etc/nginx/nginx.conf \ | |
--error-log-path=/var/log/nginx/error.log \ | |
--http-log-path=/var/log/nginx/access.log \ | |
--http-client-body-temp-path=/var/lib/nginx/tmp/client_body \ | |
--http-proxy-temp-path=/var/lib/nginx/tmp/proxy \ | |
--http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \ | |
--http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \ | |
--http-scgi-temp-path=/var/lib/nginx/tmp/scgi \ | |
--pid-path=/run/nginx.pid \ | |
--lock-path=/run/lock/subsys/nginx \ | |
--user=nginx \ | |
--group=nginx \ | |
--with-threads \ | |
--with-file-aio \ | |
--with-ipv6 \ | |
--with-http_ssl_module \ | |
--with-http_v2_module \ | |
--with-http_realip_module \ | |
--with-http_gunzip_module \ | |
--with-http_gzip_static_module \ | |
--with-http_slice_module \ | |
--with-http_stub_status_module \ | |
--without-select_module \ | |
--without-poll_module \ | |
--without-mail_pop3_module \ | |
--without-mail_imap_module \ | |
--without-mail_smtp_module \ | |
--with-stream \ | |
--with-stream_ssl_module \ | |
--with-pcre="${BUILD_DIR}/${VERSION_PCRE}" \ | |
--with-pcre-jit \ | |
--with-openssl="${STATICLIBSSL}" \ | |
--with-zlib="${BUILD_DIR}/${VERSION_ZLIB}" \ | |
--with-cc-opt="-fPIC -pie -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic" \ | |
--with-ld-opt="-Wl,-z,now -lrt" | |
make -j1 | |
popd | |
} | |
echo "Building ${VERSION_NGINX} with static ${VERSION_LIBRESSL}, ${VERSION_PCRE}, and ${VERSION_ZLIB} ..." | |
setup && download_sources && extract_sources && compile_nginx | |
retval=$? | |
echo "" | |
if [ $retval -eq 0 ]; then | |
echo "Your nginx binary is located at ${BUILD_DIR}/${VERSION_NGINX}/objs/nginx." | |
echo "Listing dynamically linked libraries ..." | |
ldd ${BUILD_DIR}/${VERSION_NGINX}/objs/nginx | |
echo "" | |
${BUILD_DIR}/${VERSION_NGINX}/objs/nginx -V | |
else | |
echo "Ooops, build failed. Check output!" | |
fi |
Since LibreSSL release 2.3.3. patching nginx sources is no longer necessary. See http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.3-relnotes.txt
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Note: Since nginx v1.9.12 compilation with LibreSSL without patching a makefile is broken, due to https://trac.nginx.org/nginx/changeset/6404/nginx/auto/lib/openssl/make#file0.