Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/usr/bin/env bash
# Names of latest versions of each package
export VERSION_PCRE=pcre-8.39
export VERSION_ZLIB=zlib-1.2.8
export VERSION_LIBRESSL=libressl-2.4.2
export VERSION_NGINX=nginx-1.11.3
# URLs to the source directories
export SOURCE_LIBRESSL=http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/
export SOURCE_PCRE=http://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
export SOURCE_NGINX=http://nginx.org/download/
export SOURCE_ZLIB=http://zlib.net/
# Path to local build
export BUILD_DIR=/tmp/nginx-static-libressl/build
# Path for libressl
export STATICLIBSSL="${BUILD_DIR}/${VERSION_LIBRESSL}"
function setup() {
# create and clean build directory
mkdir -p ${BUILD_DIR}
rm -Rf ${BUILD_DIR}/*
# install build environment tools
yum -y groupinstall "Development Tools"
}
function download_sources() {
# todo: verify checksum / integrity of downloads!
echo "Download sources"
pushd ${BUILD_DIR}
curl -sSLO "${SOURCE_ZLIB}${VERSION_ZLIB}.tar.gz"
curl -sSLO "${SOURCE_PCRE}${VERSION_PCRE}.tar.gz"
curl -sSLO "${SOURCE_LIBRESSL}${VERSION_LIBRESSL}.tar.gz"
curl -sSLO "${SOURCE_NGINX}${VERSION_NGINX}.tar.gz"
popd
}
function extract_sources() {
echo "Extracting sources"
pushd ${BUILD_DIR}
tar -xf "${VERSION_PCRE}.tar.gz"
tar -xf "${VERSION_LIBRESSL}.tar.gz"
tar -xf "${VERSION_NGINX}.tar.gz"
tar -xf "${VERSION_ZLIB}.tar.gz"
popd
}
function compile_nginx() {
echo "Configure & Build nginx"
pushd "${BUILD_DIR}/${VERSION_NGINX}"
make clean
./configure \
--prefix=/usr/share/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
--http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
--http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
--http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
--http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
--pid-path=/run/nginx.pid \
--lock-path=/run/lock/subsys/nginx \
--user=nginx \
--group=nginx \
--with-threads \
--with-file-aio \
--with-ipv6 \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_slice_module \
--with-http_stub_status_module \
--without-select_module \
--without-poll_module \
--without-mail_pop3_module \
--without-mail_imap_module \
--without-mail_smtp_module \
--with-stream \
--with-stream_ssl_module \
--with-pcre="${BUILD_DIR}/${VERSION_PCRE}" \
--with-pcre-jit \
--with-openssl="${STATICLIBSSL}" \
--with-zlib="${BUILD_DIR}/${VERSION_ZLIB}" \
--with-cc-opt="-fPIC -pie -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic" \
--with-ld-opt="-Wl,-z,now -lrt"
make -j1
popd
}
echo "Building ${VERSION_NGINX} with static ${VERSION_LIBRESSL}, ${VERSION_PCRE}, and ${VERSION_ZLIB} ..."
setup && download_sources && extract_sources && compile_nginx
retval=$?
echo ""
if [ $retval -eq 0 ]; then
echo "Your nginx binary is located at ${BUILD_DIR}/${VERSION_NGINX}/objs/nginx."
echo "Listing dynamically linked libraries ..."
ldd ${BUILD_DIR}/${VERSION_NGINX}/objs/nginx
echo ""
${BUILD_DIR}/${VERSION_NGINX}/objs/nginx -V
else
echo "Ooops, build failed. Check output!"
fi
@macedigital

This comment has been minimized.

Owner

macedigital commented Feb 25, 2016

Note: Since nginx v1.9.12 compilation with LibreSSL without patching a makefile is broken, due to https://trac.nginx.org/nginx/changeset/6404/nginx/auto/lib/openssl/make#file0.

@macedigital

This comment has been minimized.

Owner

macedigital commented Mar 30, 2016

Since LibreSSL release 2.3.3. patching nginx sources is no longer necessary. See http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.3-relnotes.txt

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment