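#!/usr/bin/env bash
# Build nginx (latest tarball listed on nginx.org) against a fresh, statically
# linked BoringSSL checkout, inside a private scratch directory under /tmp.
#
# Requirements: bash, curl, git, tar, cmake, make, gpg (unless
# SKIP_NGINX_SIG_CHECK=1) and the nginx release signing key already present in
# the gpg keyring — the script verifies the tarball signature, it never imports
# keys on its own.
#
# Optional env: JOBS (make parallelism, default 5).
#
# The build tree is deliberately left in place and its path printed at the end
# so that `make install` can be run from it once the result has been checked.
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

readonly jobs=${JOBS:-5}
# Optimisation flags shared by both builds. Kept free of sed-special characters
# (no ':', '&' or '\') because they are spliced into the sed replacements below.
readonly tune='-march=sandybridge -O2 -pipe -fdiagnostics-color=always'

# Private scratch directory instead of fixed /tmp/boringssl and /tmp/nginx-*,
# which another user on the host could pre-create.
work=$(mktemp -d /tmp/nginx-boringssl.XXXXXX) || die "mktemp failed"
cd "$work"

# Discover the newest tarball named on the download page (mainline is listed
# first). Collected into an array rather than piped through head so that an
# early reader exit cannot trip pipefail.
page=$(curl -fsSL https://nginx.org/en/download.html) || die "cannot fetch nginx download page"
mapfile -t candidates < <(grep -E -o 'nginx-[0-9.]+\.tar\.gz' <<<"$page")
(( ${#candidates[@]} > 0 )) || die "no nginx tarball name found on the download page"
latest_nginx=${candidates[0]}
nginx_dir=${latest_nginx%.tar.gz}

verify_sig=1
[[ "${SKIP_NGINX_SIG_CHECK:-0}" == 1 ]] && verify_sig=0

# Fetch both sources in parallel; each job's status is checked explicitly
# because a failing background job does not abort the script under set -e.
git clone --depth=1 https://boringssl.googlesource.com/boringssl & clone_pid=$!
(
  curl -fLRO "https://nginx.org/download/${latest_nginx}"
  if (( verify_sig )); then
    curl -fLRO "https://nginx.org/download/${latest_nginx}.asc"
  fi
) & fetch_pid=$!
wait "$clone_pid" || die "BoringSSL clone failed"
wait "$fetch_pid" || die "nginx download failed"

# Detached-signature check before anything is unpacked.
if (( verify_sig )); then
  gpg --verify "${latest_nginx}.asc" "$latest_nginx" \
    || die "signature check failed for ${latest_nginx} (is the nginx signing key in your keyring?)"
fi
tar -xaf "$latest_nginx"

cd boringssl
# Swap the debug flags for tuning flags and drop the test/tool targets.
# sed silently does nothing when a pattern is absent, so warn if upstream's
# CMakeLists.txt no longer carries the strings this was written against.
grep -q -- '-ggdb -std=c89' CMakeLists.txt \
  || printf 'warning: BoringSSL CMakeLists.txt layout changed; tuning flags may not apply\n' >&2
sed -i \
  -e "s:-ggdb -std=c89:-std=c89 ${tune}:" \
  -e "s:-ggdb -std=c++0x:-std=c++0x ${tune}:" \
  -e '/^add_subdirectory(ssl\/test)/d' \
  -e '/^add_subdirectory(tool)/d' \
  CMakeLists.txt
# compile
mkdir build
( cd build && cmake .. && make -j"$jobs" )
# OpenSSL-like include/lib layout which nginx's configure understands
mkdir -p .compat/lib
ln -s ../include .compat/include
cp -a build/crypto/libcrypto.a build/ssl/libssl.a .compat/lib/
cd ..

cd "$nginx_dir"
# NOTE: --with-http_spdy_module was removed from nginx in later releases in
# favour of --with-http_v2_module; adjust if configure rejects it.
CFLAGS="$tune" \
./configure \
  --with-http_ssl_module --with-http_spdy_module \
  --with-cc-opt="-I ../boringssl/.compat/include -I/usr/include" \
  --with-ld-opt="-L ../boringssl/.compat/lib -L/usr/lib" \
  --with-cpu-opt=amd64 \
  --user=nginx --group=nginx
make -j"$jobs"

# The point of the exercise is a static BoringSSL: fail if the binary picked up
# the system libssl/libcrypto instead. (ldd output captured first so the grep
# cannot interfere with pipefail.)
link_info=$(ldd objs/nginx)
if grep -Eq 'libssl|libcrypto' <<<"$link_info"; then
  die "objs/nginx is dynamically linked against a system libssl/libcrypto"
fi
printf '%s\n' "$link_info"
printf 'build tree: %s — run "make install" from %s when satisfied\n' "$work" "${work}/${nginx_dir}"
# make install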
# Excerpt!
# Ask your security engineer for suitable settings.
# If you were using OpenSSL before, this may have been your old cipher list; it is still good:
# set $ssl_ciphers_old ECDH+HIGH:DH+HIGH:-AES256:ECDH+HIGH:DH+HIGH:-3DES:-CAMELLIA:!aNULL:!eNULL:!PSK:!kECDH;
# BoringSSL knows "equal-preference cipher groups", of which we move two to the front:
# NOTE(review): $ssl_ciphers_old stands for the list quoted in the comment above —
# as far as I know ssl_ciphers takes a literal string and does not expand nginx
# variables, so paste the actual list here; confirm against your nginx version.
ssl_ciphers [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]:[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:$ssl_ciphers_old;
# Server order wins, so the two equal-preference groups above are offered first.
ssl_prefer_server_ciphers on;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 alone is the usual floor
# today unless legacy clients still have to be served.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# 3072-bit group for the DH+HIGH suites in the list; the file must be generated
# separately, this is only the path.
ssl_dhparam /etc/ssl/dhparam-3072;
ssl_buffer_size 1300; # 1360 is even better; Google uses 1300 though
# Resumption trade-off: cached sessions skip the full handshake, but a 26h
# lifetime keeps session state (and the secrets in it) in shared memory that long.
ssl_session_cache shared:SSL:64m;
ssl_session_timeout 26h;
# HSTS for ten years including subdomains; the token is case-insensitive per
# RFC 6797 but is conventionally spelled includeSubDomains.
add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";