Build nginx statically against modern OpenSSL/LibreSSL
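#!/usr/bin/env bash
#
# Build nginx from source, statically linked against LibreSSL, package it with
# checkinstall and install a systemd unit for it.
#
# Usage: run from a scratch directory; the script creates and removes ./build
# and needs sudo for apt-get, checkinstall and the systemd/nginx paths.
#
# Optional env vars: SHA-256 of each tarball, checked after download when set.
#   EXPECTED_SHA256_NGINX  EXPECTED_SHA256_LIBRESSL
#   EXPECTED_SHA256_PCRE   EXPECTED_SHA256_ZLIB
# When unset the download is protected by TLS only and a warning is printed.
#
# NOTE: the releases pinned below are years old; bump them (and any checksums)
# before building a server that will face the network.
set -euo pipefail

# names of the pinned release of each package
export NGINX_VERSION=1.13.5
export VERSION_ZLIB=zlib-1.2.11
export VERSION_PCRE=pcre-8.41
export VERSION_LIBRESSL=libressl-2.6.1
export VERSION_NGINX=nginx-$NGINX_VERSION
# URLs to the source directories
export SOURCE_LIBRESSL=https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/
export SOURCE_PCRE=https://ftp.pcre.org/pub/pcre/
export SOURCE_NGINX=https://nginx.org/download/
export SOURCE_ZLIB=https://zlib.net/

# scratch directory; absolute so the later 'cd's cannot change its meaning
readonly BUILD_DIR="$PWD/build"

# Print a message to stderr and abort.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Check a downloaded tarball against the SHA-256 named by an env var.
# Arguments: $1 - path to the archive
#            $2 - name of the env var holding the expected hex digest
# Returns:   0 when the digest matches, or when no digest was supplied
#            (a warning is printed); exits via die on a mismatch
#######################################
verify_download() {
  local archive=$1 var=$2
  local expected=${!var-}
  if [[ -z "$expected" ]]; then
    printf 'warn: %s not set; %s was not integrity-checked\n' \
      "$var" "${archive##*/}" >&2
    return 0
  fi
  printf '%s  %s\n' "$expected" "$archive" | sha256sum -c --quiet - \
    || die "SHA-256 mismatch for ${archive##*/}"
}

#######################################
# Download one release tarball into BUILD_DIR and verify it.
# Arguments: $1 - base URL of the download directory
#            $2 - package name, e.g. nginx-1.13.5
#            $3 - suffix of the EXPECTED_SHA256_* variable to check against
#######################################
fetch() {
  local base=$1 pkg=$2 tag=$3
  # --https-only refuses a redirect that would downgrade to plain http
  wget --https-only -P "$BUILD_DIR" -- "${base}${pkg}.tar.gz"
  verify_download "$BUILD_DIR/${pkg}.tar.gz" "EXPECTED_SHA256_${tag}"
}

#######################################
# Write the systemd unit for the freshly installed nginx.
# Outputs:   /etc/systemd/system/nginx.service (mode 644, via sudo)
#######################################
install_unit() {
  # quoted delimiter: the unit text is literal, nothing is expanded
  sudo tee /etc/systemd/system/nginx.service >/dev/null <<'EOF'
[Unit]
Description=A high performance web server and a reverse proxy server
After=network.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed
[Install]
WantedBy=multi-user.target
EOF
  sudo chmod 644 /etc/systemd/system/nginx.service
}

main() {
  # clean out any files from previous runs; ':?' refuses an empty path so a
  # broken expansion can never turn this into 'rm -rf /'
  sudo rm -rf -- "${BUILD_DIR:?}"
  mkdir -- "$BUILD_DIR"

  # number of parallel make jobs
  local nb_proc
  nb_proc=$(nproc 2>/dev/null || grep -c '^processor' /proc/cpuinfo)

  # ensure that we have the required software to compile our own nginx
  sudo apt-get -y install curl wget build-essential libgd-dev libgeoip-dev checkinstall git

  printf '%s\n' "Download sources"
  fetch "$SOURCE_PCRE" "$VERSION_PCRE" PCRE
  fetch "$SOURCE_LIBRESSL" "$VERSION_LIBRESSL" LIBRESSL
  fetch "$SOURCE_NGINX" "$VERSION_NGINX" NGINX
  fetch "$SOURCE_ZLIB" "$VERSION_ZLIB" ZLIB

  printf '%s\n' "Extract Packages"
  cd -- "$BUILD_DIR"
  local pkg
  for pkg in "$VERSION_NGINX" "$VERSION_LIBRESSL" "$VERSION_PCRE" "$VERSION_ZLIB"; do
    tar xzf "${pkg}.tar.gz"
  done
  rm -f -- ./*.tar.gz

  # build nginx, with various modules included/excluded
  printf '%s\n' "Configure & Build Nginx"
  cd -- "./$VERSION_NGINX"
  # --with-openssl points at the LibreSSL tree, so the TLS library is built
  # into the binary rather than taken from the system; --with-debug compiles
  # in debug-logging support
  ./configure --prefix=/usr/share/nginx \
    --sbin-path=/usr/sbin/nginx \
    --modules-path=/usr/lib/nginx/modules \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/run/nginx.pid \
    --lock-path=/var/lock/nginx.lock \
    --user=www-data \
    --group=www-data \
    --build=Ubuntu \
    --http-client-body-temp-path=/var/lib/nginx/body \
    --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
    --http-proxy-temp-path=/var/lib/nginx/proxy \
    --http-scgi-temp-path=/var/lib/nginx/scgi \
    --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
    --with-openssl="../$VERSION_LIBRESSL" \
    --with-pcre="../$VERSION_PCRE" \
    --with-pcre-jit \
    --with-zlib="../$VERSION_ZLIB" \
    --with-compat \
    --with-file-aio \
    --with-threads \
    --with-http_addition_module \
    --with-http_auth_request_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_mp4_module \
    --with-http_random_index_module \
    --with-http_realip_module \
    --with-http_slice_module \
    --with-http_ssl_module \
    --with-http_sub_module \
    --with-http_stub_status_module \
    --with-http_v2_module \
    --with-http_secure_link_module \
    --with-mail \
    --with-mail_ssl_module \
    --with-stream \
    --with-stream_realip_module \
    --with-stream_ssl_module \
    --with-stream_ssl_preread_module \
    --with-debug \
    --with-cc-opt='-g -O2 -fPIC -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' \
    --with-ld-opt='-Wl,-Bsymbolic-functions -fPIC -Wl,-z,relro -Wl,-z,now'

  # make and checkinstall are separate commands: inside 'make && checkinstall'
  # a failing make would not trip 'set -e', and the script would go on to
  # enable a service whose binary was never installed
  make -j "$nb_proc"
  sudo checkinstall --pkgname="nginx-libressl" --pkgversion="$NGINX_VERSION" \
    --provides="nginx" --requires="libc6" --strip=yes \
    --stripso=yes --backup=yes -y --install=yes

  printf '%s\n' "All done."
  printf '%s\n' "This build has not edited your existing /etc/nginx directory."
  printf '%s\n' "If things aren't working now you may need to refer to the"
  printf '%s\n' "configuration files the new nginx ships with as defaults,"
  printf '%s\n' "which are available at /etc/nginx-default"

  install_unit
  sudo rm -f /etc/nginx/*.default
  sudo mkdir -p /var/lib/nginx/body
  sudo mkdir -p /etc/nginx/conf.d
  sudo chown -Rh www-data:www-data /var/lib/nginx/body
  # NOTE(review): kept from the original, but the master process reads the
  # config as root, so conf.d does not need to be owned by the worker user;
  # root:root keeps a compromised worker from rewriting its own config
  sudo chown -Rh www-data:www-data /etc/nginx/conf.d
  sudo systemctl daemon-reload
  sudo systemctl enable nginx.service
  sudo systemctl start nginx.service
  sudo systemctl status nginx.service
}

main "$@"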
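#!/usr/bin/env bash
#
# Build nginx from source, statically linked against OpenSSL, package it with
# checkinstall and install a systemd unit for it.
#
# Usage: run from a scratch directory; the script creates and removes ./build
# and needs sudo for apt-get, checkinstall and the systemd/nginx paths.
#
# Optional env vars: SHA-256 of each tarball, checked after download when set.
#   EXPECTED_SHA256_NGINX  EXPECTED_SHA256_OPENSSL
#   EXPECTED_SHA256_PCRE   EXPECTED_SHA256_ZLIB
# When unset the download is protected by TLS only and a warning is printed.
#
# NOTE: the releases pinned below are years old; bump them (and any checksums)
# before building a server that will face the network.
set -euo pipefail

# names of the pinned release of each package
export NGINX_VERSION=1.13.5
export VERSION_ZLIB=zlib-1.2.11
export VERSION_PCRE=pcre-8.41
export VERSION_OPENSSL=openssl-1.1.0f
export VERSION_NGINX=nginx-$NGINX_VERSION
# URLs to the source directories
export SOURCE_OPENSSL=https://www.openssl.org/source/
export SOURCE_PCRE=https://ftp.pcre.org/pub/pcre/
export SOURCE_NGINX=https://nginx.org/download/
export SOURCE_ZLIB=https://zlib.net/

# scratch directory; absolute so the later 'cd's cannot change its meaning
readonly BUILD_DIR="$PWD/build"

# Print a message to stderr and abort.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Check a downloaded tarball against the SHA-256 named by an env var.
# Arguments: $1 - path to the archive
#            $2 - name of the env var holding the expected hex digest
# Returns:   0 when the digest matches, or when no digest was supplied
#            (a warning is printed); exits via die on a mismatch
#######################################
verify_download() {
  local archive=$1 var=$2
  local expected=${!var-}
  if [[ -z "$expected" ]]; then
    printf 'warn: %s not set; %s was not integrity-checked\n' \
      "$var" "${archive##*/}" >&2
    return 0
  fi
  printf '%s  %s\n' "$expected" "$archive" | sha256sum -c --quiet - \
    || die "SHA-256 mismatch for ${archive##*/}"
}

#######################################
# Download one release tarball into BUILD_DIR and verify it.
# Arguments: $1 - base URL of the download directory
#            $2 - package name, e.g. nginx-1.13.5
#            $3 - suffix of the EXPECTED_SHA256_* variable to check against
#######################################
fetch() {
  local base=$1 pkg=$2 tag=$3
  # --https-only refuses a redirect that would downgrade to plain http
  wget --https-only -P "$BUILD_DIR" -- "${base}${pkg}.tar.gz"
  verify_download "$BUILD_DIR/${pkg}.tar.gz" "EXPECTED_SHA256_${tag}"
}

#######################################
# Write the systemd unit for the freshly installed nginx.
# Outputs:   /etc/systemd/system/nginx.service (mode 644, via sudo)
#######################################
install_unit() {
  # quoted delimiter: the unit text is literal, nothing is expanded
  sudo tee /etc/systemd/system/nginx.service >/dev/null <<'EOF'
[Unit]
Description=A high performance web server and a reverse proxy server
After=network.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed
[Install]
WantedBy=multi-user.target
EOF
  sudo chmod 644 /etc/systemd/system/nginx.service
}

main() {
  # clean out any files from previous runs; ':?' refuses an empty path so a
  # broken expansion can never turn this into 'rm -rf /'
  sudo rm -rf -- "${BUILD_DIR:?}"
  mkdir -- "$BUILD_DIR"

  # number of parallel make jobs
  local nb_proc
  nb_proc=$(nproc 2>/dev/null || grep -c '^processor' /proc/cpuinfo)

  # ensure that we have the required software to compile our own nginx
  sudo apt-get -y install curl wget build-essential libgd-dev libgeoip-dev checkinstall git

  printf '%s\n' "Download sources"
  fetch "$SOURCE_PCRE" "$VERSION_PCRE" PCRE
  fetch "$SOURCE_OPENSSL" "$VERSION_OPENSSL" OPENSSL
  fetch "$SOURCE_NGINX" "$VERSION_NGINX" NGINX
  fetch "$SOURCE_ZLIB" "$VERSION_ZLIB" ZLIB

  printf '%s\n' "Extract Packages"
  cd -- "$BUILD_DIR"
  local pkg
  for pkg in "$VERSION_NGINX" "$VERSION_OPENSSL" "$VERSION_PCRE" "$VERSION_ZLIB"; do
    tar xzf "${pkg}.tar.gz"
  done
  rm -f -- ./*.tar.gz

  # build nginx, with various modules included/excluded
  printf '%s\n' "Configure & Build Nginx"
  cd -- "./$VERSION_NGINX"
  # --with-openssl points at the OpenSSL tree, so the TLS library is built
  # into the binary rather than taken from the system. configure keeps a
  # single --with-openssl-opt value (the last one given wins), so all OpenSSL
  # build options go in one space-separated string; passing them as four
  # separate flags silently dropped all but no-ssl3. --with-debug compiles in
  # debug-logging support.
  ./configure --prefix=/usr/share/nginx \
    --sbin-path=/usr/sbin/nginx \
    --modules-path=/usr/lib/nginx/modules \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/run/nginx.pid \
    --lock-path=/var/lock/nginx.lock \
    --user=www-data \
    --group=www-data \
    --build=Ubuntu \
    --http-client-body-temp-path=/var/lib/nginx/body \
    --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
    --http-proxy-temp-path=/var/lib/nginx/proxy \
    --http-scgi-temp-path=/var/lib/nginx/scgi \
    --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
    --with-openssl="../$VERSION_OPENSSL" \
    --with-openssl-opt='enable-ec_nistp_64_gcc_128 no-nextprotoneg no-weak-ssl-ciphers no-ssl3' \
    --with-pcre="../$VERSION_PCRE" \
    --with-pcre-jit \
    --with-zlib="../$VERSION_ZLIB" \
    --with-compat \
    --with-file-aio \
    --with-threads \
    --with-http_addition_module \
    --with-http_auth_request_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_mp4_module \
    --with-http_random_index_module \
    --with-http_realip_module \
    --with-http_slice_module \
    --with-http_ssl_module \
    --with-http_sub_module \
    --with-http_stub_status_module \
    --with-http_v2_module \
    --with-http_secure_link_module \
    --with-mail \
    --with-mail_ssl_module \
    --with-stream \
    --with-stream_realip_module \
    --with-stream_ssl_module \
    --with-stream_ssl_preread_module \
    --with-debug \
    --with-cc-opt='-g -O2 -fPIC -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' \
    --with-ld-opt='-Wl,-Bsymbolic-functions -fPIC -Wl,-z,relro -Wl,-z,now'

  # make and checkinstall are separate commands: inside 'make && checkinstall'
  # a failing make would not trip 'set -e', and the script would go on to
  # enable a service whose binary was never installed
  make -j "$nb_proc"
  sudo checkinstall --pkgname="nginx-openssl" --pkgversion="$NGINX_VERSION" \
    --provides="nginx" --requires="libc6" --strip=yes \
    --stripso=yes --backup=yes -y --install=yes

  printf '%s\n' "All done."
  printf '%s\n' "This build has not edited your existing /etc/nginx directory."
  printf '%s\n' "If things aren't working now you may need to refer to the"
  printf '%s\n' "configuration files the new nginx ships with as defaults,"
  printf '%s\n' "which are available at /etc/nginx-default"

  install_unit
  sudo rm -f /etc/nginx/*.default
  sudo mkdir -p /var/lib/nginx/body
  sudo mkdir -p /etc/nginx/conf.d
  sudo chown -Rh www-data:www-data /var/lib/nginx/body
  # NOTE(review): kept from the original, but the master process reads the
  # config as root, so conf.d does not need to be owned by the worker user;
  # root:root keeps a compromised worker from rewriting its own config
  sudo chown -Rh www-data:www-data /etc/nginx/conf.d
  sudo systemctl daemon-reload
  sudo systemctl enable nginx.service
  sudo systemctl start nginx.service
  sudo systemctl status nginx.service
}

main "$@"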

Xavantex commented Nov 26, 2023

Great code sharing, love it!

By the way, I have been looking all over for something that explains how to make nginx link statically against OpenSSL/LibreSSL — could you tell me which part of the script does that? Is it simply specifying the source path? If no path is given to --with-openssl, is the result not static?
