# Install dependencies
#
# * checkinstall: package the .deb
# * libpcre3, libpcre3-dev: required for HTTP rewrite module
# * zlib1g zlib1g-dbg zlib1g-dev: required for HTTP gzip module
apt-get install checkinstall libpcre3 libpcre3-dev zlib1g zlib1g-dbg zlib1g-dev && \
mkdir -p ~/sources/ && \
# Compile against OpenSSL to enable NPN
cd ~/sources && \
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz && \
tar -xzvf openssl-1.0.1g.tar.gz && \
# Download the Cache Purge module
cd ~/sources/ && \
git clone https://github.com/FRiCKLE/ngx_cache_purge.git && \
cd ~/sources && \
# Download PageSpeed
cd ~/sources && \
wget https://github.com/pagespeed/ngx_pagespeed/archive/v1.7.30.4-beta.zip && \
unzip v1.7.30.4-beta.zip && \
cd ngx_pagespeed-1.7.30.4-beta && \
wget https://dl.google.com/dl/page-speed/psol/1.7.30.4.tar.gz && \
tar -xzvf 1.7.30.4.tar.gz && \
# Get the Nginx source.
#
# Best to get the latest mainline release. Of course, your mileage may
# vary depending on future changes
cd ~/sources/ && \
wget http://nginx.org/download/nginx-1.5.12.tar.gz && \
tar zxf nginx-1.5.12.tar.gz && \
cd nginx-1.5.12 && \
# Configure nginx.
#
# This is based on the default package in Debian. Additional flags have
# been added:
#
# * --with-debug: adds helpful logs for debugging
# * --with-openssl=$HOME/sources/openssl-1.0.1g: compile against newer version
# of openssl
# * --with-http_spdy_module: include the SPDY module
./configure --prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--user=www-data \
--group=www-data \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-file-aio \
--with-http_spdy_module \
--with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' \
--with-ld-opt='-Wl,-z,relro -Wl,--as-needed' \
--with-ipv6 \
--with-debug \
--with-openssl=$HOME/sources/openssl-1.0.1g \
--add-module=$HOME/sources/ngx_pagespeed-1.7.30.4-beta \
--add-module=$HOME/sources/ngx_cache_purge && \
# Make the package.
make && \
# Create a .deb package.
#
# Instead of running `make install`, create a .deb and install from there. This
# allows you to easily uninstall the package if there are issues.
checkinstall --install=no -y && \
# Install the package.
dpkg -i nginx_1.5.12-1_amd64.deb
@DaveCLowe

commented Apr 8, 2014

Awesome stuff, thanks!

@MarkGavalda

commented Apr 8, 2014

Thanks for sharing this, Zack!

@kjprince

commented Apr 11, 2014

This is pretty awesome but I couldn't make it work.

Though I see the parameters defined in the script, many of them didn't produce the outcome I was expecting.

For instance:

--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \

I had no error logs, and can't find a pid file anywhere on my system.

--user=www-data \
--group=www-data \

My default nginx.conf file shows 'no-user' as the user.

A few other things were strange. Anyone else have this problem?

@tollmanz

Owner Author

commented Apr 12, 2014

@kjprince - One of the issues I did face with this was making sure that you create the initial error logs and set appropriate permissions. nginx -t will usually reveal any issues after compiling. I seem to remember that there was a cache directory that needed to be set as well. Be sure that the error/access logs are readable/writable by the user (in this case www-data).

I really do not know why no-user is the user. That's interesting.

It's definitely better if you can use a precompiled script because you do not run into these issues; however, to get fancy features like SPDY, PageSpeed, and Heartbleedlessness, sometimes you need to dip your toes into compiling.
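
The preparation described in the reply above, written out for the paths in the gist's `./configure` line. This is an added example, not code from the gist author or any commenter; the function names and the `root` staging argument are assumptions made here.

```shell
#!/bin/sh
# Added example. Creates the runtime paths named by the gist's configure flags.
# $1: hypothetical staging prefix (empty = live filesystem), so the function
#     can be rehearsed in a scratch directory before touching /var.
# $2: account nginx workers run as (--user/--group in the gist).
prepare_nginx_paths() {
    root="${1:-}"
    run_user="${2:-www-data}"
    log_dir="$root/var/log/nginx"
    cache_dir="$root/var/cache/nginx"

    # nginx creates client_temp, proxy_temp, ... itself, but not their parent.
    mkdir -p "$log_dir" "$cache_dir" || return 1

    # Pre-create the files named by --error-log-path and --http-log-path.
    for f in error.log access.log; do
        [ -e "$log_dir/$f" ] || : > "$log_dir/$f" || return 1
    done

    # Least privilege: no world access to logs or to cached request bodies.
    chmod 750 "$log_dir" && chmod 640 "$log_dir"/*.log &&
        chmod 700 "$cache_dir" || return 1

    # Ownership can only be changed by root, and only if the account exists.
    if [ "$(id -u)" -eq 0 ] && id "$run_user" >/dev/null 2>&1; then
        chown -R "$run_user:$run_user" "$log_dir" "$cache_dir" || return 1
    fi
}

# Configuration test mentioned in the reply; only meaningful once nginx is installed.
check_nginx_config() {
    command -v nginx >/dev/null 2>&1 || { echo "nginx not installed" >&2; return 2; }
    nginx -t
}

# Live use, as root, after `dpkg -i`:
#   prepare_nginx_paths "" && check_nginx_config
```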

@monasor28

commented Jun 13, 2014

Don't forget libssl-dev

@chriswallace

commented Jul 23, 2014

@tollmanz Have you updated this script to include the fix for the CCS Injection vulnerability? http://www.liquidweb.com/kb/update-and-patch-openssl-on-ubuntu-for-the-ccs-injection-vulnerability/
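
Because `--with-openssl=` compiles OpenSSL into the nginx binary, updating the system OpenSSL package does not change the copy nginx uses; the build has to be redone against a fixed source tree. The check below is an added example (not from the gist or any commenter) that reads the bundled release out of `nginx -V`; the function names and the sample text are constructed here, and the minimum release is supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the gist. Constructed sample of `nginx -V` output
# for a build made with the gist's flags (abbreviated).
SAMPLE_NGINX_V='nginx version: nginx/1.5.12
configure arguments: --prefix=/etc/nginx --with-debug --with-openssl=/root/sources/openssl-1.0.1g --add-module=/root/sources/ngx_cache_purge'

# Print the OpenSSL release named in --with-openssl=. Assumes the source
# directory keeps its tarball name (openssl-<version>), as in the gist.
bundled_openssl_version() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        sed -n 's|^--with-openssl=.*openssl-\([0-9][0-9a-z.]*\)/*$|\1|p' | head -n 1
}

# Succeed when release $1 is the same as or newer than $2 (form: 1.0.1g).
version_at_least() {
    awk -v have="$1" -v need="$2" 'BEGIN {
        split(have, h, "."); split(need, n, ".")
        for (i = 1; i <= 3; i++) {
            hn = h[i] + 0; nn = n[i] + 0          # "1g" + 0 evaluates to 1
            if (hn != nn) exit !(hn > nn)
        }
        hs = h[3]; ns = n[3]
        gsub(/[0-9]/, "", hs); gsub(/[0-9]/, "", ns)   # keep the letter suffix
        exit !((hs "") >= (ns ""))
    }'
}

# $1: text of `nginx -V`, $2: first release carrying the fix you need.
check_bundled_openssl() {
    have=$(bundled_openssl_version "$1")
    if [ -z "$have" ]; then
        echo "no --with-openssl= flag: nginx links the system libssl" >&2
        return 2
    fi
    if version_at_least "$have" "$2"; then
        echo "ok: bundled OpenSSL $have is at least $2"
    else
        echo "rebuild needed: bundled OpenSSL $have is older than $2" >&2
        return 1
    fi
}

# Live use (nginx -V writes to stderr):
#   check_bundled_openssl "$(nginx -V 2>&1)" <fixed-release>
```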

@TangRufus

commented Dec 13, 2014

Is it possible to upgrade it after it is installed?
Do I need to recompile everything and dpkg -i again?
Plus, do I need to uninstall the old version first?

@vastbinderj

commented Jul 27, 2015

Tang,

You cannot upgrade it. You do need to compile everything again and re-install with dpkg if you want to update it. Yes, you would want to uninstall the older version before installing.

@collinbarrett

commented Sep 1, 2015

I am trying to do a very similar process on Ubuntu, but continue to get a weird error when compiling in OpenSSL. I am having a very hard time finding much info regarding a solution on the interwebs. Does anyone here have any ideas? Thanks.

collinbarrett/wp-vps-build-guide#2

@frankyw

commented Oct 20, 2015

Yes Collin... apt-get install libssl-dev

@CrazyHackGUT

commented May 14, 2016

Awesome! Thanks!

@JoeUX

commented May 29, 2016

Does it help to leverage modern CPU instructions? I've never used gcc before and was looking at this: https://gcc.gnu.org/onlinedocs/gcc/x86-Options.html#x86-Options

When compiling with gcc, I thought it was normal to specify a SIMD architecture baseline, like SSE 4.2 or AVX if you know you'll be running on Sandy Bridge and up for example. That would leverage a bunch of vector instructions as well as the AES crypto instructions. Does this make a difference for nginx? It seems like it would for TLS performance, but I never see anyone include any modern CPU flags on the "with-cc-opt" line. Has anyone tried the SIMD options?
