@tollmanz
Last active May 3, 2024 12:06
# Install dependencies
#
# * checkinstall: package the .deb
# * libpcre3, libpcre3-dev: required for HTTP rewrite module
# * zlib1g zlib1g-dbg zlib1g-dev: required for HTTP gzip module
# * git, unzip, wget: used below to fetch the module and source archives
apt-get install checkinstall libpcre3 libpcre3-dev zlib1g zlib1g-dbg zlib1g-dev git unzip wget && \
mkdir -p ~/sources/ && \
# Compile against OpenSSL to enable NPN
cd ~/sources && \
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz && \
tar -xzvf openssl-1.0.1g.tar.gz && \
# Download the Cache Purge module
cd ~/sources && \
git clone https://github.com/FRiCKLE/ngx_cache_purge.git && \
# Download PageSpeed
cd ~/sources && \
wget https://github.com/pagespeed/ngx_pagespeed/archive/v1.7.30.4-beta.zip && \
unzip v1.7.30.4-beta.zip && \
cd ngx_pagespeed-1.7.30.4-beta && \
wget https://dl.google.com/dl/page-speed/psol/1.7.30.4.tar.gz && \
tar -xzvf 1.7.30.4.tar.gz && \
# Get the Nginx source.
#
# Best to get the latest mainline release. Of course, your mileage may
# vary depending on future changes
cd ~/sources/ && \
wget http://nginx.org/download/nginx-1.5.12.tar.gz && \
tar zxf nginx-1.5.12.tar.gz && \
cd nginx-1.5.12 && \
# Configure nginx.
#
# This is based on the default package in Debian. Additional flags have
# been added:
#
# * --with-debug: adds helpful logs for debugging
# * --with-openssl=$HOME/sources/openssl-1.0.1g: compile against the newer
# version of OpenSSL unpacked above (the version here must match the tarball)
# * --with-http_spdy_module: include the SPDY module
./configure --prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--user=www-data \
--group=www-data \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-file-aio \
--with-http_spdy_module \
--with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' \
--with-ld-opt='-Wl,-z,relro -Wl,--as-needed' \
--with-ipv6 \
--with-debug \
--with-openssl=$HOME/sources/openssl-1.0.1g \
--add-module=$HOME/sources/ngx_pagespeed-1.7.30.4-beta \
--add-module=$HOME/sources/ngx_cache_purge && \
# Build nginx.
make && \
# Create a .deb package.
#
# Instead of running `make install`, create a .deb and install from there. This
# allows you to easily uninstall the package if there are issues.
checkinstall --install=no -y && \
# Install the package.
dpkg -i nginx_1.5.12-1_amd64.deb
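Because a build like this statically links whatever OpenSSL tarball was unpacked, the installed binary does not pick up distribution OpenSSL updates; the following added check (not part of the gist) reads `nginx -V` and tells you whether the linked OpenSSL meets a required patch level, for example 1.0.1g (Heartbleed fix) or 1.0.1h (CCS Injection fix). It assumes `nginx -V` prints a "built with OpenSSL" line, and falls back to the `--with-openssl=` configure argument for builds that do not; the sample output is constructed.

```shell
#!/bin/sh
# Added example, not the gist author's code: find the OpenSSL version an nginx
# binary was built against and compare it with a required minimum.

# Extract the OpenSSL version from `nginx -V` text on stdin. Prefers the
# "built with OpenSSL <ver> <date>" line; otherwise uses --with-openssl=<dir>.
openssl_version_from_nginx_v() {
    awk '
        /^built with OpenSSL / { print $4; found = 1; exit }
        match($0, /--with-openssl=[^ ]*openssl-[0-9][0-9a-z.]*/) {
            s = substr($0, RSTART, RLENGTH); sub(/.*openssl-/, "", s); fallback = s
        }
        END { if (!found && fallback != "") print fallback }
    '
}

# Print 1 if OpenSSL version $1 >= $2, else 0. Numeric components are compared
# first, then the letter suffix, so 1.0.1 < 1.0.1g < 1.0.1h < 1.0.2.
openssl_version_ge() {
    awk -v a="$1" -v b="$2" '
        function key(v,  n, p, i, k, num, suf) {
            n = split(v, p, ".")
            for (i = 1; i <= n; i++) {
                num = p[i]; suf = ""
                if (match(num, /[a-z]+$/)) { suf = substr(num, RSTART); num = substr(num, 1, RSTART - 1) }
                k = k sprintf("%05d%-3s", num, suf)   # fixed-width key keeps string order correct
            }
            return k
        }
        BEGIN { r = (key(a) >= key(b)) ? 1 : 0; print r }
    '
}

# Exit 0 when the `nginx -V` text on stdin links OpenSSL >= $1, 1 when it is
# older, 2 when no version could be found at all.
nginx_openssl_at_least() {
    ver=$(openssl_version_from_nginx_v)
    [ -n "$ver" ] || return 2
    [ "$(openssl_version_ge "$ver" "$1")" = 1 ]
}

# Constructed sample of `nginx -V` output for a build made with this gist.
SAMPLE_NGINX_V='nginx version: nginx/1.5.12
built by gcc 4.7.2 (Debian 4.7.2-5)
built with OpenSSL 1.0.1g 7 Apr 2014
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-openssl=/root/sources/openssl-1.0.1g --with-http_spdy_module'

# Live usage (nginx -V writes to stderr): nginx -V 2>&1 | nginx_openssl_at_least 1.0.1h
```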
@DaveCLowe

Awesome stuff, thanks!

@MarkGavalda

Thanks for sharing this, Zack!

@kjprince

This is pretty awesome but I couldn't make it work.

Though I see the parameters defined in the script, many of them didn't produce the outcome I was expecting.

For instance:

--error-log-path=/var/log/nginx/error.log \ --http-log-path=/var/log/nginx/access.log \ --pid-path=/var/run/nginx.pid \
I had no errors logs, and can't find a pid file anywhere on my system.

--user=www-data \ --group=www-data \
My default nginx.conf file shows 'no-user' as the user.

A few other things were strange. Anyone else have this problem?

@tollmanz
Author

@kjprince - One of the issues I did face with this was making sure that you create the initial error logs and set appropriate permissions. nginx -t will usually reveal any issues after compiling. I seem to remember that there was a cache directory that needed to be set as well. Be sure that the error/access log are read/writeable by the user (in this case www-data).

I really do not know why no-user is the user. That's interesting.

It's definitely better if you can use a precompiled script because you do not run into these issues; however, to get fancy features like SPDY, PageSpeed, and Heartbleedlessness, sometimes you need to dip your toes into compiling.
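The directory setup described in the reply above, as an added example that is not the gist author's code: it reads the `configure arguments:` line of `nginx -V`, derives the log, pid, lock and cache directories the build expects, and creates them so `nginx -t` has nothing to complain about. The root prefix and owner are parameters (an empty root targets the live system; the owner is assumed to be the `--user`/`--group` value, www-data in the gist), and the sample output is constructed.

```shell
#!/bin/sh
# Added example, not part of the gist: create the directories an nginx build
# expects from its configure arguments, so the first `nginx -t` does not fail
# on a missing log, pid or cache path.

# Print the parent directory of every log, pid, lock and temp path named in
# the configure arguments of `nginx -V` text on stdin, one per line, unique.
nginx_dirs_from_configure_args() {
    sed -n 's/^configure arguments: //p' |
        tr ' ' '\n' |
        sed -E -n 's/^--(error-log|http-log|pid|lock|http-[a-z-]+-temp)-path=//p' |
        while IFS= read -r p; do dirname "$p"; done |
        sort -u
}

# Create each directory read from stdin under root $1 ("" for the live
# system, a scratch directory when testing). Log and cache directories are
# handed to owner $2, the configure --user; chown is skipped when not root.
prepare_nginx_dirs() {
    root=$1; owner=$2
    while IFS= read -r d; do
        mkdir -p "$root$d"
        case "$d" in
            /var/log/*|/var/cache/*)
                if [ "$(id -u)" -eq 0 ]; then chown "$owner:$owner" "$root$d"; fi ;;
        esac
    done
}

# Constructed sample of `nginx -V` output using the paths from this gist.
SAMPLE_NGINX_V='nginx version: nginx/1.5.12
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --user=www-data --group=www-data'

# Live usage: nginx -V 2>&1 | nginx_dirs_from_configure_args | prepare_nginx_dirs "" www-data
```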

@monasor28

don't forget libssl-dev

@chriswallace

@tollmanz Have you updated this script to include the fix for the CCS Injection vulnerability? http://www.liquidweb.com/kb/update-and-patch-openssl-on-ubuntu-for-the-ccs-injection-vulnerability/

@tangrufus

Is it possible to upgrade it after installed?
Do I need to recompile everything and dpkg -i again?
Plus, do I need to uninstall the old version first?

@vastbinderj

Tang,

You cannot upgrade it. You do need to compile everything again and re-install with dpkg if you want to update it. Yes, you would want to uninstall the older version before installing.

@collinbarrett

I am trying to do a very similar process on Ubuntu, but continue to get a weird error when compiling in OpenSSL. I am having a very hard time finding much info regarding a solution on the interwebs. Does anyone here have any ideas? Thanks.

collinbarrett/wp-vps-build-guide#2

@frankyw

frankyw commented Oct 20, 2015

Yes Collin... apt-get install libssl-dev

@CrazyHackGUT

Awesome! Thanks!

@JoeUX

JoeUX commented May 29, 2016

Does it help to leverage modern CPU instructions? I've never used gcc before and was looking at this: https://gcc.gnu.org/onlinedocs/gcc/x86-Options.html#x86-Options

When compiling with gcc, I thought it was normal to specify a SIMD architecture baseline, like SSE 4.2 or AVX if you know you'll be running on Sandy Bridge and up, for example. That would leverage a bunch of vector instructions as well as the AES crypto instructions. Does this make a difference for nginx? It seems like it would for TLS performance, but I never see anyone include any modern CPU flags on the "with-cc-opt" line. Has anyone tried the SIMD options?
