Skip to content

Instantly share code, notes, and snippets.

Last active May 3, 2024 12:06
Show Gist options
  • Save tollmanz/8662688 to your computer and use it in GitHub Desktop.
Save tollmanz/8662688 to your computer and use it in GitHub Desktop.
# Install dependencies
# * checkinstall: package the .deb
# * libpcre3, libpcre3-dev: required for HTTP rewrite module
# * zlib1g zlib1g-dbg zlib1g-dev: required for HTTP gzip module
apt-get install checkinstall libpcre3 libpcre3-dev zlib1g zlib1g-dbg zlib1g-dev && \
mkdir -p ~/sources/ && \
# Compile against OpenSSL to enable NPN
cd ~/sources && \
wget && \
tar -xzvf openssl-1.0.1g.tar.gz && \
# Download the Cache Purge module
cd ~/sources/ && \
git clone && \
cd ~/sources && \
# Download PageSpeed
cd ~/sources && \
wget && \
unzip && \
cd ngx_pagespeed- && \
wget && \
tar -xzvf && \
# Get the Nginx source.
# Best to get the latest mainline release. Of course, your mileage may
# vary depending on future changes
cd ~/sources/ && \
wget && \
tar zxf nginx-1.5.12.tar.gz && \
cd nginx-1.5.12 && \
# Configure nginx.
# This is based on the default package in Debian. Additional flags have
# been added:
# * --with-debug: adds helpful logs for debugging
# * --with-openssl=$HOME/sources/openssl-1.0.1e: compile against newer version
# of openssl
# * --with-http_spdy_module: include the SPDY module
./configure --prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/ \
--lock-path=/var/run/nginx.lock \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--user=www-data \
--group=www-data \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-file-aio \
--with-http_spdy_module \
--with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' \
--with-ld-opt='-Wl,-z,relro -Wl,--as-needed' \
--with-ipv6 \
--with-debug \
--with-openssl=$HOME/sources/openssl-1.0.1g \
--add-module=$HOME/sources/ngx_pagespeed- \
--add-module=$HOME/sources/ngx_cache_purge && \
# Make the package.
make && \
# Create a .deb package.
# Instead of running `make install`, create a .deb and install from there. This
# allows you to easily uninstall the package if there are issues.
checkinstall --install=no -y && \
# Install the package.
dpkg -i nginx_1.5.12-1_amd64.deb
Copy link

Awesome stuff, thanks!

Copy link

Thanks for sharing this, Zack!

Copy link

This is pretty awesome but I couldn't make it work.

Though I see the parameters define in the script, many of them didn't produce the outcome I was expecting.

For instance:

--error-log-path=/var/log/nginx/error.log \ --http-log-path=/var/log/nginx/access.log \ --pid-path=/var/run/ \
I had no errors logs, and can't find a pid file anywhere on my system.

--user=www-data \ --group=www-data \
My default nginx.conf file show 'no-user' as the user.

A few other things were strange. Anyone else have this problem?

Copy link

@kjprince - One of the issues I did face with this was making sure that you create the initial error logs and set appropriate permissions. nginx -t will usually reveal any issues after compiling. I seem to remember that there was a cache directory that needed to be set as well. Be sure that the error/access log are read/writeable by the user (in this case www-data).

I really do not know why no-user is the user. That's interesting.

It's definitely better if you can use a precompiled script because you do not run into these issues; however, to get fancy features like SPDY, PageSpeed, and Heartbleedlessness, sometimes you need to dip your toes into compiling.

Copy link

dont frget libssl-dev

Copy link

@tollmanz Have you updated this script to include the fix for the CCS Injection vulnerability?

Copy link

Is it possible to upgrade it after installed?
Do i need to recompile everything and dpkg -i again?
Plus, do i need to uninstall the old version first?

Copy link


You cannot upgrade it. You do need to compile everything again and re-install with dpkg if you want to update it. Yes, you would want to uninstall the older version before installing.

Copy link

I am trying to do a very similar process on Ubuntu, but continue to get a weird error when compiling in OpenSSL. I am having a very hard time finding much info regarding a solution on the interwebs. Does anyone here have any ideas? Thanks.


Copy link

frankyw commented Oct 20, 2015

Yes Collin... apt-get install libssl-dev

Copy link

Awesome! Thanks!

Copy link

JoeUX commented May 29, 2016

Does it help to leverage modern CPU instructions? I've never used gcc before and was looking at this:

When compiling with gcc, I thought it was normal to specify a SIMD architecture baseline, like SSE 4.2 or AVX if you know you'll be running on Sandy Bridge and up for example. That would leverage a bunch of vector instructions as well as the AES crypto instructions. Does this make on a difference for nginx? It seems like it would for TLS performance, but I never see anyone include any modern CPU flags on the "with-cc-opt" line. Has anyone tried the SIMD options?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment