Skip to content

Instantly share code, notes, and snippets.

@MattWilcox
Last active March 6, 2022 18:01
Show Gist options
  • Save MattWilcox/402e2e8aa2e1c132ee24 to your computer and use it in GitHub Desktop.
Save MattWilcox/402e2e8aa2e1c132ee24 to your computer and use it in GitHub Desktop.
Fetch, build, and install the latest nginx with the latest OpenSSL for RaspberryPi
#!/usr/bin/env bash
# names of latest versions of each package
export VERSION_PCRE=pcre-8.38
export VERSION_OPENSSL=openssl-1.0.2d
export VERSION_NGINX=nginx-1.9.7
# URLs to the source directories
export SOURCE_OPENSSL=https://www.openssl.org/source/
export SOURCE_PCRE=ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
export SOURCE_NGINX=http://nginx.org/download/
# make a 'today' variable for use in back-up filenames later
today=$(date +"%Y-%m-%d")
# clean out any files from previous runs of this script
rm -rf build
rm -rf /etc/nginx-default
mkdir build
# ensure that we have the required software to compile our own nginx
apt-get -y install curl wget build-essential
# grab the source files
wget -P ./build $SOURCE_PCRE$VERSION_PCRE.tar.gz
wget -P ./build $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz --no-check-certificate
wget -P ./build $SOURCE_NGINX$VERSION_NGINX.tar.gz
# expand the source files
cd build
tar xzf $VERSION_NGINX.tar.gz
tar xzf $VERSION_OPENSSL.tar.gz
tar xzf $VERSION_PCRE.tar.gz
cd ../
# set where OpenSSL and nginx will be built
export BPATH=$(pwd)/build
export STATICLIBSSL="$BPATH/staticlibssl"
# build static openssl
cd $BPATH/$VERSION_OPENSSL
rm -rf "$STATICLIBSSL"
mkdir "$STATICLIBSSL"
make clean
./config --prefix=$STATICLIBSSL no-shared \
&& make depend \
&& make \
&& make install_sw
# rename the existing /etc/nginx directory so it's saved as a back-up
mv /etc/nginx /etc/nginx-$today
# build nginx, with various modules included/excluded
cd $BPATH/$VERSION_NGINX
mkdir -p $BPATH/nginx
./configure --with-cc-opt="-I $STATICLIBSSL/include -I/usr/include" \
--with-ld-opt="-L $STATICLIBSSL/lib -Wl,-rpath -lssl -lcrypto -ldl -lz" \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-pcre=$BPATH/$VERSION_PCRE \
--with-http_ssl_module \
--with-http_v2_module \
--with-file-aio \
--with-ipv6 \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
&& make && make install
# rename the compiled 'default' /etc/nginx directory so its accessible as a reference to the new nginx defaults
mv /etc/nginx /etc/nginx-default
# now restore the previous version of /etc/nginx to /etc/nginx so the old settings are kept
mv /etc/nginx-$today /etc/nginx
echo "All done.";
echo "This build has not edited your existing /etc/nginx directory.";
echo "If things aren't working now you may need to refer to the";
echo "configuration files the new nginx ships with as defaults,";
echo "which are available at /etc/nginx-default";
@MattWilcox
Copy link
Author

Hmm, that's interesting: Are you trying this on a Raspberry Pi running Raspbian? Or have you got Debian Wheezy installed on the Pi?

I've tried this on Raspbian on the Pi without issue, and I've tried this on Debian Wheezy running on a Linode, again without problem.

It sounds like you've got Debian running on your Pi though, which is a configuration I've not tested, and which might well throw up problems - from what I know, Debian is not best suited to the processor that the Pi uses (It's an older ARM processor, not an x86 processor). Which is one reason why Raspbian came into being in the first place; it's Debian, fettled to work nicely on Pi hardware.

I'm not sure what to suggest to get that issue fixed for you, I'm not overly familiar with the intricacies of OpenSSL nor the Pi itself, but you could try removing the option entirely (I think it's just an option to give a faster end result (using 64bit code) rather than anything of a functional change; see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698447 )

@henrythasler
Copy link

I had the same problem with the enable-ec_nistp_64_gcc_128 option. I used the latest (2014-01-07) Raspbian Image (http://www.raspberrypi.org/downloads/) an not the noobs method as Matt described in his post. Maybe that makes a difference.
As a workaround I removed the enable-ec_nistp_64_gcc_128 option and it went just fine. As Matt said, it's meant for performance optimizations.
Elliptic Curve algorithms are suspect be weakened on purpose anyway (http://www.wired.com/2013/09/nsa-backdoor/all/ and http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/3/)

@kjetilbmoe
Copy link

According to http://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options the enable-ec_nistp_64_gcc_128 option should only be enabled on x64 systems. I believe Raspberry does not qualify for that just yet.

@habovh
Copy link

habovh commented Oct 11, 2014

I'm facing issues with the script... Honestly, I don't know what to do here... It seems that when it's trying to compile nginx, it fails somehow... Any clues?

ecp_nistp224.c:574:2: warning: right shift count >= width of type [enabled by default]
ecp_nistp224.c:577:2: warning: right shift count >= width of type [enabled by default]
<builtin>: recipe for target 'ecp_nistp224.o' failed
make[2]: *** [ecp_nistp224.o] Error 1
make[2]: Leaving directory '/home/pi/Install/nginx/build/openssl-1.0.1i/crypto/ec'
Makefile:91: recipe for target 'subdirs' failed
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory '/home/pi/Install/nginx/build/openssl-1.0.1i/crypto'
Makefile:278: recipe for target 'build_crypto' failed
make: *** [build_crypto] Error 1
checking for OS
 + Linux 3.12.28+ armv6l
checking for C compiler ... found
 + using GNU C compiler
 + gcc version: 4.6.3 (Debian 4.6.3-14+rpi1)
checking for gcc -pipe switch ... found
checking for --with-ld-opt="-L /home/pi/Install/nginx/build/staticlibssl/lib -Wl,-rpath -lssl -lcrypto -ldl -lz" ... not found
./configure: error: the invalid value in --with-ld-opt="-L /home/pi/Install/nginx/build/staticlibssl/lib -Wl,-rpath -lssl -lcrypto -ldl -lz"

mv: cannot stat `/etc/nginx': No such file or directory
All done.
This build has not edited your existing /etc/nginx directory.
If things aren't working now you may need to refer to the
configuration files the new nginx ships with as defaults,
which are available at /etc/nginx-default
root@raspberrypi:/home/pi/Install/nginx#

@MattWilcox
Copy link
Author

Hi Toborrow: looks like you're running the script without having read the accompanying blog post - this script is expecting /etc/nginx to already exist because it's expecting to have had the apt-get version installed (and then removed) in the past. I did it that way so that a few init scripts and behaviours are set up for you. Have a look through https://mattwilcox.net/archives/setting-up-a-recent-version-of-nginx-with-https-and-spdy-support-on-a-raspberry-pi/ and hopefully that should help.

@rgyger
Copy link

rgyger commented Nov 7, 2014

The error is not a missing /etc/nginx (the script moved it before calling configure on nginx), configure is failing. The problem is related to the linker options given to configure, hence the './configure: error: ' line. In my case, a 64bit zlib was missing from my system.

I would suggest running the configure line from the script directly in the shell removing options till you find which one is causing the error.

The stat on /etc/nginx fails because 'make install' called after configure did not run due to configure erroring out.

The script moves /etc/nginx back when finishing so it is there after the script completes.

@habovh
Copy link

habovh commented Dec 18, 2014

@MattWilcox, thanks for the blog post, I didn't read it in the first place, mainly because I landed on this Gist right from my google query... I'll have a look!

@rgyger, I'll try that and keep you informed if this solved my issue, thanks!

EDIT :
I could build Nginx to the latest version using your advice @rgyger, when I removed -lcrypto from --with-ld-opt, build passed. However, how does this affect Nginx? I read elsewhere that I should probably specify the path to the lib (which is located in my case at /home/pi/Install/nginx/build/staticlibssl/lib, but I'm not quite sure what's the right way).
Thanks for your help!

@PePaPossum
Copy link

Can confirm problems with enable-ec_nistp_64_gcc_128 when compiling openssl.

ecp_nistp224.c:43:3: error: unknown type name ‘__uint128_t’
ecp_nistp224.c: In function ‘widefelem_diff’:
ecp_nistp224.c:422:2: warning: left shift count >= width of type [enabled by default]

Running Raspbian Debian Wheezy December 2014
Don't get any compilation errors with openssl when enable-ec_nistp_64_gcc_128 is removed

@bergerf
Copy link

bergerf commented Jan 23, 2015

Hi, thanks for the script. Here my changes which are necessary on Bananian (version: 15.01 (released 2015-01-11))
build done with pcre-8.36 / openssl-1.0.2 / nginx-1.7.9

  • remove 'enable-ec_nistp_64_gcc_128' parameter within openssl build
  • change the '-rpath' option within the nginx build from '-Wl,-rpath' to '-Wl,-rpath=$STATICLIBSSL/lib'
  • install libz-dev

@bkev
Copy link

bkev commented Feb 12, 2015

I'm new to all this, but I've followed the instructions. Fresh install on Raspbian on Pi 2, ran sudo apt-get install nginx and then once installed ran sudo apt-get remove nginx
I then put on this script, made it executable and changed the version of OpenSSL to 1.0.2

It seems to run ok, and once it's complete I get the basic webpage. But, if I run nginx -v on my Pi, it still shows the version of 1.2.1. I'm not sure what I've done wrong. Is this the same for you?

@habovh
Copy link

habovh commented Feb 16, 2015

Just wanted to let you know, I tried the script on my brand new Raspberry Pi2 and it works like a charm (without any edits though, instead of my try on RPi1).
@bkev: Did you run the script as root ?
Try sudo ./build_nginx.sh and tell us if this does changes anything. I also made the mistake and forgot the sudo at first.

@zucht
Copy link

zucht commented Feb 19, 2015

Thanks for this script!

libcrypto was missing on my RPi2 clean Raspbian install. Fixed it by installing libssl-dev

@bkev
Copy link

bkev commented Feb 20, 2015

Thanks for the help!

@zucht doing a sudo apt-get install libssl-dev and running the script again meant that when I run nginx -v now, I get 1.7.9. but if I run an openssl version command, I still get 1.0.1e.

Is this correct? Does the script build nginx with the new version of openssl but not replace the version found on the Pi?

Thanks again.

EDIT: I too had to remove the "enable-ec_nistp_64_gcc_128" option as it kept failing.

@CaptainRewind
Copy link

Awesome! I've been having problems getting all the dependencies sorted out, as the repo versions are horribly out-of-date with tons of vulnerabilities. I'll give this a try. Thanks.

@MattWilcox
Copy link
Author

@bkev - The script makes a version of openssl for nginx to use, but does not replace the system one. If you're worried about security, the system ones will usually have security patches applied but still be based on an older version of OpennSSL. That's why some packages in the repositories have stuff like 'deb10.1' or similar appended to the actual software version.

@Linkaan
Copy link

Linkaan commented Aug 5, 2015

If you're tired of manually updating the latest versions of each package, feel free to use my fork of this script :)

@rammjet
Copy link

rammjet commented Sep 30, 2015

Trying this with the new 2015-09-24-raspbian-jessie.img on Rasp Pi 2. Getting a compile error in crypto. I'm not strong in this area, so a suggestion is welcome.

Also, Nginx 1.9.5 no longer supports SPDY. You either need to use the new HTTP/2, or fall back to Ngnix 1.9.4. Info on Nginx HTTP/2: http://nginx.org/en/docs/http/ngx_http_v2_module.html

making all in crypto...
make[1]: Entering directory '/home/pi/build/openssl-1.0.2d/crypto'
/usr/bin/perl ../util/mkbuildinf.pl "gcc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -march=armv7-a -Wa,--noexecstack -O3 -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM" "linux-armv4" >buildinf.h
gcc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -march=armv7-a -Wa,--noexecstack -O3 -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM   -c -o cryptlib.o cryptlib.c
In file included from /usr/include/stdlib.h:41:0,
                 from cryptlib.h:62,
                 from cryptlib.c:117:
/usr/include/arm-linux-gnueabihf/bits/waitflags.h:52:3: internal compiler error: Segmentation fault
   P_ALL,  /* Wait for any child.  */
   ^
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-4.9/README.Bugs> for instructions.
Preprocessed source stored into /tmp/cc5Vn7ij.out file, please attach this to your bugreport.
<builtin>: recipe for target 'cryptlib.o' failed
make[1]: *** [cryptlib.o] Error 1
make[1]: Leaving directory '/home/pi/build/openssl-1.0.2d/crypto'
Makefile:283: recipe for target 'build_crypto' failed
make: *** [build_crypto] Error 1
checking for OS
 + Linux 4.1.7-v7+ armv7l
checking for C compiler ... not found

./configure: error: C compiler cc is not found

mv: cannot stat ‘/etc/nginx’: No such file or directory
All done.

@Tralapo
Copy link

Tralapo commented Oct 4, 2015

For the latest version, 1.9.5, Spdy had been replaced by HTTP/2.

Changing --with-http_spdy_module \ to --with-http_v2_module \ works.

@fademar
Copy link

fademar commented Oct 4, 2015

Hello,
Just run the script on my Rasp-jessie. Everything goes well despite the upgrade of openssl. The openssl version is stuck at 1.0.1k even if I put the 1.0.2 version in the script. Any idea ?

@rammjet
Copy link

rammjet commented Oct 5, 2015

The script only provides OpenSSL for compiling into Nginx. It does not install the new OpenSSL into the system. Read the Mar 21 comment by MattWilcox above.

With the seg fault I posted above during creation of the OpenSSL files, I grabbed the OpenSSL 1.0.2d directory created on a Wheezy version of Raspbian and inserted it into the "build" directory on Jessie and modded the script to use it. Seems to have worked, but I don't know what monster I might have created. I'm going to try it again fresh in a couple of days.

@Tralapo
Copy link

Tralapo commented Oct 9, 2015

@habovh I ran into the same problem when trying this script on Ubuntu as you did: ./configure: error: the invalid value in --with-ld-opt . Did you ever find out what to do to fix it? Removing -lcrypto does not do the trick.

Edit

I installed libssl-dev which made the above error disappear, but then I got some sort of OpenSSL error. Added --with-openssl=$BPATH/$VERSION_OPENSSL \ to the script and now it seems to run all the way instead of stopping early. Think I'm good now?

@MattWilcox
Copy link
Author

It seems like something changed with Debian 8, and the 'enable-ec_nistp_64_gcc_128' option on line 45 now causes a failure when configuring the crypto. I have removed this from the script and it now compiles correctly. Tested on a Pi2 with Jessie based Raspbian.

If anyone knows a better solution, I'd be all ears - it's a performance enhancement flag that the Pi would benefit from.

/cc @Tralapo @rammjet

@noplanman
Copy link

Sorry to chime in as well, but I too was wondering where exactly the updated versions of OpenSSL and PCRE are actually playing their part.
Shouldn't I at least see the updated version numbers in phpinfo();?
How would I make use of the updated versions otherwise?
Thanks for clarifying, I'm still new to this home server party 🎉

@shmick
Copy link

shmick commented Jan 30, 2016

Newer versions:

export VERSION_OPENSSL=openssl-1.0.2f
export VERSION_NGINX=nginx-1.9.9

@MatthewVance
Copy link

First off, thanks for this script. I'm not sure how or if it's possible to send pull requests to Gists so I wanted to let you know about some changes I made to my fork you may want to add in. You won't want to include all my changes because I added some modules not everyone will want, but some of my other updates may be useful:

  • Bumped OpenSSL and NGINX to latest versions
  • Added set -e -x so script prints commands being executed and exits if a single command fails
  • Made script verify checksums
  • Removed wget dependency
  • Compiled without SSLv3 support

Feel free to take or not take any of those changes from my fork.

@MatthewVance
Copy link

@noplanman you're not seeing the updated versions of OpenSSL and PCRE in phpinfo(); because this build script only compiles NGINX using the statically linked versions of those tools, but does not touch any versions of those tools installed on your system. As such, PHP still uses/sees the system version. However, you can confirm, for OpenSSL at least, that NGINX was built with the version of OpenSSL within the script by running the following command: nginx -V.

@tayler-king
Copy link

@MattWilcox

After removing Nginx and re-installing using this along with the Google Pagespeed module, although Nginx version 1.9.7 is installed I am unable to access it as a service - with the error of 'no such file or directory'.

Any ideas?

@veeblefetzer
Copy link

Hi @MattWilcox and thanks for sharing the script!

what exactly is the directory "$BPATH/nginx" for? (Line 55: mkdir -p $BPATH/nginx)

@wouterds
Copy link

PCRE 8.38 is not working anymore, 8.39 is though. (https://gist.github.com/wouterds/f676815659147a262cf77e41c704419f)

@mincaeuro
Copy link

Hi,
have tried ur script but got error about missing openssl for SSL usage, so you've to also add:
--with-openssl=$BPATH/$VERSION_OPENSSL \

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment