#!/usr/bin/env bash
# abort on the first failing command, so a broken build never reaches the install step
set -e
# names of latest versions of each package
export VERSION_PCRE=pcre-8.38
export VERSION_OPENSSL=openssl-1.0.2d
export VERSION_NGINX=nginx-1.9.7
# URLs to the source directories
export SOURCE_OPENSSL=https://www.openssl.org/source/
export SOURCE_PCRE=ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
export SOURCE_NGINX=http://nginx.org/download/
# make a 'today' variable for use in back-up filenames later
today=$(date +"%Y-%m-%d")
# clean out any files from previous runs of this script
rm -rf build
rm -rf /etc/nginx-default
mkdir build
# ensure that we have the required software to compile our own nginx
# (zlib1g-dev provides the zlib headers needed by -lz and the gzip modules)
apt-get -y install curl wget build-essential zlib1g-dev
# grab the source files
wget -P ./build "$SOURCE_PCRE$VERSION_PCRE.tar.gz"
# --no-check-certificate disables TLS verification of openssl.org; drop it once the
# system CA bundle is current, and verify the tarball checksums regardless
wget -P ./build "$SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz" --no-check-certificate
wget -P ./build "$SOURCE_NGINX$VERSION_NGINX.tar.gz"
# expand the source files
cd build
tar xzf "$VERSION_NGINX.tar.gz"
tar xzf "$VERSION_OPENSSL.tar.gz"
tar xzf "$VERSION_PCRE.tar.gz"
cd ../
# set where OpenSSL and nginx will be built
export BPATH=$(pwd)/build
export STATICLIBSSL="$BPATH/staticlibssl"
# build static openssl
cd "$BPATH/$VERSION_OPENSSL"
rm -rf "$STATICLIBSSL"
mkdir "$STATICLIBSSL"
make clean
./config --prefix="$STATICLIBSSL" no-shared \
&& make depend \
&& make \
&& make install_sw
# build nginx, with various modules included/excluded
# (no -Wl,-rpath: OpenSSL is linked statically, and a bare -rpath swallowed the following -lssl)
cd "$BPATH/$VERSION_NGINX"
mkdir -p "$BPATH/nginx"
./configure --with-cc-opt="-I $STATICLIBSSL/include -I/usr/include" \
--with-ld-opt="-L $STATICLIBSSL/lib -lssl -lcrypto -ldl -lz" \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-pcre="$BPATH/$VERSION_PCRE" \
--with-http_ssl_module \
--with-http_v2_module \
--with-file-aio \
--with-ipv6 \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
&& make
# only now, after a successful build, rename the existing /etc/nginx directory
# so it's saved as a back-up (a failed build leaves it untouched)
if [ -d /etc/nginx ]; then mv /etc/nginx "/etc/nginx-$today"; fi
make install
# rename the freshly installed 'default' /etc/nginx directory so it's accessible as a reference to the new nginx defaults
mv /etc/nginx /etc/nginx-default
# now restore the previous version of /etc/nginx so the old settings are kept
# (if there was none, start from the new defaults)
if [ -d "/etc/nginx-$today" ]; then
  mv "/etc/nginx-$today" /etc/nginx
else
  cp -a /etc/nginx-default /etc/nginx
fi
echo "All done."
echo "This build has not edited your existing /etc/nginx directory."
echo "If things aren't working now you may need to refer to the"
echo "configuration files the new nginx ships with as defaults,"
echo "which are available at /etc/nginx-default"
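The script above downloads the three tarballs over FTP, plain HTTP and TLS with certificate checking turned off, so nothing verifies what was fetched before it is compiled into a network-facing binary. The following is an added example, not part of MattWilcox's gist: it pins a SHA-256 per archive and refuses to continue on a mismatch. The digest values are placeholders to be replaced with the ones each project publishes; the function and variable names are my own.

```shell
# Pinned digests, "<filename> <sha256>" per line. PLACEHOLDER values: take the
# real digests from each project's release announcement before relying on this.
PINNED_DIGESTS='
nginx-1.9.7.tar.gz    REPLACE_WITH_NGINX_SHA256
openssl-1.0.2d.tar.gz REPLACE_WITH_OPENSSL_SHA256
pcre-8.38.tar.gz      REPLACE_WITH_PCRE_SHA256
'

# sha256_of FILE: print the hex digest (GNU coreutils, or perl's shasum elsewhere)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_tarball FILE EXPECTED: returns 0 on match, 1 on a missing file or mismatch
verify_tarball() {
  file=$1; expected=$2
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    printf 'CHECKSUM MISMATCH %s\n  expected %s\n  got      %s\n' \
      "$file" "$expected" "$actual" >&2
    return 1
  fi
  return 0
}

# verify_all DIR [MANIFEST]: check every archive listed in MANIFEST (default:
# PINNED_DIGESTS) inside DIR; returns 1 if any single check failed
verify_all() {
  dir=$1; manifest=${2:-$PINNED_DIGESTS}; status=0
  while read -r name digest; do
    [ -n "$name" ] || continue
    verify_tarball "$dir/$name" "$digest" || status=1
  done <<EOF
$manifest
EOF
  return $status
}

# Usage in the build script: call this after the wget lines and before "tar xzf":
#   verify_all ./build || { echo "aborting: tarball verification failed" >&2; exit 1; }
```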
@bkev - The script makes a version of openssl for nginx to use, but does not replace the system one. If you're worried about security, the system ones will usually have security patches applied but still be based on an older version of OpenSSL. That's why some packages in the repositories have stuff like 'deb10.1' or similar appended to the actual software version.
If you're tired of manually updating the latest versions of each package, feel free to use my fork of this script :)
Trying this with the new 2015-09-24-raspbian-jessie.img on Rasp Pi 2. Getting a compile error in crypto. I'm not strong in this area, so a suggestion is welcome.
Also, Nginx 1.9.5 no longer supports SPDY. You either need to use the new HTTP/2, or fall back to Nginx 1.9.4. Info on Nginx HTTP/2: http://nginx.org/en/docs/http/ngx_http_v2_module.html
making all in crypto...
make[1]: Entering directory '/home/pi/build/openssl-1.0.2d/crypto'
/usr/bin/perl ../util/mkbuildinf.pl "gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -march=armv7-a -Wa,--noexecstack -O3 -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM" "linux-armv4" >buildinf.h
gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -march=armv7-a -Wa,--noexecstack -O3 -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -c -o cryptlib.o cryptlib.c
In file included from /usr/include/stdlib.h:41:0,
from cryptlib.h:62,
from cryptlib.c:117:
/usr/include/arm-linux-gnueabihf/bits/waitflags.h:52:3: internal compiler error: Segmentation fault
P_ALL, /* Wait for any child. */
^
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-4.9/README.Bugs> for instructions.
Preprocessed source stored into /tmp/cc5Vn7ij.out file, please attach this to your bugreport.
<builtin>: recipe for target 'cryptlib.o' failed
make[1]: *** [cryptlib.o] Error 1
make[1]: Leaving directory '/home/pi/build/openssl-1.0.2d/crypto'
Makefile:283: recipe for target 'build_crypto' failed
make: *** [build_crypto] Error 1
checking for OS
+ Linux 4.1.7-v7+ armv7l
checking for C compiler ... not found
./configure: error: C compiler cc is not found
mv: cannot stat ‘/etc/nginx’: No such file or directory
All done.
For the latest version, 1.9.5, SPDY has been replaced by HTTP/2.
Changing --with-http_spdy_module \ to --with-http_v2_module \ works.
Hello,
Just ran the script on my Rasp-jessie. Everything goes well despite the upgrade of openssl. The openssl version is stuck at 1.0.1k even if I put the 1.0.2 version in the script. Any idea?
The script only provides OpenSSL for compiling into Nginx. It does not install the new OpenSSL into the system. Read the Mar 21 comment by MattWilcox above.
With the seg fault I posted above during creation of the OpenSSL files, I grabbed the OpenSSL 1.0.2d directory created on a Wheezy version of Raspbian and inserted it into the "build" directory on Jessie and modded the script to use it. Seems to have worked, but I don't know what monster I might have created. I'm going to try it again fresh in a couple of days.
@habovh I ran into the same problem when trying this script on Ubuntu as you did: ./configure: error: the invalid value in --with-ld-opt. Did you ever find out what to do to fix it? Removing -lcrypto does not do the trick.
Edit:
I installed libssl-dev which made the above error disappear, but then I got some sort of OpenSSL error. Added --with-openssl=$BPATH/$VERSION_OPENSSL \ to the script and now it seems to run all the way instead of stopping early. Think I'm good now?
It seems like something changed with Debian 8, and the 'enable-ec_nistp_64_gcc_128' option on line 45 now causes a failure when configuring the crypto. I have removed this from the script and it now compiles correctly. Tested on a Pi2 with Jessie based Raspbian.
If anyone knows a better solution, I'd be all ears - it's a performance enhancement flag that the Pi would benefit from.
Sorry to chime in as well, but I too was wondering where exactly the updated versions of OpenSSL and PCRE are actually playing their part.
Shouldn't I at least see the updated version numbers in phpinfo();?
How would I make use of the updated versions otherwise?
Thanks for clarifying, I'm still new to this home server party 🎉
Newer versions:
export VERSION_OPENSSL=openssl-1.0.2f
export VERSION_NGINX=nginx-1.9.9
First off, thanks for this script. I'm not sure how or if it's possible to send pull requests to Gists so I wanted to let you know about some changes I made to my fork you may want to add in. You won't want to include all my changes because I added some modules not everyone will want, but some of my other updates may be useful:
- Bumped OpenSSL and NGINX to latest versions
- Added set -e -x so script prints commands being executed and exits if a single command fails
- Made script verify checksums
- Removed wget dependency
- Compiled without SSLv3 support
Feel free to take or not take any of those changes from my fork.
@noplanman you're not seeing the updated versions of OpenSSL and PCRE in phpinfo(); because this build script only compiles NGINX using the statically linked versions of those tools, but does not touch any versions of those tools installed on your system. As such, PHP still uses/sees the system version. However, you can confirm, for OpenSSL at least, that NGINX was built with the version of OpenSSL within the script by running the following command: nginx -V.
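The nginx -V check above is worth scripting, because "built with OpenSSL" is the line that proves the static library went in, and a separate "running with OpenSSL" line would mean nginx picked up the system's shared library instead. This is an added example, not code from the gist or from the nginx project; the sample output is constructed to resemble this build, and the function names are my own.

```shell
# Constructed sample of what `nginx -V 2>&1` prints for this build (nginx -V
# writes to stderr). Real output varies by host and configure arguments.
SAMPLE_NGINX_V='nginx version: nginx/1.9.7
built by gcc 4.9.2 (Raspbian 4.9.2-10)
built with OpenSSL 1.0.2d 9 Jul 2015
TLS SNI support enabled
configure arguments: --with-cc-opt=-I/root/build/staticlibssl/include --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --with-http_ssl_module --with-http_v2_module --without-mail_pop3_module'

# openssl_built_with TEXT: print the version token from the "built with OpenSSL" line
openssl_built_with() {
  printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'
}

# has_configure_arg TEXT ARG: 0 if ARG appears as a whole token in "configure arguments:"
has_configure_arg() {
  printf '%s\n' "$1" | grep '^configure arguments:' | grep -Eq -- " $2( |$)"
}

# check_build TEXT EXPECTED: 0 only if nginx was built with EXPECTED and reports no
# different runtime OpenSSL (which would mean it is using a shared system library)
check_build() {
  text=$1; want=$2
  got=$(openssl_built_with "$text")
  if [ "$got" != "$want" ]; then
    echo "built with OpenSSL '$got', expected '$want'" >&2
    return 1
  fi
  if printf '%s\n' "$text" | grep -q '^running with OpenSSL'; then
    echo "nginx reports a different runtime OpenSSL: not statically linked" >&2
    return 1
  fi
  return 0
}

# On a real host, after the build: check_build "$(nginx -V 2>&1)" 1.0.2d
```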
After removing Nginx and re-installing using this along with the Google Pagespeed module, although Nginx version 1.9.7 is installed I am unable to access it as a service - with the error of 'no such file or directory'.
Any ideas?
Hi @MattWilcox and thanks for sharing the script!
What exactly is the directory "$BPATH/nginx" for? (Line 55: mkdir -p $BPATH/nginx)
PCRE 8.38 is not working anymore, 8.39 is though. (https://gist.github.com/wouterds/f676815659147a262cf77e41c704419f)
Hi,
I have tried your script but got an error about missing openssl for SSL usage, so you have to also add:
--with-openssl=$BPATH/$VERSION_OPENSSL \
Awesome! I've been having problems getting all the dependencies sorted out, as the repo versions are horribly out-of-date with tons of vulnerabilities. I'll give this a try. Thanks.