Custom Compile
I have been compiling Nginx and OpenSSL from source for several years now; it's the best way to install the latest Nginx with the most up-to-date security features. Unfortunately, most Linux distro repos are far behind in OpenSSL versions, and this is not good. People say you shouldn't jump ahead to releases that are not tested and officially released by the developers, but this is not always true. When it comes to security, you can never wait to make sure your software is as secure as the most recent versions can provide. I have never had a problem installing Nginx using this method, and I am confident in knowing I have the latest OpenSSL features compiled with my Nginx webserver.
A nice benefit of doing it this way is that you can choose which functions and modules you want to compile Nginx with. If you want a custom module, this is the way to do it.
- Do not use this method if you already have Nginx installed via apt; this is for a fresh server with no Nginx installed whatsoever.
- This does not install OpenSSL on your system; it uses the latest OpenSSL source for compilation with Nginx.
- Because we are compiling from source we will need to create some directories manually as well as the NGINX systemd / init service files.
- At the time of this post the latest versions are:
  - Nginx 1.13.6 (check for the latest version)
  - OpenSSL 1.1.0g (check for the latest version)
It's a simple and straightforward install and takes about 5-8 minutes or so.
This install MUST be done as root, so run sudo su on your server and let's get started.
- First grab dependencies needed to build
apt install build-essential libpcre3 libpcre3-dev zlib1g-dev libxslt1-dev libgd-dev libgeoip-dev libperl-dev
- Now grab the sources
cd /opt
wget https://www.openssl.org/source/openssl-1.1.0g.tar.gz
wget https://nginx.org/download/nginx-1.13.6.tar.gz
tar -zxvf openssl-1.1.0g.tar.gz
tar -zxvf nginx-1.13.6.tar.gz
cd nginx-1.13.6/
- The following configuration will suit most needs, but if you have other modules you want to include or custom paths, feel free to add them. The most important parts are the path to the OpenSSL source, which must match the directory extracted above, and the http2 module.
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_v2_module --with-openssl=/opt/openssl-1.1.0g --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed'
make
make install
nginx -V
- You should see the latest version of Nginx compiled with the latest OpenSSL.
nano /lib/systemd/system/nginx.service
- Insert the following
chmod 0644 /lib/systemd/system/nginx.service
systemctl enable nginx.service
nano /etc/init.d/nginx
- Insert the following
cd /etc/init.d/
sudo chmod u+x nginx
update-rc.d nginx defaults
mkdir /etc/nginx/conf.d
nano /etc/nginx/conf.d/vhosts.conf
- Insert the following