Nginx Build Skript

Submitted by admin on So, 11.12.2016 - 11:50

Das folgende Skript baut einen Nginx-Server aus dem Nginx-Git-Source, erstellt einen systemd-Service und startet den Nginx. Wichtig: Unbedingt die OpenSSL-Version prüfen! Alte OpenSSL-Versionen haben z. T. böse Sicherheitsprobleme.

#!/bin/sh

#################################################################################
# Build script for Nginx with TLSv1.3 support
# Copyright 2017 by Christian Felsing <support@ip6.li>
#################################################################################

# Set to 1 to (re)start the service at the end of the script; any other value skips that step.
DO_START="1"

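#######################################
# Print a failure message and abort the script.
# Arguments: $@ - description of the step that failed (may be empty)
# Outputs:   "<args> failed" on stderr (not stdout, so it is not captured
#            by command substitutions or swallowed by redirected output)
# Returns:   never; exits the shell with status 1
#######################################
failed() {
	printf '%s failed\n' "$*" >&2
	exit 1
}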


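# Pick the package installation command for the detected distribution.
# PKG_INSTALL stays empty on unknown platforms; the build then relies on
# whatever toolchain is already present.
PKG_INSTALL=""
if [ -f /etc/redhat-release ]; then
  echo "found RedHat/CentOS"
  # Prefer dnf, fall back to yum where dnf is not installed.
  YUM=dnf
  if ! command -v dnf > /dev/null 2>&1; then
    YUM=yum
  fi
  PKG_INSTALL="${YUM} install wget git automake autoconf pcre-devel zlib-devel GeoIP-devel gcc-c++ make"
fi
if [ -f /etc/debian_version ]; then
  echo "found Debian/Ubuntu"
  PKG_INSTALL="apt -y install autotools-dev build-essential wget git-core libpcre3-dev zlib1g-dev libgeoip-dev"
fi
if [ -z "$PKG_INSTALL" ]; then
  echo "Unknown platform, your milage may vary"
fi

# A failed package installation used to be ignored and only surfaced later as
# a configure/make error; abort here instead with a clear message.
if [ -n "$PKG_INSTALL" ]; then
  # shellcheck disable=SC2086 -- PKG_INSTALL is intentionally word-split into a command line
  $PKG_INSTALL || failed "package installation"
fi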


# Build locations and runtime identity handed to configure and the unit file.
NGINX_DIR="nginx"               # nginx git checkout, relative to the current directory
NGINX_LOGDIR="/var/log/nginx"   # access/error log directory
NGINX_RUNDIR="/var/run/nginx"   # pid and lock file directory
NGINX_USER="nginx"              # passed to configure --user
NGINX_GROUP="nginx"             # passed to configure --group
OPENSSL_DIR="openssl"           # OpenSSL git checkout, relative to the current directory

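# Fetch OpenSSL once and pin it to the tag this script was written against.
# NOTE(review): OpenSSL_1_1_1-pre2 is a pre-release tag; check that the pinned
# version is still a supported, patched release before building.
if [ ! -d "${OPENSSL_DIR}" ]; then
  git clone https://github.com/openssl/openssl.git "${OPENSSL_DIR}" || failed "git clone openssl"
  cd "${OPENSSL_DIR}" || failed "cd ${OPENSSL_DIR}"
  git checkout OpenSSL_1_1_1-pre2 || failed "git checkout OpenSSL_1_1_1-pre2" # Draft 23
  cd .. || failed "cd .."
fi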

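# Shallow clone of nginx into ${NGINX_DIR}; the checkout is refreshed with git pull below.
# NOTE(review): this builds the unpinned default branch; pin a tag or commit if
# reproducible builds are required.
if [ ! -d "${NGINX_DIR}" ]; then
  git clone --depth 10 https://github.com/nginx/nginx.git "${NGINX_DIR}" || failed "git clone nginx"
fi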

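# Create the service group/user if they do not exist yet: system accounts, no login shell.
# getent output is discarded; only its exit status matters here.
if ! getent group "$NGINX_GROUP" > /dev/null; then
  groupadd -r "$NGINX_GROUP" || failed "groupadd ${NGINX_GROUP}"
fi
if ! getent passwd "$NGINX_USER" > /dev/null; then
  useradd -r -g "$NGINX_GROUP" -s /bin/false "$NGINX_USER" || failed "useradd ${NGINX_USER}"
fi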

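# Update the OpenSSL checkout.
# NOTE(review): after the tag checkout above HEAD is detached, so `git pull` has
# no branch to merge and reports an error. Its failure used to pass silently; it
# is reported as a warning here and the build continues with the existing checkout.
cd "${OPENSSL_DIR}" || failed "cd ${OPENSSL_DIR}"
git pull || printf 'warning: git pull in %s failed, building the existing checkout\n' "${OPENSSL_DIR}" >&2
cd .. || failed "cd .."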

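# Build nginx: from here on the working directory is ${NGINX_DIR}.
# A failed pull no longer passes silently; it is reported and the existing checkout is built.
cd "${NGINX_DIR}" || failed "cd ${NGINX_DIR}"
git pull || printf 'warning: git pull in %s failed, building the existing checkout\n' "${NGINX_DIR}" >&2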

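# Brotli compression module, compiled into nginx via --add-module below.
# NOTE(review): ngx_brotli and its submodules are fetched from the unpinned
# default branch; pin a commit if reproducible builds are required.
if [ ! -d ngx_brotli ]; then
  git clone https://github.com/google/ngx_brotli || failed "git clone ngx_brotli"
fi
cd ngx_brotli || failed "cd ngx_brotli"
git pull || printf 'warning: git pull in ngx_brotli failed, building the existing checkout\n' >&2
# Submodules are initialised even when the pull failed; presumably the module
# does not build without them, so a failure here is fatal.
git submodule update --init || failed "git submodule update ngx_brotli"
cd .. || failed "cd .."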

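# Configure nginx from inside ${NGINX_DIR}. The OpenSSL checkout sits next to it,
# so resolve it to an absolute path instead of assuming the script runs in /usr/src.
OPENSSL_SRC="$(cd .. && pwd)/${OPENSSL_DIR}"
# NOTE(review): -fPIE only affects compilation; the link step carries no -pie, so
# the result is a PIE executable only where the toolchain defaults to it, and
# -z,relro without -z,now is partial RELRO. Both flags are left unchanged here.
auto/configure \
  --with-openssl="${OPENSSL_SRC}" \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-file-aio \
  --with-threads \
  --with-http_realip_module \
  --with-http_geoip_module \
  --with-http_stub_status_module \
  --http-log-path="${NGINX_LOGDIR}/access.log" \
  --error-log-path="${NGINX_LOGDIR}/error.log" \
  --pid-path="${NGINX_RUNDIR}/nginx.pid" \
  --lock-path="${NGINX_RUNDIR}/nginx.lock" \
  --user="$NGINX_USER" \
  --group="$NGINX_GROUP" \
  --with-openssl-opt="enable-tls1_3 no-weak-ssl-ciphers" \
  --with-cc-opt="-g -O2 -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -DSSL_CTRL_SET_CURVES_LIST" \
  --with-ld-opt="-Wl,-Bsymbolic-functions -Wl,-z,relro" \
  --add-module=ngx_brotli \
  || failed "configure"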

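# Number of CPUs for a parallel make. THREADS stays unset when lscpu is missing
# or prints no "CPU(s):" line, in which case make runs single-threaded.
CORES=$(LANG=C lscpu 2> /dev/null | awk '/^CPU\(s\):/ { print $2 }')
if [ -n "$CORES" ]; then
  THREADS="-j $CORES"
fi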
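# Build and install (default prefix /usr/local/nginx); name the failing step in the message.
# shellcheck disable=SC2086 -- THREADS is intentionally word-split into "-j N"
make $THREADS || failed "make"
make install || failed "make install"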

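# Log and run directories referenced by configure above; -p makes this
# idempotent and a failure (e.g. the path exists as a file) aborts the script.
mkdir -p "${NGINX_LOGDIR}" || failed "mkdir ${NGINX_LOGDIR}"
mkdir -p "${NGINX_RUNDIR}" || failed "mkdir ${NGINX_RUNDIR}"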


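# Install a systemd unit for the freshly built nginx. The file is only written
# when it does not exist yet, so local edits survive a re-run (and changes to
# this template are not applied to an existing unit).
# The pid/run directory comes from NGINX_RUNDIR so unit and build agree; the
# binary path follows configure's default prefix /usr/local/nginx.
# NOTE(review): the unit sets no sandboxing directives (ProtectSystem=,
# NoNewPrivileges=); verify compatibility with the master/worker setup before adding any.
SERVICE="cf-nginx"
SERVICE_FILE="/etc/systemd/system/${SERVICE}.service"
if [ ! -f "$SERVICE_FILE" ]; then
  # Unquoted delimiter: ${NGINX_RUNDIR} expands here, \$MAINPID stays literal for systemd.
  cat > "$SERVICE_FILE" << EOF || failed "write ${SERVICE_FILE}"
[Unit]
Description=The nginx HTTP and reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target

[Service]
PIDFile=${NGINX_RUNDIR}/nginx.pid
ExecStartPre=-/bin/mkdir ${NGINX_RUNDIR}
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP \$MAINPID
ExecStop=/bin/kill -s QUIT \$MAINPID
PrivateTmp=false
Restart=always

[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload || failed "systemctl daemon-reload"
  systemctl enable "$SERVICE" || failed "systemctl enable ${SERVICE}"
fi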


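# Restart the service unless DO_START (set at the top of the script) is not 1.
if [ "${DO_START:-0}" -eq 1 ]; then
  # printf instead of `echo -n`: under /bin/sh (dash) echo has no -n and prints it literally.
  printf '%s' "restarting cf-nginx... "
  systemctl stop "$SERVICE"
  sleep 2
  systemctl start "$SERVICE" || failed "systemctl start ${SERVICE}"
fi

echo "success"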

DocumentRoot ist per Default unter /usr/local/nginx/html/ zu finden.

Konfiguration

Damit die neuen Features TLS 1.3 und Brotli auch funktionieren, müssen diese konfiguriert werden.

Im Abschnitt "http":

    brotli on;
    brotli_static on;
    brotli_buffers 16 8k;
    brotli_comp_level 6;
    brotli_types *;

Im Abschnitt "server":

    ssl_protocols  TLSv1.2 TLSv1.3;
    ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
    ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:PSK-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;