Nginx Build Skript

Submitted by admin on So, 11.12.2016 - 11:50

Das folgende Skript baut einen Nginx Server aus dem Nginx GIT Source, erstellt einen systemd Service und startet den Nginx. Wichtig: Unbedingt die OpenSSL Version prüfen! Alte OpenSSL Versionen haben z.T. böse Securityprobleme.

#!/bin/sh


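#######################################
# Report a failed step and abort the whole script.
# Arguments: description of the step that failed (may be empty)
# Outputs:   "<description> failed" on stderr, so it is not mixed into
#            captured stdout of the build tools
# Returns:   never; exits with status 1
#######################################
failed() {
	printf '%s failed\n' "$*" >&2
	exit 1
}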


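# Build dependencies. RHEL-family hosts use dnf when present and fall back
# to yum; every other host is assumed to be Debian/Ubuntu-like (apt).
# A failed install is fatal here instead of surfacing later in configure.
if [ -f /etc/redhat-release ]; then
  if command -v dnf > /dev/null 2>&1; then
    YUM=dnf
  else
    YUM=yum
  fi
  "$YUM" -y install automake autoconf gcc-c++ make wget git pcre-devel zlib-devel GeoIP-devel || failed "$YUM install"
else
  apt -y install autotools-dev build-essential wget git-core libpcre3-dev zlib1g-dev libgeoip-dev || failed "apt install"
fi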

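# Locations and identities used by the build. Relative directories are
# resolved against the directory the script is started from.
readonly NGINX_DIR="nginx"             # nginx git checkout
readonly NGINX_LOGDIR="/var/log/nginx"  # access.log / error.log
readonly NGINX_RUNDIR="/var/run/nginx"  # pid and lock file
readonly NGINX_USER=nginx               # account passed to configure --user
readonly NGINX_GROUP=nginx              # group passed to configure --group

readonly OPENSSL_DIR="openssl"          # OpenSSL git checkout, linked into nginx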

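# First run: fetch OpenSSL. The shallow clone is kept commented out,
# presumably because the branch below is not reachable from it.
if [ ! -d "${OPENSSL_DIR}" ]; then
  #git clone --depth 10 https://github.com/openssl/openssl.git
  git clone https://github.com/openssl/openssl.git "${OPENSSL_DIR}" || failed "git clone openssl"
  # 04.04.2017: Draft 19 not supported by browsers :-/
  #             see https://mta.openssl.org/pipermail/openssl-dev/2017-March/009146.html
  # NOTE(review): this is a pre-standard TLS 1.3 draft branch, not a release,
  # and the later "git pull" takes whatever its HEAD is on build day. For a
  # production build prefer a released tag and verify it (git tag -v) first.
  cd "${OPENSSL_DIR}" || failed "cd ${OPENSSL_DIR}"
  git checkout tls1.3-draft-18 || failed "git checkout tls1.3-draft-18"
  cd .. || failed "cd .."
fi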

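# First run: fetch nginx. A shallow clone is enough; only HEAD is built.
# The clone must succeed, otherwise the later cd into it would fail anyway.
if [ ! -d "${NGINX_DIR}" ]; then
  git clone --depth 10 https://github.com/nginx/nginx.git || failed "git clone nginx"
fi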

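# Service account: system group and user, no login shell. Only the exit
# status of getent matters, so its output is discarded.
if ! getent group "$NGINX_GROUP" > /dev/null; then
  groupadd -r "$NGINX_GROUP" || failed "groupadd $NGINX_GROUP"
fi

if ! getent passwd "$NGINX_USER" > /dev/null; then
  useradd -r -g "$NGINX_GROUP" -s /bin/false "$NGINX_USER" || failed "useradd $NGINX_USER"
fi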

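# OpenSSL aktualisieren
# A failed pull is fatal: silently building a stale checkout would defeat
# the point of refreshing the TLS library before every build.
cd "${OPENSSL_DIR}" || failed "cd ${OPENSSL_DIR}"
git pull || failed "git pull openssl"
cd .. || failed "cd .."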

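# Nginx erstellen
# Resolve the OpenSSL checkout to an absolute path before leaving the source
# root; the previous hard-coded /usr/src/${OPENSSL_DIR} only worked when the
# script was started from /usr/src.
OPENSSL_SRC=$(cd "${OPENSSL_DIR}" && pwd) || failed "locating ${OPENSSL_DIR}"
cd "${NGINX_DIR}" || failed "cd ${NGINX_DIR}"
git pull || failed "git pull nginx"

# Static OpenSSL from the checkout above with TLS 1.3 enabled and weak
# ciphers compiled out; compiler flags add stack protector, FORTIFY_SOURCE,
# format-string errors and RELRO.
# TODO(review): -fPIE is compiled in but no -pie is passed at link time, so on
#   toolchains that do not default to PIE the binary is not position
#   independent; -z,relro without -z,now is only partial RELRO. Left as-is
#   because linking the bundled static OpenSSL as PIE was not verified here;
#   check the built binary before changing.
auto/configure \
  --with-openssl="${OPENSSL_SRC}" \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-file-aio \
  --with-threads \
  --with-http_realip_module \
  --with-http_geoip_module \
  --with-http_stub_status_module \
  "--http-log-path=${NGINX_LOGDIR}/access.log" \
  "--error-log-path=${NGINX_LOGDIR}/error.log" \
  "--pid-path=${NGINX_RUNDIR}/nginx.pid" \
  "--lock-path=${NGINX_RUNDIR}/nginx.lock" \
  --user="$NGINX_USER" \
  --group="$NGINX_GROUP" \
  --with-openssl-opt="enable-tls1_3 no-weak-ssl-ciphers" \
  --with-cc-opt="-g -O2 -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -DSSL_CTRL_SET_CURVES_LIST" \
  --with-ld-opt="-Wl,-Bsymbolic-functions -Wl,-z,relro" \
  || failed "configure"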

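# Parallel build: one job per CPU. nproc (coreutils) is tried first, the
# lscpu parse is the fallback; with no count at all make runs serially.
CORES=$(nproc 2>/dev/null) || CORES=$(LANG=C lscpu | grep "^CPU(s):" | awk '{print $2}')
THREADS=""
if [ -n "$CORES" ]; then
  THREADS="-j $CORES"
fi
# $THREADS is intentionally unquoted so "-j N" splits into two arguments.
make $THREADS || failed "make"

make install || failed "make install"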

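# Log and runtime directories must exist before the first start. -p also
# creates missing parents, which the plain mkdir used before did not.
for dir in "${NGINX_LOGDIR}" "${NGINX_RUNDIR}"; do
  if [ ! -d "$dir" ]; then
    mkdir -p "$dir" || failed "mkdir $dir"
  fi
done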

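SERVICE="cf-nginx"
SERVICE_FILE="/etc/systemd/system/${SERVICE}.service"
# The unit is only written when absent, so an existing (possibly locally
# edited) unit survives rebuilds. The here-doc is deliberately unquoted:
# ${NGINX_RUNDIR} expands now so the unit agrees with the --pid-path given to
# configure, while \$MAINPID stays literal for systemd. The "nginx -t"
# ExecStartPre refuses to start the service on a broken configuration.
if [ ! -f "$SERVICE_FILE" ]; then
  cat > "$SERVICE_FILE" << EOF || failed "writing $SERVICE_FILE"
[Unit]
Description=The nginx HTTP and reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
 
[Service]
PIDFile=${NGINX_RUNDIR}/nginx.pid
ExecStartPre=-/bin/mkdir ${NGINX_RUNDIR}
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP \$MAINPID
ExecStop=/bin/kill -s QUIT \$MAINPID
PrivateTmp=false
Restart=always

[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload || failed "systemctl daemon-reload"
  systemctl enable "$SERVICE" || failed "systemctl enable $SERVICE"
fi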


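# printf instead of "echo -n": under #!/bin/sh (e.g. dash) echo has no -n
# and would print the flag literally.
printf '%s' "restarting cf-nginx... "
# stop may fail on the very first run when the service is not running yet;
# that is not an error.
systemctl stop "$SERVICE"
sleep 2
systemctl start "$SERVICE" || failed "systemctl start $SERVICE"
echo "success"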

DocumentRoot ist per Default unter /usr/local/nginx/html/ zu finden.