#!/usr/bin/env bash
# -------------------------------------------------------------------------
# Nginx-ee - Automated Nginx compilation from source
# -------------------------------------------------------------------------
# Website: https://virtubox.net
# GitHub: https://github.com/VirtuBox/nginx-ee
# Copyright (c) 2019-2024 VirtuBox <contact@virtubox.net>
# This script is licensed under M.I.T
# -------------------------------------------------------------------------
# Version 3.8.1 - 2024-04-24
# -------------------------------------------------------------------------
##################################
# Check requirements
##################################

# Check if user is root
# `id -u` prints the effective UID; the rest of the script calls apt-get and
# writes under /etc and /usr/local/src directly, without sudo.
if [ "$(id -u)" != "0" ]; then
  echo "Error: You must be root or use sudo to run this script"
  exit 1
fi
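# Print the command-line usage summary on stdout.
# Lists every option the argument parser accepts except the internal
# --travis switch.
# Returns: 0 always.
_help() {
  printf '%s\n' \
    " -------------------------------------------------------------------- " \
    " Nginx-ee : automated Nginx compilation with additional modules " \
    " -------------------------------------------------------------------- " \
    "" \
    "Usage: ./nginx-ee <options> [modules]" \
    "By default, Nginx-ee will compile the latest Nginx mainline release without Naxsi or RTMP module" \
    " Options:" \
    " -h, --help ..... display this help" \
    " -i, --interactive ....... interactive installation" \
    " --mainline ..... Nginx mainline release (default)" \
    " --stable ..... Nginx stable release" \
    " --full ..... Nginx with Naxsi and RTMP module" \
    " --dynamic ..... Compile Nginx modules as dynamic" \
    " --noconf ..... Compile Nginx without any configuring. Useful when you use devops tools like ansible." \
    " --cron ..... Setup the nginx-ee auto-update cronjob" \
    " Modules:" \
    " --naxsi ..... Naxsi WAF module" \
    " --rtmp ..... RTMP video streaming module" \
    " --libressl ..... Compile Nginx with LibreSSL" \
    ""
  return 0
}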
##################################
# Use config.inc if available
##################################

# NOTE(review): config.inc is looked up relative to the current working
# directory and sourced with root privileges, i.e. it is executed as code.
# Run the script only from a directory that untrusted users cannot write to.
if [ -f ./config.inc ]; then

  . ./config.inc

else

  ##################################
  # Parse script arguments
  ##################################

  # Arguments that match no pattern are silently ignored.
  for cli_arg in "$@"; do
    case "$cli_arg" in
    --full)
      NAXSI="y"
      RTMP="y"
      ;;
    --noconf) NOCONF="y" ;;
    --naxsi) NAXSI="y" ;;
    --libressl) LIBRESSL="y" ;;
    --rtmp) RTMP="y" ;;
    --latest | --mainline) NGINX_RELEASE="1" ;;
    --stable) NGINX_RELEASE="2" ;;
    -i | --interactive) INTERACTIVE_SETUP="1" ;;
    --dynamic) DYNAMIC_MODULES="y" ;;
    --cron | --cronjob) CRON_SETUP="y" ;;
    --travis) TRAVIS_BUILD="1" ;;
    -h | --help)
      _help
      exit 1
      ;;
    *) ;;
    esac
  done
  # All positional parameters have been consumed.
  set --

fi

export DEBIAN_FRONTEND=noninteractive
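# Check whether a command is available.
# Arguments: $@ - command name(s), handed unchanged to `command -v`
# Returns:   the status of `command -v` (its output is discarded);
#            1 when called without any argument
command_exists() {
  # `command -v` without operands reports success, which would make an
  # accidental empty call look like "installed".
  [ "$#" -gt 0 ] || return 1
  command -v "$@" >/dev/null 2>&1
}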
# updating packages list
# Skipped entirely when TRAVIS_BUILD is set (--travis).
if [ -z "$TRAVIS_BUILD" ]; then
  if [ -f "/etc/apt/sources.list.d/nginx-ee.list" ]; then
    rm -f /etc/apt/sources.list.d/nginx-ee.list
  fi
  apt-get update -qq
fi

# check if required packages are installed
# Install output and errors are discarded, so a failed install only shows up
# later, when the missing tool is first used.
required_packages="curl tar jq"
for package in $required_packages; do
  command_exists "$package" || apt-get install "$package" -qq >/dev/null 2>&1
done

# Checking if lsb_release is installed
command_exists lsb_release || apt-get -qq install lsb-release >/dev/null 2>&1
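##################################
# Variables
##################################

DIR_SRC="/usr/local/src"

# Latest nginx-ee release tag from the GitHub API; in this file it is only
# echoed in the welcome banner.
NGINX_EE_VER=$(curl -m 5 --retry 3 -sL https://api.github.com/repos/VirtuBox/nginx-ee/releases/latest 2>&1 | jq -r '.tag_name')

# Version numbers are scraped from HTML download pages and later interpolated
# into download URLs and paths under $DIR_SRC. The grep pattern limits them to
# digits and dots; an empty result means the scrape failed.
NGINX_MAINLINE="$(curl -sL https://nginx.org/en/download.html 2>&1 |
  grep -E -o 'nginx\-[0-9.]+\.tar[.a-z]*' |
  awk -F "nginx-" '/.tar.gz$/ {print $2}' |
  sed -e 's|.tar.gz||g' |
  head -n 1 2>&1)"

# NOTE(review): the stable branch is hard-coded as "1.26"; once the download
# page no longer lists a 1.26 release in its first two entries this is empty.
NGINX_STABLE="$(curl -sL https://nginx.org/en/download.html 2>&1 |
  grep -E -o 'nginx\-[0-9.]+\.tar[.a-z]*' |
  awk -F "nginx-" '/.tar.gz$/ {print $2}' |
  sed -e 's|.tar.gz||g' |
  head -n 2 |
  grep 1.26 2>&1)"

# Version sort (-V) instead of a plain reverse sort: lexically "3.9.x" ranks
# above "3.10.x", which would select an older release as "latest".
LIBRESSL_VER="$(curl https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ 2>&1 |
  grep -E -o 'libressl\-[0-9.]+\.tar[.a-z]*' |
  awk -F "libressl-" '/.tar.gz$/ {print $2}' |
  sed -e 's|.tar.gz||g' |
  sort -rV |
  head -n 1)"

# First 15 characters of `openssl version`, shown in the compilation summary.
if command_exists openssl; then
  OPENSSL_BIN_VER=$(openssl version)
  OPENSSL_VER=${OPENSSL_BIN_VER:0:15}
else
  OPENSSL_VER="From system"
fi

# Cipher list that _final_tasks writes into ssl_ciphers on EasyEngine hosts.
TLS13_CIPHERS="TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES"

readonly OS_ARCH="$(uname -m)"
OS_DISTRO_FULL="$(lsb_release -ds)"
readonly DISTRO_ID="$(lsb_release -si)"

# Colors
CSI='\033['
CRED="${CSI}1;31m"
CGREEN="${CSI}1;32m"
CEND="${CSI}0m"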
##################################
# Initial check & cleanup
##################################

# clean previous install log
# NOTE(review): the log is a fixed, predictable path in /tmp that root
# truncates and appends to throughout the run. A root-owned log directory or
# a mktemp-created file would not depend on the kernel's /tmp link
# protections; the path is referenced by every step, so it has to be changed
# everywhere at once.
echo "" >/tmp/nginx-ee.log

# detect Plesk
if [ -d /etc/psa ]; then
  PLESK_VALID="YES"
fi

# detect easyengine
if [ -f /var/lib/ee/ee.db ]; then
  EE_VALID="YES"
fi

# detect WordOps (reported as such in the compilation summary)
if [ -f /var/lib/wo/dbase.db ]; then
  WO_VALID="YES"
fi

# no nginx binary in PATH: flag this run as a from-scratch installation
if [ -z "$(command -v nginx)" ]; then
  NGINX_FROM_SCRATCH="1"
fi
##################################
# Installation menu
##################################

echo ""
echo "Welcome to the nginx-ee bash script ${NGINX_EE_VER}"
echo ""

# interactive
# Each question is repeated until its variable holds an accepted answer. A
# variable that already has an accepted value (for example from a
# command-line flag) is not prompted for.
if [[ "$INTERACTIVE_SETUP" == "1" ]]; then
  clear
  echo ""
  echo "Do you want to compile the latest Nginx [1] Mainline v${NGINX_MAINLINE} or [2] Stable v${NGINX_STABLE} Release ?"
  until [[ "$NGINX_RELEASE" == "1" || "$NGINX_RELEASE" == "2" ]]; do
    echo -e "Select an option [1-2]: "
    read -r NGINX_RELEASE
  done

  echo -e '\nDo you prefer to compile Nginx with OpenSSL [1] or LibreSSL [2] ? (y/n)'
  echo -e ' [1] OpenSSL'
  echo -e ' [2] LibreSSL\n'
  until [[ "$SSL_LIB_CHOICE" == "1" || "$SSL_LIB_CHOICE" == "2" ]]; do
    echo -e "Select an option [1-2]: "
    read -r SSL_LIB_CHOICE
  done
  if [[ "$SSL_LIB_CHOICE" == "2" ]]; then
    LIBRESSL="y"
  fi

  echo -e '\nDo you want NAXSI WAF (still experimental)? (y/n)'
  until [[ "$NAXSI" == "y" || "$NAXSI" == "n" ]]; do
    echo -e "Select an option [y/n]: "
    read -r NAXSI
  done

  echo -e '\nDo you want RTMP streaming module (used for video streaming) ? (y/n)'
  until [[ "$RTMP" == "y" || "$RTMP" == "n" ]]; do
    echo -e "Select an option [y/n]: "
    read -r RTMP
  done

  echo -e '\nDo you want to build modules as dynamic modules? (y/n)'
  until [[ "$DYNAMIC_MODULES" == "y" || "$DYNAMIC_MODULES" == "n" ]]; do
    echo -e "Select an option [y/n]: "
    read -r DYNAMIC_MODULES
  done

  echo -e '\nDo you want to setup nginx-ee auto-update cronjob ? (y/n)'
  until [[ "$CRON_SETUP" == "y" || "$CRON_SETUP" == "n" ]]; do
    echo -e "Select an option [y/n]: "
    read -r CRON_SETUP
  done
  echo ""
fi
##################################
# Set nginx release and HPACK
##################################

# Release "2" selects the stable version; any other value, including unset,
# selects mainline.
case "$NGINX_RELEASE" in
2) NGINX_VER="$NGINX_STABLE" ;;
*) NGINX_VER="$NGINX_MAINLINE" ;;
esac
# The HTTP/3 module is requested for both release channels.
NGX_QUIC="--with-http_v3_module"
##################################
# Set RTMP module
##################################

# Defaults describe "module not requested"; overridden only for RTMP=y.
NGX_RTMP=""
RTMP_VALID="NO"
if [ "$RTMP" = "y" ]; then
  # trailing space is part of the value
  NGX_RTMP="--add-module=../nginx-rtmp-module "
  RTMP_VALID="YES"
fi
##################################
# Set Naxsi module
##################################

# Defaults describe "module not requested"; overridden only for NAXSI=y.
NGX_NAXSI=""
NAXSI_VALID="NO"
if [ "$NAXSI" = "y" ]; then
  # trailing space is part of the value
  NGX_NAXSI="--add-module=../naxsi/naxsi_src "
  NAXSI_VALID="YES"
fi
##################################
# Set OPENSSL/LIBRESSL lib
##################################

if [ "$LIBRESSL" = "y" ]; then
  # Build against the LibreSSL tree unpacked next to the nginx sources.
  # LIBSSL_DEV is left untouched on this path.
  NGX_SSL_LIB="--with-openssl=../libressl"
  QUIC_VALID="YES"
  LIBRESSL_VALID="YES"
  OPENSSL_OPT=""
else
  # System OpenSSL: no --with-openssl, libssl-dev is installed instead.
  # OPENSSL_OPT is assigned on x86_64 only.
  case "$OS_ARCH" in
  x86_64)
    case "$DISTRO_ID" in
    Ubuntu) OPENSSL_OPT="enable-ec_nistp_64_gcc_128 enable-tls1_3 no-ssl3-method -march=native -ljemalloc" ;;
    *) OPENSSL_OPT="enable-tls1_3" ;;
    esac
    ;;
  esac
  NGX_SSL_LIB=""
  OPENSSL_VALID="from system"
  LIBSSL_DEV="libssl-dev"
fi
##################################
# Set Plesk configuration
##################################

# On Plesk hosts nginx is configured to run as nginx:nginx; elsewhere no
# --user/--group option is passed to configure.
NGX_USER=""
if [ "$PLESK_VALID" = "YES" ]; then
  NGX_USER="--user=nginx --group=nginx"
fi

# Human-readable form of the dynamic-modules choice for the summary.
DYNAMIC_MODULES_VALID="NO"
if [ "$DYNAMIC_MODULES" = "y" ]; then
  DYNAMIC_MODULES_VALID="YES"
fi
##################################
# Display Compilation Summary
##################################

echo ""
echo -e "${CGREEN}##################################${CEND}"
echo " Compilation summary "
echo -e "${CGREEN}##################################${CEND}"
echo ""
echo " Detected OS : $OS_DISTRO_FULL"
echo " Detected Arch : $OS_ARCH"
echo ""
echo -e " - Nginx release : $NGINX_VER"

# TLS library lines: shown for whichever *_VALID flag is set.
if [ -n "$OPENSSL_VALID" ]; then
  echo -e " - OPENSSL : $OPENSSL_VER"
  echo -e " - with HTTP/3 : YES"
fi
if [ -n "$LIBRESSL_VALID" ]; then
  echo -e " - LIBRESSL : $LIBRESSL_VALID"
  echo -e " - HTTP/3 QUIC : YES"
fi

echo " - Dynamic modules $DYNAMIC_MODULES_VALID"
echo " - Naxsi : $NAXSI_VALID"
echo " - RTMP : $RTMP_VALID"

# Control-panel lines: shown only for panels detected earlier.
if [ -n "$EE_VALID" ]; then
  echo " - EasyEngine : $EE_VALID"
fi
if [ -n "$WO_VALID" ]; then
  echo " - WordOps : $WO_VALID"
fi
if [ -n "$PLESK_VALID" ]; then
  echo " - Plesk : $PLESK_VALID"
fi
echo ""
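##################################
# Install dependencies
##################################

# Fetch a GitHub repository into /usr/local/src/<name> as a background job.
# An existing git checkout is updated with `git pull`; anything else found at
# that path is deleted and replaced by a shallow clone.
# Arguments: $1 - repository as "owner/name"
# Returns:   1 (nothing started, nothing deleted) when $1 yields no usable
#            directory name; otherwise the status of launching the job.
#            The caller has to `wait` for the job.
_gitget() {
  local REPO="$1"
  local repodir

  # The directory name is the second "/"-separated field of $1.
  case "$REPO" in
  */*)
    repodir=${REPO#*/}
    repodir=${repodir%%/*}
    ;;
  *) repodir="" ;;
  esac

  # Guard the rm -rf below: with an empty name the path would be
  # /usr/local/src/ itself.
  case "$repodir" in
  "" | . | ..)
    echo "_gitget: invalid repository '$REPO'" >&2
    return 1
    ;;
  esac

  if [ -d "/usr/local/src/${repodir}/.git" ]; then
    git -C "/usr/local/src/${repodir}" pull &
  else
    if [ -d "/usr/local/src/${repodir}" ]; then
      rm -rf "/usr/local/src/${repodir:?}"
    fi
    # NOTE(review): the default branch head is cloned; no commit or tag is pinned.
    git clone --depth 1 "https://github.com/${REPO}.git" "/usr/local/src/${repodir}" &
  fi
}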
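# Install the build toolchain and the -dev libraries with apt-get.
# Globals:  LIBSSL_DEV (read) - extra package, set only when nginx is built
#           against the system OpenSSL
# Outputs:  progress line on stdout; apt output appended to /tmp/nginx-ee.log
# Exits the script with status 1 when apt-get fails.
_install_dependencies() {
  echo -ne ' Installing dependencies [..]\r'
  if {
    # wget is listed because later steps download files with it and nothing
    # else in the script installs it.
    # ${LIBSSL_DEV:+...} drops the argument when the variable is empty (the
    # LibreSSL path), instead of handing apt-get an empty-string package name.
    apt-get -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confold" -y install \
      git build-essential libtool automake autoconf \
      libgd-dev dpkg-dev libgeoip-dev libjemalloc-dev \
      libbz2-1.0 libreadline-dev libbz2-dev libbz2-ocaml libbz2-ocaml-dev software-properties-common tar \
      libgoogle-perftools-dev perl libperl-dev libpam0g-dev libbsd-dev gnupg gnupg2 \
      libgmp-dev autotools-dev libxml2-dev libpcre3-dev uuid-dev libbrotli-dev libpcre2-dev wget \
      ${LIBSSL_DEV:+"$LIBSSL_DEV"}
  } >>/tmp/nginx-ee.log 2>&1; then
    echo -ne " Installing dependencies [${CGREEN}OK${CEND}]\\r"
    echo -ne '\n'
  else
    echo -e " Installing dependencies [${CRED}FAIL${CEND}]"
    echo -e '\n Please look at /tmp/nginx-ee.log\n'
    exit 1
  fi
}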
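##################################
# Setup Nginx from scratch
##################################

# Prepare a host that has no nginx yet: configuration tree, runtime
# directories, default site, systemd unit and logrotate rule.
# Outputs: progress line on stdout; command output in /tmp/nginx-ee.log
# Exits the script with status 1 when the step group fails. The group's
# status is that of its last command (the logrotate download), so earlier
# failures are only visible in the log.
_nginx_from_scratch_setup() {

  echo -ne ' Setting Up Nginx configurations [..]\r'
  if {
    # clone custom nginx configuration
    if [ ! -d /etc/nginx ]; then
      git clone --depth 50 https://github.com/VirtuBox/nginx-config.git /etc/nginx >>/tmp/nginx-ee.log 2>&1
    fi

    # create nginx temp directory
    mkdir -p /var/lib/nginx/{body,fastcgi,proxy,scgi,uwsgi}
    # create nginx cache directory
    if [ ! -d /var/cache/nginx ]; then
      mkdir -p /var/cache/nginx
    fi
    if [ ! -d /var/run/nginx-cache ]; then
      mkdir -p /var/run/nginx-cache
    fi
    if [ ! -d /var/log/nginx ]; then
      mkdir -p /var/log/nginx
      # 750, not 640: a directory needs the search (x) bit, otherwise its
      # owner and the adm group cannot reach the log files inside it.
      chmod 750 /var/log/nginx
      chown -R www-data:adm /var/log/nginx
    fi

    # set proper permissions
    chown -R www-data:root /var/lib/nginx /var/cache/nginx /var/run/nginx-cache

    # create websites directory
    if [ ! -d /var/www/html ]; then
      mkdir -p /var/www/html
    fi

    # NOTE(review): the files below, including a systemd unit that is enabled
    # right away, come from the head of the master branch and are installed as
    # root without a checksum. Pinning the URLs to a release tag or commit and
    # verifying the content would make this step reproducible.
    {
      # download default nginx page
      wget -O /var/www/html/index.nginx-debian.html https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/var/www/html/index.nginx-debian.html
      mkdir -p /etc/nginx/sites-enabled
      ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/
      # download nginx systemd service
      if [ ! -f /lib/systemd/system/nginx.service ]; then
        wget -O /lib/systemd/system/nginx.service https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/etc/systemd/system/nginx.service
        systemctl enable nginx.service
      fi

      # download logrotate configuration
      wget -O /etc/logrotate.d/nginx https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/etc/logrotate.d/nginx

    } >>/tmp/nginx-ee.log 2>&1

  }; then
    echo -ne " Setting Up Nginx configurations [${CGREEN}OK${CEND}]\\r"
    echo -ne '\n'
  else
    echo -e " Setting Up Nginx configurations [${CRED}FAIL${CEND}]"
    echo -e '\n Please look at /tmp/nginx-ee.log\n'
    exit 1
  fi

}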
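##################################
# Dynamic modules
##################################

# Regenerate the load_module snippets for every file in
# /usr/share/nginx/modules: one <name>.load file in modules.available.d and a
# symlink to it in modules.conf.d. Does nothing when the modules directory is
# absent.
_dynamic_setup() {
  local module_path module

  if [ -d /usr/share/nginx/modules ]; then
    rm -rf /usr/share/nginx/modules/*.old
    mkdir -p /etc/nginx/{modules.available.d,modules.conf.d}
    rm -rf /etc/nginx/modules.conf.d/*
    # Iterate over the glob directly instead of word-splitting `basename`
    # output: names are kept intact, and an empty directory no longer yields
    # a bogus "*" entry.
    for module_path in /usr/share/nginx/modules/*; do
      [ -e "$module_path" ] || continue
      module=${module_path##*/}
      echo "load_module /usr/share/nginx/modules/${module};" >"/etc/nginx/modules.available.d/${module%.so}.load"
      ln -s "/etc/nginx/modules.available.d/${module%.so}.load" "/etc/nginx/modules.conf.d/${module%.so}.conf"
    done
  fi
}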
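##################################
# Install gcc
##################################

# Install gcc and g++ with apt-get.
# Outputs: progress line on stdout; apt output appended to /tmp/nginx-ee.log
#          (it used to go to /dev/null although the failure message sends the
#          user to that log).
# Exits the script with status 1 when apt-get fails.
_gcc_setup() {
  echo -ne ' Installing gcc [..]\r'
  if {
    echo "### installing gcc ###"
    apt-get install gcc g++ -y
  } >>/tmp/nginx-ee.log 2>&1; then
    echo -ne " Installing gcc [${CGREEN}OK${CEND}]\\r"
    echo -ne '\n'
  else
    echo -e " Installing gcc [${CRED}FAIL${CEND}]"
    echo -e '\n Please look at /tmp/nginx-ee.log\n'
    exit 1
  fi
}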
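##################################
# Install ffmpeg for rtmp module
##################################

# Install ffmpeg with apt-get (only called when the RTMP module is requested).
# Outputs: progress line on stdout; apt output appended to /tmp/nginx-ee.log
#          (it used to go to /dev/null although the failure message sends the
#          user to that log).
# Exits the script with status 1 when apt-get fails.
_rtmp_setup() {
  echo -ne ' Installing FFMPEG for RTMP module [..]\r'
  if {
    echo "### installing ffmpeg ###"
    apt-get install ffmpeg -y
  } >>/tmp/nginx-ee.log 2>&1; then
    # "RTMP" spelled as in the progress line above, so the \r rewrite matches.
    echo -ne " Installing FFMPEG for RTMP module [${CGREEN}OK${CEND}]\\r"
    echo -ne '\n'
  else
    echo -e " Installing FFMPEG for RTMP module [${CRED}FAIL${CEND}]"
    echo -e '\n Please look at /tmp/nginx-ee.log\n'
    exit 1
  fi
}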
##################################
# Cleanup modules
##################################

# Delete leftovers of earlier builds from /usr/local/src and leave the shell
# in $DIR_SRC. Exits the script when that directory cannot be entered.
_cleanup_modules() {

  cd "$DIR_SRC" || exit 1
  # Same paths, in the same order, as the original brace list.
  rm -rf \
    /usr/local/src/*.tar.gz \
    /usr/local/src/nginx \
    /usr/local/src/nginx-1.* \
    /usr/local/src/pcre \
    /usr/local/src/zlib \
    /usr/local/src/incubator-pagespeed-* \
    /usr/local/src/build_ngx_pagespeed.sh \
    /usr/local/src/install \
    /usr/local/src/ngx_http_redis \
    /usr/local/src/naxsi

}
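##################################
# Download additional modules
##################################

# Fetch all third-party module sources in parallel, then check that every
# expected checkout exists.
# Globals:  MODULES, MODULE (written), RTMP, DIR_SRC (read)
# Outputs:  progress line on stdout; git output appended to /tmp/nginx-ee.log
# Exits the script with status 1 when a module directory is missing.
# The rtmp and ipscrub clones use a relative target, so the working
# directory is expected to be $DIR_SRC (the script calls _cleanup_modules
# first, which changes into it).
_download_modules() {
  local missing=0
  local expected_dir

  echo -ne ' Downloading additionals modules [..]\r'
  if {
    echo "### downloading additionals modules ###"
    MODULES='openresty/memc-nginx-module
      simpl/ngx_devel_kit openresty/headers-more-nginx-module
      openresty/echo-nginx-module yaoweibin/ngx_http_substitutions_filter_module
      openresty/redis2-nginx-module openresty/srcache-nginx-module
      openresty/set-misc-nginx-module sto/ngx_http_auth_pam_module
      vozlt/nginx-module-vts centminmod/ngx_http_redis nginx-modules/ngx_cache_purge'
    for MODULE in $MODULES; do
      _gitget "$MODULE"
    done

    if [ "$RTMP" = "y" ]; then
      if [ -d "$DIR_SRC/nginx-rtmp-module" ]; then
        git -C "$DIR_SRC/nginx-rtmp-module" pull &
      else
        git clone --depth=1 https://github.com/arut/nginx-rtmp-module.git &
      fi
    fi

    # ipscrub module
    if [ -d "$DIR_SRC/ipscrubtmp" ]; then
      git -C "$DIR_SRC/ipscrubtmp" pull origin master &
    else
      git clone --depth=1 https://github.com/masonicboom/ipscrub.git ipscrubtmp &
    fi

    # A bare `wait` returns 0 whatever the background jobs did, so the result
    # is checked through the directories the jobs were supposed to create.
    # A failed `git pull` on an existing checkout is still tolerated.
    wait
    for MODULE in $MODULES; do
      expected_dir="$DIR_SRC/${MODULE#*/}"
      if [ ! -d "$expected_dir" ]; then
        echo "### missing module source: $expected_dir ###"
        missing=1
      fi
    done
    if [ "$RTMP" = "y" ] && [ ! -d "$DIR_SRC/nginx-rtmp-module" ]; then
      echo "### missing module source: $DIR_SRC/nginx-rtmp-module ###"
      missing=1
    fi
    if [ ! -d "$DIR_SRC/ipscrubtmp" ]; then
      echo "### missing module source: $DIR_SRC/ipscrubtmp ###"
      missing=1
    fi
    echo "### additionals modules downloaded ###"
    [ "$missing" -eq 0 ]
  } >>/tmp/nginx-ee.log 2>&1; then
    echo -ne " Downloading additionals modules [${CGREEN}OK${CEND}]\\r"
    echo -ne '\n'
  else
    echo -e " Downloading additionals modules [${CRED}FAIL${CEND}]"
    echo -e '\n Please look at /tmp/nginx-ee.log\n'
    exit 1
  fi

}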
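##################################
# Download zlib
##################################

# Provide the zlib sources nginx is built against: the Cloudflare fork
# (configured in /usr/local/src/zlib-cf) on x86_64, the upstream tarball
# (unpacked to $DIR_SRC/zlib) on other architectures.
# Outputs: progress line on stdout; command output in /tmp/nginx-ee.log
# Exits the script with status 1 on failure.
_download_zlib() {

  echo -ne ' Downloading zlib [..]\r'

  if {
    cd "$DIR_SRC" || exit 1
    if [ "$OS_ARCH" = 'x86_64' ]; then
      if [ -d /usr/local/src/zlib-cf ]; then
        echo "### git pull zlib-cf ###"
        # -C (run in that directory); the previous lowercase -c is git's
        # "name=value" config option and made this call fail every time.
        git -C /usr/local/src/zlib-cf pull
      else
        echo "### cloning zlib-cf ###"
        git clone --depth=1 https://github.com/cloudflare/zlib.git -b gcc.amd64 /usr/local/src/zlib-cf
      fi
      cd /usr/local/src/zlib-cf || exit 1
      echo "### make distclean ###"
      make -f Makefile.in distclean
      echo "### configure zlib-cf ###"
      ./configure --prefix=/usr/local/zlib-cf
    else
      echo "### downloading zlib latest ###"
      rm -rf zlib
      # Fetched over HTTPS, and -f makes an HTTP error fail the step instead
      # of feeding an error page to tar.
      # --strip-components=1 unpacks into "zlib" whatever version the
      # "current" tarball contains, replacing the hard-coded zlib-1.2.13 rename.
      # NOTE(review): the tarball is still not checked against a published
      # checksum or signature before it is compiled as root.
      mkdir -p "$DIR_SRC/zlib" &&
        curl -fsSL https://zlib.net/current/zlib.tar.gz |
        /bin/tar zxf - -C "$DIR_SRC/zlib" --strip-components=1
    fi

  } >>/tmp/nginx-ee.log 2>&1; then
    echo -ne " Downloading zlib [${CGREEN}OK${CEND}]\\r"
    echo -ne '\n'
  else
    echo -e " Downloading zlib [${CRED}FAIL${CEND}]"
    echo -e '\n Please look at /tmp/nginx-ee.log\n'
    exit 1
  fi

}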
##################################
# Download ngx_broti
##################################

# Replace /usr/local/src/ngx_brotli with a fresh recursive shallow clone and
# initialise its submodules. Leaves the shell inside the checkout.
# Outputs: progress line on stdout; git output appended to /tmp/nginx-ee.log
# Exits the script with status 1 when the last git command fails.
_download_brotli() {

  cd "$DIR_SRC" || exit 1
  echo -ne ' Downloading brotli [..]\r'
  if {
    rm -rf /usr/local/src/ngx_brotli
    # NOTE(review): default branch head, no commit pinned.
    git clone --recursive --depth=1 https://github.com/google/ngx_brotli /usr/local/src/ngx_brotli -q
    cd /usr/local/src/ngx_brotli || exit 1
    git submodule update --init
  } >>/tmp/nginx-ee.log 2>&1; then
    echo -ne " Downloading brotli [${CGREEN}OK${CEND}]\\r"
    echo -ne '\n'
  else
    echo -e " Downloading brotli [${CRED}FAIL${CEND}]"
    echo -e '\n Please look at /tmp/nginx-ee.log\n'
    exit 1
  fi

}
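##################################
# Download LibreSSL
##################################

# Download the LibreSSL release named by LIBRESSL_VER and unpack it to
# /usr/local/src/libressl.
# Globals:  LIBRESSL_VER, DIR_SRC (read)
# Outputs:  progress line on stdout; command output in /tmp/nginx-ee.log
# Exits the script with status 1 on failure, including an empty version.
_download_libressl() {

  cd "$DIR_SRC" || exit 1
  echo -ne ' Downloading LibreSSL [..]\r'
  if {
    if [ -z "$LIBRESSL_VER" ]; then
      # The version is scraped from a web page; empty means the scrape failed.
      echo "### LibreSSL version could not be detected ###"
      false
    else
      rm -rf /usr/local/src/libressl
      # HTTPS instead of plain HTTP for the TLS library sources, and -f so an
      # HTTP error fails the step.
      # NOTE(review): the tarball is not verified against the project's
      # published checksums or signature before it is compiled as root.
      curl -fsSL "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-$LIBRESSL_VER.tar.gz" |
        /bin/tar xzf - -C "$DIR_SRC" &&
        mv "/usr/local/src/libressl-$LIBRESSL_VER" /usr/local/src/libressl
    fi
  } >>/tmp/nginx-ee.log 2>&1; then
    echo -ne " Downloading LibreSSL [${CGREEN}OK${CEND}]\\r"
    echo -ne '\n'
  else
    echo -e " Downloading LibreSSL [${CRED}FAIL${CEND}]"
    echo -e '\n Please look at /tmp/nginx-ee.log\n'
    exit 1
  fi

}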
##################################
# Download Naxsi
##################################

# Clone the Naxsi WAF sources to /usr/local/src/naxsi and, unless NOCONF=y,
# copy its core rule set to /etc/nginx/naxsi_core.rules.
# Outputs: progress line on stdout; command output in /tmp/nginx-ee.log
# Exits the script with status 1 when the step group fails; with NOCONF=y the
# group ends on the skipped copy, so a failed clone is not reported here.
_download_naxsi() {

  cd "$DIR_SRC" || exit 1
  echo -ne ' Downloading naxsi [..]\r'
  if {
    # NOTE(review): default branch head, no release tag or commit pinned.
    git clone --depth=50 --recurse-submodules https://github.com/wargio/naxsi.git /usr/local/src/naxsi -q

    if [ "$NOCONF" != "y" ]; then
      cp -f /usr/local/src/naxsi/naxsi_rules/naxsi_core.rules /etc/nginx/naxsi_core.rules
    fi
  } >>/tmp/nginx-ee.log 2>&1; then
    echo -ne " Downloading naxsi [${CGREEN}OK${CEND}]\\r"
    echo -ne '\n'
  else
    echo -e " Downloading naxsi [${CRED}FAIL${CEND}]"
    echo -e '\n Please look at /tmp/nginx-ee.log\n'
    exit 1
  fi

}
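##################################
# Download Nginx
##################################

# Download the nginx release named by NGINX_VER and unpack it to
# /usr/local/src/nginx.
# Globals:  NGINX_VER, DIR_SRC (read)
# Outputs:  progress line on stdout; command output in /tmp/nginx-ee.log
# Exits the script with status 1 on failure, including an empty version.
_download_nginx() {

  cd "$DIR_SRC" || exit 1
  echo -ne ' Downloading nginx [..]\r'
  if {
    if [ -z "$NGINX_VER" ]; then
      # The version is scraped from the download page; empty means the scrape
      # (or the hard-coded stable-branch filter) found nothing.
      echo "### nginx version could not be detected ###"
      false
    else
      rm -rf /usr/local/src/nginx
      # HTTPS instead of plain HTTP for the server sources, and -f so an HTTP
      # error fails the step.
      # NOTE(review): the tarball is not verified against the PGP signature
      # published next to it before it is compiled as root.
      curl -fsSL "https://nginx.org/download/nginx-${NGINX_VER}.tar.gz" |
        /bin/tar xzf - -C "$DIR_SRC" &&
        mv "/usr/local/src/nginx-${NGINX_VER}" /usr/local/src/nginx
    fi
  } >>/tmp/nginx-ee.log 2>&1; then
    echo -ne " Downloading nginx [${CGREEN}OK${CEND}]\\r"
    echo -ne '\n'
  else
    echo -e " Downloading nginx [${CRED}FAIL${CEND}]"
    echo -e '\n Please look at /tmp/nginx-ee.log\n'
    exit 1
  fi

}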
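##################################
# Apply Nginx patches
##################################

# Apply the dynamic TLS records patch to the nginx source tree.
# Leaves the shell in /usr/local/src/nginx.
# Outputs: progress line on stdout; command output in /tmp/nginx-ee.log
# Exits the script with status 1 when the download or the patch fails.
_patch_nginx() {
  local patch_file=""
  local patch_status

  cd /usr/local/src/nginx || exit 1
  echo -ne ' Applying nginx patches [..]\r'
  if {
    # Download to a file first and apply only a complete download: with
    # `curl | patch` the step's status was patch's alone, and the content
    # went straight from the network into the source tree.
    # NOTE(review): the patch tracks the master branch of a third-party
    # repository and changes the web server's source. Pinning the URL to a
    # commit and checking a known checksum would fix what gets compiled.
    patch_file=$(mktemp) &&
      curl -fsSL https://raw.githubusercontent.com/kn007/patch/master/nginx_dynamic_tls_records.patch -o "$patch_file" &&
      patch -p1 <"$patch_file"
    patch_status=$?
    if [ -n "$patch_file" ]; then
      rm -f -- "$patch_file"
    fi
    [ "$patch_status" -eq 0 ]
  } >>/tmp/nginx-ee.log 2>&1; then
    echo -ne " Applying nginx patches [${CGREEN}OK${CEND}]\\r"
    echo -ne '\n'
  else
    echo -e " Applying nginx patches [${CRED}FAIL${CEND}]"
    echo -e '\n Please look at /tmp/nginx-ee.log\n'
    exit 1
  fi

}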
##################################
# Configure Nginx
##################################

# Assemble the ./configure command line and run it in the current directory.
# Globals:  NGINX_BUILD_OPTIONS, NGINX_INCLUDED_MODULES, NGINX_THIRD_MODULES,
#           ZLIB_PATH (written); OVERRIDE_NGINX_MODULES,
#           OVERRIDE_NGINX_ADDITIONAL_MODULES, DYNAMIC_MODULES, OS_ARCH,
#           DISTRO_ID, NGX_NAXSI, NGX_USER, NGX_QUIC, NGX_RTMP, NGX_SSL_LIB,
#           OPENSSL_OPT (read)
# Outputs:  progress line on stdout; configure output in /tmp/nginx-ee.log
# Exits the script with status 1 when configure fails.
_configure_nginx() {
  local DEB_CFLAGS
  local DEB_LFLAGS

  # Distribution defaults; replaced below on x86_64 Ubuntu.
  DEB_CFLAGS="$(dpkg-buildflags --get CPPFLAGS) -Wno-error=date-time"
  DEB_LFLAGS="$(dpkg-buildflags --get LDFLAGS)"

  echo -ne ' Configuring nginx build [..]\r'

  # main configuration
  NGINX_BUILD_OPTIONS="--prefix=/usr/share \
    --conf-path=/etc/nginx/nginx.conf \
    --http-log-path=/var/log/nginx/access.log \
    --error-log-path=/var/log/nginx/error.log \
    --lock-path=/var/lock/nginx.lock \
    --pid-path=/var/run/nginx.pid \
    --http-client-body-temp-path=/var/lib/nginx/body \
    --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
    --http-proxy-temp-path=/var/lib/nginx/proxy \
    --http-scgi-temp-path=/var/lib/nginx/scgi \
    --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
    --modules-path=/usr/share/nginx/modules"

  # built-in modules (OVERRIDE_NGINX_MODULES replaces the whole list)
  if [ -n "$OVERRIDE_NGINX_MODULES" ]; then
    NGINX_INCLUDED_MODULES="$OVERRIDE_NGINX_MODULES"
  else
    NGINX_INCLUDED_MODULES="--with-http_stub_status_module \
      --with-http_realip_module \
      --with-http_auth_request_module \
      --with-http_addition_module \
      --with-http_gzip_static_module \
      --with-http_gunzip_module \
      --with-http_mp4_module \
      --with-http_sub_module"
  fi

  # third party modules (OVERRIDE_NGINX_ADDITIONAL_MODULES replaces the list)
  if [ -n "$OVERRIDE_NGINX_ADDITIONAL_MODULES" ]; then
    NGINX_THIRD_MODULES="$OVERRIDE_NGINX_ADDITIONAL_MODULES"
  elif [ "$DYNAMIC_MODULES" = "y" ]; then
    NGINX_THIRD_MODULES="--with-compat \
      --add-module=../ngx_http_substitutions_filter_module \
      --add-dynamic-module=../srcache-nginx-module \
      --add-dynamic-module=../redis2-nginx-module \
      --add-dynamic-module=../memc-nginx-module \
      --add-module=../ngx_devel_kit \
      --add-module=../ngx_http_redis \
      --add-module=../set-misc-nginx-module \
      --add-dynamic-module=../ngx_http_auth_pam_module \
      --add-module=../nginx-module-vts \
      --add-dynamic-module=../ipscrubtmp/ipscrub"
  else
    NGINX_THIRD_MODULES="--add-module=../ngx_http_substitutions_filter_module \
      --add-module=../srcache-nginx-module \
      --add-module=../redis2-nginx-module \
      --add-module=../ngx_http_redis \
      --add-module=../memc-nginx-module \
      --add-module=../ngx_devel_kit \
      --add-module=../set-misc-nginx-module \
      --add-module=../ngx_http_auth_pam_module \
      --add-module=../nginx-module-vts \
      --add-module=../ipscrubtmp/ipscrub"
  fi

  # zlib tree: the Cloudflare fork on x86_64, upstream zlib elsewhere.
  ZLIB_PATH='../zlib'
  if [ "$OS_ARCH" = 'x86_64' ]; then
    ZLIB_PATH='../zlib-cf'
    if [ "$DISTRO_ID" = "Ubuntu" ]; then
      # Hand-written flags replace the dpkg-buildflags defaults. They keep
      # stack protector, _FORTIFY_SOURCE=2, RELRO and BIND_NOW;
      # -march=native ties the binary to the CPU of the build host.
      DEB_CFLAGS='-m64 -march=native -mtune=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -ffat-lto-objects -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf'
      DEB_LFLAGS='-lrt -ljemalloc -Wl,-z,relro -Wl,-z,now -fPIC -flto -ffat-lto-objects'
    fi
  fi

  # NOTE(review): the command line is assembled as one string and parsed
  # again by `bash -c`, so every interpolated value, including the OVERRIDE_*
  # settings, is interpreted as shell syntax. A value containing a single
  # quote or shell metacharacters changes the command that runs as root.
  if bash -c "./configure \
    ${NGX_NAXSI} \
    --with-cc-opt='$DEB_CFLAGS' \
    --with-ld-opt='$DEB_LFLAGS' \
    $NGINX_BUILD_OPTIONS \
    --build='VirtuBox Nginx-ee' \
    $NGX_USER \
    --with-file-aio \
    --with-threads \
    $NGX_QUIC \
    --with-http_v2_module \
    --with-http_ssl_module \
    --with-pcre-jit \
    $NGINX_INCLUDED_MODULES \
    $NGINX_THIRD_MODULES \
    $NGX_RTMP \
    --add-module=../echo-nginx-module \
    --add-module=../headers-more-nginx-module \
    --add-module=../ngx_cache_purge \
    --add-module=../ngx_brotli \
    --with-zlib=$ZLIB_PATH \
    $NGX_SSL_LIB \
    --with-openssl-opt='$OPENSSL_OPT' \
    --sbin-path=/usr/sbin/nginx >> /tmp/nginx-ee.log 2>&1;"; then
    echo -ne " Configuring nginx build [${CGREEN}OK${CEND}]\\r"
    echo -ne '\n'
  else
    echo -e " Configuring nginx build [${CRED}FAIL${CEND}]"
    echo -e '\n Please look at /tmp/nginx-ee.log\n'
    exit 1
  fi

}
##################################
# Compile Nginx
##################################

# Build, strip and install nginx. The function does not change directory
# itself: `make` runs wherever the shell currently is.
# Outputs: progress line on stdout; build output in /tmp/nginx-ee.log
# Exits the script with status 1 when `make install`, the last command of the
# group, fails.
_compile_nginx() {
  echo -ne ' Compiling nginx [..]\r'
  if {
    # compile Nginx
    make -j "$(nproc)"
    # Strip debug symbols
    strip --strip-unneeded /usr/local/src/nginx/objs/nginx
    if [[ "$DYNAMIC_MODULES" == "y" ]]; then
      strip --strip-unneeded /usr/local/src/nginx/objs/*.so
    fi
    # install Nginx
    make install
  } >>/tmp/nginx-ee.log 2>&1; then
    echo -ne " Compiling nginx [${CGREEN}OK${CEND}]\\r"
    echo -ne '\n'
  else
    echo -e " Compiling nginx [${CRED}FAIL${CEND}]"
    echo -e '\n Please look at /tmp/nginx-ee.log\n'
    exit 1
  fi

}
##################################
# Perform final tasks
##################################

# Install the man page and mime.types shipped with the nginx sources.
# Outputs: progress line on stdout; cp/gzip stdout in /tmp/nginx-ee.log
# Exits the script with status 1 when the final copy (mime.types) fails.
_updating_nginx_manual() {

  echo -ne ' Updating Nginx manual [..]\r'
  if {
    # update nginx manual
    # gzip does not overwrite an existing .gz without prompting, so the old
    # page is removed first.
    if [ -f /usr/share/man/man8/nginx.8.gz ]; then
      rm /usr/share/man/man8/nginx.8.gz
    fi

    {
      cp -f "${DIR_SRC}/nginx/man/nginx.8" /usr/share/man/man8
      gzip /usr/share/man/man8/nginx.8
    } >>/tmp/nginx-ee.log

    # update mime.types
    cp -f "${DIR_SRC}/nginx/conf/mime.types" /etc/nginx/mime.types
  }; then
    echo -ne " Updating Nginx manual [${CGREEN}OK${CEND}]\\r"
    echo -ne '\n'
  else
    echo -e " Updating Nginx manual [${CRED}FAIL${CEND}]"
    echo -e '\n Please look at /tmp/nginx-ee.log\n'
    exit 1
  fi

}
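# Install the nginx-ee auto-update script as /etc/cron.daily/nginx-ee.
# Outputs: progress line on stdout; wget stdout in /tmp/nginx-ee.log
# Exits the script with status 1 when the download or the install fails.
_cron_setup() {
  local tmp_cron

  echo -ne ' Installing Nginx-ee Cronjob [..]\r'
  # Download to a temporary file and install it only when it is non-empty:
  # `wget -O` creates its target before the transfer, so a failed download
  # used to leave an empty or partial script, marked executable, in a
  # directory that cron runs daily as root.
  # NOTE(review): the script comes from the head of the develop branch and
  # is executed by cron as root. Pinning the URL to a release tag or commit
  # and checking a checksum would fix which code gets scheduled.
  tmp_cron=$(mktemp) || tmp_cron=""
  if [ -n "$tmp_cron" ] &&
    wget -O "$tmp_cron" https://raw.githubusercontent.com/VirtuBox/nginx-ee/develop/etc/cron.daily/nginx-ee >>/tmp/nginx-ee.log &&
    [ -s "$tmp_cron" ] &&
    install -m 0755 "$tmp_cron" /etc/cron.daily/nginx-ee; then
    rm -f -- "$tmp_cron"
    echo -ne " Installing Nginx-ee Cronjob [${CGREEN}OK${CEND}]\\r"
    echo -ne '\n'
  else
    if [ -n "$tmp_cron" ]; then
      rm -f -- "$tmp_cron"
    fi
    echo -e " Installing Nginx-ee Cronjob [${CRED}FAIL${CEND}]"
    echo -e '\n Please look at /tmp/nginx-ee.log\n'
    exit 1
  fi

}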
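# Refresh /etc/cron.daily/nginx-ee when it is already installed.
# Best effort: on any failure the installed script is left as it is and a
# line is written to /tmp/nginx-ee.log.
# Returns: 0 always.
_cron_update() {
  local tmp_cron

  if [ -f /etc/cron.daily/nginx-ee ]; then
    # Download to a temporary file first: `wget -O` creates its target before
    # the transfer, so writing straight to the cron path replaced a working
    # script with an empty or partial one whenever the download failed.
    # NOTE(review): the script comes from the head of the develop branch and
    # is executed by cron as root; consider pinning and verifying it.
    tmp_cron=$(mktemp) || tmp_cron=""
    if [ -n "$tmp_cron" ] &&
      wget -O "$tmp_cron" https://raw.githubusercontent.com/VirtuBox/nginx-ee/develop/etc/cron.daily/nginx-ee >>/tmp/nginx-ee.log &&
      [ -s "$tmp_cron" ] &&
      install -m 0755 "$tmp_cron" /etc/cron.daily/nginx-ee; then
      :
    else
      echo "### nginx-ee cronjob update failed, keeping the installed script ###" >>/tmp/nginx-ee.log
    fi
    if [ -n "$tmp_cron" ]; then
      rm -f -- "$tmp_cron"
    fi
  fi
  return 0
}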
# Finish the installation: keep APT from replacing the compiled nginx,
# enable and start the service, then validate the configuration.
# Globals:  PLESK_VALID, EE_VALID, WO_VALID, NOCONF, TLS13_CIPHERS (read);
#           CHECK_NGINX_WO, VERIFY_NGINX_CONFIG (written)
# Outputs:  progress lines on stdout; command output in /tmp/nginx-ee.log
# The first step group ends on the NOCONF block, so its FAIL branch reflects
# only that block. A failed `nginx -t` is reported on stdout but does not
# change the exit status.
_final_tasks() {

  echo -ne ' Performing final steps [..]\r'
  if {
    # block Nginx package update from APT repository
    # Only the first detected control panel is handled.
    if [[ "$PLESK_VALID" == "YES" ]]; then
      {
        # update nginx ciphers_suites
        # sed -i "s/ssl_ciphers\ \(\"\|.\|'\)\(.*\)\(\"\|.\|'\);/ssl_ciphers \"$TLS13_CIPHERS\";/" /etc/nginx/conf.d/ssl.conf
        # update nginx ssl_protocols
        # sed -i "s/ssl_protocols\ \(.*\);/ssl_protocols TLSv1.2 TLSv1.3;/" /etc/nginx/conf.d/ssl.conf
        # block sw-nginx package updates from APT repository
        echo -e 'Package: sw-nginx*\nPin: release *\nPin-Priority: -1' >/etc/apt/preferences.d/nginx-block
        apt-mark hold sw-nginx
      } >>/tmp/nginx-ee.log
    elif [[ "$EE_VALID" == "YES" ]]; then
      {
        # update nginx ssl_protocols
        # Rewrites the existing directive in place: TLS 1.2 and 1.3 only.
        sed -i "s/ssl_protocols\ \(.*\);/ssl_protocols TLSv1.2 TLSv1.3;/" /etc/nginx/nginx.conf
        # update nginx ciphers_suites
        sed -i "s/ssl_ciphers\ \(\"\|'\)\(.*\)\(\"\|'\)/ssl_ciphers \"$TLS13_CIPHERS\"/" /etc/nginx/nginx.conf
        # block nginx package updates from APT repository
        echo -e 'Package: nginx*\nPin: release *\nPin-Priority: -1' >/etc/apt/preferences.d/nginx-block
        apt-mark hold nginx-ee nginx-common nginx-custom
      } >>/tmp/nginx-ee.log
    elif [[ "$WO_VALID" == "YES" ]]; then
      {
        # update nginx ssl_protocols
        # sed -i "s/ssl_protocols\ \(.*\);/ssl_protocols TLSv1.2 TLSv1.3;/" /etc/nginx/nginx.conf
        # update nginx ciphers_suites
        # sed -i "s/ssl_ciphers\ \(\"\|.\|'\)\(.*\)\(\"\|.\|'\);/ssl_ciphers \"$TLS13_CIPHERS\";/" /etc/nginx/nginx.conf
        # block nginx package updates from APT repository
        echo -e 'Package: nginx*\nPin: release *\nPin-Priority: -1' >/etc/apt/preferences.d/nginx-block
        CHECK_NGINX_WO=$(dpkg --list | grep nginx-wo)
        if [[ -n "$CHECK_NGINX_WO" ]]; then
          apt-mark hold nginx-wo nginx-common nginx-custom
        else
          apt-mark hold nginx-ee nginx-common nginx-custom
        fi
      } >>/tmp/nginx-ee.log 2>&1
    fi

    if [[ "$NOCONF" != "y" ]]; then
      {
        # enable nginx service
        systemctl unmask nginx.service
        systemctl enable nginx.service
        systemctl start nginx.service
        # remove default configuration
        rm -f /etc/nginx/{*.default,*.dpkg-dist}
      } >/dev/null 2>&1
    fi

  }; then
    echo -ne " Performing final steps [${CGREEN}OK${CEND}]\\r"
    echo -ne '\n'
  else
    echo -e " Performing final steps [${CRED}FAIL${CEND}]"
    echo -e '\n Please look at /tmp/nginx-ee.log\n'
    exit 1
  fi

  echo -ne ' Checking nginx configuration [..]\r'

  if [[ "$NOCONF" == "y" ]]; then
    echo -e " ${CGREEN}Nginx-ee was compiled successfully !${CEND}"
    echo -e '\nAs you requested not to configure it, you must do it manually or using your favourite devops tools.\n'
  else
    # check if nginx -t do not return errors
    # The check looks for the word "failed" in the combined output of nginx -t.
    VERIFY_NGINX_CONFIG=$(nginx -t 2>&1 | grep failed)
    if [[ -n "$VERIFY_NGINX_CONFIG" ]]; then
      echo -e " Checking nginx configuration [${CRED}FAIL${CEND}]"
      echo -e " Nginx-ee was compiled successfully but there is an error in your nginx configuration"
      echo -e '\nPlease look at /tmp/nginx-ee.log or use the command nginx -t to find the issue\n'
    else
      # Full stop/start so the newly installed binary is the one running.
      {
        systemctl stop nginx
        systemctl start nginx
      } >>/tmp/nginx-ee.log 2>&1
      echo -ne " Checking nginx configuration [${CGREEN}OK${CEND}]\\r"
      echo ""
      echo -e " ${CGREEN}Nginx-ee was compiled successfully !${CEND}"
      echo -e '\n Installation log : /tmp/nginx-ee.log\n'
    fi
  fi

}
##################################
# Main Setup
##################################

# Steps run strictly in this order; each helper exits the script itself when
# it reports FAIL.
_install_dependencies

# Fresh host and configuration not disabled: create the nginx layout first.
if [ "$NGINX_FROM_SCRATCH" = "1" ] && [ "$NOCONF" != "y" ]; then
  _nginx_from_scratch_setup
fi

_gcc_setup

if [ "$RTMP" = "y" ]; then
  _rtmp_setup
fi

# Source downloads
_cleanup_modules
_download_modules
_download_zlib
_download_brotli

if [ "$NAXSI" = "y" ]; then
  _download_naxsi
fi

if [ "$LIBRESSL" = "y" ]; then
  _download_libressl
else
  sleep 1
fi

# Build
_download_nginx
_patch_nginx
_configure_nginx
_compile_nginx
_updating_nginx_manual

# Cron job: refresh an installed one, install it when requested.
_cron_update
if [ "$CRON_SETUP" = "y" ]; then
  _cron_setup
fi

if [ "$DYNAMIC_MODULES" = "y" ] && [ "$NOCONF" != "y" ]; then
  _dynamic_setup
fi

_final_tasks
echo "Give Nginx-ee a GitHub star : https://github.com/VirtuBox/nginx-ee"