From 163e239580d507be72513bc6e9b56240952b7a24 Mon Sep 17 00:00:00 2001
From: minoplhy
Date: Sun, 25 Jun 2023 17:16:07 +0700
Subject: [PATCH] nginx_build_script : init
---
nginx_build_script/README.md | 45 +++++++++++++++++++++++++++
nginx_build_script/build.sh | 45 +++++++++++++++++++++++++++
nginx_build_script/configure.sh | 54 +++++++++++++++++++++++++++++++++
nginx_build_script/modules.conf | 6 ++++
nginx_build_script/modules.sh | 6 ++++
nginx_build_script/packages.sh | 2 ++
6 files changed, 158 insertions(+)
create mode 100644 nginx_build_script/README.md
create mode 100644 nginx_build_script/build.sh
create mode 100644 nginx_build_script/configure.sh
create mode 100644 nginx_build_script/modules.conf
create mode 100644 nginx_build_script/modules.sh
create mode 100644 nginx_build_script/packages.sh
diff --git a/nginx_build_script/README.md b/nginx_build_script/README.md
new file mode 100644
index 0000000..3060d14
--- /dev/null
+++ b/nginx_build_script/README.md
@@ -0,0 +1,45 @@
+# nginx_build_script is spin-off from [minoplhy/nginquic](https://github.com/minoplhy/nginquic)@ModSecurity_incl branch.
+
+The script here is entirely copied from [minoplhy/nginquic](https://github.com/minoplhy/nginquic)@ModSecurity_incl. Which included ModSecurity for my own using.
+
+```shell
+export Nginx_Install=yes # This variable is required if you want Nginx to be installed scriptibly (on Debian-based systems).
+curl https://raw.githubusercontent.com/minoplhy/scriptbox/main/nginx_build_script/build.sh > ~/nginx_scriptbox.sh
+bash ~/nginx_scriptbox.sh
+```
+
+systemd Template:
+`Location : /lib/systemd/system/nginx.service`
+
+```
+# Stop dance for nginx
+# =======================
+#
+# ExecStop sends SIGSTOP (graceful stop) to the nginx process.
+# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
+# and sends SIGTERM (fast shutdown) to the main process.
+# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
+# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
+#
+# nginx signals reference doc:
+# http://nginx.org/en/docs/control.html
+#
+[Unit]
+Description=A high performance web server and a reverse proxy server
+Documentation=man:nginx(8)
+After=network.target nss-lookup.target
+
+[Service]
+Type=forking
+PIDFile=/run/nginx.pid
+ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
+ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
+ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
+ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
+TimeoutStopSec=5
+KillMode=mixed
+
+[Install]
+WantedBy=multi-user.target
+
+```
diff --git a/nginx_build_script/build.sh b/nginx_build_script/build.sh
new file mode 100644
index 0000000..e1fa672
--- /dev/null
+++ b/nginx_build_script/build.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+cd ~/
+rm -rf nginx_scriptbox
+curl -sSL https://raw.githubusercontent.com/minoplhy/scriptbox/main/nginx_build_script/packages.sh | bash
+mkdir nginx_scriptbox && cd nginx_scriptbox
+
+# Install Golang
+unlink /usr/bin/go
+wget https://go.dev/dl/go1.19.3.linux-amd64.tar.gz
+rm -rf /usr/local/go && tar -C /usr/local -xzf go1.19.3.linux-amd64.tar.gz
+export PATH=$PATH:/usr/local/go/bin
+ln -s /usr/local/go/bin /usr/bin/go
+
+hg clone -b default https://hg.nginx.org/nginx
+git clone --depth=1 https://github.com/google/boringssl
+cd boringssl
+mkdir build && cd build && cmake .. && make
+cd .. && cd ..
+
+# ModSecurity Part
+git clone --depth=1 https://github.com/SpiderLabs/ModSecurity
+cd ModSecurity/
+git submodule init
+git submodule update
+./build.sh
+./configure
+make
+sudo make install
+cd ..
+
+cd nginx
+mkdir mosc && cd mosc && curl -sSL https://raw.githubusercontent.com/minoplhy/scriptbox/main/nginx_build_script/modules.sh | bash && cd ..
+curl -sSL https://raw.githubusercontent.com/minoplhy/scriptbox/main/nginx_build_script/configure.sh | bash && make
+
+if [[ $Nginx_Install == "yes" ]]; then
+ mkdir /lib/nginx/ && mkdir /lib/nginx/modules
+ cd objs && cp *.so /lib/nginx/modules
+ rm /usr/sbin/nginx
+ cp nginx /usr/sbin/nginx
+ curl -sSL https://raw.githubusercontent.com/minoplhy/scriptbox/main/nginx_build_script/modules.conf > modules.conf
+ cp modules.conf /etc/nginx/modules-enabled
+else
+ echo "Nginx_Install variable isn't set/vaild. Your Nginx assets location is : ~/nginx_scriptbox/nginx-quic/objs"
+fi
\ No newline at end of file
diff --git a/nginx_build_script/configure.sh b/nginx_build_script/configure.sh
new file mode 100644
index 0000000..0b769c0
--- /dev/null
+++ b/nginx_build_script/configure.sh
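Review bot: Nothing this script downloads is integrity-checked before it is executed or installed: the Go tarball in the "Install Golang" step goes from wget straight into /usr/local, and packages.sh, modules.sh and configure.sh are piped into bash from the mutable `main` branch, so a changed or tampered response runs with the script's privileges (presumably root, since it writes /usr/local and /usr/sbin without sudo). Pin the raw.githubusercontent.com URLs to a commit hash instead of `main`, verify the tarball against the SHA-256 published on go.dev before extracting it, and check out fixed tags or commits for boringssl and ModSecurity here and for the six module clones in modules.sh. Separately, `ln -s /usr/local/go/bin /usr/bin/go` links the directory rather than the `go` binary.

```shell
# … unchanged: workspace setup and packages.sh step …

# Install Golang
unlink /usr/bin/go
GO_TARBALL=go1.19.3.linux-amd64.tar.gz
GO_SHA256='<SHA256_PUBLISHED_ON_GO_DEV>'   # placeholder: fill in the value listed for this tarball
wget "https://go.dev/dl/${GO_TARBALL}"
# Refuse to unpack anything that does not match the pinned digest.
echo "${GO_SHA256}  ${GO_TARBALL}" | sha256sum -c - || exit 1
rm -rf /usr/local/go && tar -C /usr/local -xzf "${GO_TARBALL}"
export PATH=$PATH:/usr/local/go/bin
ln -s /usr/local/go/bin/go /usr/bin/go

# … unchanged: nginx, boringssl and ModSecurity build, install branch …
```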
@@ -0,0 +1,54 @@
+./auto/configure \
+--with-cc-opt="-I../boringssl/include" \
+--with-ld-opt="-L../boringssl/build/ssl \
+-L../boringssl/build/crypto" \
+--prefix=/usr/share/nginx \
+--conf-path=/etc/nginx/nginx.conf \
+--http-log-path=/var/log/nginx/access.log \
+--error-log-path=/var/log/nginx/error.log \
+--lock-path=/var/lock/nginx.lock \
+--pid-path=/run/nginx.pid \
+--modules-path=/usr/lib/nginx/modules \
+--http-client-body-temp-path=/var/lib/nginx/body \
+--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
+--http-proxy-temp-path=/var/lib/nginx/proxy \
+--http-scgi-temp-path=/var/lib/nginx/scgi \
+--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
+--with-compat \
+--with-debug \
+--with-pcre-jit \
+--with-http_ssl_module \
+--with-http_stub_status_module \
+--with-http_realip_module \
+--with-http_auth_request_module \
+--with-http_v2_module \
+--with-http_dav_module \
+--with-http_slice_module \
+--with-threads \
+--with-http_addition_module \
+--with-http_flv_module \
+--with-http_gunzip_module \
+--with-http_gzip_static_module \
+--with-http_image_filter_module=dynamic \
+--with-http_mp4_module \
+--with-http_perl_module=dynamic \
+--with-http_random_index_module \
+--with-http_secure_link_module \
+--with-http_sub_module \
+--with-http_xslt_module=dynamic \
+--with-mail=dynamic \
+--with-mail_ssl_module \
+--with-stream \
+--with-stream_realip_module \
+--with-stream_ssl_module \
+--with-stream_ssl_preread_module \
+--add-dynamic-module=mosc/headers-more-nginx-module \
+--add-dynamic-module=mosc/ngx_http_auth_pam_module \
+--add-dynamic-module=mosc/ngx_cache_purge \
+--add-dynamic-module=mosc/nginx-dav-ext-module \
+--add-dynamic-module=mosc/echo-nginx-module \
+--add-dynamic-module=mosc/ModSecurity-nginx \
+--with-http_v3_module \
+--with-stream_quic_module \
+--with-http_geoip_module \
+--with-stream_geoip_module
\ No newline at end of file
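Review bot: `--modules-path=/usr/lib/nginx/modules` does not match where the rest of this commit puts the modules: build.sh copies the `.so` files to `/lib/nginx/modules` and modules.conf loads them from that absolute path, which is the same directory only on systems where /lib is a symlink to /usr/lib. Use one location in all three files, for example `--modules-path=/lib/nginx/modules` here, so that a relative `load_module` or a later packaging change does not pick up a stale or missing module directory. The file also has no header comment; a first line such as `# Run from the nginx source root; expects ../boringssl/build and the mosc/<module> checkouts` would document the relative paths it depends on.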
diff --git a/nginx_build_script/modules.conf b/nginx_build_script/modules.conf
new file mode 100644
index 0000000..4dfc872
--- /dev/null
+++ b/nginx_build_script/modules.conf
@@ -0,0 +1,6 @@
+load_module /lib/nginx/modules/ngx_http_auth_pam_module.so;
+load_module /lib/nginx/modules/ngx_http_cache_purge_module.so;
+load_module /lib/nginx/modules/ngx_http_dav_ext_module.so;
+load_module /lib/nginx/modules/ngx_http_echo_module.so;
+load_module /lib/nginx/modules/ngx_http_headers_more_filter_module.so;
+load_module /lib/nginx/modules/ngx_http_modsecurity_module.so;
\ No newline at end of file
diff --git a/nginx_build_script/modules.sh b/nginx_build_script/modules.sh
new file mode 100644
index 0000000..0cb4436
--- /dev/null
+++ b/nginx_build_script/modules.sh
@@ -0,0 +1,6 @@
+git clone https://github.com/openresty/headers-more-nginx-module
+git clone https://github.com/sto/ngx_http_auth_pam_module
+git clone https://github.com/arut/nginx-dav-ext-module/
+git clone https://github.com/openresty/echo-nginx-module
+git clone https://github.com/nginx-modules/ngx_cache_purge
+git clone https://github.com/SpiderLabs/ModSecurity-nginx
\ No newline at end of file
diff --git a/nginx_build_script/packages.sh b/nginx_build_script/packages.sh
new file mode 100644
index 0000000..16bf039
--- /dev/null
+++ b/nginx_build_script/packages.sh
@@ -0,0 +1,2 @@
+sudo apt-get install mercurial libunwind-dev libpcre3 libpcre3-dev zlib1g-dev cmake make libxslt1-dev libgd-dev libssl-dev libperl-dev libpam0g-dev libgeoip-dev git g++ -y
+sudo apt-get install apt-utils autoconf automake build-essential libcurl4-openssl-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget -y
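Review bot: Both `apt-get install` lines in packages.sh run without a preceding `apt-get update`, so on a host with stale or empty package lists the install can fail or pull outdated packages. build.sh pipes this file into bash and never checks the result, so the build would carry on with dependencies missing. Start the file with `sudo apt-get update &&` and join the two installs with `&&` so a failure produces a non-zero exit that the caller can test.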