From f21da7115a80d6f44e3fdf014f57ad6c2efc4f85 Mon Sep 17 00:00:00 2001 From: minoplhy Date: Sat, 27 Apr 2024 22:38:20 +0700 Subject: [PATCH 1/8] nginx_build_script build_gitea : refactor: nginx_build_script -> add: arguments to include/not include ModSecurity Lua in build. add: Ninja for BoringSSL build. refactor: use seperated params for ./auto/configure arguments. refactor: build modules.conf directly instead of curl from internet. fix: BoringSSL is disappeared from code for some reason. build_gitea -> refactor: arguments handling. fix: correctly handle BUILD_STATIC as boolean. --- build_gitea/Linux/build.sh | 29 +++-- build_gitea/README.md | 26 +++- nginx_build_script/README.md | 19 ++- nginx_build_script/build.sh | 224 +++++++++++++++++++++++------------ 4 files changed, 206 insertions(+), 92 deletions(-) diff --git a/build_gitea/Linux/build.sh b/build_gitea/Linux/build.sh index ceef03d..a0ca4ee 100644 --- a/build_gitea/Linux/build.sh +++ b/build_gitea/Linux/build.sh @@ -7,14 +7,27 @@ rm -rf $DESTINATION mkdir -p $DESTINATION cd $MAKE_DIR -while getopts 'v:g:n:s' flag -do - case "${flag}" in - v) GITEA_GIT_TAG=${OPTARG};; # Gitea Git Tag - g) GO_VERSION=${OPTARG};; # GOLANG Version - n) NODEJS_VERSION=${OPTARG};; # NodeJS Version - s) BUILD_STATIC="True";; # Build as Static Assets file +while [ ${#} -gt 0 ]; do + case "$1" in + --git-tag | -v) + shift + GITEA_GIT_TAG=$1 + ;; # Gitea Git Tag + --golang-version | -g) + shift + GO_VERSION=$1 + ;; # GOLANG Version + --nodejs-version | -n) + shift + NODEJS_VERSION=$1 + ;; # NodeJS Version + --static | -s) + BUILD_STATIC=true + ;; # Build as Static Assets file + *) + ;; esac + shift # Shift to next response for parsing done # GITEA_GIT_TAG is being process below 
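Review bot: The value-taking arms of the new `while`/`case` parser (`--git-tag`, `--golang-version`, `--nodejs-version`) `shift` and read `$1` without checking that a value follows, so `-v` as the last argument leaves `GITEA_GIT_TAG` empty and `-v --static` takes `--static` as the tag. A guard before each `shift`, such as `[ $# -ge 2 ] || { echo "missing value for $1" >&2; exit 2; }`, would catch both cases. The `*) ;;` arm also drops unknown or mistyped options silently; `*) echo "unknown option: $1" >&2; exit 2 ;;` is safer in a script that goes on to `rm -rf` and build. The same applies to the `*) ;;` arm of the parser this patch adds to nginx_build_script/build.sh.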
@@ -72,7 +85,7 @@ fi export NODE_MAX_CONCURRENCY=1 export GOMAXPROCS=1 -if [[ "$BUILD_STATIC" == "True" ]] +if [[ "$BUILD_STATIC" == true ]] then mkdir -p $DESTINATION/gitea-static LDFLAGS="-X \"code.gitea.io/gitea/modules/setting.AppWorkPath=/var/lib/gitea/\" -X \"code.gitea.io/gitea/modules/setting.CustomConf=/etc/gitea/app.ini\"" TAGS="bindata sqlite sqlite_unlock_notify" GOOS=linux GOARCH=amd64 make frontend diff --git a/build_gitea/README.md b/build_gitea/README.md index e2089e4..cea6a7e 100644 --- a/build_gitea/README.md +++ b/build_gitea/README.md @@ -13,10 +13,28 @@ curl -L https://github.com/minoplhy/scriptbox/raw/main/build_gitea/Linux/build.s # Arguments ```bash - v) GITEA_GIT_TAG=${OPTARG};; # Gitea Git Tag - g) GO_VERSION=${OPTARG};; # GOLANG Version - n) NODEJS_VERSION=${OPTARG};; # NodeJS Version - s) BUILD_STATIC="True";; # Build as Static Assets file +while [ ${#} -gt 0 ]; do + case "$1" in + --git-tag | -v) + shift + GITEA_GIT_TAG=$1 + ;; # Gitea Git Tag + --golang-version | -g) + shift + GO_VERSION=$1 + ;; # GOLANG Version + --nodejs-version | -n) + shift + NODEJS_VERSION=$1 + ;; # NodeJS Version + --static | -s) + BUILD_STATIC=true + ;; # Build as Static Assets file + *) + ;; + esac + shift # Shift to next response for parsing +done ``` # Known Issues diff --git a/nginx_build_script/README.md b/nginx_build_script/README.md index 474f1c2..239fb06 100644 --- a/nginx_build_script/README.md +++ b/nginx_build_script/README.md 
@@ -2,12 +2,29 @@ The script here is entirely copied from [minoplhy/nginquic](https://github.com/minoplhy/nginquic)@ModSecurity_incl. Which included ModSecurity for my own using. -```shell +```bash export Nginx_Install=yes # This variable is required if you want Nginx to be installed scriptibly (on Debian-based systems). curl https://raw.githubusercontent.com/minoplhy/scriptbox/main/nginx_build_script/build.sh > ~/nginx_scriptbox.sh bash ~/nginx_scriptbox.sh ``` +# Arguments +```bash +while [ ${#} -gt 0 ]; do + case "$1" in + --no-modsecurity | -nm ) + DISABLE_MODSECURITY=true # Not include ModSecurity in building + ;; + --no-lua | -nl ) + DISABLE_LUA=true # Not include Lua in building + ;; + *) + ;; + esac + shift +done +``` + #### Note : don't forgot to add necessary `lua_package_path` directive to `nginx.conf`, in the http context. else Nginx won't run. ```lua lua_package_path "/usr/local/lua/?.lua;;'; diff --git a/nginx_build_script/build.sh b/nginx_build_script/build.sh index 0cad944..a246b05 100644 --- a/nginx_build_script/build.sh +++ b/nginx_build_script/build.sh @@ -1,5 +1,19 @@ #!/bin/bash +while [ ${#} -gt 0 ]; do + case "$1" in + --no-modsecurity | -nm ) + DISABLE_MODSECURITY=true # Not include ModSecurity in building + ;; + --no-lua | -nl ) + DISABLE_LUA=true # Not include Lua in building + ;; + *) + ;; + esac + shift +done + HOMEDIRECTORY=~/nginx_scriptbox rm -rf $HOMEDIRECTORY 
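Review bot: `DISABLE_MODSECURITY` and `DISABLE_LUA` are assigned only inside the `case` arms at the top of nginx_build_script/build.sh, so a value already exported in the caller's environment is used as-is; an inherited `DISABLE_MODSECURITY=true` would build nginx without the WAF module and print nothing. Initialising them before the loop, `DISABLE_MODSECURITY=false; DISABLE_LUA=false`, makes the command line the only input. As far as the hunks show, the same holds for `INSTALL` and for `WITH_LD_OPT` (which ends up in the linker flags), both introduced later in this series.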
@@ -22,15 +36,23 @@ ln -s /usr/local/go/bin /usr/bin/go cd $HOMEDIRECTORY hg clone -b default https://hg.nginx.org/nginx +# BoringSSL +git clone --depth=1 https://github.com/google/boringssl $HOMEDIRECTORY/boringssl +cd $HOMEDIRECTORY/boringssl +cmake -GNinja -B build +ninja -C build + # ModSecurity -git clone --depth=1 https://github.com/SpiderLabs/ModSecurity $HOMEDIRECTORY/ModSecurity -cd $HOMEDIRECTORY/ModSecurity -git submodule init -git submodule update -./build.sh -./configure -make -sudo make install +if [ ! "${DISABLE_MODSECURITY}" == true ]; then + git clone --depth=1 https://github.com/SpiderLabs/ModSecurity $HOMEDIRECTORY/ModSecurity + cd $HOMEDIRECTORY/ModSecurity + git submodule init + git submodule update + ./build.sh + ./configure + make + sudo make install +fi # Get Nginx Modules mkdir $HOMEDIRECTORY/nginx/mosc 
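Review bot: The BoringSSL checkout added here is a `git clone --depth=1` of whatever the default branch points to at run time, and it is compiled and linked into a TLS-terminating server with no commit pin or verification. Pinning each dependency to a reviewed revision, e.g. `git -C "$HOMEDIRECTORY/boringssl" fetch --depth=1 origin "$BORINGSSL_COMMIT"` followed by `git -C "$HOMEDIRECTORY/boringssl" checkout FETCH_HEAD` (`BORINGSSL_COMMIT` being a placeholder for the chosen commit), makes builds reproducible and limits exposure to a compromised upstream. The same applies to the ModSecurity clone in this hunk, the module clones in the next hunk, and the quictls and libressl clones added later in the series. Separately, none of the `cd`, `cmake` or `ninja` steps is checked and no `set -e` is visible at the top of the file, so a failed clone lets the following commands run in the previous directory; `cd "$HOMEDIRECTORY/boringssl" || exit 1` would stop that.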
@@ -39,10 +61,16 @@ git clone https://github.com/sto/ngx_http_auth_pam_module $HOMEDIRECTORY/nginx/m git clone https://github.com/arut/nginx-dav-ext-module $HOMEDIRECTORY/nginx/mosc/nginx-dav-ext-module git clone https://github.com/openresty/echo-nginx-module $HOMEDIRECTORY/nginx/mosc/echo-nginx-module git clone https://github.com/nginx-modules/ngx_cache_purge $HOMEDIRECTORY/nginx/mosc/ngx_cache_purge -git clone https://github.com/SpiderLabs/ModSecurity-nginx $HOMEDIRECTORY/nginx/mosc/ModSecurity-nginx -git clone https://github.com/openresty/lua-nginx-module $HOMEDIRECTORY/nginx/mosc/lua-nginx-module git clone https://github.com/vision5/ngx_devel_kit $HOMEDIRECTORY/nginx/mosc/ngx_devel_kit +if [ ! "${DISABLE_MODSECURITY}" == true ]; then + git clone https://github.com/SpiderLabs/ModSecurity-nginx $HOMEDIRECTORY/nginx/mosc/ModSecurity-nginx +fi + +if [ ! "${DISABLE_LUA}" == true ]; then + git clone https://github.com/openresty/lua-nginx-module $HOMEDIRECTORY/nginx/mosc/lua-nginx-module +fi + # Nginx Module: ngx_brotli git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli $HOMEDIRECTORY/nginx/mosc/ngx_brotli cd $HOMEDIRECTORY/nginx/mosc/ngx_brotli/deps/brotli 
@@ -54,83 +82,102 @@ cmake --build . --config Release --target brotlienc # # lua resty core,lrucache,luajit2 -mkdir $HOMEDIRECTORY/nginx-lua && cd $HOMEDIRECTORY/nginx-lua -mkdir -p /opt/nginx-lua-module/ -git clone https://github.com/openresty/lua-resty-core $HOMEDIRECTORY/nginx-lua/lua-resty-core -git clone https://github.com/openresty/lua-resty-lrucache $HOMEDIRECTORY/nginx-lua/lua-resty-lrucache -git clone https://github.com/openresty/luajit2 $HOMEDIRECTORY/nginx-lua/luajit2 -git clone https://github.com/openresty/lua-resty-string $HOMEDIRECTORY/nginx-lua/lua-resty-string +if [ ! "${DISABLE_LUA}" == true ]; then + mkdir $HOMEDIRECTORY/nginx-lua && cd $HOMEDIRECTORY/nginx-lua + mkdir -p /opt/nginx-lua-module/ + git clone https://github.com/openresty/lua-resty-core $HOMEDIRECTORY/nginx-lua/lua-resty-core + git clone https://github.com/openresty/lua-resty-lrucache $HOMEDIRECTORY/nginx-lua/lua-resty-lrucache + git clone https://github.com/openresty/luajit2 $HOMEDIRECTORY/nginx-lua/luajit2 + git clone https://github.com/openresty/lua-resty-string $HOMEDIRECTORY/nginx-lua/lua-resty-string -cd $HOMEDIRECTORY/nginx-lua/luajit2 && make && make install PREFIX=/opt/nginx-lua-module/luajit2 -cd $HOMEDIRECTORY/nginx-lua/lua-resty-core && make install PREFIX=/usr/local/lua LUA_LIB_DIR=/usr/local/lua -cd $HOMEDIRECTORY/nginx-lua/lua-resty-lrucache && make install PREFIX=/usr/local/lua LUA_LIB_DIR=/usr/local/lua -cd $HOMEDIRECTORY/nginx-lua/lua-resty-string && make install PREFIX=/usr/local/lua LUA_LIB_DIR=/usr/local/lua + cd $HOMEDIRECTORY/nginx-lua/luajit2 && make && make install PREFIX=/opt/nginx-lua-module/luajit2 + cd $HOMEDIRECTORY/nginx-lua/lua-resty-core && make install PREFIX=/usr/local/lua LUA_LIB_DIR=/usr/local/lua + cd $HOMEDIRECTORY/nginx-lua/lua-resty-lrucache && make install PREFIX=/usr/local/lua LUA_LIB_DIR=/usr/local/lua + cd $HOMEDIRECTORY/nginx-lua/lua-resty-string && make install PREFIX=/usr/local/lua LUA_LIB_DIR=/usr/local/lua -export 
LUAJIT_LIB=/opt/nginx-lua-module/luajit2/lib -export LUAJIT_INC=/opt/nginx-lua-module/luajit2/include/luajit-2.1 + export LUAJIT_LIB=/opt/nginx-lua-module/luajit2/lib + export LUAJIT_INC=/opt/nginx-lua-module/luajit2/include/luajit-2.1 +fi # Build Nginx # # Why "--with-cc=c++"? # see -> https://trac.nginx.org/nginx/ticket/2605#comment:8 +NGINX_CONFIG_PARAMS=( + --with-cc=c++ + --with-cc-opt="-I../boringssl/include -x c" + --prefix=/usr/share/nginx + --conf-path=/etc/nginx/nginx.conf + --http-log-path=/var/log/nginx/access.log + --error-log-path=/var/log/nginx/error.log + --lock-path=/var/lock/nginx.lock + --pid-path=/run/nginx.pid + --modules-path=/usr/lib/nginx/modules + --http-client-body-temp-path=/var/lib/nginx/body + --http-fastcgi-temp-path=/var/lib/nginx/fastcgi + --http-proxy-temp-path=/var/lib/nginx/proxy + --http-scgi-temp-path=/var/lib/nginx/scgi + --http-uwsgi-temp-path=/var/lib/nginx/uwsgi + --with-compat + --with-debug + --with-pcre-jit + --with-http_ssl_module + --with-http_stub_status_module + --with-http_realip_module + --with-http_auth_request_module + --with-http_v2_module + --with-http_v3_module + --with-http_dav_module + --with-http_slice_module + --with-threads + --with-http_addition_module + --with-http_flv_module + --with-http_gunzip_module + --with-http_gzip_static_module + --with-http_image_filter_module=dynamic + --with-http_mp4_module + --with-http_perl_module=dynamic + --with-http_random_index_module + --with-http_secure_link_module + --with-http_sub_module + --with-http_xslt_module=dynamic + --with-mail=dynamic + --with-mail_ssl_module + --with-stream + --with-stream_realip_module + --with-stream_ssl_module + --with-stream_ssl_preread_module + --add-dynamic-module=mosc/headers-more-nginx-module + --add-dynamic-module=mosc/ngx_http_auth_pam_module + --add-dynamic-module=mosc/ngx_cache_purge + --add-dynamic-module=mosc/nginx-dav-ext-module + --add-dynamic-module=mosc/echo-nginx-module + --add-dynamic-module=mosc/ngx_brotli + 
--add-dynamic-module=mosc/ngx_devel_kit + --with-http_geoip_module + --with-stream_geoip_module +) + +# NGINX Config Params configuration +if [ ! "${DISABLE_MODSECURITY}" == true ]; then + NGINX_CONFIG_PARAMS+=(--add-dynamic-module=mosc/ModSecurity-nginx) +fi + +## with-ld-opt is implemented here +if [ ! "${DISABLE_LUA}" == true ]; then + NGINX_CONFIG_PARAMS+=( + --with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto -Wl,-rpath,$LUAJIT_LIB" + --add-dynamic-module=mosc/lua-nginx-module + ) +else + NGINX_CONFIG_PARAMS+=( + --with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto" + ) +fi + cd $HOMEDIRECTORY/nginx -./auto/configure \ ---with-cc=c++ \ ---with-cc-opt="-I../boringssl/include -x c" \ ---with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto -Wl,-rpath,$LUAJIT_LIB" \ ---prefix=/usr/share/nginx \ ---conf-path=/etc/nginx/nginx.conf \ ---http-log-path=/var/log/nginx/access.log \ ---error-log-path=/var/log/nginx/error.log \ ---lock-path=/var/lock/nginx.lock \ ---pid-path=/run/nginx.pid \ ---modules-path=/usr/lib/nginx/modules \ ---http-client-body-temp-path=/var/lib/nginx/body \ ---http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ ---http-proxy-temp-path=/var/lib/nginx/proxy \ ---http-scgi-temp-path=/var/lib/nginx/scgi \ ---http-uwsgi-temp-path=/var/lib/nginx/uwsgi \ ---with-compat \ ---with-debug \ ---with-pcre-jit \ ---with-http_ssl_module \ ---with-http_stub_status_module \ ---with-http_realip_module \ ---with-http_auth_request_module \ ---with-http_v2_module \ ---with-http_v3_module \ ---with-http_dav_module \ ---with-http_slice_module \ ---with-threads \ ---with-http_addition_module \ ---with-http_flv_module \ ---with-http_gunzip_module \ ---with-http_gzip_static_module \ ---with-http_image_filter_module=dynamic \ ---with-http_mp4_module \ ---with-http_perl_module=dynamic \ ---with-http_random_index_module \ ---with-http_secure_link_module \ ---with-http_sub_module \ ---with-http_xslt_module=dynamic \ ---with-mail=dynamic 
\ ---with-mail_ssl_module \ ---with-stream \ ---with-stream_realip_module \ ---with-stream_ssl_module \ ---with-stream_ssl_preread_module \ ---add-dynamic-module=mosc/headers-more-nginx-module \ ---add-dynamic-module=mosc/ngx_http_auth_pam_module \ ---add-dynamic-module=mosc/ngx_cache_purge \ ---add-dynamic-module=mosc/nginx-dav-ext-module \ ---add-dynamic-module=mosc/echo-nginx-module \ ---add-dynamic-module=mosc/ModSecurity-nginx \ ---add-dynamic-module=mosc/ngx_brotli \ ---add-dynamic-module=mosc/lua-nginx-module \ ---add-dynamic-module=mosc/ngx_devel_kit \ ---with-http_geoip_module \ ---with-stream_geoip_module +./auto/configure "${NGINX_CONFIG_PARAMS[@]}" make @@ -140,7 +187,26 @@ if [[ $Nginx_Install == "yes" ]]; then cp $HOMEDIRECTORY/nginx/objs/*.so /lib/nginx/modules rm /usr/sbin/nginx cp $HOMEDIRECTORY/nginx/objs/nginx /usr/sbin/nginx - curl -sSL https://raw.githubusercontent.com/minoplhy/scriptbox/main/nginx_build_script/modules.conf > modules.conf + + cat >modules.conf <> modules.conf + fi + + if [ ! "${DISABLE_LUA}" == true ]; then + echo "load_module /lib/nginx/modules/ngx_http_lua_module.so;" >> modules.conf + fi + cp modules.conf /etc/nginx/modules-enabled else echo "Nginx_Install variable isn't set/vaild. Your Nginx assets location is : '$HOMEDIRECTORY'/nginx/objs" From 37c91ac0d724942d5e971fd7c9b073dc1ff6899b Mon Sep 17 00:00:00 2001 From: minoplhy Date: Sat, 27 Apr 2024 23:03:14 +0700 Subject: [PATCH 2/8] nginx_build_script: add: install via argument --- nginx_build_script/README.md | 8 ++++++++ nginx_build_script/build.sh | 5 ++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/nginx_build_script/README.md b/nginx_build_script/README.md index 239fb06..55fd596 100644 --- a/nginx_build_script/README.md +++ b/nginx_build_script/README.md 
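Review bot: The Lua block in the `@@ -54,83 +82,102 @@` hunk writes to `/opt/nginx-lua-module` and `/usr/local/lua` with plain `mkdir -p` and `make install`, while the ModSecurity step earlier uses `sudo make install`, so in practice the whole script has to run as root and every freshly cloned tree is compiled as root. Keeping the `make` steps unprivileged and elevating only the install commands, e.g. `sudo make install PREFIX=/opt/nginx-lua-module/luajit2`, narrows what upstream build scripts can touch. The hunk begins inside the brotli build, so the steps before it are not visible here.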
@@ -7,6 +7,11 @@ export Nginx_Install=yes # This variable is required if you want Nginx to be in curl https://raw.githubusercontent.com/minoplhy/scriptbox/main/nginx_build_script/build.sh > ~/nginx_scriptbox.sh bash ~/nginx_scriptbox.sh ``` +new way to run! : +```bash +# With install Nginx +curl https://raw.githubusercontent.com/minoplhy/scriptbox/main/nginx_build_script/build.sh | bash -s -- --install +``` # Arguments ```bash @@ -18,6 +23,9 @@ while [ ${#} -gt 0 ]; do --no-lua | -nl ) DISABLE_LUA=true # Not include Lua in building ;; + --install | -i ) + INSTALL=true # Install Nginx + ;; *) ;; esac diff --git a/nginx_build_script/build.sh b/nginx_build_script/build.sh index a246b05..f3bede8 100644 --- a/nginx_build_script/build.sh +++ b/nginx_build_script/build.sh @@ -8,6 +8,9 @@ while [ ${#} -gt 0 ]; do --no-lua | -nl ) DISABLE_LUA=true # Not include Lua in building ;; + --install | -i ) + INSTALL=true # Install Nginx + ;; *) ;; esac @@ -181,7 +184,7 @@ cd $HOMEDIRECTORY/nginx make -if [[ $Nginx_Install == "yes" ]]; then +if [[ $Nginx_Install == "yes" || $INSTALL == true ]]; then mkdir -p /lib/nginx/ && mkdir -p /lib/nginx/modules mkdir -p /etc/nginx && mkdir -p /etc/nginx/sites-enabled && mkdir -p /etc/nginx/modules-enabled cp $HOMEDIRECTORY/nginx/objs/*.so /lib/nginx/modules From 57d32ceed591407d987cdb303c926c7375d6cf0e Mon Sep 17 00:00:00 2001 From: minoplhy Date: Sun, 28 Apr 2024 14:06:06 +0700 Subject: [PATCH 3/8] nginx_build_script: fix: Lua is broken on BoringSSL again --- nginx_build_script/build.sh | 47 +++++++++++++++++++++++++++---------- 1 file changed, 34 insertions(+), 13 deletions(-) diff --git a/nginx_build_script/build.sh b/nginx_build_script/build.sh index f3bede8..2fe0e8d 100644 --- a/nginx_build_script/build.sh +++ b/nginx_build_script/build.sh 
@@ -40,10 +40,20 @@ cd $HOMEDIRECTORY hg clone -b default https://hg.nginx.org/nginx # BoringSSL -git clone --depth=1 https://github.com/google/boringssl $HOMEDIRECTORY/boringssl -cd $HOMEDIRECTORY/boringssl -cmake -GNinja -B build -ninja -C build +#git clone --depth=1 https://github.com/google/boringssl $HOMEDIRECTORY/boringssl +#cd $HOMEDIRECTORY/boringssl +#cmake -GNinja -B build +#ninja -C build + +# QuicTLS OpenSSL +git clone --depth=1 https://github.com/quictls/openssl $HOMEDIRECTORY/openssl +cd $HOMEDIRECTORY/openssl +./Configure --prefix=/opt/quictls +make +make install +mkdir -p /opt/quictls/.openssl +cp -r /opt/quictls/include /opt/quictls/.openssl/include +cp -r /opt/quictls/lib64 /opt/quictls/.openssl/lib # ModSecurity if [ ! "${DISABLE_MODSECURITY}" == true ]; then @@ -64,13 +74,13 @@ git clone https://github.com/sto/ngx_http_auth_pam_module $HOMEDIRECTORY/nginx/m git clone https://github.com/arut/nginx-dav-ext-module $HOMEDIRECTORY/nginx/mosc/nginx-dav-ext-module git clone https://github.com/openresty/echo-nginx-module $HOMEDIRECTORY/nginx/mosc/echo-nginx-module git clone https://github.com/nginx-modules/ngx_cache_purge $HOMEDIRECTORY/nginx/mosc/ngx_cache_purge -git clone https://github.com/vision5/ngx_devel_kit $HOMEDIRECTORY/nginx/mosc/ngx_devel_kit if [ ! "${DISABLE_MODSECURITY}" == true ]; then git clone https://github.com/SpiderLabs/ModSecurity-nginx $HOMEDIRECTORY/nginx/mosc/ModSecurity-nginx fi if [ ! "${DISABLE_LUA}" == true ]; then + git clone https://github.com/vision5/ngx_devel_kit $HOMEDIRECTORY/nginx/mosc/ngx_devel_kit git clone https://github.com/openresty/lua-nginx-module $HOMEDIRECTORY/nginx/mosc/lua-nginx-module fi @@ -109,7 +119,8 @@ fi NGINX_CONFIG_PARAMS=( --with-cc=c++ - --with-cc-opt="-I../boringssl/include -x c" + --with-openssl="/opt/quictls" + --with-cc-opt="-I/opt/quictls/.openssl/include -x c" --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log 
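Review bot: `--with-openssl="/opt/quictls"` in the `NGINX_CONFIG_PARAMS` hunk points nginx at an install prefix, whereas that option expects an OpenSSL source tree that nginx configures and builds itself under the `.openssl` subdirectory of that path. That is why the next hunk needs `touch /opt/quictls/.openssl/include/openssl/ssl.h` to keep make from re-running the OpenSSL build, a workaround that depends on file timestamps. Either pass the cloned sources, `--with-openssl="$HOMEDIRECTORY/openssl"`, and drop the manual `make install` and `cp -r` steps, or drop `--with-openssl` and rely on the `--with-cc-opt` and `--with-ld-opt` paths alone. The `cp -r /opt/quictls/lib64 ...` line in the first hunk also assumes the install lands in `lib64`, which is presumably not true on every platform.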
@@ -157,31 +168,37 @@ NGINX_CONFIG_PARAMS=( --add-dynamic-module=mosc/nginx-dav-ext-module --add-dynamic-module=mosc/echo-nginx-module --add-dynamic-module=mosc/ngx_brotli - --add-dynamic-module=mosc/ngx_devel_kit --with-http_geoip_module --with-stream_geoip_module ) # NGINX Config Params configuration if [ ! "${DISABLE_MODSECURITY}" == true ]; then - NGINX_CONFIG_PARAMS+=(--add-dynamic-module=mosc/ModSecurity-nginx) + NGINX_CONFIG_PARAMS+=( + --add-dynamic-module=mosc/ModSecurity-nginx + ) fi ## with-ld-opt is implemented here if [ ! "${DISABLE_LUA}" == true ]; then NGINX_CONFIG_PARAMS+=( - --with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto -Wl,-rpath,$LUAJIT_LIB" + --with-ld-opt="-L/opt/quictls/.openssl/lib -Wl,-rpath,$LUAJIT_LIB" + --add-dynamic-module=mosc/ngx_devel_kit --add-dynamic-module=mosc/lua-nginx-module ) else NGINX_CONFIG_PARAMS+=( - --with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto" + --with-ld-opt="-L/opt/quictls/.openssl/lib" ) fi cd $HOMEDIRECTORY/nginx ./auto/configure "${NGINX_CONFIG_PARAMS[@]}" +# Prevent Error 127 +touch /opt/quictls/.openssl/include/openssl/ssl.h + + make if [[ $Nginx_Install == "yes" || $INSTALL == true ]]; then 
@@ -199,15 +216,19 @@ load_module /lib/nginx/modules/ngx_http_echo_module.so; load_module /lib/nginx/modules/ngx_http_headers_more_filter_module.so; load_module /lib/nginx/modules/ngx_http_brotli_filter_module.so; load_module /lib/nginx/modules/ngx_http_brotli_static_module.so; -load_module /lib/nginx/modules/ndk_http_module.so; EOL if [ ! "${DISABLE_MODSECURITY}" == true ]; then - echo "load_module /lib/nginx/modules/ngx_http_modsecurity_module.so;" >> modules.conf + cat >>modules.conf <> modules.conf + cat >>modules.conf < Date: Sun, 28 Apr 2024 23:15:45 +0700 Subject: [PATCH 4/8] nginx_build_script: add: building with LibreSSL, BoringSSL, QuicTLS add: give section a name note: building LibreSSL with Lua is broken, consider disabling it. --- nginx_build_script/README.md | 31 ++++-- nginx_build_script/build.sh | 188 ++++++++++++++++++++++++----------- 2 files changed, 153 insertions(+), 66 deletions(-) diff --git a/nginx_build_script/README.md b/nginx_build_script/README.md index 55fd596..48433ea 100644 --- a/nginx_build_script/README.md +++ b/nginx_build_script/README.md 
@@ -17,14 +17,24 @@ curl https://raw.githubusercontent.com/minoplhy/scriptbox/main/nginx_build_scrip ```bash while [ ${#} -gt 0 ]; do case "$1" in - --no-modsecurity | -nm ) - DISABLE_MODSECURITY=true # Not include ModSecurity in building - ;; - --no-lua | -nl ) - DISABLE_LUA=true # Not include Lua in building - ;; - --install | -i ) - INSTALL=true # Install Nginx + --no-modsecurity | -nm ) DISABLE_MODSECURITY=true;; # Not include ModSecurity in building + --no-lua | -nl ) DISABLE_LUA=true ;; # Not include Lua in building + --install | -i ) INSTALL=true ;; # Install Nginx + --ssl=* ) + SSL_LIB="${1#*=}" + case $SSL_LIB in # Re-define SSL_LIB + "quictls") SSL_LIB="quictls" ;; + "boringssl") SSL_LIB="boringssl" ;; + "libressl") SSL_LIB="libressl" ;; + "") + echo "ERROR : --ssl= is empty!" + exit 1 + ;; + *) + echo "ERROR : Vaild values for --ssl are -> quictls, boringssl, libressl" + exit 1 + ;; + esac ;; *) ;; @@ -33,7 +43,10 @@ while [ ${#} -gt 0 ]; do done ``` -#### Note : don't forgot to add necessary `lua_package_path` directive to `nginx.conf`, in the http context. else Nginx won't run. +#### Note : +* don't forgot to add necessary `lua_package_path` directive to `nginx.conf`, in the http context. else Nginx won't run. +* LibreSSL is broken when compile with Nginx Lua + ```lua lua_package_path "/usr/local/lua/?.lua;;'; ``` diff --git a/nginx_build_script/build.sh b/nginx_build_script/build.sh index 2fe0e8d..2d4d33f 100644 --- a/nginx_build_script/build.sh +++ b/nginx_build_script/build.sh 
@@ -2,14 +2,24 @@ while [ ${#} -gt 0 ]; do case "$1" in - --no-modsecurity | -nm ) - DISABLE_MODSECURITY=true # Not include ModSecurity in building - ;; - --no-lua | -nl ) - DISABLE_LUA=true # Not include Lua in building - ;; - --install | -i ) - INSTALL=true # Install Nginx + --no-modsecurity | -nm ) DISABLE_MODSECURITY=true;; # Not include ModSecurity in building + --no-lua | -nl ) DISABLE_LUA=true ;; # Not include Lua in building + --install | -i ) INSTALL=true ;; # Install Nginx + --ssl=* ) + SSL_LIB="${1#*=}" + case $SSL_LIB in # Re-define SSL_LIB + "quictls") SSL_LIB="quictls" ;; + "boringssl") SSL_LIB="boringssl" ;; + "libressl") SSL_LIB="libressl" ;; + "") + echo "ERROR : --ssl= is empty!" + exit 1 + ;; + *) + echo "ERROR : Vaild values for --ssl are -> quictls, boringssl, libressl" + exit 1 + ;; + esac ;; *) ;; 
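Review bot: The inner `case $SSL_LIB` arms re-assign the value they have just matched, and both error messages go to stdout. The allow-list can be a single arm, `quictls | boringssl | libressl) ;;`, with the errors sent to stderr, `echo "ERROR : --ssl= is empty!" >&2`. Only the `--ssl=value` form is recognised, so `--ssl quictls` falls through to `*) ;;` and the build silently uses the default set after the loop; a short comment on the `--ssl=*` arm saying so would help.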
@@ -17,43 +27,72 @@ while [ ${#} -gt 0 ]; do shift done -HOMEDIRECTORY=~/nginx_scriptbox +# if $SSL_LIB is null/empty +SSL_LIB=${SSL_LIB:-"boringssl"} -rm -rf $HOMEDIRECTORY +################################# +## ## +## Dependencies Setup ## +## ## +################################# +# Get Dependencies sudo apt-get install mercurial libunwind-dev libpcre3 libpcre3-dev zlib1g-dev cmake make libxslt1-dev libgd-dev libssl-dev libperl-dev libpam0g-dev libgeoip-dev git g++ -y sudo apt-get install apt-utils autoconf automake build-essential libcurl4-openssl-dev liblmdb-dev libtool libxml2-dev libyajl-dev pkgconf wget ninja-build -y +HOMEDIRECTORY=~/nginx_scriptbox + +# Remove old build directory +rm -rf $HOMEDIRECTORY + mkdir $HOMEDIRECTORY && cd $HOMEDIRECTORY -# Golang -GO_VERSION=1.22.1 - -unlink /usr/bin/go -wget https://go.dev/dl/go$GO_VERSION.linux-amd64.tar.gz -sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go$GO_VERSION.linux-amd64.tar.gz -export PATH=$PATH:/usr/local/go/bin -ln -s /usr/local/go/bin /usr/bin/go - # Nginx cd $HOMEDIRECTORY hg clone -b default https://hg.nginx.org/nginx -# BoringSSL -#git clone --depth=1 https://github.com/google/boringssl $HOMEDIRECTORY/boringssl -#cd $HOMEDIRECTORY/boringssl -#cmake -GNinja -B build -#ninja -C build +# Build SSL Library +case $SSL_LIB in + "quictls") + git clone --depth=1 https://github.com/quictls/openssl $HOMEDIRECTORY/openssl + cd $HOMEDIRECTORY/openssl + ./Configure --prefix=/opt/quictls + make + make install + mkdir -p /opt/quictls/.openssl + cp -r /opt/quictls/include /opt/quictls/.openssl/include + cp -r /opt/quictls/lib64 /opt/quictls/.openssl/lib + ;; + "boringssl") + # Golang + GO_VERSION=1.22.1 -# QuicTLS OpenSSL -git clone --depth=1 https://github.com/quictls/openssl $HOMEDIRECTORY/openssl -cd $HOMEDIRECTORY/openssl -./Configure --prefix=/opt/quictls -make -make install -mkdir -p /opt/quictls/.openssl -cp -r /opt/quictls/include /opt/quictls/.openssl/include -cp -r /opt/quictls/lib64 
/opt/quictls/.openssl/lib + unlink /usr/bin/go + wget https://go.dev/dl/go$GO_VERSION.linux-amd64.tar.gz + sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go$GO_VERSION.linux-amd64.tar.gz + export PATH=$PATH:/usr/local/go/bin + ln -s /usr/local/go/bin /usr/bin/go + + git clone --depth=1 https://github.com/google/boringssl $HOMEDIRECTORY/boringssl + cd $HOMEDIRECTORY/boringssl + cmake -GNinja -B build + ninja -C build + ;; + "libressl") + git clone --depth=1 https://github.com/libressl/portable $HOMEDIRECTORY/libressl + cd $HOMEDIRECTORY/libressl + ./autogen.sh + ./configure + cmake -GNinja -B build + ninja -C build + export DESTDIR=$HOMEDIRECTORY/libressl/libressl-build + ninja install -C build + + mkdir -p /opt/libressl/.openssl + cp -r $HOMEDIRECTORY/libressl/libressl-build/usr/local/include /opt/libressl/.openssl + cp -r $HOMEDIRECTORY/libressl/libressl-build/usr/local/lib /opt/libressl/.openssl + ;; +esac # ModSecurity if [ ! "${DISABLE_MODSECURITY}" == true ]; then @@ -67,7 +106,12 @@ if [ ! "${DISABLE_MODSECURITY}" == true ]; then sudo make install fi -# Get Nginx Modules +################################# +## ## +## Nginx Modules ## +## ## +################################# + mkdir $HOMEDIRECTORY/nginx/mosc git clone https://github.com/openresty/headers-more-nginx-module $HOMEDIRECTORY/nginx/mosc/headers-more-nginx-module git clone https://github.com/sto/ngx_http_auth_pam_module $HOMEDIRECTORY/nginx/mosc/ngx_http_auth_pam_module 
@@ -112,15 +156,17 @@ if [ ! "${DISABLE_LUA}" == true ]; then export LUAJIT_INC=/opt/nginx-lua-module/luajit2/include/luajit-2.1 fi -# Build Nginx -# -# Why "--with-cc=c++"? -# see -> https://trac.nginx.org/nginx/ticket/2605#comment:8 +###################################################################### +## ## +## Build Nginx ## +## ## +## Why "--with-cc=c++"? ## +## see -> https://trac.nginx.org/nginx/ticket/2605#comment:8 ## +## ## +###################################################################### NGINX_CONFIG_PARAMS=( --with-cc=c++ - --with-openssl="/opt/quictls" - --with-cc-opt="-I/opt/quictls/.openssl/include -x c" --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log 
@@ -173,34 +219,69 @@ NGINX_CONFIG_PARAMS=( ) # NGINX Config Params configuration +case $SSL_LIB in + "quictls") + NGINX_CONFIG_PARAMS+=( + --with-openssl="/opt/quictls" + --with-cc-opt="-I/opt/quictls/.openssl/include -x c" + ) + WITH_LD_OPT="-L/opt/quictls/.openssl/lib" + ;; + "boringssl") + NGINX_CONFIG_PARAMS+=( + --with-cc-opt="-I../boringssl/include -x c" + ) + WITH_LD_OPT="-L../boringssl/build/ssl -L../boringssl/build/crypto" + ;; + "libressl") + NGINX_CONFIG_PARAMS+=( + --with-openssl="/opt/libressl" + --with-cc-opt="-x c" + ) + ;; +esac + if [ ! "${DISABLE_MODSECURITY}" == true ]; then NGINX_CONFIG_PARAMS+=( --add-dynamic-module=mosc/ModSecurity-nginx - ) + ) fi -## with-ld-opt is implemented here +# SomeHow, Nginx is broken when compiling as dynamic module with BoringSSL. +# Compiling as module seems to fix this. if [ ! "${DISABLE_LUA}" == true ]; then NGINX_CONFIG_PARAMS+=( - --with-ld-opt="-L/opt/quictls/.openssl/lib -Wl,-rpath,$LUAJIT_LIB" - --add-dynamic-module=mosc/ngx_devel_kit - --add-dynamic-module=mosc/lua-nginx-module + --add-module=mosc/ngx_devel_kit + --add-module=mosc/lua-nginx-module ) -else + WITH_LD_OPT+=" -Wl,-rpath,$LUAJIT_LIB" +fi + +# Build --with-ld-opt arguments here +if [[ -n ${WITH_LD_OPT} && ${WITH_LD_OPT} != "" ]]; then NGINX_CONFIG_PARAMS+=( - --with-ld-opt="-L/opt/quictls/.openssl/lib" + --with-ld-opt="${WITH_LD_OPT}" ) fi cd $HOMEDIRECTORY/nginx ./auto/configure "${NGINX_CONFIG_PARAMS[@]}" -# Prevent Error 127 -touch /opt/quictls/.openssl/include/openssl/ssl.h - +# Prevent Error 127, When building. 
+if [ $SSL_LIB == "quictls" ]; then + touch /opt/quictls/.openssl/include/openssl/ssl.h +elif [ $SSL_LIB == "libressl" ]; then + touch /opt/libressl/.openssl/include/openssl/ssl.h +fi make +################################# +## ## +## Install Nginx(optional) ## +## ## +################################# + if [[ $Nginx_Install == "yes" || $INSTALL == true ]]; then mkdir -p /lib/nginx/ && mkdir -p /lib/nginx/modules mkdir -p /etc/nginx && mkdir -p /etc/nginx/sites-enabled && mkdir -p /etc/nginx/modules-enabled @@ -224,13 +305,6 @@ load_module /lib/nginx/modules/ngx_http_modsecurity_module.so; EOL fi - if [ ! "${DISABLE_LUA}" == true ]; then - cat >>modules.conf < Date: Mon, 29 Apr 2024 00:41:40 +0700 Subject: [PATCH 5/8] nginx_build_script: fix: remove Nginx binary --- nginx_build_script/build.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/nginx_build_script/build.sh b/nginx_build_script/build.sh index 2d4d33f..1c65327 100644 --- a/nginx_build_script/build.sh +++ b/nginx_build_script/build.sh @@ -286,7 +286,6 @@ if [[ $Nginx_Install == "yes" || $INSTALL == true ]]; then mkdir -p /lib/nginx/ && mkdir -p /lib/nginx/modules mkdir -p /etc/nginx && mkdir -p /etc/nginx/sites-enabled && mkdir -p /etc/nginx/modules-enabled cp $HOMEDIRECTORY/nginx/objs/*.so /lib/nginx/modules - rm /usr/sbin/nginx cp $HOMEDIRECTORY/nginx/objs/nginx /usr/sbin/nginx cat >modules.conf < Date: Mon, 29 Apr 2024 01:37:10 +0700 Subject: [PATCH 6/8] nginx_build_script: fix: Incorrect build directory for luajit --- nginx_build_script/build.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nginx_build_script/build.sh b/nginx_build_script/build.sh index 1c65327..f4c38ce 100644 --- a/nginx_build_script/build.sh +++ b/nginx_build_script/build.sh 
@@ -87,6 +87,7 @@ case $SSL_LIB in ninja -C build export DESTDIR=$HOMEDIRECTORY/libressl/libressl-build ninja install -C build + export -n DESTDIR # unset to avoid problems with Luajit2/Lua* mkdir -p /opt/libressl/.openssl cp -r $HOMEDIRECTORY/libressl/libressl-build/usr/local/include /opt/libressl/.openssl @@ -140,7 +141,7 @@ cmake --build . --config Release --target brotlienc # lua resty core,lrucache,luajit2 if [ ! "${DISABLE_LUA}" == true ]; then - mkdir $HOMEDIRECTORY/nginx-lua && cd $HOMEDIRECTORY/nginx-lua + mkdir -p $HOMEDIRECTORY/nginx-lua && cd $HOMEDIRECTORY/nginx-lua mkdir -p /opt/nginx-lua-module/ git clone https://github.com/openresty/lua-resty-core $HOMEDIRECTORY/nginx-lua/lua-resty-core git clone https://github.com/openresty/lua-resty-lrucache $HOMEDIRECTORY/nginx-lua/lua-resty-lrucache From 12f1c84fa04f539a93f94114e629aabefb8e8079 Mon Sep 17 00:00:00 2001 From: minoplhy Date: Mon, 29 Apr 2024 01:52:59 +0700 Subject: [PATCH 7/8] nginx_build_script: enhance: LibreSSL note --- nginx_build_script/README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/nginx_build_script/README.md b/nginx_build_script/README.md index 48433ea..b2817c4 100644 --- a/nginx_build_script/README.md +++ b/nginx_build_script/README.md @@ -45,12 +45,16 @@ done #### Note : * don't forgot to add necessary `lua_package_path` directive to `nginx.conf`, in the http context. else Nginx won't run. -* LibreSSL is broken when compile with Nginx Lua - ```lua lua_package_path "/usr/local/lua/?.lua;;'; ``` +* LibreSSL is broken when compile with Nginx Lua +taken from compiler: +``` +error: implicit declaration of function ‘SSL_client_hello_get0_ext’ [-Werror=implicit-function-declaration] +``` + systemd Template: `Location : /lib/systemd/system/nginx.service` From 995750e42e5ff33f421338c874a5911e269d422b Mon Sep 17 00:00:00 2001 
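Review bot: `export -n DESTDIR` in the `libressl` arm removes only the export attribute, so the variable stays set in the script although the comment says "unset". Passing it for the one command, `DESTDIR="$HOMEDIRECTORY/libressl/libressl-build" ninja install -C build`, avoids both the `export` and the cleanup; otherwise `unset DESTDIR` matches the comment.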
From: minoplhy Date: Wed, 1 May 2024 23:53:32 +0700 Subject: [PATCH 8/8] nginx_build_script: fix: lua_package_path --- nginx_build_script/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx_build_script/README.md b/nginx_build_script/README.md index b2817c4..10535b5 100644 --- a/nginx_build_script/README.md +++ b/nginx_build_script/README.md @@ -46,7 +46,7 @@ done #### Note : * don't forgot to add necessary `lua_package_path` directive to `nginx.conf`, in the http context. else Nginx won't run. ```lua -lua_package_path "/usr/local/lua/?.lua;;'; +lua_package_path "/usr/local/lua/?.lua;;"; ``` * LibreSSL is broken when compile with Nginx Lua