From f21da7115a80d6f44e3fdf014f57ad6c2efc4f85 Mon Sep 17 00:00:00 2001 From: minoplhy Date: Sat, 27 Apr 2024 22:38:20 +0700 Subject: [PATCH] nginx_build_script build_gitea : refactor: nginx_build_script -> add: arguments to include/not include ModSecurity Lua in build. add: Ninja for BoringSSL build. refactor: use seperated params for ./auto/configure arguments. refactor: build modules.conf directly instead of curl from internet. fix: BoringSSL is disappeared from code for some reason. build_gitea -> refactor: arguments handling. fix: correctly handle BUILD_STATIC as boolean. --- build_gitea/Linux/build.sh | 29 +++-- build_gitea/README.md | 26 +++- nginx_build_script/README.md | 19 ++- nginx_build_script/build.sh | 224 +++++++++++++++++++++++------------ 4 files changed, 206 insertions(+), 92 deletions(-) diff --git a/build_gitea/Linux/build.sh b/build_gitea/Linux/build.sh index ceef03d..a0ca4ee 100644 --- a/build_gitea/Linux/build.sh +++ b/build_gitea/Linux/build.sh @@ -7,14 +7,27 @@ rm -rf $DESTINATION mkdir -p $DESTINATION cd $MAKE_DIR -while getopts 'v:g:n:s' flag -do - case "${flag}" in - v) GITEA_GIT_TAG=${OPTARG};; # Gitea Git Tag - g) GO_VERSION=${OPTARG};; # GOLANG Version - n) NODEJS_VERSION=${OPTARG};; # NodeJS Version - s) BUILD_STATIC="True";; # Build as Static Assets file +while [ ${#} -gt 0 ]; do + case "$1" in + --git-tag | -v) + shift + GITEA_GIT_TAG=$1 + ;; # Gitea Git Tag + --golang-version | -g) + shift + GO_VERSION=$1 + ;; # GOLANG Version + --nodejs-version | -n) + shift + NODEJS_VERSION=$1 + ;; # NodeJS Version + --static | -s) + BUILD_STATIC=true + ;; # Build as Static Assets file + *) + ;; esac + shift # Shift to next response for parsing done # GITEA_GIT_TAG is being process below 
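Review bot: The new `while`/`case` parser never checks that a value follows `--git-tag`, `--golang-version` or `--nodejs-version`, and its `*)` arm silently drops unrecognised arguments, so a trailing `-v` leaves `GITEA_GIT_TAG` empty and a mistyped `--static` quietly produces a non-static build. These values select which Gitea, Go and Node.js releases get built, so failing early is safer: guard each value option with `[ $# -ge 2 ] || { echo "missing value for $1" >&2; exit 2; }` before its `shift`, and make the default arm `*) echo "unknown option: $1" >&2; exit 2 ;;`. The same loop is pasted into build_gitea/README.md and would need the matching update. The loop also appears to run after the `rm -rf $DESTINATION` shown just above it, so a bad invocation is only noticed once the previous output is gone.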
@@ -72,7 +85,7 @@ fi export NODE_MAX_CONCURRENCY=1 export GOMAXPROCS=1 -if [[ "$BUILD_STATIC" == "True" ]] +if [[ "$BUILD_STATIC" == true ]] then mkdir -p $DESTINATION/gitea-static LDFLAGS="-X \"code.gitea.io/gitea/modules/setting.AppWorkPath=/var/lib/gitea/\" -X \"code.gitea.io/gitea/modules/setting.CustomConf=/etc/gitea/app.ini\"" TAGS="bindata sqlite sqlite_unlock_notify" GOOS=linux GOARCH=amd64 make frontend diff --git a/build_gitea/README.md b/build_gitea/README.md index e2089e4..cea6a7e 100644 --- a/build_gitea/README.md +++ b/build_gitea/README.md @@ -13,10 +13,28 @@ curl -L https://github.com/minoplhy/scriptbox/raw/main/build_gitea/Linux/build.s # Arguments ```bash - v) GITEA_GIT_TAG=${OPTARG};; # Gitea Git Tag - g) GO_VERSION=${OPTARG};; # GOLANG Version - n) NODEJS_VERSION=${OPTARG};; # NodeJS Version - s) BUILD_STATIC="True";; # Build as Static Assets file +while [ ${#} -gt 0 ]; do + case "$1" in + --git-tag | -v) + shift + GITEA_GIT_TAG=$1 + ;; # Gitea Git Tag + --golang-version | -g) + shift + GO_VERSION=$1 + ;; # GOLANG Version + --nodejs-version | -n) + shift + NODEJS_VERSION=$1 + ;; # NodeJS Version + --static | -s) + BUILD_STATIC=true + ;; # Build as Static Assets file + *) + ;; + esac + shift # Shift to next response for parsing +done ``` # Known Issues diff --git a/nginx_build_script/README.md b/nginx_build_script/README.md index 474f1c2..239fb06 100644 --- a/nginx_build_script/README.md +++ b/nginx_build_script/README.md 
@@ -2,12 +2,29 @@ The script here is entirely copied from [minoplhy/nginquic](https://github.com/minoplhy/nginquic)@ModSecurity_incl. Which included ModSecurity for my own using. -```shell +```bash export Nginx_Install=yes # This variable is required if you want Nginx to be installed scriptibly (on Debian-based systems). curl https://raw.githubusercontent.com/minoplhy/scriptbox/main/nginx_build_script/build.sh > ~/nginx_scriptbox.sh bash ~/nginx_scriptbox.sh ``` +# Arguments +```bash +while [ ${#} -gt 0 ]; do + case "$1" in + --no-modsecurity | -nm ) + DISABLE_MODSECURITY=true # Not include ModSecurity in building + ;; + --no-lua | -nl ) + DISABLE_LUA=true # Not include Lua in building + ;; + *) + ;; + esac + shift +done +``` + #### Note : don't forgot to add necessary `lua_package_path` directive to `nginx.conf`, in the http context. else Nginx won't run. ```lua lua_package_path "/usr/local/lua/?.lua;;'; diff --git a/nginx_build_script/build.sh b/nginx_build_script/build.sh index 0cad944..a246b05 100644 --- a/nginx_build_script/build.sh +++ b/nginx_build_script/build.sh @@ -1,5 +1,19 @@ #!/bin/bash +while [ ${#} -gt 0 ]; do + case "$1" in + --no-modsecurity | -nm ) + DISABLE_MODSECURITY=true # Not include ModSecurity in building + ;; + --no-lua | -nl ) + DISABLE_LUA=true # Not include Lua in building + ;; + *) + ;; + esac + shift +done + HOMEDIRECTORY=~/nginx_scriptbox rm -rf $HOMEDIRECTORY 
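Review bot: `DISABLE_MODSECURITY` and `DISABLE_LUA` are only assigned inside the `case` arms of the new parser in nginx_build_script/build.sh, so when neither flag is passed their values come from whatever the calling environment exported. An inherited `DISABLE_MODSECURITY=true` would yield an nginx build without the WAF module, and nothing would report it. Initialise both before the loop with `DISABLE_MODSECURITY=false` and `DISABLE_LUA=false`, and replace the empty `*)` arm with `*) echo "unknown option: $1" >&2; exit 2 ;;` so a mistyped flag does not fall back to the default build unnoticed. A one-line comment above the loop, e.g. `# ModSecurity and Lua are built unless --no-modsecurity / --no-lua is given`, would document the default.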
@@ -22,15 +36,23 @@ ln -s /usr/local/go/bin /usr/bin/go cd $HOMEDIRECTORY hg clone -b default https://hg.nginx.org/nginx +# BoringSSL +git clone --depth=1 https://github.com/google/boringssl $HOMEDIRECTORY/boringssl +cd $HOMEDIRECTORY/boringssl +cmake -GNinja -B build +ninja -C build + # ModSecurity -git clone --depth=1 https://github.com/SpiderLabs/ModSecurity $HOMEDIRECTORY/ModSecurity -cd $HOMEDIRECTORY/ModSecurity -git submodule init -git submodule update -./build.sh -./configure -make -sudo make install +if [ ! "${DISABLE_MODSECURITY}" == true ]; then + git clone --depth=1 https://github.com/SpiderLabs/ModSecurity $HOMEDIRECTORY/ModSecurity + cd $HOMEDIRECTORY/ModSecurity + git submodule init + git submodule update + ./build.sh + ./configure + make + sudo make install +fi # Get Nginx Modules mkdir $HOMEDIRECTORY/nginx/mosc 
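Review bot: The added BoringSSL step clones the tip of the default branch (`--depth=1`, no tag or commit), so the TLS library compiled into nginx is whatever upstream published at build time and two runs can produce different binaries; the ModSecurity clone here and the module clones in the next hunk (`@@ -39,10 +61,16 @@`) have the same problem. Pinning to a reviewed revision keeps the build auditable, for example `git -C "$HOMEDIRECTORY/boringssl" fetch --depth=1 origin "$BORINGSSL_COMMIT"` followed by `git -C "$HOMEDIRECTORY/boringssl" checkout FETCH_HEAD`, with `BORINGSSL_COMMIT` a placeholder for the hash you reviewed. The `cd`, `cmake` and `ninja` results are also unchecked and no `set -e` is visible in these hunks, so a failed BoringSSL build appears to fall through to the nginx configure step; `ninja -C build || exit 1` would stop it there. BoringSSL's build notes also recommend `-DCMAKE_BUILD_TYPE=Release` for non-debug builds, which this `cmake` line does not pass.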
@@ -39,10 +61,16 @@ git clone https://github.com/sto/ngx_http_auth_pam_module $HOMEDIRECTORY/nginx/m git clone https://github.com/arut/nginx-dav-ext-module $HOMEDIRECTORY/nginx/mosc/nginx-dav-ext-module git clone https://github.com/openresty/echo-nginx-module $HOMEDIRECTORY/nginx/mosc/echo-nginx-module git clone https://github.com/nginx-modules/ngx_cache_purge $HOMEDIRECTORY/nginx/mosc/ngx_cache_purge -git clone https://github.com/SpiderLabs/ModSecurity-nginx $HOMEDIRECTORY/nginx/mosc/ModSecurity-nginx -git clone https://github.com/openresty/lua-nginx-module $HOMEDIRECTORY/nginx/mosc/lua-nginx-module git clone https://github.com/vision5/ngx_devel_kit $HOMEDIRECTORY/nginx/mosc/ngx_devel_kit +if [ ! "${DISABLE_MODSECURITY}" == true ]; then + git clone https://github.com/SpiderLabs/ModSecurity-nginx $HOMEDIRECTORY/nginx/mosc/ModSecurity-nginx +fi + +if [ ! "${DISABLE_LUA}" == true ]; then + git clone https://github.com/openresty/lua-nginx-module $HOMEDIRECTORY/nginx/mosc/lua-nginx-module +fi + # Nginx Module: ngx_brotli git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli $HOMEDIRECTORY/nginx/mosc/ngx_brotli cd $HOMEDIRECTORY/nginx/mosc/ngx_brotli/deps/brotli 
@@ -54,83 +82,102 @@ cmake --build . --config Release --target brotlienc # # lua resty core,lrucache,luajit2 -mkdir $HOMEDIRECTORY/nginx-lua && cd $HOMEDIRECTORY/nginx-lua -mkdir -p /opt/nginx-lua-module/ -git clone https://github.com/openresty/lua-resty-core $HOMEDIRECTORY/nginx-lua/lua-resty-core -git clone https://github.com/openresty/lua-resty-lrucache $HOMEDIRECTORY/nginx-lua/lua-resty-lrucache -git clone https://github.com/openresty/luajit2 $HOMEDIRECTORY/nginx-lua/luajit2 -git clone https://github.com/openresty/lua-resty-string $HOMEDIRECTORY/nginx-lua/lua-resty-string +if [ ! "${DISABLE_LUA}" == true ]; then + mkdir $HOMEDIRECTORY/nginx-lua && cd $HOMEDIRECTORY/nginx-lua + mkdir -p /opt/nginx-lua-module/ + git clone https://github.com/openresty/lua-resty-core $HOMEDIRECTORY/nginx-lua/lua-resty-core + git clone https://github.com/openresty/lua-resty-lrucache $HOMEDIRECTORY/nginx-lua/lua-resty-lrucache + git clone https://github.com/openresty/luajit2 $HOMEDIRECTORY/nginx-lua/luajit2 + git clone https://github.com/openresty/lua-resty-string $HOMEDIRECTORY/nginx-lua/lua-resty-string -cd $HOMEDIRECTORY/nginx-lua/luajit2 && make && make install PREFIX=/opt/nginx-lua-module/luajit2 -cd $HOMEDIRECTORY/nginx-lua/lua-resty-core && make install PREFIX=/usr/local/lua LUA_LIB_DIR=/usr/local/lua -cd $HOMEDIRECTORY/nginx-lua/lua-resty-lrucache && make install PREFIX=/usr/local/lua LUA_LIB_DIR=/usr/local/lua -cd $HOMEDIRECTORY/nginx-lua/lua-resty-string && make install PREFIX=/usr/local/lua LUA_LIB_DIR=/usr/local/lua + cd $HOMEDIRECTORY/nginx-lua/luajit2 && make && make install PREFIX=/opt/nginx-lua-module/luajit2 + cd $HOMEDIRECTORY/nginx-lua/lua-resty-core && make install PREFIX=/usr/local/lua LUA_LIB_DIR=/usr/local/lua + cd $HOMEDIRECTORY/nginx-lua/lua-resty-lrucache && make install PREFIX=/usr/local/lua LUA_LIB_DIR=/usr/local/lua + cd $HOMEDIRECTORY/nginx-lua/lua-resty-string && make install PREFIX=/usr/local/lua LUA_LIB_DIR=/usr/local/lua -export 
LUAJIT_LIB=/opt/nginx-lua-module/luajit2/lib -export LUAJIT_INC=/opt/nginx-lua-module/luajit2/include/luajit-2.1 + export LUAJIT_LIB=/opt/nginx-lua-module/luajit2/lib + export LUAJIT_INC=/opt/nginx-lua-module/luajit2/include/luajit-2.1 +fi # Build Nginx # # Why "--with-cc=c++"? # see -> https://trac.nginx.org/nginx/ticket/2605#comment:8 +NGINX_CONFIG_PARAMS=( + --with-cc=c++ + --with-cc-opt="-I../boringssl/include -x c" + --prefix=/usr/share/nginx + --conf-path=/etc/nginx/nginx.conf + --http-log-path=/var/log/nginx/access.log + --error-log-path=/var/log/nginx/error.log + --lock-path=/var/lock/nginx.lock + --pid-path=/run/nginx.pid + --modules-path=/usr/lib/nginx/modules + --http-client-body-temp-path=/var/lib/nginx/body + --http-fastcgi-temp-path=/var/lib/nginx/fastcgi + --http-proxy-temp-path=/var/lib/nginx/proxy + --http-scgi-temp-path=/var/lib/nginx/scgi + --http-uwsgi-temp-path=/var/lib/nginx/uwsgi + --with-compat + --with-debug + --with-pcre-jit + --with-http_ssl_module + --with-http_stub_status_module + --with-http_realip_module + --with-http_auth_request_module + --with-http_v2_module + --with-http_v3_module + --with-http_dav_module + --with-http_slice_module + --with-threads + --with-http_addition_module + --with-http_flv_module + --with-http_gunzip_module + --with-http_gzip_static_module + --with-http_image_filter_module=dynamic + --with-http_mp4_module + --with-http_perl_module=dynamic + --with-http_random_index_module + --with-http_secure_link_module + --with-http_sub_module + --with-http_xslt_module=dynamic + --with-mail=dynamic + --with-mail_ssl_module + --with-stream + --with-stream_realip_module + --with-stream_ssl_module + --with-stream_ssl_preread_module + --add-dynamic-module=mosc/headers-more-nginx-module + --add-dynamic-module=mosc/ngx_http_auth_pam_module + --add-dynamic-module=mosc/ngx_cache_purge + --add-dynamic-module=mosc/nginx-dav-ext-module + --add-dynamic-module=mosc/echo-nginx-module + --add-dynamic-module=mosc/ngx_brotli + 
--add-dynamic-module=mosc/ngx_devel_kit + --with-http_geoip_module + --with-stream_geoip_module +) + +# NGINX Config Params configuration +if [ ! "${DISABLE_MODSECURITY}" == true ]; then + NGINX_CONFIG_PARAMS+=(--add-dynamic-module=mosc/ModSecurity-nginx) +fi + +## with-ld-opt is implemented here +if [ ! "${DISABLE_LUA}" == true ]; then + NGINX_CONFIG_PARAMS+=( + --with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto -Wl,-rpath,$LUAJIT_LIB" + --add-dynamic-module=mosc/lua-nginx-module + ) +else + NGINX_CONFIG_PARAMS+=( + --with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto" + ) +fi + cd $HOMEDIRECTORY/nginx -./auto/configure \ ---with-cc=c++ \ ---with-cc-opt="-I../boringssl/include -x c" \ ---with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto -Wl,-rpath,$LUAJIT_LIB" \ ---prefix=/usr/share/nginx \ ---conf-path=/etc/nginx/nginx.conf \ ---http-log-path=/var/log/nginx/access.log \ ---error-log-path=/var/log/nginx/error.log \ ---lock-path=/var/lock/nginx.lock \ ---pid-path=/run/nginx.pid \ ---modules-path=/usr/lib/nginx/modules \ ---http-client-body-temp-path=/var/lib/nginx/body \ ---http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ ---http-proxy-temp-path=/var/lib/nginx/proxy \ ---http-scgi-temp-path=/var/lib/nginx/scgi \ ---http-uwsgi-temp-path=/var/lib/nginx/uwsgi \ ---with-compat \ ---with-debug \ ---with-pcre-jit \ ---with-http_ssl_module \ ---with-http_stub_status_module \ ---with-http_realip_module \ ---with-http_auth_request_module \ ---with-http_v2_module \ ---with-http_v3_module \ ---with-http_dav_module \ ---with-http_slice_module \ ---with-threads \ ---with-http_addition_module \ ---with-http_flv_module \ ---with-http_gunzip_module \ ---with-http_gzip_static_module \ ---with-http_image_filter_module=dynamic \ ---with-http_mp4_module \ ---with-http_perl_module=dynamic \ ---with-http_random_index_module \ ---with-http_secure_link_module \ ---with-http_sub_module \ ---with-http_xslt_module=dynamic \ ---with-mail=dynamic 
\ ---with-mail_ssl_module \ ---with-stream \ ---with-stream_realip_module \ ---with-stream_ssl_module \ ---with-stream_ssl_preread_module \ ---add-dynamic-module=mosc/headers-more-nginx-module \ ---add-dynamic-module=mosc/ngx_http_auth_pam_module \ ---add-dynamic-module=mosc/ngx_cache_purge \ ---add-dynamic-module=mosc/nginx-dav-ext-module \ ---add-dynamic-module=mosc/echo-nginx-module \ ---add-dynamic-module=mosc/ModSecurity-nginx \ ---add-dynamic-module=mosc/ngx_brotli \ ---add-dynamic-module=mosc/lua-nginx-module \ ---add-dynamic-module=mosc/ngx_devel_kit \ ---with-http_geoip_module \ ---with-stream_geoip_module +./auto/configure "${NGINX_CONFIG_PARAMS[@]}" make @@ -140,7 +187,26 @@ if [[ $Nginx_Install == "yes" ]]; then cp $HOMEDIRECTORY/nginx/objs/*.so /lib/nginx/modules rm /usr/sbin/nginx cp $HOMEDIRECTORY/nginx/objs/nginx /usr/sbin/nginx - curl -sSL https://raw.githubusercontent.com/minoplhy/scriptbox/main/nginx_build_script/modules.conf > modules.conf + + cat >modules.conf <> modules.conf + fi + + if [ ! "${DISABLE_LUA}" == true ]; then + echo "load_module /lib/nginx/modules/ngx_http_lua_module.so;" >> modules.conf + fi + cp modules.conf /etc/nginx/modules-enabled else echo "Nginx_Install variable isn't set/vaild. Your Nginx assets location is : '$HOMEDIRECTORY'/nginx/objs"
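Review bot: The `--with-cc-opt` and `--with-ld-opt` entries in `NGINX_CONFIG_PARAMS` carry only the BoringSSL paths (plus the LuaJIT rpath), so unless the toolchain enables them by default, the binary and dynamic modules are built without the hardening flags that distribution packages normally add. Consider extending them, e.g. `--with-cc-opt="-I../boringssl/include -x c -fstack-protector-strong"`, and appending `-Wl,-z,relro -Wl,-z,now` to the `--with-ld-opt` string in both branches of the `DISABLE_LUA` test. The rpath makes nginx load LuaJIT from `/opt/nginx-lua-module/luajit2/lib`, so that directory should stay root-owned and not writable by other users. A comment saying so next to the `-Wl,-rpath` line would be more useful than the unclear `## with-ld-opt is implemented here`.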
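Review bot: The install branch copies the locally generated `modules.conf` into `/etc/nginx/modules-enabled` without testing the result, and the `make` just before the block is not checked, so a failed or partial build still reaches `rm /usr/sbin/nginx` and can leave the host without a working server. Gate the block on the build with `make || exit 1`, and validate after the copy with `/usr/sbin/nginx -t || exit 1`. The heredoc body is not readable in this rendering of the patch, so the `load_module` list could not be checked against the modules the two flags leave out. The enclosing `if [[ $Nginx_Install == "yes" ]]` opens above the hunk and its `fi` lies outside it.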