scriptbox/nginx_build_script/README.md

6.2 KiB
Raw Permalink Blame History

nginx_build_script is spin-off from minoplhy/nginquic@ModSecurity_incl branch.

The script here is entirely copied from minoplhy/nginquic@ModSecurity_incl. Which included ModSecurity for my own using.

export Nginx_Install=yes  # This variable is required if you want Nginx to be installed scriptibly (on Debian-based systems).
curl https://raw.githubusercontent.com/minoplhy/scriptbox/main/nginx_build_script/build.sh > ~/nginx_scriptbox.sh
bash ~/nginx_scriptbox.sh

new way to run! :

# With install Nginx
curl https://raw.githubusercontent.com/minoplhy/scriptbox/main/nginx_build_script/build.sh | bash -s -- --install

Arguments

while [ ${#} -gt 0 ]; do
    case "$1" in
        --modsecurity )                     WITH_MODSECURITY=true       ;;  # Include ModSecurity in building
        --lua )                             WITH_LUA=true               ;;  # Include Lua in building
        --no-modsecurity | -nm )            WITH_MODSECURITY=false      ;;  # LEGACY: Not include ModSecurity in building
        --no-lua | -nl )                    WITH_LUA=false              ;;  # LEGACY: Not include Lua in building
        --install | -i )                    INSTALL=true                ;;  # Install Nginx
        --ssl=* )
            SSL_LIB="${1#*=}"
            SSL_LIB="${SSL_LIB,,}"
            case $SSL_LIB in                # Re-define SSL_LIB
                "quictls")                  SSL_LIB="quictls"   ;;
                "boringssl")                SSL_LIB="boringssl" ;;
                "libressl")                 SSL_LIB="libressl"  ;;
                "")
                    echo "ERROR : --ssl= is empty!"
                    exit 1
                    ;;
                *)
                    echo "ERROR : Vaild values for --ssl are -> quictls, boringssl, libressl"
                    exit 1
                    ;;
            esac
            ;;
        --type=* )
            BUILD_TYPE="${1#*=}"
            BUILD_TYPE="${BUILD_TYPE,,}"
            case $BUILD_TYPE in
                "nginx")                    BUILD_TYPE="nginx"      ;;
                "freenginx")                BUILD_TYPE="freenginx"  ;;
                "")
                    echo "ERROR : --type= is empty!"
                    exit 1
                    ;;
                *)
                    echo "ERROR :  Vaild values for --type are -> nginx, freenginx"
                    exit 1
                    ;;
            esac
            ;;
        --nginx-tag=* )
            NGINX_TAG="${1#*=}"             # Specify Nginx/freenginx Tag
            case $NGINX_TAG in
                "")
                    echo "ERROR: --nginx-tag= is empty!"
                    exit 1
                    ;;
                *)
                    ;;
            esac
            ;;
        *)
            ;;
    esac
    shift
done

Note :

  • don't forgot to add necessary lua_package_path directive to nginx.conf, in the http context. else Nginx won't run.
lua_package_path "/usr/local/lua/?.lua;;";
  • LibreSSL is broken when compile with Nginx Lua taken from compiler:
error: implicit declaration of function SSL_client_hello_get0_ext [-Werror=implicit-function-declaration]

systemd Template: Location : /lib/systemd/system/nginx.service

# Stop dance for nginx
# =======================
#
# ExecStop sends SIGSTOP (graceful stop) to the nginx process.
# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
# and sends SIGTERM (fast shutdown) to the main process.
# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
#
# nginx signals reference doc:
# http://nginx.org/en/docs/control.html
#
[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=man:nginx(8)
After=network.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed

[Install]
WantedBy=multi-user.target

Nginx init.d

#!/sbin/openrc-run

description="Nginx http and reverse proxy server"
extra_commands="checkconfig"
extra_started_commands="reload reopen upgrade"

cfgfile=${cfgfile:-/etc/nginx/nginx.conf}
pidfile=/run/nginx.pid
command=${command:-/usr/sbin/nginx}
command_args="-c $cfgfile"
required_files="$cfgfile"

depend() {
        need net
        use dns logger netmount
}

start_pre() {
        checkpath --directory --owner www-data:www-data ${pidfile%/*}
        $command $command_args -t -q
}

checkconfig() {
        ebegin "Checking $RC_SVCNAME configuration"
        start_pre
        eend $?
}

reload() {
        ebegin "Reloading $RC_SVCNAME configuration"
        start_pre && start-stop-daemon --signal HUP --pidfile $pidfile
        eend $?
}

reopen() {
        ebegin "Reopening $RC_SVCNAME log files"
        start-stop-daemon --signal USR1 --pidfile $pidfile
        eend $?
}

upgrade() {
        start_pre || return 1

        ebegin "Upgrading $RC_SVCNAME binary"

        einfo "Sending USR2 to old binary"
        start-stop-daemon --signal USR2 --pidfile $pidfile

        einfo "Sleeping 3 seconds before pid-files checking"
        sleep 3

        if [ ! -f $pidfile.oldbin ]; then
                eerror "File with old pid ($pidfile.oldbin) not found"
                return 1
        fi

        if [ ! -f $pidfile ]; then
                eerror "New binary failed to start"
                return 1
        fi

        einfo "Sleeping 3 seconds before WINCH"
        sleep 3 ; start-stop-daemon --signal 28 --pidfile $pidfile.oldbin

        einfo "Sending QUIT to old binary"
        start-stop-daemon --signal QUIT --pidfile $pidfile.oldbin

        einfo "Upgrade completed"

        eend $? "Upgrade failed"
}

# modified from https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/nginx/nginx.initd