[HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8 Topic is solved

Section with modification and patches for Vesta
huloza
Posts: 17
Joined: Thu Jul 28, 2016 5:15 am

Postby huloza » Mon Aug 29, 2016 12:33 am

Since Chrome has dropped HTTP/2 via NPN we need to support HTTP/2 via ALPN.

NGINX on Debian 8, CentOS 6.8, CentOS 7 and Ubuntu 14.04 has been compiled with OpenSSL 1.0.1, which does not support ALPN, so "NO HTTP/2".

ALPN support starts from OpenSSL 1.0.2.

This is the official statement from Google about dropping NPN support: http://blog.chromium.org/2016/02/transitioning-from-spdy-to-http2.html

To check the OpenSSL version compiled with your nginx server, type:

Code: Select all

nginx -V


Code: Select all

[root@test ~]# nginx -V
nginx version: nginx/1.10.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'


from that you can check:

built with OpenSSL 1.0.1e-fips 11 Feb 2013

We are NOT going to upgrade the system OpenSSL version, as I see in other tutorials over the Internet, because that is not recommended; we are only going to recompile nginx with a custom OpenSSL version.

OK, let's do it.

Tested on Debian 8 jessie and VestaCP 0.9.8-16

1. Copy the compile arguments from nginx -V to a text file

It should look like this (maybe a little different in yours):

Code: Select all

--prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'


2. Install dependencies

Code: Select all

apt-get install dpkg-dev libpcrecpp0 libgd2-xpm-dev libgeoip-dev libperl-dev


Note: if you are using CentOS 7, install these dependencies (thanks to baijianpeng):

Code: Select all

 # yum install gc gcc gcc-c++ pcre-devel zlib-devel make wget openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools gperftools-devel libatomic_ops-devel perl-ExtUtils-Embed -y



3. Change to the src folder

Code: Select all

 cd /usr/local/src/


4. Download the required files:

Code: Select all

 
 
  wget https://www.openssl.org/source/openssl-1.0.2h.tar.gz
  tar -xzvf openssl-1.0.2h.tar.gz

  NGINX_VERSION=1.10.1
  wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
  tar -xvzf nginx-${NGINX_VERSION}.tar.gz
 
  wget http://hg.nginx.org/njs/archive/1c50334fbea6.zip
  unzip 1c50334fbea6.zip

  cd nginx-${NGINX_VERSION}/


Note that I'm using 1c50334fbea6.zip because that comes compiled with nginx according to the parameters; in the rare case yours is different (check your parameters: --add-dynamic-module=njs-1c50334fbea6/nginx ) you will need to download it from here: http://hg.nginx.org/njs/

5. Change parameters

In step 1 you copied the arguments from nginx -V; at the end put:

--with-openssl=/usr/local/src/openssl-1.0.2h

and modify this argument:

--add-dynamic-module=njs-1c50334fbea6/nginx

with:

--add-dynamic-module=/usr/local/src/njs-1c50334fbea6/nginx

It should look like this:

Code: Select all

--prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=/usr/local/src/njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-openssl=/usr/local/src/openssl-1.0.2h



6. Compile.


STOP THE NGINX SERVICE:

Code: Select all

service nginx stop


OK, now check again that you are in the nginx-1.10.1 folder and run the ./configure command with the parameters from your file. DON'T FORGET TO USE YOUR OWN PARAMETERS, WHICH YOU COPIED TO A FILE IN STEP 1.

Code: Select all

./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=/usr/local/src/njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-openssl=/usr/local/src/openssl-1.0.2h


now

Code: Select all

make
make install


It should take some minutes to complete. After it has finished, restart nginx:

Code: Select all

service nginx restart


7. Check version

Code: Select all

nginx -V


Code: Select all

root@test:/usr/local/src/nginx-1.10.1# nginx -V
nginx version: nginx/1.10.1
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.2h  3 May 2016
TLS SNI support enabled



There you can see the new OpenSSL version: built with OpenSSL 1.0.2h 3 May 2016

That's all, enjoy! Now you can use HTTP/2 in Chrome.
Last edited by huloza on Fri Sep 30, 2016 2:15 pm, edited 2 times in total.
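
Steps 1 and 5 of the post above, and the pasted-dash problem reported later in this thread, can be scripted. The following is an added example, not part of huloza's post; it assumes the paths used in the post, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: build the step-5 ./configure
# arguments from saved "nginx -V" output and refuse pasted non-ASCII dashes.
OPENSSL_SRC=/usr/local/src/openssl-1.0.2h   # path used in the post
SRC_DIR=/usr/local/src                      # where the njs archive was unpacked

# Step 1: print the text after "configure arguments:" (nginx -V output on stdin).
extract_args() {
    sed -n 's/^configure arguments: //p'
}

# True only if $1 is printable ASCII. The en dash in "-–with-openssl" is three
# UTF-8 bytes outside that range, so it is caught before ./configure sees it.
ascii_only() {
    [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d '\040-\176')" ]
}

# Step 5: make the njs module path absolute and append --with-openssl once.
build_args() {
    ascii_only "$1" || { echo "non-ASCII character in arguments" >&2; return 1; }
    printf '%s\n' "$1" |
        sed -e "s#--add-dynamic-module=njs-#--add-dynamic-module=$SRC_DIR/njs-#" \
            -e 's# *--with-openssl=[^ ]*##g' \
            -e "s#\$# --with-openssl=$OPENSSL_SRC#"
}

# Constructed, abridged nginx -V output (the real argument list is much longer).
SAMPLE_V="nginx version: nginx/1.10.1
built with OpenSSL 1.0.1e-fips 11 Feb 2013
configure arguments: --prefix=/etc/nginx --add-dynamic-module=njs-1c50334fbea6/nginx --with-http_v2_module --with-cc-opt='-O2 -g'"

args=$(printf '%s\n' "$SAMPLE_V" | extract_args)
build_args "$args"
```

On a real server, feed it `nginx -V 2>&1`, since nginx prints the version information on stderr. The resulting string carries its own quotes (`--with-cc-opt='...'`), so paste it after `./configure` by hand or pass it through `eval`.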

edica
Posts: 101
Joined: Tue May 26, 2015 7:31 pm

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Postby edica » Wed Aug 31, 2016 4:49 pm

Excellent! :)

I use Debian 8.5. I installed before OpenSSL 1.0.2h:
apt-get -t jessie-backports install openssl

So no need to download OpenSSL 1.0.2h and use:
--with-openssl=/usr/local/src/openssl-1.0.2h

Thank you so much.

huloza
Posts: 17
Joined: Thu Jul 28, 2016 5:15 am

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Postby huloza » Tue Sep 06, 2016 12:57 am

edica wrote:Excellent! :)

I use Debian 8.5. I installed before OpenSSL 1.0.2h:
apt-get -t jessie-backports install openssl

So no need to download OpenSSL 1.0.2h and use:
--with-openssl=/usr/local/src/openssl-1.0.2h

Thank you so much.


hi :)

It is not recommended to change your OS OpenSSL version; that's why I download the package and use it in the compilation. Debian 8.5 comes with OpenSSL 1.0.1t.

Regards!

edica
Posts: 101
Joined: Tue May 26, 2015 7:31 pm

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Postby edica » Thu Sep 08, 2016 11:14 pm

Yes. But why is it not recommended?

Thank you so much.

huloza
Posts: 17
Joined: Thu Jul 28, 2016 5:15 am

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Postby huloza » Tue Sep 27, 2016 10:37 pm

edica wrote:Yes. But why is it not recommended?

Thank you so much.



Because of some compatibility issues: your system is using a tested version (and stable with your OS). I'm not saying you will break your system, but in production scenarios you cannot play with this.

Regards!

baijianpeng
Posts: 289
Joined: Tue Dec 22, 2015 2:06 pm

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Postby baijianpeng » Wed Sep 28, 2016 11:11 am

huloza wrote:5. change parameters

in step 1 you copied the arguments from nginx -V, at the end put :

-–with-openssl=/usr/local/src/openssl-1.0.2h



hi, @huloza,

Thank you for this tutorial. However, when I copied the above-mentioned line of your code and used it in my arguments (of course with my own path of openssl 1.0.2j), I got the following error when running the "./configure" command:

./configure: error: invalid option "-–with-openssl=/usr/local/src/openssl-1.0.2j"


That is weird. It made me very confused. After a long time checking, I found out that it is because of the second dash symbol in that option, which was copied from your code. In fact, it is not a real dash (-) symbol; maybe it was entered with the wrong encoding. After I replaced that one with the correct dash symbol, this error message disappeared.

So, please modify your post to correct the second dash symbol in that option.

baijianpeng
Posts: 289
Joined: Tue Dec 22, 2015 2:06 pm

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Postby baijianpeng » Wed Sep 28, 2016 11:16 am

When I followed this tutorial on CentOS 7 and ran the "./configure" command, I got several errors about certain libraries not found. For example:

checking for C compiler ... not found

./configure: error: C compiler cc is not found


and

checking for PCRE library ... not found


and

checking for zlib library ... not found


and

checking for libxslt ... not found
checking for libxslt in /usr/local/ ... not found
checking for libxslt in /usr/pkg/ ... not found
checking for libxslt in /opt/local/ ... not found

./configure: error: the HTTP XSLT module requires the libxml2/libxslt
libraries. You can either do not enable the module or install the libraries.


... etc.

Then after some Googling, I got this solution:

Just install the prerequisite packages required for the Nginx installation before running the "./configure" command:

Code: Select all

# yum install gc gcc gcc-c++ pcre-devel zlib-devel make wget openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools gperftools-devel libatomic_ops-devel perl-ExtUtils-Embed -y


Then there will be no errors about ".... not found" . Great!

Brainstem
Posts: 19
Joined: Tue Sep 27, 2016 11:42 am

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Postby Brainstem » Thu Sep 29, 2016 9:10 am

huloza wrote:Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN

baijianpeng wrote:When I follow this tutorial on CentOS 7...
Install prerequisite packages require for Nginx installation before running "./configure" command:

Code: Select all

# yum install gc gcc gcc-c++ pcre-devel zlib-devel make wget openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools gperftools-devel libatomic_ops-devel perl-ExtUtils-Embed -y

The great tutorial! Thank you very much!
Centos 7, kvm, nginx+php-fpm, vesta 0.9.8, nginx/1.10.1

baijianpeng
Posts: 289
Joined: Tue Dec 22, 2015 2:06 pm

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Postby baijianpeng » Fri Sep 30, 2016 12:54 am

We celebrated too early. Read this post: https://imququ.com/post/nginx-http2-post-bug.html .

It says NginX before v1.11 has a POST bug which will cause form submission to fail. So we need to upgrade nginx to v1.11.

But the NginX installed by VestaCP is v1.10.1. So we need to modify the repo file to do it:

Code: Select all

# vim /etc/yum.repos.d/nginx.repo


Change the baseurl line to :

baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/


Then we can upgrade nginx by:

Code: Select all

# systemctl stop nginx
# yum clean all && yum upgrade nginx
# systemctl restart nginx


This command will upgrade the current nginx 1.10.1 to v1.11, but it will be "built with OpenSSL 1.0.1e-fips" again.

Then we have to use the above steps again to re-compile nginx 1.11.4 with openssl 1.0.2j; finally we still got "built with OpenSSL 1.0.2j".
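
The regression described in the post above, where a package upgrade silently replaces the custom build with one linked against OpenSSL 1.0.1, can be caught with a check run after every upgrade. This is an added example, not code from the thread; the function names and exit codes are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: fail loudly when an nginx binary
# cannot offer HTTP/2 over ALPN, e.g. after a package upgrade replaced
# the custom build. Feed it the output of: nginx -V 2>&1

# Numeric OpenSSL version from the "built with OpenSSL ..." line on stdin.
# ALPN support is compiled in, so the build-time version is the one checked.
built_with_openssl() {
    sed -n 's/^built with OpenSSL \([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# True if version $1 (e.g. 1.0.2) is at least 1.0.2, the first with ALPN.
alpn_capable() {
    printf '%s\n' "$1" |
        awk -F. '{ exit !(($1 * 1000000 + $2 * 1000 + $3) >= 1000002) }'
}

# Returns 0 if the build can do HTTP/2 via ALPN, 1 if OpenSSL is too old,
# 2 if the HTTP/2 module is missing, 3 if no OpenSSL line was found.
check_nginx_build() {
    out=$(cat)
    ver=$(printf '%s\n' "$out" | built_with_openssl)
    [ -n "$ver" ] || { echo "no OpenSSL build line found"; return 3; }
    case $out in
        *--with-http_v2_module*) ;;
        *) echo "http_v2 module not compiled in"; return 2 ;;
    esac
    if alpn_capable "$ver"; then
        echo "OK: built with OpenSSL $ver, ALPN available"
    else
        echo "FAIL: built with OpenSSL $ver, no ALPN (need 1.0.2+)"
        return 1
    fi
}

# Constructed samples modelled on the two nginx -V outputs in this thread,
# with the configure arguments abridged.
OLD="nginx version: nginx/1.10.1
built with OpenSSL 1.0.1e-fips 11 Feb 2013
configure arguments: --prefix=/etc/nginx --with-http_v2_module"
NEW="nginx version: nginx/1.10.1
built with OpenSSL 1.0.2h  3 May 2016
configure arguments: --prefix=/etc/nginx --with-http_v2_module"

printf '%s\n' "$OLD" | check_nginx_build || true
printf '%s\n' "$NEW" | check_nginx_build
```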

huloza
Posts: 17
Joined: Thu Jul 28, 2016 5:15 am

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Postby huloza » Fri Sep 30, 2016 2:09 pm

baijianpeng wrote:
huloza wrote:5. change parameters

in step 1 you copied the arguments from nginx -V, at the end put :

-–with-openssl=/usr/local/src/openssl-1.0.2h



hi, @huloza,

Thank you for this tutorial. However, when I copied the above-mentioned line of your code and used it in my arguments (of course with my own path of openssl 1.0.2j), I got the following error when running the "./configure" command:

./configure: error: invalid option "-–with-openssl=/usr/local/src/openssl-1.0.2j"


That is weird. It made me very confused. After a long time checking, I found out that it is because of the second dash symbol in that option, which was copied from your code. In fact, it is not a real dash (-) symbol; maybe it was entered with the wrong encoding. After I replaced that one with the correct dash symbol, this error message disappeared.

So, please modify your post to correct the second dash symbol in that option.


Thanks, corrected!

Regards!

