[HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
Since Chrome has dropped HTTP/2 via NPN we need to support HTTP/2 via ALPN.
NGINX on Debian 8, CentOS 6.8, CentOS 7 and Ubuntu 14.04 has been compiled with OpenSSL 1.0.1, which does not support ALPN, so "NO HTTP/2".
ALPN support starts from OpenSSL 1.0.2.
This is the official statement from Google about dropping NPN support: http://blog.chromium.org/2016/02/transi ... http2.html
To check the OpenSSL version compiled with your nginx server, type:
Code: Select all
nginx -V
From that you can check:
Code: Select all
[root@test ~]# nginx -V
nginx version: nginx/1.10.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
built with OpenSSL 1.0.1e-fips 11 Feb 2013
We are NOT going to upgrade the system OpenSSL version as I see in other tutorials over the Internet, because that is not recommended; we are only going to recompile nginx with a custom OpenSSL version.
OK, let's do it.
Tested on Debian 8 jessie and VestaCP 0.9.8-16
1. Copy the compile arguments from nginx -V to a text file
It should look like this (maybe a little different in yours):
Code: Select all
--prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
2. Install dependencies
Code: Select all
apt-get install dpkg-dev libpcrecpp0 libgd2-xpm-dev libgeoip-dev libperl-dev
Note: if you are using CentOS 7, install these dependencies (thanks to baijianpeng):
Code: Select all
# yum install gc gcc gcc-c++ pcre-devel zlib-devel make wget openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools gperftools-devel libatomic_ops-devel perl-ExtUtils-Embed -y
3. Change to the src folder
Code: Select all
cd /usr/local/src/
4. Download the required files:
Code: Select all
wget https://www.openssl.org/source/openssl-1.0.2h.tar.gz
tar -xzvf openssl-1.0.2h.tar.gz
NGINX_VERSION=1.10.1
wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
tar -xvzf nginx-${NGINX_VERSION}.tar.gz
wget http://hg.nginx.org/njs/archive/1c50334fbea6.zip
unzip 1c50334fbea6.zip
cd nginx-${NGINX_VERSION}/
Note that I'm using 1c50334fbea6.zip because that comes compiled with nginx according to the parameters; in the rare case yours is different (check your parameters: --add-dynamic-module=njs-1c50334fbea6/nginx) you will need to download it from here: http://hg.nginx.org/njs/
5. Change parameters
In step 1 you copied the arguments from nginx -V; at the end put:
--with-openssl=/usr/local/src/openssl-1.0.2h
and modify this argument:
--add-dynamic-module=njs-1c50334fbea6/nginx
with:
--add-dynamic-module=/usr/local/src/njs-1c50334fbea6/nginx
It should look like this:
Code: Select all
--prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=/usr/local/src/njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-openssl=/usr/local/src/openssl-1.0.2h
6. Compile.
STOP THE NGINX SERVICE:
Code: Select all
service nginx stop
OK, now check again that you are in the nginx-1.10.1 folder and run the ./configure command with the parameters of your file. DON'T FORGET TO USE YOUR OWN PARAMETERS, WHICH YOU COPIED TO A FILE IN STEP 1.
Code: Select all
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=/usr/local/src/njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-openssl=/usr/local/src/openssl-1.0.2h
Now:
Code: Select all
make
make install
It should take some minutes to complete; after it has finished, restart nginx:
Code: Select all
service nginx restart
7. Check version
Code: Select all
nginx -V
Code: Select all
root@test:/usr/local/src/nginx-1.10.1# nginx -V
nginx version: nginx/1.10.1
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.2h 3 May 2016
TLS SNI support enabled
There you can see the new OpenSSL version: built with OpenSSL 1.0.2h 3 May 2016
That's all, enjoy! Now you can use HTTP/2 in Chrome.
Last edited by huloza on Fri Sep 30, 2016 2:15 pm, edited 2 times in total.
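Added example, not part of huloza's post: steps 1 and 7 compare two `nginx -V` outputs by eye, and the shell functions below make the same check scriptable. The function names and the shortened sample outputs are constructed for illustration; the check assumes HTTP/2 over ALPN needs both `--with-http_v2_module` and a build against OpenSSL 1.0.2 or later.

```bash
#!/bin/sh
# Added example: decide from `nginx -V` output whether the binary can
# negotiate HTTP/2 via ALPN. Not code from the original post.

# Constructed samples, shortened from the two outputs shown in the post.
BEFORE='nginx version: nginx/1.10.1
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module'
AFTER='nginx version: nginx/1.10.1
built with OpenSSL 1.0.2h 3 May 2016
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module --with-openssl=/usr/local/src/openssl-1.0.2h'

# Print the OpenSSL version from the "built with OpenSSL ..." line.
built_openssl_version() {
    printf '%s\n' "$1" | awk '/^built with OpenSSL / { print $4; exit }'
}

# Succeed if version $1 (e.g. 1.0.1e-fips, 1.0.2h, 1.1.0) is >= 1.0.2.
version_has_alpn() {
    printf '%s\n' "$1" | awk -F. '{
        sub(/[^0-9].*/, "", $3)        # drop letter/suffix: "1e-fips" -> "1"
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        ok = (maj > 1) || (maj == 1 && min > 0) || (maj == 1 && min == 0 && pat >= 2)
        exit (ok ? 0 : 1)
    }'
}

# Print a verdict; return 0 only if both requirements are met.
nginx_alpn_ready() {
    ver=$(built_openssl_version "$1")
    case "$1" in
        *--with-http_v2_module*) ;;
        *) echo "FAIL: built without --with-http_v2_module"; return 1 ;;
    esac
    if version_has_alpn "$ver"; then
        echo "OK: built with OpenSSL $ver (ALPN available)"
    else
        echo "FAIL: built with OpenSSL ${ver:-unknown} (no ALPN, needs 1.0.2+)"
        return 1
    fi
}

# Live use: nginx -V writes to stderr, so call
#   nginx_alpn_ready "$(nginx -V 2>&1)"
nginx_alpn_ready "$BEFORE" || true
nginx_alpn_ready "$AFTER" || true
```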
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
Excellent! :)
I use Debian 8.5. I installed before OpenSSL 1.0.2h:
apt-get -t jessie-backports install openssl
So no need to download OpenSSL 1.0.2h and use:
--with-openssl=/usr/local/src/openssl-1.0.2h
Thank you so much.
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
edica wrote:
Excellent! :)
I use Debian 8.5. I installed before OpenSSL 1.0.2h:
apt-get -t jessie-backports install openssl
So no need to download OpenSSL 1.0.2h and use:
--with-openssl=/usr/local/src/openssl-1.0.2h
Thank you so much.

hi :)
It is not recommended to change your OS OpenSSL version; that's why I download the package and use it in the compilation. Debian 8.5 comes with OpenSSL 1.0.1t.
Regards!
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
Yes. But why is it not recommended?
Thank you so much.
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
edica wrote:
Yes. But why is it not recommended?
Thank you so much.

Because of some compatibility issues: your system is using a tested version (and stable with your OS). I'm not saying you will break your system, but in production scenarios you cannot play with this.
Regards!
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
huloza wrote:
5. change parameters
in step 1 you copied the arguments from nginx -V, at the end put :
-–with-openssl=/usr/local/src/openssl-1.0.2h

hi, @huloza,
Thank you for this tutorial. However, when I copy the above-mentioned line of your code and use it in my arguments (of course with my own path of openssl 1.0.2j), I got the following error when running the "./configure" command:
./configure: error: invalid option "-–with-openssl=/usr/local/src/openssl-1.0.2j"
That is weird. It made me very confused. After a long time checking, I found out that it is because of the second dash symbol in that option, which was copied from your code. In fact, it is not a real dash (-) symbol; maybe it was entered with the wrong encoding. After I replaced that one with the correct dash symbol, this error message disappeared.
So, please modify your post to correct the second dash symbol in that option.
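The failure described in this post comes from a typographic dash (U+2013) pasted in place of an ASCII hyphen. As an added example that is not part of the thread, the shell functions below flag such tokens in a saved argument list and normalize them; the function names and the sample argument string are constructed for illustration.

```bash
#!/bin/sh
# Added example: catch typographic dashes in configure arguments pasted
# from a web page before ./configure rejects them. Not code from the thread.

EN_DASH=$(printf '\342\200\223')   # U+2013 as UTF-8 bytes
EM_DASH=$(printf '\342\200\224')   # U+2014 as UTF-8 bytes

# Constructed sample: the option from the post, whose second dash is U+2013.
BAD_ARGS="--with-http_v2_module -${EN_DASH}with-openssl=/usr/local/src/openssl-1.0.2j"

# Print each whitespace-separated token that contains a byte outside
# printable ASCII (0x20-0x7e). Prints nothing for clean arguments.
non_ascii_tokens() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' | while IFS= read -r tok; do
        ascii=$(printf '%s' "$tok" | LC_ALL=C tr -cd '\040-\176')
        [ "$tok" = "$ascii" ] || printf '%s\n' "$tok"
    done
}

# Replace en and em dashes with the ASCII hyphen-minus.
normalize_dashes() {
    printf '%s\n' "$1" | LC_ALL=C sed -e "s/${EN_DASH}/-/g" -e "s/${EM_DASH}/-/g"
}

# Return 0 if the arguments are plain ASCII, 1 otherwise.
args_are_clean() {
    [ -z "$(non_ascii_tokens "$1")" ]
}

if ! args_are_clean "$BAD_ARGS"; then
    echo "suspicious tokens (bytes shown by od):"
    non_ascii_tokens "$BAD_ARGS" | LC_ALL=C od -An -c
    echo "normalized: $(normalize_dashes "$BAD_ARGS")"
fi
```

Run `args_are_clean "$(cat your-args-file)"` on the file saved in step 1 before passing it to `./configure`; the file name here is a placeholder.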
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
When I follow this tutorial on CentOS 7 and run the "./configure" command, I got several errors about certain libraries not found. For example:
checking for C compiler ... not found
./configure: error: C compiler cc is not found
and
checking for PCRE library ... not found
and
checking for zlib library ... not found
and
checking for libxslt ... not found
checking for libxslt in /usr/local/ ... not found
checking for libxslt in /usr/pkg/ ... not found
checking for libxslt in /opt/local/ ... not found
./configure: error: the HTTP XSLT module requires the libxml2/libxslt
libraries. You can either do not enable the module or install the libraries.
... etc.
Then after some Googling, I got this solution:
Just install the prerequisite packages required for Nginx installation before running the "./configure" command:
Code: Select all
# yum install gc gcc gcc-c++ pcre-devel zlib-devel make wget openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools gperftools-devel libatomic_ops-devel perl-ExtUtils-Embed -y
Then there will be no errors about ".... not found". Great!
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
huloza wrote:
Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN

The great tutorial! Thank you very much!

baijianpeng wrote:
When I follow this tutorial on CentOS 7...
Install prerequisite packages require for Nginx installation before running "./configure" command:
Code: Select all
# yum install gc gcc gcc-c++ pcre-devel zlib-devel make wget openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools gperftools-devel libatomic_ops-devel perl-ExtUtils-Embed -y
Centos 7, kvm, nginx+php-fpm, vesta 0.9.8, nginx/1.10.1
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
We celebrated too early. Read this post: https://imququ.com/post/nginx-http2-post-bug.html .
It said NginX before v1.11 has a POST bug which will cause form submission to fail. So we need to upgrade nginx to v1.11.
But the NginX installed by VestaCP is v1.10.1. So we need to modify the repo file to do it:
Code: Select all
# vim /etc/yum.repos.d/nginx.repo
Change the baseurl line to :
Then we can upgrade to nginx by:
Code: Select all
# systemctl stop nginx
# yum clean all && yum upgrade nginx
# systemctl restart nginx
This command will upgrade current nginx 1.10.1 to v1.11, but it will be "built with OpenSSL 1.0.1e-fips" again.
Then, we have to use the above steps again to re-compile nginx 1.11.4 with openssl 1.0.2j; finally we still got "built with OpenSSL 1.0.2j".
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
baijianpeng wrote:
huloza wrote:
5. change parameters
in step 1 you copied the arguments from nginx -V, at the end put :
-–with-openssl=/usr/local/src/openssl-1.0.2h

hi, @huloza,
Thank you for this tutorial. However, when I copy the above-mentioned line of your code and use it in my arguments (of course with my own path of openssl 1.0.2j), I got the following error when running the "./configure" command:
./configure: error: invalid option "-–with-openssl=/usr/local/src/openssl-1.0.2j"
That is weird. It made me very confused. After a long time checking, I found out that it is because of the second dash symbol in that option, which was copied from your code. In fact, it is not a real dash (-) symbol; maybe it was entered with the wrong encoding. After I replaced that one with the correct dash symbol, this error message disappeared.
So, please modify your post to correct the second dash symbol in that option.

Thanks, corrected!
Regards!