[HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8 Topic is solved


Postby huloza » Fri Sep 30, 2016 2:10 pm

baijianpeng wrote: When I followed this tutorial on CentOS 7 and ran the "./configure" command, I got several errors about certain libraries not being found. For example:

checking for C compiler ... not found

./configure: error: C compiler cc is not found


and

checking for PCRE library ... not found


and

checking for zlib library ... not found


and

checking for libxslt ... not found
checking for libxslt in /usr/local/ ... not found
checking for libxslt in /usr/pkg/ ... not found
checking for libxslt in /opt/local/ ... not found

./configure: error: the HTTP XSLT module requires the libxml2/libxslt
libraries. You can either do not enable the module or install the libraries.


... etc.

Then after some Googling, I got this solution:

Just install the prerequisite packages required for the Nginx installation before running the "./configure" command:

# yum install gc gcc gcc-c++ pcre-devel zlib-devel make wget openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools gperftools-devel libatomic_ops-devel perl-ExtUtils-Embed -y


Then there will be no errors about "... not found". Great!



Thanks! Added to the HowTo.

Regards!


Postby huloza » Fri Sep 30, 2016 2:21 pm

baijianpeng wrote: We celebrated too early. Read this post: https://imququ.com/post/nginx-http2-post-bug.html .

It says NginX before v1.11 has a POST bug which causes form submissions to fail. So we need to upgrade nginx to v1.11.

But the NginX installed by VestaCP is v1.10.1 . So we need to modify the repo file to do it:


# vim /etc/yum.repos.d/nginx.repo


Change the baseurl line to:

baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/


Then we can upgrade nginx by:

# systemctl stop nginx
# yum clean all && yum upgrade nginx
# systemctl restart nginx


This command will upgrade the current nginx 1.10.1 to v1.11, but it will be "built with OpenSSL 1.0.1e-fips" again.

Then we have to use the above steps again to re-compile nginx 1.11.4 with openssl 1.0.2j; finally we got "built with OpenSSL 1.0.2j" again.


I read about this and found a lot of interesting things:

1: Affected Browsers

https://trac.nginx.org/nginx/ticket/959#comment:19

Some clients (notably MS IE/Edge, Safari, iOS applications) show an error or even crash if a stream is rejected;


2: NOT an NGINX bug

https://trac.nginx.org/nginx/ticket/959#comment:20

But please note that this isn't an nginx bug and the affected clients should be fixed.


Now, about your workaround: as said, it mostly affects only iOS browsers, so another solution would be to download nginx 1.11 from source and recompile with that version. I will try this tonight and post the results.

Regards
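The "built with OpenSSL ..." line that the posts above keep checking can be tested mechanically. The following is an added example, not part of any post in this thread: the function names are illustrative, the `nginx -V` samples are constructed, and the 1.0.2 threshold for ALPN is the one in the thread title.

```shell
# Added example, not from the thread. Function names are illustrative and the
# `nginx -V` samples are constructed. ALPN needs OpenSSL 1.0.2 or newer.

# Version nginx was compiled against, e.g. "1.0.1e" from "1.0.1e-fips".
built_openssl() {
    printf '%s\n' "$1" |
        sed -n 's/^built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Version loaded at run time. nginx prints "(running with OpenSSL ...)" only
# when it differs from the build version, so fall back to the build version.
running_openssl() {
    r=$(printf '%s\n' "$1" |
        sed -n 's/.*(running with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1)
    if [ -n "$r" ]; then printf '%s\n' "$r"; else built_openssl "$1"; fi
}

# Succeeds when the given OpenSSL version is 1.0.2 or newer.
has_alpn() {
    num=${1%%[a-z-]*}                 # 1.0.2j -> 1.0.2
    old_ifs=$IFS; IFS=.
    set -- $num                       # split into major minor patch
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 0 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 2 ] && return 0
    return 1
}

# Classify `nginx -V` text as "alpn", "no-alpn" or "unknown". Both versions
# must qualify: ALPN support is compiled in, so a newer runtime library
# cannot add it to a binary built against 1.0.1.
alpn_status() {
    b=$(built_openssl "$1"); r=$(running_openssl "$1")
    if [ -z "$b" ]; then echo unknown
    elif has_alpn "$b" && has_alpn "$r"; then echo alpn
    else echo no-alpn
    fi
}

SAMPLE_OLD='nginx version: nginx/1.11.4
built with OpenSSL 1.0.1e-fips 11 Feb 2013'
SAMPLE_NEW='nginx version: nginx/1.11.4
built with OpenSSL 1.0.2j  26 Sep 2016'
SAMPLE_MIXED='nginx version: nginx/1.11.4
built with OpenSSL 1.0.1e-fips 11 Feb 2013 (running with OpenSSL 1.0.2j  26 Sep 2016)'
for s in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_MIXED"; do alpn_status "$s"; done
# Live use: alpn_status "$(nginx -V 2>&1)"   (nginx -V writes to stderr)
```

Running the live check after every package upgrade catches the case described above, where the repository build silently replaces the recompiled binary.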


Postby ctqui » Thu Feb 02, 2017 8:14 pm

Hi,
I'm on Debian 8 and 2 days ago I got an Nginx update (1.10.3).
The solution was working nicely until 2 days ago; now I can't recompile with OpenSSL, I always have this error:


objs/ngx_modules.o \
-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -ldl -lpthread -lpthread -lcrypt -lpcre /usr/local/src/openssl-1.0.2h/.openssl/lib/libssl.a /usr/local/src/openssl-1.0.2h/.openssl/lib/libcrypto.a -ldl -lz \
-Wl,-E
/usr/bin/ld: /usr/local/src/openssl-1.0.2h/.openssl/lib/libssl.a(s23_meth.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/local/src/openssl-1.0.2h/.openssl/lib/libssl.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
objs/Makefile:310: recipe for target 'objs/nginx' failed
make[1]: *** [objs/nginx] Error 1
make[1]: Leaving directory '/usr/local/src/nginx-1.10.3'
Makefile:8: recipe for target 'build' failed
make: *** [build] Error 2

Has anybody tried since the last apt-get update && apt-get upgrade?

Thanks -
Eric


Postby baijianpeng » Thu Feb 02, 2017 11:18 pm

I had already found a perfect solution to build a "PHP7 + openssl 1.0.2 + nginx 1.11" web environment with VestaCP, it is so simple:

Just use Ubuntu server 16.04 as the OS of your server, then install VestaCP on Ubuntu, all above issues solved!


Postby skurudo » Thu Feb 09, 2017 2:04 pm

baijianpeng wrote: Just use Ubuntu server 16.04 as the OS of your server, then install VestaCP on Ubuntu, all above issues solved!


Ha-ha! It's a really nice solution, but not for everybody ;-)


Postby shanjie » Sun Jun 25, 2017 12:18 pm

baijianpeng wrote: I had already found a perfect solution to build a "PHP7 + openssl 1.0.2 + nginx 1.11" web environment with VestaCP, it is so simple:

Just use Ubuntu server 16.04 as the OS of your server, then install VestaCP on Ubuntu, all above issues solved!


Whenever I use the "Lets Encrypt Support", I always get PUB_KEY: 4096 bit.
Where can I set it so that I get a 2048-bit PUB_KEY instead of 4096?

CloudFront does not support 4096-bit private keys.

