
[HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Posted: Mon Aug 29, 2016 12:33 am
by huloza
Since Chrome has dropped HTTP/2 via NPN we need to support HTTP/2 via ALPN.

NGINX on Debian 8, CentOS 6.8, CentOS 7 and Ubuntu 14.04 has been compiled with OpenSSL 1.0.1, which does not support ALPN, so "NO HTTP/2".

ALPN support starts from OpenSSL 1.0.2.

This is the official statement from Google about dropping NPN support: http://blog.chromium.org/2016/02/transi ... http2.html

To check the OpenSSL version your nginx server was compiled with, type:

Code:

nginx -V

Code:

[root@test ~]# nginx -V
nginx version: nginx/1.10.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
from that you can check:

built with OpenSSL 1.0.1e-fips 11 Feb 2013

We are NOT going to upgrade the system OpenSSL version as I see in other tutorials over the Internet, because that is not recommended; we are only going to recompile nginx with a custom OpenSSL version.

OK, let's do it.

Tested on debian 8 jessie and VestaCP 0.9.8-16

1. copy the compile arguments from nginx -V to a text file

It should look like this (maybe a little different in yours):

Code:

--prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
2. Install dependencies

Code:

apt-get install dpkg-dev libpcrecpp0 libgd2-xpm-dev libgeoip-dev libperl-dev
Note: if you are using CentOS 7, install these dependencies (thanks to baijianpeng):

Code:

 # yum install gc gcc gcc-c++ pcre-devel zlib-devel make wget openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools gperftools-devel libatomic_ops-devel perl-ExtUtils-Embed -y 

3. change to src folder

Code:

 cd /usr/local/src/
4. download required files:

Code:

  
  
  wget https://www.openssl.org/source/openssl-1.0.2h.tar.gz
  tar -xzvf openssl-1.0.2h.tar.gz

  NGINX_VERSION=1.10.1
  wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
  tar -xvzf nginx-${NGINX_VERSION}.tar.gz
  
  wget http://hg.nginx.org/njs/archive/1c50334fbea6.zip
  unzip 1c50334fbea6.zip

  cd nginx-${NGINX_VERSION}/
Note that I'm using 1c50334fbea6.zip because that is what nginx was compiled with according to the parameters; in the rare case yours is different (check your parameters: --add-dynamic-module=njs-1c50334fbea6/nginx) you will need to download from here: http://hg.nginx.org/njs/

5. change parameters

in step 1 you copied the arguments from nginx -V, at the end put :

--with-openssl=/usr/local/src/openssl-1.0.2h

and modify this argument:

--add-dynamic-module=njs-1c50334fbea6/nginx

with:

--add-dynamic-module=/usr/local/src/njs-1c50334fbea6/nginx

should look like this:

Code:

--prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=/usr/local/src/njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-openssl=/usr/local/src/openssl-1.0.2h

6. Compile.


STOP THE NGINX SERVICE:

Code:

service nginx stop
OK, now check again that you are in the nginx-1.10.1 folder and run the ./configure command with the parameters from your file. DON'T FORGET TO USE YOUR OWN PARAMETERS, THE ONES YOU COPIED TO A FILE IN STEP 1.

Code:

./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=/usr/local/src/njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-openssl=/usr/local/src/openssl-1.0.2h
now

Code:

make
make install
This should take some minutes to complete; after it has finished, restart nginx:

Code:

service nginx restart
7. check version

Code:

nginx -V

Code:

root@test:/usr/local/src/nginx-1.10.1# nginx -V
nginx version: nginx/1.10.1
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.2h  3 May 2016
TLS SNI support enabled

There you can see the new OpenSSL version: built with OpenSSL 1.0.2h 3 May 2016

That's all, enjoy! Now you can use HTTP/2 in Chrome.
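
Steps 1 and 5 of the post above done mechanically, as an added example that is not part of the original thread: it derives the new `./configure` arguments from `nginx -V` output and refuses any argument string containing a non-ASCII character such as a typographic dash. The names `build_configure_args`, `SRC_DIR`, `OPENSSL_DIR` and the shortened sample are this example's own; the paths mirror the ones used in the tutorial.

```shell
#!/bin/sh
# Added example: build the ./configure argument string for steps 1 and 5.
# Assumed paths, taken from the tutorial; change them to match your host.
SRC_DIR=/usr/local/src
OPENSSL_DIR="$SRC_DIR/openssl-1.0.2h"

# stdin: text of `nginx -V` (nginx prints it on stderr, so use `nginx -V 2>&1`)
# stdout: adjusted argument string
# return: 1 = no "configure arguments:" line, 2 = non-ASCII byte in the result
build_configure_args() {
    local args
    args=$(sed -n 's/^configure arguments: //p')
    [ -n "$args" ] || return 1
    # Step 5: a relative --add-dynamic-module path becomes absolute under SRC_DIR.
    args=$(printf '%s\n' "$args" |
        sed -E "s#--add-dynamic-module=([^/ ][^ ]*)#--add-dynamic-module=$SRC_DIR/\1#g")
    # Step 5: append the OpenSSL source tree unless it is already present.
    case "$args" in
        *--with-openssl=*) ;;
        *) args="$args --with-openssl=$OPENSSL_DIR" ;;
    esac
    # Anything outside printable ASCII (for example an en dash pasted from a
    # web page) makes ./configure fail with "invalid option", so stop here.
    if printf '%s' "$args" | LC_ALL=C grep -q '[^ -~]'; then
        return 2
    fi
    printf '%s\n' "$args"
}

# Constructed sample, shortened from the output shown in the post.
SAMPLE='nginx version: nginx/1.10.1
built with OpenSSL 1.0.1e-fips 11 Feb 2013
configure arguments: --prefix=/etc/nginx --add-dynamic-module=njs-1c50334fbea6/nginx --with-http_v2_module'
printf '%s\n' "$SAMPLE" | build_configure_args
```

On a real host, capture the result with `args=$(nginx -V 2>&1 | build_configure_args)` and run `eval "./configure $args"` from the nginx source folder, so that the quoted `--with-cc-opt` value is passed as one argument.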

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Posted: Wed Aug 31, 2016 4:49 pm
by edica
Excellent! :)

I use Debian 8.5. I installed before OpenSSL 1.0.2h:
apt-get -t jessie-backports install openssl

So no need to download OpenSSL 1.0.2h and use:
--with-openssl=/usr/local/src/openssl-1.0.2h

Thank you so much.

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Posted: Tue Sep 06, 2016 12:57 am
by huloza
edica wrote:Excellent! :)

I use Debian 8.5. I installed before OpenSSL 1.0.2h:
apt-get -t jessie-backports install openssl

So no need to download OpenSSL 1.0.2h and use:
--with-openssl=/usr/local/src/openssl-1.0.2h

Thank you so much.
Hi :)

It is not recommended to change your OS OpenSSL version; that's why I download the package and use it in the compilation. Debian 8.5 comes with OpenSSL 1.0.1t.

Regards!

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Posted: Thu Sep 08, 2016 11:14 pm
by edica
Yes. But why is it not recommended?

Thank you so much.

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Posted: Tue Sep 27, 2016 10:37 pm
by huloza
edica wrote:Yes. But why is it not recommended?

Thank you so much.

Because of some compatibility issues; your system is using a tested version (and stable with your OS). I'm not saying you will break your system, but in production scenarios you cannot play with this.

Regards!

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Posted: Wed Sep 28, 2016 11:11 am
by baijianpeng
huloza wrote: 5. change parameters

in step 1 you copied the arguments from nginx -V, at the end put :

-–with-openssl=/usr/local/src/openssl-1.0.2h
Hi, @huloza,

Thank you for this tutorial. However, when I copy the above-mentioned line of your code and use it in my arguments (of course with my own path of openssl 1.0.2j), I get the following error when running the "./configure" command:
./configure: error: invalid option "-–with-openssl=/usr/local/src/openssl-1.0.2j"
That is weird. It made me very confused. After a long time checking, I found out that it is because of the second dash symbol in that option, which was copied from your code. In fact, it is not a real dash (-) symbol; maybe it was entered with the wrong encoding. After I replaced that one with the correct dash symbol, this error message disappeared.

So, please modify your post to correct the second dash symbol in that option.

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Posted: Wed Sep 28, 2016 11:16 am
by baijianpeng
When I follow this tutorial on CentOS 7 and run the "./configure" command, I got several errors about certain libraries not found. For example:
checking for C compiler ... not found

./configure: error: C compiler cc is not found
and
checking for PCRE library ... not found
and
checking for zlib library ... not found
and
checking for libxslt ... not found
checking for libxslt in /usr/local/ ... not found
checking for libxslt in /usr/pkg/ ... not found
checking for libxslt in /opt/local/ ... not found

./configure: error: the HTTP XSLT module requires the libxml2/libxslt
libraries. You can either do not enable the module or install the libraries.
... etc.

Then after some Googling, I got this solution:

Just install the prerequisite packages required for the Nginx installation before running the "./configure" command:

Code:

# yum install gc gcc gcc-c++ pcre-devel zlib-devel make wget openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools gperftools-devel libatomic_ops-devel perl-ExtUtils-Embed -y
Then there will be no errors about ".... not found" . Great!

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Posted: Thu Sep 29, 2016 9:10 am
by Brainstem
huloza wrote:Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN
baijianpeng wrote:When I follow this tutorial on CentOS 7...
Install prerequisite packages require for Nginx installation before running "./configure" command:

Code:

# yum install gc gcc gcc-c++ pcre-devel zlib-devel make wget openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools gperftools-devel libatomic_ops-devel perl-ExtUtils-Embed -y
Great tutorial! Thank you very much!
Centos 7, kvm, nginx+php-fpm, vesta 0.9.8, nginx/1.10.1

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Posted: Fri Sep 30, 2016 12:54 am
by baijianpeng
We celebrated too early. Read this post: https://imququ.com/post/nginx-http2-post-bug.html .

It says NginX before v1.11 has a POST bug which will cause form submission to fail. So we need to upgrade nginx to v1.11.

But the NginX installed by VestaCP is v1.10.1. So we need to modify the repo file to do it:

Code:

# vim /etc/yum.repos.d/nginx.repo
Change the baseurl line to :
Then we can upgrade to nginx by:

Code:

# systemctl stop nginx
# yum clean all && yum upgrade nginx
# systemctl restart nginx
This command will upgrade the current nginx 1.10.1 to v1.11, but it will be "built with OpenSSL 1.0.1e-fips" again.

Then we have to use the above steps again to re-compile nginx 1.11.4 with openssl 1.0.2j; finally we still got "built with OpenSSL 1.0.2j".
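
A guard for the regression described in the post above (a package upgrade silently restoring a binary built against OpenSSL 1.0.1), which is also the `nginx -V` check from the start of the thread, written as an added example that is not part of the original thread. The function names and the shortened sample are this example's own; the 1.0.2 threshold is the one the first post states for ALPN.

```shell
#!/bin/sh
# Added example: decide from `nginx -V` text whether the binary can do ALPN.

# stdin: `nginx -V 2>&1` output; stdout: the version after "built with OpenSSL".
built_openssl_version() {
    sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p' | head -n 1
}

# $1: version such as 1.0.1e-fips or 1.0.2h
# return: 0 = 1.0.2 or newer (ALPN), 1 = older, 2 = not a parseable version
openssl_has_alpn() {
    printf '%s\n' "$1" | awk -F. '
        NF < 3 || $1 !~ /^[0-9]+$/ { exit 2 }
        {
            sub(/[^0-9].*/, "", $3)          # "2h" -> "2", "1e-fips" -> "1"
            maj = $1 + 0; min = $2 + 0; pat = $3 + 0
            exit !(maj > 1 || (maj == 1 && (min > 0 || pat >= 2)))
        }'
}

# stdin: `nginx -V 2>&1` output. Run it after every nginx package upgrade.
check_nginx_alpn() {
    local ver
    ver=$(built_openssl_version)
    if openssl_has_alpn "$ver"; then
        echo "OK: built with OpenSSL $ver, ALPN available"
    else
        echo "WARN: built with OpenSSL ${ver:-unknown}, no ALPN: recompile" >&2
        return 1
    fi
}

# Constructed sample, shortened from the CentOS output shown in the thread.
SAMPLE_OLD='nginx version: nginx/1.10.1
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled'
printf '%s\n' "$SAMPLE_OLD" | check_nginx_alpn || true
```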

Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Posted: Fri Sep 30, 2016 2:09 pm
by huloza
baijianpeng wrote:
huloza wrote: 5. change parameters

in step 1 you copied the arguments from nginx -V, at the end put :

-–with-openssl=/usr/local/src/openssl-1.0.2h
Hi, @huloza,

Thank you for this tutorial. However, when I copy the above-mentioned line of your code and use it in my arguments (of course with my own path of openssl 1.0.2j), I get the following error when running the "./configure" command:
./configure: error: invalid option "-–with-openssl=/usr/local/src/openssl-1.0.2j"
That is weird. It made me very confused. After a long time checking, I found out that it is because of the second dash symbol in that option, which was copied from your code. In fact, it is not a real dash (-) symbol; maybe it was entered with the wrong encoding. After I replaced that one with the correct dash symbol, this error message disappeared.

So, please modify your post to correct the second dash symbol in that option.
Thanks, corrected!

Regards!