[HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
Posted: Mon Aug 29, 2016 12:33 am
Since Chrome has dropped HTTP/2 via NPN we need to support HTTP/2 via ALPN.
NGINX on Debian 8, CentOS 6.8, CentOS 7 and Ubuntu 14.04 is compiled with OpenSSL 1.0.1, which does not support ALPN, so "NO HTTP/2".
ALPN support starts from OpenSSL 1.0.2.
This is the official statement from Google about dropping NPN support: http://blog.chromium.org/2016/02/transi ... http2.html

To check the OpenSSL version compiled into your nginx server, type:
Code:
nginx -V

From that you can check:
Code:
[root@test ~]# nginx -V
nginx version: nginx/1.10.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

built with OpenSSL 1.0.1e-fips 11 Feb 2013

We are NOT going to upgrade the system OpenSSL version, as I see in other tutorials on the Internet, because that is not recommended; we are only going to recompile nginx with a custom OpenSSL version.
OK, let's do it.
Tested on Debian 8 Jessie and VestaCP 0.9.8-16.

1. Copy the compile arguments from nginx -V to a text file
It should look like this (maybe a little different in yours):
Code:
--prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

2. Install dependencies
Code:
apt-get install dpkg-dev libpcrecpp0 libgd2-xpm-dev libgeoip-dev libperl-dev

Note: if you are using CentOS 7, install these dependencies (thanks to baijianpeng):
Code:
yum install gc gcc gcc-c++ pcre-devel zlib-devel make wget openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools gperftools-devel libatomic_ops-devel perl-ExtUtils-Embed -y

3. Change to the src folder
Code:
cd /usr/local/src/

4. Download the required files:
Code:
wget https://www.openssl.org/source/openssl-1.0.2h.tar.gz
tar -xzvf openssl-1.0.2h.tar.gz
NGINX_VERSION=1.10.1
wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
tar -xvzf nginx-${NGINX_VERSION}.tar.gz
wget http://hg.nginx.org/njs/archive/1c50334fbea6.zip
unzip 1c50334fbea6.zip
cd nginx-${NGINX_VERSION}/

Note that I'm using 1c50334fbea6.zip because that is what nginx comes compiled with according to the parameters. In the rare case yours is different (check your parameters: --add-dynamic-module=njs-1c50334fbea6/nginx) you will need to download it from here: http://hg.nginx.org/njs/

5. Change parameters
In step 1 you copied the arguments from nginx -V. At the end, put:
--with-openssl=/usr/local/src/openssl-1.0.2h
and modify this argument:
--add-dynamic-module=njs-1c50334fbea6/nginx
to:
--add-dynamic-module=/usr/local/src/njs-1c50334fbea6/nginx
It should look like this:
Code:
--prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=/usr/local/src/njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-openssl=/usr/local/src/openssl-1.0.2h

6. Compile.
STOP THE NGINX SERVICE:
Code:
service nginx stop

OK, now check again that you are in the nginx-1.10.1 folder and run the ./configure command with the parameters from your file. DON'T FORGET TO USE YOUR OWN PARAMETERS, THE ONES YOU COPIED TO A FILE IN STEP 1.
Code:
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=/usr/local/src/njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-openssl=/usr/local/src/openssl-1.0.2h

Now:
Code:
make
make install

It should take some minutes to complete. After it has finished, restart nginx:
Code:
service nginx restart

7. Check version
Code:
nginx -V

Code:
root@test:/usr/local/src/nginx-1.10.1# nginx -V
nginx version: nginx/1.10.1
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.2h 3 May 2016
TLS SNI support enabled

There you can see the new OpenSSL version: built with OpenSSL 1.0.2h 3 May 2016
That's all, enjoy! Now you can use HTTP/2 in Chrome.
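
The version check from the first and last steps and the argument rewrite from step 5, as an added example that is not part of the original post: it parses `nginx -V` output, decides whether the linked OpenSSL is new enough for ALPN (1.0.2 or later), and builds the new ./configure argument string, rejecting any non-ASCII character such as a typographic dash picked up while copying. The function names and the abbreviated sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed, abbreviated
# `nginx -V` output in the shape the post shows:
SAMPLE_NGINX_V='nginx version: nginx/1.10.1
built with OpenSSL 1.0.1e-fips 11 Feb 2013
configure arguments: --prefix=/etc/nginx --add-dynamic-module=njs-1c50334fbea6/nginx --with-http_v2_module'

# Print the OpenSSL version nginx was built with, e.g. "1.0.1e-fips".
built_openssl() {
  printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'
}

# Succeed only for OpenSSL >= 1.0.2, the first release with ALPN.
supports_alpn() (
  v=${1%%-*}          # drop a "-fips" style suffix
  v=${v%%[a-z]*}      # drop the letter patch level: 1.0.2h -> 1.0.2
  case $v in [0-9]*.[0-9]*.[0-9]*) ;; *) exit 2 ;; esac   # unparseable
  IFS=. read -r major minor patch <<EOF
$v
EOF
  [ "$major" -gt 1 ] ||
    { [ "$major" -eq 1 ] && { [ "$minor" -gt 0 ] || [ "$patch" -ge 2 ]; }; }
)

# Print the value of the "configure arguments:" line (step 1).
configure_args() {
  printf '%s\n' "$1" | sed -n 's/^configure arguments: //p'
}

# Step 5: make the njs module path absolute under $2 and append
# --with-openssl=$3. Fails if the result contains a non-ASCII byte.
rebuild_args() (
  out=$(printf '%s\n' "$1" |
    sed "s|--add-dynamic-module=njs-|--add-dynamic-module=$2/njs-|g")
  out="$out --with-openssl=$3"
  if printf '%s\n' "$out" | LC_ALL=C grep -q '[^ -~]'; then
    echo "non-ASCII character in configure arguments" >&2
    exit 1
  fi
  printf '%s\n' "$out"
)

ver=$(built_openssl "$SAMPLE_NGINX_V")
if supports_alpn "$ver"; then
  echo "OpenSSL $ver: ALPN available"
else
  echo "OpenSSL $ver: no ALPN, rebuild nginx with these arguments:"
  rebuild_args "$(configure_args "$SAMPLE_NGINX_V")" /usr/local/src /usr/local/src/openssl-1.0.2h
fi
```

To audit a live server, pass `"$(nginx -V 2>&1)"` instead of the sample, since nginx writes this output to stderr. `--with-openssl` compiles the given source tree into the nginx binary, so the check is worth repeating after any package upgrade that replaces /usr/sbin/nginx.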