[HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Since Chrome has dropped HTTP/2 via NPN we need to support HTTP/2 via ALPN.
NGINX on Debian 8, CentOS 6.8, CentOS 7 and Ubuntu 14.04 has been compiled with OpenSSL 1.0.1 which does not support ALPN, so "NO HTTP/2"
ALPN support starts from OpenSSL 1.0.2
This is the official statement from Google about dropping NPN support: http://blog.chromium.org/2016/02/transi ... http2.html

To check the OpenSSL version compiled with your nginx server, type:

Code:
nginx -V

From that you can check:

Code:
[root@test ~]# nginx -V
nginx version: nginx/1.10.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

built with OpenSSL 1.0.1e-fips 11 Feb 2013

We are NOT going to upgrade the system OpenSSL version as I see in other tutorials over the Internet, because that is not recommended; we are only going to recompile nginx with a custom OpenSSL version.
OK, let's do it.
Tested on Debian 8 jessie and VestaCP 0.9.8-16

1. Copy the compile arguments from nginx -V to a text file
It should look like this (maybe a little different in yours):

Code:
--prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

2. Install dependencies

Code:
apt-get install dpkg-dev libpcrecpp0 libgd2-xpm-dev libgeoip-dev libperl-dev

Note: if you are using CentOS 7 install these dependencies (thanks to baijianpeng):

Code:
# yum install gc gcc gcc-c++ pcre-devel zlib-devel make wget openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools gperftools-devel libatomic_ops-devel perl-ExtUtils-Embed -y

3. Change to src folder

Code:
cd /usr/local/src/

4. Download required files:

Code:
wget https://www.openssl.org/source/openssl-1.0.2h.tar.gz
tar -xzvf openssl-1.0.2h.tar.gz
NGINX_VERSION=1.10.1
wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
tar -xvzf nginx-${NGINX_VERSION}.tar.gz
wget http://hg.nginx.org/njs/archive/1c50334fbea6.zip
unzip 1c50334fbea6.zip
cd nginx-${NGINX_VERSION}/

Note that I'm using 1c50334fbea6.zip because that comes compiled with nginx according to the parameters. In the rare case yours is different (check your parameters: --add-dynamic-module=njs-1c50334fbea6/nginx ) you will need to download from here: http://hg.nginx.org/njs/

5. Change parameters
In step 1 you copied the arguments from nginx -V; at the end put:
--with-openssl=/usr/local/src/openssl-1.0.2h
and modify this argument:
--add-dynamic-module=njs-1c50334fbea6/nginx
with:
--add-dynamic-module=/usr/local/src/njs-1c50334fbea6/nginx
It should look like this:

Code:
--prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=/usr/local/src/njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-openssl=/usr/local/src/openssl-1.0.2h

6. Compile.
STOP THE NGINX SERVICE:

Code:
service nginx stop

OK, now check again that you are in the nginx-1.10.1 folder and run the ./configure command with the parameters of your file. DON'T FORGET TO USE YOUR OWN PARAMETERS, THE ONES YOU COPIED TO A FILE IN STEP 1.

Code:
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=/usr/local/src/njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-openssl=/usr/local/src/openssl-1.0.2h

now

Code:
make
make install

It should take some minutes to complete; after it has finished, restart nginx

Code:
service nginx restart

7. Check version

Code:
nginx -V

Code:
root@test:/usr/local/src/nginx-1.10.1# nginx -V
nginx version: nginx/1.10.1
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.2h 3 May 2016
TLS SNI support enabled

There you can see the new OpenSSL version: built with OpenSSL 1.0.2h 3 May 2016
That's all, enjoy! Now you can use HTTP/2 in Chrome.
Last edited by huloza on Fri Sep 30, 2016 2:15 pm, edited 2 times in total.
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
Excellent! :)
I use Debian 8.5. I installed before OpenSSL 1.0.2h:
apt-get -t jessie-backports install openssl
So no need to download OpenSSL 1.0.2h and use:
-–with-openssl=/usr/local/src/openssl-1.0.2h
Thank you so much.
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
hi :)
edica wrote:
Excellent! :)
I use Debian 8.5. I installed before OpenSSL 1.0.2h:
apt-get -t jessie-backports install openssl
So no need to download OpenSSL 1.0.2h and use:
-–with-openssl=/usr/local/src/openssl-1.0.2h
Thank you so much.

It is not recommended to change your OS OpenSSL version, that's why I download the package and use it in the compilation. Debian 8.5 comes with OpenSSL 1.0.1t.
Regards!
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
Yes. But why is it not recommended?
Thank you so much.
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
edica wrote:
Yes. But why is it not recommended?
Thank you so much.

Because of some compatibility issues. Your system is using a tested version (and stable with your OS). I'm not saying you will break your system, but in production scenarios you cannot play with this.
Regards!
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
hi, @huloza,
huloza wrote:
5. change parameters
in step 1 you copied the arguments from nginx -V, at the end put :
-–with-openssl=/usr/local/src/openssl-1.0.2h

Thank you for this tutorial. However, when I copied the above-mentioned line of your code and used it in my arguments (of course with my own path of openssl 1.0.2j), I got the following error when running the "./configure" command:
./configure: error: invalid option "-–with-openssl=/usr/local/src/openssl-1.0.2j"
That is weird. It made me very confused. After a long time checking, I found out that it is because of the second dash symbol in that option, which was copied from your code. In fact, it is not a real dash (-) symbol, maybe it was entered with wrong encoding. After I replaced that one with the correct dash symbol, this error message disappeared.
So, please modify your post to correct the second dash symbol in that option.
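
Steps 1 and 5 of the tutorial, together with a check for the non-ASCII dash reported in the post above, as an added example (not code from the original posts). The sample `nginx -V` output is constructed and shortened, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Constructed, shortened sample of `nginx -V` output;
# on a real server capture it with: nginx -V 2>&1
SAMPLE_NGINX_V="nginx version: nginx/1.10.1
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --add-dynamic-module=njs-1c50334fbea6/nginx --with-http_v2_module --with-cc-opt='-O2 -g'"

# Print the OpenSSL version nginx was built with, e.g. "1.0.1e-fips".
built_openssl() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'
}

# Succeed only if the version is 1.0.2 or later (ALPN support starts there).
supports_alpn() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')    # 1.0.1e-fips -> 1.0.1
    lowest=$(printf '%s\n' 1.0.2 "$ver" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ -n "$ver" ] && [ "$lowest" = "1.0.2" ]
}

# Steps 1 and 5: take the old configure arguments, make the njs module path
# absolute under $2, and append --with-openssl=$3 (typed with ASCII hyphens).
new_configure_args() {
    printf '%s\n' "$1" |
        sed -n 's/^configure arguments: //p' |
        sed -e "s#--add-dynamic-module=njs-#--add-dynamic-module=$2/njs-#" \
            -e "s#\$# --with-openssl=$3#"
}

# Succeed only if every byte is printable ASCII; an en dash pasted from a web
# page (bytes E2 80 93) is what makes ./configure report "invalid option".
ascii_only() {
    [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d '\040-\176')" ]
}

old=$(built_openssl "$SAMPLE_NGINX_V")
supports_alpn "$old" || echo "nginx is built with OpenSSL $old (no ALPN): rebuild needed"
args=$(new_configure_args "$SAMPLE_NGINX_V" /usr/local/src /usr/local/src/openssl-1.0.2h)
if ascii_only "$args"; then
    echo "./configure $args"
else
    echo "refusing to run: non-ASCII character in configure arguments" >&2
fi
```

Running the same `ascii_only` check on an argument file copied from a web page catches the typographic dash before `./configure` does.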
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
When I follow this tutorial on CentOS 7 and run the "./configure" command, I got several errors about certain libraries not found. For example:

checking for C compiler ... not found
./configure: error: C compiler cc is not found

and

checking for PCRE library ... not found

and

checking for zlib library ... not found

and

checking for libxslt ... not found
checking for libxslt in /usr/local/ ... not found
checking for libxslt in /usr/pkg/ ... not found
checking for libxslt in /opt/local/ ... not found
./configure: error: the HTTP XSLT module requires the libxml2/libxslt
libraries. You can either do not enable the module or install the libraries.

... etc.

Then after some Googling, I got this solution:
Just install the prerequisite packages required for Nginx installation before running the "./configure" command:

Code:
# yum install gc gcc gcc-c++ pcre-devel zlib-devel make wget openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools gperftools-devel libatomic_ops-devel perl-ExtUtils-Embed -y

Then there will be no errors about ".... not found". Great!
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
huloza wrote:
Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN

The great tutorial! Thank you very much!

baijianpeng wrote:
When I follow this tutorial on CentOS 7...
Install prerequisite packages require for Nginx installation before running "./configure" command:

Code:
# yum install gc gcc gcc-c++ pcre-devel zlib-devel make wget openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools gperftools-devel libatomic_ops-devel perl-ExtUtils-Embed -y

Centos 7, kvm, nginx+php-fpm, vesta 0.9.8, nginx/1.10.1
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
We celebrated too early. Read this post: https://imququ.com/post/nginx-http2-post-bug.html .
It says NginX before v1.11 has a POST bug which will cause form submission to fail. So we need to upgrade nginx to v1.11.
But the NginX installed by VestaCP is v1.10.1. So we need to modify the repo file to do it:

Code:
# vim /etc/yum.repos.d/nginx.repo

Change the baseurl line to :

Then we can upgrade nginx by:

Code:
# systemctl stop nginx
# yum clean all && yum upgrade nginx
# systemctl restart nginx

This command will upgrade the current nginx 1.10.1 to v1.11, but it will be "built with OpenSSL 1.0.1e-fips" again.
Then we have to use the above steps, again, to re-compile nginx 1.11.4 with openssl 1.0.2j; finally we still got "built with OpenSSL 1.0.2j".
Re: [HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8
Thanks, corrected!

baijianpeng wrote:
hi, @huloza,
huloza wrote:
5. change parameters
in step 1 you copied the arguments from nginx -V, at the end put :
-–with-openssl=/usr/local/src/openssl-1.0.2h

Thank you for this tutorial. However, when I copied the above-mentioned line of your code and used it in my arguments (of course with my own path of openssl 1.0.2j), I got the following error when running the "./configure" command:
./configure: error: invalid option "-–with-openssl=/usr/local/src/openssl-1.0.2j"
That is weird. It made me very confused. After a long time checking, I found out that it is because of the second dash symbol in that option, which was copied from your code. In fact, it is not a real dash (-) symbol, maybe it was entered with wrong encoding. After I replaced that one with the correct dash symbol, this error message disappeared.
So, please modify your post to correct the second dash symbol in that option.

Regards!