Vesta Control Panel - Forum


[HOWTO] Recompile NGINX with OpenSSL 1.0.2+ for HTTP/2 via ALPN on Debian 8

Section with modification and patches for Vesta

Post by huloza » Fri Sep 30, 2016 2:10 pm

baijianpeng wrote: When I follow this tutorial on CentOS 7 and run the "./configure" command, I got several errors about certain libraries not found. For example:
checking for C compiler ... not found

./configure: error: C compiler cc is not found
and
checking for PCRE library ... not found
and
checking for zlib library ... not found
and
checking for libxslt ... not found
checking for libxslt in /usr/local/ ... not found
checking for libxslt in /usr/pkg/ ... not found
checking for libxslt in /opt/local/ ... not found

./configure: error: the HTTP XSLT module requires the libxml2/libxslt
libraries. You can either do not enable the module or install the libraries.
... etc.

Then after some Googling, I got this solution:

Just install the prerequisite packages required for Nginx installation before running the "./configure" command:

Code:

# yum install gc gcc gcc-c++ pcre-devel zlib-devel make wget openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools gperftools-devel libatomic_ops-devel perl-ExtUtils-Embed -y

Then there will be no errors about ".... not found". Great!

Thanks! Added to the HowTo.

Regards!

Post by huloza » Fri Sep 30, 2016 2:21 pm

baijianpeng wrote: We celebrate too early. Read this post: https://imququ.com/post/nginx-http2-post-bug.html

It said NginX before v1.11 has a POST bug which will cause form submission to fail. So we need to upgrade nginx to v1.11.

But the NginX installed by VestaCP is v1.10.1. So we need to modify the repo file to do it:

Code:

# vim /etc/yum.repos.d/nginx.repo

Change the baseurl line to:
baseurl=http://nginx.org/packages/mainline/cent ... $basearch/

Then we can upgrade nginx by:

Code:

# systemctl stop nginx
# yum clean all && yum upgrade nginx
# systemctl restart nginx

This command will upgrade the current nginx 1.10.1 to v1.11, but it will be "built with OpenSSL 1.0.1e-fips" again.

Then we have to use the above steps, again, to re-compile nginx 1.11.4 with openssl 1.0.2j; finally we still got "built with OpenSSL 1.0.2j".

I read about this and found a lot of interesting things:

1: Affected Browsers

https://trac.nginx.org/nginx/ticket/959#comment:19
"Some clients (notably MS IE/Edge, Safari, iOS applications) show an error or even crash if a stream is rejected;"

2: NOT an NGINX bug

https://trac.nginx.org/nginx/ticket/959#comment:20
"But please note that this isn't an nginx bug and the affected clients should be fixed."

Now, about your workaround: as said, it only affects iOS browsers mostly, so another solution will be to download nginx 1.11 from source and recompile with that version. I will try this tonight and post the results.

Regards
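
A check for the situation described in the quoted post, where a package upgrade leaves nginx "built with OpenSSL 1.0.1e-fips" again (an added example, not part of the original posts). It parses `nginx -V` output; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Feed it: nginx -V 2>&1 | check_nginx_alpn

# Return 0 if an OpenSSL version string such as "1.0.2j" or "1.0.1e-fips"
# is at least 1.0.2, the first release with ALPN support.
openssl_has_alpn() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    if [ "$1" -gt 1 ]; then return 0; fi
    if [ "$1" -eq 1 ] && [ "$2" -gt 0 ]; then return 0; fi
    if [ "$1" -eq 1 ] && [ "$2" -eq 0 ] && [ "$3" -ge 2 ]; then return 0; fi
    return 1
}

# Read `nginx -V` output on stdin, print one status line, and return 0 only
# when the binary has both an ALPN-capable OpenSSL and the HTTP/2 module.
check_nginx_alpn() {
    out=$(cat)
    built=$(printf '%s\n' "$out" |
        sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p' | head -n 1)
    # nginx adds "(running with OpenSSL ...)" when the loaded library differs
    # from the build-time one; that is the version that actually serves TLS.
    running=$(printf '%s\n' "$out" |
        sed -n 's/.*(running with OpenSSL \([^ )]*\).*/\1/p' | head -n 1)
    effective=${running:-$built}
    if [ -z "$effective" ]; then
        echo "FAIL: no OpenSSL version found"; return 1
    fi
    if ! openssl_has_alpn "$effective"; then
        echo "FAIL: OpenSSL $effective has no ALPN (need 1.0.2+)"; return 1
    fi
    case "$out" in
        *--with-http_v2_module*) ;;
        *) echo "FAIL: --with-http_v2_module not in configure arguments"; return 1 ;;
    esac
    echo "OK: OpenSSL $effective with http_v2_module"
}

# Constructed sample: a package upgrade has replaced the custom build.
printf '%s\n' 'nginx version: nginx/1.11.4' \
    'built with OpenSSL 1.0.1e-fips 11 Feb 2013' \
    'configure arguments: --with-http_ssl_module --with-http_v2_module' |
    check_nginx_alpn || true
```

Running it after every package upgrade of nginx catches the silent fallback to the distribution's OpenSSL before clients lose HTTP/2.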

Post by ctqui » Thu Feb 02, 2017 8:14 pm

Hi,
I'm on Debian 8 and 2 days ago I got an Nginx update (1.10.3).
The solution was working nicely until 2 days ago; now I can't recompile with OpenSSL, I always get this error:

Code:

objs/ngx_modules.o \
-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -ldl -lpthread -lpthread -lcrypt -lpcre /usr/local/src/openssl-1.0.2h/.openssl/lib/libssl.a /usr/local/src/openssl-1.0.2h/.openssl/lib/libcrypto.a -ldl -lz \
-Wl,-E
/usr/bin/ld: /usr/local/src/openssl-1.0.2h/.openssl/lib/libssl.a(s23_meth.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/local/src/openssl-1.0.2h/.openssl/lib/libssl.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
objs/Makefile:310: recipe for target 'objs/nginx' failed
make[1]: *** [objs/nginx] Error 1
make[1]: Leaving directory '/usr/local/src/nginx-1.10.3'
Makefile:8: recipe for target 'build' failed
make: *** [build] Error 2

Did somebody try since the last apt-get update && apt-get upgrade?

Thanks -
Eric
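
The ld message in the log above, turned into a small check (an added example, not part of the original post): the link line carries -pie, so every object pulled from the static libssl.a has to be position-independent. The function names and output format are assumptions of this example; nginx's `--with-openssl-opt` configure option is where a flag such as -fPIC is handed to the OpenSSL build, which keeps the PIE hardening instead of dropping -pie.

```shell
#!/bin/sh
# Added example (not from the thread): find static archives that ld rejected
# because the binary is linked as a PIE but the archive was built without -fPIC.

# Read a make/ld log on stdin. Print "<archive> <member>" for each rejected
# object and return 0; return 1 if the log does not show this failure.
find_non_pic_archives() {
    log=$(cat)
    # Only a PIE (or shared) link needs position-independent objects.
    printf '%s\n' "$log" |
        grep -Eq '(^|[[:space:]])-(pie|shared)([[:space:]]|$)' || return 1
    hits=$(printf '%s\n' "$log" | sed -n \
        's|^[^ ]*ld: \(.*\.a\)(\([^)]*\)): relocation R_[A-Z0-9_]* .*recompile with -fPIC.*|\1 \2|p' |
        sort -u)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Sample input: the link flags and ld error lines from the post above.
sample_log() {
    cat <<'EOF'
-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -ldl -lpthread -lpthread -lcrypt -lpcre /usr/local/src/openssl-1.0.2h/.openssl/lib/libssl.a /usr/local/src/openssl-1.0.2h/.openssl/lib/libcrypto.a -ldl -lz \
/usr/bin/ld: /usr/local/src/openssl-1.0.2h/.openssl/lib/libssl.a(s23_meth.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/local/src/openssl-1.0.2h/.openssl/lib/libssl.a: error adding symbols: Bad value
EOF
}

if found=$(sample_log | find_non_pic_archives); then
    echo "rebuild with -fPIC: $found"
fi
```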

Post by baijianpeng » Thu Feb 02, 2017 11:18 pm

I had already found a perfect solution to build a "PHP7 + openssl 1.0.2 + nginx 1.11" web environment with VestaCP, it is so simple:

Just use Ubuntu server 16.04 as the OS of your server, then install VestaCP on Ubuntu, all above issues solved!

Post by skurudo » Thu Feb 09, 2017 2:04 pm

baijianpeng wrote: Just use Ubuntu server 16.04 as the OS of your server, then install VestaCP on Ubuntu, all above issues solved!

Ha-ha! It's a really nice solution, but not for everybody ;-)

Post by shanjie » Sun Jun 25, 2017 12:18 pm

baijianpeng wrote: I had already found a perfect solution to build a "PHP7 + openssl 1.0.2 + nginx 1.11" web environment with VestaCP, it is so simple:

Just use Ubuntu server 16.04 as the OS of your server, then install VestaCP on Ubuntu, all above issues solved!

Whenever I use the "Lets Encrypt Support", I always get PUB_KEY: 4096 bit.
From where can I set so that I will get the 2048 instead of 4096 PUB_KEY?

Cloudfront is not supporting 4096 bit private key.

Post by ouchdigital » Sat Jun 16, 2018 8:40 pm

viewtopic.php?f=11&t=14821&p=71170&hili ... bit#p71170

Here is the answer for you :)

Post by kaavain » Tue Jan 01, 2019 8:25 pm

Hi all! Thanks for great and clear manual... I have the same version of NGINX and parameters line is the same. But while ./configure I've got a lot of "not found"... Is it safe to continue?

checking for sys/filio.h ... not found
checking for O_PATH ... not found
checking for /dev/poll ... not found
checking for kqueue ... not found
checking for crypt() ... not found
checking for F_READAHEAD ... not found
checking for F_NOCACHE ... not found
checking for directio() ... not found
checking for dlopen() ... not found
checking for SO_SETFIB ... not found
checking for SO_ACCEPTFILTER ... not found
checking for IP_RECVDSTADDR ... not found
checking for TCP_FASTOPEN ... not found
checking for kqueue AIO support ... not found
checking for setproctitle() ... not found
checking for PCRE JIT support ... not found

My parameters are:

./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=/usr/local/src/njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-openssl=/usr/local/src/openssl-1.0.2h