SilentImp

Reputation: 2015

Building Nginx and OpenSSL from sources

I am trying to configure nginx to use ALPN for http2. I need to update openssl to do this.

At the moment standalone openssl is updated, but nginx doesn't use it for some reason.

# /etc/nginx $ nginx -V

nginx version: nginx/1.10.3
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -fPIC -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-wa6Kgn/nginx-1.10.3/debian/modules/nginx-auth-pam --add-dynamic-module=/build/nginx-wa6Kgn/nginx-1.10.3/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-wa6Kgn/nginx-1.10.3/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-wa6Kgn/nginx-1.10.3/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-wa6Kgn/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module

# /etc/nginx $ openssl version -a

OpenSSL 1.1.1-dev  xx XXX xxxx
built on: reproducible build, date unspecified
platform: linux-x86_64
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/lib/\"" -DENGINESDIR="\"/usr/local/lib/engines-1.1\""  -Wa,--noexecstack
OPENSSLDIR: "/usr/local/lib/"
ENGINESDIR: "/usr/local/lib/engines-1.1"

The natural idea is to rebuild nginx. configure and make run without errors, but nginx never changes its version.

./configure --with-http_ssl_module --with-openssl=~/openssl/ --with-http_v2_module
make

https://gist.github.com/SilentImp/be9c088298a94e0dba6cbaf3c51b9ad0

but nothing has changed

~/nginx-1.11.13 $ nginx -V
nginx version: nginx/1.10.3
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -fPIC -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-wa6Kgn/nginx-1.10.3/debian/modules/nginx-auth-pam --add-dynamic-module=/build/nginx-wa6Kgn/nginx-1.10.3/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-wa6Kgn/nginx-1.10.3/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-wa6Kgn/nginx-1.10.3/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-wa6Kgn/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module

What could have gone wrong? And is there any way to change nginx's openssl version without rebuilding nginx?

Upvotes: 1

Views: 3186

Answers (3)

EverybodyGetsHurt

Reputation: 1

I often run into this when I install my compiled Nginx+OpenSSL into a user's environment (on Ubuntu 23.04) and then compile a default-location installation later on my root account next to that. So I get 2 Nginx/OpenSSL combinations on the same VPS. If you want to make 2 installations, do this as a user. Then you can reinstall OpenSSL or compile it on your root account after the steps.

Then I run the 2 export commands below, both! (It can still error with only 1).

The install and library versions then run from the location you set. This works with both Nginx and OpenSSL.

# - Download and unpack an OpenSSL source tarball
wget https://github.com/openssl/openssl/releases/download/openssl-3.1.1/openssl-3.1.1.tar.gz
tar -xzf openssl-3.1.1.tar.gz
cd openssl-3.1.1
# - (NO-SUDO) to be sure nothing is loaded from the default locations because there is no access and it would error. Configure, Create and Install OpenSSL:
./config --prefix=/home/benginx/openssl-3.1.1 --openssldir=/home/benginx/openssl-3.1.1 --libdir=/home/benginx/openssl-3.1.1 enable-buildtest-c++ enable-external-tests enable-crypto-mdebug enable-crypto-mdebug-backtrace enable-acvp-tests enable-trace enable-weak-ssl-ciphers enable-ec_nistp_64_gcc_128 enable-fips no-fips-securitychecks enable-ssl3 enable-ssl3-method enable-md2 enable-rc5 enable-ec enable-ecdh enable-ecdsa enable-zlib enable-zlib-dynamic enable-egd enable-ktls enable-sctp enable-threads
make -j6
make install -j6
# - UPDATE THE SYSTEM PATH: Check your system's environment variable PATH to ensure that it includes the directory where the newly compiled OpenSSL binaries are located:
export PATH=/home/benginx/openssl-3.1.1/bin:$PATH
# - Update the openssl library version PATH: - If it did not show the new library, set the environment variable:
export LD_LIBRARY_PATH=/home/benginx/openssl-3.1.1/lib:$LD_LIBRARY_PATH

Upvotes: 0

SilentImp

Reputation: 2015

Always check the path to nginx

$ /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.11.13
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3) 
built with OpenSSL 1.1.1-dev  xx XXX xxxx
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-openssl=~/openssl/ --with-http_v2_module

$ which nginx
/usr/sbin/nginx

Upvotes: 1
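The check from the answer above, as an added example that is not part of the original post: it reads the "built with OpenSSL" line from each candidate nginx binary and reports whether that build can offer ALPN, which needs OpenSSL 1.0.2 or newer. The function names are hypothetical; `/usr/local/nginx/sbin/nginx` is the source-install path shown in the answer.

```shell
#!/bin/sh
# Added example: find out which nginx binary the shell runs and which
# OpenSSL each candidate was built with.

# Print the OpenSSL version a given nginx binary was built with,
# e.g. "1.0.1f". nginx writes -V output to stderr, hence 2>&1.
built_openssl() {
    "$1" -V 2>&1 | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'
}

# Succeed if the version is at least 1.0.2, the first OpenSSL release
# with ALPN. Suffixes are dropped first ("1.0.1f" -> "1.0.1").
supports_alpn() {
    num=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    [ -n "$num" ] || return 1
    lowest=$(printf '%s\n%s\n' "1.0.2" "$num" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "1.0.2" ]
}

# One line per existing binary: path, OpenSSL version, ALPN verdict.
report() {
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        ver=$(built_openssl "$bin")
        if supports_alpn "$ver"; then
            verdict="ALPN ok"
        else
            verdict="no ALPN"
        fi
        printf '%s\tOpenSSL %s\t%s\n' "$bin" "${ver:-unknown}" "$verdict"
    done
    return 0
}

# The binary found first on PATH (what a bare "nginx" runs), then the
# default prefix used by a source build without --prefix.
report "$(command -v nginx 2>/dev/null)" /usr/local/nginx/sbin/nginx
```

If the first line reports an older OpenSSL than the second, the service is still starting the packaged binary and has to be pointed at the rebuilt one.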

wormi4ok

Reputation: 632

Do you want to use another repository, which has nginx with built-in ALPN support?

https://launchpad.net/~fxr/+archive/ubuntu/nginx-alpn

If this is not an option, you should double-check the paths of the nginx binary you use, the binary you build, and the directory with the openssl sources you use at --with-openssl=~/openssl/

Upvotes: 1
