Input Bash script to compile Nginx from source with additional modules on Plesk Onyx

[virtubox]

Bash script to compile the latest Nginx stable/mainline release with additional modules

--------------------------------------------------------------------------------------------------------------

Github Page : Plesk Nginx

Github Repository : VirtuBox/plesk-nginx

--------------------------------------------------------------------------------------------------------------


Main Features

• Compile the latest Nginx mainline or stable release
• Ngx_Pagespeed
• TLS v1.3 Support (draft 28)
• Brotli
• Naxsi WAF

--------------------------------------------------------------------------------------------------------------

Nginx current mainline release : v1.15.3
Nginx current stable release : v1.14.0

others modules included :

• ngx_cache_purge
• memc-nginx-module
• headers-more-nginx-module
• ngx_devel_kit
• echo-nginx-module
• redis2-nginx-module
• ngx_http_redis-0.3.8
• srcache-nginx-module
• set-misc-nginx-module
• Openssl 1.1.1
• ngx_brotli (v1.0.2)
• ngx_http_substitutions_filter_module
• nginx-dynamic-tls-records-patch_1.13.0
• ngx_http_auth_pam_module
• ngx_vts_module

optional modules :

• ngx_pagespeed
• naxsi WAF
• RTMP module

--------------------------------------------------------------------------------------------------------------

Compatibility :

• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS
• Debian 8 Jessie

Changelog :

v3.0 :

- added Plesk support
- added install from scratch support
- added non-interactive install
- added nginx configuration check

v2.15.2

- nginx updated to 1.15.2
- Nginx Mainline release automated download (without having to update the script)
- Openssl version bump to 1.1.1-pre8
- TLS 1.3 support updated (draft 28)
- Compilation performed with gcc7 or gcc8.1 (gcc8.1 only available with Mainline release)
- RTMP module for streaming added (Optional)
- Modules download optimized (folders in /usr/local/src are not removed anymore)

Feel free to report me any issue , here or directly on github.
This script is also available for centos 6 : here
and for Centos 7 : here

 

[IgorG]

Thank you, @virtubox for your input! I have tried to adapt your script for CentOS7. Unfortunately, there was not much time, but in general the script works. There was some problems on following final step:

# nginx -t && service nginx reload
nginx: [emerg] "load_module" directive is specified too late in /etc/nginx/modules.conf.d/phusion-passenger.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed

# nginx -t && service nginx reload
nginx: [emerg] unknown directive "passenger_root" in /etc/nginx/conf.d/phusion-passenger.conf:1

I just temporary disabled it with

# mv /etc/nginx/modules.conf.d/phusion-passenger.conf /etc/nginx/modules.conf.d/phusion-passenger.conf_
# mv /etc/nginx/conf.d/phusion-passenger.conf /etc/nginx/conf.d/phusion-passenger.conf_

and now I see:

# systemctl status nginx
● nginx.service - Startup script for nginx service
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2017-10-10 05:28:56 NOVT; 4h 49min ago
Main PID: 1361 (nginx)
CGroup: /system.slice/nginx.service
├─1361 nginx: master process /usr/sbin/nginx
├─9278 Passenger watchdog
├─9281 Passenger core
├─9290 Passenger ust-router
└─9312 nginx: worker process

My partially adapted script:

#!/bin/bash
yum groupinstall "Development Tools"
yum install -y git libtool automake autoconf zlib-devel pcre-devel openssl-devel libxslt-devel libxml2-devel libXpm-devel geoip-devel google-perftools-devel perl-devel gd-devel

cd /usr/local/src
wget http://nginx.org/download/nginx-1.13.5.tar.gz
tar -xzvf nginx-1.13.5.tar.gz
mv nginx-1.13.5 nginx

git clone https://github.com/FRiCKLE/ngx_cache_purge.git
git clone https://github.com/openresty/memc-nginx-module.git
git clone https://github.com/simpl/ngx_devel_kit.git
git clone https://github.com/openresty/headers-more-nginx-module.git
git clone https://github.com/openresty/echo-nginx-module.git
git clone https://github.com/yaoweibin/ngx_http_substitutions_filter_module.git
git clone https://github.com/openresty/redis2-nginx-module.git
git clone https://github.com/openresty/srcache-nginx-module.git
git clone https://github.com/openresty/set-misc-nginx-module.git
git clone https://github.com/FRiCKLE/ngx_coolkit.git
git clone https://github.com/FRiCKLE/ngx_slowfs_cache.git
wget https://people.freebsd.org/~osa/ngx_http_redis-0.3.8.tar.gz
tar -zxf ngx_http_redis-0.3.8.tar.gz
mv ngx_http_redis-0.3.8 ngx_http_redis

git clone https://github.com/google/ngx_brotli.git
cd ngx_brotli
git submodule update --init --recursive
cd /usr/local/src

git clone https://github.com/openssl/openssl.git
cd openssl
git checkout tls1.3-draft-18

cd /usr/local/src/nginx/
wget https://raw.githubusercontent.com/cujanovic/nginx-dynamic-tls-records-patch/master/nginx__dynamic_tls_records_1.11.5%2B.patch
patch -p1 < nginx__dynamic_tls_records_1.11.5*.patch

./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --user=nginx --group=nginx --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-threads --add-module=/usr/local/src/ngx_cache_purge --add-module=/usr/local/src/memc-nginx-module --add-module=/usr/local/src/ngx_devel_kit --add-module=/usr/local/src/headers-more-nginx-module --add-module=/usr/local/src/echo-nginx-module --add-module=/usr/local/src/ngx_http_substitutions_filter_module --add-module=/usr/local/src/redis2-nginx-module --add-module=/usr/local/src/srcache-nginx-module --add-module=/usr/local/src/set-misc-nginx-module --add-module=/usr/local/src/ngx_http_redis --add-module=/usr/local/src/ngx_brotli --with-openssl=/usr/local/src/openssl --with-openssl-opt=enable-tls1_3

make -j $(nproc)
make install

systemctl unmask sw-nginx
systemctl enable nginx
systemctl start nginx
wget -O /etc/nginx/nginx.conf https://raw.githubusercontent.com/VirtuBox/plesk-nginx/master/etc/nginx/nginx.conf
wget -O /etc/nginx/conf.d/ssl.conf https://raw.githubusercontent.com/VirtuBox/plesk-nginx/master/etc/nginx/conf.d/ssl.conf
nginx -t && service nginx reload
systemctl restart nginx

Please feel free to make it better!

 

[virtubox]

Thank you @IgorG . I will check how to proceed to verify if passenger is installed on the server before reloading nginx, and to move configuration files if needed.

 

[virtubox]

I have updated my script for Ubuntu/Debian , here the changelog

• New script with pagespeed is available
• Last Nginx release v1.13.7
  
• Nginx configuration replacement removed from the script , but directly available on github
  
• /usr/local/src is removed by the script before the compilation. So you can run the script to install and/or update nginx

 

[Jaco]

this is cool stuff but how do i install this Archive - Script for building replacement of default sw-nginx Plesk package (CentOS7 Only!)
from IgorG.
I can not find an explanation on the forum and google
Thx
greetz
Jaco

 

[IgorG]

this is cool stuff but how do i install this Archive - Script for building replacement of default sw-nginx Plesk package (CentOS7 Only!)
from IgorG.
I can not find an explanation on the forum and google
Thx
greetz
Jaco

Just download, unzip and run this script.

 

[Jaco]

Thank you, IgorG

 

[learning_curve]

this is cool stuff but how do i install this Archive - Script for building replacement of default sw-nginx Plesk package (CentOS7 Only!) from @IgorG

Is this script a replacement for the earlier version posted by @UFHH01 that we ran very successfully @IgorG ?

We're on CentOS7 so obviously the script option appeals - a lot and running a script is a lot less work. If the answer is "yes" our only other question is... would the script happily overwrite the setup we achieved using the earlier non-scripted method?

 

[IgorG]

Is this script a replacement for the earlier version posted by @UFHH01 that we ran very successfully @IgorG ?

We're on CentOS7 so obviously the script option appeals - a lot and running a script is a lot less work. If the answer is "yes" our only other question is... would the script happily overwrite the setup we achieved using the earlier non-scripted method?

Let's just say, this script is written based on the contributions from @UFHH01 and @virtubox and adapted by me specifically for CentOS How it will behave in combination with the previous custom installation I can not say. But, I think that there should not be any critical problems, and that the main thing is your working nginx.conf file.

 

[learning_curve]

Thanks! We'll have a very close look soon. We think we'll remove a couple of items in advance (e.g. Google Pagespeed which doesn't suit other items that we run) and then go from there. The earlier version has been updated by other users too, so we'll study both and then proceed carefully...

 

[virtubox]

New release available !

Changelog :

• new unified script
• added menu to choose modules
• added installation log
• Naxsi WAF available
• add files aio support

 

[learning_curve]

Let's just say, this script is written based on the contributions from @UFHH01 and @virtubox and adapted by me specifically for CentOS How it will behave in combination with the previous custom installation I can not say. But, I think that there should not be any critical problems, and that the main thing is your working nginx.conf file.

To follow up on this very helpful post... but in a different context now. We're looking forward to our next big Plesk upgrade i.e. 17.5.3 > 17.8.11 once it's provided as a general release, not an early adopter release.

Two quick questions:
1) Where is the Plesk 17.8.11 full specification to be found? (...as we're assuming that there will be some duplications (content changes etc) provided by this script and the general Plesk release?)
2) If there aren't any duplications... Has anybody run this script on 17.8.11 yet and if so, how did it go?

 

[virtubox]

To follow up on this very helpful post... but in a different context now. We're looking forward to our next big Plesk upgrade i.e. 17.5.3 > 17.8.11 once it's provided as a general release, not an early adopter release.

Two quick questions:
1) Where is the Plesk 17.8.11 full specification to be found? (...as we're assuming that there will be some duplications (content changes etc) provided by this script and the general Plesk release?)
2) If there aren't any duplications... Has anybody run this script on 17.8.11 yet and if so, how did it go?

Scripts written by @IgorG or me only compile and replace the Nginx package shipped with Plesk. It will install usual packages needed to build a program from source, and required dev-libraries, but nothing directly related to Plesk.
The most part of my servers are running with Plesk 17.8.11 and Nginx built from source using my bash script. Everything is working properly

 

[learning_curve]

Well your experience with Plesk 17.8.11 so far, is reassuring news. Thank you @virtubox
Our question about Plesk etc was also in-directly related to Nginx, which we may not have made clear... As you can see (sig) we are currenty running a setup with the Nginx package shipped with Plesk 17.5.3 having been replaced by us. Are we saying, that even with the new Plesk 17.8.11 upgrade, the default Nginx package is still a long, long way out of date? Hence our question about the Plesk 17.8.11 full specification. We're interested in the spec of things like sw-cp-server in 17.8.11 as well

 

[virtubox]

Well your experience with Plesk 17.8.11 so far, is reassuring news. Thank you @virtubox
Our question about Plesk etc was also in-directly related to Nginx, which we may not have made clear... As you can see (sig) we are currenty running a setup with the Nginx package shipped with Plesk 17.5.3 having been replaced by us. Are we saying, that even with the new Plesk 17.8.11 upgrade, the default Nginx package is still a long, long way out of date? Hence our question about the Plesk 17.8.11 full specification. We're interested in the spec of things like sw-cp-server in 17.8.11 as well

My servers running with Plesk 17.8.11 are shipped with Nginx 1.13.8 by default, so it's almost the last release available.
Here the Nginx -V :

nginx version: nginx/1.13.8
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --prefix=/usr/share --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --modules-path=/usr/share/nginx/modules --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --user=nginx --group=nginx --with-ipv6 --with-file-aio --with-http_v2_module --with-compat --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_dav_module --with-http_gzip_static_module --with-http_stub_status_module --add-dynamic-module=/usr/share/passenger/ngx_http_passenger_module

And here the nginx -V after using my bash script :

nginx version: nginx/1.13.9
built by gcc 4.9.2 (Debian 4.9.2-10+deb8u1)
built with OpenSSL 1.1.1-dev  xx XXX xxxx
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --user=nginx --group=nginx --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-file-aio --with-threads --add-module=/usr/local/src/ngx_cache_purge --add-module=/usr/local/src/memc-nginx-module --add-module=/usr/local/src/ngx_devel_kit --add-module=/usr/local/src/headers-more-nginx-module --add-module=/usr/local/src/echo-nginx-module --add-module=/usr/local/src/ngx_http_substitutions_filter_module --add-module=/usr/local/src/redis2-nginx-module --add-module=/usr/local/src/srcache-nginx-module --add-module=/usr/local/src/set-misc-nginx-module --add-module=/usr/local/src/ngx_http_redis --add-module=/usr/local/src/ngx_brotli --add-module=/usr/local/src/ngx_http_auth_pam_module --with-openssl=/usr/local/src/openssl --with-openssl-opt=enable-tls1_3

But sw-cp-server seems to be the same, here the sw-cp-serverd -V

nginx version: nginx/1.11.10
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --prefix=/usr/share --sbin-path=/usr/sbin/sw-cp-serverd --conf-path=/etc/sw-cp-server/config --error-log-path=/var/log/sw-cp-server/error_log --http-log-path=/var/log/sw-cp-server/access.log --lock-path=/var/lock/sw-cp-server.lock --pid-path=/run/sw-cp-server.pid --http-client-body-temp-path=/var/lib/sw-cp-server/body --http-fastcgi-temp-path=/var/lib/sw-cp-server/fastcgi --http-proxy-temp-path=/var/lib/sw-cp-server/proxy --http-scgi-temp-path=/var/lib/sw-cp-server/scgi --http-uwsgi-temp-path=/var/lib/sw-cp-server/uwsgi --user=sw-cp-server --group=sw-cp-server --with-ipv6 --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_auth_request_module --add-module=/home/builder/buildbot/sw-cp-server-trunk-bubt1604x64/build/sw-cp-server/work/lua-nginx-module-0.10.7 --add-module=/home/builder/buildbot/sw-cp-server-trunk-bubt1604x64/build/sw-cp-server/work/ngx_devel_kit-0.2.19

 

[learning_curve]

It's great news that Plesk have played catch up with Nginx for 17.8.11 but sw-cp-server still being so far out of date is quote a shocker We have previously upgraded our own (which will get overwritten no problem as / when / if Plesk finally release their own, well overdue upgrade...
How has sw-cp-server been completely missed with the all the other work that's gone into 17.8.11?

sw-cp-serverd -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.0.2l  25 May 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/share --sbin-path=/usr/sbin/sw-cp-serverd --conf-path=/etc/sw-cp-server/config --error-log-path=/var/log/sw-cp-server/error_log --http-log-path=/var/log/sw-cp-server/access.log --lock-path=/var/lock/sw-cp-server.lock --pid-path=/run/sw-cp-server.pid --http-client-body-temp-path=/var/lib/sw-cp-server/body --http-fastcgi-temp-path=/var/lib/sw-cp-server/fastcgi --http-proxy-temp-path=/var/lib/sw-cp-server/proxy --http-scgi-temp-path=/var/lib/sw-cp-server/scgi --http-uwsgi-temp-path=/var/lib/sw-cp-server/uwsgi --user=sw-cp-server --group=sw-cp-server --with-openssl=/__temp/openssl-1.0.2l --with-openssl-opt=enable-ec_nistp_64_gcc_128 --with-openssl-opt=no-nextprotoneg --with-openssl-opt=no-weak-ssl-ciphers --with-openssl-opt=no-ssl3 --with-pcre=/__temp/pcre-8.41 --with-pcre-jit --with-zlib=/__temp/zlib-1.2.11 --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-ipv6 --add-module=/__temp/lua-nginx-module --add-module=/__temp/ngx_devel_kit-0.3.0 --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'

 

[IgorG]

I suppose, that sw-cp-server was not updated because it is used only for Plesk interface and does not require any specific new modern hosting features, which are required for sites hosting. In the scope of security and stability, all necessary latest security patches were applied and they will be applied further.
Most probably that sw-cp-server will be updated later but this is not considered as a priority.

 

[learning_curve]

I suppose, that sw-cp-server was not updated because it is used only for Plesk interface....

Fully understand all of the reply, but as a Plesk customer (others may agree) still think it's a big oversight which could / should have been carried out at the same time as the upgrade to17.8.11. Having to run different verions of Nginx etc and having to carry out extra work ourselves, to ensure that security is as high as it possibly can be for the Plesk interface, isn't ideal and to be fair, the amount of work involved compared to the amount of work that's been put in for 17.8.11 is minimal by comparison. Here's hoping for an Easter Bunny sw-cp-server upgrade

 

[learning_curve]

Back to thtread topic... Looking forward to the General Release of 17.8.11 and then running your CentOS script @IgorG
The mods we have carried out to sw-cp-server shouldn't be affected by this upgrade process as we understand it anyway. If they are (say sw-cp-server is overwritten by the default version) then we can run those mods again from within 17.8.11 whilst waiting for Easter...

 

[IgorG]

Actually, I should note that I have not updated this script since the first version