
Input How to compile NGINX with additional modules ( pagespeed / cache_purge / headers-more / and others )

Hi @Tobias Reinhard,
Two weeks ago I did the update job again here on page 5 of @UFHH01's tutorial, with nginx 1.13.10 and all related modules.
BUT!!! As I mentioned in another thread, in Qualys you get the successful result with these updated versions as usual (e.g. draft-18 supported, A+, 390% of 400%).
Pagespeed is working fine with Redis 4.0.8 in my case.
But in practice protocol TLSv1.2 is used instead of TLS 1.3.

Nginx log says: tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client

It is related to massive changes to OpenSSL by its developers; you can see it on GitHub. The developers publish a new pre-release every few days. This week they renamed pre4 to beta, and one day later they changed it back to pre4. They are working hard to publish the official release of 1.1.1 in the next weeks.
I spent several hours every day trying to resolve this issue, but without finding a solution. I also compiled Nginx with draft-19 successfully, but again without protocol 1.3 running.
Pagespeed and brotli compression work like a charm, the best since UFHH01 started his amazing tutorial, for the updated components - but only without TLSv1.3.
Greets
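
One way to confirm which protocol is really negotiated, as opposed to what a scanner reports as supported, is to log nginx's `$ssl_protocol` variable and tally it next to the handshake failures in the error log. This is an added example, not part of the original post; the log format, the function names and the sample log lines are constructed assumptions.

```sh
#!/bin/sh
# Added example: tally what nginx really negotiated, not what a scanner advertises.
# Assumes (not from the thread) an access log_format ending in the two real
# nginx variables "$ssl_protocol $ssl_cipher", e.g.:
#   log_format tls '$remote_addr [$time_local] "$request" $status '
#                  '$ssl_protocol $ssl_cipher';

sample_access_log() {   # constructed lines, documentation IP ranges
cat <<'EOF'
203.0.113.5 [28/Mar/2018:10:00:01 +0000] "GET / HTTP/2.0" 200 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
203.0.113.9 [28/Mar/2018:10:00:02 +0000] "GET /a.css HTTP/2.0" 200 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.7 [28/Mar/2018:10:00:03 +0000] "GET / HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305
EOF
}

sample_error_log() {    # constructed; reason text as quoted in the post, <code> is a placeholder
cat <<'EOF'
2018/03/28 10:00:02 [info] 2211#2211: *17 SSL_do_handshake() failed (SSL: error:<code>:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 203.0.113.9, server: 0.0.0.0:443
2018/03/28 10:00:04 [info] 2211#2211: *19 SSL_do_handshake() failed (SSL: error:<code>:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2018/03/28 10:00:05 [info] 2211#2211: *20 client closed connection while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
EOF
}

# Print "<protocol> <requests>" for every protocol seen, sorted by name.
protocol_counts() {
    awk '{ n[$(NF-1)]++ } END { for (p in n) print p, n[p] }' | sort
}

# Exit 0 only if at least one request was served over TLSv1.3.
tls13_seen() {
    awk '$(NF-1) == "TLSv1.3" { found = 1 } END { exit !found }'
}

# Print "<client> <failures>" for handshakes rejected as "unsupported protocol".
unsupported_protocol_clients() {
    awk 'index($0, "unsupported protocol) while SSL handshaking") {
             sub(/.*client: /, ""); sub(/,.*/, ""); n[$0]++ }
         END { for (c in n) print c, n[c] }' | sort
}

sample_access_log | protocol_counts
sample_access_log | tls13_seen || echo "no TLSv1.3 handshake completed"
sample_error_log | unsupported_protocol_clients
```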
 
There were too many draft releases of TLS v1.3, and most of them cannot be enabled in a web browser, even in hidden settings like chrome://flags:

Screenshot_247.png


But about Brotli: I was already using ngx_brotli in my bash script, and I noticed there have been no updates since August 2016. In fact this nginx module seems to use Brotli v0.4. So I looked for an up-to-date fork, and I found this repository: eustas/ngx_brotli
 
Hi @virtubox,
I hoped a little that you and other involved or interested users of the "self-compiled nginx with additional modules" solution would join the recent discussions about OpenSSL (+draft-xxx), Nginx, and also Pagespeed.
As we all know, OpenSSL is the heart of security of server systems. Nobody wants to make mistakes and misconfigurations.
The developers of OpenSSL and also Plesk, the OSes, Brotli & Pagespeed are doing their best so that everything fits together in the end. I think this issue of falling back to TLSv1.2 is absolutely correct for security reasons. I guess it's related to flags, like you wrote, which is well visible around GitHub and among OS maintainers, too.
I watch the progress of your GitHub solution, a pretty nice one (I haven't installed it yet because I like to do it myself, trying to develop my skills, learning and understanding).

Thanks and lots of greets
 
I use the nginx microcache fastcgi_cache function for WordPress.
After following the guide I can use the fastcgi_cache_purge plugin.
I installed the Nginx Helper plugin on my WordPress.
The cache itself works fine, but the PHP user can't delete the cache.
The cached files are owned by nginx:nginx and have rwx------.
What is the recommended way to fix this or find a solution for it?


Code:
PHP message: PHP Warning: opendir(/var/www/vhosts/domain.de/cache//f): failed to open dir: Permission denied in /var/www/vhosts/domain.de/httpdocs/wp-content/plugins/nginx-helper/purger.php on line 774" while reading response header from upstream, client: 2003
 
Thanks, I know this Ubuntu script, but I'm on CentOS and would therefore need to do the steps manually.

So I just need the OpenSSL part that basically received an update.
 
There's a CentOS script in that thread if you read it all. We ran it ourselves when we used to be on CentOS. You'll need to update the script for the correct OpenSSL details, but it worked back then so can't immediately see why it won't now (i.e. just because of an updated OpenSSL component....)
 
Apart from the script, which describes a good way to realize TLS 1.3, it would be nice to know how to compile nginx with OpenSSL 1.1.1 on Ubuntu 18.04.2 and/or CentOS, to have the possibility of doing it manually too.
 
o_O Have you had a chance to read all of the thread? Meaning THIS thread, but specifically towards the end of it? Including THIS link? In terms of Ubuntu 18.04, everything you've mentioned is indeed right there...
 
I just upgraded nginx. Everything went well, but when I checked the nginx version it shows version 1.18 instead of 1.19.4. I am running it on CentOS 7. Here is the log file.

Code:
./configure --prefix=/etc/nginx \
    --sbin-path=/usr/sbin/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --lock-path=/var/lock/nginx.lock \
    --pid-path=/var/run/nginx.pid \
    --http-client-body-temp-path=/var/lib/nginx/body \
    --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
    --http-proxy-temp-path=/var/lib/nginx/proxy \
    --http-scgi-temp-path=/var/lib/nginx/scgi \
    --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
    --user=nginx \
    --group=nginx \
    --with-debug \
    --with-file-aio \
    --with-google_perftools_module \
    --with-mail \
    --with-mail_ssl_module \
    --with-threads \
    --with-select_module \
    --with-stream \
    --with-stream_ssl_module \
    --with-http_addition_module \
    --with-http_auth_request_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_geoip_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_image_filter_module \
    --with-http_mp4_module \
    --with-http_perl_module \
    --with-http_random_index_module \
    --with-http_realip_module \
    --with-http_secure_link_module \
    --with-http_stub_status_module \
    --with-http_sub_module \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-http_xslt_module \
    --with-poll_module \
    --with-openssl=/usr/share/openssl \
    --with-openssl-opt=enable-tls1_3 \
    --add-module=/usr/share/nginx/modules/echo-nginx-module-0.62 \
    --add-module=/usr/share/nginx/modules/ngx_brotli \
    --add-module=/usr/share/passenger/ngx_http_passenger_module \
    --add-module=/usr/share/nginx/modules/ngx_cache_purge-2.3.1 \
    --add-module=/usr/share/nginx/modules/ngx_coolkit-0.2 \
    --add-module=/usr/share/nginx/modules/ngx_pagespeed-1.13.35.2 \
    --add-module=/usr/share/nginx/modules/ngx_headers-more-v0.33
checking for OS
 + Linux 3.10.0-1127.el7.x86_64 x86_64
checking for C compiler ... found
 + using GNU C compiler
 + gcc version: 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
checking for gcc -pipe switch ... found
checking for -Wl,-E switch ... found
checking for gcc builtin atomic operations ... found
checking for C99 variadic macros ... found
checking for gcc variadic macros ... found
checking for gcc builtin 64 bit byteswap ... found
checking for unistd.h ... found
checking for inttypes.h ... found
checking for limits.h ... found
checking for sys/filio.h ... not found
checking for sys/param.h ... found
checking for sys/mount.h ... found
checking for sys/statvfs.h ... found
checking for crypt.h ... found
checking for Linux specific features
checking for epoll ... found
checking for EPOLLRDHUP ... found
checking for EPOLLEXCLUSIVE ... not found
checking for O_PATH ... found
checking for sendfile() ... found
checking for sendfile64() ... found
checking for sys/prctl.h ... found
checking for prctl(PR_SET_DUMPABLE) ... found
checking for prctl(PR_SET_KEEPCAPS) ... found
checking for capabilities ... found
checking for crypt_r() ... found
checking for sys/vfs.h ... found
checking for poll() ... found
checking for /dev/poll ... not found
checking for kqueue ... not found
checking for crypt() ... not found
checking for crypt() in libcrypt ... found
checking for F_READAHEAD ... not found
checking for posix_fadvise() ... found
checking for O_DIRECT ... found
checking for F_NOCACHE ... not found
checking for directio() ... not found
checking for statfs() ... found
checking for statvfs() ... found
checking for dlopen() ... not found
checking for dlopen() in libdl ... found
checking for sched_yield() ... found
checking for sched_setaffinity() ... found
checking for SO_SETFIB ... not found
checking for SO_REUSEPORT ... found
checking for SO_ACCEPTFILTER ... not found
checking for SO_BINDANY ... not found
checking for IP_TRANSPARENT ... found
checking for IP_BINDANY ... not found
checking for IP_BIND_ADDRESS_NO_PORT ... found
checking for IP_RECVDSTADDR ... not found
checking for IP_SENDSRCADDR ... not found
checking for IP_PKTINFO ... found
checking for IPV6_RECVPKTINFO ... found
checking for TCP_DEFER_ACCEPT ... found
checking for TCP_KEEPIDLE ... found
checking for TCP_FASTOPEN ... found
checking for TCP_INFO ... found
checking for accept4() ... found
checking for kqueue AIO support ... not found
checking for Linux AIO support ... found
checking for int size ... 4 bytes
checking for long size ... 8 bytes
checking for long long size ... 8 bytes
checking for void * size ... 8 bytes
checking for uint32_t ... found
checking for uint64_t ... found
checking for sig_atomic_t ... found
checking for sig_atomic_t size ... 4 bytes
checking for socklen_t ... found
checking for in_addr_t ... found
checking for in_port_t ... found
checking for rlim_t ... found
checking for uintptr_t ... uintptr_t found
checking for system byte ordering ... little endian
checking for size_t size ... 8 bytes
checking for off_t size ... 8 bytes
checking for time_t size ... 8 bytes
checking for AF_INET6 ... found
checking for setproctitle() ... not found
checking for pread() ... found
checking for pwrite() ... found
checking for pwritev() ... found
checking for sys_nerr ... found
checking for localtime_r() ... found
checking for clock_gettime(CLOCK_MONOTONIC) ... found
checking for posix_memalign() ... found
checking for memalign() ... found
checking for mmap(MAP_ANON|MAP_SHARED) ... found
checking for mmap("/dev/zero", MAP_SHARED) ... found
checking for System V shared memory ... found
checking for POSIX semaphores ... not found
checking for POSIX semaphores in libpthread ... found
checking for struct msghdr.msg_control ... found
checking for ioctl(FIONBIO) ... found
checking for ioctl(FIONREAD) ... found
checking for struct tm.tm_gmtoff ... found
checking for struct dirent.d_namlen ... not found
checking for struct dirent.d_type ... found
checking for sysconf(_SC_NPROCESSORS_ONLN) ... found
checking for sysconf(_SC_LEVEL1_DCACHE_LINESIZE) ... found
checking for openat(), fstatat() ... found
checking for getaddrinfo() ... found
configuring additional modules
adding module in /usr/share/nginx/modules/echo-nginx-module-0.62
 + ngx_http_echo_module was configured
adding module in /usr/share/nginx/modules/ngx_brotli
 + ngx_brotli was configured
adding module in /usr/share/passenger/ngx_http_passenger_module
checking for Math library ... found
checking for POSIX realtime library ... found
 + ngx_http_passenger_module was configured
adding module in /usr/share/nginx/modules/ngx_cache_purge-2.3.1
 + ngx_http_cache_purge_module was configured
adding module in /usr/share/nginx/modules/ngx_coolkit-0.2
 + ngx_coolkit_module was configured
adding module in /usr/share/nginx/modules/ngx_pagespeed-1.13.35.2

You have set --with-debug for building nginx, but precompiled Debug binaries for
PSOL, which ngx_pagespeed depends on, aren't available.  If you're trying to
debug PSOL you need to build it from source.  If you just want to run nginx with
debug-level logging you can use the Release binaries.

Use the available Release binaries? [Y/n] Y
mod_pagespeed_dir=/usr/share/nginx/modules/ngx_pagespeed-1.13.35.2/psol/include
build_from_source=false
checking for psol ... found
List of modules (in reverse order of applicability): ngx_http_write_filter_module ngx_http_header_filter_module ngx_http_chunked_filter_module ngx_http_v2_filter_module ngx_http_range_header_filter_module ngx_pagespeed_etag_filter ngx_http_gzip_filter_module ngx_http_brotli_filter_module ngx_pagespeed ngx_http_postpone_filter_module ngx_http_ssi_filter_module ngx_http_charset_filter_module ngx_http_xslt_filter_module ngx_http_image_filter_module ngx_http_sub_filter_module ngx_http_addition_filter_module ngx_http_gunzip_filter_module ngx_http_userid_filter_module ngx_http_headers_filter_module
checking for psol-compiler-compat ... found
 + ngx_pagespeed was configured
adding module in /usr/share/nginx/modules/ngx_headers-more-v0.33
 + ngx_http_headers_more_filter_module was configured
checking for PCRE library ... found
checking for PCRE JIT support ... found
checking for zlib library ... found
checking for libxslt ... found
checking for libexslt ... found
checking for GD library ... found
checking for GD WebP support ... not found
checking for perl
 + perl version: This is perl 5, version 16, subversion 3 (v5.16.3) built for x86_64-linux-thread-multi
 + perl interpreter multiplicity found
checking for GeoIP library ... found
checking for GeoIP IPv6 support ... found
checking for Google perftools ... found
creating objs/Makefile

Configuration summary
  + using threads
  + using system PCRE library
  + using OpenSSL library: /usr/share/openssl
  + using system zlib library

  nginx path prefix: "/etc/nginx"
  nginx binary file: "/usr/sbin/nginx"
  nginx modules path: "/etc/nginx/modules"
  nginx configuration prefix: "/etc/nginx"
  nginx configuration file: "/etc/nginx/nginx.conf"
  nginx pid file: "/var/run/nginx.pid"
  nginx error log file: "/var/log/nginx/error.log"
  nginx http access log file: "/var/log/nginx/access.log"
  nginx http client request body temporary files: "/var/lib/nginx/body"
  nginx http proxy temporary files: "/var/lib/nginx/proxy"
  nginx http fastcgi temporary files: "/var/lib/nginx/fastcgi"
  nginx http uwsgi temporary files: "/var/lib/nginx/uwsgi"
  nginx http scgi temporary files: "/var/lib/nginx/scgi"
 
I had to reboot the server and ran the configure and make commands; it worked fine. Now I am struggling with disabling sw-nginx. Plesk support says that even if I lock sw-nginx from the Plesk control panel, it will still upgrade nginx. I used the yum command to exclude sw-nginx, but it says there is no repo. Can someone send me the command or yum.conf setting to exclude sw-nginx? Thank you
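
To check that an installed binary really reports the build configured in the log above (nginx version, an OpenSSL release with TLS 1.3, and the added modules), the text printed by `nginx -V` can be parsed. This is an added example, not code from the original posts; the sample `nginx -V` text is constructed and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: check that a binary reports the build that was just compiled.
# Real use: check_build "$(/usr/sbin/nginx -V 2>&1)" 1.19.4 ngx_brotli ...
# (nginx prints -V on stderr). Function names here are hypothetical.

sample_nginx_V() {      # constructed output; OpenSSL patch level/date are sample values
cat <<'EOF'
nginx version: nginx/1.19.4
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.1.1h  22 Sep 2020
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module --with-openssl=/usr/share/openssl --with-openssl-opt=enable-tls1_3 --add-module=/usr/share/nginx/modules/ngx_brotli --add-module=/usr/share/nginx/modules/ngx_cache_purge-2.3.1
EOF
}

nginx_version()   { sed -n 's|^nginx version: nginx/||p'; }
openssl_version() { sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'; }

# Exit 0 for a release >= 1.1.1. Pre-release builds (-pre/-beta/-dev) are
# rejected on the assumption, based on the thread, that they may be draft-only.
openssl_has_final_tls13() {
    case "$1" in *-*) return 1 ;; esac
    printf '%s\n' "$1" | awk -F. '{ sub(/[^0-9].*/, "", $3)
        exit !($1 * 10000 + $2 * 100 + $3 >= 10101) }'
}

# Print every required configure flag or module name missing from the build.
missing_build_options() {       # $1 = nginx -V text, rest = required substrings
    text=$1; shift
    args=$(printf '%s\n' "$text" | sed -n 's/^configure arguments: //p')
    for want in "$@"; do
        case "$args" in *"$want"*) ;; *) printf '%s\n' "$want" ;; esac
    done
}

# Print "ok" and exit 0 only if version, OpenSSL and options all match.
check_build() {                 # $1 = nginx -V text, $2 = expected version, rest = options
    text=$1; expected=$2; shift 2
    [ "$(printf '%s\n' "$text" | nginx_version)" = "$expected" ] ||
        { echo "version mismatch"; return 1; }
    openssl_has_final_tls13 "$(printf '%s\n' "$text" | openssl_version)" ||
        { echo "OpenSSL without final TLS 1.3"; return 1; }
    miss=$(missing_build_options "$text" "$@")
    [ -z "$miss" ] || { echo "missing: $miss"; return 1; }
    echo "ok"
}

check_build "$(sample_nginx_V)" 1.19.4 --with-http_v2_module ngx_brotli ngx_cache_purge
```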
 
Here is how I solved this issue:

1. install plugin: yum install yum-plugin-versionlock
2. lock packages: yum versionlock passenger sw-nginx
 