Debian Build Nginx From Source for aapanel

Install Dependencies

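# Build-time dependencies for nginx and the bundled modules.
# cmake, git and wget are needed by the clone/build steps that follow, and
# libjemalloc-dev is required because the link step below passes -ljemalloc;
# none of these were in the original list, so a clean host fails part-way.
# (nginx 1.21.5+ prefers PCRE2 when available; libpcre2-dev can stand in for
# libpcre3/libpcre3-dev on current Debian releases.)
apt-get install build-essential cmake git wget libpcre3 libpcre3-dev zlib1g zlib1g-dev libssl-dev libgd-dev libxml2 libxml2-dev uuid-dev libxslt1-dev libjemalloc-dev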

Download Nginx And Extension Source Code

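# Directory where every source tree is unpacked; all later steps refer to it.
Install_Directory=/www/mod
mkdir -p "${Install_Directory}" && cd "${Install_Directory}" || exit 1

#######################################
# Download a release tarball to disk and check it against a pinned SHA-256
# before unpacking, instead of piping an unverified stream straight into tar.
# Arguments: $1 - URL of the .tar.gz, $2 - expected SHA-256 hex digest
# Returns:   0 when download, checksum and extraction all succeed
#######################################
fetch_verified() {
  local url=$1 expected=$2 archive
  archive=${url##*/}
  wget -c -- "$url" -O "$archive" || return 1
  printf '%s  %s\n' "$expected" "$archive" | sha256sum -c - || return 1
  tar -xzf "$archive"
}

# Replace the placeholders with the digests published by each project
# (nginx.org and openssl.org ship .sha256/.asc files next to the tarballs).
fetch_verified https://nginx.org/download/nginx-1.25.5.tar.gz '<SHA256_NGINX_1_25_5>'
# openssl-3.1.5 is downloaded but not referenced by either configure step below.
fetch_verified https://www.openssl.org/source/openssl-3.1.5.tar.gz '<SHA256_OPENSSL_3_1_5>'
fetch_verified https://www.openssl.org/source/openssl-3.2.1.tar.gz '<SHA256_OPENSSL_3_2_1>'
fetch_verified https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.9.1.tar.gz '<SHA256_LIBRESSL_3_9_1>'

# Third-party modules and libraries. --depth=1 pins nothing, so whatever is at
# the branch tip at clone time gets compiled into the server.
git clone --depth=1 --recursive https://github.com/google/ngx_brotli.git
git clone --depth=1 https://github.com/FRiCKLE/ngx_cache_purge.git
git clone --depth=1 https://github.com/vision5/ngx_devel_kit.git
git clone --depth=1 https://github.com/arut/nginx-dav-ext-module.git
git clone --depth=1 https://github.com/yaoweibin/ngx_http_substitutions_filter_module.git
git clone --depth=1 https://github.com/cloudflare/zlib.git
git clone --depth=1 https://github.com/libgd/libgd.git

# Record the exact commit each clone resolved to, so the build can be audited
# and reproduced later.
for d in ngx_brotli ngx_cache_purge ngx_devel_kit nginx-dav-ext-module ngx_http_substitutions_filter_module zlib libgd; do
  printf '%s %s\n' "$d" "$(git -C "$d" rev-parse HEAD)"
done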

Extension Dependencies

  • zlib
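# Cloudflare zlib, built in place; --with-zlib=../zlib below points at this tree.
# Guard the cd so a missing checkout does not run configure/make in the wrong directory.
cd "${Install_Directory}/zlib" || exit 1
./configure && make -j "$(nproc)"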
  • libgd
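# libgd out-of-tree build; the configure steps below reach it via
# -I../libgd/src and -L../libgd/build/Bin.
# mkdir -p makes the step re-runnable, and make only runs if cmake succeeded.
mkdir -p "${Install_Directory}/libgd/build" && cd "${Install_Directory}/libgd/build" || exit 1
cmake .. && make -j "$(nproc)"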

Generate Nginx Build Configuration With OpenSSL/LibreSSL

  • Build With OpenSSL
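# Configure nginx against the in-tree OpenSSL 3.2.1 (nginx's configure builds
# it itself; enable-ktls is passed through to OpenSSL's Configure so the
# "ssl_conf_command Options KTLS;" directive used later actually works).
cd "${Install_Directory}/nginx-1.25.5" || exit 1
# Comment out the -g that auto/cc/gcc adds so no debug info is generated
# (the link step strips the binary anyway).
sed -i 's@CFLAGS="$CFLAGS -g"@#CFLAGS="$CFLAGS -g"@' auto/cc/gcc
# NOTE: nginx's configure assigns (does not append) --with-cc-opt and
# --with-ld-opt, so only the LAST occurrence of each survives. The original
# three --with-ld-opt lines silently dropped RELRO/BIND_NOW, --strip-all and
# -ljemalloc, leaving only the libgd -L path. All linker flags go in one option.
# -march=native ties the binary to this host's CPU; drop it if the result is
# copied to other machines.
./configure --user=www --group=www \
  --prefix=/www/server/nginx \
  --with-compat \
  --with-file-aio \
  --with-http_addition_module \
  --with-http_dav_module \
  --with-http_flv_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_image_filter_module \
  --with-http_mp4_module \
  --with-http_realip_module \
  --with-http_slice_module \
  --with-http_ssl_module \
  --with-http_stub_status_module \
  --with-http_sub_module \
  --with-http_v2_module \
  --with-http_v3_module \
  --with-mail \
  --with-mail_ssl_module \
  --with-openssl=../openssl-3.2.1 \
  --with-openssl-opt=enable-ktls \
  --with-pcre-jit \
  --with-stream \
  --with-stream_realip_module \
  --with-stream_ssl_module \
  --with-stream_ssl_preread_module \
  --with-threads \
  --with-zlib=../zlib \
  --add-module=../ngx_brotli \
  --add-module=../ngx_cache_purge \
  --add-module=../ngx_devel_kit \
  --add-module=../nginx-dav-ext-module \
  --add-module=../ngx_http_substitutions_filter_module \
  --with-cc-opt='-O2 -march=native -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2 -DTCP_FASTOPEN=23 -I../libgd/src' \
  --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--strip-all -fPIC -ljemalloc -L../libgd/build/Bin'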
  • Build With LibreSSL
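# Configure nginx against the in-tree LibreSSL 3.9.1 (the alternative to the
# OpenSSL variant above; run one or the other, not both).
cd "${Install_Directory}/nginx-1.25.5" || exit 1
# NOTE: nginx's configure keeps only the LAST --with-ld-opt value, so the
# original four --with-ld-opt lines discarded RELRO/BIND_NOW, --strip-all,
# -ljemalloc and the libgd path. All linker flags go in one option.
# The -I/-L paths previously named libressl-3.8.2 while the tree downloaded and
# passed to --with-openssl is 3.9.1; they now agree.
# NOTE(review): enable-ktls is an OpenSSL Configure option — confirm LibreSSL's
# build accepts it for this variant, and confirm that a build/include and
# build/lib tree exists under the LibreSSL source, since nothing on this page
# creates one (with --with-openssl nginx compiles the library itself).
./configure --user=www --group=www \
  --prefix=/www/server/nginx \
  --with-compat \
  --with-file-aio \
  --with-http_addition_module \
  --with-http_dav_module \
  --with-http_flv_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_image_filter_module \
  --with-http_mp4_module \
  --with-http_realip_module \
  --with-http_slice_module \
  --with-http_ssl_module \
  --with-http_stub_status_module \
  --with-http_sub_module \
  --with-http_v2_module \
  --with-http_v3_module \
  --with-mail \
  --with-mail_ssl_module \
  --with-openssl=../libressl-3.9.1 \
  --with-openssl-opt=enable-ktls \
  --with-pcre-jit \
  --with-stream \
  --with-stream_realip_module \
  --with-stream_ssl_module \
  --with-stream_ssl_preread_module \
  --with-threads \
  --with-zlib=../zlib \
  --add-module=../ngx_brotli \
  --add-module=../ngx_cache_purge \
  --add-module=../ngx_devel_kit \
  --add-module=../nginx-dav-ext-module \
  --add-module=../ngx_http_substitutions_filter_module \
  --with-cc-opt='-O2 -march=native -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2 -DTCP_FASTOPEN=23 -I../libgd/src -I../libressl-3.9.1/build/include' \
  --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--strip-all -fPIC -ljemalloc -L../libgd/build/Bin -L../libressl-3.9.1/build/lib'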

Build & Install Nginx

# Compile with one job per CPU, then install into --prefix (/www/server/nginx).
# Run from the nginx source directory that was configured above; install is
# skipped when the compile fails.
if make -j "$(nproc)"; then
  make install
fi

Configure Nginx

  • dhparam is required to strengthen the Diffie-Hellman parameters (the DHE ciphers below use it)
    • openssl dhparam -out /www/server/panel/vhost/ssl/dhparam.pem 4096
      To Generate dhparam.pem
  • The kernel TLS module is required to use ssl_conf_command Options KTLS;
    • ls /lib/modules/$(uname -r)/kernel/net/tls
      Checks whether the tls.ko module file exists
    • lsmod | grep tls
      Checks whether the module is loaded; if it is not, try modprobe tls
# Edit the main config; the ssl_* directives shown below belong inside http { }.
nano /www/server/nginx/conf/nginx.conf
http{
...
        # TLS policy shared by every server { } in this http block.
        ssl_protocols TLSv1.2 TLSv1.3;
        # TLS 1.2 suites: forward-secret ECDHE/DHE with AEAD only; the DHE-* entries need ssl_dhparam below.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
        # Every listed suite is acceptable, so the client's order (e.g. CHACHA20 on devices without AES-NI) is honoured.
        ssl_prefer_server_ciphers off;
        # 4096-bit group produced by the openssl dhparam command above.
        ssl_dhparam /www/server/panel/vhost/ssl/dhparam.pem;
        # Kernel TLS offload: needs the tls kernel module loaded and the TLS library built with enable-ktls.
        ssl_conf_command Options KTLS;

        # Server-side session cache; tickets are off so resumption state never leaves the server.
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_session_tickets off;

        # TLS 1.3 0-RTT: early data can be replayed by a network attacker, so the
        # Early-Data header is forwarded and upstream handlers must refuse
        # non-idempotent requests that arrive with it set.
        ssl_early_data on;
        proxy_set_header Early-Data $ssl_early_data;

        # OCSP stapling; the responder is looked up through the public resolvers listed here.
        ssl_stapling           on;
        ssl_stapling_verify    on;
        resolver               1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
        resolver_timeout       2s;

# Client-IP recovery behind a proxy, left disabled. If enabled, restrict it with
# set_real_ip_from to the proxy's addresses so other peers cannot spoof $remote_addr.
#        real_ip_header proxy_protocol;
#        real_ip_recursive on;
#        include cloudflare_ip.conf;
...
}
