NGINX (pronounced “engine x”) is an open source web server software designed with high concurrency in mind, that can be used as HTTP/HTTPS server, reverse proxy server, mail proxy server, software load balancer, TLS terminator, caching server…
It is an extremely modular piece of software. Even some of the seemingly “built-in” pieces of the software, such as GZIP or SSL, are actually built as modules that can be enabled and disabled during the build time.
It has core (native) modules and third-party (external) modules created by the community. Right now, there are over a hundred third-party modules that we can utilize.
Written in C language, it’s very fast and lightweight piece of software.
Installing NGINX from source code is relatively “easy” – download latest version of NGINX source code, configure, build and install it.
You’ll need to choose whether to download the mainline or stable version, but building them is exactly the same.
In this tutorial, we will build NGINX with all available modules in open source version of NGINX and we will use mainline version which is at 1.15.0 at the time of this writing. Update version numbers when newer versions become available.
Stable vs. mainline version
NGINX Open Source is available in two versions:
- Mainline – Includes the latest features and bug fixes and is always up to date. It is reliable, but it may include some experimental modules, and it may also have some number of new bugs.
- Stable – Doesn’t include all of the latest features, but has critical bug fixes that are always backported to the mainline version.
Core modules vs. third-party modules
NGINX has two types of modules that you can utilize: core modules and third-party modules.
Core modules are built by the core NGINX developers and they are part of the software itself.
Third party modules are built by the community and you can use them to extend NGINX functionality. There are a lot of helpful third-party modules, the most famous among them are: PageSpeed, ModSecurity, RTMP, Lua etc…
Static modules vs. dynamic modules
Static modules exist in NGINX from the very first version. Dynamic modules were introduced with NGINX 1.9.11+ in February 2016.
With static modules, set of modules that constitute an NGINX binary is fixed at compile time by the ./configure
script. Static modules use --with-foo_bar_module
or --add-module=PATH
syntax.
To compile core (standard) module as dynamic we add =dynamic
, for example
--with-http_image_filter_module=dynamic
.
To compile third-party module as dynamic we use --add-dynamic-module=/path/to/module
syntax and then we load them by using load_module
directive in the global context of the nginx.conf
file.
Requirements for building NGINX from source
In comparison with some other UNIX/Linux software, NGINX is pretty lightweight and doesn’t have many library dependencies. The default build configuration depends on only 3 libraries to be installed: OpenSSL/LibreSSL/BoringSSL, Zlib and PCRE.
- Mandatory requirements:
- Optional requirements:
NOTE: NGINX can also be compiled against LibreSSL and BoringSSL crypto libraries instead of OpenSSL.
Requirements
- A server running Ubuntu 18.04 LTS.
- A non-root user with sudo privileges.
Initial Steps
Check Ubuntu version:
lsb_release -ds
# Ubuntu 18.04 LTS
Set up the timezone:
timedatectl list-timezones
sudo timedatectl set-timezone 'Region/City'
Update your operating system’s packages:
sudo apt update && sudo apt upgrade -y
Build NGINX from source
NGINX is a program written in C, so you will first need to install a compiler tools. Install build-essential
, git
and tree
packages:
sudo apt install -y build-essential git tree
Download latest mainline version of NGINX source code and extract it. NGINX source code is distributed as compressed archive (gzipped tarball), as most Unix and Linux software:
wget https://nginx.org/download/nginx-1.15.0.tar.gz && tar zxvf nginx-1.15.0.tar.gz
Download the mandatory NGINX dependencies’ source code and extract them:
# PCRE version 8.42
wget https://ftp.pcre.org/pub/pcre/pcre-8.42.tar.gz && tar xzvf pcre-8.42.tar.gz
# zlib version 1.2.11
wget https://www.zlib.net/zlib-1.2.11.tar.gz && tar xzvf zlib-1.2.11.tar.gz
# OpenSSL version 1.1.0h
wget https://www.openssl.org/source/openssl-1.1.0h.tar.gz && tar xzvf openssl-1.1.0h.tar.gz
Install optional NGINX dependencies:
sudo add-apt-repository -y ppa:maxmind/ppa
sudo apt update && sudo apt upgrade -y
sudo apt install -y perl libperl-dev libgd3 libgd-dev libgeoip1 libgeoip-dev geoip-bin libxml2 libxml2-dev libxslt1.1 libxslt1-dev
Clean up all .tar.gz
files. We don’t need them anymore:
rm -rf *.tar.gz
Enter the NGINX source directory:
cd ~/nginx-1.15.0
For good measure list directories and files that compose NGINX source code with tree
utility:
tree -L 2 .
Copy NGINX manual page to /usr/share/man/man8/
directory:
sudo cp ~/nginx-1.15.0/man/nginx.8 /usr/share/man/man8
sudo gzip /usr/share/man/man8/nginx.8
ls /usr/share/man/man8/ | grep nginx.8.gz
# Check that Man page for NGINX is working:
man nginx
For help, you can see full list of up-to-date NGINX compile time options by running:
./configure --help
# To see want core modules can be build as dynamic run:
./configure --help | grep -F =dynamic
Configure, compile and install NGINX:
./configure --prefix=/etc/nginx
--sbin-path=/usr/sbin/nginx
--modules-path=/usr/lib/nginx/modules
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--user=nginx
--group=nginx
--build=Ubuntu
--builddir=nginx-1.15.0
--with-select_module
--with-poll_module
--with-threads
--with-file-aio
--with-http_ssl_module
--with-http_v2_module
--with-http_realip_module
--with-http_addition_module
--with-http_xslt_module=dynamic
--with-http_image_filter_module=dynamic
--with-http_geoip_module=dynamic
--with-http_sub_module
--with-http_dav_module
--with-http_flv_module
--with-http_mp4_module
--with-http_gunzip_module
--with-http_gzip_static_module
--with-http_auth_request_module
--with-http_random_index_module
--with-http_secure_link_module
--with-http_degradation_module
--with-http_slice_module
--with-http_stub_status_module
--with-http_perl_module=dynamic
--with-perl_modules_path=/usr/share/perl/5.26.1
--with-perl=/usr/bin/perl
--http-log-path=/var/log/nginx/access.log
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp
--with-mail=dynamic
--with-mail_ssl_module
--with-stream=dynamic
--with-stream_ssl_module
--with-stream_realip_module
--with-stream_geoip_module=dynamic
--with-stream_ssl_preread_module
--with-compat
--with-pcre=../pcre-8.42
--with-pcre-jit
--with-zlib=../zlib-1.2.11
--with-openssl=../openssl-1.1.0h
--with-openssl-opt=no-nextprotoneg
--with-debug
make
sudo make install
After building NGINX, navigate to home (~
) directory:
cd ~
Symlink /usr/lib/nginx/modules
to /etc/nginx/modules
directory. etc/nginx/modules
is a standard place for NGINX modules:
sudo ln -s /usr/lib/nginx/modules /etc/nginx/modules
Print the NGINX version, compiler version, and configure script parameters:
sudo nginx -V
# nginx version: nginx/1.15.0 (Ubuntu)
# built by gcc 7.3.0 (Ubuntu 7.3.0-16ubuntu3)
# built with OpenSSL 1.1.0h 27 Mar 2018
# TLS SNI support enabled
# configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
# . . .
# . . .
Create NGINX system group and user:
sudo adduser --system --home /nonexistent --shell /bin/false --no-create-home --disabled-login --disabled-password --gecos "nginx user" --group nginx
Check NGINX syntax and potential errors:
sudo nginx -t
# Will throw this error -> nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (2: No such file or directory)
# Create NGINX cache directories and set proper permissions
sudo mkdir -p /var/cache/nginx/client_temp /var/cache/nginx/fastcgi_temp /var/cache/nginx/proxy_temp /var/cache/nginx/scgi_temp /var/cache/nginx/uwsgi_temp
sudo chmod 700 /var/cache/nginx/*
sudo chown nginx:root /var/cache/nginx/*
# Re-check syntax and potential errors.
sudo nginx -t
Create NGINX systemd unit file:
sudo vim /etc/systemd/system/nginx.service
Copy/paste the below content into /etc/systemd/system/nginx.service
file:
[Unit]
Description=nginx - high performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target
Enable NGINX to start on boot and start NGINX immediately:sudo systemctl enable nginx.service
sudo systemctl start nginx.service
Check if NGINX will automatically initiate after a reboot:
sudo systemctl is-enabled nginx.service
# enabled
Check if NGINX is running by running one of the following commands:
sudo systemctl status nginx.service
# or
ps aux | grep nginx
# or
curl -I 127.0.0.1
You can also open your browser and navigate to your domain/IP address to see default NGINX page. That is an indicator that NGINX is up and running.
Create Uncomplicated Firewall (UFW) NGINX application profile:
sudo vim /etc/ufw/applications.d/nginx
Copy/paste the below content into /etc/ufw/applications.d/nginx
file:
[Nginx HTTP]
title=Web Server (Nginx, HTTP)
description=Small, but very powerful and efficient web server
ports=80/tcp
[Nginx HTTPS]
title=Web Server (Nginx, HTTPS)
description=Small, but very powerful and efficient web server
ports=443/tcp
[Nginx Full]
title=Web Server (Nginx, HTTP + HTTPS)
description=Small, but very powerful and efficient web server
ports=80,443/tcp
Verify that UFW application profiles are created and recognized:
sudo ufw app list
# Available applications:
# Nginx Full
# Nginx HTTP
# Nginx HTTPS
# OpenSSH
NGINX by default, generates backup .default
files in /etc/nginx
. Remove .default
files from /etc/nginx
directory:
sudo rm /etc/nginx/*.default
Place syntax highlighting of NGINX configuration for Vim editor into ~/.vim
:
# For regular non-root user
mkdir ~/.vim/
cp -r ~/nginx-1.15.0/contrib/vim/* ~/.vim/
# For root user
sudo mkdir /root/.vim/
sudo cp -r ~/nginx-1.15.0/contrib/vim/* /root/.vim/
NOTE: By doing the above step, you will get a nice syntax highlighting when editing NGINX configuration files in Vim editor.
Create conf.d
, snippets
, sites-available
and sites-enabled
directories in /etc/nginx
directory:
sudo mkdir /etc/nginx/{conf.d,snippets,sites-available,sites-enabled}
Change permissions and group ownership of NGINX log files:
sudo chmod 640 /var/log/nginx/*
sudo chown nginx:adm /var/log/nginx/access.log /var/log/nginx/error.log
Create logrotation config for NGINX.
sudo vim /etc/logrotate.d/nginx
Populate the file with the below text, then save and exit:
/var/log/nginx/*.log {
daily
missingok
rotate 52
compress
delaycompress
notifempty
create 640 nginx adm
sharedscripts
postrotate
if [ -f /var/run/nginx.pid ]; then
kill -USR1 `cat /var/run/nginx.pid`
fi
endscript
}
Remove all downloaded files from home directory:
cd ~
rm -rf nginx-1.15.0/ openssl-1.1.0h/ pcre-8.42/ zlib-1.2.11/
That’s it. Now, you have the latest version of NGINX installed by building it from source code. It is compiled statically against some important libraries like OpenSSL. Often, system-supplied version of OpenSSL is outdated. By using this method of installing with a newer version of OpenSSL, you can take advantage of new ciphers like CHACHA20_POLY1305
and protocols like TLS 1.3 that will be available in OpenSSL 1.1.1.
Also, by compiling your own binary, you are able to tailor what functionality your NGINX will provide, which is much more flexible than installing a pre-built binary.
Đăng ký liền tay Nhận Ngay Bài Mới
Subscribe ngay
Cám ơn bạn đã đăng ký !
Lỗi đăng ký !
Add Comment