Afficher/cacher Sommaire
Compilation Nginx OU Openresty sur Debian Buster
ATTENTION !!!
Les compilations se font sur une base "Debian Buster" pour valider le TLS1.3
Compilation nginx Debian Buster
Les modules ajoutés à la compilation nginx
- Headers More : Set and clear input and output headers… more than “add”!(openresty/headers-more-nginx-module)
- PAM Authentication : HTTP Basic Authentication using PAM (stogh/ngx_http_auth_pam_module)
- Cache Purge : Adds ability to purge content from FastCGI, proxy, and uWSGI caches (FRiCKLE/ngx_cache_purge)
- Development Kit : An extension to the core functionality of NGINX (simpl/ngx_devel_kit)
- HTTP Echo : Provides familiar shell-style commands to NGINX HTTP servers (openresty/echo-nginx-module)
- Fancy Index : Like the built-in autoindex module, but fancier (aperezdc/ngx-fancyindex)
- Nchan ex HTTP Push Stream
- HTTP Lua : Embed the power of Lua into NGINX HTTP servers.(openresty/lua-nginx-module)
- NGINX Upload Progress Module : Tracks and reports upload progress (masterzen/nginx-upload-progress-module)
- Substitutions : Performs regular expression and string substitutions on response bodies (yaoweibin/ngx_http_substitutions_filter_module)
- Encrypted Session : Encrypt NGINX variables for light-weight session-based authentication (openresty/encrypted-session-nginx-module)
- HTTP Set Misc : Various set_xxx directives added to NGINX’s rewrite module (openresty/set-misc-nginx-module)
- Upstream Fair Balancer : Distributes incoming requests to least-busy servers
Prérequis compilation nginx
Passage en mode super utilisateur
sudo -s
REMARQUE : Dans le cas Raspberry PI et raspbian lite Jessie
apt install apt-transport-https
Bash compilation nginx Debian Buster
Ce script installe nginx openssl TLSv1.3 PHP7.3 et les services nginx (init.d et systemd) pour le démarrage
Fichier bash pouvant être exécuté ,copier le contenu ci dessous dans une fenêtre terminal
nano compil.sh
#!/bin/bash
#
# Rev. 23 août 2019
# debian10-compilation-nginx-lua-tls1.3-php7.3-MariaDB.sh
# Vérifier si utilisateur "root"
if [ $(id -u) != "0" ]; then
echo "Erreur : Vous devez être root pour exécuter ce script"
exit 1
fi
# Version "Stable" nginx (http://nginx.org/en/download.html)
stable_nginx="nginx-1.16.1"
# répertoire de compilation
mkdir -p /usr/src/nginx-custom
#logiciels pour compilation
apt update
apt install dpkg-dev build-essential zlib1g-dev libpcre3 libpcre3-dev unzip curl libcurl4-openssl-dev libossp-uuid-dev libssl-dev libxslt-dev libgd-dev libgeoip-dev libperl-dev libpam0g-dev libbz2-dev tar unzip curl git -y
# Aller dans le dossier nginx-custom
cd /usr/src/nginx-custom
# Effacer les sources
rm -rf nginx*
#
# Téléchargement des sources nginx
cd /usr/src/nginx-custom
if wget -q --method=HEAD http://nginx.org/download/$stable_nginx.tar.gz;
then
echo "version existante."
wget http://nginx.org/download/$stable_nginx.tar.gz
tar -xaf $stable_nginx.tar.gz
rm *tar.gz
else
echo "version nginx inexistante."
exit 0
fi
# Luajit (fork OpenResty)
git clone https://github.com/openresty/luajit2
cd luajit2/
make
make install
# modules
mkdir -p /usr/src/nginx-custom/modules
cd /usr/src/nginx-custom/modules
#Clonage des modules externes avant compilation
# headers-more-nginx-module
git clone https://github.com/openresty/headers-more-nginx-module
# ngx_http_auth_pam_module
git clone https://github.com/stogh/ngx_http_auth_pam_module nginx-auth-pam
#ngx_cache_purge
git clone https://github.com/FRiCKLE/ngx_cache_purge.git nginx-cache-purge
#
git clone https://github.com/aviafelix/nginx-dav-ext-module
#ngx_devel_kit
git clone https://github.com/simplresty/ngx_devel_kit
#echo-nginx-module
git clone https://github.com/openresty/echo-nginx-module nginx-echo
#ngx-fancyindex
git clone https://github.com/aperezdc/ngx-fancyindex
# modification fancyindex pour avoir la ligne complète
#nchan ex nginx-push-stream-module
git clone https://github.com/slact/nchan
#lua-nginx-module
git clone https://github.com/openresty/lua-nginx-module
#nginx-upload-progress-module
git clone https://github.com/masterzen/nginx-upload-progress-module nginx-upload-progress
#ngx_http_substitutions_filter_module
git clone https://github.com/yaoweibin/ngx_http_substitutions_filter_module
#Nginx Upstream Fair Proxy Load Balancer
git clone https://github.com/itoffshore/nginx-upstream-fair
#Configuration , compilation et installation nginx
cd /usr/src/nginx-custom/$stable_nginx
# indiquer au système de compilation de nginx où trouver LuaJIT 2.1
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.1
#
./configure \
--with-cc-opt='-g -O2 -fdebug-prefix-map=/usr/src/nginx-custom/$stable_nginx=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' \
--with-ld-opt='-Wl,-z,relro -Wl,-z,now,-rpath,/usr/local/lib' \
--prefix=/usr/share/nginx \
--conf-path=/etc/nginx/nginx.conf \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--lock-path=/var/lock/nginx.lock \
--pid-path=/run/nginx.pid \
--modules-path=/usr/lib/nginx/modules \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
--with-debug \
--with-pcre-jit \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_realip_module \
--with-http_auth_request_module \
--with-http_v2_module \
--with-http_dav_module \
--with-http_slice_module \
--with-threads \
--with-http_addition_module \
--with-http_flv_module \
--with-http_geoip_module=dynamic \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_image_filter_module=dynamic \
--with-http_mp4_module \
--with-http_perl_module=dynamic \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_sub_module \
--with-http_xslt_module=dynamic \
--with-mail=dynamic \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--with-http_ssl_module \
--add-dynamic-module=../modules/headers-more-nginx-module \
--add-dynamic-module=../modules/nginx-auth-pam \
--add-dynamic-module=../modules/nginx-dav-ext-module \
--add-dynamic-module=../modules/ngx_devel_kit \
--add-dynamic-module=../modules/nginx-echo \
--add-dynamic-module=../modules/ngx-fancyindex \
--add-dynamic-module=../modules/nchan \
--add-dynamic-module=../modules/lua-nginx-module \
--add-dynamic-module=../modules/nginx-upload-progress \
--add-dynamic-module=../modules/nginx-upstream-fair \
--add-dynamic-module=../modules/nginx-cache-purge \
--add-dynamic-module=../modules/ngx_http_substitutions_filter_module
make
make install
#Copier le binaire pour le PATH
cp /usr/share/nginx/sbin/nginx /usr/sbin/
#Effacement compilation
#make clean
#Dossier temporaire
mkdir -p /var/lib/nginx
#Dossier config
mkdir -p /etc/nginx/conf.d/
#dossier vhost
mkdir -p /var/www
# Modules configuration nginx
mkdir -p /etc/nginx/modules-enabled
for file in $(find "/usr/lib/nginx/modules/" -type f -name "*.so")
do
tempfile="${file##*/}"
prefix="50-mod"
if [ $tempfile = "ndk_http_module.so" ]
then
prefix="10-mod"
fi
echo "load_module /usr/lib/nginx/modules/$tempfile;" | tee /etc/nginx/modules-enabled/$prefix-$tempfile-upload.conf
done
# service nginx
# /etc/init.d/nginx
cat > /etc/init.d/nginx << EOF
#!/bin/sh
### BEGIN INIT INFO
# Provides: nginx
# Required-Start: $local_fs $remote_fs $network $syslog $named
# Required-Stop: $local_fs $remote_fs $network $syslog $named
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts the nginx web server
# Description: starts nginx using start-stop-daemon
### END INIT INFO
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/nginx
NAME=nginx
DESC=nginx
# Include nginx defaults if available
if [ -r /etc/default/nginx ]; then
. /etc/default/nginx
fi
STOP_SCHEDULE="${STOP_SCHEDULE:-QUIT/5/TERM/5/KILL/5}"
test -x $DAEMON || exit 0
. /lib/init/vars.sh
. /lib/lsb/init-functions
# Try to extract nginx pidfile
PID=$(cat /etc/nginx/nginx.conf | grep -Ev '^\s*#' | awk 'BEGIN { RS="[;{}]" } { if ($1 == "pid") print $2 }' | head -n1)
if [ -z "$PID" ]; then
PID=/run/nginx.pid
fi
if [ -n "$ULIMIT" ]; then
# Set ulimit if it is set in /etc/default/nginx
ulimit $ULIMIT
fi
start_nginx() {
# Start the daemon/service
#
# Returns:
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
start-stop-daemon --start --quiet --pidfile $PID --exec $DAEMON --test > /dev/null \
|| return 1
start-stop-daemon --start --quiet --pidfile $PID --exec $DAEMON -- \
$DAEMON_OPTS 2>/dev/null \
|| return 2
}
test_config() {
# Test the nginx configuration
$DAEMON -t $DAEMON_OPTS >/dev/null 2>&1
}
stop_nginx() {
# Stops the daemon/service
#
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=$STOP_SCHEDULE --pidfile $PID --name $NAME
RETVAL="$?"
sleep 1
return "$RETVAL"
}
reload_nginx() {
# Function that sends a SIGHUP to the daemon/service
start-stop-daemon --stop --signal HUP --quiet --pidfile $PID --name $NAME
return 0
}
rotate_logs() {
# Rotate log files
start-stop-daemon --stop --signal USR1 --quiet --pidfile $PID --name $NAME
return 0
}
upgrade_nginx() {
# Online upgrade nginx executable
# http://nginx.org/en/docs/control.html
#
# Return
# 0 if nginx has been successfully upgraded
# 1 if nginx is not running
# 2 if the pid files were not created on time
# 3 if the old master could not be killed
if start-stop-daemon --stop --signal USR2 --quiet --pidfile $PID --name $NAME; then
# Wait for both old and new master to write their pid file
while [ ! -s "${PID}.oldbin" ] || [ ! -s "${PID}" ]; do
cnt=`expr $cnt + 1`
if [ $cnt -gt 10 ]; then
return 2
fi
sleep 1
done
# Everything is ready, gracefully stop the old master
if start-stop-daemon --stop --signal QUIT --quiet --pidfile "${PID}.oldbin" --name $NAME; then
return 0
else
return 3
fi
else
return 1
fi
}
case "$1" in
start)
log_daemon_msg "Starting $DESC" "$NAME"
start_nginx
case "$?" in
0|1) log_end_msg 0 ;;
2) log_end_msg 1 ;;
esac
;;
stop)
log_daemon_msg "Stopping $DESC" "$NAME"
stop_nginx
case "$?" in
0|1) log_end_msg 0 ;;
2) log_end_msg 1 ;;
esac
;;
restart)
log_daemon_msg "Restarting $DESC" "$NAME"
# Check configuration before stopping nginx
if ! test_config; then
log_end_msg 1 # Configuration error
exit $?
fi
stop_nginx
case "$?" in
0|1)
start_nginx
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
reload|force-reload)
log_daemon_msg "Reloading $DESC configuration" "$NAME"
# Check configuration before stopping nginx
#
# This is not entirely correct since the on-disk nginx binary
# may differ from the in-memory one, but that's not common.
# We prefer to check the configuration and return an error
# to the administrator.
if ! test_config; then
log_end_msg 1 # Configuration error
exit $?
fi
reload_nginx
log_end_msg $?
;;
configtest|testconfig)
log_daemon_msg "Testing $DESC configuration"
test_config
log_end_msg $?
;;
status)
status_of_proc -p $PID "$DAEMON" "$NAME" && exit 0 || exit $?
;;
upgrade)
log_daemon_msg "Upgrading binary" "$NAME"
upgrade_nginx
log_end_msg $?
;;
rotate)
log_daemon_msg "Re-opening $DESC log files" "$NAME"
rotate_logs
log_end_msg $?
;;
*)
echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest|rotate|upgrade}" >&2
exit 3
;;
esac
EOF
# droits en exécution
chmod u+x /etc/init.d/nginx
# Création systemd nginx.service
cat > /etc/systemd/system/nginx.service << EOF
[Unit]
Description=A high performance web server and a reverse proxy server
After=network.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed
[Install]
WantedBy=multi-user.target
EOF
# Fichier de configuration nginx
rm /etc/nginx/nginx.conf
cat > /etc/nginx/nginx.conf << EOF
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
EOF
# PHP7.3
apt-get -y install apt-transport-https lsb-release ca-certificates
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
apt update
# Le paquet php7.3-mcrypt est inexistant (si besoin ,installer php7.1-mcrypt)
apt install php7.3 php7.3-fpm php7.3-mysql php7.3-curl php7.3-json php7.3-gd php7.3-tidy php7.3-intl php7.3-imagick php7.3-xml php7.3-mbstring php7.3-zip -y
# Contenu fichier /etc/nginx/conf.d/default.conf
# back slash pour prise en compte request_filename
cat > /etc/nginx/conf.d/default.conf << EOF
server {
listen 80;
listen [::]:80;
root /var/www/ ;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php7.3-fpm.sock; # PHP7.3
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME \$request_filename;
}
}
EOF
# Contenu fichier /var/www/index.html
cat > /var/www/index.html << EOF
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx on Debian!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx on Debian!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working on Debian. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a></p>
<p>
Please use the <tt>reportbug</tt> tool to report bugs in the
nginx package with Debian. However, check <a
href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=nginx;repeatmerged=0">existing
bug reports</a> before reporting a new bug.
</p>
<p><em>Thank you for using debian and nginx.</em></p>
</body>
</html>
EOF
# test php
echo "<?php phpinfo(); ?>" > /var/www/info.php
# Réinitialiser
systemctl daemon-reload
# Activer nginx
systemctl enable nginx
# Relancer les services
systemctl restart nginx php7.3-fpm
# Installer MariaDb
apt install mariadb-server -y
# Générer un mot de passe pour mysql
echo $(head -c 12 /dev/urandom | openssl enc -base64) > /etc/mysql/mdp
# fichier sql
cat > /tmp/mysql_secure.sql << EOF
GRANT ALL ON *.* TO 'admin'@'localhost' IDENTIFIED BY '$(cat /etc/mysql/mdp)' WITH GRANT OPTION;
FLUSH PRIVILEGES; /* Applique les changements effectués précédemment concernant la gestion des droits */
EOF
# Exécuter la requête sql
mysql -uroot < /tmp/mysql_secure.sql
echo "Versions Nginx OpenSSL MariaDB et PHP"
nginx -v
openssl version
mysql --version
echo "Mot de passe MySql/MariaDB : /etc/mysql/mdp"
php -v
echo "********** FIN EXECUTION SCRIPT ************"
Le rendre exécutable
chmod +x compil.sh
Exécution
./compil.sh
Script téléchargeable pour compiler nginx
Ce script bash compile et installe nginx,lua, TLSV1.3 , PHP7.3 et MariaDB. Téléchargement
Après téléchargement mettre à jour dans le fichier ,si nécessaire , la variable latest_nginx
Résumé des commandes
sudo -s # Passer en mode super utilisateur (su ou sudo)
wget -O compil.sh "https://yann.cinay.eu/files/debian10-compilation-nginx-lua-tls1.3-php7.3-MariaDB.sh" # Télécharger le script
chmod +x compil.sh # Rendre le script exécutable
./compil.sh # Exécuter le script
#******** Patienter **********
Tester sur le lien de type http://votre-ip/info.php
Compilation OpenResty
OpenResty embarque le module HttpLuaModule permettant l’exécution de script Lua. Plusieurs directives permettent de lancer un script à différents moments de la requête, elles sont toutes de la forme « *_by_lua ». Les fonctions disponibles dans ces directives sont limitées :
- init_by_lua: le code sera exécuté au démarrage quand le serveur NGINX lit la configuration. Il est utile pour déclarer des variables globales ou précharger des modules
- set_by_lua: permet d’effectuer un traitement et de récupérer le résultat dans un variable. Le code exécuté bloque la boucle d’événement de NGINX et doit donc être rapide
- rewrite_by_lua: le code est exécuté pour chaque requête et après l’exécution du module HttpRewrite
- access_by_lua: le code est exécuté pour chaque requête et après l’exécution du module HttpAccess
- header_filter_by_lua: utilisé uniquement pour filtrer les headers de la requête
- content_by_lua: utilisé lorsqu’un script renvoie du contenu via par exemple ngx.say
- body_filter_by_lua: le code est exécuté après réception de données de réponse et permet de modifier le contenu renvoyé au client. Il peut être lancé plusieurs fois par requête selon le volume de données
- log_by_lua: le code est exécuté après l’écriture dans le access log.
Les modules ajoutés à la compilation OpenResty
Vous trouverez ici la liste de tous les composants inclus dans OpenResty. Tous les composants peuvent être activés ou désactivés selon les besoins.
Prérequis à la compilation OpenResty
Passage en mode super utilisateur
sudo -s
REMARQUE : Dans le cas Raspberry PI et raspbian lite
apt install apt-transport-https
Bash de compilation OpenResty
Ce script compile et installe openresty (nginx + openssl TLSv1.3 + modules dynamiques) ,le service nginx (systemd) pour le démarrage, PHP7.3 et mariadb
Fichier bash pouvant être exécuté ,copier le contenu ci dessous dans une fenêtre terminal
nano compil
#!/bin/bash
#
# 10 septembre 2019
#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Nginx est un serveur HTTP et reverse proxy utilisé par de nombreux sites.
# OpenResty est une surcouche construite avec de nombreux modules par défaut, ils permettent par exemple
# la personnalisation via des scripts Lua ou des accès simplifiés à des bases de données.
#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Vérifier si utilisateur "root"
if [ $(id -u) != "0" ]; then
echo "Erreur : Vous devez être root pour exécuter ce script"
exit 1
fi
#logiciels pour compilation
apt update
apt install dpkg-dev build-essential zlib1g-dev libpcre3 libpcre3-dev libcurl4-openssl-dev libossp-uuid-dev libssl-dev libxslt-dev libgd-dev libgeoip-dev libperl-dev libpam0g-dev libbz2-dev tar unzip curl git -y
#
# openresty voir https://openresty.org/en/download.html pour la dernière version
wget https://openresty.org/download/openresty-1.15.8.1.tar.gz
tar -xvf openresty-1.15.8.1.tar.gz
cd openresty-1.15.8.1
# les modules
mkdir -p modules
cd modules
#### Clonage des modules externes avant compilation ####
# headers-more-nginx-module
git clone https://github.com/openresty/headers-more-nginx-module
# ngx_http_auth_pam_module
git clone https://github.com/stogh/ngx_http_auth_pam_module nginx-auth-pam
#ngx_cache_purge
git clone https://github.com/FRiCKLE/ngx_cache_purge.git nginx-cache-purge
#
git clone https://github.com/aviafelix/nginx-dav-ext-module
#echo-nginx-module
git clone https://github.com/openresty/echo-nginx-module nginx-echo
#ngx-fancyindex
git clone https://github.com/aperezdc/ngx-fancyindex
# modification fancyindex pour avoir la ligne complète
#nchan ex nginx-push-stream-module
git clone https://github.com/slact/nchan
#nginx-upload-progress-module
git clone https://github.com/masterzen/nginx-upload-progress-module nginx-upload-progress
#ngx_http_substitutions_filter_module
git clone https://github.com/yaoweibin/ngx_http_substitutions_filter_module
#Nginx Upstream Fair Proxy Load Balancer
git clone https://github.com/itoffshore/nginx-upstream-fair
# configurer
cd ..
./configure \
--with-debug \
--with-pcre-jit \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_realip_module \
--with-http_auth_request_module \
--with-http_v2_module \
--with-http_dav_module \
--with-http_slice_module \
--with-threads \
--with-http_addition_module \
--with-http_flv_module \
--with-http_geoip_module=dynamic \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_image_filter_module=dynamic \
--with-http_mp4_module \
--with-http_perl_module=dynamic \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_sub_module \
--with-http_xslt_module=dynamic \
--with-mail=dynamic \
--with-mail_ssl_module \
--with-stream=dynamic \
--with-stream_ssl_module \
--add-dynamic-module=modules/nginx-auth-pam \
--add-dynamic-module=modules/nginx-cache-purge \
--add-dynamic-module=modules/nginx-dav-ext-module \
--add-dynamic-module=modules/ngx-fancyindex \
--add-dynamic-module=modules/nchan \
--add-dynamic-module=modules/nginx-upload-progress \
--add-dynamic-module=modules/nginx-upstream-fair \
--add-dynamic-module=modules/ngx_http_substitutions_filter_module
## Modules ci-dessous sont intégrés à openresty ##
# --add-dynamic-module=modules/headers-more-nginx-module \
# --add-dynamic-module=modules/nginx-echo \
# compilation installation
make && make install
# Configuration nginx pour le chargement des modules
mkdir -p /usr/local/openresty/nginx/modules-enabled
for file in $(find "/usr/local/openresty/nginx/modules/" -type f -name "*.so")
do
tempfile="${file##*/}"
prefix="50-mod"
if [ $tempfile = "ndk_http_module.so" ]
then
prefix="10-mod"
fi
echo 'load_module "/usr/local/openresty/nginx/modules/'$tempfile'";' | tee /usr/local/openresty/nginx/modules-enabled/$prefix-$tempfile-upload.conf
done
# Création des liens pour le dossier /usr/local/openresty/bin/
for file in /usr/local/openresty/bin/*
do
tempfile="${file##*/}"
rest=${tempfile%.*}
#convert $tempfile $rest".png"
ln -s $file /usr/local/bin/$tempfile
done
# Création systemd openresty.service
cat > /etc/systemd/system/openresty.service << EOF
# Stop dance for OpenResty
# A modification of the Nginx systemd script
# =======================
#
# ExecStop sends SIGSTOP (graceful stop) to the Nginx process.
# If, after 5s (--retry QUIT/5) OpenResty is still running, systemd takes control
# and sends SIGTERM (fast shutdown) to the main process.
# After another 5s (TimeoutStopSec=5), and if OpenResty is alive, systemd sends
# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
#
# Nginx signals reference doc:
# http://nginx.org/en/docs/control.html
#
[Unit]
Description=A dynamic web platform based on Nginx and LuaJIT.
After=network.target
[Service]
Type=forking
PIDFile=/run/openresty.pid
ExecStartPre=/usr/local/openresty/bin/openresty -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/local/openresty/bin/openresty -g 'daemon on; master_process on;'
ExecReload=/usr/local/openresty/bin/openresty -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/openresty.pid
TimeoutStopSec=5
KillMode=mixed
[Install]
WantedBy=multi-user.target
EOF
# le fichier de configuration /usr/local/openresty/nginx/conf/nginx.conf
rm /usr/local/openresty/nginx/conf/nginx.conf
cat > /usr/local/openresty/nginx/conf/nginx.conf << EOF
user www-data;
worker_processes auto;
pid /run/openresty.pid;
include ../modules-enabled/*.conf;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
variables_hash_max_size 2048;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
access_log /var/log/openresty/access.log;
error_log /var/log/openresty/error.log;
gzip on;
gzip_disable "msie6";
include ../sites/*.conf;
}
EOF
mkdir -p /var/log/openresty
systemctl daemon-reload
systemctl start openresty
systemctl enable openresty
# Ensuite, créez le nouveau répertoire de sites que nous avons spécifié dans la ligne d’ include , il contient les fichiers de configuration conf des sites virtuels VHOST
mkdir -p /usr/local/openresty/nginx/sites
# Création du dossier contenant les fichiers html, php, etc...
mkdir -p /usr/local/openresty/nginx/www/
# PHP7.3
apt-get -y install apt-transport-https lsb-release ca-certificates
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
apt update
# Le paquet php7.3-mcrypt est inexistant (si besoin ,installer php7.1-mcrypt)
apt install php7.3 php7.3-fpm php7.3-mysql php7.3-curl php7.3-json php7.3-gd php7.3-tidy php7.3-intl php7.3-imagick php7.3-xml php7.3-mbstring php7.3-zip -y
# Contenu fichier /usr/local/openresty/nginx/sites/default.conf
# back slash pour prise en compte request_filename
cat > /usr/local/openresty/nginx/sites/default.conf << EOF
server {
listen 80;
listen [::]:80;
root /usr/local/openresty/nginx/www/ ;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php7.3-fpm.sock; # PHP7.3
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME \$request_filename;
}
}
EOF
# DÉPLACEMENT fichier index.html
mv /usr/local/openresty/nginx/html/index.html /usr/local/openresty/nginx/www/
# test php
echo "<?php phpinfo(); ?>" > /usr/local/openresty/nginx/www/info.php
# Réinitialiser
systemctl daemon-reload
# Relancer les services
systemctl restart openresty php7.3-fpm
# Installer MariaDb
apt install mariadb-server -y
# Générer un mot de passe pour mysql
echo $(head -c 12 /dev/urandom | openssl enc -base64) > /etc/mysql/mdp
# fichier sql
cat > /tmp/mysql_secure.sql << EOF
GRANT ALL ON *.* TO 'admin'@'localhost' IDENTIFIED BY '$(cat /etc/mysql/mdp)' WITH GRANT OPTION;
FLUSH PRIVILEGES; /* Applique les changements effectués précédemment concernant la gestion des droits */
EOF
# Exécuter la requête sql
mysql -uroot < /tmp/mysql_secure.sql
clear
echo "**************************************"
echo "Versions Nginx OpenSSL MariaDB et PHP"
echo "**************************************"
openresty -v
openssl version
mysql --version
echo "Mot de passe MySql/MariaDB : /etc/mysql/mdp"
php -v
echo "********** FIN EXECUTION SCRIPT ************"
Le rendre exécutable
chmod +x compil
Exécution
./compil
Script téléchargeable pour compiler OpenResty
Ce script bash compile et installe openresty (nginx + openssl TLSv1.3 + modules dynamiques) ,le service nginx (systemd) pour le démarrage, PHP7.3 et mariadb. Téléchargement
Après téléchargement passer en mode super utilisateur (su ou sudo)
Exécuter les instructions suivantes pour lancer la compilation
sudo -s # Passer en mode super utilisateur (su ou sudo)
wget -O compil.sh "https://yann.cinay.eu/files/debian-compilation-openresty(nginx+lua+tls1.3)-php7.3-MariaDB.sh" # Télécharger le script
chmod +x compil.sh # Rendre le script exécutable
./compil.sh # Exécuter le script
Patienter de 5 à 10 minutes…
Résultat de la compilation
**************************************
Versions Nginx OpenSSL MariaDB et PHP
**************************************
nginx version: openresty/1.15.8.1
OpenSSL 1.1.1c 28 May 2019
mysql Ver 15.1 Distrib 10.3.17-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
Mot de passe MySql/MariaDB : /etc/mysql/mdp
PHP 7.3.4-2 (cli) (built: Apr 13 2019 19:05:48) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.4, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.3.4-2, Copyright (c) 1999-2018, by Zend Technologies
********** FIN EXECUTION SCRIPT ************
Tester avec le lien de type http://votre-ip/info.php