使用 BoringSSL 编译 NGINX

学向勤中得,萤窗万卷书。这篇文章主要讲述使用 BoringSSL 编译 NGINX相关的知识,希望能为你提供帮助。
说明:gcc 版本需大于 6;编译 BoringSSL 需要 Go 环境支持,cmake 需 3 以上版本。
编译BoringSSL 编译BoringSSL 依赖安装

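# Install the build dependencies (EPEL is enabled first).
yum -y install epel-release
yum install libunwind-devel libunwind gcc cmake make go git gcc-c++

# Build with ninja: fetch the prebuilt v1.10.2 release binary.
# NOTE(review): this binary is installed into /usr/bin and run as root, but
# nothing verifies it. Record a known-good SHA-256 for ninja-linux.zip and
# check it before unpacking, for example:
#   echo "<EXPECTED_SHA256_PLACEHOLDER>  ninja-linux.zip" | sha256sum -c -
wget https://github.com/ninja-build/ninja/releases/download/v1.10.2/ninja-linux.zip
unzip ninja-linux.zip
mv ninja /usr/bin/

# Confirm the binary is on PATH. Output on the author's host:
#   [root@node src]# which ninja
#   /usr/bin/ninja
which ninja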

拉取BoringSSL源码
# Clones the tip of the default branch, so two runs of this guide can build
# different TLS code. For a reproducible build, record the commit that was
# built (git -C boringssl rev-parse HEAD) and check that commit out on rebuilds.
git clone https://github.com/google/boringssl.git

编译BoringSSL
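# Configure and build BoringSSL in a dedicated build directory. The subshell
# keeps the caller in the source directory, because later steps refer to
# ../boringssl from sibling directories.
# NOTE(review): no CMAKE_BUILD_TYPE is set here; BoringSSL's build notes
# describe -DCMAKE_BUILD_TYPE=Release for release builds. Confirm which one
# you want before deploying.
(
  cd boringssl || exit 1
  # Create a directory used only for the build
  mkdir build
  cd build || exit 1
  cmake -GNinja ..
  # Output on the author's host:
  #   [root@node build]# cmake -GNinja ..
  #   -- The CXX compiler identification is GNU 8.5.0
  #   -- Detecting CXX compiler ABI info
  #   -- Detecting CXX compiler ABI info - done
  #   -- Check for working CXX compiler: /usr/bin/c++ - skipped
  #   -- Detecting CXX compile features
  #   -- Detecting CXX compile features - done
  #   -- Found Perl: /usr/bin/perl (found version "5.26.3")
  #   -- Checking for module libunwind-generic
  #   --Found libunwind-generic, version 1.3.1
  #   -- The ASM compiler identification is GNU
  #   -- Found assembler: /usr/bin/cc
  #   -- Configuring done
  #   -- Generating done
  #   -- Build files have been written to: /usr/local/src/boringssl/build
  ninja
)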

nginx 编译nginx 支持br 压缩 lua 使用jemalloc内存
nginx 编译依赖安装
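# Install the nginx build dependencies. The page had "-y" fused to "pcre"
# ("-ypcre"), which yum would not read as "-y" followed by the pcre package.
yum install -y pcre pcre-devel zlib zlib-devel libtool lua-devel patch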

luajit2编译
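# Build and install OpenResty's LuaJIT fork.
# NOTE(review): this builds whatever the default branch points at today; pin a
# tag or commit for a reproducible build.
git clone https://github.com/openresty/luajit2.git
(
  # Subshell: the caller stays in the source directory for the next step.
  cd luajit2 || exit 1
  # "&&" was split into "& &" on the page, which is a syntax error.
  make -j"$(nproc)" && make -j"$(nproc)" install
)
# Expose the shared library under /lib64 so the dynamic loader finds it.
ln -sf /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2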

jemalloc 编译
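# Build and install jemalloc (binaries, headers and libraries only).
# NOTE(review): unpinned clone of the default branch; pin a release tag for a
# reproducible build.
git clone https://github.com/jemalloc/jemalloc.git
(
  # Subshell: the caller stays in the source directory for the next step.
  cd jemalloc || exit 1
  ./autogen.sh
  ./configure
  # "&&" was split into "& &" on the page, which is a syntax error.
  make -j"$(nproc)" && make -j"$(nproc)" install_bin install_include install_lib
)
# Register /usr/local/lib with the dynamic loader and refresh its cache.
echo /usr/local/lib > /etc/ld.so.conf.d/jemalloc.conf
ldconfig
ln -sf /usr/local/lib/libjemalloc.so /usr/lib64/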

lua-cjson 编译
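# Build and install lua-cjson 2.1.0 from the author's release tarball.
# NOTE(review): the tarball is compiled and installed as root without any
# integrity check. Record a known-good SHA-256 and verify it before unpacking:
#   echo "<EXPECTED_SHA256_PLACEHOLDER>  lua-cjson-2.1.0.tar.gz" | sha256sum -c -
wget https://www.kyne.com.au/~mark/software/download/lua-cjson-2.1.0.tar.gz
tar -xzvf lua-cjson-2.1.0.tar.gz
(
  # Subshell: the caller stays in the source directory for the next step.
  cd lua-cjson-2.1.0 || exit 1
  # "&&" was split into "& &" on the page, which is a syntax error.
  make -j"$(nproc)" && make -j"$(nproc)" install
)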

luasocket 编译
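# Build and install luasocket.
# NOTE(review): unpinned clone of the default branch; pin a tag or commit for
# a reproducible build.
git clone https://github.com/diegonehab/luasocket.git
(
  # Subshell: the caller stays in the source directory for the next step.
  cd luasocket || exit 1
  # "&&" was split into "& &" on the page, which is a syntax error.
  make -j"$(nproc)" && make -j"$(nproc)" install
)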

libbrotli 编译
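# Build and install libbrotli.
# NOTE(review): unpinned clone of the default branch; pin a tag or commit for
# a reproducible build.
git clone https://github.com/bagder/libbrotli
(
  # Subshell: the caller stays in the source directory for the next step.
  cd libbrotli/ || exit 1
  ./autogen.sh
  ./configure
  # "&&" was split into "& &" on the page, which is a syntax error.
  make -j"$(nproc)" && make -j"$(nproc)" install
)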

下载nginx 插件
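# Fetch the third-party nginx modules that are compiled into the binary.
# NOTE(review): every module here becomes part of a server that is started as
# root, and each clone takes whatever the default branch holds at that moment.
# Review each module's maintenance status, then pin it to a tag or commit so
# that a rebuild cannot silently pick up different code.
module_repos=(
  https://github.com/FRiCKLE/ngx_cache_purge.git
  https://github.com/weibocom/nginx-upsync-module.git
  https://github.com/xiaokai-wang/nginx_upstream_check_module.git
  https://github.com/openresty/echo-nginx-module.git
  https://github.com/openresty/lua-nginx-module.git
  https://github.com/openresty/stream-lua-nginx-module.git
  https://github.com/openresty/lua-upstream-nginx-module.git
  https://github.com/evanmiller/mod_zip.git
  https://github.com/simplresty/ngx_devel_kit.git
  https://github.com/wdaike/ngx_upstream_jdomain.git
  https://github.com/GUI/nginx-upstream-dynamic-servers.git
  https://github.com/openresty/headers-more-nginx-module.git
  https://github.com/vozlt/nginx-module-vts.git
  https://github.com/google/ngx_brotli
)
for repo in "${module_repos[@]}"; do
  git clone "$repo"
done

# ngx_brotli vendors the brotli sources as a git submodule.
(
  cd ngx_brotli || exit 1
  git submodule update --init
)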

下载pcre 在centos8 或者 Rocky 系统 报错
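# Fetch the PCRE 8.39 sources and unpack them: the nginx configure step later
# passes --with-pcre=../pcre-8.39, which needs the extracted source tree, and
# the page never extracts the tarball.
# NOTE(review): verify the tarball against a known-good checksum before use:
#   echo "<EXPECTED_SHA256_PLACEHOLDER>  pcre-8.39.tar.gz" | sha256sum -c -
# PCRE 8.x is the legacy PCRE1 line; check whether the modules you need can
# build against PCRE2 before settling on this version.
wget https://sourceforge.net/projects/pcre/files/pcre/8.39/pcre-8.39.tar.gz
tar -xzf pcre-8.39.tar.gz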

下载nginx
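# Download the nginx sources over HTTPS with the detached PGP signature, and
# verify the signature before building. The page fetched the tarball over
# plain HTTP with no integrity check, so anyone on the network path could
# substitute the code that ends up running as root.
# gpg --verify needs the nginx release signing keys (published on nginx.org)
# in the local keyring; do not continue if it does not report a good signature.
# NOTE(review): 1.21.6 is an old mainline release. Check the nginx security
# advisories and prefer a current release; later steps hard-code this version.
wget https://nginx.org/download/nginx-1.21.6.tar.gz
wget https://nginx.org/download/nginx-1.21.6.tar.gz.asc
gpg --verify nginx-1.21.6.tar.gz.asc nginx-1.21.6.tar.gz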

编译nginx
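tar -xvf nginx-1.21.6.tar.gz
cd nginx-1.21.6

# Apply the nginx_upstream_check_module patch. Choose the check_*.patch file
# that matches the nginx version (check_1.12.1+.patch here).
patch -p1 < ../nginx_upstream_check_module/check_1.12.1+.patch
# Output on the author's host:
#   [root@node nginx-1.21.6]# patch -p1 < ../nginx_upstream_check_module/check_1.12.1+.patch
#   patching file src/http/modules/ngx_http_upstream_hash_module.c
#   Hunk #2 succeeded at 241 (offset 3 lines).
#   Hunk #3 succeeded at 571 (offset 22 lines).
#   patching file src/http/modules/ngx_http_upstream_ip_hash_module.c
#   Hunk #2 succeeded at 211 (offset 3 lines).
#   patching file src/http/modules/ngx_http_upstream_least_conn_module.c
#   patching file src/http/ngx_http_upstream_round_robin.c
#   Hunk #1 succeeded at 9 with fuzz 2.
#   Hunk #2 succeeded at 108 (offset 6 lines).
#   Hunk #3 succeeded at 187 (offset 12 lines).
#   Hunk #4 succeeded at 264 (offset 13 lines).
#   Hunk #5 succeeded at 384 (offset 14 lines).
#   Hunk #6 succeeded at 421 (offset 14 lines).
#   Hunk #7 succeeded at 489 (offset 14 lines).
#   Hunk #8 succeeded at 589 (offset 14 lines).
#   patching file src/http/ngx_http_upstream_round_robin.h

# Build nginx
# Create the nginx account: no login shell (-s /sbin/nologin), no home (-M).
useradd nginx -s /sbin/nologin -M

# Export the LuaJIT library and include locations.
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.1

# Create the working directories. The page lost the braces around the list;
# without them mkdir creates one directory whose name contains the commas.
mkdir -pv /apps/nginx/cache/{client_temp,proxy_temp,fastcgi_temp,uwsgi_temp,scgi_temp,proxy_cache,ngx_pagespeed_cache}
# NOTE(review): this makes the worker account the owner of the whole prefix,
# including the directory that later holds the Lua code nginx loads. Limiting
# ownership to the paths the workers must write (cache, logs) would keep the
# code paths root-owned.
chown -R nginx:nginx /apps/nginx

# NOTE(review): --with-openssl-opt only applies when nginx builds the TLS
# library itself via --with-openssl=DIR. BoringSSL is linked here through
# --with-cc-opt/--with-ld-opt, so that option has no effect in this command.
# Every --add-module and --with-* module below adds attack surface; enable
# only the ones the deployment uses.
./configure --prefix=/apps/nginx \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/apps/nginx/log/error.log \
  --http-log-path=/apps/nginx/log/access.log \
  --pid-path=/apps/nginx/run/nginx.pid \
  --lock-path=/apps/nginx/run/nginx.lock \
  --http-client-body-temp-path=/apps/nginx/cache/client_temp \
  --http-proxy-temp-path=/apps/nginx/cache/proxy_temp \
  --http-fastcgi-temp-path=/apps/nginx/cache/fastcgi_temp \
  --http-uwsgi-temp-path=/apps/nginx/cache/uwsgi_temp \
  --http-scgi-temp-path=/apps/nginx/cache/scgi_temp \
  --user=nginx \
  --group=nginx \
  --with-compat \
  --with-http_ssl_module \
  --with-http_realip_module \
  --with-http_addition_module \
  --with-http_sub_module \
  --with-http_dav_module \
  --with-http_flv_module \
  --with-http_mp4_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_random_index_module \
  --with-http_secure_link_module \
  --with-http_stub_status_module \
  --with-http_auth_request_module \
  --with-threads \
  --with-stream \
  --with-stream_ssl_module \
  --with-stream_realip_module \
  --with-stream_ssl_preread_module \
  --with-http_slice_module \
  --with-mail \
  --with-mail_ssl_module \
  --with-file-aio \
  --with-pcre-jit \
  --with-pcre=../pcre-8.39 \
  --with-http_v2_module \
  --with-openssl-opt=enable-tls1_3 \
  --add-module=../ngx_brotli \
  --add-module=../nginx-upsync-module \
  --add-module=../echo-nginx-module \
  --add-module=../nginx_upstream_check_module \
  --add-module=../lua-nginx-module \
  --add-module=../stream-lua-nginx-module \
  --add-module=../lua-upstream-nginx-module \
  --add-module=../ngx_devel_kit \
  --add-module=../mod_zip \
  --add-module=../ngx_cache_purge \
  --add-module=../headers-more-nginx-module \
  --add-module=../ngx_upstream_jdomain \
  --add-module=../nginx-upstream-dynamic-servers \
  --add-module=../nginx-module-vts \
  --with-cc-opt="-I../boringssl/include" \
  --with-ld-opt="-Wl,-rpath,$LUAJIT_LIB,-ljemalloc -L../boringssl/build/ssl -L../boringssl/build/crypto"

# make ("&&" was split into "& &" on the page, which is a syntax error)
make -j"$(nproc)" && make -j"$(nproc)" install

# Create the Lua directory
mkdir -p /apps/nginx/lua/resty
# NOTE(review): both libraries are cloned at the tip of their default branch;
# lua-resty-core in particular has to match the lua-nginx-module that was
# compiled in, so pin matching tags.
git clone https://github.com/openresty/lua-resty-lrucache.git
git clone https://github.com/openresty/lua-resty-core.git
# Copy the library files into resty
cp -pdr ./lua-resty-core/lib/resty/* /apps/nginx/lua/resty/
mv ./lua-resty-lrucache/lib/resty/* /apps/nginx/lua/resty/

# Create the nginx systemd unit (the original opens this file in vim and
# pastes the content).
cat > /usr/lib/systemd/system/nginx.service <<'EOF'
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
# NOTE(review): unlimited core dumps from a TLS server can write private keys
# and request data to disk; keep this only while debugging crashes and protect
# the directory the cores are written to.
LimitCORE=infinity
LimitNOFILE=100000
LimitNPROC=100000
PIDFile=/apps/nginx/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF

# Edit nginx.conf; without these settings nginx cannot find the Lua files and
# reports an error. Add the following inside the http block:
#   lua_need_request_body on;
#   lua_package_path "/apps/nginx/lua/?.lua";
#   lua_shared_dict limit 100m;
#   lua_shared_dict badGuys 100m;
#   lua_code_cache on;
vim /etc/nginx/nginx.conf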

【使用 BoringSSL 编译 NGINX】nginx.conf
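# /apps/nginx/lua/test.lua is used to check that Lua support works.
# Content of test.lua:
#     ngx.say("hello world");
#
# cat /etc/nginx/nginx.conf
# (Block braces and the spacing between directive names and values were lost
# on the page; they are restored here following the stock nginx.conf layout.)

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    # Set the Lua paths, otherwise nginx reports an error.
    # NOTE(review): lua_need_request_body at http level makes every Lua
    # handler read the whole request body first; consider enabling it only in
    # the locations that need the body.
    lua_need_request_body on;
    lua_package_path "/apps/nginx/lua/?.lua";
    lua_shared_dict limit 100m;
    lua_shared_dict badGuys 100m;
    lua_code_cache on;

    server {
        listen       8880;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # Test endpoints for the Lua build; remove them once Lua support is
        # confirmed.
        location /hello {
            default_type text/html;
            content_by_lua_block {
                ngx.say("HelloWorld")
            }
        }

        location /lua {
            default_type text/html;
            content_by_lua_file lua/test.lua; # relative to the nginx install directory: /apps/nginx/lua
        }

        # proxy the php scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
}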

nginx 相关优化及增加模块自行到github 对应仓库查看说明文档 nginx http3 编译
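# Reference: https://quic.nginx.org/readme.html
# NOTE(review): "tip" is a moving snapshot of the nginx-quic development
# branch, downloaded without any integrity check, so the build is neither
# reproducible nor verified. QUIC/HTTP3 support was later merged into mainline
# nginx (1.25.0 and newer, where the listen parameter is "quic"); prefer a
# signed mainline release over this archive.
wget https://hg.nginx.org/nginx-quic/archive/tip.zip
unzip tip.zip
# Unpacking creates nginx-quic-<revision>; the revision was 55359b950132 when
# the author ran this.
cd nginx-quic-55359b950132

# NOTE(review): --with-debug compiles in debug logging; if debug-level logs
# are enabled they become very detailed, so keep it out of production builds
# unless it is needed. The page passed the same --with-ld-opt value twice; it
# is given once here.
./auto/configure \
  --prefix=/usr/share/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --http-log-path=/var/log/nginx/access.log \
  --error-log-path=/var/log/nginx/error.log \
  --lock-path=/var/lock/nginx.lock \
  --pid-path=/run/nginx.pid \
  --modules-path=/usr/lib/nginx/modules \
  --http-client-body-temp-path=/var/lib/nginx/body \
  --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
  --http-proxy-temp-path=/var/lib/nginx/proxy \
  --http-scgi-temp-path=/var/lib/nginx/scgi \
  --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
  --with-compat \
  --with-debug \
  --with-pcre-jit \
  --with-http_ssl_module \
  --with-http_stub_status_module \
  --with-http_realip_module \
  --with-http_auth_request_module \
  --with-http_v2_module \
  --with-http_dav_module \
  --with-http_slice_module \
  --with-threads \
  --with-http_addition_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_sub_module \
  --with-stream \
  --with-http_v3_module \
  --with-cc-opt="-I../boringssl/include" \
  --with-stream_quic_module \
  --with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto"

# Build
make -j4
# Install
make install

# Reference virtual-host configuration. It is only printed here; merge it into
# the nginx configuration by hand. Block braces and the single quotes around
# the Alt-Svc value were lost on the page and are restored.
cat <<'NGINX_CONF'
server {
    listen       80;
    server_name  xx.xxx.com;
    root /usr/share/nginx/html;
    index  index.html index.htm;
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}

server {
    listen 443 http3;
    listen 443 ssl http2;
    server_name  xx.xxx.com;
    # Keep the private key readable by root only.
    ssl_certificate /apps/nginx/sslkey/xxx.com/fullchain.crt;
    ssl_certificate_key /apps/nginx/sslkey/xxx.com/private.key;
    ssl_prefer_server_ciphers on;
    keepalive_timeout 60;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # NOTE(review): TLS 1.3 early data (0-RTT) can be replayed by an attacker.
    # Enable it only if every request that may arrive as early data is
    # idempotent, and have backends check the Early-Data header set below.
    ssl_early_data on;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ecdh_curve X25519:P-256:P-384;
    # NOTE(review): the two *-AES128-SHA256 entries are CBC-mode suites; drop
    # them unless a client that lacks AEAD suites must be supported.
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256;
    proxy_set_header Early-Data $ssl_early_data;
    add_header Alt-Svc 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"';
    # NOTE(review): includeSubDomains plus preload commits every subdomain to
    # HTTPS for two years and is slow to undo; confirm all subdomains serve
    # valid HTTPS before sending this header.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    root /usr/share/nginx/html;
    index  index.html index.htm;
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}
NGINX_CONF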

