In this guide we will help you build the latest stable version of nginx from source for use with Let's Encrypt. The guide is primarily aimed at users who run nginx on ARM devices such as the Raspberry Pi, running Minibian or Raspbian (which is based on Debian 8). For x64/x86 CPU architectures nginx provides the latest version in its own repository for both Ubuntu and Debian, but unfortunately it does not provide builds for ARM devices. We created a script that builds the latest stable nginx and gives you a default configuration to start from when creating your own reverse proxy with Let's Encrypt certificates and hardened security.
Why Build nginx from Source?
As usual, the Debian repository is heavily outdated, and up-to-date versions of some software are not available for ARM-based devices. The best way is to build nginx from source. This ensures compatibility with the latest requirements and features while addressing known vulnerabilities. By building nginx from source using our script, you can ensure that you will have:
- Latest stable version of nginx
- Full compatibility with the latest security standards supported by nginx (like HTTP/2, required for a hardened nginx configuration)
- An up-to-date version that includes all the known fixes for discovered security vulnerabilities, as well as bug fixes
- Full WebDAV support in the version built by our script, required for ownCloud or any other WebDAV use
- The same configuration as if you were installing from the official repository (root location, conf files replaced)
Build nginx for Raspberry Pi for Let's Encrypt
We did our best to find the proper balance between automating the build process with the script and keeping version control in the hands of the user. By version control I mean that you can set the version of nginx (and OpenSSL, zlib, PCRE) in the script. I recommend using the latest stable version of nginx, unless you have a specific reason to go with mainline.
Prepare the System for Build Process
In order to use the script, you will first need to add the Debian contrib and non-free components to your apt sources. You will need to be root or have root privileges (in this guide we will assume that you are root). If you are not root, then enter
su
followed by your password.
Now add the following to your apt sources
echo "deb http://httpredir.debian.org/debian jessie main contrib non-free" >> /etc/apt/sources.list.d/deb-contribnonfree.list
echo "deb-src http://httpredir.debian.org/debian jessie main contrib non-free" >> /etc/apt/sources.list.d/deb-contribnonfree.list
echo "deb http://httpredir.debian.org/debian jessie-updates main contrib non-free" >> /etc/apt/sources.list.d/deb-contribnonfree.list
echo "deb-src http://httpredir.debian.org/debian jessie-updates main contrib non-free" >> /etc/apt/sources.list.d/deb-contribnonfree.list
Both Minibian and Raspbian will require the public key, so proceed with
apt-get install debian-keyring -y
Now run an update
apt-get update
If everything went fine, then you have the correct keys. If you receive a GPG error that a public key is not available, then you will need to install the archive keyring too
apt-get install debian-archive-keyring -y
Remove Previous nginx Version
I recommend using the script on a system where nginx from the repository is not installed. If you already have nginx installed, it is best to remove it.
Important: if you have configuration files you want to keep, make sure you back them up (default location /etc/nginx/sites-available/)
You only need to do this step if you have nginx already installed from the repository, otherwise on a clean system just skip this step.
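To completely remove nginx installed from the Debian repository, run the following (the pattern is quoted so that the shell passes it to apt-get instead of expanding it against files in the current directory):
apt-get purge 'nginx*' -y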
Get the nginx Build Script
The script and the default configuration files are located at the HTPC Guides GitHub repository. Feel free to check the script and the configuration files. The script you need is called build_nginx.sh, and each line has a description. The script will do the following:
- Install the required build dependencies
- Download the latest version of nginx (1.10.2), OpenSSL (1.1.0c), zlib, and PCRE library (8.40)
- Create the required nginx directories
- Configure nginx to be built with the required modules, using static OpenSSL, including the external module dav-ext-module required for full WebDAV support
- Create the required default configuration files and set the correct permissions
- Create the default root at /var/www/html/ with the default nginx index.html
- Create the systemd unit file for nginx (nginx.service), enable the service, and start the service
Note: using this script, nginx needs to be built with static OpenSSL, and the version needs to be higher than OpenSSL 1.0.2. Version 1.0.2 and below requires the make depend command whenever configuration options change, which is not supported by nginx directly. If for some reason you need to use the LTS version of OpenSSL, then you will need to modify the script and build OpenSSL separately.
Update: we changed the way the latest version of the zlib source code is downloaded. The script will now always download the latest version of the zlib source, so there is no need to update the version number.
If you don't have wget installed, just install with
apt-get install wget -y
Download the build_nginx.sh script
wget https://raw.githubusercontent.com/HTPCGuides/nginx_configurations/master/build_nginx.sh
Set the script executable
chmod +x build_nginx.sh
and still as root, run the script
./build_nginx.sh
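The steps above fetch build_nginx.sh from the master branch and run it as root, so the file can change between the copy you read and the copy you execute. The following added example (not part of the HTPC Guides repository) runs the script only if it matches a SHA-256 digest you recorded after reviewing it; the function names are hypothetical and EXPECTED_SHA256 is a placeholder you fill in yourself.

```shell
#!/bin/sh
# Added example, not code from the guide or its repository.
# Placeholder: replace with the digest of the copy you actually reviewed.
EXPECTED_SHA256="<sha256-of-the-copy-you-reviewed>"

# Print the hex SHA-256 digest of a file.
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# Return 0 only if the file exists and its digest equals the expected value.
script_matches() {
    file="$1"; expected="$2"
    [ -f "$file" ] || return 2
    actual=$(file_sha256 "$file") || return 2
    [ "$actual" = "$expected" ]
}

# Execute the script only when it matches the reviewed digest.
# Assumption: the script is run with bash.
run_if_reviewed() {
    file="$1"; expected="$2"
    if script_matches "$file" "$expected"; then
        bash "$file"
    else
        echo "refusing to run $file: digest does not match reviewed copy" >&2
        return 1
    fi
}

# Usage (as root):
#   wget https://raw.githubusercontent.com/HTPCGuides/nginx_configurations/master/build_nginx.sh
#   less build_nginx.sh            # read it, then record: sha256sum build_nginx.sh
#   run_if_reviewed build_nginx.sh "$EXPECTED_SHA256"
```

On later rebuilds a digest mismatch tells you the upstream script changed and needs to be read again before it runs as root.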
The script will start the build process. If any errors occur, the script will exit, and you should note the error message. The whole build process should take around 20 minutes on a Raspberry Pi 2B. If everything completed successfully, then you will have the latest stable nginx running.
Note: we configured nginx to be run by user and group www-data
Open a web browser and enter the IP address of the device where you built nginx. You should see the default nginx welcome message.
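The welcome page only shows that nginx is serving; it does not show that the binary was built with the features listed earlier. The following added example (not from the guide or its repository) checks the output of nginx -V for HTTP/2, WebDAV with the dav-ext module, and an OpenSSL newer than 1.0.2. The sample output is constructed, the function names are hypothetical, and it is an assumption that the script passes nginx's standard --with-http_v2_module and --with-http_dav_module options.

```shell
#!/bin/sh
# Added example. Constructed sample of `nginx -V` output (nginx prints it on stderr).
SAMPLE_NGINX_V='nginx version: nginx/1.10.2
built with OpenSSL 1.1.0c  10 Nov 2016
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_v2_module --with-http_dav_module --with-openssl=../openssl-1.1.0c --add-module=../nginx-dav-ext-module'

# Extract the OpenSSL version nginx was built with, e.g. "1.1.0c".
built_openssl() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'
}

# Succeed only if the version is newer than the 1.0.2 series.
openssl_newer_than_102() {
    case "$1" in
        ''|0.*|1.0.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Echo each missing requirement; return non-zero if any is missing.
check_build() {
    out="$1"; missing=""
    args=$(printf '%s\n' "$out" | sed -n 's/^configure arguments: //p')
    # Assumed flag names: nginx's standard configure options.
    for flag in --with-http_v2_module --with-http_dav_module; do
        case " $args " in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    case "$args" in
        *--add-module=*dav-ext-module*) ;;
        *) missing="$missing dav-ext-module" ;;
    esac
    openssl_newer_than_102 "$(built_openssl "$out")" || missing="$missing openssl>1.0.2"
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# Usage on the device: check_build "$(nginx -V 2>&1)"
```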
Congratulations, you have successfully built the latest stable nginx. You can now proceed with the Secure nginx Reverse Proxy with Let’s Encrypt on Ubuntu 16.04 LTS guide, leaving out the step that installs nginx from the Ubuntu PPA.