Merge pull request #155 from VirtuBox/dev

Update Nginx stable and few improvements

Author: VirtuBox

CHANGELOG.md

@@ -6,6 +6,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ## [Unreleased] - XX-XX-XX
 
+## [3.8.1] - 2024-04-24
+
+### Changed
+
+- Nginx stable release bumped to 1.26.0
+- HTTP/3 now available on both mainline and stable release
+- Always download latest zlib library if zlib-cf not supported
+- Always download the latest libressl release
+- HTTP/2 HPACK removed
+
 ## [3.8.0] - 2024-04-23
 
 ### Added

README.md

@@ -7,7 +7,7 @@
 </h1>
 
 <h4 align="center">
-Automated Nginx compilation from sources with additional modules support
+Automated Nginx compilation from sources with HTTP/3 QUIC and additional modules support
 </h4>
 
 ---
@@ -45,7 +45,7 @@ Automated Nginx compilation from sources with additional modules support
 * Nginx built-in modules selection
 * Nginx Third-party modules selection
 * Dynamic modules support
-* HTTP/3 QUIC Support with Mainline Release
+* HTTP/3 QUIC Support
 * Brotli Support
 * TLS v1.3 support
 * OpenSSL or LibreSSL
@@ -59,7 +59,7 @@ Automated Nginx compilation from sources with additional modules support
 ## Additional Third-party modules
 
 Nginx current mainline release : **v1.25.5** with HTTP/3 QUIC
-Nginx current stable release : **v1.24.0** with Cloudflare HTTP/2 HPACK
+Nginx current stable release : **v1.26.0** with HTTP/3 QUIC
 
 * [ngx_cache_purge](https://github.com/FRiCKLE/ngx_cache_purge)
 * [headers-more-nginx-module](https://github.com/openresty/headers-more-nginx-module)
@@ -121,7 +121,7 @@ Optional modules :
 
 ### HTTP/3 QUIC
 
-**Full support of HTTP/3 QUIC is only available with Nginx mainline release and compiled with LibreSSL**. More information [here](https://nginx.org/en/docs/http/ngx_http_v3_module.html).
+**Full support of HTTP/3 QUIC is only available with LibreSSL**. More information [here](https://nginx.org/en/docs/http/ngx_http_v3_module.html).
 
 ---
 
@@ -158,7 +158,7 @@ bash <(wget -O - vtb.cx/nginx-ee || curl -sL vtb.cx/nginx-ee) --interactive
 
 ### Custom installation
 
-Example : Nginx stable release HTTP/2 with naxsi
+Example : Nginx stable release HTTP/3 with naxsi
 
 ```bash
 bash <(wget -O - vtb.cx/nginx-ee || curl -sL vtb.cx/nginx-ee) --stable --naxsi
@@ -168,7 +168,7 @@ bash <(wget -O - vtb.cx/nginx-ee || curl -sL vtb.cx/nginx-ee) --stable --naxsi
 
 Nginx build options :
 
-* `--stable` : compile Nginx stable release with HTTP/2
+* `--stable` : compile Nginx stable release with HTTP/3
 * `--full` : Naxsi + RTMP
 * `--dynamic` : Compile Nginx modules as dynamic modules
 * `--noconf` : Compile Nginx without any configuring. Useful when you use devops tools like ansible.

docs/index.md

@@ -42,7 +42,7 @@ Automated Nginx compilation from sources with additional modules support
 <li>Nginx built-in modules selection</li>
 <li>Nginx Third-party modules selection</li>
 <li>Dynamic modules support</li>
-<li>HTTP/3 QUIC Support with Mainline Release</li>
+<li>HTTP/3 QUIC Support</li>
 <li>Brotli Support</li>
 <li>TLS v1.3 support (Final)</li>
 <li>OpenSSL or LibreSSL</li>
@@ -52,8 +52,8 @@ Automated Nginx compilation from sources with additional modules support
 </ul>
 <hr />
 <h2 id="additional-third-party-modules">Additional Third-party modules</h2>
-<p>Nginx current mainline release : <strong>v1.25.5</strong> with HTTP/3 QUIC
-Nginx current stable release : <strong>v1.24.0</strong></p> with Cloudflare HTTP/2 HPACK
+<p>Nginx current mainline release : <strong>v1.25.5</strong> with HTTP/3 QUIC</p>
+<p>Nginx current stable release : <strong>v1.26.0</strong> with HTTP/3 QUIC</p>
 <ul>
 <li><a href="https://github.com/FRiCKLE/ngx_cache_purge">ngx_cache_purge</a></li>
 <li><a href="https://github.com/openresty/headers-more-nginx-module">headers-more-nginx-module</a></li>
@@ -109,7 +109,7 @@ Nginx current stable release : <strong>v1.24.0</strong></p> with Cloudflare HTTP
 <li>18.x (Obsidian)</li>
 </ul>
 <h3>### HTTP/3 QUIC</h3>
-<p><strong>Full support of HTTP/3 QUIC is only available with Nginx mainline release and compiled with LibreSSL**</strong>. More information [here](https://nginx.org/en/docs/http/ngx_http_v3_module.html).</p>
+<p><strong>Full support of HTTP/3 QUIC is only available with LibreSSL**</strong>. More information [here](https://nginx.org/en/docs/http/ngx_http_v3_module.html).</p>
 
 <hr />
 <h2 id="usage">Usage</h2>
@@ -133,7 +133,7 @@ sudo bash nginx-build.sh
 <pre><code class="language-bash">bash &lt;(wget -O - vtb.cx/nginx-ee || curl -sL vtb.cx/nginx-ee) --interactive
 </code></pre>
 <h3 id="custom-installation">Custom installation</h3>
-<p>Example : Nginx stable release with HTTP/2 HPACK with naxsi</p>
+<p>Example : Nginx stable release with HTTP/3 with naxsi</p>
 <pre><code class="language-bash">bash &lt;(wget -O - vtb.cx/nginx-ee || curl -sL vtb.cx/nginx-ee) --stable --naxsi
 </code></pre>
 <h4 id="options-available">Options available</h4>

etc/nginx/nginx.conf

@@ -36,7 +36,7 @@ http
 
     server_tokens off;
     reset_timedout_connection on;
-    add_header X-Powered-By "Nginx-ee v3.5.2 - Optimized by VirtuBox";
+    add_header X-Powered-By "Nginx-ee v3.8.1 - Optimized by VirtuBox";
     add_header rt-Fastcgi-Cache $upstream_cache_status;
 
     # Limit Request

nginx-build.sh

@@ -7,7 +7,7 @@
 # Copyright (c) 2019-2024 VirtuBox <[email protected]>
 # This script is licensed under M.I.T
 # -------------------------------------------------------------------------
-# Version 3.8.0 - 2024-04-23
+# Version 3.8.1 - 2024-04-24
 # -------------------------------------------------------------------------
 
 ##################################
@@ -26,7 +26,7 @@ _help() {
     echo " -------------------------------------------------------------------- "
     echo ""
     echo "Usage: ./nginx-ee <options> [modules]"
-    echo "By default, Nginx-ee will compile the latest Nginx mainline release with HTTP/3 and without Naxsi or RTMP module"
+    echo "By default, Nginx-ee will compile the latest Nginx mainline release without Naxsi or RTMP module"
     echo "  Options:"
     echo "       -h, --help ..... display this help"
     echo "       -i, --interactive ....... interactive installation"
@@ -138,8 +138,8 @@ fi
 DIR_SRC="/usr/local/src"
 NGINX_EE_VER=$(curl -m 5 --retry 3 -sL https://api.github.com/repos/VirtuBox/nginx-ee/releases/latest 2>&1 | jq -r '.tag_name')
 NGINX_MAINLINE="$(curl -sL https://nginx.org/en/download.html 2>&1 | grep -E -o 'nginx\-[0-9.]+\.tar[.a-z]*' | awk -F "nginx-" '/.tar.gz$/ {print $2}' | sed -e 's|.tar.gz||g' | head -n 1 2>&1)"
-NGINX_STABLE="$(curl -sL https://nginx.org/en/download.html 2>&1 | grep -E -o 'nginx\-[0-9.]+\.tar[.a-z]*' | awk -F "nginx-" '/.tar.gz$/ {print $2}' | sed -e 's|.tar.gz||g' | head -n 2 | grep 1.24 2>&1)"
-LIBRESSL_VER="3.8.4"
+NGINX_STABLE="$(curl -sL https://nginx.org/en/download.html 2>&1 | grep -E -o 'nginx\-[0-9.]+\.tar[.a-z]*' | awk -F "nginx-" '/.tar.gz$/ {print $2}' | sed -e 's|.tar.gz||g' | head -n 2 | grep 1.26 2>&1)"
+LIBRESSL_VER="$(curl https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ 2>&1 | grep -E -o 'libressl\-[0-9.]+\.tar[.a-z]*' | awk -F "libressl-" '/.tar.gz$/ {print $2}' | sed -e 's|.tar.gz||g' | sort -r | head -n 1)"
 if command_exists openssl; then
     OPENSSL_BIN_VER=$(openssl version)
     OPENSSL_VER=${OPENSSL_BIN_VER:0:15}
@@ -150,7 +150,6 @@ TLS13_CIPHERS="TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+CHAC
 readonly OS_ARCH="$(uname -m)"
 OS_DISTRO_FULL="$(lsb_release -ds)"
 readonly DISTRO_ID="$(lsb_release -si)"
-readonly DISTRO_CODENAME="$(lsb_release -sc)"
 
 # Colors
 CSI='\033['
@@ -206,9 +205,7 @@ if [ "$INTERACTIVE_SETUP" = "1" ]; then
     while [[ "$SSL_LIB_CHOICE" != "1" && "$SSL_LIB_CHOICE" != "2" ]]; do
         echo -e "Select an option [1-2]: " && read -r SSL_LIB_CHOICE
     done
-    if [ "$SSL_LIB_CHOICE" = "1" ]; then
-        OPENSSL_LIB=3
-    else
+    if [ "$SSL_LIB_CHOICE" = "2" ]; then
         LIBRESSL="y"
     fi
     echo -e '\nDo you want NAXSI WAF (still experimental)? (y/n)'
@@ -236,11 +233,9 @@ fi
 
 if [ "$NGINX_RELEASE" = "2" ]; then
     NGINX_VER="$NGINX_STABLE"
-    NGX_HPACK="--with-http_v2_hpack_enc"
-    NGX_QUIC=""
+    NGX_QUIC="--with-http_v3_module"
 else
     NGINX_VER="$NGINX_MAINLINE"
-    NGX_HPACK=""
     NGX_QUIC="--with-http_v3_module"
 fi
 
@@ -285,7 +280,6 @@ else
             OPENSSL_OPT="enable-tls1_3"
         fi
     fi
-    QUIC_VALID="NO"
     NGX_SSL_LIB=""
     OPENSSL_VALID="from system"
     LIBSSL_DEV="libssl-dev"
@@ -323,20 +317,13 @@ echo ""
 echo -e "  - Nginx release : $NGINX_VER"
 [ -n "$OPENSSL_VALID" ] && {
     echo -e "  - OPENSSL : $OPENSSL_VER"
-    if [ "$NGINX_RELEASE" = "2" ]; then
-        echo -e "  - HTTP/2 HPACK : YES"
-    else
-        echo -e "  - with HTTP/3 : YES"
-    fi
+    echo -e "  - with HTTP/3 : YES"
 
 }
 [ -n "$LIBRESSL_VALID" ] && {
     echo -e "  - LIBRESSL : $LIBRESSL_VALID"
-    if [ "$NGINX_RELEASE" = "2" ]; then
-        echo -e "  - HTTP/2 HPACK : YES"
-    else
-        echo -e "  - HTTP/3 QUIC : YES"
-    fi
+    echo -e "  - HTTP/3 QUIC : YES"
+
 }
 echo "  - Dynamic modules $DYNAMIC_MODULES_VALID"
 echo "  - Naxsi : $NAXSI_VALID"
@@ -471,10 +458,8 @@ _dynamic_setup() {
 }
 
 ##################################
-# Install gcc7 or gcc8 from PPA
+# Install gcc
 ##################################
-# gcc7 if Nginx is compiled with RTMP module
-# otherwise gcc8 is used
 
 _gcc_setup() {
     echo -ne '       Installing gcc                         [..]\r'
@@ -529,12 +514,12 @@ _download_modules() {
     echo -ne '       Downloading additionals modules        [..]\r'
     if {
         echo "### downloading additionals modules ###"
-        MODULES='FRiCKLE/ngx_cache_purge openresty/memc-nginx-module
+        MODULES='openresty/memc-nginx-module
         simpl/ngx_devel_kit openresty/headers-more-nginx-module
         openresty/echo-nginx-module yaoweibin/ngx_http_substitutions_filter_module
         openresty/redis2-nginx-module openresty/srcache-nginx-module
         openresty/set-misc-nginx-module sto/ngx_http_auth_pam_module
-        vozlt/nginx-module-vts centminmod/ngx_http_redis'
+        vozlt/nginx-module-vts centminmod/ngx_http_redis nginx-modules/ngx_cache_purge'
         for MODULE in $MODULES; do
             _gitget "$MODULE"
         done
@@ -589,9 +574,9 @@ _download_zlib() {
             echo "### configure zlib-cf ###"
             ./configure --prefix=/usr/local/zlib-cf
         else
-            echo "### downloading zlib 1.2.13 ###"
+            echo "### downloading zlib latest ###"
             rm -rf zlib
-            curl -sL http://zlib.net/zlib-1.2.13.tar.gz | /bin/tar zxf - -C "$DIR_SRC"
+            curl -sL http://zlib.net/current/zlib.tar.gz | /bin/tar zxf - -C "$DIR_SRC"
             mv zlib-1.2.13 zlib
         fi
 
@@ -633,67 +618,6 @@ _download_brotli() {
 
 }
 
-##################################
-# Download and patch OpenSSL
-##################################
-
-_download_openssl_dev() {
-
-    cd "$DIR_SRC" || exit 1
-    if {
-        echo -ne '       Downloading openssl                    [..]\r'
-
-        {
-            if [ -d /usr/local/src/openssl ]; then
-                if [ ! -d /usr/local/src/openssl/.git ]; then
-                    echo "### removing openssl extracted archive ###"
-                    rm -rf /usr/local/src/openssl
-                    echo "### cloning openssl ###"
-                    git clone --depth=50 https://github.com/openssl/openssl.git /usr/local/src/openssl
-                    cd /usr/local/src/openssl || exit 1
-                    echo "### git checkout commit ###"
-                    #git checkout $OPENSSL_COMMIT
-                else
-                    cd /usr/local/src/openssl || exit 1
-                    echo "### reset openssl to master and clean patches ###"
-                    git fetch --all
-                    git reset --hard origin/master
-                    git clean -f
-                    #git checkout $OPENSSL_COMMIT
-                fi
-            else
-                echo "### cloning openssl ###"
-                git clone --depth=50 https://github.com/openssl/openssl.git /usr/local/src/openssl
-                cd /usr/local/src/openssl || exit 1
-                echo "### git checkout commit ###"
-                #git checkout $OPENSSL_COMMIT
-            fi
-        } >>/tmp/nginx-ee.log 2>&1
-
-        {
-            if [ -d /usr/local/src/openssl-patch/.git ]; then
-                cd /usr/local/src/openssl-patch || exit 1
-                git pull origin master
-            else
-                git clone --depth=50 https://github.com/VirtuBox/openssl-patch.git /usr/local/src/openssl-patch
-            fi
-            cd /usr/local/src/openssl || exit 1
-            # apply openssl ciphers patch
-            echo "### openssl ciphers patch ###"
-            #patch -p1 <../openssl-patch/openssl-equal-3.0.0-dev_ciphers.patch
-        } >>/tmp/nginx-ee.log 2>&1
-
-    }; then
-        echo -ne "       Downloading openssl                    [${CGREEN}OK${CEND}]\\r"
-        echo -ne '\n'
-    else
-        echo -e "       Downloading openssl      [${CRED}FAIL${CEND}]"
-        echo -e '\n      Please look at /tmp/nginx-ee.log\n'
-        exit 1
-    fi
-
-}
-
 ##################################
 # Download LibreSSL
 ##################################
@@ -706,8 +630,8 @@ _download_libressl() {
 
         {
             rm -rf /usr/local/src/libressl
-            curl -sL http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${LIBRESSL_VER}.tar.gz | /bin/tar xzf - -C "$DIR_SRC"
-            mv /usr/local/src/libressl-${LIBRESSL_VER} /usr/local/src/libressl
+            curl -sL "http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-$LIBRESSL_VER.tar.gz" | /bin/tar xzf - -C "$DIR_SRC"
+            mv "/usr/local/src/libressl-$LIBRESSL_VER" /usr/local/src/libressl
         } >>/tmp/nginx-ee.log 2>&1
 
     }; then
@@ -789,12 +713,7 @@ _patch_nginx() {
         echo -ne '       Applying nginx patches                 [..]\r'
 
         {
-            if [ "$NGINX_RELEASE" = "2" ]; then
-                curl -sL https://raw.githubusercontent.com/kn007/patch/master/nginx_for_1.23.4.patch | patch -p1
-            else
-                curl -sL https://raw.githubusercontent.com/kn007/patch/master/nginx_dynamic_tls_records.patch | patch -p1
-            fi
-            #curl -sL https://raw.githubusercontent.com/kn007/patch/master/nginx_auto_using_PRIORITIZE_CHACHA.patch | patch -p1
+            curl -sL https://raw.githubusercontent.com/kn007/patch/master/nginx_dynamic_tls_records.patch | patch -p1
         } >>/tmp/nginx-ee.log 2>&1
 
     }; then
@@ -897,7 +816,6 @@ _configure_nginx() {
                     $NGX_USER \
                     --with-file-aio \
                     --with-threads \
-                    $NGX_HPACK \
                     $NGX_QUIC \
                     --with-http_v2_module \
                     --with-http_ssl_module \
@@ -1125,13 +1043,7 @@ fi
 if [ "$LIBRESSL" = "y" ]; then
     _download_libressl
 else
-    if [ "$OPENSSL_LIB" = "2" ]; then
-        _download_openssl_dev
-    elif [ "$OPENSSL_LIB" = "3" ]; then
-        sleep 1
-    else
-        sleep 1
-    fi
+    sleep 1
 fi
 _download_nginx
 _patch_nginx