
Re: Deploying newly compiled nginx from test server to production

June 15, 2015 11:59PM
Thanks ryd994.

I eventually built the RPM OK.

I am attempting to build a stripped down nginx RPM with minimal modules, but also with modsec. I found a suggested config at -

https://www.digitalocean.com/community/tutorials/how-to-compile-nginx-from-source-on-a-centos-6-4-x64-vps

./configure \
--user=nginx \
--group=nginx \
--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-pcre \
--with-file-aio \
--with-http_realip_module \
--without-http_scgi_module \
--without-http_uwsgi_module \
--without-http_fastcgi_module


I was able to build the RPM with the following in the nginx.spec file -

%build
./configure \
--prefix=%{_sysconfdir}/nginx \
--sbin-path=%{_sbindir}/nginx \
--conf-path=%{_sysconfdir}/nginx/nginx.conf \
--error-log-path=%{_localstatedir}/log/nginx/error.log \
--http-log-path=%{_localstatedir}/log/nginx/access.log \
--pid-path=%{_localstatedir}/run/nginx.pid \
--lock-path=%{_localstatedir}/run/nginx.lock \
--user=%{nginx_user} \
--group=%{nginx_group} \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-pcre \
--with-file-aio \
--with-http_realip_module \
--without-http_scgi_module \
--without-http_uwsgi_module \
--without-http_fastcgi_module \
%{?with_spdy:--with-http_spdy_module} \
--with-cc-opt="%{optflags} $(pcre-config --cflags)" \
--add-module=%{_builddir}/%{name}-%{version}/modsecurity-2.9.0/nginx/modsecurity \
$*


I am unsure about a couple of lines at the bottom -

%{?with_spdy:--with-http_spdy_module} \
--with-cc-opt="%{optflags} $(pcre-config --cflags)" \


The RPM installs fine (apr-devel rpm dependency).

Version outputs the following -

nginx -V
nginx version: nginx/1.8.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --with-http_gzip_static_module --with-http_stub_status_module --with-http_ssl_module --with-pcre --with-file-aio --with-http_realip_module --without-http_scgi_module --without-http_uwsgi_module --without-http_fastcgi_module --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=/home/test/rpmbuild/BUILD/nginx-1.8.0/modsecurity-2.9.0/nginx/modsecurity


Basically I want a minimal nginx install to serve static files over SSL. Might you have any suggestions to improve this?


I also found a separate issue which I discovered when modsec is compiled -

"configure: WARNING: APR util was not compiled with crypto support. SecRemoteRule will not support the parameter 'crypto'"

Basically the rhel6 apr-devel rpm does not have crypto support. Trying to determine what the ramifications are here.
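
An added example, not part of the original post and not nginx project code: it parses the `nginx -V` output quoted in the post into enabled, disabled and third-party modules, and checks the compiler and linker options for hardening flags. The helper name `audit` and the hardening checklist are this example's own assumptions.

```python
import shlex

# `nginx -V 2>&1` output from the post above, abridged: the path options
# (--prefix, --sbin-path, ...) are omitted, everything else is as posted.
NGINX_V = (
    "nginx version: nginx/1.8.0\n"
    "configure arguments: --user=nginx --group=nginx"
    " --with-http_gzip_static_module --with-http_stub_status_module"
    " --with-http_ssl_module --with-pcre --with-file-aio"
    " --with-http_realip_module --without-http_scgi_module"
    " --without-http_uwsgi_module --without-http_fastcgi_module"
    " --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wall"
    " -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector"
    " --param=ssp-buffer-size=4 -m64 -mtune=generic'"
    " --add-module=/home/test/rpmbuild/BUILD/nginx-1.8.0"
    "/modsecurity-2.9.0/nginx/modsecurity\n"
)

# Hardening flags to look for; this checklist is the example's own choice.
CHECKS = {
    "fortify_source": ("--with-cc-opt", "_FORTIFY_SOURCE=2"),
    "stack_protector": ("--with-cc-opt", "-fstack-protector"),
    "pie": ("--with-cc-opt", "-fPIE"),
    "relro": ("--with-ld-opt", "-z,relro"),
}

def audit(nginx_v):
    """Classify configure arguments from `nginx -V` text (hypothetical helper)."""
    line = next(l for l in nginx_v.splitlines()
                if l.startswith("configure arguments:"))
    report = {"enabled": [], "disabled": [], "third_party": []}
    opts = {}
    # shlex keeps the quoted --with-cc-opt value together as one argument.
    for arg in shlex.split(line.split(":", 1)[1]):
        key, _, value = arg.partition("=")
        if key == "--add-module":
            report["third_party"].append(value)
        elif key.startswith("--without-") and key.endswith("_module"):
            report["disabled"].append(key[len("--without-"):])
        elif key.startswith("--with-") and key.endswith("_module"):
            report["enabled"].append(key[len("--with-"):])
        else:
            opts[key] = value  # --user, --with-cc-opt, --with-pcre, ...
    report["hardening"] = {name: flag in opts.get(opt, "")
                           for name, (opt, flag) in CHECKS.items()}
    return report

if __name__ == "__main__":
    for section, result in audit(NGINX_V).items():
        print(section, "->", result)
```

On a live host, feed it `nginx -V 2>&1`, since nginx writes the version information to stderr.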
Subject Author Posted

Deploying newly compiled nginx from test server to production

ajjH6 June 15, 2015 05:59AM

Re: Deploying newly compiled nginx from test server to production

ryd994 June 15, 2015 08:40AM

Re: Deploying newly compiled nginx from test server to production

ajjH6 June 15, 2015 11:59PM

Re: Deploying newly compiled nginx from test server to production

ryd994 June 16, 2015 11:56AM


