Compiling Nginx on Debian and Ubuntu

Most of the time, there is no need to compile Nginx manually as Debian and Ubuntu provide several packages being compiled with a different set of modules (for details, see : Nginx packages in Debian stable). However, when performing more specific testing tasks, I sometimes need an exact particular version and have to compile it manually.

So here are the required steps to build Nginx with SSL and SPDY modules enabled.

Installing development packages :

apt-get install build-essential libpcre3-dev libssl-dev zlib1g-dev

Compiling Nginx :

wget http://nginx.org/download/nginx-1.6.1.tar.gz
tar xvfz nginx-1.6.1.tar.gz
cd nginx-1.6.1
./configure --with-http_ssl_module --with-http_spdy_module
make && make install

Checking compile time options :

nginx -V
nginx version: nginx/1.6.1
built by gcc 4.7.2 (Debian 4.7.2-5)
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_spdy_module

Lastly, here is a guide on how to compile Nginx on FreeBSD.

NetBSD ASCII logos

Since I’ve been more and more interested about NetBSD lately, I decided to draw some ASCII logos to be used as MOTD and/or as /etc/issue. So here are the two variants I came up with, rendered with Amiga Topaz font.

Feel free to use them on your systems, and change the NetBSD port in the information boxes accordingly. I currently use mainly NetBSD/evbarm, so the logos reflect that.

The files can be downloaded here and here. Enjoy.

NetBSD ASCII Logo - One-line variant

NetBSD ASCII Logo - Box variant

Cross building NetBSD on Linux

Known for its portability, it might come at no surprise that NetBSD (and pkgsrc as well) is also easy to cross build on other platforms and even other hosts. Building NetBSD on Linux can be very conveniant, as it’s far easier to get access to high-performance Linux powered machines than to NetBSD ones. So let’s go through the process and build a NetBSD/amd64 release on a Debian host, using an unprivileged user account.

First, we will need to install some development packages on the host machine :

apt-get install build-essential zlib1g-dev flex

Then, we can download and extract source sets for the NetBSD version we want to build. At the time of writing, latest NetBSD release is 6.1.4 :

wget ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-6.1.4/source/sets/gnusrc.tgz
wget ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-6.1.4/source/sets/sharesrc.tgz
wget ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-6.1.4/source/sets/src.tgz 
wget ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-6.1.4/source/sets/syssrc.tgz

for file in *.tgz
do
	tar xfz $file
done

We can now build the cross compiler :

cd usr/src
./build.sh -U -u -m amd64 tools

Compilation results :

===> Summary of results:
	 build.sh command:    ./build.sh -U -u -m amd64 tools
	 build.sh started:    Thu Aug 28 21:49:19 UTC 2014
	 NetBSD version:      6.1.4
	 MACHINE:             amd64
	 MACHINE_ARCH:        x86_64
	 Build platform:      Linux 3.2.0-4-amd64 x86_64
	 HOST_SH:             /bin/sh
	 No $TOOLDIR/bin/nbmake, needs building.
	 Bootstrapping nbmake
	 TOOLDIR path:        /home/admin/usr/src/obj/tooldir.Linux-3.2.0-4-amd64-x86_64
	 DESTDIR path:        /home/admin/usr/src/obj/destdir.amd64
	 RELEASEDIR path:     /home/admin/usr/src/obj/releasedir
	 Created /home/admin/usr/src/obj/tooldir.Linux-3.2.0-4-amd64-x86_64/bin/nbmake
	 Updated makewrapper: /home/admin/usr/src/obj/tooldir.Linux-3.2.0-4-amd64-x86_64/bin/nbmake-amd64
	 Tools built to /home/admin/usr/src/obj/tooldir.Linux-3.2.0-4-amd64-x86_64
	 build.sh ended:      Thu Aug 28 21:56:48 UTC 2014

Here is more information about configuration options used in those examples :

-U             Set MKUNPRIVED=yes; build without requiring root privileges,
               install from an UNPRIVED build with proper file permissions.
-u             Set MKUPDATE=yes; do not run "make cleandir" first.
               Without this, everything is rebuilt, including the tools.
-m mach        Set MACHINE to mach; not required if NetBSD native.

Once our toolchain is ready, we can now build NetBSD itself :

./build.sh -U -u -m amd64 release

Compilation results :

===> Summary of results:
         build.sh command:    ./build.sh -U -u -m amd64 release
         build.sh started:    Thu Aug 28 21:57:54 UTC 2014
         NetBSD version:      6.1.4
         MACHINE:             amd64
         MACHINE_ARCH:        x86_64
         Build platform:      Linux 3.2.0-4-amd64 x86_64
         HOST_SH:             /bin/sh
         TOOLDIR path:        /home/admin/usr/src/obj/tooldir.Linux-3.2.0-4-amd64-x86_64
         DESTDIR path:        /home/admin/usr/src/obj/destdir.amd64
         RELEASEDIR path:     /home/admin/usr/src/obj/releasedir
         Updated makewrapper: /home/admin/usr/src/obj/tooldir.Linux-3.2.0-4-amd64-x86_64/bin/nbmake-amd64
         Successful make release
         build.sh ended:      Thu Aug 28 23:21:28 UTC 2014

From there, building an ISO image takes only a few seconds :

./build.sh -U -u -m amd64 iso-image

We can now try to boot the resulting ISO image :

NetBSD Primary Bootstrap
NetBSD Installer

Unsurprisingly, it works as expected! Welcome to NetBSD :-)

Installing CA certificates on NetBSD

Using SSL-aware programs which expect a CA certificate path on NetBSD (such as cURL, Git or Wget) without installing CA certificates will result in the following SSL certificate error messages.

Please note that this also happens when using pkgsrc on other systems, and the same installation instructions can be used.

cURL error message :

curl https://www.netbsd.org
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Git error message :

git clone https://github.com/jsonn/pkgsrc.git
Cloning into 'pkgsrc'...
fatal: unable to access 'https://github.com/jsonn/pkgsrc.git/': SSL certificate problem: unable to get local issuer certificate

Wget error message :

wget https://www.netbsd.org
--2014-08-25 16:48:11--  https://www.netbsd.org/
Resolving www.netbsd.org (www.netbsd.org)... 149.20.53.86, 2001:4f8:3:7:14::25
Connecting to www.netbsd.org (www.netbsd.org)|149.20.53.86|:443... connected.
ERROR: cannot verify www.netbsd.org's certificate, issued by ‘/C=US/O=GeoTrust, Inc./CN=RapidSSL CA’:
  Self-signed certificate encountered.
To connect to www.netbsd.org insecurely, use `--no-check-certificate'.

In order to fix this issue, we need to install CA certificates distributed by the Mozilla Project (mozilla-rootcerts package), using either pkgsrc or pkgin :

Using pkgsrc :

cd /usr/pkgsrc/security/mozilla-rootcerts
make install clean clean-depends

Using pkgin :

pkgin install mozilla-rootcerts

We can then extract and rehash all CA root certificates :

mozilla-rootcerts install

The combined certificate file will be created in /etc/ssl/certs, and we can now connect safely to secure endpoints.

Nginx on FreeBSD

The purprose of this article is mostly to show how easy it is to compile and run custom builds of Nginx on FreeBSD, including third party modules which will be automatically fetched and built.

For a comprehensive list of compile time options and included modules for Debian and Ubuntu packages, check the following article : Nginx packages in Debian stable.

Installing Nginx via pkg :

pkg install nginx

By default, Nginx is compiled with the following options :

nginx version: nginx/1.6.0
TLS SNI support enabled
configure arguments:
--prefix=/usr/local/etc/nginx
--with-cc-opt='-I /usr/local/include'
--with-ld-opt='-L /usr/local/lib'
--conf-path=/usr/local/etc/nginx/nginx.conf
--sbin-path=/usr/local/sbin/nginx
--pid-path=/var/run/nginx.pid
--error-log-path=/var/log/nginx-error.log
--user=www
--group=www
--with-ipv6
--http-client-body-temp-path=/var/tmp/nginx/client_body_temp
--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp
--http-proxy-temp-path=/var/tmp/nginx/proxy_temp
--http-scgi-temp-path=/var/tmp/nginx/scgi_temp
--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp
--http-log-path=/var/log/nginx-access.log
--with-http_stub_status_module
--with-pcre
--with-http_ssl_module

Installing Nginx using the ports collection :

cd /usr/ports/www/nginx
make config

Below is a list of all available configuration options and third party modules, showing the Lua module highlighted and selected for compilation.

Nginx on FreeBSD

Once configured, we can launch installation and clean dependencies :

make install clean-depends

Starting Nginx :

After adding the nginx_enable directive in rc.conf :

echo 'nginx_enable="YES"' >> /etc/rc.conf

We can launch the server manually :

service nginx start

Nginx is now up and running and should be launched automatically at boot time.