Compiling ModSecurity in NGINX OSS - nginx

I am trying to compile ModSecurity for the Nginx OSS web server. I have followed all of the instructions from their "Quick Start Guide", but am running into an issue. After linking up the new module, the config test fails.
Error output from /var/log/nginx/error.log is:
2018/02/10 00:47:51 [emerg] 6026#6026: module "/usr/share/nginx/modules/ngx_http_modsecurity_module.so" is not binary compatible in /etc/nginx/modules-enabled/50-mod-http-modsecurity.conf:1
Originally the dynamic module was compiled with:
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
but this results in the error.
From what I've read, I need to compile the module with identical options as the existing Nginx instance.
I found the current options using nginx -V, and then re-ran the ./configure using all of the output options, but this gives the same error.
Can anyone point me down the right path here?
Thanks for any help.
UPDATE 10/29/18
It seems the original binary also needs to be compiled with the --with-compat flag. I have submitted a bug report on the issue that can be found here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897926
Maybe it can get some traction.

I had a similar issue. I was using Nginx 1.10.3 which is the default for Debian Stretch. This version does not seem to work with the latest Nginx ModSecurity connector.
I removed the default Nginx version and installed the latest stable Nginx from http://nginx.org/en/linux_packages.html. After that I was able to install and load the ModSecurity module for Nginx without problems. I followed this guide: https://www.linuxjournal.com/content/modsecurity-and-nginx for installing the ModSecurity module for Nginx.
The latest stable version of Nginx which is 1.14.2 supports the --with-compat flag. When compiling Nginx source code make sure to use the same compiler options that were used with your running Nginx. To find out which compile time options were used to build your currently running Nginx, run the command: nginx -V
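
A pre-flight check for the situation in this thread, added here as an example (not code from any of the posters or from the nginx project): it reads the text printed by nginx -V on the target host, confirms that the source tree version matches the running binary, and prints the ./configure line to use for the module build. The function names and the two sample nginx -V outputs are constructed for illustration.

```shell
#!/bin/sh
# Constructed samples of `nginx -V 2>&1` output (not taken from a real host).
SAMPLE_DISTRO='nginx version: nginx/1.10.3
built with OpenSSL 1.1.0 (constructed sample)
configure arguments: --prefix=/usr/share/nginx --with-http_ssl_module --with-threads'
SAMPLE_COMPAT='nginx version: nginx/1.14.2
configure arguments: --prefix=/etc/nginx --with-compat --with-http_ssl_module'

# Version of the running binary, e.g. 1.14.2
running_version() {
    printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*|\1|p'
}

# Configure arguments the running binary was built with
running_args() {
    printf '%s\n' "$1" | sed -n 's|^configure arguments: ||p'
}

# check_compat NGINX_V_OUTPUT SOURCE_TREE_VERSION
# Prints ok, version-mismatch or binary-lacks-with-compat.
check_compat() {
    if [ "$(running_version "$1")" != "$2" ]; then
        echo "version-mismatch"; return 1
    fi
    case " $(running_args "$1") " in
        *" --with-compat "*) echo "ok" ;;
        *) echo "binary-lacks-with-compat"; return 2 ;;
    esac
}

# module_configure_cmd NGINX_V_OUTPUT MODULE_DIR
# Prints the ./configure line to run in the matching source tree.
module_configure_cmd() {
    case " $(running_args "$1") " in
        *" --with-compat "*)
            echo "./configure --with-compat --add-dynamic-module=$2" ;;
        *)  # binary built without --with-compat: reuse its arguments unchanged
            echo "./configure $(running_args "$1") --add-dynamic-module=$2" ;;
    esac
}
```

On a real host, pass "$(nginx -V 2>&1)" as the first argument; nginx prints its build information to stderr.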

Related

Is Passenger Deprecated for Nginx versions above 1.14?

I updated nginx from version 1.14 to 1.18 (Ubuntu) on Ubuntu 18.04.
Doing so appeared to break passenger. So I uninstalled and attempted to reinstall the Open Source Passenger version via the Passenger installation Ubuntu 18.04 instructions.
I got to this line:
sudo apt-get install -y libnginx-mod-http-passenger
Which throws this error
libnginx-mod-http-passenger : Depends: nginx-common (< 1.14.1) but 1.18.0-3ubuntu1+bionic1 is to be installed
Update: I also attempted with the enterprise version. Following the enterprise version installation instructions, I received a similar error message:
libnginx-mod-http-passenger-enterprise : Depends: nginx-common (< 1.14.1) but 1.18.0-3ubuntu1+bionic1 is to be installed
I did attempt to research the issue and I found this issue on Phusion's GitHub as well as this more recent issue. It appears that what most people are doing is rolling back their nginx version to 1.14.
It is not deprecated, no. The problem is that the packaged module you are trying to install was made for an older Nginx version that is distributed through the system default repository. This appears in the installation guide that you've mentioned:
At this point we assume that you already have Nginx installed from your system repository.
What this means is that the following instructions assume that you have the specific Nginx version (1.14.0 in your case) installed, for which the packaged module was built. This is emphasised in the new passenger documentation:
If you want to use our packaged Nginx module, you must use your distro's provided Nginx package. If for example you have the repo provided by NGINX setup, you will instead need to compile a dynamic module compatible with that Nginx.
The link in the last quote will bring you to the guide on how to compile a dynamic passenger module and enable it in Nginx configuration. I will not repeat the whole process to keep the answer short but the general approach is this:
Get passenger module for Nginx source code.
Get Nginx source code for the version you have installed.
Compile Nginx with the passenger module:
cd /path-to-nginx-source-dir
./configure --prefix=/opt/nginx \
--with-some-configure-flag \
--add-dynamic-module=$(passenger-config --nginx-addon-dir) \
--add-module=/path-to-some-other-nginx-module
make
sudo make install
Make Nginx load the module by adding this line to nginx.conf:
load_module modules/ngx_http_passenger_module.so;
Personally, I'd rather choose the 'nginx-behind-nginx' approach than build the module. That is, you have any Nginx version you like, but it runs as a reverse proxy for another Nginx with passenger enabled (Passenger Standalone). With an unnoticeable penalty to performance this will be much easier to maintain (install, update). See this guide for details.

How to install a module on nginx?

When running nginx -t I get this error:
nginx: [emerg] unknown directive "subs_filter_types" in /etc/nginx/sites-enabled/my.site.com.conf:285
nginx: configuration file /etc/nginx/nginx.conf test failed
So I need to install the substitution filter module, and the nginx documentation https://www.nginx.com/resources/wiki/modules/substitutions/#subs-filter-types
says to run these commands:
git clone git://github.com/yaoweibin/ngx_http_substitutions_filter_module.git
./configure --add-module=/path/to/module
The problem is I don't have the configure script anywhere in my nginx installation nor in the
git repository. I really don't understand.
At the very least I want to know the content of that nginx configure script.
The instructions you are referring to are for compiled installation.
Assuming you want to add the module to your existing NGINX install, below are the generic steps that will get things running.
Fetch exactly matching version of NGINX as the one you have installed, from nginx.org onto your system and extract it to, say, /usr/local/src/nginx
git clone NGINX module's source code onto your system, to e.g. /usr/local/src/nginx-module-foo
cd /usr/local/src/nginx. This is where you will find the configure script. You will basically configure NGINX with the location of the config of specific module in question, thus next step:
./configure --add-dynamic-module=../nginx-module-foo --with-compat
make
As a result of the compilation you will have the module's .so file somewhere in the objs directory of your NGINX sources. You will then copy it over to e.g. the /usr/lib64/nginx/modules/ directory.
To make your existing NGINX load the module, add load_module modules/foo.so; at the very top of /etc/nginx/nginx.conf.
You can decipher the many downsides to the whole compiled approach: one is having compilation software (gcc) on a production system, another is having to re-do all those steps any time you upgrade NGINX or the module.
For the reasons mentioned, you might want to search for a packaged install of third-party modules.
For CentOS/RHEL systems, you might want to look at GetPageSpeed repos (subscription-ware, and I'm biased to mention it, because I'm the maintainer, but this is free for CentOS/RHEL 8 at the time of this writing). Installing the module you want comes down to a couple of commands:
yum -y install https://extras.getpagespeed.com/release-latest.rpm
yum -y install nginx-module-substitutions
For Debian-based systems, probably there are alternative PPAs existing for the same.
Just replace prefix subs with sub.
For default nginx 1.10.3 installation (Ubuntu 16.04.5 LTS)
nginx -V should have flag --with-http_sub_module to use sub_* directives.
Usage example:
sub_filter_types text/html text/css text/xml;
sub_filter 'needle' 'replacement';
sub_filter_once off;
NGINX documentation link

Nginx PageSpeed Module on Nginx from PhusionPassenger APT

I have installed nginx/1.12.1 and Phusion Passenger by APT from https://oss-binaries.phusionpassenger.com repository. It's configured correctly within my Rails apps.
Thereafter, I want to improve nginx by adding nginx pagespeed module dynamically following this https://www.modpagespeed.com/doc/build_ngx_pagespeed_from_source to build ngx_pagespeed module and following this https://www.nginx.com/blog/compiling-dynamic-modules-nginx-plus/ to compile dynamic module, by running :
$ ./configure --with-compat --add-dynamic-module=$HOME/ngx_pagespeed-${NPS_VERSION} ${PS_NGX_EXTRA_FLAGS}
$ make modules
After that, I copied ngx_pagespeed.so from the objs/ folder into /etc/nginx/modules and of course loaded the module in nginx.conf by adding load_module modules/ngx_pagespeed.so; to it. But when I reload nginx, it produces the following error:
nginx: [emerg] module "/usr/share/nginx/modules/ngx_pagespeed.so" is not binary compatible in /etc/nginx/nginx.conf:5
My question is:
How do I add ngx_pagespeed module on nginx from PhusionPassenger APT?
What are the right ./configure flags for compiling an additional module without losing the previously installed nginx (from PhusionPassenger APT) modules?
Thank you
On ubuntu xenial, you'll have an easier time adding your configure flags to the passenger-install-nginx-module script like so: passenger-install-nginx-module --extra-configure-flags="--with-compat --add-dynamic-module=$HOME/ngx_pagespeed-${NPS_VERSION} ${PS_NGX_EXTRA_FLAGS}" instead of using the nginx-extras package, as matching the flags from the packaging process at phusion is a pain. You can read more about it here: https://www.phusionpassenger.com/library/install/nginx/customizing_compilation_process.html

How can I add PHP-FPM with nginx?

Currently I'm using nginx with HHVM, but for some reason HHVM crashes a lot.
What I'm trying to do is:
Replace HHVM with php-fpm
OR
Add php-fpm as fallback
PS: I used this to install nginx + HHVM:
https://github.com/facebook/hhvm/wiki/Getting-Started
I have made this simple script to install latest HHVM/Nginx/MySQL, at once, depending on different Ubuntu Distros. Binaries that are used, come from the official repos that the HHVM team uses. Check var/log/hhvm, error.log file and create issue if you think it is a HHVM.
I use HHVM on servers, and it rarely crashes.

Recompile Nginx with additional modules

I installed Nginx via apt-get on Debian a while ago, and I've got a couple of sites live on it. Now I need to install some additional modules, and as I don't want to mess anything up I'd like to double check my process before I perform it. Hopefully this will also help others that are unsure about this part.
As I've understood it I have to do the following to minimize the downtime:
Download the source for Nginx
Add the additional modules with ./configure --additional-module
Compile Nginx with make
Stop the current server (service nginx stop)
Install Nginx with make install
Start the new server (service nginx start)
Or do I have to uninstall Nginx first, as it's not compiled from source at this point?
Having done something similar on Ubuntu before, the installation should overwrite the existing nginx binaries with the newly compiled ones, so long as yes, you ensure nginx isn't running on the system at the time.
I'd recommend trying to install nginx elsewhere on the system, so in case you can't get it to work quickly, you can restart your web server with the old nginx binaries and not have significant downtime.
nginx -V - a helpful command which shows the options for ./configure which were used to build the nginx which is actually working.
Helpful to get detail imagination about.
apt-get source nginx - to get source
install will automatically substitute actual installed version by new one
Keep also in mind that some nginx-modules can require additional libs on server. geoip module is classical example of it
