I am using Drupal 7, nginx with SSL, and php-fpm to serve static pages. I would like to get the maximum security and speed from my nginx installation. That's why I have decided to install it from source and leave out unnecessary modules. Can someone help me select the modules, please? Here is what I am choosing...
./configure --user=nginx --group=nginx --prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_geoip_module --with-http_ssl_module --with-http_gzip_static_module --with-http_secure_link_module --with-pcre --without-http_uwsgi_module --without-http_scgi_module --without-http_autoindex_module --without-http_ssi_module --add-module=pagespeed
I am working on implementing http/2 for an ecommerce website my company made. I'm hosting it on debian jessie and found that it's now pretty easy to get nginx from the backports repo which was built against openssl 1.0.2 to support ALPN (which is necessary these days to work with chrome).
So I upgraded my libssl and then my nginx. To my great surprise, nginx now seems to be serving my content through http2 even though I didn't add that keyword to the config. Chrome's dev tools show h2 in the protocol column of the network tab.
Normally I would be happy about that, but I'd like to make some comparison measurements between http1.1 and http2. How can I force it to serve http1.1 again (temporarily) to make my measurements?
Edit: adding output of nginx -V to be specific about my version
$ nginx -V
nginx version: nginx/1.9.10
built with OpenSSL 1.0.2h 3 May 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads --add-module=/build/nginx-1.9.10/debian/modules/nginx-auth-pam --add-module=/build/nginx-1.9.10/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-1.9.10/debian/modules/nginx-echo --add-module=/build/nginx-1.9.10/debian/modules/nginx-upstream-fair --add-module=/build/nginx-1.9.10/debian/modules/ngx_http_substitutions_filter_module
According to the documentation:
The http2 parameter (1.9.5) configures the port to accept HTTP/2 connections.
Thus any virtual server configured on this port will accept HTTP/2 connections. If you want to configure some hosts with HTTP/2 but others without, then you have to use different IPs or ports.
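Added example, not part of the original answer: a small audit that reads nginx configuration text and marks each `listen` directive as enabling HTTP/2 itself, picking it up from another directive on the same address and port, or not having it at all. The function names and the sample configuration are constructed for illustration, and the parser assumes one directive per line.

```shell
#!/bin/sh
# Added example. Assumes one directive per line, as in typical nginx configs.
# sample_config: constructed configuration with two servers sharing port 443.
sample_config() {
    cat <<'EOF'
server {
    listen 443 ssl http2;   # opts in to HTTP/2
    server_name a.example;
}
server {
    listen 443 ssl;         # no http2 parameter, same port
    server_name shop.example;
}
server {
    listen 80;
}
EOF
}

# listen_report: read nginx configuration on stdin and print, for each listen
# directive in order, "<address:port> <state>" where state is
#   explicit  - this directive carries the http2 parameter
#   inherited - another directive on the same address:port carries it
#   off       - no directive on this address:port enables http2
listen_report() {
    awk '
        { sub(/#.*/, "") }                            # strip comments
        $1 == "listen" {
            addr = $2; sub(/;$/, "", addr)
            if (addr ~ /^[0-9]+$/) addr = "*:" addr   # bare port number
            flag = 0
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p == "http2") flag = 1
            }
            n++; a[n] = addr; f[n] = flag
            if (flag) h2[addr] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                state = f[i] ? "explicit" : ((a[i] in h2) ? "inherited" : "off")
                print a[i], state
            }
        }
    '
}

sample_config | listen_report
```

On a live host the same function can be fed the full effective configuration with `nginx -T 2>/dev/null | listen_report`.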
I just compiled a custom version of nginx for our new project.
NGINX -V:
nginx version: nginx/1.9.15
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.2g 1 Mar 2016
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-openssl=/usr/src/openssl-1.0.2g --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=/usr/local/src/naxsi-master/naxsi_src/ --add-module=/root/custom-nginx/nginx-1.9.15/src/http/modules/ngx_pagespeed-release-1.11.33.0-beta
On the browsers from my work office http2 works fine. When I go home and test on my pc, http2 does not work in any browser. I cannot understand where the problem is.
I have the same windows 7, same browsers, everything the same.
Can somebody point out the problem I am facing?
Many Thanks.
Can think of two reasons why this might happen:
You are using antivirus software at home which performs MITM interception to enable it to scan traffic. See here: https://serverfault.com/questions/752767/trying-to-setup-http2-on-apache.
You are using a LoadBalancer or other such infrastructure that sits in front of your nginx server, when accessed externally.
I need to install the push stream module for nginx.
cd /
wget http://nginx.org/download/nginx-1.7.12.tar.gz
tar -xvf nginx-1.7.12.tar.gz
cd nginx-1.7.12
git clone http://github.com/wandenberg/nginx-push-stream-module.git
next...
./configure --sbin-path=/usr/local/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --user=nginx --group=nginx --with-http_gzip_static_module --add-module=nginx-push-stream-module
after result...
adding module in nginx-push-stream-module
checking for http_push_stream_module ... found
+ ngx_http_push_stream_module was configured
make && make install
make - OK
run command "nginx -V"
nginx version: nginx/1.7.12
built by gcc 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC)
TLS SNI support enabled
configure arguments: --sbin-path=/usr/local/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --user=nginx --group=nginx --with-http_gzip_static_module --with-http_realip_module --with-http_mp4_module --with-http_flv_module --with-http_dav_module --with-http_secure_link_module --with-http_geoip_module --with-http_ssl_module --with-http_spdy_module --add-module=nginx-push-stream-module
service nginx start
[root#p11 nginx-1.7.12]# systemctl status nginx.service
апр 14 03:26:02 p11.ihc.ru nginx[31057]: Starting nginx: nginx: [emerg] unknown directive "push_stream_shared_memory_size" in /etc/nginx/nginx.conf:59
апр 14 03:26:02 p11.ihc.ru nginx[31057]: [FAILED]
[root#p11 nginx-1.7.12]# nginx -V
nginx version: nginx/1.7.12
built by gcc 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC)
TLS SNI support enabled
configure arguments: --sbin-path=/usr/local/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --user=nginx --group=nginx --with-http_gzip_static_module --with-http_realip_module --with-http_mp4_module --with-http_flv_module --with-http_dav_module --with-http_secure_link_module --with-http_geoip_module --with-http_ssl_module --with-http_spdy_module --add-module=nginx-push-stream-module
Check your nginx install:
nginx -V
This command shows all compile options, etc.
There you can check for the nginx-push-stream-module module.
Your build looks good so I'd be checking that you don't have multiple nginx binaries in your $PATH that your service could be executing instead of your new build.
whereis nginx
You've installed your new binary into /usr/local/sbin, so check you haven't forgotten to remove older nginx distributed packages that could interfere.
rpm -qa | grep ^nginx
If all else fails, move the git repo out of your nginx source and try again:
git clone https://github.com/wandenberg/nginx-push-stream-module.git
wget http://nginx.org/download/nginx-1.7.12.tar.gz
tar -xvf nginx-1.7.12.tar.gz
cd nginx-1.7.12
./configure --sbin-path=/usr/local/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --user=nginx --group=nginx --with-http_gzip_static_module --add-module=../nginx-push-stream-module
make && make install
Even better, if you want to automate builds this is what I use on my servers:
https://github.com/cubicdaiya/nginx-build
Hope it helps!
i have compiled nginx 1.5.10 with the spdy module on centos 6.5 and it is operating without a problem as far as i know, except that spdy is apparently not being used.
i have added the 'spdy' option to the listen directive in nginx.conf and restarted the server, yet the various spdy checking methods, such as the firefox plugin that is available and also the website: https://spdycheck.org/
both show that spdy is not being used on my site.
the line in nginx.conf is:
listen 443 ssl spdy default_server;
i saw this thread: How to set up SPDY Protocol over Nginx?
and looked to see if i needed to change the DAEMON or PATH lines in /etc/init.d/nginx - yet in my versions those lines are not present at all.
the output of nginx -V is:
nginx version: nginx/1.5.10
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-cc-opt='-O2 -g'
any tips welcomed!
SPDY/3.1 isn't supported by Firefox 26. The support was added to Firefox in version 27, see release notes.
I have a Rails app and want to set up Google SPDY protocol support. But after installing nginx with the SPDY patch and then enabling spdy in the virtual host, it does not allow me to restart nginx and instead throws the following error.
Restarting nginx: nginx: [emerg] invalid parameter "spdy" in /etc/nginx/sites-enabled/default:112
nginx: configuration file /etc/nginx/nginx.conf test failed
I have compiled the latest nginx 1.3.13 with the spdy patch; here are my install steps:
wget http://nginx.org/download/nginx-1.3.13.tar.gz
tar xvfz nginx-1.3.13.tar.gz
cd nginx-1.3.13
# Fetch the SPDY patch and apply it
wget http://nginx.org/patches/spdy/patch.spdy.txt
patch -p1 < patch.spdy.txt
./configure \
--sbin-path=/usr/local/sbin/nginx \
--prefix=/etc/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-log-path=/var/log/nginx/access.log \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
--lock-path=/var/lock/nginx.lock \
--pid-path=/var/run/nginx.pid \
--with-debug \
--with-http_addition_module \
--with-http_dav_module \
--with-http_gzip_static_module \
--with-http_realip_module \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-http_sub_module \
--with-http_xslt_module \
--with-http_spdy_module \
--with-ipv6 \
--with-sha1=/usr/include/openssl \
--with-md5=/usr/include/openssl \
--with-mail \
--with-mail_ssl_module \
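--add-module=/software/ngx_cache_purge-1.6 \
--with-openssl='/software/openssl-1.0.1e'
# Comments must not sit between the continued lines above, or the shell ends the command at the first one.
# Source for /software/ngx_cache_purge-1.6: wget https://you.googlecode.com/files/ngx_cache_purge-1.6.tar.gz
# Source for /software/openssl-1.0.1e: http://www.openssl.org/source/openssl-1.0.1e.tar.gz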
# Build and install nginx
make && sudo make install
It compiles successfully without any error.
The result of nginx -V gives the following:
nginx version: nginx/1.3.13
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
TLS SNI support enabled
configure arguments: --sbin-path=/usr/local/sbin/nginx --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-debug --with-http_addition_module --with-http_dav_module --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-http_spdy_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/software/ngx_cache_purge-1.6 --with-openssl=/software/openssl-1.0.1e
My /etc/nginx/site-enabled config has
server {
listen 443 ssl spdy;
ssl_certificate server.crt;
ssl_certificate_key server.key;
...
}
After all this successful installation, nginx does not restart with the spdy param in the server block of the site-enabled file.
Any suggestions? I am sure of missing something here but can't figure out.
UPDATE (November 19th, 2013): Modified script for nginx 1.4.3 (Does not need spdy patch)
https://gist.github.com/deepak-kumar/7541199#file-compile_nginx_1-4-3_with-spdy-sh
I wrote Shell Script for the setup
https://gist.github.com/deepak-kumar/5069550#file-compile_nginx_with_spdy-sh
I have found the solution to the problem.
I already had the nginx package installed on my Ubuntu 12.04 even before compiling this 1.3.13, which was causing the problem.
$ sudo apt-get install nginx
To solve this issue I made sure that /etc/init.d/nginx should use the correct binary.
I did the following in the terminal:
$ which nginx
$ /usr/local/sbin/nginx
I checked my existing /etc/init.d/nginx script; it was using the wrong DAEMON path, so I changed it to look like this (works):
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/sbin/nginx # $which nginx
Earlier, the above values were (does not work):
#PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#DAEMON=/usr/sbin/nginx
The rest of the file remains the same. So essentially I used the correct version of the binary.
Update: This blog is also a very good reference point in case you guys are interested.
http://blog.bubbleideas.com/2012/08/How-to-set-up-SPDY-on-nginx-for-your-rails-app-and-test-it.html
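Added example, not part of the original posts: the check that this answer and the earlier push-stream answer both arrive at, namely confirming that the binary the init script starts is the one that was built with the module. The function names are hypothetical, and the two `nginx` stand-ins and the init script are constructed in a temporary directory so the script runs without touching a real installation.

```shell
#!/bin/sh
# Added example: confirm that the binary an init script starts was built with
# a given configure flag. Function names and the fixture are constructed.

# has_flag BIN FLAG: succeed if `BIN -V` lists FLAG (nginx prints -V to stderr).
has_flag() {
    "$1" -V 2>&1 | tr ' ' '\n' | grep -qxF -e "$2"
}

# init_daemon FILE: print the path assigned to DAEMON= in a SysV init script,
# ignoring commented-out lines and trailing comments.
init_daemon() {
    sed -n 's/^[[:space:]]*DAEMON=\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# check_service INIT FLAG: 0 = service binary has FLAG, 1 = it does not,
# 2 = DAEMON is missing or not executable.
check_service() {
    bin=$(init_daemon "$1")
    [ -n "$bin" ] && [ -x "$bin" ] || return 2
    has_flag "$bin" "$2"
}

# make_fixture DIR: constructed stand-ins for a packaged nginx (no SPDY) and
# a source build (with SPDY), plus an init script pointing at the old one.
make_fixture() {
    mkdir -p "$1/usr/sbin" "$1/usr/local/sbin"
    printf '#!/bin/sh\necho "configure arguments: --with-http_ssl_module" >&2\n' \
        > "$1/usr/sbin/nginx"
    printf '#!/bin/sh\necho "configure arguments: --with-http_ssl_module --with-http_spdy_module" >&2\n' \
        > "$1/usr/local/sbin/nginx"
    chmod +x "$1/usr/sbin/nginx" "$1/usr/local/sbin/nginx"
    printf '#DAEMON=/ignored\nDAEMON=%s/usr/sbin/nginx\n' "$1" > "$1/init"
}

fix=$(mktemp -d)
make_fixture "$fix"
if check_service "$fix/init" --with-http_spdy_module; then
    echo "init script binary has SPDY"
else
    echo "init script binary lacks SPDY (status $?)"
fi
rm -rf "$fix"
```

Against a real host, call `check_service /etc/init.d/nginx --with-http_spdy_module` (or the flag of whichever module the failing directive belongs to) before restarting the service.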