Deploying newly compiled nginx from test server to production

Hello

What is a good method for deploying a newly compiled nginx binary with an extra module? (mod_security)

I can get all to compile ok. However, I do not want to compile on my production server. There are too many dependencies (i.e. HTTPD for mod_sec).

In the case of mod_security, it seems only the Apache Portable Runtime
(apr-util) is required if I manually move the binary over.

I tried building my own RPM but hit some issues.

Posted at Nginx Forum:

I would prefer RPM. Just patching the official one.

RPM patching process is pretty standardized and shouldn't take more than a few minutes. Could you explain what problem you have?

Thanks ryd994.

I eventually built the RPM ok.

I am attempting to build a stripped down nginx RPM with minimal modules, but also with modsec. I found a suggested config at -

    ./configure \
        --user=nginx \
        --group=nginx \
        --prefix=/etc/nginx \
        --sbin-path=/usr/sbin/nginx \
        --conf-path=/etc/nginx/nginx.conf \
        --pid-path=/var/run/nginx.pid \
        --lock-path=/var/run/nginx.lock \
        --error-log-path=/var/log/nginx/error.log \
        --http-log-path=/var/log/nginx/access.log \
        --with-http_gzip_static_module \
        --with-http_stub_status_module \
        --with-http_ssl_module \
        --with-pcre \
        --with-file-aio \
        --with-http_realip_module \
        --without-http_scgi_module \
        --without-http_uwsgi_module \
        --without-http_fastcgi_module

I was able to build the RPM with the following in the nginx.spec file -

    %build
    ./configure \
        --prefix=%{_sysconfdir}/nginx \
        --sbin-path=%{_sbindir}/nginx \
        --conf-path=%{_sysconfdir}/nginx/nginx.conf \
        --error-log-path=%{_localstatedir}/log/nginx/error.log \
        --http-log-path=%{_localstatedir}/log/nginx/access.log \
        --pid-path=%{_localstatedir}/run/nginx.pid \
        --lock-path=%{_localstatedir}/run/nginx.lock \
        --user=%{nginx_user} \
        --group=%{nginx_group} \
        --with-http_gzip_static_module \
        --with-http_stub_status_module \
        --with-http_ssl_module \
        --with-pcre \
        --with-file-aio \
        --with-http_realip_module \
        --without-http_scgi_module \
        --without-http_uwsgi_module \
        --without-http_fastcgi_module \
        %{?with_spdy:--with-http_spdy_module} \
        --with-cc-opt="%{optflags} $(pcre-config --cflags)" \
        --add-module=%{_builddir}/%{name}-%{version}/modsecurity-2.9.0/nginx/modsecurity \
        $*

I am unsure about a couple of lines at the bottom -

    %{?with_spdy:--with-http_spdy_module} \
    --with-cc-opt="%{optflags} $(pcre-config --cflags)" \

The RPM installs fine (apr-devel rpm dependency).

Version outputs the following -

    nginx -V
    nginx version: nginx/1.8.0
    built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC)
    built with OpenSSL 1.0.1e-fips 11 Feb 2013
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --with-http_gzip_static_module --with-http_stub_status_module --with-http_ssl_module --with-pcre --with-file-aio --with-http_realip_module --without-http_scgi_module --without-http_uwsgi_module --without-http_fastcgi_module --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=/home/test/rpmbuild/BUILD/nginx-1.8.0/modsecurity-2.9.0/nginx/modsecurity

Basically I want a minimal nginx install to serve static files over SSL.
Might you have any suggestions to improve this?

I also found a separate issue, which I discovered when modsec is compiled:

"configure: WARNING: APR util was not compiled with crypto support. SecRemoteRule will not support the parameter 'crypto'"

Basically the rhel6 apr-devel rpm does not have crypto support. Trying to determine what the ramifications are here.

Posted at Nginx Forum:

Congratulations on getting the RPM.

If you search in the spec file for "with_spdy", you should find that tag (think of it as some variable) around.
I'm not quite sure about --with-cc-opt="%{optflags} $(pcre-config --cflags)". Seems it is there to keep nginx compiled with the same options as the pcre lib.

If all you need is a static file server, I guess you can remove the following:
--with-http_gzip_static_module (pre compressed file)
--with-http_stub_status_module (stub page might be used by some monitoring tools, like longview)
--with-http_realip_module (parse X-Forwarded-For)
--with-pcre (regex)
If you want to rip off more, you can try adding --without-* options:
http://wiki.nginx.org/Modules
Wiki is somewhat outdated. If you get invalid options, that module might already be excluded from the default build. Don't worry about that. Also, you can always recompile again if you cut off too much. Shouldn't take long.

I never used modsec before, so I can't help with the APR issue. Maybe you should rebuild and install apr first.

Regards,
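
A pre-promotion check for the package built on the test server, as an added example that is not part of the thread: it audits `nginx -V` output against a build policy before the RPM goes to production. The function name `audit_nginx_build` and the two policy lists are assumptions for illustration; the sample is the `nginx -V` output posted above.

```shell
#!/bin/sh
# Policy (assumed for this example): TLS on, unused upstream modules off,
# ModSecurity compiled in, distro hardening flags present in --with-cc-opt.
REQUIRED_ARGS="--with-http_ssl_module --without-http_fastcgi_module \
--without-http_scgi_module --without-http_uwsgi_module"
REQUIRED_CFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector"

# `nginx -V` output from the thread, configure arguments on one line.
SAMPLE_V="nginx version: nginx/1.8.0
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --with-http_gzip_static_module --with-http_stub_status_module --with-http_ssl_module --with-pcre --with-file-aio --with-http_realip_module --without-http_scgi_module --without-http_uwsgi_module --without-http_fastcgi_module --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=/home/test/rpmbuild/BUILD/nginx-1.8.0/modsecurity-2.9.0/nginx/modsecurity"

# audit_nginx_build TEXT
# Prints one "MISSING ..." line per failed check; returns 0 if the build
# satisfies the policy, 1 otherwise.
audit_nginx_build() {
    args=$(printf '%s\n' "$1" | sed -n 's/^configure arguments: //p')
    [ -n "$args" ] || { echo "MISSING configure arguments line"; return 1; }
    rc=0
    # Configure switches must appear as whole words.
    for want in $REQUIRED_ARGS; do
        case " $args " in
            *" $want "*) ;;
            *) echo "MISSING arg $want"; rc=1 ;;
        esac
    done
    # The third-party module shows up only as an --add-module path.
    case "$args" in
        *--add-module=*modsecurity*) ;;
        *) echo "MISSING ModSecurity add-module"; rc=1 ;;
    esac
    # Compiler flags live inside the quoted --with-cc-opt value; match as
    # substrings because FORTIFY_SOURCE is passed as -Wp,-D_FORTIFY_SOURCE=2.
    ccopt=$(printf '%s\n' "$args" | sed -n "s/.*--with-cc-opt='\([^']*\)'.*/\1/p")
    for flag in $REQUIRED_CFLAGS; do
        case "$ccopt" in
            *"$flag"*) ;;
            *) echo "MISSING cflag $flag"; rc=1 ;;
        esac
    done
    return $rc
}

# On a host with the package installed (nginx -V writes to stderr):
#   audit_nginx_build "$(nginx -V 2>&1)"
audit_nginx_build "$SAMPLE_V" && echo "sample build satisfies the policy"
```

Dropping `--with-cc-opt` from the spec file would make the two compiler-flag checks fail, which is the reason to keep `%{optflags}` in the build.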