
nginx-quic with libressl-3.7.0

2023/01/19に公開

Manjaro Linuxでnginx-quicを利用しています。
また圧縮ライブラリにはbrotliを導入しています。
aurのパッケージではboringsslが利用されているところを、libresslに変更して、ビルドしました。
下がmakepkg.confで指定しているコンパイルオプション。

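# Hardening-oriented makepkg.conf flags for a clang toolchain. Several of
# these (-gfull, -fstandalone-debug, -fintegrated-as, -flto=full) are
# clang-only, so this file assumes CC=clang.
#
#  -D_FORTIFY_SOURCE=2      bounds-checked libc wrappers; needs -O1 or higher
#                           (we use -O2) to have any effect.
#  -fPIE                    position-independent code for the executable.
#                           The original listed both -fPIE and -fpie; on
#                           x86-64 they are the same thing, so only one is kept.
#  -flto=full               listed once (it appeared twice before); the
#                           -fwhole-program-vtables/-fvirtual-function-elimination
#                           flags only matter for C++ translation units.
#  -fstack-clash-protection probes large stack allocations page by page.
#  -fcf-protection          emits CET (IBT/SHSTK) markers; actual enforcement
#                           depends on the CPU and kernel, not on this flag.
#  -fstack-protector-all    canary in every function (heavier than -strong).
#  -fno-sanitize-recover    inert unless a -fsanitize=... option is added.
#  -gfull/-gdwarf-5/-gz     full compressed debug info; makepkg strips it from
#                           the package unless options=(debug) is set.
CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \
-Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security \
-Wtautological-compare -Wsign-compare \
-gfull -fstandalone-debug -gdwarf-5 -gz \
-fPIE \
-flto=full -fwhole-program-vtables -fforce-emit-vtables -fvirtual-function-elimination \
-ffunction-sections -fdata-sections \
-fintegrated-as -fintegrated-cc1 \
-fstack-clash-protection -fcf-protection \
-fstack-protector-all \
-fno-sanitize-recover=all"

# _GLIBCXX_ASSERTIONS turns on libstdc++ precondition checks (C++ only).
CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS"

# Link flags:
#  -Wl,-z,relro,-z,now  GNU_RELRO segment plus eager binding -> "Full RELRO"
#                       in checksec; with relro alone the GOT stays writable
#                       until lazy binding finishes ("Partial RELRO").
#  -fno-plt             calls go through the GOT directly and rely on the
#                       eager binding -z now provides.
#  -Wl,-z,noexecstack   non-executable stack (checksec "NX enabled").
#  -Wl,--gc-sections    pairs with -ffunction-sections/-fdata-sections above.
#  -fuse-ld=ld          GNU ld; see the note in the article about lld.
#  -fPIE                a codegen flag, harmless at link time. The PIE
#                       executable itself comes from the driver passing -pie;
#                       if your clang does not default to that, add -pie here.
LDFLAGS="-Wl,-O1,--sort-common \
-flto=full \
-fPIE \
-Wl,-z,noexecstack \
-Wl,--gc-sections \
-fno-plt -Wl,-z,relro,-z,now \
-fuse-ld=ld"
LTOFLAGS="-flto=full"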

なるべくFull RELROになるように、オプションを指定しています（該当するのはLDFLAGSの `-Wl,-z,relro,-z,now` で、`relro` だけだとGOTが遅延バインド完了まで書き込み可能なままになりPartial RELROと判定されます）。
コンパイラはclangです。リンカがlldだとchecksecでPartial RELROと表示されるようだったので、GNU ldを利用しています（lld側の原因は未確認です。`readelf -d` の出力に `BIND_NOW` フラグがあればFull RELROなので、そちらで直接確認するのが確実です）。なお、下のchecksecの出力ではFORTIFY・Fortified・Fortifiableの列が空のままなので、`_FORTIFY_SOURCE=2` が実際に効いているかはこの出力からは判断できません。`./checksec --fortify-file=pkg/nginx-quic/usr/bin/nginx` や、`readelf --dyn-syms` で `__*_chk` シンボルがインポートされているかを別途確認するとよいです。

./checksec --file=pkg/nginx-quic/usr/bin/nginx 
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	Symbols		FORTIFY	Fortified	Fortifiable	FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   No Symbols

Manjaro向けパッケージ作成用のPKGBUILDファイル
nginx-quic

# Maintainer:  DasSkelett <dasskelett@dasskelett.dev>
# Contributor: Kasei Wang <kasei@kasei.im>
# Contributor: Bartłomiej Piotrowski <bpiotrowski@archlinux.org>
# Contributor: Sébastien Luttringer
# Contributor: Drew DeVault

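_pkgbase=nginx
# Mercurial changeset the build is pinned to. This is the 12-digit short
# form; the full 40-digit changeset id pins unambiguously and is preferable
# for a reproducible, integrity-checked checkout.
_commit=6bb884dc7291

pkgbase=nginx-quic
pkgname=(nginx-quic nginx-quic-src)
pkgver=1.23.4
pkgrel=3
pkgdesc='Lightweight HTTP server and IMAP/POP3 proxy server, HTTP/3 QUIC branch'
arch=('i686' 'x86_64')
url='https://nginx.org'
license=('custom')
# mailcap: package_nginx-quic() deletes the bundled /etc/nginx/mime.types
# because that file is expected to come from mailcap (see the "# in mailcap"
# comment there), so nginx will not start on a clean system without it.
# No openssl dependency: LibreSSL from source=() is linked statically.
depends=('geoip' 'libxcrypt' 'mailcap' 'pcre2')
# Only mercurial is needed for the hg source. cmake and go belonged to the
# BoringSSL build that was replaced by LibreSSL, and nothing is fetched via git.
makedepends=('mercurial')
backup=('etc/nginx/fastcgi.conf'
        'etc/nginx/fastcgi_params'
        'etc/nginx/koi-win'
        'etc/nginx/koi-utf'
        'etc/nginx/nginx.conf'
        'etc/nginx/scgi_params'
        'etc/nginx/uwsgi_params'
        'etc/nginx/win-utf'
        'etc/logrotate.d/nginx')
install=nginx.install
provides=('nginx' 'nginx-mainline')
conflicts=('nginx')
# Supply-chain notes: the LibreSSL tarball is pinned by sha256 below, so a
# tampered or replaced download fails the build. 'SKIP' for the hg source is
# the usual makepkg convention for VCS sources, whose integrity comes from the
# pinned changeset id rather than a checksum.
source=("hg+https://hg.nginx.org/nginx-quic#revision=$_commit"
        "https://cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.7.0.tar.gz"
        "service"
        "logrotate")
sha256sums=('SKIP'
            '3fc1290f4007ec75f6e9acecbb25512630d1b9ab8c53ba79844e395868c3e006'
            '05fdc0c0483410944b988d7f4beabb00bec4a44a41bd13ebc9b78585da7d3f9b'
            'b9af19a75bbeb1434bba66dd1a11295057b387a2cbff4ddf46253133909c311e')

# Configure flags shared by the main binary. --with-compat keeps the module
# ABI signature stable so dynamic modules (e.g. the brotli package below)
# built against nginx-quic-src load into this binary.
_common_flags=(
  --with-compat
  # Compiles in debug-level logging; inactive unless error_log uses 'debug'.
  --with-debug
  --with-file-aio
  --with-http_addition_module
  --with-http_auth_request_module
  --with-http_dav_module
  --with-http_degradation_module
  --with-http_flv_module
  --with-http_geoip_module
  --with-http_gunzip_module
  --with-http_gzip_static_module
  --with-http_mp4_module
  --with-http_realip_module
  --with-http_secure_link_module
  --with-http_slice_module
  --with-http_ssl_module
  --with-http_stub_status_module
  --with-http_sub_module
  --with-http_v2_module
  --with-mail
  --with-mail_ssl_module
  --with-pcre-jit
  --with-stream
  --with-stream_geoip_module
  --with-stream_realip_module
  --with-stream_ssl_module
  --with-stream_ssl_preread_module
  --with-threads
)

# Kept empty for parity with the upstream nginx-mainline PKGBUILD layout.
_mainline_flags=(
)

# HTTP/3 and stream QUIC; these require a TLS library with the QUIC API
# (LibreSSL 3.7.0 here).
_quic_flags=(
  --with-http_v3_module
  --with-stream_quic_module
)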

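prepare() {
  # Save an untouched copy of the checkout before build() runs configure in
  # it. Here ${pkgname} is the first element of the pkgname array
  # ("nginx-quic"), which is also the directory name of the hg clone. The copy
  # is named "nginx-quic-src" -- the value makepkg gives $pkgname while it
  # runs package_nginx-quic-src(), which is what lets that function copy this
  # pristine tree via ${srcdir}/${pkgname}.
  rm -rf -- "${srcdir:?}/${pkgname}-src"
  cp -r -- "${srcdir}/${pkgname}" "${srcdir}/${pkgname}-src"
}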

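build() {
  # nginx's configure picks up CFLAGS from the environment but not LDFLAGS,
  # so the hardening link flags from makepkg.conf (-z relro -z now, noexecstack)
  # only reach the final link through --with-ld-opt. That is done for clang
  # below; the gcc branch passes nothing.
  # NOTE(review): the gcc branch is effectively unreachable with the clang-only
  # makepkg.conf shown in the article, but if it is ever used, pass "$LDFLAGS"
  # there too, or the binary will not get Full RELRO.
  local _cc_opt _ld_opt
  if [[ $CC == "clang" ]]; then
    _cc_opt="-flto"
    _ld_opt="$LDFLAGS -flto -fuse-ld=ld"
  else
    _cc_opt=""
    _ld_opt=""
  fi

  # -fPIC on top of -fPIE: all objects, including the statically linked
  # LibreSSL, stay position independent; the executable is still linked as
  # PIE (checksec reports "PIE enabled" on the result).
  export CFLAGS="$CFLAGS -fPIC"
  export CXXFLAGS="$CXXFLAGS -fPIC"

  # LibreSSL replaces the BoringSSL build the AUR package used. nginx's own
  # --with-openssl machinery configures and builds it as a static library
  # from the sha256-pinned tarball in source=(), so no system TLS library is
  # involved at run time.
  cd "${srcdir}/${pkgname}" || return 1
  ./auto/configure \
    --prefix=/etc/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --sbin-path=/usr/bin/nginx \
    --pid-path=/run/nginx.pid \
    --lock-path=/run/lock/nginx.lock \
    --user=http \
    --group=http \
    --http-log-path=/var/log/nginx/access.log \
    --error-log-path=stderr \
    --http-client-body-temp-path=/var/lib/nginx/client-body \
    --http-proxy-temp-path=/var/lib/nginx/proxy \
    --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
    --http-scgi-temp-path=/var/lib/nginx/scgi \
    --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
    --with-openssl="${srcdir}/libressl-3.7.0" \
    --with-cc-opt="${_cc_opt}" \
    --with-ld-opt="${_ld_opt}" \
    "${_common_flags[@]}" \
    "${_mainline_flags[@]}" \
    "${_quic_flags[@]}"

  make
}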

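package_nginx-quic() {
  # makepkg sets $pkgname to this split package's name ("nginx-quic") while
  # running this function; that is the directory build() configured in.
  cd "$pkgname" || return 1
  make DESTDIR="$pkgdir" install

  # Run as user html (this overrides the compiled-in --user=http default) and
  # move the document root out of /etc.
  # NOTE(review): the two line-addressed substitutions rely on 'root html;'
  # sitting on lines 44 and 54 of upstream's default nginx.conf. They do
  # nothing, silently, if a future release shifts those lines -- check the
  # result after every pkgver bump, or anchor on the text instead.
  sed -e 's|\<user\s\+\w\+;|user html;|g' \
    -e '44s|html|/usr/share/nginx/html|' \
    -e '54s|html|/usr/share/nginx/html|' \
    -i "$pkgdir"/etc/nginx/nginx.conf

  rm -- "$pkgdir"/etc/nginx/*.default
  rm -- "$pkgdir"/etc/nginx/mime.types  # in mailcap

  # Only the proxy temp dir is pre-created (mode 700); nginx creates the
  # other temp paths under /var/lib/nginx itself at startup.
  install -d "$pkgdir"/var/lib/nginx
  install -dm700 "$pkgdir"/var/lib/nginx/proxy

  # Log directory is root-owned and world-readable; nginx (running as root
  # master) creates the log files inside it.
  chmod 755 "$pkgdir"/var/log/nginx
  chown root:root "$pkgdir"/var/log/nginx

  install -d "$pkgdir"/usr/share/nginx
  mv -- "$pkgdir"/etc/nginx/html/ "$pkgdir"/usr/share/nginx

  install -Dm644 ../logrotate "$pkgdir"/etc/logrotate.d/nginx
  install -Dm644 ../service "$pkgdir"/usr/lib/systemd/system/nginx.service
  # The license is installed under the first provides= entry ("nginx"), and
  # the package's own license directory symlinks to it.
  install -Dm644 docs/text/LICENSE "$pkgdir"/usr/share/licenses/"${provides[0]}"/LICENSE
  install -d "$pkgdir"/usr/share/licenses/"$pkgname"
  ln -s /usr/share/licenses/"${provides[0]}"/LICENSE "$pkgdir"/usr/share/licenses/"$pkgname"/LICENSE

  # --pid-path/--lock-path live under /run, which is tmpfs on the target;
  # the empty directory 'make install' created must not be packaged.
  rmdir "$pkgdir"/run

  install -d "$pkgdir"/usr/share/man/man8/
  gzip -9c docs/man/nginx.8 > "$pkgdir"/usr/share/man/man8/nginx.8.gz

  local i
  for i in ftdetect indent syntax; do
    install -Dm644 "contrib/vim/${i}/nginx.vim" \
      "${pkgdir}/usr/share/vim/vimfiles/${i}/nginx.vim"
  done
}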

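package_nginx-quic-src() {
  pkgdesc="Source code of nginx-quic $pkgver, useful for building modules"
  arch=('any')
  provides=('nginx-src' 'nginx-mainline-src')
  conflicts=($_pkgbase-src)
  depends=('perl')
  backup=()
  install -d "$pkgdir/usr/src"
  # makepkg sets $pkgname to "nginx-quic-src" inside this function, so this
  # copies the pristine tree prepare() saved before build() ran configure --
  # not the configured/compiled checkout.
  rm -rf -- "${pkgdir:?}/usr/src/nginx"
  cp -r -- "${srcdir}/${pkgname}" "$pkgdir/usr/src/nginx"
  # Drop the Mercurial metadata: large, and irrelevant for module builds.
  rm -r -- "${pkgdir}/usr/src/nginx/.hg" "${pkgdir}/usr/src/nginx/.hgtags"
  # Module builds expect ./configure at the tree root, where release tarballs
  # have it; the hg tree keeps it under auto/.
  ln -s /usr/src/nginx/auto/configure "$pkgdir/usr/src/nginx"
  install -d "$pkgdir/usr/share/licenses/$pkgname"
  ln -s /usr/src/nginx/docs/text/LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
}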

# vim:set ts=2 sw=2 et:

Manjaro向けパッケージ作成用のPKGBUILDファイル
nginx-quic-mod-brotliパッケージ

# Maintainer: Masato Toyoshima <phoepsilonix@gmail.com>

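pkgname=nginx-quic-mod-brotli
epoch=1
pkgver=1.0.9
pkgrel=5

# Pinned ngx_brotli commit. A full 40-hex id means the git fetch is
# integrity-checked by the commit hash itself, which is why sha256sums
# carries the usual 'SKIP' for a VCS source.
_commit=6e975bcb015f62e1f303054897783355e2a877dc
# Upstream repository name ("ngx_brotli"), derived from the package name.
_modname="ngx_${pkgname#nginx-quic-mod-}"

# Extra flags for the dynamic module when the toolchain is clang (CC comes
# from makepkg.conf, which makepkg sources before this file). Note the spaces
# around '==': without them, [[ $CC=="clang" ]] is a single non-empty string
# and is always true, so the original applied these flags unconditionally.
if [[ $CC == "clang" ]]; then
    _cc_opt="-fPIC"
    _ld_opt="$LDFLAGS -fPIC -fuse-ld=ld"
else
    _cc_opt=""
    _ld_opt=""
fi

pkgdesc="Brotli compression filter module for nginx"
arch=('x86_64')
# 'nginx' is the virtual name nginx-quic provides=.
depends=("nginx" 'brotli')
# nginx-quic-src supplies /usr/src/nginx, which prepare() and build() use.
makedepends=("nginx-quic-src" "git")
url="https://github.com/google/ngx_brotli"
license=('CUSTOM')

source=(
	"git+https://github.com/google/$_modname#commit=$_commit"
)
# NOTE(review): no entry in source=() carries '?signed', so makepkg never
# consults validpgpkeys here; and this is a 16-digit key id, whereas makepkg
# matches against full fingerprints. Either add a signed source together with
# the full 40-digit fingerprint, or drop the line -- the commit pin above is
# what actually protects this download today.
validpgpkeys=(536487F1470D7187) # <phoepsilonix@gmail.com>
sha256sums=('SKIP')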

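prepare() {
	# Assemble a minimal build tree: nginx's configure expects ./auto and
	# ./src relative to the cwd, so point them at the installed
	# nginx-quic-src (a makedepends) instead of copying the whole tree.
	mkdir -p build
	cd build || return 1
	ln -sf /usr/src/nginx/auto
	ln -sf /usr/src/nginx/src

	# ngx_brotli's config looks for libbrotli under /usr/local; the Arch
	# 'brotli' package installs to /usr.
	# NOTE(review): no 'g' flag, so only the first /usr/local on each line is
	# rewritten -- fine while each line mentions it once; recheck after
	# bumping _commit.
	cd "$srcdir/$_modname" || return 1
	sed 's@/usr/local@/usr@' -i config
}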

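build() {
	# Configure against the installed nginx-quic source tree. --with-compat
	# must match the main nginx build (the nginx-quic PKGBUILD above passes
	# it in _common_flags); otherwise the module's signature check fails at
	# load_module time and nginx refuses to start.
	cd build || return 1
	/usr/src/nginx/configure --with-compat --add-dynamic-module="../$_modname" \
		--with-cc-opt="$_cc_opt" --with-ld-opt="$_ld_opt"
	make modules
}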

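package() {
	install -Dm644 "$srcdir/$_modname/LICENSE" \
	               "$pkgdir/usr/share/licenses/$pkgname/LICENSE"

	# Install every module the build produced. If the glob matches nothing,
	# install(1) fails on the literal pattern -- intended: an empty module
	# package must not build silently.
	cd build/objs || return 1
	local mod
	for mod in ngx_*.so; do
		install -Dm755 -- "$mod" "$pkgdir/usr/lib/nginx/modules/$mod"
	done
}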

nginx.confの設定例、一部抜粋。

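# Load module section
# These modules must come from a build configured with the same --with-compat
# as the main binary (the nginx-quic PKGBUILD does this), or nginx rejects
# them at load time as binary-incompatible.
load_module "/usr/lib/nginx/modules/ngx_http_brotli_static_module.so";
load_module "/usr/lib/nginx/modules/ngx_http_brotli_filter_module.so";

    #gzip  on;
    #Brotli
    # NOTE(review): like gzip, compressing dynamic responses that place
    # attacker-influenced input next to secrets (CSRF tokens, session data)
    # exposes a BREACH-style compression side channel. Keep brotli to static
    # and public content, or turn it off for such responses.
    brotli on;
    brotli_comp_level 6;
    brotli_static on;
    # Two MIME types in the original list were misspelled ("octec-stream",
    # "trutype") and therefore never matched; corrected here.
    brotli_types application/octet-stream text/xml image/svg+xml application/x-font-ttf image/vnd.microsoft.icon application/x-font-opentype application/json font/eot application/vnd.ms-fontobject application/javascript font/otf application/xml application/xhtml+xml text/javascript application/x-javascript text/plain application/x-font-truetype application/xml+rss image/x-icon font/opentype text/css image/x-win-bitmap application/x-web-app-manifest+json;
    brotli_min_length 1024;

        # h3(http3 over quic)
        #   To enable address validation (Retry packets make the client prove
        #   it owns its source address, limiting spoofed-source amplification):
        quic_retry on;
        #   To enable 0-RTT. Early data can be replayed by an on-path attacker,
        #   so it must not reach non-idempotent handlers; nginx exposes
        #   $ssl_early_data so upstreams can reject it, e.g.
        #   proxy_set_header Early-Data $ssl_early_data;
        #   NOTE(review): support depends on the TLS library -- if LibreSSL
        #   does not implement TLS 1.3 early data, nginx logs a warning and
        #   ignores this directive; check the error log after a reload.
        ssl_early_data on;
        #   To enable GSO (Generic Segmentation Offloading):
        quic_gso on;

        # Advertise HTTP/3 on the same port. Add a max-age ('h3=":443"; ma=86400')
        # if clients should cache the hint between visits.
        add_header Alt-Svc 'h3=":443"';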
  
