👻
nginx-quic with libressl-3.7.0
Manjaro Linuxでnginx-quicを利用しています。
また圧縮ライブラリにはbrotliを導入しています。
aurのパッケージではboringsslが利用されているところを、libresslに変更して、ビルドしました。
下がmakepkg.confで指定しているコンパイルオプション。
CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \
-Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security \
-Wtautological-compare -Wsign-compare \
-gfull -fstandalone-debug -gdwarf-5 -gz \
-flto=full \
-fPIE -fpie \
-flto=full -fwhole-program-vtables -fforce-emit-vtables -fvirtual-function-elimination \
-ffunction-sections -fdata-sections \
-fintegrated-as -fintegrated-cc1 \
-fstack-clash-protection -fcf-protection \
-fstack-protector-all \
-fno-sanitize-recover=all"
CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS"
LDFLAGS="-Wl,-O1,--sort-common \
-flto=full \
-fPIE -fpie \
-Wl,-z,noexecstack \
-Wl,--gc-sections \
-fno-plt -Wl,-z,relro,-z,now \
-fuse-ld=ld"
LTOFLAGS="-flto=full"
なるべくFULL RELROになるように、オプション指定しています。
コンパイラはclangです。リンカがlldだとPartial RELROになるみたいなので、ldを利用しています。
./checksec --file=pkg/nginx-quic/usr/bin/nginx
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH No Symbols
Manjaro向けパッケージ作成用のPKGBUILDファイル
nginx-quic
# Maintainer: DasSkelett <dasskelett@dasskelett.dev>
# Contributor: Kasei Wang <kasei@kasei.im>
# Contributor: Bartłomiej Piotrowski <bpiotrowski@archlinux.org>
# Contributor: Sébastien Luttringer
# Contributor: Drew DeVault
_pkgbase=nginx
_commit=6bb884dc7291
pkgbase=nginx-quic
pkgname=(nginx-quic nginx-quic-src)
pkgver=1.23.4
pkgrel=3
pkgdesc='Lightweight HTTP server and IMAP/POP3 proxy server, HTTP/3 QUIC branch'
arch=('i686' 'x86_64')
url='https://nginx.org'
license=('custom')
depends=('geoip' 'libxcrypt' 'pcre2')
makedepends=('cmake' 'git' 'go' 'mercurial')
backup=('etc/nginx/fastcgi.conf'
'etc/nginx/fastcgi_params'
'etc/nginx/koi-win'
'etc/nginx/koi-utf'
'etc/nginx/nginx.conf'
'etc/nginx/scgi_params'
'etc/nginx/uwsgi_params'
'etc/nginx/win-utf'
'etc/logrotate.d/nginx')
install=nginx.install
provides=('nginx' 'nginx-mainline')
conflicts=('nginx')
source=("hg+https://hg.nginx.org/nginx-quic#revision=$_commit"
"https://cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.7.0.tar.gz"
"service"
"logrotate")
sha256sums=('SKIP'
'3fc1290f4007ec75f6e9acecbb25512630d1b9ab8c53ba79844e395868c3e006'
'05fdc0c0483410944b988d7f4beabb00bec4a44a41bd13ebc9b78585da7d3f9b'
'b9af19a75bbeb1434bba66dd1a11295057b387a2cbff4ddf46253133909c311e')
_common_flags=(
--with-compat
--with-debug
--with-file-aio
--with-http_addition_module
--with-http_auth_request_module
--with-http_dav_module
--with-http_degradation_module
--with-http_flv_module
--with-http_geoip_module
--with-http_gunzip_module
--with-http_gzip_static_module
--with-http_mp4_module
--with-http_realip_module
--with-http_secure_link_module
--with-http_slice_module
--with-http_ssl_module
--with-http_stub_status_module
--with-http_sub_module
--with-http_v2_module
--with-mail
--with-mail_ssl_module
--with-pcre-jit
--with-stream
--with-stream_geoip_module
--with-stream_realip_module
--with-stream_ssl_module
--with-stream_ssl_preread_module
--with-threads
)
_mainline_flags=(
)
_quic_flags=(
--with-http_v3_module
--with-stream_quic_module
)
prepare() {
# Backup pristine version of nginx source for -src package
test -d ${srcdir}/${pkgname}-src && rm -r ${srcdir}/${pkgname}-src
cp -r ${srcdir}/${pkgname} ${srcdir}/${pkgname}-src
}
build() {
# Clear -D_FORTIFY_SOURCE from C++ build flags, it causes Boringssl tests to fail to compile
#export CPPFLAGS=${CPPFLAGS/-D_FORTIFY_SOURCE=[1-9]/-D_FORTIFY_SOURCE=0}
#export CXXFLAGS=${CXXFLAGS/-D_FORTIFY_SOURCE=[1-9]/-D_FORTIFY_SOURCE=0}
export CXXFLAGS="$CXXFLAGS -fPIC"
export CFLAGS="$CFLAGS -fPIC"
if [[ $CC == "clang" ]];then
_cc_opt="-flto"
_ld_opt="$LDFLAGS -flto -fuse-ld=ld"
else
_cc_opt=""
_ld_opt=""
# Disable some warnings that make Boringssl fail to compile due to a forced -Werror in CMakeLists.txt
# -Wno-array-bounds: 2022-05-21 for compatiblity with GCC 12.1 (https://bugs.chromium.org/p/boringssl/issues/detail?id=492&sort=-modified)
#export CFLAGS="$CFLAGS -Wno-stringop-overflow -Wno-array-parameter -Wno-array-bounds"
fi
#cd ${srcdir}/boringssl
#mkdir build && cd build && cmake -DCMAKE_BUILD_TYPE=Release ../ && make crypto ssl
#cd ${srcdir}/boringssl
#mkdir -p .openssl/lib && cd .openssl && ln -s ../include . && cd ../
#cp ${srcdir}/boringssl/build/crypto/libcrypto.a ${srcdir}/boringssl/build/ssl/libssl.a .openssl/lib && cd ..
cd ${srcdir}/$pkgname
./auto/configure \
--prefix=/etc/nginx \
--conf-path=/etc/nginx/nginx.conf \
--sbin-path=/usr/bin/nginx \
--pid-path=/run/nginx.pid \
--lock-path=/run/lock/nginx.lock \
--user=http \
--group=http \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=stderr \
--http-client-body-temp-path=/var/lib/nginx/client-body \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
--with-openssl=${srcdir}/libressl-3.7.0 \
--with-cc-opt="${_cc_opt}" \
--with-ld-opt="${_ld_opt}" \
${_common_flags[@]} \
${_mainline_flags[@]} \
${_quic_flags[@]}
make
}
package_nginx-quic() {
cd $pkgname
make DESTDIR="$pkgdir" install
sed -e 's|\<user\s\+\w\+;|user html;|g' \
-e '44s|html|/usr/share/nginx/html|' \
-e '54s|html|/usr/share/nginx/html|' \
-i "$pkgdir"/etc/nginx/nginx.conf
rm "$pkgdir"/etc/nginx/*.default
rm "$pkgdir"/etc/nginx/mime.types # in mailcap
install -d "$pkgdir"/var/lib/nginx
install -dm700 "$pkgdir"/var/lib/nginx/proxy
chmod 755 "$pkgdir"/var/log/nginx
chown root:root "$pkgdir"/var/log/nginx
install -d "$pkgdir"/usr/share/nginx
mv "$pkgdir"/etc/nginx/html/ "$pkgdir"/usr/share/nginx
install -Dm644 ../logrotate "$pkgdir"/etc/logrotate.d/nginx
install -Dm644 ../service "$pkgdir"/usr/lib/systemd/system/nginx.service
install -Dm644 docs/text/LICENSE "$pkgdir"/usr/share/licenses/$provides/LICENSE
install -d "$pkgdir"/usr/share/licenses/$pkgname
ln -s /usr/share/licenses/$provides/LICENSE "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
rmdir "$pkgdir"/run
install -d "$pkgdir"/usr/share/man/man8/
gzip -9c docs/man/nginx.8 > "$pkgdir"/usr/share/man/man8/nginx.8.gz
for i in ftdetect indent syntax; do
install -Dm644 contrib/vim/${i}/nginx.vim \
"${pkgdir}/usr/share/vim/vimfiles/${i}/nginx.vim"
done
}
package_nginx-quic-src() {
pkgdesc="Source code of nginx-quic $pkgver, useful for building modules"
arch=('any')
provides=('nginx-src' 'nginx-mainline-src')
conflicts=($_pkgbase-src)
depends=('perl')
backup=()
install -d "$pkgdir/usr/src"
test -d "$pkgdir/usr/src/nginx" && rm -r "$pkgdir/usr/src/nginx"
cp -r ${srcdir}/${pkgname} "$pkgdir/usr/src/nginx"
# Delete the .hg directory, it is huge and not needed
rm -r ${pkgdir}/usr/src/nginx/{.hg,.hgtags}
# Link the 'configure' script to its location in release tarballs,
# as this is where modules expect it
ln -s /usr/src/nginx/auto/configure "$pkgdir/usr/src/nginx"
cd $pkgname
install -d "$pkgdir"/usr/share/licenses/$pkgname
ln -s /usr/src/nginx/docs/text/LICENSE "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
}
# vim:set ts=2 sw=2 et:
Manjaro向けパッケージ作成用のPKGBUILDファイル
nginx-quic-mod-brotliパッケージ
# Maintainer: Masato Toyoshima <phoepsilonix@gmail.com>
pkgname=nginx-quic-mod-brotli
epoch=1
pkgver=1.0.9
pkgrel=5
_commit=6e975bcb015f62e1f303054897783355e2a877dc
_modname="ngx_${pkgname#nginx-quic-mod-}"
if [[ $CC=="clang" ]];then
_cc_opt="-fPIC"
_ld_opt="$LDFLAGS -fPIC -fuse-ld=ld"
fi
pkgdesc="Brotli compression filter module for nginx"
arch=('x86_64')
depends=("nginx" 'brotli')
makedepends=("nginx-quic-src" "git")
url="https://github.com/google/ngx_brotli"
license=('CUSTOM')
source=(
"git+https://github.com/google/$_modname#commit=$_commit"
)
validpgpkeys=(536487F1470D7187) # <phoepsilonix@gmail.com>
sha256sums=('SKIP')
prepare() {
echo $_modname
mkdir -p build
cd build
ln -sf /usr/src/nginx/auto
ln -sf /usr/src/nginx/src
cd "$srcdir"/$_modname
sed 's@/usr/local@/usr@' -i config
}
build() {
cd build
/usr/src/nginx/configure --with-compat --add-dynamic-module=../$_modname --with-cc-opt="$_cc_opt" --with-ld-opt="$_ld_opt"
make modules
}
package() {
install -Dm644 "$srcdir"/$_modname/LICENSE \
"$pkgdir"/usr/share/licenses/$pkgname/LICENSE
cd build/objs
for mod in ngx_*.so; do
install -Dm755 $mod "$pkgdir"/usr/lib/nginx/modules/$mod
done
}
nginx.confの設定例、一部抜粋。
# Load module section
load_module "/usr/lib/nginx/modules/ngx_http_brotli_static_module.so";
load_module "/usr/lib/nginx/modules/ngx_http_brotli_filter_module.so";
#gzip on;
#Brotli
brotli on;
brotli_comp_level 6;
brotli_static on;
brotli_types application/octec-stream text/xml image/svg+xml application/x-font-ttf image/vnd.microsoft.icon application/x-font-opentype application/json font/eot application/vnd.ms-fontobject application/javascript font/otf application/xml application/xhtml+xml text/javascript application/x-javascript text/plain application/x-font-trutype application/xml+rss image/x-icon font/opentype text/css image/x-win-bitmap application/x-web-app-manifest+json;
brotli_min_length 1024;
# h3(http3 over quic)
# To enable address validation:
quic_retry on;
# To enable 0-RTT:
ssl_early_data on;
# To enable GSO (Generic Segmentation Offloading):
quic_gso on;
add_header Alt-Svc 'h3=":443"';
Discussion