说明

最新版本的宝塔自带的 Nginx 选择编译安装时虽然也可以自定义,但还是不够灵活,它只能自定义模块,其它的还是宝塔默认的。而我想要扩展 Nginx 的其它功能,就要额外做些工作了。所以才有了本文章。本文以 CentOS7.8 x64为操作系统,Nginx 目前最新版本 1.19.4 ,会实现的 Nginx 额外特性有支持 TLS1.3 + Early-Data (0-RTT)、 通过第三方打补丁的方式可以使https加密支持ChaCha20算法、Brotli压缩等。

本文同样适用于非宝塔用户!

操作环境

CentOS 7.8

安装依赖

    # CentOS 7
    yum install -y git gcc gcc-c gcc-c++ clang automake make autoconf libtool zlib-devel libatomic_ops-devel pcre-devel openssl-devel libxml2-devel libxslt-devel gd-devel GeoIP-devel gperftools-devel  perl-devel perl-ExtUtils-Embed build-essential liblua5.1-dev libluajit-5.1-dev libgeoip-dev libbrotli-dev
     
    # CentOS 8
    dnf install -y git gcc gcc-c++ clang automake make autoconf libtool zlib-devel libatomic_ops-devel pcre-devel openssl-devel libxml2-devel libxslt-devel gd-devel GeoIP-devel gperftools-devel  perl-devel perl-ExtUtils-Embed lua

编译安装
----

# 进入宝塔默认 Nginx 安装目录
cd /www/server/nginx
# NGINX 1.19.4
wget https://nginx.org/download/nginx-1.19.4.tar.gz
tar zxf nginx-1.19.4.tar.gz
# HPACK Patch and PUSH ERROR Patch
pushd nginx-1.19.4
curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_1.15.3.patch | patch -p1
popd
# Strict-SNI Patch
# 使用方式见下文
pushd nginx-1.19.4
curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_strict-sni_1.15.10.patch | patch -p1
popd
# OpenSSL 1.1.1d (LTS)
wget https://www.openssl.org/source/openssl-1.1.1d.tar.gz
tar zxf openssl-1.1.1d.tar.gz
# OpenSSL Patch
# BoringSSL's Equal Preference Patch
# Weak 3DES and not using ECDHE ciphers is not used in TLSv1.1 or later.
# 根据 OpenSSL 版本决定, 具体见 https://github.com/hakasenyang/openssl-patch
pushd openssl-1.1.1d
curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl-equal-1.1.1d_ciphers.patch | patch -p1
popd
# CHACHA20-POLY1305-OLD Patch
pushd openssl-1.1.1d
curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl-1.1.1d-chacha_draft.patch | patch -p1
popd
# jemalloc
git clone https://github.com/jemalloc/jemalloc.git
pushd jemalloc
./autogen.sh
make -j$(nproc --all)
touch doc/jemalloc.html
touch doc/jemalloc.3
sudo make install
echo '/usr/local/lib' | sudo tee /etc/ld.so.conf.d/local.conf
sudo ldconfig
popd
# zlib (Cloudflare)
git clone https://github.com/cloudflare/zlib.git
pushd zlib
./configure
popd
# libatomic_ops
git clone https://github.com/ivmai/libatomic_ops.git
pushd libatomic_ops
./autogen.sh
./configure
make -j$(nproc --all)
make install
sudo ldconfig
popd
# pcre
wget https://ftp.pcre.org/pub/pcre/pcre-8.44.zip
unzip pcre-8.44.zip&&rm pcre-8.44.zip
pushd pcre-8.44
./configure
popd
# ngx_brotli
# 支持使用包管理器安装的 brotli 库
git clone https://github.com/eustas/ngx_brotli.git
pushd ngx_brotli
git submodule update --init
popd
# ngx_pegespeed
git clone https://github.com/apache/incubator-pagespeed-ngx.git
mv incubator-pagespeed-ngx ngx-pagespeed
pushd ngx-pagespeed
wget https://dl.google.com/dl/page-speed/psol/1.13.35.2-x64.tar.gz
tar -xzvf 1.13.35.2-x64.tar.gz
popd
# 安装LuaJIT
wget http://luajit.org/download/LuaJIT-2.0.2.tar.gz
tar -xzvf LuaJIT-2.0.2.tar.gz
pushd LuaJIT-2.0.2
make && make install
ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
sudo ldconfig
popd
# redis2-nginx-module
wget https://github.com/openresty/redis2-nginx-module/archive/v0.14.tar.gz
tar xf v0.14.tar.gz
mv redis2-nginx-module-0.14 redis2-nginx-module
# 编译 ModSecurit,ModSecurity-nginx 必需
git clone https://github.com/SpiderLabs/ModSecurity.git
cd ModSecurity
./build.sh
./configure
make
sudo make install
cd ..
# 编译 sregex,replace-filter-nginx-module 必需
git clone https://github.com/openresty/sregex.git
cd sregex
make
sudo make install
cd ..
# 其它杂项
git clone https://github.com/arut/nginx-python-module.git
git clone https://github.com/alibaba/nginx-http-footer-filter.git
git clone https://github.com/ioppermann/modjpeg-nginx.git
git clone https://github.com/openresty/replace-filter-nginx-module.git
git clone https://github.com/mikewest/nginx-static-etags.git
git clone https://github.com/XOS/ngx_webp.git
git clone https://github.com/AirisX/nginx_cookie_flag_module
git clone https://github.com/aperezdc/ngx-fancyindex.git
git clone https://github.com/simplresty/ngx_devel_kit.git
git clone https://github.com/arut/nginx-dav-ext-module.git
git clone https://github.com/leev/ngx_http_geoip2_module.git
git clone https://github.com/sto/ngx_http_auth_pam_module.git
git clone https://github.com/openresty/headers-more-nginx-module.git
git clone https://github.com/wandenberg/nginx-sorted-querystring-module.git
git clone https://github.com/yaoweibin/ngx_http_substitutions_filter_module.git
git clone https://github.com/SpiderLabs/ModSecurity-nginx
# 现在正在用的
./configure --user=www --group=www --prefix=/www/server/nginx --with-openssl=/www/server/nginx/src/openssl --with-openssl-opt=enable-weak-ssl-ciphers  --add-module=/www/server/nginx/src/lua_nginx_module --add-module=/www/server/nginx/src/redis2-nginx-module --add-module=/www/server/nginx/src/ngx_devel_kit --add-module=/www/server/nginx/src/ngx_cache_purge --add-module=/www/server/nginx/src/nginx_sticky_module --add-module=/www/server/nginx/src/ngx_brotli --add-module=/www/server/nginx/src/nginx-http-concat --add-module=/www/server/nginx/src/nginx-sorted-querystring-module --add-module=/www/server/nginx/src/ngx_http_substitutions_filter_module --add-module=/www/server/nginx/src/nginx_cookie_flag_module --add-module=/www/server/nginx/src/ModSecurity-nginx --add-module=/www/server/nginx/src/ngx_webp -add-module=/www/server/nginx/src/nginx-python-module --add-module=/www/server/nginx/src/nginx-http-footer-filter --add-module=/www/server/nginx/src/modjpeg-nginx  --add-module=/www/server/nginx/src/replace-filter-nginx-module --add-module=/www/server/nginx/src/nginx-static-etags --with-http_stub_status_module --with-pcre=/www/server/nginx/src/pcre-8.44 --with-zlib=/www/server/nginx/src/zlib --with-http_ssl_module --with-http_v2_module --with-http_image_filter_module --with-http_gzip_static_module --with-http_gunzip_module --with-stream --with-stream_ssl_module --with-ipv6 --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E --with-openssl-opt='zlib -march=native -ljemalloc -Wl,-flto' --with-http_v2_hpack_enc --with-google_perftools_module --with-http_geoip_module --with-ld-opt=-ljemalloc
# 编译,这一步完成后,不要执行sudo make install
make -j$(nproc --all)
# 测试一下
sudo objs/nginx -t
# 复制新的编译好的执行文件 nginx,覆盖替换旧版本执行文件 nginx
mv /www/server/nginx/sbin/nginx /www/server/nginx/sbin/nginx.bak
cp /www/server/nginx/nginx-1.19.4/objs/nginx /www/server/nginx/sbin/nginx
# 无痛升级
make upgrade
# 若有报错可以尝试使用如下命令重启下Nginx,当然如果是配置错误那就得另外检查了
killall -9 nginx && /www/server/nginx/sbin/nginx

配置Nginx

# 修改 ssl_ciphers ( openssl-patch 参考 )
ssl_ciphers [TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES;
 
# Early data (0-RTT) (推荐开启)
ssl_early_data on;
 
# 另外请添加 Early-Data 头告知后端, 防止重放攻击
proxy_set_header Early-Data $ssl_early_data;
 
# Strict SNI 仅可用在 http 块内
# 开启关闭 Strict SNI
strict_sni on/off;
# 开启关闭无效域名的检查
strict_sni_header on/off;
# Strict SNI 最少需要两个 SSL 站点, 无所谓用什么证书.
server { listen 443 ssl;}
 
# Brotli 在 http 块中加入
brotli on;
brotli_static on;
brotli_min_length 20;
brotli_buffers 32 8k;
brotli_comp_level 6;
brotli_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml application/atom+xml image/svg+xml;
 
# 测试
sudo nginx -t