宝塔自定义编译安装 Nginx 并配置 TLS1.3

说明

最新版本的宝塔自带的 Nginx 选择编译安装时虽然也可以自定义，但还是不够灵活，它只能自定义模块，其它的还是宝塔默认的。而我想要扩展 Nginx 的其它功能，就要额外做些工作了。所以才有了本文章。本文以 CentOS7.7 x64为操作系统，Nginx 目前最新版本 1.19.4 ，会实现的 Nginx 额外特性有支持 TLS1.3 + Early-Data (0-RTT)、 通过第三方打补丁的方式可以使https加密支持ChaCha20算法、Brotli压缩等。

操作环境

• CentOS 7.8
• Ubuntu 20.04.2 LTS

安装依赖

# CentOS 7
yum install -y git gcc gcc-c gcc-c++ clang automake make autoconf libtool zlib-devel libatomic_ops-devel pcre-devel openssl-devel libxml2-devel libxslt-devel gd-devel GeoIP-devel gperftools-devel  perl-devel perl-ExtUtils-Embed build-essential liblua5.1-dev libluajit-5.1-dev libgeoip-dev libbrotli-dev

# CentOS 8
dnf install -y git gcc gcc-c++ clang automake make autoconf libtool zlib-devel libatomic_ops-devel pcre-devel openssl-devel libxml2-devel libxslt-devel gd-devel GeoIP-devel gperftools-devel  perl-devel perl-ExtUtils-Embed lua

# Ubuntu
sudo apt install -y build-essential cmake autoconf automake libjemalloc-dev libatomic-ops-dev libgeoip-dev libmaxminddb-dev libpcre3-dev libxslt-dev libpam0g-dev golang libgeoip-dev libunwind-dev libgoogle-perftools-dev uthash-dev webp

编译安装

# 进入宝塔默认 Nginx 安装目录
cd /www/server/nginx

# NGINX 1.19.4
wget https://nginx.org/download/nginx-1.19.4.tar.gz
tar zxf nginx-1.19.4.tar.gz

# HPACK Patch and PUSH ERROR Patch
pushd nginx-1.19.4
curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_1.15.3.patch | patch -p1
popd

# Strict-SNI Patch
# 使用方式见下文
pushd nginx-1.19.4
curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_strict-sni_1.15.10.patch | patch -p1
popd

# OpenSSL 1.1.1d (LTS)
wget https://www.openssl.org/source/openssl-1.1.1d.tar.gz
tar zxf openssl-1.1.1d.tar.gz

# OpenSSL Patch
# BoringSSL's Equal Preference Patch
# Weak 3DES and not using ECDHE ciphers is not used in TLSv1.1 or later.
# 根据 OpenSSL 版本决定, 具体见 https://github.com/hakasenyang/openssl-patch
pushd openssl-1.1.1d
curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl-equal-1.1.1d_ciphers.patch | patch -p1
popd

# CHACHA20-POLY1305-OLD Patch
pushd openssl-1.1.1d
curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl-1.1.1d-chacha_draft.patch | patch -p1
popd

# jemalloc
git clone https://github.com/jemalloc/jemalloc.git
pushd jemalloc
./autogen.sh
make -j$(nproc --all)
touch doc/jemalloc.html
touch doc/jemalloc.3
sudo make install
echo '/usr/local/lib' | sudo tee /etc/ld.so.conf.d/local.conf
sudo ldconfig
popd

# zlib (Cloudflare)
git clone https://github.com/cloudflare/zlib.git
pushd zlib
./configure
popd

# libatomic_ops
git clone https://github.com/ivmai/libatomic_ops.git
pushd libatomic_ops
./autogen.sh
./configure
make -j$(nproc --all)
make install
sudo ldconfig
popd

# pcre
wget https://ftp.pcre.org/pub/pcre/pcre-8.44.zip
unzip pcre-8.44.zip&&rm pcre-8.44.zip
pushd pcre-8.44
./configure
popd

# ngx_brotli
# 支持使用包管理器安装的 brotli 库
git clone https://github.com/eustas/ngx_brotli.git
pushd ngx_brotli
git submodule update --init
popd

# ngx_pegespeed
git clone https://github.com/apache/incubator-pagespeed-ngx.git
mv incubator-pagespeed-ngx ngx-pagespeed
pushd ngx-pagespeed
wget https://dl.google.com/dl/page-speed/psol/1.13.35.2-x64.tar.gz
tar -xzvf 1.13.35.2-x64.tar.gz
popd

# 安装LuaJIT
wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar -xzvf LuaJIT-2.0.5.tar.gz
pushd LuaJIT-2.0.5
make && make install
popd

# redis2-nginx-module
wget https://github.com/openresty/redis2-nginx-module/archive/v0.14.tar.gz
tar xf v0.14.tar.gz
mv redis2-nginx-module-0.14 redis2-nginx-module

# 编译 ModSecurit，ModSecurity-nginx 必需
git clone https://github.com/SpiderLabs/ModSecurity.git
cd ModSecurity
./build.sh
./configure
make
sudo make install
cd ..

# 编译 sregex，replace-filter-nginx-module 必需
git clone https://github.com/openresty/sregex.git
cd sregex
make
sudo make install
cd ..

# waf 模块
git clone -b master https://github.com/ADD-SP/ngx_waf.git
cd ngx_waf
git clone https://github.com/client9/libinjection.git inc/libinjection
cd ..

# 其它杂项
git clone https://github.com/arut/nginx-python-module.git
git clone https://github.com/aperezdc/ngx-fancyindex.git
git clone https://github.com/simplresty/ngx_devel_kit.git
git clone https://github.com/arut/nginx-dav-ext-module.git
git clone https://github.com/leev/ngx_http_geoip2_module.git
git clone https://github.com/sto/ngx_http_auth_pam_module.git
git clone https://github.com/openresty/headers-more-nginx-module.git
git clone https://github.com/wandenberg/nginx-sorted-querystring-module.git
git clone https://github.com/yaoweibin/ngx_http_substitutions_filter_module.git
git clone https://github.com/SpiderLabs/ModSecurity-nginx

# 现在正在用的
./configure --user=www --group=www --prefix=/www/server/nginx --with-openssl=/www/server/nginx/src/openssl --with-openssl-opt=enable-weak-ssl-ciphers  --add-module=/www/server/nginx/src/lua_nginx_module --add-module=/www/server/nginx/src/redis2-nginx-module --add-module=/www/server/nginx/src/ngx_devel_kit --add-module=/www/server/nginx/src/ngx_cache_purge --add-module=/www/server/nginx/src/nginx_sticky_module --add-module=/www/server/nginx/src/ngx_brotli --add-module=/www/server/nginx/src/nginx-http-concat --add-module=/www/server/nginx/src/nginx-sorted-querystring-module --add-module=/www/server/nginx/src/ngx_http_substitutions_filter_module --add-module=/www/server/nginx/src/nginx_cookie_flag_module --add-module=/www/server/nginx/src/ModSecurity-nginx --add-module=/www/server/nginx/src/ngx_webp -add-module=/www/server/nginx/src/nginx-python-module --add-module=/www/server/nginx/src/nginx-http-footer-filter --add-module=/www/server/nginx/src/modjpeg-nginx  --add-module=/www/server/nginx/src/replace-filter-nginx-module --add-module=/www/server/nginx/src/nginx-static-etags --with-http_stub_status_module --with-pcre=/www/server/nginx/src/pcre-8.44 --with-zlib=/www/server/nginx/src/zlib --with-http_ssl_module --with-http_v2_module --with-http_image_filter_module --with-http_gzip_static_module --with-http_gunzip_module --with-stream --with-stream_ssl_module --with-ipv6 --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E --with-openssl-opt='zlib -march=native -ljemalloc -Wl,-flto' --with-http_v2_hpack_enc --with-google_perftools_module --with-http_geoip_module --with-ld-opt=-ljemalloc

# 编译，这一步完成后，不要执行sudo make install
make -j$(nproc --all)

# 测试一下
sudo objs/nginx -t

# 复制新的编译好的执行文件 nginx，覆盖替换旧版本执行文件 nginx
mv /www/server/nginx/sbin/nginx /www/server/nginx/sbin/nginx.bak
cp /www/server/nginx/nginx-1.19.4/objs/nginx /www/server/nginx/sbin/nginx

# 无痛升级
make upgrade

# 若有报错可以尝试使用如下命令重启下Nginx，当然如果是配置错误那就得另外检查了
killall -9 nginx && /www/server/nginx/sbin/nginx

配置Nginx

# 修改 ssl_ciphers ( openssl-patch 参考 )
ssl_ciphers [TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES;

# Early data (0-RTT) (推荐开启)
ssl_early_data on;

# 另外请添加 Early-Data 头告知后端, 防止重放攻击
proxy_set_header Early-Data $ssl_early_data;

# Strict SNI 仅可用在 http 块内
# 开启关闭 Strict SNI
strict_sni on/off;
# 开启关闭无效域名的检查
strict_sni_header on/off;
# Strict SNI 最少需要两个 SSL 站点, 无所谓用什么证书.
server { listen 443 ssl;}

# Brotli 在 http 块中加入
brotli on;
brotli_static on;
brotli_min_length 20;
brotli_buffers 32 8k;
brotli_comp_level 6;
brotli_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml application/atom+xml image/svg+xml;

# 测试
sudo nginx -t

测试

# testssl.sh 测试方式
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
cd testssl.sh
./testssl.sh --full https://your_domain

参考来源

• 给 NGINX 添加 TLSv1.3 支持
• 本博客开始支持 TLS 1.3
• 升级Nginx1.9.5以上版本，开启博客网站http2.0时代

祝大家使用愉快！