Install from Source

This article describes how to install Nginx by compiling it from its source-code on a Ubuntu Server.

This is a little bit more complicated then a default install, but allows us to use the most current version and install additional 3rd-party modules like brotli compression, new ciphers with a more recent OpenSSL version and ngx_cache_purge.

Note

All the following steps are also available as downloadable shell script.

Software Package Repository

The Nginx project releases its own ready-made Ubuntu software packages.

The ‘mainline’ releases contain the latest stable code as recommended for use by the project.

Add these software repositories to the systems package list:

$ sudo -s
 echo "deb http://nginx.org/packages/mainline/ubuntu/ `lsb_release -sc` nginx" \
    > /etc/apt/sources.list.d/nginx.org-mainline.list
$ echo "deb-src http://nginx.org/packages/mainline/ubuntu/ `lsb_release -sc` nginx" \
    >> /etc/apt/sources.list.d/nginx.org-mainline.list
$ exit

All software packages released by the project are signed with a GPG key.

Add the signing key to the systems trusted keyring:

$ wget -O - http://nginx.org/keys/nginx_signing.key | sudo apt-key add -

For working with the source code later, the signing key needs to be added to the personal trusted keyring too:

$ wget -O - http://nginx.org/keys/nginx_signing.key | \
    gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import -

Update the systems packages list:

$ sudo apt update

Install required Software

Get all the stuff needed for building nginx and modules:

$ sudo apt install autoconf build-essential devscripts git \
    libgd-dev libgeoip-dev libpcre3 libpcre3-dev libxslt1-dev libxml2-dev \
    python-dev python2.7 unzip zlib1g-dev
$ sudo apt build-dep nginx

sudo apt-get install

Set Version Numbers

Set the Nginx Changes version number:

$ export NGX_VERSION=1.13.1

Set the OpenSSL version:

$ export OPENSSL_VERSION=1.1.0f

Set the ngx_cache_purge module version:

$ export NCP_VERSION=2.3

Set the Headers-More module version:

$ export NHM_VERSION=0.32

Set the ngx-fancyindex module version:

$ export FANCYINDEX_VERSION=0.4.1

Get the Source Code

Prepare source code directory:

$ sudo mkdir -p /usr/local/src/nginx
$ sudo chown $USER /usr/local/src/nginx
$ sudo chmod u+rwx /usr/local/src/nginx

Source Code for Nginx

Get the Nginx package source code:

$ cd /usr/local/src/nginx
$ apt source nginx

Modules:

$ apt source nginx-module-geoip nginx-module-image-filter nginx-module-xslt

Source Code for OpenSSL

Get and verify OpenSSL source:

$ cd /usr/local/src/nginx
$ wget https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz
$ wget https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz.asc
$ gpg2 --verify openssl-${OPENSSL_VERSION}.tar.gz.asc
$ tar -xzvf openssl-${OPENSSL_VERSION}.tar.gz
$ rm openssl-${OPENSSL_VERSION}.tar.gz

Build and install a standalone OpenSSL binary (optional):

$ cd /usr/local/src/nginx/openssl-${OPENSSL_VERSION}/
$ sudo mkdir -p /opt/openssl-${OPENSSL_VERSION}
$ ./config --prefix=/opt/openssl-${OPENSSL_VERSION} no-shared
$ make clean
$ make depend
$ make
$ make test
$ sudo make install_sw
$ /opt/openssl-${OPENSSL_VERSION}/bin/openssl version

Source Code for Brötli

Get and install Brötli source:

$ cd /usr/local/src/nginx
$ git clone https://github.com/google/brotli.git
$ cd brotli
$ sudo python setup.py install

Get Brötli Nginx module source:

$ cd /usr/local/src/nginx
$ git clone https://github.com/google/ngx_brotli.git

Make sure that the git submodule has been checked out:

cd /usr/local/src/nginx/ngx_brotli
git submodule update --init

Source Code for Cache Purge Module

Download the source code for the ngx_cache_purge module:

$ cd /usr/local/src/nginx
$ wget -O ngx_cache_purge-${NCP_VERSION}.zip \
    https://github.com/FRiCKLE/ngx_cache_purge/archive/${NCP_VERSION}.zip
$ unzip ngx_cache_purge-${NCP_VERSION}.zip

Source Code for Headers More Module

Download the source code for the headers-more-nginx-module:

$ cd /usr/local/src/nginx
$ wget -O ngx_headers_more-${NHM_VERSION}.tar.gz \
    https://github.com/openresty/headers-more-nginx-module/archive/v${NHM_VERSION}.tar.gz
$ tar -xzf ngx_headers_more-${NHM_VERSION}.tar.gz

Source Code for the Fancy Index Module

Download the source code for the ngx-fancyindex module:

$ cd /usr/local/src/nginx
$ wget -O ngx-fancyindex-${FANCYINDEX_VERSION}.tar.gz \
    https://github.com/aperezdc/ngx-fancyindex/archive/v${FANCYINDEX_VERSION}.tar.gz
$ tar -xzf ngx-fancyindex-${FANCYINDEX_VERSION}.tar.gz

Package Configuration

Open the file /usr/local/src/nginx/nginx-${NGX_VERSION}/debian/rules with your editor.

Add or modify lines of the ./configure commands in the Debian rules file. You have the following choices:

Remove unneeded modules by removing lines:

--with-http_flv_module \
--with-http_geoip_module=dynamic \
--with-http_image_filter_module \
--with-http_mp4_module \
--with-http_random_index_module \
--with-mail \
--with-stream \

Add additional modules:

--with-http_xslt_module \
--add-module=/usr/local/src/nginx/headers-more-nginx-module-${NHM_VERSION} \
--add-module=/usr/local/src/nginx/nginx-fancyindex-${FANCYINDEX_VERSION} \
--add-module=/usr/local/src/nginx/ngx_brotli \
--add-module=/usr/local/src/nginx/ngx_cache_purge-${NCP_VERSION} \

Set location of the OpenSSL source libraries instead of the system default:

--with-openssl=/usr/local/src/nginx/openssl-${OPENSSL_VERSION} \

Don’t forget to escape preceding lines with a backslash \.

/usr/local/src/nginx/nginx-${NGX_VERSION}/debian/rules
#!/usr/bin/make -f

#export DH_VERBOSE=1
export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie
export DEB_CFLAGS_MAINT_APPEND=-Wp,-D_FORTIFY_SOURCE=2 -fPIC
export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -pie
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk

PKGS = nginx nginx-dbg

BUILDDIR_nginx = $(CURDIR)/debian/build-nginx
BUILDDIR_nginx_debug = $(CURDIR)/debian/build-nginx-debug
INSTALLDIR = $(CURDIR)/debian/nginx
BASEDIR = $(CURDIR)

ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
	NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
	ifeq (${NUMJOBS}, 0)
		NUMJOBS = 1
	endif
else
	NUMJOBS = 1
endif

DO_PKGS = $(PKGS)

config.env.%:
	dh_testdir
	mkdir -p $(BUILDDIR_$*)
	cp -Pa $(CURDIR)/auto $(BUILDDIR_$*)/
	cp -Pa $(CURDIR)/conf $(BUILDDIR_$*)/
	cp -Pa $(CURDIR)/configure $(BUILDDIR_$*)/
	cp -Pa $(CURDIR)/contrib $(BUILDDIR_$*)/
	cp -Pa $(CURDIR)/man $(BUILDDIR_$*)/
	cp -Pa $(CURDIR)/src $(BUILDDIR_$*)/
	touch $@

config.status.nginx: config.env.nginx
	cd $(BUILDDIR_nginx) && \
	CFLAGS="" ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx \
		--modules-path=/usr/lib/nginx/modules \
		--conf-path=/etc/nginx/nginx.conf \
		--error-log-path=/var/log/nginx/error.log \
		--http-log-path=/var/log/nginx/access.log \
		--pid-path=/var/run/nginx.pid \
		--lock-path=/var/run/nginx.lock \
		--http-client-body-temp-path=/var/cache/nginx/client_temp \
		--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
		--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
		--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
		--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
		--user=nginx --group=nginx \
		--with-compat --with-file-aio --with-threads \
		--with-http_addition_module \
		--with-http_auth_request_module \
		--with-http_dav_module \
		--with-http_geoip_module \
		--with-http_gunzip_module \
		--with-http_gzip_static_module \
		--with-http_realip_module \
		--with-http_secure_link_module \
		--with-http_slice_module \
		--with-http_ssl_module \
		--with-http_stub_status_module \
		--with-http_sub_module \
		--with-http_v2_module \
		--with-http_xslt_module \
		--add-module=${SRC_DIR}/headers-more-nginx-module-${NHM_VERSION} \
		--add-module=${SRC_DIR}/ngx-fancyindex-${FANCYINDEX_VERSION} \
		--add-module=${SRC_DIR}/ngx_brotli \
		--add-module=${SRC_DIR}/ngx_cache_purge-${NCP_VERSION} \
		--with-openssl=${SRC_DIR}/openssl-${OPENSSL_VERSION} \
		--with-cc-opt="$(CFLAGS)" --with-ld-opt="$(LDFLAGS)"
	touch $@

config.status.nginx_debug: config.env.nginx_debug
	cd $(BUILDDIR_nginx_debug) && \
	CFLAGS="" ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx \
		--modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf \
		--error-log-path=/var/log/nginx/error.log \
		--http-log-path=/var/log/nginx/access.log \
		--pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock \
		--http-client-body-temp-path=/var/cache/nginx/client_temp \
		--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
		--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
		--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
		--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
		--user=nginx --group=nginx \
		--with-compat --with-file-aio --with-threads \
		--with-http_addition_module \
		--with-http_auth_request_module \
		--with-http_dav_module \
		--with-http_geoip_module \
		--with-http_gunzip_module \
		--with-http_gzip_static_module \
		--with-http_realip_module \
		--with-http_secure_link_module \
		--with-http_slice_module \
		--with-http_ssl_module \
		--with-http_stub_status_module \
		--with-http_sub_module \
		--with-http_v2_module \
		--with-http_xslt_module \
		--add-module=${SRC_DIR}/headers-more-nginx-module-${NHM_VERSION} \
		--add-module=${SRC_DIR}/ngx-fancyindex-${FANCYINDEX_VERSION} \
		--add-module=${SRC_DIR}/ngx_brotli \
		--add-module=${SRC_DIR}/ngx_cache_purge-${NCP_VERSION} \
		--with-openssl=${SRC_DIR}/openssl-${OPENSSL_VERSION} \
		--with-cc-opt="$(CFLAGS)" --with-ld-opt="$(LDFLAGS)" \
		--with-debug
	touch $@

build-arch.%: config.status.%
	dh_testdir
	dh_prep
	$(MAKE) -j$(NUMJOBS) -C $(BUILDDIR_$*) build

build-arch: build-arch.nginx build-arch.nginx_debug
	dh_testdir
	touch $@

build-dbg.%: install
	dh_testdir
	dh_strip --dbg-package=nginx-dbg

build-dbg: build-dbg.nginx
	dh_testdir
	touch $@

build-indep:
	dh_testdir
	touch $@

build: build-arch build-indep
	dh_testdir
	touch $@

clean:
	dh_testdir
	dh_testroot
	dh_clean
	rm -f $(CURDIR)/objs
	rm -rf $(CURDIR)/debian/build-*
	rm -f $(CURDIR)/debian/*.init
	find $(CURDIR) -maxdepth 1 -size 0 -delete

post-build:
	mv $(BUILDDIR_nginx_debug)/objs/nginx $(BUILDDIR_nginx_debug)/objs/nginx-debug
	ln -s $(BUILDDIR_nginx)/objs $(CURDIR)/objs
	cp $(BUILDDIR_nginx)/objs/nginx.8 $(BUILDDIR_nginx)/objs/nginx-debug.8

install:
	dh_testdir
	dh_testroot
	dh_prep
	dh_installdirs
	dh_install
	mkdir -p $(INSTALLDIR)/usr/lib/nginx/modules
	mkdir -p $(INSTALLDIR)/usr/share/doc/nginx
	install -m 644 debian/CHANGES $(INSTALLDIR)/usr/share/doc/nginx/changelog
	install -m 644 debian/nginx.vh.default.conf $(INSTALLDIR)/etc/nginx/conf.d/default.conf
	ln -s /usr/lib/nginx/modules $(INSTALLDIR)/etc/nginx/modules

binary-indep: build post-build install
	dh_testdir
	dh_testroot
	dh_installman -i -pnginx
	dh_installdebconf
	sed -e 's/%%PROVIDES%%/nginx/g' \
		-e 's/%%DEFAULTSTART%%/2 3 4 5/g' \
		-e 's/%%DEFAULTSTOP%%/0 1 6/g' \
		< debian/nginx.init.in > debian/nginx.init
	dh_installinit -i -pnginx --no-restart-on-upgrade --no-start --name=nginx
	sed -e 's/%%PROVIDES%%/nginx-debug/g' \
		-e 's/%%DEFAULTSTART%%//g' \
		-e 's/%%DEFAULTSTOP%%/0 1 2 3 4 5 6/g' \
		< debian/nginx.init.in > debian/nginx-debug.init
	dh_installinit -i -pnginx --no-restart-on-upgrade --no-start --noscripts --name=nginx-debug
	dh_installlogrotate -i -pnginx --name=nginx

binary-arch: install build-dbg
	dh_testdir
	dh_testroot
	dh_installchangelogs -a
	dh_installdocs -a
	dh_lintian -a
	dh_link -aA
	dh_compress -a
	dh_perl -a
	dh_fixperms -a
	dh_installdeb -a
	dh_shlibdeps -a
	dh_gencontrol -a
	dh_md5sums -a
	dh_builddeb $(foreach p,$(DO_PKGS),-p$(p))

binary: binary-indep binary-arch

.PHONY: build clean binary-indep binary-arch binary install

Increase Package Version

Ubuntu will always remember, that our package was not installed from the official package source, and will therefore always offer to “upgrade” our package to the “newest version”, which is essentially the same version we already have. By increasing the version number of our package, we don’t get bothered with update notfications:

$ cd /usr/local/src/nginx/nginx-${NGX_VERSION}
$ dch

An editor opens where the package changes can be entered.

The scheme used by Ubuntu software packages is:

<Upstream Version>-<Debian Version>~Ubuntu<Ubuntu Package Version>

A new version number and your name are already pre-filled:

nginx (1.13.1-1~xenialubuntu1) UNRELEASED; urgency=medium
.
  * Change server name reported in HTTP responses
  * Build against OpenSSL 1.1.0c
  * Added dynamic XSLT module
  * Added 3rd-party brotli compression module
  * Added 3rd-party cache purge module
  * Added 3rd-party Google PageSpeed module
  * Changed mail module to dynamic

After saving and closing the file the customized package source is ready for building.

Building the Software

In case you want to restart from a clean build:

$ cd /usr/local/src/nginx/nginx-${NGX_VERSION}
$ dpkg-buildpackage -rfakeroot -Tclean

Build the Nginx package as follows:

$ cd /usr/local/src/nginx/nginx-${NGX_VERSION}
$ dpkg-buildpackage -rfakeroot -uc -b

Depending on your options the building process might take anything form five minutes to over a half-hour to complete.

Package Installation

Install the package(s):

$ cd /usr/local/src/nginx
$ sudo dpkg --install nginx_${NGX_VERSION}-1~xenialubuntu1_amd64.deb

Nginx is installed and started as system service nginx running as user nginx.

Configuration files are found in the /etc/nginx directory.

Prevent future releases to automatically overwrite our customized packages:

$ sudo apt-mark hold nginx

Test

Show version number and available modules:

$ nginx -V
nginx version: nginx/1.13.1
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
built with OpenSSL 1.1.0f  25 May 2017
TLS SNI support enabled