Just to add to this, despite having compiled it inside a freshly downloaded folder of nginx 1.18.0, somehow it seems the modules were compiled with 1.16.1? How does this happen?
# nginx -t nginx: [emerg] module "/usr/share/nginx/modules/ngx_http_security_headers_module.so" version 1016001 instead of 1018000 in /etc/nginx/nginx.conf:16 nginx: configuration file /etc/nginx/nginx.conf test failed On Thu, Jan 7, 2021 at 8:56 PM Phoenix Kiula <phoenix.ki...@gmail.com> wrote: > Thank you. So I tried this. It's not as straightforward as it sounds. > > Many issues with the ./configure step. If I include the "nginx -V" compile > options from my dnf repo install, it gives this stuff below, to which I add > the "--add-compat" with the modules to add (last four lines)-- > > > ./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx > --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf > --error-log-path=/var/log/nginx/error.log > --http-log-path=/var/log/nginx/access.log > --http-client-body-temp-path=/var/lib/nginx/tmp/client_body > --http-proxy-temp-path=/var/lib/nginx/tmp/proxy > --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi > --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi > --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid > --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx > --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module > --with-http_realip_module --with-stream_ssl_preread_module > --with-http_addition_module --with-http_xslt_module=dynamic > --with-http_image_filter_module=dynamic --with-http_sub_module > --with-http_dav_module --with-http_flv_module --with-http_mp4_module > --with-http_gunzip_module --with-http_gzip_static_module > --with-http_random_index_module --with-http_secure_link_module > --with-http_degradation_module --with-http_slice_module > --with-http_stub_status_module --with-http_perl_module=dynamic > --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module > --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module > --with-google_perftools_module --with-debug --with-cc-opt='-O2 -flto > -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall > -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS > -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong > -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic > -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' > --with-ld-opt='-Wl,-z,relro -Wl,--as-needed -Wl,-z,now > -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' \ > --with-compat \ > --add-dynamic-module=../ngx_brotli \ > --add-dynamic-module=../headers-more-nginx-module \ > --add-dynamic-module=../ngx_security_headers > > > > This gives the first error: > > error: the invalid value in --with-ld-opt="-Wl,-z,relro -Wl,--as-needed > -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E" > > Not super informative. So I just remove this "--with-ld-opt" parameter. > > Next error: > > ./configure: no supported file AIO was found > > Currently file AIO is supported on FreeBSD 4.3+ and Linux 2.6.22+ only > > So I try to do a "yum install libaio". > > # yum install libaio > > Last metadata expiration check: 0:00:22 ago on Thu 07 Jan 2021 08:44:10 PM > EST. > > Package libaio-0.3.111-10.fc33.x86_64 is already installed. > > Dependencies resolved. > > Nothing to do. > > Complete! > > > What do I need instead of this installed lib in the system? Anyway, I just > delete this option then. Try again the ./configure: > > Next error: > > ./configure: error: can not detect int size > > Googling for this suggests on stackoverflow that the "--with-cc-opt" is > the culprit. Not sure what precisely in this is the "int size" that it was > trying to detect. So I delete this whole parameter to try: > > --with-cc-opt='-O2 -flto -ffat-lto-objects -fexceptions -g > -grecord-gcc-switches -pipe -Wall -Werror=format-security > -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS > -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong > -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic > -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' > > > This entire thing is gone. > > Trying again without this above param: > > > ./configure: error: the HTTP image filter module requires the GD library. > > > Seriously, what amazing engineer has made this stuff? The GD library is > already installed on my system, but I check some variations: > > > # yum install libgd > > Last metadata expiration check: 0:00:05 ago on Thu 07 Jan 2021 08:50:20 PM > EST. > > No match for argument: *libgd* > > Error: Unable to find a match: libgd > > > > # yum install libgd-dev > > > Last metadata expiration check: 0:00:16 ago on Thu 07 Jan 2021 08:50:20 PM > EST. > > No match for argument: > *libgd-dev* > > Error: Unable to find a match: libgd-dev > > > > # yum install gd > > Last metadata expiration check: 0:00:51 ago on Thu 07 Jan 2021 08:50:20 PM > EST. > > Package gd-2.3.0-3.fc33.x86_64 is already installed. > > Dependencies resolved. > > Nothing to do. > > Complete! > > > > At this point I basically give up? What the heck? > > So I compiled the modules without all of these. Removed XSLT, removed > image filters, everything. The .so modules thus created of course don't do > much. When they're copied to the /etc/nginx/modules/ folder, and nginx > reloaded, they create an issue. > > > # systemctl status nginx.service > > > Jan 07 20:54:00 SERVER systemd[1]: Starting The nginx HTTP and reverse > proxy server... > Jan 07 20:54:00 SERVER nginx[39083]: nginx: [emerg] module > "/usr/share/nginx/modules/ngx_http_security_headers_module.so"> > Jan 07 20:54:00 SERVER nginx[39083]: nginx: configuration file > /etc/nginx/nginx.conf test failed > Jan 07 20:54:00 SERVER systemd[1]: nginx.service: Control process exited, > code=exited, status=1/FAILURE > Jan 07 20:54:00 SERVER systemd[1]: nginx.service: Failed with result > 'exit-code'. > Jan 07 20:54:00 SERVER systemd[1]: Failed to start The nginx HTTP and > reverse proxy server. > > > > This doesn't give any meaningful error. Nor does "journalctl -xe". > > Any suggestions to make this somewhat more sensible than this utterly > mediocre experience? > > Thanks. > > > > > > > > On Thu, Jan 7, 2021 at 1:35 AM Thomas Ward <tew...@thomas-ward.net> wrote: > >> You should, yes, to make sure your build as closely mirrors what is in >> the Fedora repos. >> >> >> Thomas >> >> >> On 1/6/21 11:19 PM, Phoenix Kiula wrote: >> >> Perfect. This is clear Thomas. Much appreciated...between Miguel's >> original pointer and this clarity from you I think it solves what I'm >> looking for. One last question: the `nginx -T` options...I'll add those to >> the ./configure command, yes? >> >> >> >> On Wed, Jan 6, 2021 at 10:55 PM Thomas Ward <tew...@thomas-ward.net> >> wrote: >> >>> This is where **manually compiling by hand** is the problem. You would >>> do the compilation in a separate directory **NOT** inside the space of the >>> system's control - usually I spawn new `/tmp` directories or destructable >>> directories in my home space. >>> >>> I'm not familiar with Fedora and the `dnf` command - but `dnf install` >>> installs the repositories-available-version of NGINX for Fedora's repos. >>> >>> The next steps you would take by hand are: >>> >>> (1) Install **all build dependencies and runtime dependencies** for >>> NGINX and the modules you're compiling dynamically. >>> >>> (2) Download the tarball to temporary space. >>> >>> (3) At the *very* least (though I suggest you go digging in the source >>> of Fedora's repos to get their build options, you can find them with `nginx >>> -T` output though) you need to do this: >>> >>> ./configure >>> --add-dynamic-module=/path/to/third/party/module/source/directory >>> make >>> >>> **This does not install nginx, this is the compiling of the binaries.** >>> >>> (4) Dig in the completed compile and find your .so file and put it in >>> /etc/nginx/modules (I believe that's where it is on your system, but I >>> can't validate that - again I'm not a Fedora user so I can't verify that's >>> exactly where you drop the module files themselves. >>> >>> >>> These're the *basic* steps - but again this will **not** install your >>> manually compiled nginx to overwrite what `dnf` installs - this simply >>> compiles everything and it's up to you to go digging to get the components >>> you need and put them where you need them to be for your system to >>> recognize them. >>> >>> >>> Thomas >>> On 1/6/21 10:47 PM, Phoenix Kiula wrote: >>> >>> Thank you Thomas. Much appreciate this, it sounds promising. Appreciate >>> your clarity. >>> >>> So if I: >>> >>> 1. Compile nginx via `dnf install nginx` and that becomes my system's >>> Nginx, installed usually in `/etc/nginx` >>> >>> 2. In a totally separate folder, say, `/usr/src`, I then download a >>> tarball of Nginx and compile it along with the dynamic modules -- which >>> will produce the .so files for said modules >>> >>> 3. Copy over the modules into the usual `/etc/nginx/modules` folder from >>> Step 1 >>> >>> >>> ....in this sequence of steps, how do I make sure that: >>> >>> >>> A. The compilation in Step 2 does not become my "system's nginx" (so >>> when I do an `nginx -v` at the command prompt it should be refer to the >>> nginx installed in Step 1 above, and *not* the one compiled via Step 2) >>> >>> B. The compile in Step 2 will use the "same libraries" that DNF used? In >>> the DNF version of life I didn't pick any libraries manually...DNF found >>> what was on my system. Will the manual compile not do the same? >>> >>> Many thanks! >>> >>> >>> >>> >>> On Wed, Jan 6, 2021 at 10:19 PM Thomas Ward <tew...@thomas-ward.net> >>> wrote: >>> >>>> I'm fairly familiar with the 'compiling process' for dynamic modules - >>>> the process is the same for NGINX Open Source as wel as NGINX Plus. >>>> >>>> You would need to compile the modules alongside NGINX and then harvest >>>> the compiled .so files and put them into corresponding locations on the >>>> system you want to load the dynamic modules. In Ubuntu, we do this (or at >>>> least, I do) by using the same OS and libraries as installed on the target >>>> system (as well as the same NGINX version). >>>> >>>> This being said, **compiling** NGINX is different than **installing** >>>> NGINX - you can *compile* the nginx version 1.18.0 with the dynamic modules >>>> and the same configuration as the Fedora version, and then **take the >>>> compiled module** and load it up in your installed nginx instance. >>>> Compiling NGINX to make the dynamic module does NOT require you to then >>>> install that NGINX version, provided that you match the `make` steps and >>>> installed/available libraries to those used in the original nginx compile >>>> done in Fedora. >>>> >>>> >>>> Thomas >>>> >>>> >>>> On 1/6/21 5:30 PM, Phoenix Kiula wrote: >>>> >>>> Thank you Miguel. But you misunderstood the question. This suggestion... >>>> >>>> >>>> >>>>> nginx blog as a great guide on it though >>>>> https://www.nginx.com/blog/compiling-dynamic-modules-nginx-plus/ >>>>> >>>>> >>>> >>>> >>>> ...misses the very first question in this thread: we cannot compile >>>> nginx from source on our server. At least not in a way that that compiled >>>> version would become the nginx installed in our *system*. We need to >>>> install nginx via the default Fedora dnf package manager, which at this >>>> time installs 1.18.0. >>>> >>>> Now, what I don't mind doing is to compile nginx in some self-contained >>>> folder somewhere, then use that compilation to create the .so or whatever >>>> the module file for that version is....if all of this module compiling does >>>> *not* affect the system-installed dnf version of nginx. Is this possible? >>>> >>>> If so, the instructions do not help with this. The first step in that >>>> official tutorial is to compile nginx and that compiled nginx then becomes >>>> the system's main nginx. It replaces whatever was installed via "dnf >>>> install nginx". Yes? >>>> >>>> Hope this makes sense. Have I correctly understood how nginx >>>> compilation works? Appreciate any pointers. >>>> >>>> Thank you. >>>> >>>> >>>> _______________________________________________ >>>> nginx mailing >>>> listnginx@nginx.orghttp://mailman.nginx.org/mailman/listinfo/nginx >>>> >>>>
_______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx