前言

题图为 RPM 包制作原理图,有时候为了方便源码包的安装,和我们自己订制软件包的需求,我们会把一些源码包按照我们的需求来做成 rpm 包,当有了源码包就可以直接编译得到二进制安装包和其他任意包。spec file 是制作 rpm 包最核心的部分,rpm 包的制作就是根据 spec file 来实现的。在制作自定义 rpm 包的时候最好不要使用管理员进行, 因为管理员权限过大,如果一个命令写错了,结果可能是灾难性的,而制件一个 rpm 包普通用户完全可以实现。本文主要介绍使用 rpmbuild 制作 Nginx 的 RPM 包,大部分步骤已经使用 Bash Shell 自动化完成了,大家可以基于此重新定义。

使用 rpmbuild 制作 Nginx 的 RPM 包

更新历史

2020 年 04 月 06 日 - 增加修改、重新生成和安装 src.rpm 源码包
2019 年 11 月 04 日 - 更新 openresty/lua-nginx-module
2019 年 01 月 16 日 - 初稿

阅读原文 - https://wsgzao.github.io/post/rpmbuild/


什么是 RPM

An RPM package is simply a file containing other files and information about them needed by the system. Specifically, an RPM package consists of the cpio archive, which contains the files, and the RPM header, which contains metadata about the package. The rpm package manager uses this metadata to determine dependencies, where to install files, and other information.

There are two types of RPM packages:

  • source RPM (SRPM)
  • binary RPM

SRPMs and binary RPMs share the file format and tooling, but have different contents and serve different purposes. An SRPM contains source code, optionally patches to it, and a SPEC file, which describes how to build the source code into a binary RPM. A binary RPM contains the binaries built from the sources and patches.

RPM 有五种基本的操作功能:安装、卸载、升级、查询和验证。

Linux 软件包分为两大类:

  1. 二进制类包,包括 rpm 安装包(一般分为 i386 和 x86 等几种)
  2. 源码类包,源码包和开发包应该归位此类(.src.rpm)

在 Redhat 下,rpm 包的默认制作路径在 /usr/src/redhat 下,这其中包含了 6 个目录(要求全部大写)。但 Centos 并没有该目录,因此我们不得不自定义工作车间,即使在 Redhat 下有该目录,一般也是自定义到普通用户的家目录下的

Directory Usage
BUILD 源代码解压以后放的位置,只需提供 BUILD 目录,具体里面放什么,不用我们管,所以真正的制作车间是 BUILD 目录
RPMS 制作完成后的 rpm 包存放目录,为特定平台指定子目录(i386,i686,ppc)
SOURCES 收集的源文件,源材料,补丁文件等存放位置
SPECS 存放 spec 文件,作为制作 rpm 包的领岗文件,以 rpm 名. spec
SRPMS src 格式的 rpm 包位置 ,既然是 src 格式的包,就没有平台的概念了
BuiltRoot 假根,使用 install 临时安装到这个目录,把这个目录当作根来用的,所以在这个目录下的目录文件,才是真正的目录文件。当打包完成后,在清理阶段,这个目录将被删除

更详细的介绍可以参考 RPM Packaging Guide

https://rpm-packaging-guide.github.io/

修改、重新生成和安装 src.rpm 源码包

RHEL/CentOS/Fedora/Suse 等 Linux 发行版都使用 rpm 包作为软件包格式。另外还有一个相关的格式 srpm 包(后缀是. src.rpm),它包含了源代码,可以用它重新生成 rpm 包。

以 libip2location 为真实案例做下回顾
https://centos.pkgs.org/7/remi-x86_64/libip2location-8.0.7-1.el7.remi.x86_64.rpm.html

我们找到 libip2location 源码包
https://rpms.remirepo.net/SRPMS/libip2location-8.0.7-1.remi.src.rpm

1
2
3
4
5
6
7
8
9
10
# 直接安装 * src.rpm 源码包, 有时,我们没有找到可用的 rpm 包,但找到了其对应的 src.rpm 源码包,此时我们可以安装这个 src.rpm 源码包。步骤与直接安装 rpm 包很不相同。
wget https://rpms.remirepo.net/SRPMS/libip2location-8.0.7-1.remi.src.rpm
rpm -i libip2location-8.0.7-1.remi.src.rpm

# 此时还没有安装完成。只是在~/rpmbuild/ 目录下准备了该 src.rpm 源码包的资源,可用于进一步生成 rpm 包。
cd ~/rpmbuild/SPECS
rpmbuild -ba libip2location.spec

# 也可以直接使用如下命令,这个命令一步即可在~/rpmbuild/RPMS / 目录下重新生成 rpm 包。
rpmbuild --rebuild libip2location-8.0.7-1.remi.src.rpm

基于 * src.rpm 源码包修改代码后生成 rpm 包并安装, rpmbuild 命令基于. spec 文件和源码 tar.gz 及 patch 文件生成 src.rpm 和 rpm 包。

因此,我们只需要修改. spec 文件,或者对应的源码和 patch 文件,然后再执行命令,就可以生成更新后的 src.rpm 包和 rpm 包。

rpm 包在~/rpmbuild/RPMS 目录下,src.rpm 包在~/rpmbuild/SRPMS 目录下。

注意要修改~/rpmbuild/SOURCES / 目录下的文件:

  1. 你可以重新打包~/rpmbuild/SOURCES / 目录下的 tar.gz 源文件。
  2. 你可以修改. spec 文件,增加或者减少对 patch 的应用。

制作 rpm 包

如果你只关心如何使用可以直接跳过看下文,这里主要展示代码和配置文件

build shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
# luajit.sh
LUAVER=2.0.5
WKDIR="/root/rpmbuild/SOURCES"
cd $WKDIR
wget http://luajit.org/download/LuaJIT-$LUAVER.tar.gz
tar zxf LuaJIT-$LUAVER.tar.gz
rm LuaJIT-$LUAVER.tar.gz
cd LuaJIT-$LUAVER
make BUILDMODE=static
make install
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0

# build.sh
NGX_VER=1.14.2
WKDIR="/root/rpmbuild/SOURCES"
CURRENTDIR=`dirname $(readlink -f "$0")`
echo $CURRENTDIR
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0
cd $WKDIR
wget http://nginx.org/download/nginx-$NGX_VER.tar.gz
tar xzf nginx-$NGX_VER.tar.gz
rm nginx-$NGX_VER.tar.gz
mv nginx-$NGX_VER nginx-garena-$NGX_VER
cd nginx-garena-$NGX_VER/

mkdir -p contrib
cd contrib/
git clone git://github.com/bigplum/Nginx-limit-traffic-rate-module.git
git clone git://github.com/agentzh/headers-more-nginx-module.git
#git clone git://github.com/gnosek/nginx-upstream-fair.git
git clone git://github.com/agentzh/echo-nginx-module.git
#git clone git://github.com/arut/nginx-dav-ext-module.git
git clone git://github.com/r10r/ngx_http_auth_pam_module.git
git clone git://github.com/FRiCKLE/ngx_cache_purge.git
git clone git://github.com/simpl/ngx_devel_kit.git
git clone git://github.com/openresty/lua-nginx-module.git
git clone git://github.com/nbs-system/naxsi.git
rm -rf */.git
cd ..

cp -r $CURRENTDIR/nginx-template/* $WKDIR/nginx-garena-$NGX_VER/
cp $CURRENTDIR/nginx-spec /root/rpmbuild/SPECS/
#cp /root/rules $WKDIR/nginx-garena-$NGX_VER/debian/
cd $WKDIR
tar zcf nginx-garena-$NGX_VER.tar.gz nginx-garena-$NGX_VER/
cd /root/rpmbuild/SPECS/
rpmbuild -ba nginx-spec
cd /root/rpmbuild/RPMS/noarch

nginx-spec

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
# 1.The introduction section 
Name: nginx-garena # 软件包名称
Version: 1.14.2 # 版本号
Release: 0 # release 号
Summary: nginx garena rpm # 简要描述信息
Source0: nginx-garena-1.14.1.tar.gz # source 主要是引用一下自己定义好的脚本,配置文件之类的内容
License: GPL # 一定带上(最好是对方源码包的 License)BSD,GPL,GPLv2
Group: Rahul # 要全用这里面的一个组:less /usr/share/doc/rpm-version/GROUPS
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-buildroot
%description # 软件包详述
Garena self-build Nginx.
%define _binaries_in_noarch_packages_terminate_build 0

# 2.The Prep section 准备阶段, 主要就是把源码包解压到 build 目录下,设置一下环境变量,并 cd 进去
%prep
%setup -q %{name}-%{version} # 这个宏的作用静默模式解压并 cd

# 3.The Build Section 编译制作阶段,这一节主要用于编译源码
%build
CFLAGS="$RPM_OPT_FLAGS" ./configure --prefix=/usr/share/nginx/ \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
--with-pcre-jit \
--with-http_flv_module \
--with-http_mp4_module \
--with-file-aio \
--with-http_v2_module \
--with-stream \
--with-stream_ssl_module \
--with-http_auth_request_module \
--with-http_slice_module \
--with-threads \
--with-http_gunzip_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_geoip_module \
--with-http_ssl_module \
--with-openssl=/usr/local/src/openssl-1.0.2p \
--with-http_addition_module \
--with-http_geoip_module \
--with-http_gzip_static_module \
--with-http_realip_module \
--with-ipv6 \
--without-mail_pop3_module \
--without-mail_imap_module \
--without-mail_smtp_module \
--add-module=contrib/Nginx-limit-traffic-rate-module \
--add-module=contrib/headers-more-nginx-module \
--add-module=contrib/echo-nginx-module \
--add-module=contrib/ngx_http_auth_pam_module \
--add-module=contrib/ngx_cache_purge \
--add-module=contrib/ngx_devel_kit \
--add-module=contrib/lua-nginx-module \
--add-module=contrib/naxsi/naxsi_src
make -j8

# 4.Install section 这一节主要用于完成实际安装软件必须执行的命令,可包含 4 种类型脚本
%install
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
make DESTDIR=$RPM_BUILD_ROOT install
install -m 0755 -d $RPM_BUILD_ROOT/etc/nginx/sites-enabled
install -m 0755 -d $RPM_BUILD_ROOT/etc/nginx/sites-available
install -m 0755 -d $RPM_BUILD_ROOT/var/log/nginx
install -m 0755 -d $RPM_BUILD_ROOT/var/lib/nginx
install -D -m 644 conf/sites-available/000_stub_status $RPM_BUILD_ROOT/etc/nginx/sites-available/000_stub_status
install -D -m 644 conf/django_fastcgi_params $RPM_BUILD_ROOT/etc/nginx/django_fastcgi_params
install -D -m 644 conf/naxsi_core.rules $RPM_BUILD_ROOT/etc/nginx/naxsi_core.rules
install -D -m 644 conf/sites-available/000_stub_status $RPM_BUILD_ROOT/etc/nginx/sites-enabled/000_stub_status
install -D -m 644 logrotate.d/nginx $RPM_BUILD_ROOT/etc/logrotate.d/nginx
install -D -m 644 nginx.service $RPM_BUILD_ROOT/usr/lib/systemd/system/nginx.service

# 5.clean section 清理段,clean 的主要作用就是删除 BUILD
%clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
%post
useradd -s /sbin/nologin -d /var/www www-data
chown -R www-data.www-data /var/log/nginx /var/lib/nginx
systemctl enable nginx
echo %{name}-%{version} is successfully installed.
systemctl start nginx
# 6.file section 文件列表段,这个阶段是把前面已经编译好的内容要打包了
%files
%defattr(-,root,root)
%dir /etc/nginx
/etc/nginx/*
%dir /usr/src/debug/nginx-garena-1.14.1
/usr/src/debug/nginx-garena-1.14.1/*
/usr/sbin/nginx
%dir /usr/share/nginx
/usr/share/nginx/*
/etc/logrotate.d/nginx
/usr/lib/systemd/system/nginx.service
/usr/lib/debug/*
/usr/lib/debug/.build-id/*
%dir /var/log/nginx
%dir /var/lib/nginx
%config(noreplace) /etc/nginx/nginx.conf

nginx-template

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
nginx-template
├── conf
│   ├── django_fastcgi_params
│   ├── naxsi_core.rules
│   └── sites-available
│   └── 000_stub_status
├── logrotate.d
│   └── nginx
├── nginx.conf
└── nginx.service

# nginx-rpmbuild-centos7/nginx-template/conf/django_fastcgi_params
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

fastcgi_param HTTP_X_FORWARDED_PROTOCOL $scheme;

fastcgi_pass_header Authorization;
fastcgi_intercept_errors off;
fastcgi_keep_conn on;

# nginx-rpmbuild-centos7/nginx-template/conf/naxsi_core.rules
##################################
## INTERNAL RULES IDS:1-999 ##
##################################
#@MainRule "msg:weird request, unable to parse" id:1;
#@MainRule "msg:request too big, stored on disk and not parsed" id:2;
#@MainRule "msg:invalid hex encoding, null bytes" id:10;
#@MainRule "msg:unknown content-type" id:11;
#@MainRule "msg:invalid formatted url" id:12;
#@MainRule "msg:invalid POST format" id:13;
#@MainRule "msg:invalid POST boundary" id:14;
#@MainRule "msg:invalid JSON" id:15;
#@MainRule "msg:empty POST" id:16;
#@MainRule "msg:libinjection_sql" id:17;
#@MainRule "msg:libinjection_xss" id:18;

##################################
## SQL Injections IDs:1000-1099 ##
##################################
MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
## Hardcore rules
MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
MainRule "str:|" "msg:mysql keyword (|)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
## end of hardcore rules
MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
MainRule "str:;" "msg:semicolon" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
MainRule "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
MainRule "str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
MainRule "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
MainRule "str:," "msg:comma" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;
MainRule "str:@@" "msg:double arobase (@@)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1017;

###############################
## OBVIOUS RFI IDs:1100-1199 ##
###############################
MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104;
MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105;
MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106;
MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107;
MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108;
MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109;
MainRule "str:gopher://" "msg:gopher:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1110;

#######################################
## Directory traversal IDs:1200-1299 ##
#######################################
MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
#MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;

########################################
## Cross Site Scripting IDs:1300-1399 ##
########################################
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
MainRule "str:[" "msg:open square backet ([), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
MainRule "str:]" "msg:close square bracket (]), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
MainRule "str:~" "msg:tilde (~) character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
MainRule "str:`" "msg:grave accent (`)" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
MainRule "rx:%[2|3]." "msg:double encoding" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;

####################################
## Evading tricks IDs: 1400-1500 ##
####################################
MainRule "str:&#" "msg:utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
MainRule "str:%U" "msg:M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;

#############################
## File uploads: 1500-1600 ##
#############################
MainRule "rx:\.ph|\.asp|\.ht" "msg:asp/php file upload" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;

# nginx-rpmbuild-centos7/nginx-template/logrotate.d/nginx
/var/log/nginx/*.log /var/log/nginx/*/*.log{
daily
missingok
rotate 14
compress
delaycompress
notifempty
create 640 root adm
sharedscripts
postrotate
[ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
endscript
}

# nginx-rpmbuild-centos7/nginx-template/nginx.conf
user www-data;
worker_processes auto;

#worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000;
worker_rlimit_nofile 655650;

error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
worker_connections 10240;
}


http {
# include /etc/nginx/naxsi_core.rules;
include mime.types;
default_type application/octet-stream;
log_format garena '$remote_addr - $remote_user [$time_iso8601]"$request"$status $body_bytes_sent'
'"$http_referer" "$http_user_agent" $request_time $upstream_response_time "$http_x_forwarded_for" "$geoip_country_code" "$host"';
log_format garena_post '$remote_addr - $remote_user [$time_iso8601]"$request"$status $body_bytes_sent'
'"$http_referer" "$http_user_agent" $request_time $upstream_response_time "$http_x_forwarded_for" "$geoip_country_code" "$host" "$request_body"';
log_format compact '$time_iso8601|$remote_addr|$geoip_country_code|$http_x_forwarded_for|$status|$request_time|$upstream_response_time|$request_length|$body_bytes_sent|$host|$request|$http_referer|$http_user_agent';
log_format compact_post '$time_iso8601|$remote_addr|$geoip_country_code|$http_x_forwarded_for|$status|$request_time|$upstream_response_time|$request_length|$body_bytes_sent|$host|$request|$http_referer|$http_user_agent|$request_body';


# access_log logs/access.log main;

sendfile on;
# tcp_nopush on;

keepalive_timeout 30;
fastcgi_keep_conn on;
tcp_nodelay on;

gzip on;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
gzip_proxied any;
gzip_buffers 16 8k;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/xml text/css application/json;
gzip_vary on;
include /etc/nginx/sites-enabled/*;

set_real_ip_from 10.0.0.0/8;
real_ip_header X-Forwarded-For;
# real_ip_recursive on;
# geoip_country /usr/share/GeoIP/GeoIP.dat;

server_tokens off; # returns "Server: nginx"
more_clear_headers Server; # doesn't return"Server: "header at all
}

# nginx-rpmbuild-centos7/nginx-template/nginx.service
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillMode=process
KillSignal=SIGQUIT
TimeoutStopSec=5
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Initialize rpmbuild env

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
# check current os version and kernel
cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
uname -r
3.10.0-862.el7.x86_64

# install lua
sh luajit.sh

# yum install dependencies
yum install -y gcc pam-devel git rpm-build pcre-devel openssl openssl-devel geoip-devel

# mkdir
mkdir -p /root/rpmbuild/SOURCES/
mkdir -p /root/rpmbuild/SPECS/
mkdir -p /root/rpmbuild/RPMS/noarch

# download openssl
cd /usr/local/src
wget https://github.com/openssl/openssl/archive/OpenSSL_1_0_2p.tar.gz
tar xf OpenSSL_1_0_2p.tar.gz
mv openssl-OpenSSL_1_0_2p/ openssl-1.0.2p

# confirm these files are correct
[root@localhost ~]# tree nginx-rpmbuild-centos7/
nginx-rpmbuild-centos7/
├── build.sh
├── conf_buid
│   ├── conf
│   │   ├── django_fastcgi_params
│   │   ├── fastcgi.conf
│   │   ├── fastcgi_params
│   │   ├── koi-utf
│   │   ├── koi-win
│   │   ├── mime.types
│   │   ├── naxsi_core.rules
│   │   ├── nginx.conf
│   │   ├── scgi_params
│   │   ├── sites-available
│   │   │   └── 000_stub_status
│   │   ├── uwsgi_params
│   │   └── win-utf
│   ├── logrotate.d
│   │   └── nginx
│   ├── nginx.conf
│   └── nginx.service
├── luajit.sh
├── nginx-spec
└── nginx-template
├── conf
│   ├── django_fastcgi_params
│   ├── naxsi_core.rules
│   └── sites-available
│   └── 000_stub_status
├── logrotate.d
│   └── nginx
├── nginx.conf
└── nginx.service

8 directories, 24 files

How to build Nginx RPM

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# check nginx stable version from official website
http://nginx.org/en/download.html

# check configuration
vim build.sh

NGX_VER=1.14.2
WKDIR="/root/rpmbuild/SOURCES"

# check nginx version
vim nginx-spec

# run build.sh
./build.sh

# RPM package
Processing files: nginx-garena-1.14.2-0.noarch
warning: File listed twice: /etc/nginx/nginx.conf
Provides: config(nginx-garena) = 1.14.2-0 nginx-garena = 1.14.2-0
Requires(interp): /bin/sh
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires(post): /bin/sh
Requires: libGeoIP.so.1()(64bit) libc.so.6()(64bit) libc.so.6(GLIBC_2.10)(64bit) libc.so.6(GLIBC_2.11)(64bit) libc.so.6(GLIBC_2.14)(64bit) libc.so.6(GLIBC_2.17)(64bit) libc.so.6(GLIBC_2.2.5)(64bit) libc.so.6(GLIBC_2.3)(64bit) libc.so.6(GLIBC_2.3.2)(64bit) libc.so.6(GLIBC_2.3.4)(64bit) libc.so.6(GLIBC_2.4)(64bit) libc.so.6(GLIBC_2.7)(64bit) libcrypt.so.1()(64bit) libcrypt.so.1(GLIBC_2.2.5)(64bit) libdl.so.2()(64bit) libdl.so.2(GLIBC_2.2.5)(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_3.0)(64bit) libgcc_s.so.1(GCC_3.3)(64bit) libm.so.6()(64bit) libm.so.6(GLIBC_2.2.5)(64bit) libpam.so.0()(64bit) libpam.so.0(LIBPAM_1.0)(64bit) libpcre.so.1()(64bit) libpthread.so.0()(64bit) libpthread.so.0(GLIBC_2.2.5)(64bit) libpthread.so.0(GLIBC_2.3.2)(64bit) libz.so.1()(64bit) rtld(GNU_HASH)
warning: Arch dependent binaries in noarch package
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/nginx-garena-1.14.2-0.x86_64
Wrote: /root/rpmbuild/SRPMS/nginx-garena-1.14.2-0.src.rpm
Wrote: /root/rpmbuild/RPMS/noarch/nginx-garena-1.14.2-0.noarch.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.iR5dLd
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd nginx-garena-1.14.2
+ '[' /root/rpmbuild/BUILDROOT/nginx-garena-1.14.2-0.x86_64 '!=' / ']'
+ rm -rf /root/rpmbuild/BUILDROOT/nginx-garena-1.14.2-0.x86_64
+ exit 0

基于 openresty 制作 nginx rpm 安装包

推荐大家向 openresty 转型,我在编译过程中主要遇到以下 4 个小问题

  1. 问题 1 沿用官方的 luajit v2.0.5 编译新版本 lua-nginx-module 应该会提示建议切换至 openresty 的 luajit v2.1 分支
  2. 问题 2 的解决方案是使用低版本 lua-nginx-module v0.10.14,使用最新版发现会触发该问题,等待官方修复
  3. 问题 3 的原因是因为 nginx 启动需要一点点时间,而 systemd 在 nginx 完成启动前就去读取 pid file 造成读取 pid 失败
  4. 问题 4 的 libluajit-5.1.so.2 问题跟着我的步骤执行应该不会出现,不需要执行 ln 软链接等操作
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
[root@gop-sg-192-168-56-103 wangao]# tailf /var/log/nginx/error.log
# 问题 1
2019/11/04 11:59:56 [alert] 2749#2749: detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

# 问题 2
2019/11/04 11:59:56 [alert] 2749#2749: failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/local/share/luajit-2.0.5/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so') in /etc/nginx/nginx.conf:117

# 问题 3
[root@gop-sg-192-168-56-103 wangao]# systemctl status nginx
● nginx.service - The NGINX HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2019-08-19 01:36:46 +08; 2 months 17 days ago
Process: 1105 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
Process: 1071 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
Main PID: 1111 (nginx)
Tasks: 2
CGroup: /system.slice/nginx.service
├─1111 nginx: master process /usr/sbin/nginx
└─1112 nginx: worker process

Aug 19 01:36:46 gop-sg-192-168-56-103 systemd[1]: Starting The NGINX HTTP and reverse proxy server...
Aug 19 01:36:46 gop-sg-192-168-56-103 nginx[1071]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Aug 19 01:36:46 gop-sg-192-168-56-103 nginx[1071]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Aug 19 01:36:46 gop-sg-192-168-56-103 systemd[1]: Failed to read PID from file /run/nginx.pid: Invalid argument
Aug 19 01:36:46 gop-sg-192-168-56-103 systemd[1]: Started The NGINX HTTP and reverse proxy server.

# 问题 4
nginx: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: No such file or directory

环境初始化

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
# check current os version and kernel
cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
uname -r
3.10.0-862.el7.x86_64

# yum
yum install -y gcc pam-devel git rpm-build pcre-devel openssl openssl-devel geoip-devel

# mkdir
mkdir -p /root/rpmbuild/SOURCES/
mkdir -p /root/rpmbuild/SPECS/
mkdir -p /root/rpmbuild/RPMS/noarch

# download openssl
cd /usr/local/src
wget https://github.com/openssl/openssl/archive/OpenSSL_1_0_2t.tar.gz
tar xf OpenSSL_1_0_2t.tar.gz
mv openssl-OpenSSL_1_0_2t/ openssl-1_0_2t

# install lua
sh luajit2.sh

# confirm these files are correct
[root@gop-sg-192-168-56-103 ~]# tree nginx-rpmbuild-centos7/
nginx-rpmbuild-centos7/
├── build.sh
├── conf_build
│   ├── conf
│   │   ├── django_fastcgi_params
│   │   ├── fastcgi.conf
│   │   ├── fastcgi_params
│   │   ├── koi-utf
│   │   ├── koi-win
│   │   ├── mime.types
│   │   ├── naxsi_core.rules
│   │   ├── nginx.conf
│   │   ├── scgi_params
│   │   ├── sites-available
│   │   │   └── 000_stub_status
│   │   ├── uwsgi_params
│   │   └── win-utf
│   ├── logrotate.d
│   │   └── nginx
│   ├── nginx.conf
│   └── nginx.service
├── luajit2.sh
├── luajit.sh
├── nginx-spec
└── nginx-template
├── conf
│   ├── django_fastcgi_params
│   ├── naxsi_core.rules
│   ├── nginx.conf
│   └── sites-available
│   └── 000_stub_status
├── logrotate.d
│   └── nginx
├── nginx.conf
└── nginx.service

8 directories, 26 files

luajit2.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
# https://github.com/openresty/luajit2/releases
LUAVER="v2.1-20190912"
WKDIR="/root/rpmbuild/SOURCES"
cd $WKDIR
wget https://github.com/openresty/luajit2/archive/$LUAVER.tar.gz
tar zxf $LUAVER.tar.gz
rm -f $LUAVER.tar.gz
cd luajit2*
make BUILDMODE=static
make install
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.1
# ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
# https://github.com/openresty/lua-nginx-module/issues/8

build.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
NGX_VER=1.16.1
BDDIR="/root/rpmbuild/BUILD"
WKDIR="/root/rpmbuild/SOURCES"
CURRENTDIR=`dirname $(readlink -f "$0")`
libIP2Location="$CURRENTDIR/IP2Location-C-Library-master/libIP2Location/IP2Location.h"
echo $CURRENTDIR
export LUAJIT_LIB=/usr/local/lib
# export LUAJIT_INC=/usr/local/include/luajit-2.0
export LUAJIT_INC=/usr/local/include/luajit-2.1
export LD_LIBRARY_PATH=/usr/local/lib
cd $BDDIR
rm -rf *
cd $WKDIR
rm -rf *
wget http://nginx.org/download/nginx-$NGX_VER.tar.gz
tar xzf nginx-$NGX_VER.tar.gz
rm -f nginx-$NGX_VER.tar.gz
mv nginx-$NGX_VER nginx-garena-$NGX_VER
cd nginx-garena-$NGX_VER/

mkdir -p contrib
cd contrib/
git clone git://github.com/openresty/headers-more-nginx-module.git
git clone git://github.com/openresty/echo-nginx-module.git
git clone git://github.com/simplresty/ngx_devel_kit.git
git clone git://github.com/ip2location/ip2location-nginx.git
# git clone git://github.com/openresty/lua-nginx-module
wget https://github.com/openresty/lua-nginx-module/archive/v0.10.14.tar.gz
tar xf v0.10.14.tar.gz
mv lua-nginx-module-0.10.14 lua-nginx-module
git clone git://github.com/nbs-system/naxsi.git
rm -rf */.git
rm -rf *.tar*
cd ..

cp -r $CURRENTDIR/nginx-template/* $WKDIR/nginx-garena-$NGX_VER/
cp -r $CURRENTDIR/conf_buid/conf/* $WKDIR/nginx-garena-$NGX_VER/conf/
cp $CURRENTDIR/nginx-spec /root/rpmbuild/SPECS/
# cp /root/rules $WKDIR/nginx-garena-$NGX_VER/debian/
# sed -Ei 's|#include"IP2Location.h"|#include"/root/nginx-rpmbuild-centos7/IP2Location-C-Library-master/libIP2Location/IP2Location.h"|' $WKDIR/nginx-garena-$NGX_VER/contrib/ip2location-nginx/ngx_http_ip2location_module.c
sed -Ei 's|#include"IP2Location.h"|#include"'${libIP2Location}'"|' $WKDIR/nginx-garena-$NGX_VER/contrib/ip2location-nginx/ngx_http_ip2location_module.c

cd $WKDIR
tar zcf nginx-garena-$NGX_VER.tar.gz nginx-garena-$NGX_VER/
cd /root/rpmbuild/SPECS/
rpmbuild -ba nginx-spec
cd /root/rpmbuild/RPMS/noarch

nginx-spec

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
Name: nginx-garena
Version: 1.16.1
Release: 0
Summary: nginx garena rpm
Source0: nginx-garena-%{version}.tar.gz
License: GPL
Group: Rahul
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-buildroot
%description
Garena self-build Nginx.
%define _binaries_in_noarch_packages_terminate_build 0
%prep
%setup -q %{name}-%{version}
%build
CFLAGS="$RPM_OPT_FLAGS" ./configure --prefix=/usr/share/nginx/ \
--with-ld-opt="-Wl,-rpath,/usr/local/lib" \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
--with-pcre-jit \
--with-http_flv_module \
--with-http_mp4_module \
--with-file-aio \
--with-http_v2_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-http_auth_request_module \
--with-http_slice_module \
--with-threads \
--with-http_gunzip_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_geoip_module \
--with-http_ssl_module \
--with-openssl=/usr/local/src/openssl-1_0_2t \
--with-http_addition_module \
--with-http_geoip_module \
--with-http_gzip_static_module \
--with-http_realip_module \
--with-ipv6 \
--without-mail_pop3_module \
--without-mail_imap_module \
--without-mail_smtp_module \
--add-module=contrib/headers-more-nginx-module \
--add-module=contrib/echo-nginx-module \
--add-module=contrib/ngx_devel_kit \
--add-module=contrib/ip2location-nginx \
--add-module=contrib/lua-nginx-module \
--add-module=contrib/naxsi/naxsi_src

make -j8

%install
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
make DESTDIR=$RPM_BUILD_ROOT install
install -m 0755 -d $RPM_BUILD_ROOT/etc/nginx/sites-enabled
install -m 0755 -d $RPM_BUILD_ROOT/etc/nginx/sites-available
install -m 0755 -d $RPM_BUILD_ROOT/etc/nginx/ssl
install -m 0755 -d $RPM_BUILD_ROOT/var/log/nginx
install -m 0755 -d $RPM_BUILD_ROOT/var/lib/nginx
install -D -m 644 conf/sites-available/000_stub_status $RPM_BUILD_ROOT/etc/nginx/sites-available/000_stub_status
install -D -m 644 conf/sites-available/000_stub_status $RPM_BUILD_ROOT/etc/nginx/sites-enabled/000_stub_status
install -D -m 644 conf/sites-available/000_default $RPM_BUILD_ROOT/etc/nginx/sites-available/000_default
install -D -m 644 conf/sites-available/000_default $RPM_BUILD_ROOT/etc/nginx/sites-enabled/000_default
install -D -m 644 conf/ssl/nginx.key $RPM_BUILD_ROOT/etc/nginx/ssl/nginx.key
install -D -m 644 conf/ssl/nginx.crt $RPM_BUILD_ROOT/etc/nginx/ssl/nginx.crt
install -D -m 644 conf/django_fastcgi_params $RPM_BUILD_ROOT/etc/nginx/django_fastcgi_params
install -D -m 644 conf/naxsi_core.rules $RPM_BUILD_ROOT/etc/nginx/naxsi_core.rules
install -D -m 644 logrotate.d/nginx $RPM_BUILD_ROOT/etc/logrotate.d/nginx
install -D -m 644 nginx.service $RPM_BUILD_ROOT/usr/lib/systemd/system/nginx.service
%clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
%post
useradd -s /sbin/nologin -d /var/www www-data
chown -R www-data.www-data /var/log/nginx /var/lib/nginx
systemctl enable nginx
echo %{name}-%{version} is successfully installed.
systemctl start nginx
%files
%defattr(-,root,root)
%dir /etc/nginx
/etc/nginx/*
%dir /usr/src/debug/nginx-garena-%{version}
/usr/src/debug/nginx-garena-%{version}/*
/usr/sbin/nginx
%dir /usr/share/nginx
/usr/share/nginx/*
/etc/logrotate.d/nginx
/usr/lib/systemd/system/nginx.service
/usr/lib/debug/*
/usr/lib/debug/.build-id/*
%dir /var/log/nginx
%dir /var/lib/nginx
%config(noreplace) /etc/nginx/nginx.conf

logrotate.d/nginx

1
2
3
4
5
6
7
8
9
10
11
12
13
14

/var/log/nginx/*.log /var/log/nginx/*/*.log{
daily
missingok
rotate 14
compress
delaycompress
notifempty
create 640 root adm
sharedscripts
postrotate
[ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
endscript
}

nginx.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52

user www-data;
worker_processes auto;

#worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000;
worker_rlimit_nofile 655650;

error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
worker_connections 10240;
}


http {
# include /etc/nginx/naxsi_core.rules;
include mime.types;
default_type application/octet-stream;
log_format garena '$remote_addr - $remote_user [$time_iso8601] "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $request_time $upstream_response_time "$http_x_forwarded_for" "$geoip_country_code" "$host"';
log_format garena_post '$remote_addr - $remote_user [$time_iso8601] "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $request_time $upstream_response_time "$http_x_forwarded_for" "$geoip_country_code" "$host" "$request_body"';
log_format compact '$time_iso8601|$remote_addr|$geoip_country_code|$http_x_forwarded_for|$status|$request_time|$upstream_response_time|$request_length|$body_bytes_sent|$host|$request|$http_referer|$http_user_agent';
log_format compact_post '$time_iso8601|$remote_addr|$geoip_country_code|$http_x_forwarded_for|$status|$request_time|$upstream_response_time|$request_length|$body_bytes_sent|$host|$request|$http_referer|$http_user_agent|$request_body';


# access_log logs/access.log main;

sendfile on;
# tcp_nopush on;

keepalive_timeout 30;
fastcgi_keep_conn on;
tcp_nodelay on;

gzip on;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
gzip_proxied any;
gzip_buffers 16 8k;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/xml text/css application/json;
gzip_vary on;
include /etc/nginx/sites-enabled/*;

set_real_ip_from 10.0.0.0/8;
real_ip_header X-Forwarded-For;
# real_ip_recursive on;
# geoip_country /usr/share/GeoIP/GeoIP.dat;

server_tokens off; # returns "Server: nginx"
more_clear_headers Server; # doesn't return "Server: " header at all
}

nginx.service

https://www.nginx.com/resources/wiki/start/topics/examples/initscripts/

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillMode=process
KillSignal=SIGQUIT
TimeoutStopSec=5
PrivateTmp=true

[Install]
WantedBy=multi-user.target

编译生成 nginx rpm

  1. 编辑 build.sh 和 nginx-spec 定义 NGX_VER=1.16.1
  2. 如果需要改变 contrib 的 module 也是修改上述两处位置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
sh build.sh

extracting debug info from /root/rpmbuild/BUILDROOT/nginx-garena-1.16.1-0.x86_64/usr/sbin/nginx
dwz: Too few files for multifile optimization
/usr/lib/rpm/sepdebugcrcfix: Updated 1 CRC32s, 0 CRC32s did match.
12776 blocks
+ /usr/lib/rpm/check-buildroot
+ /usr/lib/rpm/redhat/brp-compress
+ /usr/lib/rpm/redhat/brp-strip-static-archive /usr/bin/strip
+ /usr/lib/rpm/brp-python-bytecompile /usr/bin/python 1
+ /usr/lib/rpm/redhat/brp-python-hardlink
+ /usr/lib/rpm/redhat/brp-java-repack-jars
Processing files: nginx-garena-1.16.1-0.noarch
warning: File listed twice: /etc/nginx/nginx.conf
Provides: config(nginx-garena) = 1.16.1-0 nginx-garena = 1.16.1-0
Requires(interp): /bin/sh
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires(post): /bin/sh
Requires: libGeoIP.so.1()(64bit) libc.so.6()(64bit) libc.so.6(GLIBC_2.10)(64bit) libc.so.6(GLIBC_2.11)(64bit) libc.so.6(GLIBC_2.14)(64bit) libc.so.6(GLIBC_2.17)(64bit) libc.so.6(GLIBC_2.2.5)(64bit) libc.so.6(GLIBC_2.3)(64bit) libc.so.6(GLIBC_2.3.2)(64bit) libc.so.6(GLIBC_2.3.4)(64bit) libc.so.6(GLIBC_2.4)(64bit) libc.so.6(GLIBC_2.7)(64bit) libcrypt.so.1()(64bit) libcrypt.so.1(GLIBC_2.2.5)(64bit) libdl.so.2()(64bit) libdl.so.2(GLIBC_2.2.5)(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_3.0)(64bit) libgcc_s.so.1(GCC_3.3)(64bit) libm.so.6()(64bit) libm.so.6(GLIBC_2.2.5)(64bit) libpcre.so.1()(64bit) libpthread.so.0()(64bit) libpthread.so.0(GLIBC_2.2.5)(64bit) libpthread.so.0(GLIBC_2.3.2)(64bit) libz.so.1()(64bit) rtld(GNU_HASH)
warning: Arch dependent binaries in noarch package
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/nginx-garena-1.16.1-0.x86_64
Wrote: /root/rpmbuild/SRPMS/nginx-garena-1.16.1-0.src.rpm
Wrote: /root/rpmbuild/RPMS/noarch/nginx-garena-1.16.1-0.noarch.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.Qc7JbE
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd nginx-garena-1.16.1
+ '[' /root/rpmbuild/BUILDROOT/nginx-garena-1.16.1-0.x86_64 '!=' / ']'
+ rm -rf /root/rpmbuild/BUILDROOT/nginx-garena-1.16.1-0.x86_64
+ exit 0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
[root@sg-gop-10-71-49-5 wangao]# nginx -V
nginx version: nginx/1.16.1
built with OpenSSL 1.0.2t 10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx/ --with-ld-opt=-Wl,-rpath,/usr/local/lib --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-pcre-jit --with-http_flv_module --with-http_mp4_module --with-file-aio --with-http_v2_module --with-stream --with-stream_ssl_module --with-http_auth_request_module --with-http_slice_module --with-threads --with-http_gunzip_module --with-http_random_index_module --with-http_secure_link_module --with-http_geoip_module --with-http_ssl_module --with-openssl=/usr/local/src/openssl-1_0_2t --with-http_addition_module --with-http_geoip_module --with-http_gzip_static_module --with-http_realip_module --with-ipv6 --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --add-module=contrib/headers-more-nginx-module --add-module=contrib/echo-nginx-module --add-module=contrib/ngx_devel_kit --add-module=contrib/lua-nginx-module --add-module=contrib/naxsi/naxsi_src

# Prettier
https://serverfault.com/questions/223509/how-can-i-see-which-flags-nginx-was-compiled-with

[root@sg-gop-10-71-49-5 wangao]# 2>&1 nginx -V | xargs -n1
nginx
version:
nginx/1.16.1
built
with
OpenSSL
1.0.2t
10
Sep
2019
TLS
SNI
support
enabled
configure
arguments:
--prefix=/usr/share/nginx/
--with-ld-opt=-Wl,-rpath,/usr/local/lib
--sbin-path=/usr/sbin/nginx
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log
--pid-path=/var/run/nginx.pid
--lock-path=/var/lock/nginx.lock
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi
--with-pcre-jit
--with-http_flv_module
--with-http_mp4_module
--with-file-aio
--with-http_v2_module
--with-stream
--with-stream_ssl_module
--with-http_auth_request_module
--with-http_slice_module
--with-threads
--with-http_gunzip_module
--with-http_random_index_module
--with-http_secure_link_module
--with-http_geoip_module
--with-http_ssl_module
--with-openssl=/usr/local/src/openssl-1_0_2t
--with-http_addition_module
--with-http_geoip_module
--with-http_gzip_static_module
--with-http_realip_module
--with-ipv6
--without-mail_pop3_module
--without-mail_imap_module
--without-mail_smtp_module
--add-module=contrib/headers-more-nginx-module
--add-module=contrib/echo-nginx-module
--add-module=contrib/ngx_devel_kit
--add-module=contrib/lua-nginx-module
--add-module=contrib/naxsi/naxsi_src

[root@sg-gop-10-71-49-5 wangao]# 2>&1 nginx -V | xargs -n1 | grep ssl
--with-stream_ssl_module
--with-http_ssl_module
--with-openssl=/usr/local/src/openssl-1_0_2t

[root@sg-gop-10-71-49-5 wangao]# 2>&1 nginx -V | xargs -n1 | grep lua
--add-module=contrib/lua-nginx-module

参考文章

OpenResty

Creating RPM packages

How to create a GNU Hello RPM

使用 rpm-build 制作 nginx 的 rpm 包

修改、重新生成和安装 src.rpm 源码包

文章目录
  1. 1. 前言
  2. 2. 更新历史
  3. 3. 什么是 RPM
  4. 4. 修改、重新生成和安装 src.rpm 源码包
  5. 5. 制作 rpm 包
    1. 5.1. build shell
    2. 5.2. nginx-spec
    3. 5.3. nginx-template
  6. 6. Initialize rpmbuild env
  7. 7. How to build Nginx RPM
  8. 8. 基于 openresty 制作 nginx rpm 安装包
    1. 8.1. 环境初始化
    2. 8.2. 编译生成 nginx rpm
  9. 9. 参考文章