
Building Nginx from source with ALPN support

What is ALPN?

Application-Layer Protocol Negotiation (ALPN) is a Transport Layer Security (TLS) extension for negotiating the application-layer protocol. It lets the client and server agree on which protocol will run over the secure connection as part of the TLS handshake itself, so it costs no additional round trips and does not depend on the application-layer protocols being negotiated. It is used by HTTP/2.

Why not NPN (Next Protocol Negotiation)?

Chrome is switching to the newer Application-Layer Protocol Negotiation (ALPN) extension for TLS negotiation. ALPN requires at least OpenSSL 1.0.2. Right now, Red Hat Enterprise Linux, CentOS, Ubuntu and Debian ship at most OpenSSL 1.0.1. (15th 2016)

Changes with nginx 1.13.0

    *) Change: SSL renegotiation is now allowed on backend connections.
    *) Feature: the "rcvbuf" and "sndbuf" parameters of the "listen"
       directives of the mail proxy and stream modules.
    *) Feature: the "return" and "error_page" directives can now be used to
       return 308 redirections.
       Thanks to Simon Leblanc.
    *) Feature: the "TLSv1.3" parameter of the "ssl_protocols" directive.
    *) Feature: when logging signals nginx now logs PID of the process which
       sent the signal.
    *) Bugfix: in memory allocation error handling.
    *) Bugfix: if a server in the stream module listened on a wildcard
       address, the source address of a response UDP datagram could differ
       from the original datagram destination address.

I have compiled Nginx from source with TFO Support and also with OpenSSL 1.1.0e.

root@ns:~/work# wget http://nginx.org/download/nginx-1.13.0.tar.gz
--2017-04-29 01:45:42--  http://nginx.org/download/nginx-1.13.0.tar.gz
Resolving nginx.org (nginx.org)... 206.251.255.63, 95.211.80.227, 2606:7100:1:69::3f, ...
Connecting to nginx.org (nginx.org)|206.251.255.63|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 982592 (960K) [application/octet-stream]
Saving to: ‘nginx-1.13.0.tar.gz’

nginx-1.13.0.tar.gz                             100%[==========================>] 959.56K  4.79Mb/s   in 1.6s   

2017-04-29 01:45:44 (4.79 Mb/s) - ‘nginx-1.13.0.tar.gz’ saved [982592/982592]

root@ns:~/work# tar zxf nginx-1.13.0.tar.gz 
root@ns:~/work# cd nginx-1.13.0/
root@ns:~/work/nginx-1.13.0# wget https://www.openssl.org/source/openssl-1.1.0e.tar.gz
--2017-04-29 01:46:59--  https://www.openssl.org/source/openssl-1.1.0e.tar.gz
Resolving www.openssl.org (www.openssl.org)... 104.83.98.22, 2a02:26f0:ad:291::c1e, 2a02:26f0:ad:2a2::c1e
Connecting to www.openssl.org (www.openssl.org)|104.83.98.22|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5202247 (5.0M) [application/x-gzip]
Saving to: ‘openssl-1.1.0e.tar.gz’

openssl-1.1.0e.tar.gz                           100%[===========================>]   4.96M   150Mb/s   in 0.3s   

2017-04-29 01:46:59 (150 Mb/s) - ‘openssl-1.1.0e.tar.gz’ saved [5202247/5202247]
root@ns:~/work/nginx-1.13.0# tar xvf openssl-1.1.0e.tar.gz
root@ns:~/work/nginx-1.13.0# ./configure \
> --conf-path=/etc/nginx/nginx.conf \
> --sbin-path=/usr/sbin \
> --error-log-path=/var/log/nginx/error.log \
> --http-proxy-temp-path=/dev/shm/proxy_temp \
> --http-client-body-temp-path=/dev/shm/client_body_temp \
> --http-fastcgi-temp-path=/dev/shm/fastcgi_temp \
> --http-uwsgi-temp-path=/dev/shm/uwsgi_temp \
> --http-scgi-temp-path=/dev/shm/scgi_temp \
> --with-threads \
> --with-stream \
> --with-stream_geoip_module \
> --with-stream_ssl_module \
> --with-http_image_filter_module \
> --with-pcre \
> --with-http_mp4_module \
> --with-http_secure_link_module \
> --with-http_v2_module \
> --with-http_flv_module \
> --with-http_geoip_module \
> --with-http_gzip_static_module \
> --with-http_stub_status_module \
> --with-http_ssl_module \
> --with-openssl=openssl-1.1.0e \
> --build="With TFO + OpenSSL 1.1.0e - UnixTeacher" --with-cc-opt='-O2 -fstack-protector-strong -DTCP_FASTOPEN=23'
root@ns:~/work/nginx-1.13.0# objs/nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@ns:~/work/nginx-1.13.0# /etc/init.d/nginx stop && cp objs/nginx /usr/sbin/ && /etc/init.d/nginx start
[ ok ] Stopping nginx (via systemctl): nginx.service.
[ ok ] Starting nginx (via systemctl): nginx.service.
root@ns:~/work/nginx-1.13.0# nginx -v
nginx version: nginx/1.13.0 (With TFO + OpenSSL 1.1.0e - UnixTeacher)
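The session above configures and then tests objs/nginx; a `make` in between is what produces that binary. The checks below are an added example, not part of the original post: they parse `nginx -V` to confirm the HTTP/2 module and an ALPN-capable OpenSSL (1.0.2 or later) are compiled in, and parse `openssl s_client -alpn` output to see what a listener really negotiates. Assumed: openssl(1) on PATH and a hypothetical HOST/PORT for the live probe; the nginx -V text in the block is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks that an nginx binary was
# built with the pieces ALPN/HTTP/2 need, and parses what a TLS server really
# negotiates. The parsers work on captured text so they run offline; probe_alpn
# needs openssl(1) on PATH and a hypothetical HOST/PORT to talk to.

# 0 if an OpenSSL version string (1.1.0e, 1.0.1t, 3.0.2, ...) is >= 1.0.2,
# the first release that implements the ALPN TLS extension.
openssl_has_alpn() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}; rest=${rest#*.}
    patch=$(printf '%s' "$rest" | sed 's/[^0-9].*//')
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 0 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 2 ] && return 0
    return 1
}

# Reads `nginx -V 2>&1` on stdin (the banner goes to stderr) and prints "ok"
# when the HTTP/2 and SSL modules are compiled in and the OpenSSL the binary
# was built against can do ALPN; otherwise lists what is missing.
check_nginx_build() {
    out=$(cat); missing=""
    ssl=$(printf '%s\n' "$out" | sed -n 's/^built with OpenSSL \([0-9][0-9.]*\).*/\1/p')
    printf '%s\n' "$out" | grep -q -- '--with-http_v2_module'  || missing="$missing http_v2_module"
    printf '%s\n' "$out" | grep -q -- '--with-http_ssl_module' || missing="$missing http_ssl_module"
    if [ -z "$ssl" ]; then missing="$missing openssl-version-unknown"
    elif ! openssl_has_alpn "$ssl"; then missing="$missing openssl-$ssl-lacks-ALPN"; fi
    [ -z "$missing" ] && echo ok || echo "missing:$missing"
}

# Reads `openssl s_client -alpn ...` output on stdin; prints the protocol the
# server selected, or "none" when it did not negotiate ALPN at all.
parse_alpn() {
    sel=$(sed -n 's/^ALPN protocol: //p')
    [ -n "$sel" ] && echo "$sel" || echo none
}

# Live probe: offer h2 and http/1.1 to HOST:PORT and report the server's pick.
probe_alpn() {
    openssl s_client -alpn h2,http/1.1 -servername "$1" -connect "$1:${2:-443}" \
        </dev/null 2>/dev/null | parse_alpn
}

# Constructed sample of `nginx -V` output, modelled on the build from this post.
NGINX_V_SAMPLE='nginx version: nginx/1.13.0 (With TFO + OpenSSL 1.1.0e - UnixTeacher)
built with OpenSSL 1.1.0e  16 Feb 2017
TLS SNI support enabled
configure arguments: --with-http_v2_module --with-http_ssl_module --with-openssl=openssl-1.1.0e'
printf '%s\n' "$NGINX_V_SAMPLE" | check_nginx_build   # prints: ok
```

For the live probe to report h2 the server block must also carry the `http2` parameter on its `listen ... ssl` directive; the build alone only makes that possible.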

References

https://ma.ttias.be/chrome-drops-npn-support-for-http2-alpn-only/
https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation
http://nginx.org/en/CHANGES
https://www.ssllabs.com/ssltest/analyze.html?d=www.unixteacher.org

Published in: Linux, Webservers