theraw/The-World-Is-Yours
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: theraw/The-World-Is-Yours:0db40af7609659f044ad9748b2de9f7e228cf73e
Branches Tags
theraw/The-World-Is-Yours:master theraw/The-World-Is-Yours:raweb-upcoming-release theraw/The-World-Is-Yours:ffs theraw/The-World-Is-Yours:v2-1 theraw/The-World-Is-Yours:pcre-fix theraw/The-World-Is-Yours:docker theraw/The-World-Is-Yours:v3.0 theraw/The-World-Is-Yours:v2 theraw/The-World-Is-Yours:v2.0
theraw/The-World-Is-Yours:v1.27.4 theraw/The-World-Is-Yours:v1.26.0 theraw/The-World-Is-Yours:0.0.1
..
compare: theraw/The-World-Is-Yours:raweb-upcoming-release
Branches Tags
theraw/The-World-Is-Yours:master theraw/The-World-Is-Yours:raweb-upcoming-release theraw/The-World-Is-Yours:ffs theraw/The-World-Is-Yours:v2-1 theraw/The-World-Is-Yours:pcre-fix theraw/The-World-Is-Yours:docker theraw/The-World-Is-Yours:v3.0 theraw/The-World-Is-Yours:v2 theraw/The-World-Is-Yours:v2.0
theraw/The-World-Is-Yours:v1.27.4 theraw/The-World-Is-Yours:v1.26.0 theraw/The-World-Is-Yours:0.0.1

7 Commits
0db40af760 .. raweb-upcoming-release

Author SHA1 Message Date
root 94b9f0e5cb folder 2025-03-04 16:57:53 +00:00
𝓙𝓾𝓵𝓲𝓸 6d38221fa3 Update README.md 2025-02-25 15:19:56 +01:00
𝓙𝓾𝓵𝓲𝓸 713cb9160e Update README.md 2025-02-25 15:16:33 +01:00
𝓙𝓾𝓵𝓲𝓸 035d396c4f Update README.md 2025-02-24 16:03:23 +01:00
𝓙𝓾𝓵𝓲𝓸 e9a1efbf89 Update README.md 2025-02-24 15:58:33 +01:00
𝓙𝓾𝓵𝓲𝓸 1d905742bc Update README.md 2025-02-24 15:57:09 +01:00
𝓙𝓾𝓵𝓲𝓸 956543cfc3 Update README.md 2025-02-24 15:56:00 +01:00
8 changed files with 260 additions and 517 deletions
Expand all files Collapse all files
.gitea/workflows/build-publish.yml
-289
View File
@@ -1,289 +0,0 @@
# =============================================================================
# build-and-publish
#
# Compiles a custom nginx (with ModSecurity, naxsi, lua, brotli, geoip2, etc.),
# packages the result as a Debian .deb named `twiy`, and uploads it to a
# Sonatype Nexus apt-hosted repository so users can install via `apt`.
#
# Triggers:
# * Every push to master.
# * Manual run from the Actions UI (workflow_dispatch).
#
# Required repository secrets (see the "Publish to Nexus" step for details):
# NEXUS_USER, NEXUS_PASS, NEXUS_URL, NEXUS_REPO
# =============================================================================
name: build-and-publish
on:
push:
branches: [master]
workflow_dispatch:
jobs:
build:
# Pinned to ubuntu-22.04 because the build script targets the toolchain
# versions that ship with that release. Bumping this needs validation
# against the modules pinned in /version.
runs-on: ubuntu-22.04
steps:
- name: Checkout source
uses: actions/checkout@v4
- name: Install build dependencies
run: |
set -euo pipefail
# Minimal toolchain to: build nginx (build-essential), package the
# output (dpkg-dev, fakeroot), and fetch sources (git, curl, wget).
# gnupg is kept in case a future step needs to verify upstream sigs.
sudo apt-get update -y
sudo apt-get install -y --no-install-recommends \
git curl wget ca-certificates dpkg-dev fakeroot \
build-essential gnupg
- name: Compile nginx and modules
run: |
set -euo pipefail
# Touch /.dockerenv so build/run.sh's container-detection branch is
# taken: it skips `systemctl start nginx` (the runner has no systemd).
# The .deb's own postinst handles service start on the user's host.
sudo touch /.dockerenv
sudo bash build/run.sh new # download sources for nginx + modules
sudo bash build/run.sh build # configure, compile, install
sudo bash build/run.sh postfix # drop default configs into /nginx
# ─────────────────────────────────────────────────────────────────────────
# Assemble the .deb by hand (we don't use debhelper because the build
# script already places everything at its final paths under the runner's
# root; we just need to mirror those paths into PKG_DIR and add control
# metadata).
# ─────────────────────────────────────────────────────────────────────────
- name: Assemble .deb package
id: pkg
run: |
set -euo pipefail
PKG_NAME="twiy"
NGINX_VER="$(nginx -v 2>&1 | awk -F'/' '{print $2}')"
# Append the CI run number as the Debian revision so each rebuild
# produces a strictly-greater version (e.g. 1.26.0-3 > 1.26.0-2 >
# 1.26.0). Without this, `apt upgrade twiy` would be a no-op when
# upstream nginx hasn't moved, so packaging fixes wouldn't reach
# users who already have the package installed.
VERSION="${NGINX_VER}-${GITHUB_RUN_NUMBER:-1}"
ARCH="amd64"
PKG_DIR="/opt/${PKG_NAME}_${VERSION}_${ARCH}"
DEB_DIR="${PKG_DIR}/DEBIAN"
# The `*_temp` dirs under /usr/local/nginx are nginx's compiled-in
# defaults for client_body / proxy / fastcgi / uwsgi / scgi temp
# storage (no --http-*-temp-path was passed to ./configure). They
# must exist before `nginx -t` runs, so we ship them empty in the
# .deb and the postinst chowns them to the nginx user.
sudo mkdir -p "${PKG_DIR}/usr/sbin" "${PKG_DIR}/nginx" \
"${PKG_DIR}/etc/systemd/system" "${PKG_DIR}/var/log/nginx" \
"${PKG_DIR}/usr/lib" "${PKG_DIR}/usr/local/lib" \
"${PKG_DIR}/hostdata/default/public_html" \
"${PKG_DIR}/usr/nginx_lua" \
"${PKG_DIR}/usr/local/nginx/client_body_temp" \
"${PKG_DIR}/usr/local/nginx/proxy_temp" \
"${PKG_DIR}/usr/local/nginx/fastcgi_temp" \
"${PKG_DIR}/usr/local/nginx/uwsgi_temp" \
"${PKG_DIR}/usr/local/nginx/scgi_temp"
# Pull every artifact the build produced into the package tree.
# `|| true` on the recursive copies tolerates a missing source dir
# (e.g. when rebuilding without re-running postfix locally).
sudo cp /usr/sbin/nginx "${PKG_DIR}/usr/sbin/"
sudo cp -R /nginx/* "${PKG_DIR}/nginx/" || true
sudo cp /etc/systemd/system/nginx.service "${PKG_DIR}/etc/systemd/system/"
sudo cp -R /hostdata/default "${PKG_DIR}/hostdata/" || true
sudo cp -R /usr/nginx_lua "${PKG_DIR}/usr/" || true
# Bundle every shared library nginx links against. This makes the
# package self-contained: users don't need our exact build-host
# versions of libssl, libluajit, libmodsecurity, etc. The grep
# filters out the vDSO and the dynamic linker (which never appear
# as `=> /...`).
for lib in $(ldd /usr/sbin/nginx | grep '=> /' | awk '{print $3}'); do
sudo cp "$lib" "${PKG_DIR}/usr/lib/" || true
done
# ---- DEBIAN/control --------------------------------------------------
# Minimum metadata dpkg requires. The .deb bundles every shared library
# nginx links against (see the ldd loop above), so the only Depends we
# declare is libjemalloc2 — the systemd unit LD_PRELOADs it for the
# nginx workers; without it, the unit would fail to start.
sudo mkdir -p "${DEB_DIR}"
sudo tee "${DEB_DIR}/control" >/dev/null <<EOF
Package: ${PKG_NAME}
Version: ${VERSION}
Section: base
Priority: optional
Architecture: ${ARCH}
Depends: libjemalloc2
Maintainer: Julio <me@julio.al>
Description: Nginx L7 DDoS Protection (The-World-Is-Yours), built by RAWeb CI.
EOF
# ---- DEBIAN/postinst -------------------------------------------------
# Runs after dpkg unpacks the files. Designed to be safe to re-run:
# `apt install --reinstall twiy` and `apt upgrade twiy` both invoke
# this script and must not fail.
#
# Every step that may legitimately fail on a re-run (user already
# exists, service already enabled, host has no systemd, etc.) ends
# in `|| true`, and we `exit 0` explicitly so a flaky systemctl
# never aborts a dpkg transaction.
sudo tee "${DEB_DIR}/postinst" >/dev/null <<'EOF'
#!/bin/bash
# Idempotent: safe on first install, upgrade, and reinstall.
# System user nginx workers run as. -r = system account (no aging,
# UID below SYS_UID_MAX), no shell, home set to nginx's prefix.
useradd -r -d /usr/local/nginx -s /bin/false nginx 2>/dev/null || true
# nginx was compiled without --http-*-temp-path, so it defaults to
# <prefix>/<name> (/usr/local/nginx/client_body_temp etc.). The dirs
# already ship in the .deb, but `install -d` is the cleanest way to
# set owner/group/mode in one shot and is a no-op when the dir
# already exists with the right attributes.
install -d -o nginx -g nginx -m 0755 \
/usr/local/nginx \
/usr/local/nginx/client_body_temp \
/usr/local/nginx/proxy_temp \
/usr/local/nginx/fastcgi_temp \
/usr/local/nginx/uwsgi_temp \
/usr/local/nginx/scgi_temp \
/var/log/nginx
# Recursive chown picks up any user-supplied configs already under
# /nginx (vhosts, certs) so reloads don't trip on permissions.
chown -R nginx:nginx /var/log/nginx /nginx /usr/local/nginx 2>/dev/null || true
# Refresh systemd's view of unit files we just dropped, then bring
# the service up. `restart` (rather than `start`) handles the case
# where a previous broken install left the unit failed.
systemctl daemon-reload 2>/dev/null || true
systemctl enable nginx.service 2>/dev/null || true
systemctl restart nginx.service 2>/dev/null || true
exit 0
EOF
sudo chmod 755 "${DEB_DIR}/postinst"
# Build the .deb and hand ownership back to the runner user so the
# next step can read it without sudo.
sudo dpkg-deb --build "${PKG_DIR}"
DEB_FILE="${PKG_DIR}.deb"
sudo chown "$(id -u):$(id -g)" "${DEB_FILE}"
{
echo "deb_file=${DEB_FILE}"
echo "version=${VERSION}"
echo "pkg_name=${PKG_NAME}"
} >> "$GITHUB_OUTPUT"
ls -la "${DEB_FILE}"
sha256sum "${DEB_FILE}"
# ─────────────────────────────────────────────────────────────────────────
# Publish the built .deb to a Sonatype Nexus apt-hosted repository.
#
# Threat model for this step (the workflow file is public):
# * Credentials come exclusively from repository secrets, never source.
# * Credentials must never appear in argv (visible via /proc/<pid>/cmdline
# to any local user) or in the runner's persistent filesystem.
# * If the job is cancelled or killed, secrets must still be wiped.
#
# To run this in your own fork, set four repository secrets:
# NEXUS_USER — Nexus account with write access to the apt repo
# NEXUS_PASS — its password (or token)
# NEXUS_URL — base URL, e.g. https://apt.example.com
# NEXUS_REPO — the apt-hosted repository name in Nexus
# ─────────────────────────────────────────────────────────────────────────
- name: Publish to Nexus
env:
NEXUS_USER: ${{ secrets.NEXUS_USER }}
NEXUS_PASS: ${{ secrets.NEXUS_PASS }}
NEXUS_URL: ${{ secrets.NEXUS_URL }}
NEXUS_REPO: ${{ secrets.NEXUS_REPO }}
DEB_FILE: ${{ steps.pkg.outputs.deb_file }}
PKG_NAME: ${{ steps.pkg.outputs.pkg_name }}
run: |
set -euo pipefail
umask 077 # any file we create is rw for us only
# ---- Secret-handling scratch dir ------------------------------------
# /dev/shm is tmpfs (RAM-backed). Even if the runner's disk is later
# imaged or recovered, secrets written here never touch persistent
# storage. Fall back to /tmp on minimal images that lack /dev/shm.
SECDIR="$(mktemp -d -p /dev/shm twiy-XXXXXXXX 2>/dev/null \
|| mktemp -d -t twiy-XXXXXXXX)"
chmod 700 "$SECDIR"
# Trap covers normal exit, errors (set -e), and the common cancellation
# signals Gitea / GitHub send when a job is cancelled or times out.
# `shred -uz` overwrites then unlinks; on tmpfs the overwrite is mostly
# symbolic, but it's free defence-in-depth in case /dev/shm wasn't
# available and we fell back to a disk-backed /tmp.
cleanup() {
find "$SECDIR" -type f -exec shred -uz {} + 2>/dev/null || true
rm -rf "$SECDIR"
}
trap cleanup EXIT INT TERM HUP
# ---- Build the netrc -------------------------------------------------
# Why netrc and not `curl -u user:pass`:
# - `-u` puts the password in argv; any local user can read it from
# /proc/<pid>/cmdline while the curl is in flight.
# - netrc is a 0600 file curl reads itself; the password never
# appears on a command line.
# Why `printf` (a bash builtin): builtins don't fork an external
# process, so the password is never an argv to any executable.
# The host string in netrc must match the URL host exactly, so we
# derive it from $NEXUS_URL rather than hardcoding it — this lets
# forks reuse the workflow without editing it.
NEXUS_HOST="$(printf '%s' "$NEXUS_URL" | awk -F/ '{print $3}')"
printf 'machine %s login %s password %s\n' \
"$NEXUS_HOST" "$NEXUS_USER" "$NEXUS_PASS" > "$SECDIR/netrc"
# Drop the in-memory copies now that the file is the source of truth.
unset NEXUS_USER NEXUS_PASS
# ---- Replace any prior version of this package -----------------------
# Nexus's apt-hosted format keeps every uploaded .deb forever unless we
# explicitly delete the old component. Without this, the repo grows
# unboundedly and `apt` may pick a stale version. Best-effort: a
# missing prior component is not an error.
OLD_ID="$(curl -fsS --netrc-file "$SECDIR/netrc" \
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO" \
| PKG_NAME="$PKG_NAME" python3 -c '
import sys, json, os
for c in json.load(sys.stdin).get("items", []):
if c.get("name") == os.environ["PKG_NAME"]:
print(c["id"]); break
' || true)"
if [ -n "$OLD_ID" ]; then
curl -fsS -X DELETE --netrc-file "$SECDIR/netrc" \
"$NEXUS_URL/service/rest/v1/components/$OLD_ID" -o /dev/null
fi
# ---- Upload the new .deb --------------------------------------------
# Body goes to a file inside SECDIR so the trap shreds it too — Nexus
# error responses sometimes echo request metadata we'd rather not
# leave on disk.
HTTP="$(curl -sS --netrc-file "$SECDIR/netrc" \
-o "$SECDIR/upload.body" -w '%{http_code}' \
-X POST -F "apt.asset=@$DEB_FILE" \
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO")"
case "$HTTP" in
201|204) echo "Uploaded $(basename "$DEB_FILE") to $NEXUS_URL/repository/$NEXUS_REPO/" ;;
*) echo "Upload failed (HTTP $HTTP)"; head -c 400 "$SECDIR/upload.body"; exit 1 ;;
esac
# ---- Why we don't sign each .deb ourselves ---------------------------
# apt's trust chain on the client is:
# Release.gpg → Packages (verified by SHA256 in Release)
# → the .deb (verified by SHA256 in Packages)
# Signing the Release file is enough; per-.deb signatures are not
# consulted by apt during install. Nexus signs Release on every
# upload using a key bound at repo-creation time, and that private
# key never leaves the Nexus host — so we deliberately keep all
# signing material off the CI runner.
.github/workflows/main.yml
+106
View File
@@ -0,0 +1,106 @@
name: Build and Publish NGINX
on:
push:
branches:
- master
pull_request:
branches:
- master
jobs:
build:
runs-on: ubuntu-22.04
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Install dependencies
run: |
sudo apt-get update
sudo apt-get -y install git dpkg-dev
- name: Clone the repository
run: |
cd $HOME
git clone https://github.com/theraw/The-World-Is-Yours.git
cd The-World-Is-Yours/
- name: Build NGINX
run: |
touch $HOME/.dockerenv
cd $HOME/The-World-Is-Yours/
sudo bash build/run.sh new
sudo bash build/run.sh build
sudo bash build/run.sh postfix
- name: Build .deb Package
id: build_deb
run: |
cd $HOME/The-World-Is-Yours/
sudo bash -c 'function create_deb() {
PKG_NAME="twiy"
VERSION=$(nginx -v 2>&1 | awk -F"/" "{print \$2}")
ARCH="amd64"
PKG_DIR="/opt/${PKG_NAME}_${VERSION}_${ARCH}"
DEB_DIR="${PKG_DIR}/DEBIAN"
mkdir -p ${PKG_DIR}/usr/sbin
mkdir -p ${PKG_DIR}/usr/local/nginx
mkdir -p ${PKG_DIR}/nginx
mkdir -p ${PKG_DIR}/etc/systemd/system
mkdir -p ${PKG_DIR}/var/log/nginx
mkdir -p ${PKG_DIR}/nginx/conf.d
mkdir -p ${PKG_DIR}/nginx/live
mkdir -p ${PKG_DIR}/nginx/modsec
mkdir -p ${PKG_DIR}/usr/lib
mkdir -p ${PKG_DIR}/usr/local/lib
mkdir -p ${PKG_DIR}/hostdata/default/public_html
mkdir -p ${PKG_DIR}/usr/nginx_lua
cp /usr/sbin/nginx ${PKG_DIR}/usr/sbin/
cp -R /nginx/* ${PKG_DIR}/nginx/
cp /etc/systemd/system/nginx.service ${PKG_DIR}/etc/systemd/system/
cp -R /hostdata/default ${PKG_DIR}/hostdata/
cp -R /usr/nginx_lua ${PKG_DIR}/usr/
for lib in $(ldd /usr/sbin/nginx | grep "=> /" | awk "{print \$3}"); do
cp "$lib" "${PKG_DIR}/usr/lib/"
done
for module in /opt/mod/*; do
if [ -f "$module" ]; then
for lib in $(ldd "$module" | grep "=> /" | awk "{print \$3}"); do
cp "$lib" "${PKG_DIR}/usr/lib/"
done
fi
done
mkdir -p ${DEB_DIR}
echo "Package: ${PKG_NAME}" > ${DEB_DIR}/control
echo "Version: ${VERSION}" >> ${DEB_DIR}/control
echo "Section: base" >> ${DEB_DIR}/control
echo "Priority: optional" >> ${DEB_DIR}/control
echo "Architecture: ${ARCH}" >> ${DEB_DIR}/control
echo "Maintainer: Julio <me@julio.al>" >> ${DEB_DIR}/control
echo "Description: Nginx L7 DDoS Protection! And many more features github.com/theraw/The-World-Is-Yours" >> ${DEB_DIR}/control
echo "#!/bin/bash" > ${DEB_DIR}/postinst
echo "useradd -r -d /usr/local/nginx -s /bin/false nginx || true" >> ${DEB_DIR}/postinst
chmod 755 ${DEB_DIR}/postinst
chmod -R 0755 ${DEB_DIR}
dpkg-deb --build ${PKG_DIR}
mv ${PKG_DIR}.deb /opt/${PKG_NAME}_${VERSION}_${ARCH}.deb
echo "Debian package created at /opt/${PKG_NAME}_${VERSION}_${ARCH}.deb"
echo "::set-output name=VERSION::${VERSION}"
}; create_deb'
- name: Create Git Tag
run: |
VERSION=${{ steps.build_deb.outputs.VERSION }}
git config user.name "theraw"
git config user.email "me@julio.al"
git tag v$VERSION
git push origin v$VERSION
- name: Upload .deb Package as Release Asset
uses: softprops/action-gh-release@v2
with:
files: /opt/*.deb
tag_name: v${{ steps.build_deb.outputs.version }}
env:
GITHUB_TOKEN: ${{ secrets.REPO_TOKEN }}
.gitignore
+24 -9
View File
@@ -1,10 +1,25 @@
.claude/
.codex
/.phpunit.cache
/node_modules
/public/build
/public/hot
/public/storage
/storage/*.key
/storage/pail
/vendor
.env
.creds
.workers
.local
Dockerfile
docker-compose.yaml
docker-compose.yml
PENDING_*.md
.env.backup
.env.production
.phpactor.json
.phpunit.result.cache
Homestead.json
Homestead.yaml
npm-debug.log
yarn-error.log
/auth.json
/.fleet
/.idea
/.nova
/.vscode
/.zed
/.cache
.cache
README.md
+56 -37
View File
@@ -2,28 +2,46 @@
![Simple](https://c.tenor.com/uYqsM9uIyuYAAAAC/simple-easy.gif)
- [x] Debian 13 (trixie) supported
- [x] nginx 1.30.0
- [x] HTTP/3 (QUIC) via AWS-LC
- [x] ModSecurity v3 (libmodsecurity)
- [x] Naxsi
- [x] Lua (LuaJIT 2.1)
- [x] Cookie-based challenge
- [x] [Versions List](https://git.julio.al/theraw/The-World-Is-Yours/src/branch/master/version)
- [x] **Support Ubuntu 22.04**
- [x] **Latest Nginx 1.26.0**
- [x] **HTTP/3**
- [x] **Admin Panel** : Optional *(Not installed by default)*
- [X] **Home Page** *(Nginx stats/graph via nginx stub stats)*
- [X] **Vhosts Page** *(Create, Delete, Edit)*
- [X] **IP Management** *(add, edit, delete)* *selectable on vhost creation*
- [X] **Ports Management** *(add, edit, delete)* *selectable on vhost creation*
- [ ] **Nginx Settings Page** *(Only change existing nginx.conf values)*
- [ ] **Log Reporting Page** (Not set yet, might be all in one page or seperated pages for access logs, modsec logs)
- [x] **Php Selector** (a.k.a creation of dedicated fpm pool) *selectable on vhost creation*
- [ ] **One click App installer** *(WordPress)*
- [x] ModSecurity Support *(Ngx Mod)*
- [x] Naxsi Support *(Ngx Mod)*
- [x] Lua Support.
- [X] **AutoSSL** *(Lua Mod)*
- [ ] **Rate Limit** *(Lua Mod)*
- [ ] **Captcha** *(Lua Mod)*
- [x] Cookie Based Challenge *(Ngx Mod)*
- [x] [Versions List](https://github.com/theraw/The-World-Is-Yours/blob/master/version)
## Easy install
# Installation methods.
- 1 : **Repository (Easy)**
```bash
sudo install -d /etc/apt/keyrings
sudo curl -fsSL https://apt.julio.al/repository/public/keys/raweb.asc \
-o /etc/apt/keyrings/raweb.asc
# Add repository and update system.
echo '' > /etc/apt/sources.list.d/the-world-is-yours.list
apt-get update; apt-get upgrade -y
echo "deb [signed-by=/etc/apt/keyrings/raweb.asc] https://apt.julio.al/repository/raweb trixie main" \
| sudo tee /etc/apt/sources.list.d/raweb.list
# Install nginx.
apt-get install raweb -y
sudo apt update && sudo apt install twiy
# Install admin panel.
apt-get install raweb-admin -y
```
## Compile from source
- 2 : **Manual .deb (Med)**
```bash
Download them from : https://github.com/theraw/The-World-Is-Yours/releases
```
- 3 : **Compile from source (Hard)**
```bash
apt-get -y install git && cd /root/ && git clone https://github.com/theraw/The-World-Is-Yours.git && cd The-World-Is-Yours/
@@ -31,23 +49,27 @@ bash build/run.sh new
bash build/run.sh build
bash build/run.sh postfix
```
If you want to try with a custom nginx version then, open `version` file and change versions then run
- 3.1 : **Compiling from source with changed versions**
```bash
# assuming you completed step 3.
# update "version" file then run again
bash build/run.sh new
bash build/run.sh build
```
## CLI Info
```
```bash
bash build/run.sh new => Download all modules + nginx that are missing from /opt/. (If you make version changes to 'version' file then simply rerun this to download again)
bash build/run.sh build => This is going to simply compile nginx nothing else. (You can run this as many times as you need, its not going to replace configs)
bash build/run.sh postfix => This will redownload /nginx/nginx.conf everytime you run it. (Suggested to run only once when you install nginx via my repo for first time)
```
## Nginx info.
## Nginx Structure.
```
```bash
=> Nginx Folder = /nginx/
=> --conf-path = /nginx/nginx.conf
=> --pid-path = /var/run/nginx.pid
@@ -57,29 +79,26 @@ bash build/run.sh postfix => This will redownload /nginx/nginx.conf everytime yo
=> --error-log-path = /var/log/nginx/error.log
LUA RESTY CORE SCRIPTS = /usr/nginx_lua
# Admin Panel Info
=> Folder = /nginx/admin/public_html
```
## How to install lua scripts
```
- Method 1
```bash
. /root/The-World-Is-Yours/version
cd /opt/mod/; git clone https://github.com/openresty/lua-resty-lrucache.git
cd /opt/mod/lua-resty-lrucache; make install PREFIX=${LUA_SCRIPTS}
nginx -s reload
```
## Performance
### vs. vanilla nginx (same version, default config)
| Area | Twiy | Vanilla nginx | Why |
|---|---|---|---|
| TLS handshake throughput | **+515%** | baseline | AWS-LC's tuned AES/ChaCha asm vs OpenSSL |
| Static file throughput | **25×** | baseline | `open_file_cache` (off by default in vanilla) |
| TLS resumed handshakes | **~10× CPU saving** | baseline | 200 MB shared session cache vs none |
| Per-handshake latency (cold) | **50200 ms p95** | baseline | OCSP stapling on by default |
| Compressed-text bandwidth | **60 to 80%** | unchanged | brotli + gzip enabled in `http {}` |
| WAF, Lua, HTTP/3 | included | not included | needs custom build |
- Method 2
```bash
# At first when you use this method you may get errors for missing lua scripts, you can install them with "luarocks".
apt-get install luarocks
luarocks install lua-resty-lrucache
```
# Support options.
build/run.sh
+31 -75
View File
@@ -6,8 +6,8 @@ function reqs() {
# apt-get purge nftables firewalld ufw -y; apt-get autoremove -y
apt-get -y install wget zip unzip build-essential libssl-dev curl nano git
# apt-get -y install iptables ipset
apt-get install libtool pkg-config make cmake automake autoconf golang-go ninja-build -y
apt-get install libyajl-dev ssdeep zlib1g-dev libxslt1-dev libgd-dev libgeoip-dev liblmdb-dev libfuzzy-dev libmaxminddb-dev liblua5.1-dev libcurl4-openssl-dev libxml2 libxml2-dev mercurial libpcre2-dev libc-ares-dev libre2-dev libzstd-dev libjemalloc2 -y
apt-get install libtool pkg-config make cmake automake autoconf -y
apt-get install libyajl-dev ssdeep zlib1g-dev libxslt1-dev libgd-dev libgeoip-dev liblmdb-dev libfuzzy-dev libmaxminddb-dev liblua5.1-dev libcurl4-openssl-dev libxml2 libxml2-dev libpcre3-dev mercurial libpcre2-dev libc-ares-dev libre2-dev -y
mkdir -p $LUA_SCRIPTS
}
function clean_install() {
@@ -21,23 +21,10 @@ function clean_install() {
# START OF SYSTEM REQUIRED LIBS
# ============================================================================================================
# AWS-LC — TLS+QUIC backend. Replaces quictls/openssl. Built standalone
# (cmake+ninja) and installed to /usr/local/aws-lc/. nginx 1.29.2+ links
# against it via -I/-L; we no longer pass --with-openssl=PATH because we
# don't want nginx's configure to rebuild OpenSSL itself.
if [ ! -d /opt/mod/aws-lc-${SYSTEM_AWSLC} ]; then
cd /opt/mod && wget https://github.com/aws/aws-lc/archive/refs/tags/v${SYSTEM_AWSLC}.tar.gz
cd /opt/mod && tar xf v${SYSTEM_AWSLC}.tar.gz; rm -Rf v${SYSTEM_AWSLC}.tar.gz
fi
if [ ! -f /usr/local/aws-lc/lib/libssl.so ]; then
cd /opt/mod/aws-lc-${SYSTEM_AWSLC} && \
cmake -GNinja -B build \
-DCMAKE_INSTALL_PREFIX=/usr/local/aws-lc \
-DBUILD_SHARED_LIBS=1 \
-DCMAKE_BUILD_TYPE=Release && \
cmake --build build -j`nproc` && \
cmake --install build && \
ldconfig
# OPENSSL
if [ ! -d /opt/mod/openssl-opernssl-${SYSTEM_OPENSSL} ]; then
cd /opt/mod; wget https://github.com/quictls/openssl/archive/refs/tags/opernssl-${SYSTEM_OPENSSL}.tar.gz
cd /opt/mod && tar xf opernssl-${SYSTEM_OPENSSL}.tar.gz; rm -Rf opernssl-${SYSTEM_OPENSSL}.tar.gz
fi
# ZLIB
@@ -56,22 +43,20 @@ function clean_install() {
fi
fi
# SYSTEM_MODSECURITY (v3 — libmodsecurity, what ModSecurity-nginx connector needs)
# SYSTEM_MODSECURITY
if [ ! -d /opt/mod/modsecurity-v${SYSTEM_MODSECURITY} ]; then
cd /opt/mod && wget https://github.com/SpiderLabs/ModSecurity/releases/download/v${SYSTEM_MODSECURITY}/modsecurity-v${SYSTEM_MODSECURITY}.tar.gz
cd /opt/mod && tar xf modsecurity-v${SYSTEM_MODSECURITY}.tar.gz; rm -Rf modsecurity-v${SYSTEM_MODSECURITY}.tar.gz
if [ ! -d /usr/local/modsecurity ]; then
cd /opt/mod/modsecurity-v${SYSTEM_MODSECURITY} && ./configure && make -j`nproc` && make install
fi
if [ ! -f /usr/local/modsecurity/lib/libmodsecurity.so ]; then
cd /opt/mod/modsecurity-v${SYSTEM_MODSECURITY} && ./build.sh && ./configure --without-pcre --with-pcre2 && make -j`nproc` && make install
fi
# SYSTEM_PCRE
# Use the official release tarball (bundles the sljit submodule needed for
# JIT). The /archive/refs/tags/ tarball from GitHub is a raw source snapshot
# that omits submodules and breaks `--with-pcre-jit`.
if [ ! -d /opt/mod/pcre2-${SYSTEM_PCRE} ]; then
cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${SYSTEM_PCRE}/pcre2-${SYSTEM_PCRE}.tar.gz
if [ ! -d /opt/mod/pcre2-pcre2-${SYSTEM_PCRE} ]; then
cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/archive/refs/tags/pcre2-${SYSTEM_PCRE}.tar.gz
cd /opt/mod && tar xf pcre2-${SYSTEM_PCRE}.tar.gz; rm -Rf pcre2-${SYSTEM_PCRE}.tar.gz
cd /opt/mod/pcre2-pcre2-${SYSTEM_PCRE} && ./autogen.sh
fi
# LibInjection
@@ -90,36 +75,18 @@ function clean_install() {
cd /opt/mod/; wget https://github.com/openresty/lua-nginx-module/archive/refs/tags/v${NGX_MOD_LUA}.tar.gz
cd /opt/mod/; tar xf v${NGX_MOD_LUA}.tar.gz; rm -Rf v${NGX_MOD_LUA}.tar.gz
sed -i 's/cookies/cookie/g' /opt/mod/lua-nginx-module-${NGX_MOD_LUA}/src/ngx_http_lua_headers_in.c
# AWS-LC compatibility: lua-nginx-module already has guards around APIs
# missing from BoringSSL (SSL_get1_supported_ciphers, SSL_export_keying_
# material_early, etc.). AWS-LC has the same API limitations but defines
# OPENSSL_IS_AWSLC instead of OPENSSL_IS_BORINGSSL, so the guards never
# fire. Broaden every form (#if, #ifdef, #ifndef, #elif) to recognise
# both macros. Order matters: the bare `defined()` substitution runs
# first so the later #ifdef/#ifndef substitutions don't double-rewrite.
sed -i \
-e 's@defined(OPENSSL_IS_BORINGSSL)@(defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
-e 's@#ifdef OPENSSL_IS_BORINGSSL@#if (defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
-e 's@#ifndef OPENSSL_IS_BORINGSSL@#if !(defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
/opt/mod/lua-nginx-module-${NGX_MOD_LUA}/src/*.c
fi
# NGX_LUA_CORE — must stay in lockstep with NGX_MOD_LUA. lua-resty-core
# does a strict-equality check on ngx.config.ngx_lua_version at startup,
# so an upstream bump on master silently breaks the build. Pinning via
# the tagged tarball (dir name embeds the version) means changing
# LUA_SCRIPTS_RESTYCORE in `version` invalidates the cache automatically.
if [ ! -d /opt/mod/lua-resty-core-${LUA_SCRIPTS_RESTYCORE} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-core/archive/refs/tags/v${LUA_SCRIPTS_RESTYCORE}.tar.gz
cd /opt/mod/; tar xf v${LUA_SCRIPTS_RESTYCORE}.tar.gz; rm -Rf v${LUA_SCRIPTS_RESTYCORE}.tar.gz
cd /opt/mod/lua-resty-core-${LUA_SCRIPTS_RESTYCORE} && make install PREFIX=${LUA_SCRIPTS}
# NGX_LUA_CORE
if [ ! -d /opt/mod/lua-resty-core ]; then
cd /opt/mod/; git clone https://github.com/openresty/lua-resty-core.git
cd /opt/mod/lua-resty-core; make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_LUA_LRUCACHE — same pattern, pinned to LUA_SCRIPTS_LRUCACHE.
if [ ! -d /opt/mod/lua-resty-lrucache-${LUA_SCRIPTS_LRUCACHE} ]; then
cd /opt/mod/; wget https://github.com/openresty/lua-resty-lrucache/archive/refs/tags/v${LUA_SCRIPTS_LRUCACHE}.tar.gz
cd /opt/mod/; tar xf v${LUA_SCRIPTS_LRUCACHE}.tar.gz; rm -Rf v${LUA_SCRIPTS_LRUCACHE}.tar.gz
cd /opt/mod/lua-resty-lrucache-${LUA_SCRIPTS_LRUCACHE} && make install PREFIX=${LUA_SCRIPTS}
# NGX_LUA_LRUCACHE
if [ ! -d /opt/mod/lua-resty-lrucache ]; then
cd /opt/mod/; git clone https://github.com/openresty/lua-resty-lrucache.git
cd /opt/mod/lua-resty-lrucache; make install PREFIX=${LUA_SCRIPTS}
fi
# NGX_MOD_LUA_MYSQL
@@ -204,14 +171,6 @@ function clean_install() {
cd /opt/mod/; git clone --recurse-submodules https://github.com/wargio/naxsi.git naxsi
fi
# NGX_MOD_ZSTD — Zstandard compression module from tokers. Pinned via
# NGX_MOD_ZSTD; tarball pattern (dir name embeds version → cache invalidates
# automatically when the pin moves).
if [ ! -d /opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} ]; then
cd /opt/mod/; wget https://github.com/tokers/zstd-nginx-module/archive/refs/tags/${NGX_MOD_ZSTD}.tar.gz
cd /opt/mod/; tar xf ${NGX_MOD_ZSTD}.tar.gz; rm -Rf ${NGX_MOD_ZSTD}.tar.gz
fi
# END OF NGINX MODULES
# ============================================================================================================
}
@@ -227,9 +186,11 @@ test_nginx() {
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-opernssl-${SYSTEM_OPENSSL} \
--with-openssl-opt=enable-tls1_3 \
--with-pcre \
--with-pcre-jit \
--with-pcre=/opt/mod/pcre2-${SYSTEM_PCRE} \
--with-pcre=/opt/mod/pcre2-pcre2-${SYSTEM_PCRE} \
--with-zlib=/opt/mod/zlib \
--with-threads \
--with-file-aio \
@@ -269,10 +230,9 @@ test_nginx() {
--add-module=/opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE} \
--add-module=/opt/mod/redis2-nginx-module \
--add-module=/opt/mod/ngx_brotli \
--add-module=/opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} \
--add-module=/opt/mod/testcookie \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I/usr/local/aws-lc/include" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/usr/local/aws-lc/lib -lssl -lcrypto -Wl,-rpath,/usr/local/aws-lc/lib"
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/lib/x86_64-linux-gnu -lpcre"
make clean
}
function build() {
@@ -286,9 +246,11 @@ function build() {
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-openssl=/opt/mod/openssl-opernssl-${SYSTEM_OPENSSL} \
--with-openssl-opt=enable-tls1_3 \
--with-pcre \
--with-pcre-jit \
--with-pcre=/opt/mod/pcre2-${SYSTEM_PCRE} \
--with-pcre=/opt/mod/pcre2-pcre2-${SYSTEM_PCRE} \
--with-zlib=/opt/mod/zlib \
--with-threads \
--with-file-aio \
@@ -328,16 +290,10 @@ function build() {
--add-module=/opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE} \
--add-module=/opt/mod/redis2-nginx-module \
--add-module=/opt/mod/ngx_brotli \
--add-module=/opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} \
--add-module=/opt/mod/testcookie \
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I/usr/local/aws-lc/include" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/usr/local/aws-lc/lib -lssl -lcrypto -Wl,-rpath,/usr/local/aws-lc/lib"
# NOTE: kept as separate statements (not `make && make install && make clean`)
# so `set -e` actually fires on a make failure. The && chain hides left-side
# failures from set -e, which previously let half-built nginx ship.
cd /opt/nginx-${NGINX} && make -j`nproc`
cd /opt/nginx-${NGINX} && make install
cd /opt/nginx-${NGINX} && make clean
--with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/lib/x86_64-linux-gnu -lpcre"
make -j`nproc` && make install && make clean
unset NGINX
}
function post_build() {
static/Jammy/nginx.service
+1 -6
View File
@@ -5,12 +5,7 @@ Wants=network-online.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
# jemalloc replaces glibc malloc — better fragmentation/perf under nginx's
# alloc/free churn at scale. Package depends on libjemalloc2 so the .so is
# guaranteed present. Removing this line falls back to glibc malloc cleanly.
Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
ExecStartPre=/usr/bin/install -d -o nginx -g nginx -m 0755 /usr/local/nginx /usr/local/nginx/client_body_temp /usr/local/nginx/proxy_temp /usr/local/nginx/fastcgi_temp /usr/local/nginx/uwsgi_temp /usr/local/nginx/scgi_temp /var/log/nginx
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
static/nginx/nginx.conf
+10 -60
View File
@@ -1,14 +1,8 @@
# Suggestions? => https://github.com/theraw/The-World-Is-Yours/issues
# Problems? => https://github.com/theraw/The-World-Is-Yours/issues
#
# Tuned for shared hosting at 5,000+ vhost scale.
# Per-vhost listen/ssl_certificate directives live in /nginx/live/* — this
# file only contains the global event/http settings.
user nginx;
pid /var/run/nginx.pid;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 65535;
events {
@@ -32,46 +26,21 @@ http {
# =================== END LOGS ========================= #
# ==================== GENERAL ========================= #
client_header_buffer_size 4k;
large_client_header_buffers 4 16k;
client_body_buffer_size 16k;
client_body_buffer_size 2M;
client_header_buffer_size 2M;
client_body_timeout 90s;
client_header_timeout 90s;
client_max_body_size 2M;
client_body_timeout 30s;
client_header_timeout 30s;
send_timeout 30s;
reset_timedout_connection on;
keepalive_timeout 65s;
keepalive_requests 2000;
max_headers 100;
keepalive_timeout 15s;
port_in_redirect off;
sendfile on;
sendfile_max_chunk 1m;
server_names_hash_bucket_size 6969;
server_name_in_redirect off;
server_tokens off;
tcp_nodelay on;
tcp_nopush on;
server_tokens off;
server_name_in_redirect off;
server_names_hash_bucket_size 128;
server_names_hash_max_size 32768;
types_hash_max_size 4096;
# File metadata cache — biggest single win for static-heavy shared hosting.
open_file_cache max=200000 inactive=30s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# ===================== TLS ============================ #
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:200m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# ===================== END TLS ======================== #
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
types_hash_max_size 2048;
resolver 1.1.1.1 1.0.0.1;
default_type application/octet-stream;
include /nginx/mime.types;
@@ -79,25 +48,6 @@ http {
default upgrade;
'' close;
}
# ==================== COMPRESSION ===================== #
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 4;
gzip_min_length 256;
gzip_types text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
brotli on;
brotli_comp_level 4;
brotli_min_length 256;
brotli_types text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
zstd on;
zstd_comp_level 4;
zstd_min_length 256;
zstd_types text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
# =================== END COMPRESSION ================== #
# =================== END GENERAL ====================== #
# ================ LOAD VHOST +CONFIGS ================= #
version
+14 -23
View File
@@ -1,60 +1,51 @@
export NGINX="1.30.0"
export NGINX="1.26.0"
# Lua Path
export LUA_SCRIPTS="/usr/nginx_lua"
# https://github.com/openresty/lua-nginx-module/tags
export NGX_MOD_LUA="0.10.29"
export NGX_MOD_LUA="0.10.27"
# https://github.com/vision5/ngx_devel_kit/tags
export NGX_MOD_DEVELKIT="0.3.4"
export NGX_MOD_DEVELKIT="0.3.3"
# https://github.com/leev/ngx_http_geoip2_module/releases
export NGX_MOD_GEOIP2="3.4"
# https://github.com/owasp-modsecurity/ModSecurity-nginx/releases
export NGX_MOD_MODSECURITY="1.0.4"
export NGX_MOD_MODSECURITY="1.0.3"
# https://github.com/winshining/nginx-http-flv-module/releases
export NGX_MOD_HTTPFLV="1.2.13"
export NGX_MOD_HTTPFLV="1.2.11"
# https://github.com/openresty/headers-more-nginx-module/tags
export NGX_MOD_HEADERS_MORE="0.39"
export NGX_MOD_HEADERS_MORE="0.37"
# https://github.com/openresty/set-misc-nginx-module/releases
export NGX_MOD_SETMISC="0.33"
# https://github.com/openresty/lua-resty-core/tags
export LUA_SCRIPTS_RESTYCORE="0.1.32"
export LUA_SCRIPTS_RESTYCORE="0.1.28"
# https://github.com/openresty/lua-resty-lrucache/tags
export LUA_SCRIPTS_LRUCACHE="0.15"
export LUA_SCRIPTS_LRUCACHE="0.13"
# https://github.com/openresty/luajit2/tags
export SYSTEM_LUAJIT="2.1-20260311"
export SYSTEM_LUAJIT="2.1-20231117"
# https://github.com/PCRE2Project/pcre2/releases
export SYSTEM_PCRE="10.47"
export SYSTEM_PCRE="10.43"
# https://github.com/aws/aws-lc/tags
# AWS-LC = Amazon's BoringSSL fork. Supported natively in nginx since 1.29.2.
# Picked over quictls (EOL OpenSSL 3.1 base) and over OpenSSL 3.5 native QUIC
# because of better TLS handshake throughput and clean release tagging.
export SYSTEM_AWSLC="1.72.0"
# https://github.com/openssl/openssl
export SYSTEM_OPENSSL="3.1.5-quic1"
# https://github.com/SpiderLabs/ModSecurity/releases 3.0.12
# https://github.com/SpiderLabs/ModSecurity/releases
export SYSTEM_MODSECURITY="3.0.12"
# https://github.com/openresty/lua-resty-mysql/tags
export NGX_MOD_LUA_MYSQL="0.29"
export NGX_MOD_LUA_MYSQL="0.27"
# https://github.com/openresty/lua-resty-lock/tags
export NGX_MOD_LUA_LOCK="0.09"
# https://github.com/openresty/srcache-nginx-module/tags
export NGX_MOD_LUA_SRCACHE="0.33"
# https://github.com/tokers/zstd-nginx-module/tags
# Zstandard compression module. Chrome 123+ and Firefox 126+ send
# `Accept-Encoding: zstd`; older clients fall back to brotli/gzip.
export NGX_MOD_ZSTD="0.1.1"