51b6eaa694
build-and-publish / build (push) Successful in 3m18s
- nginx 1.30.0, ModSecurity v3.0.12, AWS-LC 1.72.0 (replaces
  quictls/openssl 3.1.5-quic1; OpenSSL 3.1 is EOL upstream)
- AWS-LC build via cmake+ninja, installed to /usr/local/aws-lc;
  nginx links via -I/-L and rpath
- lua-nginx-module: sed-broaden the existing OPENSSL_IS_BORINGSSL
  guards to also recognise OPENSSL_IS_AWSLC (covers #ifdef,
  #ifndef, #elif defined). without this the missing-API stubs
  never fire on AWS-LC and the build breaks on
  SSL_get1_supported_ciphers / SSL_export_keying_material_early
- lua-resty-core / lrucache: switched from `git clone master`
  to wget tarball pinned via LUA_SCRIPTS_RESTYCORE/LRUCACHE.
  master drifted to wanting ngx_lua 0.10.30 while the pin was
  0.10.29 — silent CI breakage waiting to happen
- ModSec rewritten for v3 build flow (./build.sh && ./configure
  --without-pcre --with-pcre2). v2's standalone.so isn't what
  ModSecurity-nginx connector links against; it wants
  libmodsecurity.so
- PCRE2: switched to /releases/download/ tarball (bundles the
  sljit submodule needed for --with-pcre-jit); /archive/refs/tags/
  is a raw snapshot and omits submodules
- LuaJIT version pin had a stray leading 'v' that produced
  /tags/vv2.1-... → 404
- drop -L/lib/x86_64-linux-gnu -lpcre from --with-ld-opt;
  PCRE1 is gone from debian 13
- drop libpcre3-dev from apt install for the same reason
- fix latent bug in build/run.sh build(): make && make install
  && make clean swallows make failures from set -e because of
  &&-chain semantics. now separate statements
- static/nginx/nginx.conf rewrite for shared hosting at 5k+
  vhosts: server_names_hash_max_size 32768, shared SSL session
  cache 200m, OCSP stapling, open_file_cache, brotli+gzip
  enabled in http{}, worker_cpu_affinity auto, max_headers 100,
  keepalive_requests 10000. client_header_buffer_size dropped
  from 2M to 4k (was a memory amplification surface)
- README: performance section comparing twiy vs vanilla nginx,
  OpenResty, Apache; expected yield breakdown
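
The `set -e` and `&&`-chain behaviour named in the commit message above, as an added example that is not the repository's build/run.sh. `step`, `build` and the echoed labels are hypothetical stand-ins; each variant runs in a fresh `sh` so the result does not depend on the caller's shell options.

```shell
#!/bin/sh
# Added example, not the repository's build/run.sh. step() is a constructed
# stand-in for a failing `make`; build() and the echoed labels are hypothetical.

# "Before": the failing step sits inside an &&-chain. set -e exempts every
# command in the chain except the last one, so the function carries on.
CHAINED='
set -e
step() { return 2; }
build() {
    step && echo install && echo clean
    echo "build finished"
}
build
echo packaging
'

# "After": separate statements. set -e aborts at the first failing command.
SEPARATE='
set -e
step() { return 2; }
build() {
    step
    echo install
    echo clean
    echo "build finished"
}
build
echo packaging
'

# Run one variant in a fresh shell; print its exit status and last output line.
run_build() {
    case "$1" in
        chained)  script=$CHAINED ;;
        separate) script=$SEPARATE ;;
        *) return 64 ;;
    esac
    status=0
    out=$(sh -c "$script" 2>&1) || status=$?
    last=$(printf '%s\n' "$out" | tail -n 1)
    printf 'exit=%s last=%s\n' "$status" "${last:-<none>}"
}

run_build chained    # exit=0 last=packaging
run_build separate   # exit=2 last=<none>
```

The chained variant exits 0 and goes on to the packaging step even though the build step failed, so a pipeline that trusts the exit status would publish whatever was left from an earlier build.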
55 lines
1.6 KiB
Plaintext
export NGINX="1.30.0"

export LUA_SCRIPTS="/usr/nginx_lua"

# https://github.com/openresty/lua-nginx-module/tags
export NGX_MOD_LUA="0.10.29"

# https://github.com/vision5/ngx_devel_kit/tags
export NGX_MOD_DEVELKIT="0.3.4"

# https://github.com/leev/ngx_http_geoip2_module/releases
export NGX_MOD_GEOIP2="3.4"

# https://github.com/owasp-modsecurity/ModSecurity-nginx/releases
export NGX_MOD_MODSECURITY="1.0.4"

# https://github.com/winshining/nginx-http-flv-module/releases
export NGX_MOD_HTTPFLV="1.2.13"

# https://github.com/openresty/headers-more-nginx-module/tags
export NGX_MOD_HEADERS_MORE="0.39"

# https://github.com/openresty/set-misc-nginx-module/releases
export NGX_MOD_SETMISC="0.33"

# https://github.com/openresty/lua-resty-core/tags
export LUA_SCRIPTS_RESTYCORE="0.1.32"

# https://github.com/openresty/lua-resty-lrucache/tags
export LUA_SCRIPTS_LRUCACHE="0.15"

# https://github.com/openresty/luajit2/tags
export SYSTEM_LUAJIT="2.1-20260311"

# https://github.com/PCRE2Project/pcre2/releases
export SYSTEM_PCRE="10.47"

# https://github.com/aws/aws-lc/tags
# AWS-LC = Amazon's BoringSSL fork. Supported natively in nginx since 1.29.2.
# Picked over quictls (EOL OpenSSL 3.1 base) and over OpenSSL 3.5 native QUIC
# because of better TLS handshake throughput and clean release tagging.
export SYSTEM_AWSLC="1.72.0"

# https://github.com/SpiderLabs/ModSecurity/releases 3.0.12
export SYSTEM_MODSECURITY="3.0.12"

# https://github.com/openresty/lua-resty-mysql/tags
export NGX_MOD_LUA_MYSQL="0.29"

# https://github.com/openresty/lua-resty-lock/tags
export NGX_MOD_LUA_LOCK="0.09"

# https://github.com/openresty/srcache-nginx-module/tags
export NGX_MOD_LUA_SRCACHE="0.33"