Hakase-nginx

My nginx build files.

This repository is no longer operational. Use an alternative such as tengine.

Example Web Server - https://ssl.haka.se/

Please install dependency library.

• CentOS / Red Hat - yum install jemalloc-devel libuuid-devel libatomic libatomic_ops-devel expat-devel unzip autoconf automake libtool gd-devel libmaxminddb-devel libxslt-devel libxml2-devel gcc-c++ curl
• Ubuntu / Debian - apt install libjemalloc-dev uuid-dev libatomic1 libatomic-ops-dev expat unzip autoconf automake libtool libgd-dev libmaxminddb-dev libxslt1-dev libxml2-dev g++ curl

How to Install?

1. Clone this repository - git clone https://github.com/hakasenyang/nginx-build.git --recursive
2. Install dependency library. (If you have already install it, omit it.)
3. Edit for config.inc file. (SERVER_HEADER, Modules, ETC.)
   • If you receive the source for the first time, type the following command to set it.
   • Then modify config.inc.
   • cp config.inc.example config.inc
4. Run sudo ./auto.sh
5. Install systemd file (If you have already install it, omit it.)
6. Check version and error test : nginx -v; nginx -t;
7. Run systemctl restart nginx
8. The END!!

Features

• Auto SSL Cipher settings
  • The following information is preset. Do not set it yourself unless you need it.
  • ssl_protocols : TLSv1.2 TLSv1.3
  • ssl_ciphers : [TLS13+AESGCM+AES128|TLS13+CHACHA20]:TLS13+AESGCM+AES256:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA
  • ssl_prefer_server_ciphers : On
  • ssl_ecdh_curve : X25519:P-256:P-384
  • ssl_session_timeout : 64800 (< TLSv1.3)
  • ssl_session_timeout_tls13 : 172800 (TLSv1.3 only)
  • DO NOT USE ssl_dhparam. Not required.
  • Use the settings below to support older browsers. (TLS Protocol)
  • ssl_protocols : TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
  • ssl_ciphers : [TLS13+AESGCM+AES128|TLS13+CHACHA20]:TLS13+AESGCM+AES256:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
• TLS v1.3
  • Use OpenSSL-3.0.0-alpha3-dev
  • Use OpenSSL equal preference patch (BoringSSL & buik)
  • My OpenSSL patch is here.
• Prefers ChaCha20 suites with clients that don't have AES-NI(AES hardware acceleration) (e.g., Android devices)
  • Support CHACHA20-draft by @JemmyLoveJenny.
• More library!
  • headers_more_nginx_module
  • Google PageSpeed for nginx
  • and the other.
• Support HPACK, SSL Dynamic TLS Records. (Thanks to cloudflare!)
• SSL Strict-SNI (ex: http { strict_sni on; } ) (Thanks to @JemmyLoveJenny)
  • Strict SNI requires at least two ssl server settings (server { listen 443 ssl }).
  • If you do not have two server settings, SNI will not be enabled and Strict SNI will not be enabled.
  • It does not matter what kind of certificate or duplicate.
  • Use "strict_sni_header on" if you do not want to respond to invalid headers. (only with strict_sni)
• GeoIP2 Module - Issues #2
  • Check the following page for GeoIP2 settings method.

Upcoming Features

• Auto build (rpm, deb, etc.)
• Memory sharing(shm) for OCSP Stapling.
• ETC.

Deprecated Features

• SPDY (Not compatible this version.)
• GeoIP (Changed to GeoIP2.)