How to build NGINX with TLS support on Ubuntu Server 18.04

Out of the box, NGINX isn't built with TLS support, but Jack Wallen walks you through the process of building NGINX to support the security protocol.

NGINX has become a very popular web server, and with good reason: it's incredibly fast and scales quite well. One of the caveats with using this open source web server, however, is that it doesn't support Transport Layer Security (TLS) out of the box.

It is possible to build NGINX so that it does support TLS, and I'm going to walk you through the process of doing just that. I'll demonstrate on Ubuntu Server 18.04. The process is handled completely from the command line and shouldn't take more than thirty minutes of your time.

Why TLS?

Why is TLS necessary? The answer is simple—security and performance. With the release of the latest version of TLS, round trip handshakes are faster and more secure. Thanks to the new zero round trip mode (0-RTT session resumption), connection time will be drastically reduced (a big improvement for mobile users). With this new flavor of TLS built into NGINX, you can count on a more secure platform, thanks to the TLS developers having also removed support for old cipher suites.

But how do you build this into NGINX? Let's find out. Get ready to type.

Adding the official NGINX repository

The first thing to do is add the official NGINX repository. Open a terminal window and issue the following two commands:

wget http://nginx.org/keys/nginx_signing.key
sudo apt-key add nginx_signing.key

Next, create an apt source file for NGINX with the command:

sudo nano /etc/apt/sources.list.d/nginx.list

In that new file, paste the following contents:

deb [arch=amd64] http://nginx.org/packages/mainline/ubuntu/ bionic nginx
deb-src http://nginx.org/packages/mainline/ubuntu/ bionic nginx

Save and close that file.

Update apt with the command:

sudo apt update
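
The signing key above is fetched over plain HTTP and then trusted by apt, so it is worth comparing its fingerprint with one obtained from nginx.org over HTTPS before running apt-key add. The following check is an added example, not part of the original article; the function names and the EXPECTED_FPR placeholder are assumptions.

```sh
#!/bin/sh
# Added example: trust a downloaded repository key only if every primary key
# in the file has a fingerprint you obtained separately over HTTPS.

# Print the primary-key fingerprints found in "gpg --with-colons" output
# (stdin). A "pub" record is followed by an "fpr" record whose 10th field is
# the fingerprint; fingerprints that follow "sub" records belong to subkeys.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# Listing on stdin, allowed fingerprints as arguments. Succeeds only if the
# listing has at least one primary key and all of them are in the allowed set.
all_keys_expected() {
    allowed=" $(printf '%s ' "$@" | tr 'a-f' 'A-F')"
    found=$(primary_fingerprints)
    [ -n "$found" ] || return 1
    for fpr in $found; do
        case "$allowed" in
            *" $fpr "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Hypothetical wrapper: $1 = key file, remaining arguments = allowed
# fingerprints. Lists the key without importing it, then calls apt-key.
add_key_if_trusted() {
    keyfile=$1; shift
    if gpg --with-colons --import-options show-only --import "$keyfile" \
            2>/dev/null | all_keys_expected "$@"; then
        sudo apt-key add "$keyfile"
    else
        echo "unexpected key in $keyfile, not added" >&2
        return 1
    fi
}

# Usage, with a placeholder for the fingerprint published by nginx.org:
#   add_key_if_trusted nginx_signing.key "$EXPECTED_FPR"
```

A file that bundles an extra, unlisted key is rejected as a whole, which is the behaviour you want for a key that apt will trust for package signatures.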

Download the NGINX source code

Now we have to download the NGINX source code. To do this, first create a new directory with the command:

sudo mkdir /usr/local/src/nginx

Change into that new directory with the command cd /usr/local/src/nginx and issue the following commands:

sudo apt install dpkg-dev
sudo apt source nginx

Issue the ls command and take note of the version number of NGINX (for my demonstration, that number is 1.15.5).

Clone OpenSSL

Now we need to clone OpenSSL from GitHub. Do this with the following commands:

cd /usr/local/src
sudo apt install git
sudo git clone https://github.com/openssl/openssl.git
cd openssl

Using git, find out the latest branch of OpenSSL with the command:

git branch -a

For this demonstration, that branch is 1_1_1-stable.

Check out that branch with the command:

sudo git checkout OpenSSL_1_1_1-stable

Configure the NGINX compile rules

To enable SSL for NGINX, we must edit the compile rules. Issue the command:

sudo nano /usr/local/src/nginx/nginx-1.15.5/debian/rules

Note: Make sure to use the version of NGINX you downloaded.

Locate the following line:

config.status.nginx: config.env.nginx

At the end of the CFLAGS section, add this:

--with-openssl=/usr/local/src/openssl

The above will be added directly after "$(LDFLAGS)", like so:

"$(LDFLAGS)" --with-openssl=/usr/local/src/openssl

Save and close that file.

Compile NGINX

Before we build NGINX, we have to prevent a build error. Issue the command:

sudo nano /usr/local/src/nginx/nginx-1.15.5/auto/cc/gcc

Locate the following line and comment it out by adding a # symbol at the beginning (Figure A):

CFLAGS="$CFLAGS -Werror"

Figure A

Preemptively preventing a build error.


Save and close that file.

Now we get to compile NGINX. Change into the NGINX source directory with the command:

cd /usr/local/src/nginx/nginx-1.15.5

Build NGINX dependencies with the command:

sudo apt build-dep nginx

Finally, build NGINX with the command:

sudo dpkg-buildpackage -b -uc -us

The above command takes about 10-20 minutes, so either sit back and watch the fun or take care of another task.

Installing NGINX

We can now install our TLS-enabled NGINX with the following commands:

cd /usr/local/src/nginx/
sudo dpkg -i nginx_1.15.5-1~bionic_amd64.deb

Note: If you already have NGINX installed, you need to remove it with the command sudo apt remove nginx nginx-common nginx-full.

When the command completes, issue the following to be certain that the build includes OpenSSL:

sudo nginx -V

You should see OpenSSL included (Figure B).

Figure B

OpenSSL has been rolled into NGINX.
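
To make that check repeatable, the script below reads the text printed by nginx -V and reports which OpenSSL version the binary actually uses and whether it is at least 1.1.1, the branch checked out earlier. It is an added example, not part of the original article; the function names are assumptions.

```sh
#!/bin/sh
# Added example: judge an nginx build from the text printed by "nginx -V".

# Print the OpenSSL version nginx reports (text on stdin). When the runtime
# library differs from the build-time one, nginx appends
# "(running with OpenSSL X)"; that runtime version is the one that matters.
openssl_version() {
    sed -n 's/^built with OpenSSL \(.*\)$/\1/p' | awk '
        match($0, /running with OpenSSL [0-9][^ )]*/) {
            print substr($0, RSTART + 21, RLENGTH - 21); next }
        { print $1 }'
}

# Succeed if $1 (for example 1.1.1a-dev or 1.0.2g) is 1.1.1 or newer.
version_at_least_111() {
    echo "$1" | awk -F. '{
        patch = $3; sub(/[^0-9].*/, "", patch)
        exit !($1 * 10000 + $2 * 100 + patch >= 10101) }'
}

# "nginx -V" text on stdin; prints a verdict and returns 0 only for a build
# that uses OpenSSL 1.1.1 or newer.
check_nginx_build() {
    text=$(cat)
    ver=$(printf '%s\n' "$text" | openssl_version)
    if [ -z "$ver" ]; then
        echo "FAIL: no OpenSSL line, built without the SSL module"
        return 1
    fi
    if ! version_at_least_111 "$ver"; then
        echo "FAIL: OpenSSL $ver is older than 1.1.1"
        return 1
    fi
    case "$text" in
        *--with-openssl=*) echo "OK: OpenSSL $ver, built from a source tree" ;;
        *)                 echo "OK: OpenSSL $ver, system library" ;;
    esac
}

# Usage (nginx -V writes to stderr, hence the redirect):
#   nginx -V 2>&1 | check_nginx_build
```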


Congratulations, TLS has now been rolled into NGINX. Next time we'll cover how to enable this feature in the NGINX server blocks, so you can start serving up TLS-enabled sites with NGINX.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
