Ubuntu 24.04 LTS 编译安装 Nginx1.28+BoringSSL+Brotli

KazihaAkaze Posted on 2025-09-11 62 Views

AI Excerpt

历经多次排错,终于成功编译Nginx 1.28 + BoringSSL + Brotli!详细步骤分享,助你轻松搭建高性能QUIC服务器。

博主参考了许多帖子,花费大量时间排错,终于成功编译。

以下为编译步骤:

1. 安装编译依赖

sudo apt update&&sudo apt upgrade&&sudo apt install -y build-essential libpcre3 libpcre3-dev zlib1g zlib1g-dev libbrotli-dev libssl-dev git curl cmake golang-go

2. 准备nginx用户组

sudo groupadd --system nginx
sudo useradd --system --home /nonexistent --no-create-home --shell /bin/false -g nginx --comment "Nginx user" nginx

3. 创建运行目录

sudo mkdir -p /usr/share/nginx
sudo mkdir -p /etc/nginx
sudo mkdir -p /var/log/nginx
sudo mkdir -p /var/lib/nginx/{body,fastcgi,proxy,scgi,uwsgi}
sudo mkdir -p /run
sudo mkdir -p /usr/lib/nginx/modules

4. 设置目录权限

sudo chown -R nginx:nginx /var/lib/nginx
sudo chmod -R 750 /var/lib/nginx

5. 下载源码

cd /usr/local/src
sudo curl -O http://nginx.org/download/nginx-1.28.0.tar.gz
sudo tar -zxvf nginx-1.28.0.tar.gz
sudo git clone https://boringssl.googlesource.com/boringssl
sudo git clone https://github.com/google/ngx_brotli.git

6. 先单独编译BoringSSL

cd /usr/local/src/boringssl
sudo mkdir -p build
cd build
sudo cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF ..
sudo make

7. 初始化Brotli仓库submodule

cd /usr/local/src/ngx_brotli

sudo git submodule update --init

8. 修改Nginx适配BoringSSL提供QUIC支持

sudo vim /usr/local/src/nginx-1.28.0/src/event/quic/ngx_event_quic_openssl_compat.h

找到:

#if defined SSL_R_MISSING_QUIC_TRANSPORT_PARAMETERS_EXTENSION                 \
    || defined LIBRESSL_VERSION_NUMBER

修改为:

#if defined(OPENSSL_IS_BORINGSSL)                                             \
    || defined SSL_R_MISSING_QUIC_TRANSPORT_PARAMETERS_EXTENSION             \
    || defined LIBRESSL_VERSION_NUMBER

即增加一个判断是否为BoringSSL的条件

9. 配置Nginx手动链接BoringSSL

cd /usr/local/src/nginx-1.28.0

sudo ./configure \
    --with-cc-opt='-O3 -march=native -g -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fPIC -Wdate-time -D_FORTIFY_SOURCE=3 -I../boringssl/include' \
    --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now -fPIC -L../boringssl/build -lstdc++' \
    --with-compat \
    --with-debug \
    --with-pcre-jit \
    --with-threads \
    --with-openssl=../boringssl \
    --with-http_v3_module \
    --with-http_v2_module \
    --with-http_ssl_module \
    --with-http_realip_module \
    --with-http_addition_module \
    --with-http_sub_module \
    --with-http_dav_module \
    --with-http_gzip_static_module \
    --with-http_gunzip_module \
    --with-http_auth_request_module \
    --with-http_random_index_module \
    --with-http_secure_link_module \
    --with-http_slice_module \
    --with-http_stub_status_module \
    --add-module=../ngx_brotli \
    --with-stream \
    --with-stream_ssl_module \
    --with-stream_ssl_preread_module \
    --with-stream_realip_module \
    --with-http_flv_module \
    --with-http_mp4_module \
    --with-mail_ssl_module \
    --prefix=/usr/share/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --http-log-path=/var/log/nginx/access.log \
    --error-log-path=/var/log/nginx/error.log \
    --lock-path=/var/lock/nginx.lock \
    --pid-path=/run/nginx.pid \
    --modules-path=/usr/lib/nginx/modules \
    --http-client-body-temp-path=/var/lib/nginx/body \
    --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
    --http-proxy-temp-path=/var/lib/nginx/proxy \
    --http-scgi-temp-path=/var/lib/nginx/scgi \
    --http-uwsgi-temp-path=/var/lib/nginx/uwsgi

10. 欺骗Nginx执行编译流程

cd /usr/local/src/nginx-1.28.0

printf 'all:\n\t@true\n\ninstall_sw:\n\t@true\nclean:\n\t@true\n' | sudo tee /usr/local/src/boringssl/Makefile > /dev/null

sudo touch /usr/local/src/boringssl/config

sudo chmod +x /usr/local/src/boringssl/config

sudo mkdir -p /usr/local/src/boringssl/.openssl/lib

sudo ln -s /usr/local/src/boringssl/build/libssl.a /usr/local/src/boringssl/.openssl/lib

sudo ln -s /usr/local/src/boringssl/build/libcrypto.a /usr/local/src/boringssl/.openssl/lib

sudo ln -s /usr/local/src/boringssl/include /usr/local/src/boringssl/.openssl

sudo make

sudo make install

11. 验证

/usr/share/nginx/sbin/nginx -V

nginx version: nginx/1.28.0
built by gcc 13.3.0 (Ubuntu 13.3.0-6ubuntu2~24.04)
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --with-cc-opt='-O3 -march=native -g -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fPIC -Wdate-time -D_FORTIFY_SOURCE=3 -I../boringssl/include' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now -fPIC -L../boringssl/build -lstdc++' --with-compat --with-debug --with-pcre-jit --with-threads --with-openssl=../boringssl --with-http_v3_module --with-http_v2_module --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-http_stub_status_module --add-module=../ngx_brotli --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-http_flv_module --with-http_mp4_module --with-mail_ssl_module --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi

完成!