How to build an Nginx with Brotli and TLS 1.3 support

This is a record of how I built Nginx with Brotli compression and TLS 1.3 support.


I use it on my Linode VPS. It is a Nanode type of VPS in Fremont, CA, USA.

1GB RAM, 25GB storage, 1 CPU.

Ubuntu 18.04 LTS was installed on it.

Linode VPS @Fremont,CA


Step 0, Build the system from the Linode Dashboard.

Step 1, Update the system

I SSH to the server as user root.

apt update

apt upgrade

Step 2, Enable TCP BBR to improve network speed

sysctl net.ipv4.tcp_available_congestion_control

The above command should report:

net.ipv4.tcp_available_congestion_control = cubic reno

To change it to bbr, open the file /etc/sysctl.conf and add the following lines at the end of the file.

net.core.default_qdisc=fq

net.ipv4.tcp_congestion_control=bbr

Save the file and enter the following command to apply the settings:

sysctl -p

Step 3, Install Webmin 1.910

I like to use Webmin as my web panel on the VPS.

Enter the following commands to install the latest Webmin version, 1.910:

apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.910_all.deb
dpkg --install webmin_1.910_all.deb

Reboot the server; the SSH connection will be lost.

Step 4, Add a new user

Sign in to Webmin as user root by entering https://ip.address.of.the.vps:10000 into the browser.

Add a new user, for example davidyin, and add sudo as the secondary group of this user.

From this point, I will use davidyin to do all the SSH jobs. I will not use root in the terminal anymore.

Step 5, Build Nginx with TLS 1.3 and Brotli

SSH to the VPS as user davidyin.

First, the versions of the software used:

  • Openssl: openssl-1.1.1b
  • Nginx: nginx-1.17.0
  • Brotli: ngx-brotli-0.13rc


Install the related software packages.

sudo apt install build-essential

sudo apt install libpcre3 libpcre3-dev zlib1g zlib1g-dev openssl libssl-dev

Prepare the source code.

Nginx:

wget https://nginx.org/download/nginx-1.17.0.tar.gz

tar xvzf nginx-1.17.0.tar.gz

rm nginx-1.17.0.tar.gz

Openssl:

wget https://www.openssl.org/source/openssl-1.1.1b.tar.gz

tar xvzf openssl-1.1.1b.tar.gz

rm openssl-1.1.1b.tar.gz

Brotli:
git clone https://github.com/eustas/ngx_brotli.git

cd ngx_brotli

git submodule update --init --recursive

Compile Nginx. The configure line below links the OpenSSL 1.1.1b source tree statically with TLS 1.3 enabled and adds ngx_brotli as a module:

cd ~/nginx-1.17.0

./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/nginx.lock --user=www-data --group=www-data --with-openssl=../openssl-1.1.1b --with-openssl-opt=enable-tls1_3 --with-http_v2_module --with-http_ssl_module --with-debug --with-http_gunzip_module --with-http_realip_module --with-http_sub_module --with-http_gzip_static_module --with-threads --with-file-aio --add-module=../ngx_brotli

make

sudo make install

Make Nginx a service

If you cannot start Nginx as a service with “sudo service nginx restart”, create a new file at /etc/systemd/system/nginx.service:

cd /etc/systemd/system

sudo nano nginx.service

Paste the following content:

# Stop dance for nginx
# =======================
#
# ExecStop sends SIGQUIT (graceful stop) to the nginx process.
# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
# and sends SIGTERM (fast shutdown) to the main process.
# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
#
# nginx signals reference doc:
# http://nginx.org/en/docs/control.html
#
[Unit]
Description=A high performance web server and a reverse proxy server
After=network.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /var/run/nginx.pid
TimeoutStopSec=5
KillMode=mixed
[Install]
WantedBy=multi-user.target

Enter the command nginx -V to check the version; it should report:

nginx version: nginx/1.17.0
built by gcc 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04)
built with OpenSSL 1.1.1b 26 Feb 2019

Nginx now supports TLS 1.3 and Brotli compression.
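As an added check that is not part of the original post, the shell function below inspects an nginx -V report and confirms that the build carries the features configured above (an OpenSSL 1.1.1 or newer, the TLS 1.3 option, the SSL and HTTP/2 modules, and the ngx_brotli module). The two report strings are constructed samples; on the server you would pass the real output with check_nginx_build "$(nginx -V 2>&1)".

```shell
#!/bin/sh
# Added example, not from the original post. Verify an `nginx -V` report
# (nginx prints it on stderr, hence `2>&1`) against the features this build
# was configured for. Returns 0 when all are present, 1 otherwise, and lists
# whatever is missing on stderr.
check_nginx_build() {
    report="$1"
    missing=""
    # TLS 1.3 needs OpenSSL 1.1.1 or newer; the post builds against 1.1.1b.
    printf '%s\n' "$report" | grep -Eq 'built with OpenSSL (1\.1\.1|3\.)' \
        || missing="$missing openssl>=1.1.1"
    # Configure arguments the post relies on for TLS, HTTP/2 and Brotli.
    for flag in --with-http_ssl_module --with-http_v2_module \
                --with-openssl-opt=enable-tls1_3 --add-module=../ngx_brotli; do
        printf '%s\n' "$report" | grep -Fq -- "$flag" || missing="$missing $flag"
    done
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample of what the build described in this post reports.
SAMPLE_REPORT='nginx version: nginx/1.17.0
built by gcc 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04)
built with OpenSSL 1.1.1b  26 Feb 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --with-openssl=../openssl-1.1.1b --with-openssl-opt=enable-tls1_3 --with-http_v2_module --with-http_ssl_module --add-module=../ngx_brotli'

# Constructed sample of a distribution package built without Brotli
# and without the TLS 1.3 OpenSSL option.
STOCK_REPORT='nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.1  11 Sep 2018
configure arguments: --with-http_ssl_module --with-http_v2_module'

check_nginx_build "$SAMPLE_REPORT" && echo "build has TLS 1.3 and Brotli support"
```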