From 9c89c47dc6aa508b1265a10cf08240f59d96e329 Mon Sep 17 00:00:00 2001 From: "rieger::CLOUD" Date: Tue, 2 Oct 2018 08:15:32 +0200 Subject: [PATCH 1/6] Preparation for NGINX modifications made to the rules file --- rules.nginx | 137 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 137 insertions(+) create mode 100644 rules.nginx diff --git a/rules.nginx b/rules.nginx new file mode 100644 index 0000000..7d41ceb --- /dev/null +++ b/rules.nginx 
@@ -0,0 +1,137 @@ +#!/usr/bin/make -f + +#export DH_VERBOSE=1 +export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie +export DEB_CFLAGS_MAINT_APPEND=-Wp,-D_FORTIFY_SOURCE=2 -fPIC +export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -pie +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk + +PKGS = nginx #nginx-dbg + +BUILDDIR_nginx = $(CURDIR)/debian/build-nginx +BUILDDIR_nginx_debug = $(CURDIR)/debian/build-nginx-debug +INSTALLDIR = $(CURDIR)/debian/nginx +BASEDIR = $(CURDIR) + +ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + ifeq (${NUMJOBS}, 0) + NUMJOBS = 1 + endif +else + NUMJOBS = 1 +endif + +DO_PKGS = $(PKGS) + +config.env.%: + dh_testdir + mkdir -p $(BUILDDIR_$*) + cp -Pa $(CURDIR)/auto $(BUILDDIR_$*)/ + cp -Pa $(CURDIR)/conf $(BUILDDIR_$*)/ + cp -Pa $(CURDIR)/configure $(BUILDDIR_$*)/ + cp -Pa $(CURDIR)/contrib $(BUILDDIR_$*)/ + cp -Pa $(CURDIR)/man $(BUILDDIR_$*)/ + cp -Pa $(CURDIR)/src $(BUILDDIR_$*)/ + touch $@ + +config.status.nginx: config.env.nginx + cd $(BUILDDIR_nginx) && \ + CFLAGS="" ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module 
--with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt="$(CFLAGS)" --with-ld-opt="$(LDFLAGS)" --with-openssl=/usr/local/src/openssl + touch $@ + +config.status.nginx_debug: config.env.nginx_debug + cd $(BUILDDIR_nginx_debug) && \ + CFLAGS="" ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt="$(CFLAGS)" --with-ld-opt="$(LDFLAGS)" --with-openssl=/usr/local/src/openssl --with-debug + touch $@ + +build-arch.%: config.status.% + dh_testdir + dh_prep + $(MAKE) -j$(NUMJOBS) -C $(BUILDDIR_$*) build + +build-arch: build-arch.nginx build-arch.nginx_debug + dh_testdir + touch $@ + +build-dbg.%: install + dh_testdir + dh_strip --dbg-package=nginx-dbg + +build-dbg: 
build-dbg.nginx + dh_testdir + touch $@ + +build-indep: + dh_testdir + touch $@ + +build: build-arch build-indep + dh_testdir + touch $@ + +clean: + dh_testdir + dh_testroot + dh_clean + rm -f $(CURDIR)/objs + rm -rf $(CURDIR)/debian/build-* + rm -f $(CURDIR)/debian/*.init + find $(CURDIR) -maxdepth 1 -size 0 -delete + +post-build: + mv $(BUILDDIR_nginx_debug)/objs/nginx $(BUILDDIR_nginx_debug)/objs/nginx-debug + ln -s $(BUILDDIR_nginx)/objs $(CURDIR)/objs + cp $(BUILDDIR_nginx)/objs/nginx.8 $(BUILDDIR_nginx)/objs/nginx-debug.8 + +install: + dh_testdir + dh_testroot + dh_prep + dh_installdirs + dh_install + mkdir -p $(INSTALLDIR)/usr/lib/nginx/modules + mkdir -p $(INSTALLDIR)/usr/share/doc/nginx + install -m 644 debian/CHANGES $(INSTALLDIR)/usr/share/doc/nginx/changelog + install -m 644 debian/nginx.vh.default.conf $(INSTALLDIR)/etc/nginx/conf.d/default.conf + ln -s /usr/lib/nginx/modules $(INSTALLDIR)/etc/nginx/modules + +binary-indep: build post-build install + dh_testdir + dh_testroot + dh_installman -i -pnginx + dh_installdebconf + sed -e 's/%%PROVIDES%%/nginx/g' \ + -e 's/%%DEFAULTSTART%%/2 3 4 5/g' \ + -e 's/%%DEFAULTSTOP%%/0 1 6/g' \ + < debian/nginx.init.in > debian/nginx.init + dh_installinit -i -pnginx --no-restart-on-upgrade --no-start --name=nginx + dh_systemd_enable -pnginx --name=nginx nginx.service + sed -e 's/%%PROVIDES%%/nginx-debug/g' \ + -e 's/%%DEFAULTSTART%%//g' \ + -e 's/%%DEFAULTSTOP%%/0 1 2 3 4 5 6/g' \ + < debian/nginx.init.in > debian/nginx-debug.init + dh_installinit -i -pnginx --no-restart-on-upgrade --no-start --noscripts --name=nginx-debug + dh_systemd_enable -pnginx --name=nginx-debug --no-enable nginx-debug.service + dh_installlogrotate -i -pnginx --name=nginx + +binary-arch: install build-dbg + dh_testdir + dh_testroot + dh_installchangelogs -a + dh_installdocs -a + dh_lintian -a + dh_link -aA + dh_compress -a + dh_perl -a + dh_fixperms -a + dh_installdeb -a + dh_shlibdeps -a --dpkg-shlibdeps-params=--ignore-missing-info + 
dh_gencontrol -a + dh_md5sums -a + dh_builddeb $(foreach p,$(DO_PKGS),-p$(p)) + +binary: binary-indep binary-arch + +.PHONY: build clean binary-indep binary-arch binary install From 88b4fd30ea2f16c3a07d525174ca07dbeb502204 Mon Sep 17 00:00:00 2001 From: "rieger::CLOUD" Date: Tue, 2 Oct 2018 08:17:41 +0200 Subject: [PATCH 2/6] Compile NGINX using OpenSSL 1.1.1 The script will compile NGINX from scratch to embed OpenSSL 1.1.1 and enable TLSv.13 --- install-nextcloud.sh | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/install-nextcloud.sh b/install-nextcloud.sh index d8ca8b6..3e20e22 100644 --- a/install-nextcloud.sh +++ b/install-nextcloud.sh @@ -65,8 +65,20 @@ update_and_clean apt install software-properties-common zip unzip screen curl git wget ffmpeg libfile-fcntllock-perl -y apt remove nginx nginx-common nginx-full -y --allow-change-held-packages update_and_clean -###instal NGINX -apt install nginx -y +###instal NGINX using TLSv1.3, OpenSSL 1.1.1 +mkdir /usr/local/src/nginx && cd /usr/local/src/nginx/ +apt install dpkg-dev -y && apt source nginx +cd /usr/local/src && apt install git -y +git clone https://github.com/openssl/openssl.git +cd openssl && git checkout OpenSSL_1_1_1-stable +cp /usr/local/src/install-nextcloud/rules.nginx /usr/local/src/nginx/nginx-1.15.4/debian/rules +sed -i "s/.*-Werror.*/# &/" /usr/local/src/nginx/nginx-1.15.4/auto/cc/gcc +cd /usr/local/src/nginx/nginx-1.15.4/ +apt build-dep nginx -y && dpkg-buildpackage -b +cd /usr/local/src/nginx/ +dpkg -i nginx_1.15.4-1~bionic_amd64.deb +service nginx restart && apt-mark hold nginx +# apt install nginx -y ###enable NGINX autostart systemctl enable nginx.service ### prepare the NGINX From e8aa24c49a8407b592c5dfc8183c17fdc7a18a89 Mon Sep 17 00:00:00 2001 
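Review bot: Both `./configure` recipes (`config.status.nginx` and `config.status.nginx_debug`) pass `--with-openssl=/usr/local/src/openssl`, which as far as nginx's build system documents it compiles that source tree and links it statically into the binary. Later libssl security updates from apt will therefore not reach this nginx, and every OpenSSL advisory means rebuilding the package. The path is a hard-coded absolute location outside the package tree, and nothing in either recipe checks that it exists or which revision it holds. I would lift it into a variable near the top, `OPENSSL_SRC ?= /usr/local/src/openssl`, use `--with-openssl=$(OPENSSL_SRC)` in both recipes, and add a comment there recording the static link and the rebuild duty. Separately, the two configure argument lists are identical apart from `--with-debug`, so a shared `CONFIGURE_ARGS` variable would stop the release and debug builds drifting apart.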
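Review bot: `git checkout OpenSSL_1_1_1-stable` builds whatever the branch head is at install time, as root, with no pinned release and no signature check, so two runs of the script can ship different TLS code and an upstream mistake goes straight into the web server. Pin a release tag instead, e.g. `git checkout OpenSSL_1_1_1`, and run `git verify-tag OpenSSL_1_1_1` first if the OpenSSL release key has been imported. The added `apt-mark hold nginx` then freezes this hand-built package, so apt will update neither nginx nor the embedded OpenSSL; that deserves a comment next to the line and a documented rebuild procedure. The hard-coded `nginx-1.15.4` paths and `nginx_1.15.4-1~bionic_amd64.deb` stop matching as soon as `apt source nginx` returns a newer version. Because `mkdir /usr/local/src/nginx` has no `-p` and no failure handling is visible in the hunk, a rerun appears to carry on in the wrong directory with the distribution nginx already removed.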
From: "rieger::CLOUD" Date: Tue, 2 Oct 2018 08:40:31 +0200 Subject: [PATCH 3/6] NGINX RULES cosmeticals --- rules.nginx | 168 ++++++++++++++++++++++++++-------------------------- 1 file changed, 84 insertions(+), 84 deletions(-) diff --git a/rules.nginx b/rules.nginx index 7d41ceb..f1a6989 100644 --- a/rules.nginx +++ b/rules.nginx 
@@ -15,122 +15,122 @@ INSTALLDIR = $(CURDIR)/debian/nginx BASEDIR = $(CURDIR) ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) - NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) - ifeq (${NUMJOBS}, 0) - NUMJOBS = 1 - endif + NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + ifeq (${NUMJOBS}, 0) + NUMJOBS = 1 + endif else - NUMJOBS = 1 + NUMJOBS = 1 endif DO_PKGS = $(PKGS) config.env.%: - dh_testdir - mkdir -p $(BUILDDIR_$*) - cp -Pa $(CURDIR)/auto $(BUILDDIR_$*)/ - cp -Pa $(CURDIR)/conf $(BUILDDIR_$*)/ - cp -Pa $(CURDIR)/configure $(BUILDDIR_$*)/ - cp -Pa $(CURDIR)/contrib $(BUILDDIR_$*)/ - cp -Pa $(CURDIR)/man $(BUILDDIR_$*)/ - cp -Pa $(CURDIR)/src $(BUILDDIR_$*)/ - touch $@ + dh_testdir + mkdir -p $(BUILDDIR_$*) + cp -Pa $(CURDIR)/auto $(BUILDDIR_$*)/ + cp -Pa $(CURDIR)/conf $(BUILDDIR_$*)/ + cp -Pa $(CURDIR)/configure $(BUILDDIR_$*)/ + cp -Pa $(CURDIR)/contrib $(BUILDDIR_$*)/ + cp -Pa $(CURDIR)/man $(BUILDDIR_$*)/ + cp -Pa $(CURDIR)/src $(BUILDDIR_$*)/ + touch $@ config.status.nginx: config.env.nginx - cd $(BUILDDIR_nginx) && \ - CFLAGS="" ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module 
--with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt="$(CFLAGS)" --with-ld-opt="$(LDFLAGS)" --with-openssl=/usr/local/src/openssl - touch $@ + cd $(BUILDDIR_nginx) && \ + CFLAGS="" ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt="$(CFLAGS)" --with-ld-opt="$(LDFLAGS)" --with-openssl=/usr/local/src/openssl + touch $@ config.status.nginx_debug: config.env.nginx_debug - cd $(BUILDDIR_nginx_debug) && \ - CFLAGS="" ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log 
--pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt="$(CFLAGS)" --with-ld-opt="$(LDFLAGS)" --with-openssl=/usr/local/src/openssl --with-debug - touch $@ + cd $(BUILDDIR_nginx_debug) && \ + CFLAGS="" ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module 
--with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt="$(CFLAGS)" --with-ld-opt="$(LDFLAGS)" --with-openssl=/usr/local/src/openssl --with-debug + touch $@ build-arch.%: config.status.% - dh_testdir - dh_prep - $(MAKE) -j$(NUMJOBS) -C $(BUILDDIR_$*) build + dh_testdir + dh_prep + $(MAKE) -j$(NUMJOBS) -C $(BUILDDIR_$*) build build-arch: build-arch.nginx build-arch.nginx_debug - dh_testdir - touch $@ + dh_testdir + touch $@ build-dbg.%: install - dh_testdir - dh_strip --dbg-package=nginx-dbg + dh_testdir + dh_strip --dbg-package=nginx-dbg build-dbg: build-dbg.nginx - dh_testdir - touch $@ + dh_testdir + touch $@ build-indep: - dh_testdir - touch $@ + dh_testdir + touch $@ build: build-arch build-indep - dh_testdir - touch $@ + dh_testdir + touch $@ clean: - dh_testdir - dh_testroot - dh_clean - rm -f $(CURDIR)/objs - rm -rf $(CURDIR)/debian/build-* - rm -f $(CURDIR)/debian/*.init - find $(CURDIR) -maxdepth 1 -size 0 -delete + dh_testdir + dh_testroot + dh_clean + rm -f $(CURDIR)/objs + rm -rf $(CURDIR)/debian/build-* + rm -f $(CURDIR)/debian/*.init + find $(CURDIR) -maxdepth 1 -size 0 -delete post-build: - mv $(BUILDDIR_nginx_debug)/objs/nginx $(BUILDDIR_nginx_debug)/objs/nginx-debug - ln -s $(BUILDDIR_nginx)/objs $(CURDIR)/objs - cp $(BUILDDIR_nginx)/objs/nginx.8 $(BUILDDIR_nginx)/objs/nginx-debug.8 + mv $(BUILDDIR_nginx_debug)/objs/nginx $(BUILDDIR_nginx_debug)/objs/nginx-debug + ln -s $(BUILDDIR_nginx)/objs $(CURDIR)/objs + cp $(BUILDDIR_nginx)/objs/nginx.8 $(BUILDDIR_nginx)/objs/nginx-debug.8 install: - dh_testdir - dh_testroot - dh_prep - dh_installdirs - dh_install - mkdir -p $(INSTALLDIR)/usr/lib/nginx/modules - mkdir -p $(INSTALLDIR)/usr/share/doc/nginx - install -m 644 debian/CHANGES $(INSTALLDIR)/usr/share/doc/nginx/changelog - install -m 644 
debian/nginx.vh.default.conf $(INSTALLDIR)/etc/nginx/conf.d/default.conf - ln -s /usr/lib/nginx/modules $(INSTALLDIR)/etc/nginx/modules + dh_testdir + dh_testroot + dh_prep + dh_installdirs + dh_install + mkdir -p $(INSTALLDIR)/usr/lib/nginx/modules + mkdir -p $(INSTALLDIR)/usr/share/doc/nginx + install -m 644 debian/CHANGES $(INSTALLDIR)/usr/share/doc/nginx/changelog + install -m 644 debian/nginx.vh.default.conf $(INSTALLDIR)/etc/nginx/conf.d/default.conf + ln -s /usr/lib/nginx/modules $(INSTALLDIR)/etc/nginx/modules binary-indep: build post-build install - dh_testdir - dh_testroot - dh_installman -i -pnginx - dh_installdebconf - sed -e 's/%%PROVIDES%%/nginx/g' \ - -e 's/%%DEFAULTSTART%%/2 3 4 5/g' \ - -e 's/%%DEFAULTSTOP%%/0 1 6/g' \ - < debian/nginx.init.in > debian/nginx.init - dh_installinit -i -pnginx --no-restart-on-upgrade --no-start --name=nginx - dh_systemd_enable -pnginx --name=nginx nginx.service - sed -e 's/%%PROVIDES%%/nginx-debug/g' \ - -e 's/%%DEFAULTSTART%%//g' \ - -e 's/%%DEFAULTSTOP%%/0 1 2 3 4 5 6/g' \ - < debian/nginx.init.in > debian/nginx-debug.init - dh_installinit -i -pnginx --no-restart-on-upgrade --no-start --noscripts --name=nginx-debug - dh_systemd_enable -pnginx --name=nginx-debug --no-enable nginx-debug.service - dh_installlogrotate -i -pnginx --name=nginx + dh_testdir + dh_testroot + dh_installman -i -pnginx + dh_installdebconf + sed -e 's/%%PROVIDES%%/nginx/g' \ + -e 's/%%DEFAULTSTART%%/2 3 4 5/g' \ + -e 's/%%DEFAULTSTOP%%/0 1 6/g' \ + < debian/nginx.init.in > debian/nginx.init + dh_installinit -i -pnginx --no-restart-on-upgrade --no-start --name=nginx + dh_systemd_enable -pnginx --name=nginx nginx.service + sed -e 's/%%PROVIDES%%/nginx-debug/g' \ + -e 's/%%DEFAULTSTART%%//g' \ + -e 's/%%DEFAULTSTOP%%/0 1 2 3 4 5 6/g' \ + < debian/nginx.init.in > debian/nginx-debug.init + dh_installinit -i -pnginx --no-restart-on-upgrade --no-start --noscripts --name=nginx-debug + dh_systemd_enable -pnginx --name=nginx-debug --no-enable 
nginx-debug.service + dh_installlogrotate -i -pnginx --name=nginx binary-arch: install build-dbg - dh_testdir - dh_testroot - dh_installchangelogs -a - dh_installdocs -a - dh_lintian -a - dh_link -aA - dh_compress -a - dh_perl -a - dh_fixperms -a - dh_installdeb -a - dh_shlibdeps -a --dpkg-shlibdeps-params=--ignore-missing-info - dh_gencontrol -a - dh_md5sums -a - dh_builddeb $(foreach p,$(DO_PKGS),-p$(p)) + dh_testdir + dh_testroot + dh_installchangelogs -a + dh_installdocs -a + dh_lintian -a + dh_link -aA + dh_compress -a + dh_perl -a + dh_fixperms -a + dh_installdeb -a + dh_shlibdeps -a --dpkg-shlibdeps-params=--ignore-missing-info + dh_gencontrol -a + dh_md5sums -a + dh_builddeb $(foreach p,$(DO_PKGS),-p$(p)) binary: binary-indep binary-arch From 79b26930f583d1617d7b28d13f82ee351caa51a2 Mon Sep 17 00:00:00 2001 From: "rieger::CLOUD" Date: Tue, 2 Oct 2018 08:54:01 +0200 Subject: [PATCH 4/6] Nextcloud latest using TLS 1.3 and OpenSSL 1.1.1 Nextcloud latest using TLS 1.3 and OpenSSL 1.1.1 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7fc5b99..d3d8c3c 100644 --- a/README.md +++ b/README.md @@ -4,8 +4,8 @@ The initial script (install-nextcloud.sh) will install your self hosted Nextclou Fail2Ban (Nextcloud and SSH jails) MariaDB 10.3.9 Nextcloud 14 - NGINX 1.15.3 - OpenSSL 1.1.0 + NGINX 1.15.4 TLSv.1.3 + OpenSSL 1.1.1 PHP 7.2.10 Redis-Server self signed or Let's Encrypt SSL using the second script From baf7db734f11a07ff6146b8dbd8f70c3353ad1c1 Mon Sep 17 00:00:00 2001 From: "rieger::CLOUD" Date: Tue, 2 Oct 2018 08:57:59 +0200 Subject: [PATCH 5/6] Installscript Ready for NGINX 1.15.4 using OpenSSL 1.1.1 and TLSv1.3 --- install-nextcloud.sh | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/install-nextcloud.sh b/install-nextcloud.sh index 3e20e22..95ed707 100644 --- a/install-nextcloud.sh +++ b/install-nextcloud.sh 
@@ -3,8 +3,9 @@ # https://www.c-rieger.de # https://github.com/riegercloud # INSTALL-NEXTCLOUD.SH -# Version 5.2 AMD64 -# September, 20th 2018 +# Version 6.0 +# OpenSSL 1.1.1, TLSv1.3 +# Octobre, 02nd 2018 ################################################ # Ubuntu 18.04 LTS AMD64 - Nextcloud 14 ################################################ @@ -437,12 +438,12 @@ ssl_trusted_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; -ssl_protocols TLSv1.2; -ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384'; +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384'; ssl_ecdh_curve secp521r1:secp384r1:prime256v1; ssl_prefer_server_ciphers on; -#ssl_stapling on; -#ssl_stapling_verify on; +ssl_stapling on; +ssl_stapling_verify on; EOF touch /etc/nginx/proxy.conf cat </etc/nginx/proxy.conf From 9deb6f26e009703041e7affacc19fc9fb4bf253a Mon Sep 17 00:00:00 2001 From: "rieger::CLOUD" Date: Tue, 2 Oct 2018 08:58:47 +0200 Subject: [PATCH 6/6] Rules NGINX rules file for compilation purposes --- rules.nginx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules.nginx b/rules.nginx index f1a6989..b0f203f 100644 --- a/rules.nginx +++ b/rules.nginx @@ -7,7 +7,7 @@ export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -pie DPKG_EXPORT_BUILDFLAGS = 1 include /usr/share/dpkg/buildflags.mk -PKGS = nginx #nginx-dbg +PKGS = nginx nginx-dbg BUILDDIR_nginx = $(CURDIR)/debian/build-nginx BUILDDIR_nginx_debug = $(CURDIR)/debian/build-nginx-debug
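Review bot: The two entries added at the front of `ssl_ciphers`, `TLS-CHACHA20-POLY1305-SHA256` and `TLS-AES-256-GCM-SHA384`, are not names that OpenSSL's cipher-list parser recognises; the TLS 1.3 suites are spelled with underscores and are configured through a separate ciphersuites setting. They are most likely ignored, so TLS 1.3 is negotiated with OpenSSL's default suites rather than the order written here. `ssl_ciphers` still governs only the TLSv1.2 list, so I would drop the two entries and put a comment above the directive, e.g. `# TLS 1.3 suites come from OpenSSL defaults; ssl_ciphers applies to TLSv1.2 only`. In the same hunk `ssl_stapling on;` and `ssl_stapling_verify on;` are enabled while `ssl_trusted_certificate` (visible in the hunk header) still points at the self-signed snakeoil certificate, which has no OCSP responder, so nginx will presumably log stapling warnings until a CA-issued certificate is installed; stapling also needs a `resolver` directive, which is not visible here. The heredoc this hunk edits starts and ends outside the hunk.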