Categories
Nginx

Nginx 1.10.1 for Jessie and Wheezy

Nginx 1.10 – the new stable major version – has been released on May 24th 2016, followed by Nginx 1.10.1 on May 31st to fix the CVE-2016-4450 vulnerability.

The 1.10 branch brings a lot of new features and improvements, including :

  • HTTP/2 support: The SPDY module was replaced by the HTTP/2 module. Please make sure to update your listen directives.
  • The new stream module that lets you proxy and load-balance UDP and TCP traffic.
  • Support for dynamic modules.
  • SO_REUSEPORT support, TCP support for DNS resolution…

More details in this blog post.

As a consequence, I’m glad to announce that packages of Nginx 1.10.1 are now available :

  • for Debian 8 “Jessie” and Debian 7 “Wheezy”
  • On both amd64 and i386 architectures.

Important note when upgrading : please make sure that you have the following line at the beginning of your /etc/nginx/nginx.conf file :

include /etc/nginx/modules-enabled/*.conf;

Please also note that :

  • HTTP/2 with Chrome as a browser is not supported on stock Jessie and Wheezy, because it requires a more recent OpenSSL 1.0.2 for its ALPN protocol. Backporting such an important library is definitely not an option for me, so it’s totally your responsibility to upgrade OpenSSL from another vendor if you absolutely need HTTP/2.
  • even if the http-auth-pam, http-geoip, http-image-filter, http-lua, http-ndk, http-perl, http-xslt-filter, stream and mail modules now have their dedicated libnginx-mod-* packages, the current packaging scheme and numbering does not take profit from the dynamic loading for other extensions yet.
  • ngx_pagespeed has been updated to version 1.11.33.2 on Jessie.
  • ngx_pagespeed is stuck to version 1.9.32.11 on Wheezy because its 1.10 branch now requires GCC 4.8+. Usage of ngx_pagespeed on Wheezy has been kept for compatibility purpose but is highly discouraged. Upgrade to Jessie instead.
  • naxsi has been moved from its dedicated package to nginx-extras naxsi had to be temporarily disabled because of build failures, it should be back in nginx-extras (no more dedicated nginx-naxsi package) soon.
  • there won’t be any update for Squeeze, since its LTS support has been terminated.

For more details about which modules are included in the different Nginx flavors (light, full and extras), just take a look at the configuration options of their respective sections in the Jessie and Wheezy Makefiles.

67 replies on “Nginx 1.10.1 for Jessie and Wheezy”

nginx-extras for wheezy seems to be broken …

nginx: [emerg] unknown directive “gzip” in /etc/nginx/conf.d/gzip.conf:1

nginx: [emerg] unknown directive “charset” in /etc/nginx/conf.d/headers.conf:1

and so on …

on jessie all is fine…
installes temporarily nginx-full on wheezy …

Sorry for the double post, dotdeb! When I reloaded this page, my first comment was gone and I thought it had not been submitted properly. But after replying to
CKone2one’s comment my first comment popped up again.

Les gens qui utilisent ton repo en production ont du avoir de belles surprises avec des trucs qui fonctionnent à moitié, du naxsi qui disparait…

Would you consider maintaining nginx with a statically linked OpenSSL 1.0.2? That would solve the giant HTTP2 headache in the Jessie-using community.

same here:

dpkg: dependency problems prevent configuration of nginx:
nginx depends on nginx-full (>= 1.10.1-1~dotdeb+7.1) | nginx-light (>= 1.10.1-1~dotdeb+7.1) | nginx-extras (>= 1.10.1-1~dotdeb+7.1); however:
Package nginx-full is not installed.
Package nginx-light is not installed.
Package nginx-extras is not configured yet.
nginx depends on nginx-full (<< 1.10.1-1~dotdeb+7.1.1~) | nginx-light (<< 1.10.1-1~dotdeb+7.1.1~) | nginx-extras (<< 1.10.1-1~dotdeb+7.1.1~); however:
Package nginx-full is not installed.
Package nginx-light is not installed.
Package nginx-extras is not configured yet.

dpkg: error processing nginx (–configure):
dependency problems – leaving unconfigured
Errors were encountered while processing:
libnginx-mod-http-auth-pam
libnginx-mod-http-geoip
libnginx-mod-http-image-filter
libnginx-mod-http-ndk
libnginx-mod-http-lua
libnginx-mod-http-perl
libnginx-mod-http-xslt-filter
libnginx-mod-mail
libnginx-mod-stream
nginx-extras
nginx

looks like no extras will work on wheezy any more. So far it’s

gzip
geoip_country
more_set_headers

no matter if nginx-full or nginx-extras

although I can spot according compile options

# nginx -V
nginx version: nginx/1.10.1
built with OpenSSL 1.0.1e 11 Feb 2013
TLS SNI support enabled
configure arguments: –with-cc-opt=’-g -O2 -fstack-protector –param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2′ –with-ld-opt=’-Wl,-z,relro -Wl,-z,now’ –prefix=/usr/share/nginx –conf-path=/etc/nginx/nginx.conf –http-log-path=/var/log/nginx/access.log –error-log-path=/var/log/nginx/error.log –lock-path=/var/lock/nginx.lock –pid-path=/run/nginx.pid –modules-path=/usr/lib/nginx/modules –http-client-body-temp-path=/var/lib/nginx/body –http-fastcgi-temp-path=/var/lib/nginx/fastcgi –http-proxy-temp-path=/var/lib/nginx/proxy –http-scgi-temp-path=/var/lib/nginx/scgi –http-uwsgi-temp-path=/var/lib/nginx/uwsgi –with-debug –with-pcre-jit –with-ipv6 –with-http_ssl_module –with-http_stub_status_module –with-http_realip_module –with-http_auth_request_module –with-http_v2_module –with-http_dav_module –with-file-aio –with-threads –with-http_addition_module –with-http_flv_module –with-http_geoip_module=dynamic –with-http_gunzip_module –with-http_gzip_static_module –with-http_image_filter_module=dynamic –with-http_mp4_module –with-http_perl_module=dynamic –with-http_random_index_module –with-http_secure_link_module –with-http_sub_module –with-http_xslt_module=dynamic –with-mail=dynamic –with-mail_ssl_module –with-stream=dynamic –with-stream_ssl_module –add-module=/usr/src/builddir/debian/modules/headers-more-nginx-module –add-dynamic-module=/usr/src/builddir/debian/modules/nginx-auth-pam –add-module=/usr/src/builddir/debian/modules/nginx-cache-purge –add-module=/usr/src/builddir/debian/modules/nginx-dav-ext-module –add-dynamic-module=/usr/src/builddir/debian/modules/nginx-development-kit –add-module=/usr/src/builddir/debian/modules/nginx-echo –add-module=/usr/src/builddir/debian/modules/ngx-fancyindex –add-module=/usr/src/builddir/debian/modules/nginx-push-stream-module –add-dynamic-module=/usr/src/builddir/debian/modules/nginx-lua –add-module=/usr/src/builddir/debian/modules/nginx-upload-progress –add-module=/usr/src/builddir/debian/modules/nginx-upstream-fair –add-module=/usr/src/builddir/debian/modules/ngx_http_substitutions_filter_module –add-module=/usr/src/builddir/debian/modules/nginx-auth-ldap –add-module=/usr/src/builddir/debian/modules/ngx_http_pinba_module –add-module=/usr/src/builddir/debian/modules/ngx_pagespeed –add-module=/usr/src/builddir/debian/modules/nginx-x-rid-header –add-module=/usr/src/builddir/debian/modules/nginx-rtmp-module –with-ld-opt=-lossp-uuid

even core????

# nginx -t
nginx: [emerg] unknown directive “add_header” in /etc/nginx/sites-includes/001-ciphers.conf:28
nginx: configuration file /etc/nginx/nginx.conf test failed

unified summary of first 60VMs:

nginx: [emerg] unknown directive “add_header”
nginx: [emerg] unknown directive “expires”
nginx: [emerg] unknown directive “geoip_country”
nginx: [emerg] unknown directive “gzip”
nginx: [emerg] unknown directive “more_set_headers”
nginx: [emerg] unknown directive “pagespeed”

all wheezy, mixed nginx-extra and nginx-full. As soon an nginx got stopped, it won’t start ever.

anyone else? Any hints or fixes?

@all : could you please make sure that you have the following line at the beginning of your /etc/nginx/nginx.conf :

include /etc/nginx/modules-enabled/*.conf;

Example : https://github.com/gplessis/dotdeb-nginx/blob/jessie/debian/conf/nginx.conf#L4

If you want to rollback to the previous 1.8.1 version, you can force it’s version number :

apt-get install --reinstall nginx=1.8.1-1~dotdeb+8.1 nginx-common=1.8.1-1~dotdeb+8.1 nginx-full=1.8.1-1~dotdeb+8.1

(replace with 1.8.1-1~dotdeb+7.1 for Wheezy).

Sorry for this unexpected issues.

Guillaume,

With the include you asked, we are having:

Floating point exception (core dumped)

Even the downgrade crash…

having ” subprocess installed pre-removal script returned error exit status 1″ for every “new” package!

Yeah, I just ran into this too. For some reason nginx-full 1.10.1-1~dotdeb+8.1 isn’t handling any geo directives, so I had to downgrade back to 1.8.1-1~dotdeb+8.1.

I’m guessing the modules haven’t compiled in correctly? nginx -V did yield:- -with-http_geoip_module=dynamic but it wasn’t working.

@Sebastien: if you’re having trouble downgrading, may try opening up another shell and run “nginx -t” – this should tell you where the config file(s) is failing. If you use https, it’s probably because you changed ‘sdpy’ to ‘http2’ as required for the new nginx syntax >v1.9?

Diffing the nginx -V output from 1.8.1 to 1.10.1:

-nginx version: nginx/1.8.1
+nginx version: nginx/1.10.1
built with OpenSSL 1.0.1k 8 Jan 2015
TLS SNI support enabled
configure arguments:
–with-cc-opt=’-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2′
—with-ld-opt=-Wl,-z,relro
+–with-ld-opt=’-Wl,-z,relro -Wl,-z,now’
–prefix=/usr/share/nginx
–conf-path=/etc/nginx/nginx.conf
–http-log-path=/var/log/nginx/access.log
–error-log-path=/var/log/nginx/error.log
–lock-path=/var/lock/nginx.lock
–pid-path=/run/nginx.pid
+–modules-path=/usr/lib/nginx/modules
–http-client-body-temp-path=/var/lib/nginx/body
–http-fastcgi-temp-path=/var/lib/nginx/fastcgi
–http-proxy-temp-path=/var/lib/nginx/proxy
@@ -22,21 +23,23 @@
–with-http_stub_status_module
–with-http_realip_module
–with-http_auth_request_module
—with-http_gunzip_module
+–with-http_v2_module
+–with-http_dav_module
–with-file-aio
–with-threads
—with-http_spdy_module
–with-http_addition_module
—with-http_dav_module
—with-http_geoip_module
+–with-http_geoip_module=dynamic
+–with-http_gunzip_module
–with-http_gzip_static_module
—with-http_image_filter_module
+–with-http_image_filter_module=dynamic
–with-http_secure_link_module
–with-http_sub_module
—with-http_xslt_module
—with-mail
+–with-http_xslt_module=dynamic
+–with-stream=dynamic
+–with-stream_ssl_module
+–with-mail=dynamic
–with-mail_ssl_module
—add-module=/usr/src/builddir/debian/modules/nginx-auth-pam
+–add-dynamic-module=/usr/src/builddir/debian/modules/nginx-auth-pam
–add-module=/usr/src/builddir/debian/modules/nginx-dav-ext-module
–add-module=/usr/src/builddir/debian/modules/nginx-echo
–add-module=/usr/src/builddir/debian/modules/nginx-upstream-fair

(extra dependencies)
libnginx-mod-http-auth-pam:amd64 (1.10.1-1~dotdeb+8.1)
libnginx-mod-http-geoip:amd64 (1.10.1-1~dotdeb+8.1)
libnginx-mod-http-image-filter:amd64 (1.10.1-1~dotdeb+8.1)
libnginx-mod-http-xslt-filter:amd64 (1.10.1-1~dotdeb+8.1)
libnginx-mod-mail:amd64 (1.10.1-1~dotdeb+8.1)
libnginx-mod-stream:amd64 (1.10.1-1~dotdeb+8.1)

At a guess, it’s these dynamic libraries that aren’t working for some reason?

so far I know:

auto-update failed due the missing

include /etc/nginx/modules-enabled/*.conf;

ok, easy fix. But even with that line added the

Floating point exception

remains. Btw: some updates failed prior to linking all extra modules into /etc/nginx/modules-enabled which I had to fix manually too

@Guillaume: check your mail for access to a test VM

@Stef: Already done, but the reinstall/downgrade command give me:

apt-get install –reinstall nginx-common=1.8.1-1~dotdeb+7.1 nginx-extras=1.8.1-1~dotdeb+7.1
Reading package lists… Done
Building dependency tree
Reading state information… Done
Suggested packages:
fcgiwrap nginx-doc
The following packages will be REMOVED:
libnginx-mod-http-auth-pam libnginx-mod-http-geoip libnginx-mod-http-image-filter libnginx-mod-http-lua libnginx-mod-http-ndk libnginx-mod-http-perl
libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream
The following packages will be DOWNGRADED:
nginx-common nginx-extras
0 upgraded, 0 newly installed, 2 downgraded, 9 to remove and 0 not upgraded.
10 not fully installed or removed.
Need to get 0 B/5333 kB of archives.
After this operation, 1262 kB disk space will be freed.
Do you want to continue [Y/n]?
(Reading database … 54081 files and directories currently installed.)
Removing libnginx-mod-mail …
nginx: [emerg] unknown directive “gzip” in /etc/nginx/nginx.conf:55
dpkg: error processing libnginx-mod-mail (–remove):
subprocess installed pre-removal script returned error exit status 1
nginx: [emerg] unknown directive “gzip” in /etc/nginx/nginx.conf:55
dpkg: error while cleaning up:
subprocess installed post-installation script returned error exit status 1
Removing libnginx-mod-http-xslt-filter …
nginx: [emerg] unknown directive “gzip” in /etc/nginx/nginx.conf:55
dpkg: error processing libnginx-mod-http-xslt-filter (–remove):
subprocess installed pre-removal script returned error exit status 1
Removing libnginx-mod-http-perl …
nginx: [emerg] unknown directive “gzip” in /etc/nginx/nginx.conf:55
dpkg: error processing libnginx-mod-http-perl (–remove):
subprocess installed pre-removal script returned error exit status 1
Removing libnginx-mod-http-lua …
Removing libnginx-mod-http-ndk …
nginx: [emerg] unknown directive “gzip” in /etc/nginx/nginx.conf:55
dpkg: error processing libnginx-mod-http-ndk (–remove):
subprocess installed pre-removal script returned error exit status 1
Removing libnginx-mod-http-image-filter …
nginx: [emerg] unknown directive “gzip” in /etc/nginx/nginx.conf:55
dpkg: error processing libnginx-mod-http-image-filter (–remove):
subprocess installed pre-removal script returned error exit status 1
Removing libnginx-mod-http-geoip …
nginx: [emerg] unknown directive “gzip” in /etc/nginx/nginx.conf:55
dpkg: error processing libnginx-mod-http-geoip (–remove):
subprocess installed pre-removal script returned error exit status 1
Removing libnginx-mod-http-auth-pam …
nginx: [emerg] unknown directive “gzip” in /etc/nginx/nginx.conf:55
dpkg: error processing libnginx-mod-http-auth-pam (–remove):
subprocess installed pre-removal script returned error exit status 1
Errors were encountered while processing:
libnginx-mod-mail
libnginx-mod-http-xslt-filter
libnginx-mod-http-perl
libnginx-mod-http-ndk
libnginx-mod-http-image-filter
libnginx-mod-http-geoip
libnginx-mod-http-auth-pam
E: Sub-process /usr/bin/dpkg returned an error code (1)

@Sebastien

I managed a downgrade on one vm after forced removal of all modules & nginx.

apt-get remove libnginx*
apt-get -f install
apt-get remove libnginx*
apt-get remove nginx-*

(your sequence might differ)

apt-get install –reinstall nginx-common=1.8.1-1~dotdeb+7.1 nginx-extras=1.8.1-1~dotdeb+7.1

@Guillaume: To make it uninstalled/downgrade properly or to keep it at the latest version?!

if apt-get remove libnginx* fails with postinstall errors, like

/var/lib/dpkg/info/libnginx-mod-stream.postinst: 16: /var/lib/dpkg/info/libnginx-mod-stream.postinst: nginx: not found

try to

rm /run/nginx.pid

(stopped nginx assumed) and run again

apt-get remove libnginx*

see below, I got issues with /var/lib/dpkg/info/libnginx-mod-stream.postinst: 16

opened that skript and found invokation of nginx bin in line 16 (which won’t work until properly installed)

@all : I managed to have the Floating point exception and Unknown directive issues fixed on Wheezy with the packages (version 1.10.1-1~dotdeb+7.2) that I just uploaded to the main Dotdeb repository.

Could you please try on your side (after checking that you have the include /etc/nginx/modules-enabled/*.conf; line at the beginning of /etc/nginx/nginx.conf) and keep me posted?

For the record, ngx_pagespeed was faulty. Patching it to support Nginx 1.9.11+ / dynamic modules solved all the above mentioned issue on my test machines.

Jessie seems to be unaffected, just make sure – once again – that you have the include /etc/nginx/modules-enabled/*.conf; line at the beginning of /etc/nginx/nginx.conf.

@Guillaume: Working perfectly now! But to make it work perfectly after the upgrade, I manage to remove spdy/http2 option!

Still getting the exact same errors with the 7.2 update and the modules-enabled include line in my nginx.conf.

Thanks Guillaume,

so far – that update resolved all our issues. I will report if any of my “exotic” VMs fail, but don’t expect that.

Marcus / Techniker / Sebastien / anyone else who got it working on Wheezy — What steps did you take to correct the issue? I updated with the new 1.10.1-1~dotdeb+7.2 and re-ran the upgrade command, but I am still getting the same errors as when I first tried updating nginx-extras. Did you have to downgrade back to 1.8 first and then upgrade to 1.10?

I have the failed (partially configured) nginx-extras 1.10.1-1~dotdeb+7.1 package on my server right now, and have only tried going directly to 1.10.1-1~dotdeb+7.2.

Thanks for your help!

And yes, the “include /etc/nginx/modules-enabled/*.conf;” directive is the first line in my nginx.conf.

@Justin:

On VMs that had recent 1.10.1 installed another apt-get upgrade fixed nginx install.

On downgraded VMs I had to manually reinstall nginx-extras & nginx-common.

Only one VM had issues as it had an ‘nginx’ (no flavour) Package installed. Removed it and installed ‘nginx-common’ + ‘nginx-extras’ without hassle

I was able to get it working by removing the nginx package and all its related packages, then reinstalling. Thanks for the help everyone.

@Jan : ok, sorry for that. Could you please be more precise and give us some more details about your environment (Debian version, nginx flavor) and the error message (in a gist or a pastebin)?

I noticed a new version, 1.10.1-1~dotdeb+7.3, which updated fine on my server (+7.1 broke it, and +7.2 did not fix it automatically, but I was able to get +7.2 working after removing all nginx packages and reinstalling +7.2).

What has changed with +7.3?

@Guillaume
You’ve said that the latest ngx_pagespeed version is not available on Wheezy due to GCC 4.8. Did you consider to compile with clang instead of gcc? Seems to work for me.

A new one: module links don’t get installed during update nor by reinstall. Tried remove & reinstall in the end without luck and had to link

/usr/share/nginx/modules-available/*.conf into /etc/nginx/modules-enabled manually to get back in business.

with missing modules you’ll get install error due to missing directives. I guess that error also prevents links from building, results in a loop of issues.

It’s just me or I have lost pagespeed module when upgrading?

See:

nginx -V
nginx version: nginx/1.10.1
built with OpenSSL 1.0.1k 8 Jan 2015
TLS SNI support enabled
configure arguments: –with-cc-opt=’-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2′ –with-ld-opt=’-Wl,-z,relro -Wl,-z,now’ –prefix=/usr/share/nginx –conf-path=/etc/nginx/nginx.conf –http-log-path=/var/log/nginx/access.log –error-log-path=/var/log/nginx/error.log –lock-path=/var/lock/nginx.lock –pid-path=/run/nginx.pid –modules-path=/usr/lib/nginx/modules –http-client-body-temp-path=/var/lib/nginx/body –http-fastcgi-temp-path=/var/lib/nginx/fastcgi –http-proxy-temp-path=/var/lib/nginx/proxy –http-scgi-temp-path=/var/lib/nginx/scgi –http-uwsgi-temp-path=/var/lib/nginx/uwsgi –with-debug –with-pcre-jit –with-ipv6 –with-http_ssl_module –with-http_stub_status_module –with-http_realip_module –with-http_auth_request_module –with-http_v2_module –with-http_dav_module –with-file-aio –with-threads –with-http_addition_module –with-http_geoip_module=dynamic –with-http_gunzip_module –with-http_gzip_static_module –with-http_image_filter_module=dynamic –with-http_secure_link_module –with-http_sub_module –with-http_xslt_module=dynamic –with-stream=dynamic –with-stream_ssl_module –with-mail=dynamic –with-mail_ssl_module –add-dynamic-module=/usr/src/builddir/debian/modules/nginx-auth-pam –add-module=/usr/src/builddir/debian/modules/nginx-dav-ext-module –add-module=/usr/src/builddir/debian/modules/nginx-echo –add-module=/usr/src/builddir/debian/modules/nginx-upstream-fair –add-module=/usr/src/builddir/debian/modules/ngx_http_substitutions_filter_module –add-module=/usr/src/builddir/debian/modules/nginx-cache-purge –add-module=/usr/src/builddir/debian/modules/ngx_http_pinba_module –add-module=/usr/src/builddir/debian/modules/nginx-x-rid-header –with-ld-opt=-lossp-uuid

Hi Guillaume, thanks for your hard work!
Any thoughts about using fast open for nginx compilation in further releases? Any drawbacks?

Thanks!

RealIP Module is broken in jessie build. I can do whatever I want, Nginx will never use the IP from the Real IP header I specify. Rolled back to 1.9.10 (from jessie backports).

@Charuru : I just tested with nginx-light from Dotdeb on a clean Jessie, everything is working as expected with the following configuration :

server {
        listen 80 default_server;
        server_name _;
        set_real_ip_from 0.0.0.0/0;
        real_ip_header X-Forwarded-For;

        location / {
                default_type text/plain;
                echo $remote_addr;
        }
}

@Guillaume Plessis: I used nginx-full and the realip config from CloudFlare – even if I didn’t set a trusted IP, $remote_addr didn’t change to the real client IP, I still got reported the CloudFlare server’s IP.

Also seeing issues with realip with nginx behind varnish.

Seeing local server ip since the update.

set_real_ip_from server_ip_address;
real_ip_recursive on;

this all worked before 1.10

downgrading to the backports 1.9.10-1~bpo8+2 version restores the realip functionality

@Jools : sorry to hear that. Could you please provide sore more input in a gist or a pastebin, especially the headers :

  • received by Varnish
  • sent by Varnish
  • received by Nginx
  • the value returned by real_ip

Will need to reproduce it locally to provide some debugging, as the problem is on a very busy production site. Will get back when I can with further information.

Comments are closed.