Debian jessie nginx with openssl 1.0.2 to use ALPN rather than NPN
I am running debian jessie on my server and recently upgraded to new nginx web server with http/2 support (nginx 1.10). As today, it works great and webserver is delivering content with http2 protocol.
I have read, that chrome is dropping NPN support and only allows ALPN after 15.5.2016. ALPN is extension, which requires openssl 1.0.2 installed, but on debian jessie is only openssl 1.0.1 (also on debian backports and another repositories, there is no openssl 1.0.2 version for this debian).
And there is the problem - i have upgraded from SPDY to http2 and in few days, i will have to turn off http2 and cannot use SPDY because this version of nignx have only http2. I have also read, that this version of debian will stuck with openssl 1.0.1 and only debian stretch will have openssl 1.0.2. But to release date there is almost year and chrome will be dropping support soon, so i do not want to loose the benefit of http2 protocol.
Is there any solution, how to install openssl 1.0.2 on this system, without building own build (bad maintenance) or waiting for backports repository to have it? I also don't want two versions of openssl on my system if one of them must be linked and maintained manually.
Thanks for any help.
Update 2016/08/08: nginx
in jessie-backports
(version 1.9.10-1~bpo8+3
was built against openssl >= 1.0.2~
. Getting ALPN
working now if running jessie
just requires the packages out of jessie-backports
, no need anymore to pull packages out of stretch
.
--
Original answer: Well, here goes my answer, according to the comments: In my opinion, there aren't that many ways to solve this as of today, 2016/05/09. Basically you've to try somehow to get a modern nginx
into your system, compiled against >= openssl 1.0.2~
.
The only two options I see currently: Either you compile for yourself, which you don't want to do, which is quite understandable, or you pull in modern packages out of Debian stretch
into your system. This involves some risks, because you're mixing a stable environment with another one, but in my opinion these risks are quite low, because you're using Debian
.
So, let's go and try out this:
-
Add the
Debian stretch
repository to yourapt sources
. Don't use/etc/apt/sources.list
for this, but instead use a dedicated file inside/etc/apt/sources.list.d/
to keep it clean, personally I'm usingstretch.list
.Put these lines inside there:
deb http://httpredir.debian.org/debian/ stretch main contrib non-free deb-src http://httpredir.debian.org/debian/ stretch main contrib non-free deb http://security.debian.org/ stretch/updates main contrib non-free deb-src http://security.debian.org/ stretch/updates main contrib non-free # stretch-updates, previously known as 'volatile' deb http://httpredir.debian.org/debian/ stretch-updates main contrib non-free deb-src http://httpredir.debian.org/debian/ stretch-updates main contrib non-free
-
Set up apt pinning to make sure you only pull in packages out of
Debian stretch
which you're specifying. The file to use for this is/etc/apt/preferences
, inside there, put:Package: * Pin: release n=jessie Pin-Priority: 900 Package: * Pin: release a=jessie-backports Pin-Priority: 500 Package: * Pin: release n=stretch Pin-Priority: 100
(You might have to alter the suites and priorities to fit your environment.)
Run
apt-get update
(viasudo
/ asroot
) to update the package cache.Install
nginx
fromDebian stretch
:apt-get install -t stretch nginx
(do this viasudo
/ asroot
). Profit!As I described in my comment(s), to even lower the risks involved, you could use something like a chroot or a container-solution like LXC. In case you want to go the
chroot
way, you have to set up a network interface inside there: To do this, have a look at this blogpost for example, which gives an introduction tonetwork namespaces
.Hope this helps; in case you've got more question, feel free to contact me. I would appreciate feedback and I'm interested in how it goes.
Another method is to install OpenSSL 1.0.2 from jessie-backports and use Ubuntu 16.04 LTS builds from nginx's own repository. That way you're at least using an OpenSSL package built for Jessie.
Add to /etc/apt/sources.list
:
# jessie-backports, from stretch-level but with no dependencies
deb http://httpredir.debian.org/debian/ jessie-backports main contrib non-free
deb-src http://httpredir.debian.org/debian/ jessie-backports main contrib non-free
# Nginx repository - use Ubuntu 16.04 LTS Xenial to get packages compiled with OpenSSL 1.0.2
deb http://nginx.org/packages/mainline/ubuntu/ xenial nginx
deb-src http://nginx.org/packages/mainline/ubuntu/ xenial nginx
Then run:
apt-get update
apt-get install -t jessie-backports openssl
apt-get install nginx
This obviously puts you into an officially unsupported configuration, but perhaps that's better than not having a package at all - and it worked for me. Plus, using nginx's repo means you get fresh updates.