In this tutorial we’ll Build NGINX from source and enable TLS 1.3 in Linux server. TLS 1.3 is secure and fast TLS protocol till now it have its own benefits like security and performance, the website using TLS 1.3 loads faster and is more secure.

Transportation Layer Security (TLS) 1.3 protocol provides unparalleled privacy and performance compared to previous versions of TLS and non-secure HTTP. Performance has a major impact on user experience. TLS 1.3 represents a pivotal turning point for HTTPS performance. Modern mobile networks will routinely add over 100ms of latency to each request. TLS 1.3 makes page load times significantly faster for mobile devices, improving the user experience for your visitors.

To build Nginx from source we need to remove any nginx installed from other sources like from official repository or from 3rdpart repository.

Step 1 :

First backup current nginx dir which contains configurations and vhosts :

cp -r /etc/nginx /etc/nginx.bak

Step 2 :

Remove Nginx :

yum remove nginx*

Step 3 :

Downloading dependencies and openssl :

Install deps from yum /centos7/8/el7/8 :

yum install -y perl perl-devel perl-ExtUtils-Embed libxslt libxslt-devel libxml2 libxml2-devel gd gd-devel GeoIP GeoIP-devel perl-IPC-Cmd

PCRE download :

cd /usr/local/src
rm -rf pcre*
wget https://github.com/mysterydata/md-disk/raw/main/pcre-8.45.zip
unzip pcre-8.45.zip

ZLIB download :

cd /usr/local/src
rm -rf zlib*
wget https://github.com/madler/zlib/releases/download/v1.2.13/zlib-1.2.13.tar.gz -O zlib.tar.gz
tar zxvf zlib.tar.gz
rm -rf zlib.tar.gz
mv zlib-* zlib

Download openssl 3.0 :

cd /usr/local/src
rm -rf openssl*
wget https://www.openssl.org/source/openssl-3.0.12.tar.gz -O openssl.tar.gz
tar -xf openssl.tar.gz
rm -rf openssl.tar.gz
mv openssl-* openssl

Step 3 :

Building Nginx from source :

cd /usr/local/src
rm -rf nginx*
wget http://nginx.org/download/nginx-1.24.0.tar.gz
tar zxvf nginx-1.24.0.tar.gz
cd nginx-1.24.0
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --build=CentOS --builddir=nginx-custom --with-select_module --with-poll_module --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --with-compat --with-pcre=/usr/local/src/pcre-8.45 --with-pcre-jit --with-zlib=/usr/local/src/zlib --with-openssl=/usr/local/src/openssl  --with-openssl-opt=no-nextprotoneg --with-debug  
make && make install

Step 4 :

Now copy the config from the backup done before :

cat /etc/nginx.bak/nginx.conf > /etc/nginx/nginx.conf

Step 5 :

Creating systemed service file for nginx and disable nginx to install via yum package manager :

now create the systemed service file for nginx :

nano /usr/lib/systemd/system/nginx.service

and paste this to it and save :

[Unit]
Description=nginx - high performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID

[Install]
WantedBy=multi-user.target

Disable nginx in yum/dnf package manager for not to override your compiled nginx [important] :

Centos 7/el7 :

cat /etc/yum.conf |grep "^exclude="|grep nginx 1> /dev/null 2> /dev/null || echo 'exclude=nginx*' >> /etc/yum.conf 

Centos 8/el8 :

cat /etc/dnf/dnf.conf |grep "^exclude="|grep nginx 1> /dev/null 2> /dev/null || echo 'exclude=nginx*' >> /etc/dnf/dnf.conf 

Step 6 :

Enabling TLSv1.3 in nginx :

Now we’ll add TLS 1.3 entry in all nginx vhost and in nginx.conf

sed -i 's/TLSv1.2;/TLSv1.2 TLSv1.3;/g' /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf /etc/nginx/conf.d/vhosts/*.conf /usr/local/cwpsrv/htdocs/resources/conf/web_servers/main/nginx/conf/nginx.conf
systemctl restart nginx
systemctl enable nginx

** in CWP you need to do some extra steps which is mentioned below in Step

If you’re not using CWP then you’re done configuring TLS 1.3

Step 7 :

Ensure you create proper template for nginx in CWP else on every webserver build or ssl renew TLS 1.3 will be disabled

you need to copy the existing templates (tpl and stpl) and edit the stpl file and replace this line with new one :

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

with

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

that is only TLSv1.3 is need to be added before Semicolons ;

for example if you’re using default template for website you need to copy default templates to custom name example default-tls13.tpl and default-tls13.stpl ensure you’re using this template as a default for all domains and sub domain else tls 1.3 will not work by going to CWP.admin >> Webserver settings >> WEbservers Main conf choose Nginx default Vhost template from drop down menu which you created via below commands (default-tls13/force-https-http2-tls13). If you’re using php-fpm + nginx do the same for Nginx default PHP-FPM template

to copy the template to custom name do this :

cd /usr/local/cwpsrv/htdocs/resources/conf/web_servers/vhosts/nginx
cp -r default.stpl default-tls13.stpl
cp -r default.tpl default-tls13.tpl
sed -i 's/TLSv1.2;/TLSv1.2 TLSv1.3;/g' default-tls13.tpl default-tls13.stpl

** you can replace the “default” with the template name like for http2 “force-https-http2” template eg :

cd /usr/local/cwpsrv/htdocs/resources/conf/web_servers/vhosts/nginx
cp -r force-https-http2.stpl force-https-http2-tls13.stpl
cp -r force-https-http2.tpl force-https-http2-tls13.tpl
sed -i 's/TLSv1.2;/TLSv1.2 TLSv1.3;/g' force-https-http2-tls13.tpl force-https-http2-tls13.stpl

*** if you’re using nginx + fpm go to “/usr/local/cwpsrv/htdocs/resources/conf/web_servers/vhosts/nginx/php-fpm” dir and do the same for it too as above.

After running the above command lock this files if you don’t change nginx main config and Hostname of the server :

chattr +i /etc/nginx/conf.d/hostname-ssl.conf /etc/nginx/nginx.conf

If you want to change nginx main conf or change the server hostname just unlock this files and then rebuild webserver config or vhost :

chattr -i /etc/nginx/conf.d/hostname-ssl.conf /etc/nginx/nginx.conf

***after edit and webserver rebuild or vhost rebuild just lock the files again.

Now that nginx 1.26 adds http3 experimental support, it could be useful to update this guide to also enable http3 when building nginx from sources

I am having some problems.

When I lock the nginx file chattr +i /etc/nginx/conf.d/hostname-ssl.conf /etc/nginx/nginx.conf

after some time all my websites will be inaccessible.

This is the error I get

"Service Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later."

And if I unlock the nginx file the server work 100%

 

@Sandeep B. How to modify the sequence described in this post, if using AlmaLinux 9.5 with latest CWP and the OpenSSL version in the server is 3.2.2 ?
The TLSv1.2 with HTTP\2 is running well, and all CWP Nginx templates was modified to use ssl_protocols TLSv1.2 TLSv1.3; but TLS v 1.3 failed on the tests at https://www.cdn77.com/tls-test and also failed with terminal tests like: openssl s_client -connect example.com:443 -tls1_3 -debug while openssl s_client -connect example.com:443 -tls1_2 -debug is OK.

And no error messages in the nginx log.

Do you have any suggestion or my missing some necessary component in AlmaLinux 9.x ?

Any help or ideas will be appreciated.

Thanks for advance.

Edited January 25Jan 25 by TheHolbi
Added additional data to the issue.

On 4/24/2024 at 7:02 PM, Fidolas said:

Now that nginx 1.26 adds http3 experimental support, it could be useful to update this guide to also enable http3 when building nginx from sources

Yes, it would be good to extend this guide for http3 support and AlmaLinux 9.x support, with OpenSSL 3.x.

The output of command: `update-crypto-policies --show` is “DEFAULT“

In addition I tried to set in AlmaLinux 9.5 the following settings: `sudo update-crypto-policies --set FUTURE` and it cause error on Nginx configuration:

`2025/01/25 13:01:53 [emerg] 69470#69470: SSL_CTX_use_certificate("/etc/pki/tls/certs/hostname.bundle") failed (SSL: error:0A00018F:SSL routines::ee key too small)`

Resolved:

The solution of TLSv1.3 in AlmaLinux 9.5 with CWP Pro was reinstall hostname certificates (for all services) in the Change Hostname menu with 4096 size key.
After then all issue was resolved, and the TLSv1.3 check was pass in both way, from terminal and from browser also.

Of course in all templates and Nginx config files was changed the setting to ssl_protocols TLSv1.2 TLSv1.3;

Hello

I do have cwp pro updated to latest version as of april 2025, updated almalinux 9.5 , Apache/2.4.62 + nginx 1.28.0, php-fpm, also I forced use of https http2

I have tried to add use of tls 1.3 following this of the last post in this thread:

"The solution of TLSv1.3 in AlmaLinux 9.5 with CWP Pro was reinstall hostname certificates (for all services) in the Change Hostname menu with 4096 size key. After then all issue was resolved, and the TLSv1.3 check was pass in both way, from terminal and from browser also. Of course in all templates and Nginx config files was changed the setting to ssl_protocols TLSv1.2 TLSv1.3;"

I did not notice errors, but does not work.

Am I missing something?

Thank you in advance for any help.

Hello

I solved the problem on my server.

The following is what I could get out of this experience.

In the case one has a recent linux version, just as in my case in which I had Almalinux 9.5, then updated to 9.6 (Sage Margay), and a CWP pro recent version, mine now is 0.9.8.1204, there is no need to compile Nginx and other components.

Just in case before starting check if your Nginx, openssl, apache are compiled to support http2, maybe http3, and TLSv1.3, if they are you are good to proceed.

Next step is to create proper templates for the webservers (nginx in particular if you use it as reverse proxy) as described by Sandeep (thank you Sandeep for the help, very appreciated in the years!)

While you do this you also might want to add security directives and options, that depends on your needs

Then rebuild your host and vhost configurations, check that all nginx conf files so generated are correct and reflecting your choices (if they do not you have some mistake in your templates, adjust and check, eventually later on fix your templates too).

In latest nginx builds the use of the directive (here with variables as seen in the nginx conf templates in CWP) listen %ip%:%nginx_port% ssl %http2%; is deprecated

use the following instead

listen %ip%:%nginx_port% ssl;

%http2% on;

In your generated conf files will look like this:

listen 123.123.1231233:443 ssl;

http2 on;

Check in your nginx conf files of the host and vhosts that all lines telling ssl_protocols do have both TLSv1.2 and TLSv1.3 stated, as follows:

ssl_protocols TLSv1.2 TLSv1.3;

When done in a terminal check nginx configuration running nginx -t

If OK without errors restart nginx service (either form cwp or terminal)

I am not sure that changing host name as suggested in previous post from TheHolbi is always necessary, however if checking your website for TLSv1.3 (e.g. against qualys website, or in your terminal) you get errors, try "change hostname" in CWP, in reality you do not really need to actually change the name of your host, you just need to click the button so to have all rebuilt and a new certificate generated, if you want to improve your host security you can chose the 4096 bit key, this will increase computation and some traffic, but this is not truly going to affect all of your server (as far as I understood... I should dig more on that).

In conclusion if you have CWP Pro (maybe also the fre one, I do not know as I did not try it) on Alamlinux 9.6 everything is already good to go, you just need to tell the server to use TLSv1.3

That's all folks.

Thank you again for all the help published here and other websites, special thanks to Sandeep again.

Bye.

Will this guide work on a AL8 elevated CWP server?