9

I need to use the Nginx module ngx_http_auth_pam_module on a Centos 7 server. As a package is only available through the getpagespeed repository, which isn't gratis, I want to compile it myself.

Following various instructions I found, I downloaded the sources for the module and for Nginx, listed the compile options for the version of Nginx installed with nginx -V, then compiled the module with ./configure then make modules, installing some packages to fix the various errors in the process.

However, when I try to configure Nginx to use the newly compiled module, nginx -t gives me nginx: [emerg] module "/opt/nginx/modules/ngx_http_auth_pam_module.so" is not binary compatible in /usr/share/nginx/modules/mod-http-auth-pam.conf:1

From what I read, this "not binary compatible" error is due to different compile flags in the installed version of Nginx vs the module, however I made sure to copy all those given by nginx -V. I also made sure to download the source code for the same version of Nginx as installed.

Any idea what could be causing the issue ? Should I just uninstall Nginx and reinstall the compiled version, or does that come with its own issues ?

Appendix :

here is the entire ./configure command :

./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_auth_request_module --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' --with-compat --add-dynamic-module=../ngx_http_auth_pam_module/

And here the nginx -V

nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_auth_request_module --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
user153991
  • 331
  • 2
  • 7

4 Answers4

5

Turns out, the --with-compat option was causing the issue. I added it because the guide on nginx.com said so, but after removing it and compiling one more time, nginx -t tells me that the config is good.

user153991
  • 331
  • 2
  • 7
1

A more compatible way:

  1. find out the current nginx instance version via nginx -v
  2. clone the nginx source code and checkout that tag, like "release-1.18.0".
  3. configure the source with exactly the same options via:
auto/configure --add-dynamic-module=/path/to/your/module `nginx -V`
  1. make
clarkttfu
  • 161
  • 1
  • 4
1

Removing --with-compat option cannot possibly solve it.

If you got the error about binary incompatible module that was compiled with this option, it only means that you compiled it for one version and loaded into a different version. E.g. module was compiled against NGINX source 1.16.0 while you're loading it (using) in NGINX 1.12.2. And that version is very old by the way, and has HTTP/2 security vulnerabilities, for which you have to update.

If anything, there's not much reason not to use --with-compat.

I am very biased in saying this, but GetPageSpeed repo, while being not gratis for CentOS 7 (free for CentOS/RHEL 8 as of this writing), allows you to get always up-to-date modules for new NGINX versions, which are released on a regular basis and address new security issues as well as added features. Otherwise, you have to continuously recompile modules as opposed to yum update, and potentially end up with compilation software on the production system. Which is a security issue of its own.

The GetPageSpeed alternative is subscribing to NGINX Plus, which costs far more than a few dollars.

Danila Vershinin
  • 4,738
  • 3
  • 16
  • 21
  • GetPageSpeed module now costs $50 per *month* so is impractical for most people other than 'enterprise' folks. Good for the programmer of that lovely repo, but it's not a good answer. Meanwhile your info is correct: compiling the module with or without `--with-compat` is irrelevant to this issue. Something else is happeninng. – Khom Nazid Jan 09 '21 at 23:00
  • 1
    Do the math. Compared to NGINX Plus which runs at $2.5K/year for a single instance, GetPageSpeed repo is only $600 per year and has nearly a hundred of installable NGINX modules (not talking about other software which is also included). It is not only for "enterprise": any small/medium business interested in boosting their online shops like Magento 2 etc. can easily afford that, and there is no limit on instance use as long as it shows up as a single IP address. – Danila Vershinin Jan 10 '21 at 16:44
  • 1
    Thank you Danila. Yes I think it’s a great price for companies making money online. It s a well done repo with excellent modules. I miss it for free use. – PKHunter Jan 11 '21 at 18:25
-2

To enable compat module on nginx, please try to use --with-compat before creating the dynamic module in your compile configuration and nginx installation. Here is my nginx installation:

  1. ./configure --prefix=/opt/nginx --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-pcre --with-debug --with-http_stub_status_module --with-openssl --with-compat
  2. make
  3. make install

And the try to create your dynamic module and load it from nginx.conf.

HTH

david
  • 43
  • 5