Nginx Compile Change

PDowney · web-flow · commit 89ac5d2947ae · 2026-02-18T21:32:54.000-05:00
The Cloudflare Zlib fork no longer appears to be actively maintained and currently suffers from a security vulnerability. This change updates the Nginx build to use the latest version of Zlib, which includes the necessary security fixes. Additionally, it removes the dependency on the Cloudflare fork, simplifying our build process and ensuring we are using a well-maintained library. https://www.sentinelone.com/vulnerability-database/cve-2023-6992/
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,52 @@ All notable changes to EngineScript will be documented in this file.
 
 Changes are organized by date, with the most recent changes listed first.
 
+## 2026-02-18
+
+### ⚡ NGINX JETPACK BOOST DELIVERY COMPATIBILITY
+
+- **Jetpack Boost static delivery fallback fix**: Added a dedicated Nginx location for `/wp-content/boost-cache/static/*.css|*.js` that uses `try_files` with fallback to `/index.php?$args`.
+  - Existing concatenated files continue to be served directly by Nginx.
+  - Missing concatenated files now route through WordPress instead of returning an Nginx-native 404.
+  - Restores compatibility with Jetpack Boost enhanced delivery detection that relies on WordPress `is_404()` behavior in `wp-content` paths.
+- **Generic CSS/JS location clarified**: Added inline guidance noting why `try_files` is intentionally not enabled in the general `\.(css|js)` location to preserve fast native 404 handling for non-Jetpack asset misses.
+- **FastCGI/PHP timeout alignment**: Tuned request timeout chain to reduce premature 504 responses and unnecessary long-running worker overlap.
+  - Updated Nginx `fastcgi_read_timeout` from `120s` to `130s`.
+  - Updated PHP-FPM `request_terminate_timeout` from `300s` to `125s`.
+  - Kept PHP `max_execution_time` at `120` as the baseline script limit.
+- **try_files simplification for endpoint-specific rules**: Removed unnecessary `$uri/` directory checks where URL patterns are file/endpoint specific.
+  - Updated Jetpack Boost static fallback in `static-files.conf` to `try_files $uri /index.php?$args;`.
+  - Updated `wp-json` fallback in `wp-secure.conf` to `try_files $uri /index.php?$args;`.
+- **Nginx zlib source migration**: Switched active Nginx build path from Cloudflare zlib fork to official zlib source.
+  - Updated `nginx-compile.sh` to use `--with-zlib="/usr/src/zlib-${ZLIB_VER}"` for both HTTP/2 and HTTP/3 builds.
+  - Disabled Cloudflare zlib clone/configure flow in `zlib-install.sh` by commenting it out (kept for future re-enable).
+  - Updated Nginx install/upgrade script messaging from "Cloudflare Zlib" to "zlib".
+
+## 2025-01-21
+
+### ⚙️ PHP VERSION SELECTION
+
+- **PHP 8.5 Default**: Default PHP version changed from 8.4 to 8.5
+- **Version Override System**: New `PHP_VERSION_OVERRIDE` variable in install options allows selecting PHP 8.4 or 8.3
+- **KEEP_OLD_PHP Removed**: Old PHP version is always removed during upgrades; use "Switch PHP Version" menu to change versions
+- **Switch PHP Version Menu**: New interactive option in Update Software menu lets users switch between PHP 8.3, 8.4, and 8.5
+- **resolve_php_version()**: New shared function validates version override and applies it at script startup
+- **Dynamic Package Blocking**: `package-block.sh` now dynamically blocks all PHP versions except the selected one
+- **Opcache Handling**: `php-install.sh` and `php-update.sh` conditionally skip `php-opcache` package for PHP 8.5+ (built-in)
+- **php-update.sh Rewrite**: Complete rewrite — auto-detects currently installed PHP version, version-agnostic upgrade logic, no hardcoded versions
+
+### 🐛 BUG FIXES
+
+- **alias-debug.sh**: Fixed hardcoded `php8.3-fpm` service name; now uses `${PHP_VER}` dynamically
+- **enginescript-common.sh**: Updated `restart_php_fpm()` version array to include PHP 8.5
+
+### 🔒 SECURITY IMPROVEMENTS
+
+- **HIGH_SECURITY_SSL TLS Enhancement**: When `HIGH_SECURITY_SSL=1` is configured, TLS 1.1 is now disabled in nginx
+  - SSL protocols reduced from `TLSv1.1 TLSv1.2 TLSv1.3` to `TLSv1.2 TLSv1.3`
+  - Applied during nginx installation via nginx-misc.sh
+  - Improves security posture for high-security environments by removing deprecated TLS 1.1 support
+
 ## 2025-11-17
 
 ### 🌐 NEW FEATURE: External Services Monitoring
diff --git a/scripts/install/nginx/nginx-compile.sh b/scripts/install/nginx/nginx-compile.sh
@@ -131,7 +131,7 @@ if [[ "${INSTALL_HTTP3}" == "1" ]];
       --with-threads \
       --with-pcre="/usr/src/pcre2-${PCRE2_VER}" \
       --with-pcre-jit \
-      --with-zlib=/usr/src/zlib-cf \
+      --with-zlib="/usr/src/zlib-${ZLIB_VER}" \
       --with-zlib-opt=-fPIC \
       --with-http_ssl_module \
       --with-http_v2_module \
@@ -178,7 +178,7 @@ if [[ "${INSTALL_HTTP3}" == "1" ]];
       --with-threads \
       --with-pcre="/usr/src/pcre2-${PCRE2_VER}" \
       --with-pcre-jit \
-      --with-zlib=/usr/src/zlib-cf \
+      --with-zlib="/usr/src/zlib-${ZLIB_VER}" \
       --with-zlib-opt=-fPIC \
       --with-http_ssl_module \
       --with-http_v2_module \
diff --git a/scripts/install/nginx/nginx-install.sh b/scripts/install/nginx/nginx-install.sh
@@ -28,10 +28,10 @@ debug_pause "Nginx Source Downloads"
 print_last_errors
 debug_pause "Brotli"
 
-# Retrieve Latest Cloudflare Zlib
+# Retrieve Latest zlib
 /usr/local/bin/enginescript/scripts/install/zlib/zlib-install.sh 2>> /tmp/enginescript_install_errors.log
 print_last_errors
-debug_pause "Cloudflare Zlib"
+debug_pause "zlib"
 
 # Retrieve Latest PCRE2
 /usr/local/bin/enginescript/scripts/install/pcre/pcre-install.sh 2>> /tmp/enginescript_install_errors.log
diff --git a/scripts/install/zlib/zlib-install.sh b/scripts/install/zlib/zlib-install.sh
@@ -21,19 +21,18 @@ source /usr/local/bin/enginescript/scripts/functions/shared/enginescript-common.
 # Return to /usr/src
 cd /usr/src
 
-# Cloudflare zlib Download
-# Remove existing Zlib-CF directory if it exists
-if [[ -d "/usr/src/zlib-cf" ]]; then
-  rm -rf "/usr/src/zlib-cf"
-fi
-
-# Clone Zlib-CF
-git clone --depth 1 https://github.com/cloudflare/zlib.git -b gcc.amd64 "/usr/src/zlib-cf"
-cd "/usr/src/zlib-cf"
-sudo ./configure --prefix=path \
-  --static \
-  --64
-make -f Makefile.in distclean
+# Cloudflare zlib fork (disabled)
+# Disabled due to security and maintenance concerns. Keep this block for future re-enable if upstream status improves.
+#if [[ -d "/usr/src/zlib-cf" ]]; then
+#  rm -rf "/usr/src/zlib-cf"
+#fi
+#
+#git clone --depth 1 https://github.com/cloudflare/zlib.git -b gcc.amd64 "/usr/src/zlib-cf"
+#cd "/usr/src/zlib-cf"
+#sudo ./configure --prefix=path \
+#  --static \
+#  --64
+#make -f Makefile.in distclean
 
 #make
 #make test
@@ -53,6 +52,14 @@ make -f Makefile.in distclean
 #ldconfig
 
 # Official zlib Download
+# Remove existing official zlib source directory and tarball if they exist
+if [[ -d "/usr/src/zlib-${ZLIB_VER}" ]]; then
+  rm -rf "/usr/src/zlib-${ZLIB_VER}"
+fi
+if [[ -f "/usr/src/zlib-${ZLIB_VER}.tar.gz" ]]; then
+  rm -f "/usr/src/zlib-${ZLIB_VER}.tar.gz"
+fi
+
 wget -O "/usr/src/zlib-${ZLIB_VER}.tar.gz" "https://github.com/madler/zlib/archive/refs/tags/v${ZLIB_VER}.tar.gz"
 tar -xzf "/usr/src/zlib-${ZLIB_VER}.tar.gz"
 
diff --git a/scripts/update/nginx-update.sh b/scripts/update/nginx-update.sh
@@ -40,10 +40,10 @@ debug_pause "Brotli"
 print_last_errors
 debug_pause "OpenSSL"
 
-# Retrieve Latest Cloudflare Zlib
+# Retrieve Latest zlib
 /usr/local/bin/enginescript/scripts/install/zlib/zlib-install.sh 2>> /tmp/enginescript_install_errors.log
 print_last_errors
-debug_pause "Cloudflare Zlib"
+debug_pause "zlib"
 
 # Retrieve Latest PCRE2
 /usr/local/bin/enginescript/scripts/install/pcre/pcre-install.sh 2>> /tmp/enginescript_install_errors.log
