JP's picture

Hi guys,

The version of nginx that comes on your LEMP stack is 1.10, and an apt-get upgrade did not show any updates available. I've recently added the official nginx repo by adding this to my apt sources:

deb stretch nginx

I have a fully functioning setup now, however I want to use a WordPress plugin called Nginx Helper to purge the cache, however it doesn't seem to be working using the "Delete local server cache files."

I did some research - I need the use the ngx_cache_purge module. But when I try to install libnginx-mod-http-cache-purge, I get the following error:

root@nginx-php-fastcgi .../nginx/sites-enabled# apt install libnginx-mod-http-cache-purge Reading package lists... Done Building dependency tree Reading state information... Done Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming. The following information may help to resolve the situation:

The following packages have unmet dependencies: libnginx-mod-http-cache-purge : Depends: nginx-common (= 1.10.3-1+deb9u3) but it is not going to be installed E: Unable to correct problems, you have held broken packages.

Obviously it's looking for the old nginx version dependency. Any idea how I can resolve this? 

apt-get install nginx-extras wants to install the module, but uninstall the current version of nginx that I have running, and downgrade me back to 1.10.


Jeremy Davis's picture

Is there is a particular feature that you need from a newer version? Or do you just want a "bleeding edge" version because it's new and shiny?

At risk of "over explaining"; Debian "stable" focuses on stability and security, rather than "latest and greatest" (aka "new and shiny"). It maintains stability by "freezing" the versions of software when a stable version is released. Other than rare specific circumstance, instead of updating the version to address bugs and security issues for the lifecycle of the stable OS release, security fixes are backported (and auto installed in TurnKey) and bugs are patched in the "frozen" version.

That process provides stability via the knowledge that the application APIs will be completely stable for the whole life of the OS. It also means that all the software has been tested with all the other software that might likely be installed alongside (including libraries). Security is provided via backported patches as noted above (which are auto installed by TurnKey). The downside is that the software becomes quite dated over time. Although as a general rule, stability is far more important on a server.

So unless there is some specific reason to run a newer version (e.g. a specific feature that the older version doesn't have, or a specific edge case bug which Debian hasn't patched), you are advised to just stick with the version provided by Debian.

So to circle back to your immediate concern; by installing the "mainline" version of Nginx from upstream you now have the latest version. But as you've discovered, there is a price for that. Nginx compile against the specific Debian version, so Nginx itself should be relatively stable and shouldn't break your system (i.e. it's not a "FrankenDebian). But you only get the main application and the precompiled modules that Nginx themselves provide for "free" (in context of effort required). Any other third party modules you want (e.g. 'ngx_cache_purge' - as provided by the 'libnginx-mod-http-cache-purge' Debian package) you'll need to compile from source yourself. You'll also need to recompile them every time that Nginx is updated.

Compiling from source is not the end of the world and is rarely as scary as it sounds. Although in some cases it can be a PITA; and it's a significant additional maintenance overhead. Regardless, if you're interested in pushing ahead with that, you'll need to install the relevant build tools (the 'build-essential' package should generally be enough), download the Nginx source code for the same version as you have installed (AFAIK you don't need to rebuild Nginx itself, but you need to source of the exact same version to compile the module against; and will need to redo this every time you update Nginx). The 'ngx_cache_purge' source code is on GitHub. Google turned up some "how to build" instructions, although I note that they are for installing from a source package on CentOS (rather than Debian) although the gist of that appears to be relevant on face value (although will likely require additional research and a bit of trial and error).

So as per my note above, unless you NEED a newer version of Nginx, downgrading to the version supplied by Debian (i.e. 1.10) is the recommended path. If you do need a specific feature in newer Nginx, then there may still be a better (i.e. less labor intensive) path than using 1.17 and installing your required module from source.

The backports repository (i.e. in the case of TurnKey v15.x; "stretch-backports") has v1.14 (and the module you want). Backports doesn't have security support, so updates won't be auto installed, but any security fixes would also likely be backported (although no guarantee on timeliness).

If you need newer than that, then v1.16 (the latest Nginx "stable" version) is in testing/Bullseye (although again testing has no guarantee of timely security updates). You do need to be a bit careful when installing stuff from testing (as per "FrankenDebian" link above). But assuming that it doesn't pull in too many newer dependencies, it can be done relatively safely via package pinning. I can assist further with that if you want to go that path.

Worst case scenario, compiling from the Debian source package on a Stretch base (essentially how backports are created) is still often easier than compiling from upstream source. That is all somewhat theoretical though and without further research, it's impossible to know how easy (or hard) it might be to install from anything other than backports.

One other option would be to request that v1.16 is backported for Debian 10/Buster (what TurnKey v16.x will be based on) and do a Debian "in place" upgrade to a 10/Buster base OS. You'll need to wait until Nginx is backported though, as currently it's not in buster-backports. As we don't yet have Buster packages built, you won't get any TurnKey package updates yet either, but it should work ok.

As a bit of an aside, it's perhaps also worth clarifying that as of the release of Debian 10/Buster as "stable", Debian 9/Stretch is now "oldstable"; "testing" is the as yet unreleased 11/Bullseye. When Debian "testing" is released as "stable" (roughly every 2 years), the previous "stable" becomes "oldstable" and the previous "oldstable" becomes "oldoldstable".

Anyway, I suspect that I may have inadvertently lulled you into thinking that installing latest versions from upstream isn't that big a deal via my notes re updating Dehydrated (i.e. the Let's Encrypt "nonce" issue). Whilst installing from upstream is ok, the way I advised to do that is generally considered very poor practice and there was a very specific contest to me making that recommendation (and even then, it was a bit of a hack). Dehydrated is a bash script, so only depends on bash. That means virtually no risk of breaking other stuff. And it was to work around an immediate issue. At the time there was no easy and immediate fix other than via a newer Dehydrated version, although incidentally it is now provided via a backported package anyway.

Anyway, sorry about the essay... Let me know which path you plan to go and/or your specific needs and I'm happy to provide further guidance. If you have specific questions, ideas or problems, please feel free to bounce stuff off me... :)

JP's picture

Hey man! I totally get where you're coming from - I work in IT ;-) I only wish Microsoft did the same as these distros as far as maintaining stability. I honestly had no idea that the updates worked that way.

To be honest with you - I really don't give a hoot what version of nginx I am running - I want stability. And, the only reason why I compiled from source is because I saw that 1.17.4 was released (why not compile that), and I included the purge module because none of the WordPress modules would purge the cache automatically after updating / adding a post or page. I was able to manually clear it out (after adding a custom rule to my opendir statement to include /etc/nginx/cache), but the automatic purging I wanted to get working to make it easier. Automatic purging is working now.

But, what you're saying makes total sense. 

At this point, I am just looking for a way to stay stable and keep including the purge module. After reading a bit more, I had no idea that the purge module was a 3rd party until after seeing the github.

The direction I would want to go is:

Have both nginx and libnginx-mod-http-cache-purge installed and maintained by apt

So, correct me if I'm wrong - starting with a fresh Turnkey installation - I should just be able to install libnginx-mod-http-cache-purge with apt, and call it a day, right?

No worries about the essay - I really appreciate you taking the time to explain!

Jeremy Davis's picture

So the easiest path back to where you were would be to remove (or comment out) the Nginx upstream repo (where you installed the current version of Nginx from). Then do a package list update and reinstall Nginx from the Debian repos. TBH, there is a chance it won't work (Debian packages are only designed to be upgraded, not downgraded), but in my experience, it works fine in most case.

So first up, remove the Nginx upstream repo from your sources list (i.e the "deb stretch nginx" line). Alternatively you can comment it out by adding in a "#" at the start of the line. If you've written it to it's own list file (e.g. /etc/apt/sources.list.d/nginx.list) then another option is renaming the file (only files with a '.list' file extension are used, all other files are ignored) so rename to something like this: "/etc/apt/sources.list.d/nginx.list.disabled".

Then run an apt update and reinstall nginx. FWIW, there are actually 3 different Nginx packages, and each contains a different set of default modules. In order of size, they are "nginx-light", "nginx-full" and "nginx-extras". FWIW, these packages are known as "meta-packages" as they don't actually include the additional code, just pull the extra packages in via dependencies. I forget which one we install by default but feel free to have a read about them all and make a choice. If in doubt, you may as well install the extras. The extras package will install all the additional module packages, including the libnginx-mod-http-cache-purge package that you wanted.

So fingers crossed, after removing/commenting out the Nginx repo, this will get you back to default Nginx, with the module you want installed:

First update the package lists:

apt update

Then reinstall nginx; this one should install the extras package:

apt install --reinstall nginx-extras

Or if you want to keep it light:

apt install --reinstall nginx-light libnginx-mod-http-cache-purge

You'll likely need to restart Nginx too (the install scripts may have done that for you, but it doesn't hurt):

systemctl restart nginx.service

Good luck! :)

Let me know if you have any issues.

JP's picture

Thank you sir - that is exactly what I did last night - all is working perfectly fine. I'm looking forward to your next build! Maybe it will include new and shiny nginx ;-)


Jeremy Davis's picture

And v16.x will have a newer version of Nginx (pretty much newer versions of everything), albeit not super new. FWIW v16.x will be based on Buster, so will have Nginx v1.14.

JP's picture

Awesome - I will be your guinea pig ;-)

Add new comment