nginx Installation

Posted on 18 2026

The source material this page replaces covers cloning the nginx source, installing build dependencies, compiling with custom flags, and packaging the result as a .deb file. It is a thorough guide to building nginx from source on Ubuntu, and in 2016 when it was written there were genuine reasons to do so: the Ubuntu repositories lagged significantly behind upstream, and modules like ngx_pagespeed had no packaged alternative.

The situation in 2026 is different. The official nginx package repository provides current stable and mainline releases, updated within days of upstream. The modules needed for this setup are all present in the standard package. The maintenance overhead of a source build, manually tracking CVEs, rebuilding for OpenSSL patches, managing package conflicts, is no longer justified for a self-hosted homelab.

Why the source approach is not used here

Security updates: when a security vulnerability is found in nginx or its dependencies (most commonly OpenSSL), the packaged version is updated by the nginx team and available via apt upgrade. A source build requires manually rebuilding against the patched library and managing the reinstallation. For a mail server or web server exposed to the internet, the time between a patch being available and it being applied matters.

Module availability: the ngx_pagespeed module the source material includes is a Google project for automatically optimising web page assets. It was more relevant when web optimisation tooling was less sophisticated. Modern build pipelines handle this better, and it adds significant compilation complexity for marginal gain on a self-hosted site.

Maintenance burden: a source build is not managed by apt. It does not appear in security auditing tools. It does not benefit from Ubuntu’s patch management. For a server running other services, keeping one component on a manual update cycle is unnecessary friction.

Version currency: the nginx stable release in the official repository is typically the same version as the current stable source release, or within a minor version. The gap that existed in 2016 no longer exists.

Installation

The Ubuntu default repositories include nginx but may lag. The official nginx package repository provides the current stable release:

# Import the nginx signing key
sudo curl -fsSLo /usr/share/keyrings/nginx-archive-keyring.gpg \
    https://nginx.org/keys/nginx_signing.key

# Add the stable release repository
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
    http://nginx.org/packages/ubuntu $(lsb_release -cs) nginx" | \
    sudo tee /etc/apt/sources.list.d/nginx.list

sudo apt update
sudo apt install nginx

Pinning the nginx repository

If both the Ubuntu default repositories and the official nginx repository are present, apt may prefer one over the other unpredictably. Pin the nginx package to the official repository:

sudo tee /etc/apt/preferences.d/99nginx << 'EOF'
Package: nginx
Pin: origin nginx.org
Pin-Priority: 900
EOF

This ensures nginx updates always come from the official repository rather than the Ubuntu mirrors.

Verify the installation

nginx -v
nginx -V 2>&1 | grep "configure arguments"

The version should match the current stable release from https://nginx.org/. The configure arguments show which modules are compiled in.

Verify required modules

nginx -V 2>&1 | tr ' ' '\n' | grep -- '--with' | sort

For this series, the following modules must be present:

--with-http_ssl_module          TLS support
--with-http_v2_module           HTTP/2 support
--with-http_gzip_static_module  Pre-compressed static files
--with-http_proxy_module        Reverse proxy
--with-http_realip_module       Real IP from proxy headers
--with-http_headers_module      Response header modification
--with-http_auth_request_module Subrequest authentication
--with-stream                   TCP/UDP proxy (for SMTP proxy if needed)
--with-stream_ssl_module        TLS for stream proxy

All of these are present in the standard nginx package from the official repository. If any are missing, nginx-extras from the Ubuntu repository adds them:

sudo apt install nginx-extras

Enable and start

sudo systemctl enable --now nginx
sudo systemctl status nginx

Test with a basic request:

curl -I http://localhost

Expected response: 200 OK with the nginx default page.

Keeping nginx updated

With the packaged approach, updates are handled by the standard apt upgrade process:

sudo apt update && sudo apt upgrade nginx

After upgrading, nginx performs a graceful reload automatically on most Ubuntu configurations. Verify with:

nginx -v
sudo systemctl status nginx

Subscribe to the nginx security announcements mailing list at https://nginx.org/en/security_advisories.html to be notified of security releases. Security advisories are also distributed via Ubuntu’s USN (Ubuntu Security Notices) mailing list for the packaged version.

When a source build is still appropriate

There are situations where building from source remains the right choice:

  • A custom module not available in the package repository is required
  • Specific OpenSSL compile-time features are needed
  • The deployment is performance-critical enough to justify compile-time optimisation
  • Vendor-specific patches need to be applied

For this self-hosted homelab serving a small number of users and services, none of these apply. If you have a specific reason that does apply, the source material’s build guide is a reasonable reference, updated for current nginx and OpenSSL versions.

The test for whether to build from source is whether the packaged version cannot do something you specifically need, not whether you prefer having the absolute latest version. For a server that accepts inbound connections from the internet, predictable security updates from the package manager are more valuable than marginal version currency.