公司目前使用的nginx版本比较低(nginx-1.0.12),请网络安全公司做了一下“远程安全评估”,发现有下列漏洞:
nginx URI处理安全限制绕过漏洞(CVE-2013-4547)
Nginx 'access.log'不安全文件权限漏洞(CVE-2013-0337)
nginx SSL会话固定漏洞(CVE-2014-3616)
nginx resolver 拒绝服务漏洞(CVE-2016-0747)
nginx resolver 拒绝服务漏洞(CVE-2016-0742)
nginx 'ngx_http_mp4_module.c'缓冲区溢出漏洞
nginx标头解析内存泄露漏洞
nginx 'ngx_http_close_connection()'远程整数溢出漏洞
nginx 空指针间接引用漏洞(CVE-2016-4450)
nginx resolver 释放后重利用漏洞(CVE-2016-0746)
为了修复上面的漏洞,决定将nginx 更新为nginx-1.12.0
1.首先下载 nginx-1.12.0.tar.gz,nginx-upstream-jvm-route-master.zip
ngx_cache_purge-2.3.tar.gz
附件中有依赖包
2.解压 tar -zxvf ngx_cache_purge-2.3.tar.gz
tar -zxvf nginx-upstream-jvm-route-master.zip
tar -zxvf nginx-1.12.0.tar.gz
3.通过./nginx -V 查看原来安装时的参数
# ./nginx -V
nginx version: nginx/1.0.12
configure arguments: --prefix=/opt/nginx --with-http_stub_status_module --with-pcre=/opt/soft/pcre-8.21 --add-module=../nginx_upstream_jvm_route/ --add-module=../ngx_cache_purge-1.5 --add-module=../nginx_upstream_check_module-master
4.进入 nginx-1.12.0 执行:
patch -p0 < nginx-upstream-jvm-route-master所在路径下的jvm_route.patch
patch -p0 < /opt/soft/nginx-upstream-jvm-route-master/jvm_route.patch
注意一定要执行,否则make 时会报错误
5.执行
# ./configure --prefix=/opt/nginx --with-http_stub_status_module --with-pcre=/opt/soft/pcre-8.21 --add-module=/opt/soft/nginx-upstream-jvm-route-master/ --add-module=/opt/soft/ngx_cache_purge-1.5 --add-module=/opt/soft/nginx_upstream_check_module-master
6. #make
7. mv /opt/nginx/sbin/nginx /opt/nginx/sbin/nginx.old
8. cp objs/nginx /opt/nginx/sbin/
9.# make upgrade
/opt/nginx/sbin/nginx -t
nginx: the configuration file /opt/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx/conf/nginx.conf test is successful
kill -USR2 `cat /opt/nginx/logs/nginx.pid`
sleep 1
test -f /opt/nginx/logs/nginx.pid.oldbin
kill -QUIT `cat /opt/nginx/logs/nginx.pid.oldbin`
注意:升级是不需要关闭nginx
10.# /opt/nginx/sbin/nginx -V
nginx version: nginx/1.12.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC)
configure arguments: --prefix=/opt/nginx --with-http_stub_status_module --with-pcre=/opt/soft/pcre-8.21 --add-module=/opt/soft/nginx-upstream-jvm-route-master/ --add-module=/opt/soft/ngx_cache_purge-2.3 --add-module=/opt/soft/nginx_upstream_check_module-master
升级成!
模块说明:
nginx_upstream_check_module 来检测后方realserver的健康状态,如果后端服务器不可用,则所以的请求不转发到这台服务器。
nginx_upstream_jvm_route: 通过session cookie的方式来获取session粘性。如果在cookie和url中并没有session,则这只是个简单的round-robin 负载均衡。
ngx_cache_purge:缓存模块
nginx URI处理安全限制绕过漏洞(CVE-2013-4547)
Nginx 'access.log'不安全文件权限漏洞(CVE-2013-0337)
nginx SSL会话固定漏洞(CVE-2014-3616)
nginx resolver 拒绝服务漏洞(CVE-2016-0747)
nginx resolver 拒绝服务漏洞(CVE-2016-0742)
nginx 'ngx_http_mp4_module.c'缓冲区溢出漏洞
nginx标头解析内存泄露漏洞
nginx 'ngx_http_close_connection()'远程整数溢出漏洞
nginx 空指针间接引用漏洞(CVE-2016-4450)
nginx resolver 释放后重利用漏洞(CVE-2016-0746)
为了修复上面的漏洞,决定将nginx 更新为nginx-1.12.0
1.首先下载 nginx-1.12.0.tar.gz,nginx-upstream-jvm-route-master.zip
ngx_cache_purge-2.3.tar.gz
附件中有依赖包
2.解压 tar -zxvf ngx_cache_purge-2.3.tar.gz
tar -zxvf nginx-upstream-jvm-route-master.zip
tar -zxvf nginx-1.12.0.tar.gz
3.通过./nginx -V 查看原来安装时的参数
# ./nginx -V
nginx version: nginx/1.0.12
configure arguments: --prefix=/opt/nginx --with-http_stub_status_module --with-pcre=/opt/soft/pcre-8.21 --add-module=../nginx_upstream_jvm_route/ --add-module=../ngx_cache_purge-1.5 --add-module=../nginx_upstream_check_module-master
4.进入 nginx-1.12.0 执行:
patch -p0 < nginx-upstream-jvm-route-master所在路径下的jvm_route.patch
patch -p0 < /opt/soft/nginx-upstream-jvm-route-master/jvm_route.patch
注意一定要执行,否则make 时会报错误
5.执行
# ./configure --prefix=/opt/nginx --with-http_stub_status_module --with-pcre=/opt/soft/pcre-8.21 --add-module=/opt/soft/nginx-upstream-jvm-route-master/ --add-module=/opt/soft/ngx_cache_purge-1.5 --add-module=/opt/soft/nginx_upstream_check_module-master
6. #make
7. mv /opt/nginx/sbin/nginx /opt/nginx/sbin/nginx.old
8. cp objs/nginx /opt/nginx/sbin/
9.# make upgrade
/opt/nginx/sbin/nginx -t
nginx: the configuration file /opt/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx/conf/nginx.conf test is successful
kill -USR2 `cat /opt/nginx/logs/nginx.pid`
sleep 1
test -f /opt/nginx/logs/nginx.pid.oldbin
kill -QUIT `cat /opt/nginx/logs/nginx.pid.oldbin`
注意:升级是不需要关闭nginx
10.# /opt/nginx/sbin/nginx -V
nginx version: nginx/1.12.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC)
configure arguments: --prefix=/opt/nginx --with-http_stub_status_module --with-pcre=/opt/soft/pcre-8.21 --add-module=/opt/soft/nginx-upstream-jvm-route-master/ --add-module=/opt/soft/ngx_cache_purge-2.3 --add-module=/opt/soft/nginx_upstream_check_module-master
升级成!
模块说明:
nginx_upstream_check_module 来检测后方realserver的健康状态,如果后端服务器不可用,则所以的请求不转发到这台服务器。
nginx_upstream_jvm_route: 通过session cookie的方式来获取session粘性。如果在cookie和url中并没有session,则这只是个简单的round-robin 负载均衡。
ngx_cache_purge:缓存模块
扫一扫
522
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
