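To fix nginx security vulnerabilities, I chose to upgrade nginx from 1.18.0 to 1.23.1.
The 1.18.0 installation steps are written up here: Detailed steps for installing nginx 1.18.0 on CentOS 7 (lanren312's blog, CSDN)
I referred to two blog posts during the upgrade; noting them here:
Smoothly upgrading Nginx to 1.23.1 to fix the 0-day vulnerability present in versions below 1.21.5 (钱叁壹's blog, CSDN)
Upgrading Nginx to 1.23.1 from the source package on Linux to fix nginx security vulnerabilities (夜灬狼丶's blog, CSDN)
1. Download nginx 1.23.1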
wget http://nginx.org/download/nginx-1.23.1.tar.gz
tar -zxvf nginx-1.23.1.tar.gz
cd nginx-1.23.1
## This is where an upgrade differs from a fresh install..
./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-pcre --with-http_ssl_module
## Build with make; after a successful build there is a new objs directory
make
2. Back up the nginx binary in /usr/local/nginx/sbin
cd /usr/local/nginx/sbin
mv nginx nginx_old_1.18.0
3. Copy the nginx binary from the objs directory into /usr/local/nginx/sbin
4. Run make upgrade and check the nginx version number
5. Summary
./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-stream --with-http_stub_status_module --with-openssl=/usr/local/openssl
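This ran without errors.
make then failed with: make[1]: *** [/usr/local/openssl/.openssl/include/openssl/ssl.h] Error 127
I had also upgraded openssl before.
Replacing the ./configure ... command with the one from step 1 fixed it.
6. Problems encountered when upgrading an nginx installed by someone else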
[root@localhost nginx-1.23.2]# make upgrade
/usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: [emerg] getpwnam("www") failed
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
make: *** [upgrade] 错误 1
Cause: the nginx.conf file
#user nobody;
user root; # change it to this
[root@localhost nginx-1.23.2]# make upgrade
/usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`
sleep 1
test -f /usr/local/nginx/logs/nginx.pid.oldbin
kill -QUIT `cat /usr/local/nginx/logs/nginx.pid.oldbin`
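The getpwnam("www") failure above happens because, with the user directive commented out, nginx falls back to the account compiled in with --user (step 1 uses --user=www), and that account does not exist on this host. The check below is an added example, not part of the original post: it reads the effective worker account from nginx.conf before make upgrade and separately flags root, since user root makes the worker processes run with full privileges. The function names, the constructed sample config and the useradd hint are assumptions.

```shell
#!/usr/bin/env bash
# Added example: check the nginx worker account before `make upgrade`.

# Print the account from the active `user` directive of an nginx.conf.
# $1 = path to nginx.conf
# $2 = compiled-in fallback (the --user= value given to ./configure;
#      nginx uses "nobody" when none was given)
conf_worker_user() {
    cw_name=$(sed -e 's/#.*//' "$1" |
        awk '$1 == "user" { sub(/;.*/, "", $2); print $2; exit }')
    printf '%s\n' "${cw_name:-${2:-nobody}}"
}

# Return 0 if the account exists and is unprivileged,
#        1 if it is missing (nginx -t fails with getpwnam("...") failed),
#        2 if it is root (worker processes would run as uid 0).
check_worker_user() {
    ck_name=$(conf_worker_user "$@")
    if ! ck_uid=$(id -u "$ck_name" 2>/dev/null); then
        echo "missing account '$ck_name': create it or name an existing" \
             "unprivileged one, e.g. useradd -r -s /sbin/nologin $ck_name" >&2
        return 1
    fi
    if [ "$ck_uid" -eq 0 ]; then
        echo "'$ck_name' is uid 0: workers would run with root privileges" >&2
        return 2
    fi
    echo "ok: workers run as $ck_name (uid $ck_uid)"
}

# Constructed sample: the commented-out directive quoted in the post.
sample=$(mktemp)
printf '#user nobody;\nworker_processes 1;\n' > "$sample"
check_worker_user "$sample" www || echo "check returned $?"
rm -f "$sample"
```

On a real host, call check_worker_user /usr/local/nginx/conf/nginx.conf www and run make upgrade only when it returns 0.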
systemctl start nginx.service fails with an error:
Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details
Cause: port 80 is already in use; kill the process holding it first
[root@localhost /]# netstat -nap | grep 80