一、安装编译 OpenSSL 1.1.1m（注意：1.1.1m 并非最新版。1.1.1 分支在其之后还发布了多个修复安全问题的补丁版本，且该分支现已停止维护；请先到 openssl.org 确认应使用的版本，下文步骤以 1.1.1m 为例演示）
安装所需的编译包
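# Build dependency for OpenSSL's zlib support. The glob is quoted so the shell
# cannot expand 'zlib*' against files in the current directory before yum sees
# it (unquoted, a stray ./zlib-something file would silently change the request).
yum install -y 'zlib*'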
亦或考虑
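# Alternative: the whole toolchain plus headers in one go. 'make' and 'perl'
# are added because both builds below need them (OpenSSL's ./config is a perl
# script) and neither is guaranteed on a minimal install. The distro
# openssl/openssl-devel packages stay for system tools; the source build does
# not use them.
yum -y install gcc make perl zlib zlib-devel pcre-devel openssl openssl-devel wget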
下载源码包
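OPENSSL_VER=1.1.1m
OPENSSL_TGZ="openssl-${OPENSSL_VER}.tar.gz"
OPENSSL_URL="https://www.openssl.org/source/old/1.1.1/${OPENSSL_TGZ}"

# Download WITH certificate verification. The page used --no-check-certificate,
# which turns the HTTPS download into an unauthenticated one: anyone on the
# path could hand back a tampered OpenSSL that then becomes the TLS library for
# nginx and, after the symlinks below, for the whole host. If wget rejects the
# certificate, fix the CA bundle (ca-certificates package) instead of
# disabling the check. The .sha256 file is published next to each release.
wget "${OPENSSL_URL}" "${OPENSSL_URL}.sha256"

# Compare the digest with the published one before unpacking. Take the first
# whitespace-separated field on both sides so the check works whether or not
# a filename follows the hex digest in the .sha256 file. This catches a
# corrupted or substituted download; for provenance of the release itself,
# verify the detached .asc signature with the OpenSSL release key as well.
expected="$(awk '{print $1}' "${OPENSSL_TGZ}.sha256")"
actual="$(sha256sum "${OPENSSL_TGZ}" | awk '{print $1}')"
if [ -n "${expected}" ] && [ "${expected}" = "${actual}" ]; then
  tar zxvf "${OPENSSL_TGZ}"
else
  echo "checksum mismatch for ${OPENSSL_TGZ}: expected '${expected}', got '${actual}' -- not unpacking" >&2
fi
# NOTE(review): 1.1.1m is not the last 1.1.1 release and the 1.1.1 branch is
# end-of-life. Prefer a maintained branch, or at least the final 1.1.1 patch
# release; the version lives in OPENSSL_VER so the checks above follow it.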
注:
##### Check that the unpacked source tree has TLS 1.3 support (1.1.1 is the
##### first branch with it). Run from inside the openssl-1.1.1m directory;
##### any hit, e.g. in include/openssl/tls1.h, is enough.
grep -R 'TLS1_3_VERSION' ./*
编译及安装
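# Configure, build and install into its own prefix so the distro OpenSSL is
# left in place. The steps are chained with && so a failed configure or build
# never reaches 'make install' (the page ran them as independent commands).
# 1.1.1 builds shared libraries by default, which the libssl.so.1.1 /
# libcrypto.so.1.1 links further down rely on.
cd openssl-1.1.1m \
  && ./config --prefix=/usr/local/ssl \
  && make -j"$(nproc)" \
  && make install
# Recommended for a crypto library you are about to make system-wide: run the
# self-tests (slow) by inserting '&& make test' between make and make install.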
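# Move the distro-packaged openssl binary and headers aside.
# Guarded on the backup: re-running the page's unguarded 'mv' after the
# symlinks below exist would overwrite the real backup with a symlink and
# destroy the originals.
# Caveat: both paths belong to the openssl / openssl-devel RPMs. A later
# 'yum update' of those packages can reinstate them, and 'rpm -V openssl'
# will report the change -- document this on the host.
[ -e /usr/bin/openssl.bak ]     || mv /usr/bin/openssl /usr/bin/openssl.bak
[ -e /usr/include/openssl.bak ] || mv /usr/include/openssl /usr/include/openssl.bak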
创建新的符号链接
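# Point the system paths at the new build. -sfn makes these two links
# idempotent: re-running replaces a stale link instead of failing.
ln -sfn /usr/local/ssl/bin/openssl     /usr/bin/openssl
ln -sfn /usr/local/ssl/include/openssl /usr/include/openssl

# Library links: deliberately NOT forced. On distributions whose packaged
# OpenSSL is already 1.1.x (e.g. RHEL/CentOS 8) /usr/lib64/libssl.so.1.1 and
# libcrypto.so.1.1 belong to the openssl-libs package and are what yum/dnf,
# ssh, curl and every other system binary load. Replacing them with a build
# that the package manager will never patch again moves the whole host's
# crypto out of security-update coverage. If 'ln' fails with "File exists",
# leave them alone: the ld.so.conf entry in the next step already makes
# /usr/local/ssl/lib visible to programs built against this OpenSSL.
ln -s /usr/local/ssl/lib/libssl.so.1.1    /usr/lib64/libssl.so.1.1
ln -s /usr/local/ssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1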
修改配置
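# Register the new library directories with the dynamic loader. A drop-in
# under /etc/ld.so.conf.d/ (which /etc/ld.so.conf includes on RHEL/CentOS)
# replaces the interactive vim edit: it is non-interactive and re-runnable,
# and contains the same two lines the page appended.
# Security note: after this, every dynamically linked program on the host
# that asks for libssl.so.1.1 / libcrypto.so.1.1 may resolve it to this
# self-built copy, which is outside yum's security updates -- you own
# patching it from now on.
cat > /etc/ld.so.conf.d/openssl-local.conf <<'EOF'
/usr/local/lib64
/usr/local/ssl/lib
EOF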
重新加载配置并验证
重新加载
# Rebuild /etc/ld.so.cache so the loader picks up the new directories.
# The verbose listing shows every directory scanned and the libraries found;
# confirm that libssl.so.1.1 / libcrypto.so.1.1 under /usr/local/ssl/lib appear.
ldconfig --verbose
验证 openssl 版本 及是否支持TLS1.3 版本
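# Confirm which openssl is on PATH and that it is the new build. 'version -a'
# also prints the build flags and OPENSSLDIR, i.e. which openssl.cnf and
# certificate store this binary will use.
command -v openssl
openssl version -a

# TLS 1.3 support: at least one TLSv1.3 suite must be listed. -F matches the
# literal string (in the page's 'grep TLSv1.3' the '.' matched any character).
openssl ciphers -V | grep -F TLSv1.3

# Or list the protocol-selection flags s_client accepts (-tls1_3 must be present).
openssl s_client -help 2>&1 | awk '/-(ssl|tls)[0-9]/ {print $1}'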
或
# Same check, split into a filter and a projection: keep the help lines that
# mention a protocol flag, then print the flag (first field) of each.
openssl s_client -help 2>&1 \
  | grep -E -- '-(ssl|tls)[0-9]' \
  | awk '{ print $1 }'
二、升级Nginx到1.20.1
下载
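NGINX_VER=1.20.1
NGINX_TGZ="nginx-${NGINX_VER}.tar.gz"

# Download over HTTPS, not the plain-HTTP URL the page used: a cleartext
# download can be rewritten by anyone on the path. Also fetch the detached
# PGP signature that nginx.org publishes next to each tarball.
wget "https://nginx.org/download/${NGINX_TGZ}" "https://nginx.org/download/${NGINX_TGZ}.asc"

# Verify the signature with the nginx release signing key (published on
# nginx.org under "PGP keys"; import it from there or a keyserver and compare
# its fingerprint with that page before trusting it). Only unpack on success.
if gpg --verify "${NGINX_TGZ}.asc" "${NGINX_TGZ}"; then
  tar zxvf "${NGINX_TGZ}"
else
  echo "signature check failed for ${NGINX_TGZ}; do not build from it" >&2
fi
# NOTE(review): 1.20.1 is an old stable release; check nginx.org for the
# current stable version before building.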
安装所需编译包
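# Build dependencies for nginx. 'make' and 'perl' are added: the page's list
# had neither, and the --with-openssl source build below runs OpenSSL's perl
# ./config and then make. The distro openssl/openssl-devel packages are
# harmless but unused by that build (nginx compiles and links the OpenSSL
# source tree it is pointed at).
yum install -y gcc gcc-c++ autoconf automake make perl zlib zlib-devel openssl openssl-devel pcre pcre-devel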
编译及安装
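# Build nginx against the OpenSSL source tree: nginx runs its ./config and
# links libssl/libcrypto statically, so the resulting binary does not depend
# on the /usr/lib64 links made earlier. Chained with && so a configure
# failure stops here instead of installing a half-built tree.
#
# --with-openssl-opt: the page passed 'enable-tls1_3 enable-weak-ssl-ciphers'.
#   * enable-tls1_3 is a no-op on 1.1.1 (TLS 1.3 is enabled by default).
#   * enable-weak-ssl-ciphers re-enables cipher suites that OpenSSL disables
#     by default (RC4 among them). Nothing in this guide needs them and they
#     have no place on an internet-facing server, so the option is dropped.
cd nginx-1.20.1 \
  && ./configure \
       --prefix=/usr/local/nginx-1.20.1 \
       --with-openssl=../openssl-1.1.1m \
       --with-http_v2_module \
       --with-http_ssl_module \
       --with-http_gzip_static_module \
       --with-http_stub_status_module \
       --with-http_realip_module \
  && make -j"$(nproc)" \
  && make install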
若要严格权限,则可以考虑:
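### Reference: https://www.cnblogs.com/visionsl/p/8184647.html
# Dedicated unprivileged account for the worker processes. The page ran
# useradd twice; the second call fails because the user already exists.
# One call carries all the attributes and both steps are guarded so the
# snippet can be re-run:
#   -r  system account, -g nginx primary group, -M no home directory,
#   -s /sbin/nologin  no interactive login.
getent group nginx >/dev/null || groupadd -r nginx
id nginx >/dev/null 2>&1 || useradd -r -g nginx -s /sbin/nologin -M nginx

# --user/--group only set the *default* for the 'user' directive: the master
# process still runs as root (it binds the ports and reads the private key);
# the workers switch to nginx:nginx. Keep an explicit 'user nginx nginx;' in
# nginx.conf so the privilege drop is visible in the config.
# Run inside nginx-1.20.1/. Module set kept identical to the build above
# (HTTP/2 included); no enable-weak-ssl-ciphers.
./configure \
    --prefix=/usr/local/nginx-1.20.1 \
    --user=nginx \
    --group=nginx \
    --with-openssl=../openssl-1.1.1m \
    --with-http_v2_module \
    --with-http_ssl_module \
    --with-http_gzip_static_module \
    --with-http_stub_status_module \
    --with-http_realip_module \
  && make -j"$(nproc)" \
  && make install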
提示:
如果 nginx 在编译过程中遇到 undefined reference to `pthread_atfork' 错误,需要在运行 ./configure 命令之后,修改 objs/Makefile 文件（nginx 的构建输出目录是 objs/,而不是 obj/）,将第一个 -lpthread 删除,并将第二个 -lpthread 移动到该行最后。保存后再执行 make 命令。若该行只有一个 -lpthread,则将其改为 -pthread。
确认nginx版本
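# -V (capital) prints the version plus the configure arguments and the
# OpenSSL it was built with -- the actual confirmation that this binary
# carries the source-built 1.1.1m rather than the distro library. The page's
# lower-case -v shows the nginx version only.
/usr/local/nginx-1.20.1/sbin/nginx -V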
修改配置文件
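# Edit the config this build actually reads. A relative 'nginx.conf' depends
# on the current directory; the compiled-in path is <prefix>/conf/nginx.conf.
vim /usr/local/nginx-1.20.1/conf/nginx.conf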
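# In the "HTTPS server" block of nginx.conf:

# TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail most compliance scans;
# keep 1.2 and add 1.3.
ssl_protocols TLSv1.2 TLSv1.3;

# Exactly ONE ssl_ciphers directive. The page had two in the same block, and
# nginx rejects that ("ssl_ciphers" directive is duplicate), so its config
# would not have passed 'nginx -t'. With OpenSSL this list governs TLS 1.2
# only. It keeps forward-secret AEAD suites; the page's RSA-key-exchange
# entries (RSA+AES*), 3DES and CBC suites are dropped.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5;

# TLS 1.3 suites are not selected by ssl_ciphers when nginx runs on OpenSSL,
# and OpenSSL does not use the TLS13-* names the page listed (its names are
# TLS_AES_256_GCM_SHA384 etc.). Since nginx 1.19.4 they are set through the
# OpenSSL configuration interface. OpenSSL's defaults are already these
# AES-GCM / CHACHA20-POLY1305 suites, so the line is optional.
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;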
检查Nginx配置文件
# Syntax and semantic check of the compiled-in config before any start or
# reload. A non-zero exit means: do not proceed.
nginx_bin=/usr/local/nginx-1.20.1/sbin/nginx
"${nginx_bin}" -t
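# Day-to-day control. Absolute path: the page's './nginx' only works with the
# current directory inside sbin/.
nginx_bin=/usr/local/nginx-1.20.1/sbin/nginx

# Start.
"${nginx_bin}"

# Stop (fast shutdown). '-s quit' instead finishes in-flight requests first.
"${nginx_bin}" -s stop

# Reload -- this is NOT a restart: the master re-reads nginx.conf, spawns new
# workers with it and retires the old ones, so the listening socket stays
# open. Run '-t' first: on an invalid config the master keeps serving the old
# one and only reports the failure in the error log.
"${nginx_bin}" -s reload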
检测确认安装结果
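# Example: a server that is expected to speak TLS 1.3. The page's comment said
# port 60036 while its command used 50036 -- set the one your server listens on.
host=cccc.abc.com
port=60036

# Use the openssl built above (prefix /usr/local/ssl; the page's
# /usr/local/openssl1.1.1/bin path does not exist with this guide's prefix).
# -servername sends SNI so a name-based vhost returns the right certificate;
# -tls1_3 makes the handshake fail rather than fall back when 1.3 is missing;
# </dev/null closes the session after the handshake instead of waiting for input.
# Expect "Protocol  : TLSv1.3" in the output. A non-zero "Verify return code"
# from this build is usually because its OPENSSLDIR has no CA bundle yet --
# add -CAfile /etc/pki/tls/certs/ca-bundle.crt to verify against the system store.
/usr/local/ssl/bin/openssl s_client -connect "${host}:${port}" -servername "${host}" -tls1_3 </dev/null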
自启及服务模式
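#!/bin/bash
#
# nginx        Startup script for the Nginx HTTP Server
#
# Install as /etc/init.d/nginx (e.g. 'vi /etc/init.d/nginx', paste, then
# 'chmod 755 /etc/init.d/nginx && chkconfig --add nginx && chkconfig nginx on').
# On a systemd host (CentOS/RHEL 7+) a native unit is preferable; this script
# still runs through the sysv compatibility generator.
#
# chkconfig: - 85 15
# description: Nginx is a high-performance web and proxy server. \
#              It has a lot of features, but it's not for everyone.
# processname: nginx
# pidfile: /var/run/nginx.pid
# config: /usr/local/nginx-1.20.1/conf/nginx.conf

# Paths. The page's script pointed at /usr/local/nginx while the build in this
# guide installs into /usr/local/nginx-1.20.1; keep them in one place.
nginxd=/usr/local/nginx-1.20.1/sbin/nginx
nginx_config=/usr/local/nginx-1.20.1/conf/nginx.conf
# Must match the 'pid' directive in nginx.conf. nginx's compiled-in default is
# <prefix>/logs/nginx.pid, so add 'pid /var/run/nginx.pid;' to the config or
# start/stop below will never see the running master.
nginx_pid=/var/run/nginx.pid
RETVAL=0
prog="nginx"

# Source function library (daemon, killproc, status).
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up. Quoted: with NETWORKING unset, the page's
# unquoted test expanded to '[ = "no" ]', a syntax error.
[ "${NETWORKING}" = "no" ] && exit 0

[ -x "$nginxd" ] || exit 0

# True when the pid file names a live process.
running() {
  local pid
  [ -s "$nginx_pid" ] || return 1
  pid=$(cat "$nginx_pid") || return 1
  kill -0 "$pid" 2>/dev/null
}

# Start the master process. It runs as root; the workers drop to the account
# named by the 'user' directive, so make sure nginx.conf sets one. A pid file
# left behind by a crash or an unclean reboot no longer blocks startup (the
# page tested only for the file's existence): only a live process does.
start() {
  if running; then
    echo "nginx already running...."
    exit 1
  fi
  rm -f "$nginx_pid"
  echo -n $"Starting $prog: "
  daemon "$nginxd" -c "$nginx_config"
  RETVAL=$?
  echo
  [ $RETVAL = 0 ] && touch /var/lock/subsys/nginx
  return $RETVAL
}

# Stop nginx daemons.
stop() {
  echo -n $"Stopping $prog: "
  killproc "$nginxd"
  RETVAL=$?
  echo
  [ $RETVAL = 0 ] && rm -f /var/lock/subsys/nginx "$nginx_pid"
}

# Reload the configuration. Test it first: on a HUP with a broken config the
# master keeps the old workers serving and only writes the failure to the
# error log, so the operator would otherwise never learn the reload was a no-op.
reload() {
  echo -n $"Reloading $prog: "
  if "$nginxd" -t -c "$nginx_config" >/dev/null 2>&1; then
    killproc "$nginxd" -HUP
    RETVAL=$?
  else
    echo -n "config test failed, not reloading (run: $nginxd -t -c $nginx_config)"
    RETVAL=1
  fi
  echo
}

# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  reload)
    reload
    ;;
  restart)
    stop
    start
    ;;
  status)
    status "$prog"
    RETVAL=$?
    ;;
  *)
    echo $"Usage: $prog {start|stop|restart|reload|status|help}"
    exit 1
esac
exit $RETVAL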