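Background
Upgrade nginx to 1.23.1 to address the following security vulnerabilities:
NGINX environment issue vulnerability (CVE-2019-20372)
NGINX environment issue vulnerability (CVE-2020-12440)
NGINX denial-of-service vulnerability (CVE-2016-4450)
NGINX range filter module numeric error vulnerability (CVE-2017-7529)
Preparation
1. Configure a local yum repository and install the basic build environment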
yum -y install openssl openssl-devel make zlib zlib-devel gcc gcc-c++ libtool pcre pcre-devel pam pam-devel
2. Collect the existing nginx build information
[root@centos111 sbin]# ./nginx -V
nginx version: nginx/1.18.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-pcre --with-http_ssl_module
[root@centos111 sbin]#
3. Download the upgrade package (this example uses the latest version, 1.23.1)
Index of /download/ (nginx.org)
Upgrade
1. Upload the new version's source tarball to the server and extract it (in this example, under /opt/soft/nginx)
-rw-r--r-- 1 root root 1104352 7月 21 10:16 nginx-1.23.1.tar.gz
[root@centos111 nginx]# pwd
/opt/soft/nginx
[root@centos111 nginx]# ll
总用量 1080
-rw-r--r-- 1 root root 1104352 7月 21 10:16 nginx-1.23.1.tar.gz
[root@centos111 nginx]# tar -xvzf nginx-1.23.1.tar.gz
[root@centos111 nginx]# ll
总用量 1080
drwxr-xr-x 8 elasticsearch elasticsearch 158 7月 19 22:05 nginx-1.23.1
-rw-r--r-- 1 root root 1104352 7月 21 10:16 nginx-1.23.1.tar.gz
[root@centos111 nginx]#
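2. Enter the extracted directory and run configure with the same arguments as the old version (for the old version's configuration, see step 2 under Preparation). When it completes correctly, the output looks similar to the following (intermediate output omitted)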
[root@centos111 nginx]# cd nginx-1.23.1/
[root@centos111 nginx-1.23.1]# ./configure --prefix=/usr/local/nginx --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-pcre --with-http_ssl_module
(output omitted)
checking for PCRE library ... found
checking for PCRE JIT support ... found
checking for OpenSSL library ... found
checking for zlib library ... found
creating objs/Makefile
Configuration summary
+ using system PCRE library
+ using system OpenSSL library
+ using system zlib library
nginx path prefix: "/usr/local/nginx"
nginx binary file: "/usr/local/nginx/sbin/nginx"
nginx modules path: "/usr/local/nginx/modules"
nginx configuration prefix: "/usr/local/nginx/conf"
nginx configuration file: "/usr/local/nginx/conf/nginx.conf"
nginx pid file: "/usr/local/nginx/logs/nginx.pid"
nginx error log file: "/usr/local/nginx/logs/error.log"
nginx http access log file: "/usr/local/nginx/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
您在 /var/spool/mail/root 中有新邮件
[root@centos111 nginx-1.23.1]#
3. Run make to compile, which generates the objs directory. A successful build ends as shown below; running ll afterwards shows the new objs directory
[root@centos111 nginx-1.23.1]# make
(output omitted)
objs/src/http/modules/ngx_http_upstream_zone_module.o \
objs/src/http/modules/ngx_http_stub_status_module.o \
objs/ngx_modules.o \
-ldl -lpthread -lcrypt -lpcre -lssl -lcrypto -ldl -lpthread -lz \
-Wl,-E
sed -e "s|%%PREFIX%%|/usr/local/nginx|" \
-e "s|%%PID_PATH%%|/usr/local/nginx/logs/nginx.pid|" \
-e "s|%%CONF_PATH%%|/usr/local/nginx/conf/nginx.conf|" \
-e "s|%%ERROR_LOG_PATH%%|/usr/local/nginx/logs/error.log|" \
< man/nginx.8 > objs/nginx.8
make[1]: 离开目录“/opt/soft/nginx/nginx-1.23.1”
您在 /var/spool/mail/root 中有新邮件
[root@centos111 nginx-1.23.1]# ll
总用量 808
drwxr-xr-x 6 elasticsearch elasticsearch 326 7月 21 10:24 auto
-rw-r--r-- 1 elasticsearch elasticsearch 319222 7月 19 22:05 CHANGES
-rw-r--r-- 1 elasticsearch elasticsearch 487813 7月 19 22:05 CHANGES.ru
drwxr-xr-x 2 elasticsearch elasticsearch 168 7月 21 10:24 conf
-rwxr-xr-x 1 elasticsearch elasticsearch 2590 7月 19 22:05 configure
drwxr-xr-x 4 elasticsearch elasticsearch 72 7月 21 10:24 contrib
drwxr-xr-x 2 elasticsearch elasticsearch 40 7月 21 10:24 html
-rw-r--r-- 1 elasticsearch elasticsearch 1397 7月 19 22:05 LICENSE
-rw-r--r-- 1 root root 438 7月 21 10:27 Makefile
drwxr-xr-x 2 elasticsearch elasticsearch 21 7月 21 10:24 man
drwxr-xr-x 3 root root 174 7月 21 10:30 objs
-rw-r--r-- 1 elasticsearch elasticsearch 49 7月 19 22:05 README
drwxr-xr-x 9 elasticsearch elasticsearch 91 7月 21 10:24 src
4. Back up the old binary and copy the new version over it
[root@centos111 nginx-1.23.1]# mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx_1.18
[root@centos111 nginx-1.23.1]# cp ./objs/nginx /usr/local/nginx/sbin/nginx
5. Perform the graceful (zero-downtime) upgrade
[root@centos111 nginx-1.23.1]# make upgrade
/usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`
sleep 1
test -f /usr/local/nginx/logs/nginx.pid.oldbin
kill -QUIT `cat /usr/local/nginx/logs/nginx.pid.oldbin`
[root@centos111 nginx-1.23.1]#
Verification
[root@centos111 nginx-1.23.1]# /usr/local/nginx/sbin/nginx -v
nginx version: nginx/1.23.1
[root@centos111 nginx-1.23.1]#
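An added check to go with step 2 of the upgrade and the verification above (example code, not from the original article): it compares the configure arguments reported by `nginx -V` for the old and new binaries and lists any flag the new build lacks, so a dropped module such as SSL or HTTP/2 is caught before traffic depends on it. The function names and the second sample output are constructed for illustration, and it assumes no configure argument contains quoted whitespace, as is the case for the build on this page.

```shell
#!/bin/sh
# Added example: compare configure arguments of two nginx builds.
# Input is the text printed by `nginx -V`. nginx writes it to stderr, so on
# a real host capture it with, e.g.:
#   OLD_V=$(/usr/local/nginx/sbin/nginx_1.18 -V 2>&1)
#   NEW_V=$(/usr/local/nginx/sbin/nginx -V 2>&1)

# Print each configure flag on its own line, sorted and de-duplicated.
# Assumption: no flag value contains quoted spaces.
configure_flags() {
    printf '%s\n' "$1" \
        | sed -n 's/^configure arguments: *//p' \
        | tr ' ' '\n' \
        | sed '/^$/d' \
        | sort -u
}

# Print flags present in the old build ($1) but absent from the new one ($2).
missing_flags() {
    old_list=$(configure_flags "$1")
    new_list=$(configure_flags "$2")
    printf '%s\n' "$old_list" | while IFS= read -r flag; do
        [ -n "$flag" ] || continue
        # -x: whole-line match, -F: fixed string, --: flag starts with dashes
        printf '%s\n' "$new_list" | grep -qxF -- "$flag" || printf '%s\n' "$flag"
    done
}

# Extract the version number from the "nginx version:" line.
nginx_version() {
    printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/||p'
}

# Sample input: the old build's output as shown in the Preparation step.
OLD_V='nginx version: nginx/1.18.0
configure arguments: --prefix=/usr/local/nginx --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-pcre --with-http_ssl_module'
# Constructed sample: a 1.23.1 build where --with-http_v2_module was left out.
NEW_V='nginx version: nginx/1.23.1
configure arguments: --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_gzip_static_module --with-http_sub_module --with-pcre --with-http_ssl_module'

echo "old $(nginx_version "$OLD_V") -> new $(nginx_version "$NEW_V")"
echo "flags missing from the new build:"
missing_flags "$OLD_V" "$NEW_V"
```

Running this against objs/nginx before step 4 catches a mismatch while the old binary is still in place.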