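A recent security scan flagged vulnerabilities in nginx 1.6, so it needed to be fixed.
This is a record of the upgrade process.
1. Download the latest version, nginx 1.22
Download link
2. Extract the tarball: tar -zxvf nginx-1.22.0.tar.gz
# Extract the tarball
[root@lstax ~]# tar -zxvf nginx-1.22.0.tar.gz
# File list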
[root@lstax ~]# ll nginx-1.22.0
total 832
drwxr-xr-x 6 clamav git 4096 May 28 15:00 auto
-rw-r--r-- 1 clamav git 317070 May 24 07:59 CHANGES
-rw-r--r-- 1 clamav git 484445 May 24 07:59 CHANGES.ru
drwxr-xr-x 2 clamav git 4096 May 28 15:00 conf
-rwxr-xr-x 1 clamav git 2590 May 24 07:59 configure
drwxr-xr-x 4 clamav git 4096 May 28 15:00 contrib
drwxr-xr-x 2 clamav git 4096 May 28 15:00 html
-rw-r--r-- 1 clamav git 1397 May 24 07:59 LICENSE
drwxr-xr-x 2 clamav git 4096 May 28 15:00 man
-rw-r--r-- 1 clamav git 49 May 24 07:59 README
drwxr-xr-x 9 clamav git 4096 May 28 15:00 src
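3. Check the old nginx build configuration: /lsinfo/nginx/sbin/nginx -V
# The original nginx is installed under /lsinfo/nginx
# Note that -V is uppercase; lowercase -v only shows the nginx version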
[root@lstax nginx]# /lsinfo/nginx/sbin/nginx -V
nginx version: nginx/1.6.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
TLS SNI support enabled
configure arguments: --with-http_ssl_module --prefix=/lsinfo/nginx
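4. Copy the arguments that follow "configure arguments:"; they are needed when compiling the new version
5. Compile the new nginx
# Enter the new nginx source directory
[root@lstax nginx]# cd ~/nginx-1.22.0
# Set the build options
[root@lstax nginx-1.22.0]# ./configure --with-http_ssl_module --prefix=/lsinfo/nginx
# Compile
[root@lstax nginx-1.22.0]# make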
6. Back up and update
# Back up the original nginx binary
[root@lstax nginx-1.22.0]# mv /lsinfo/nginx/sbin/nginx /lsinfo/nginx/sbin/nginx.old
# Copy the new binary into place
[root@lstax nginx-1.22.0]# cp ~/nginx-1.22.0/objs/nginx /lsinfo/nginx/sbin/nginx
7. Test the new nginx
[root@lstax nginx-1.22.0]# cd /lsinfo/nginx/sbin
# Test the configuration
[root@lstax sbin]# ./nginx -t
nginx: the configuration file /lsinfo/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /lsinfo/nginx/conf/nginx.conf test is successful
Seeing "successful" means the test passed.
8. Start the new nginx
[root@lstax sbin]# ps -ef|grep nginx
nobody 15765 21783 0 2月16 ? 00:14:24 nginx: worker process
root 21783 1 0 2021 ? 00:00:00 nginx: master process ./sbin/nginx
root 656504 609561 0 14:51 pts/0 00:00:00 grep --color=auto nginx
# Kill the old nginx processes
[root@lstax sbin]# killall nginx
# Start the new nginx
[root@lstax sbin]# ./nginx -s reload
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /lsinfo/nginx/conf/nginx.conf:48
nginx: [error] open() "/lsinfo/nginx/logs/nginx.pid" failed (2: No such file or directory)
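# Start failed: there is no nginx.pid (killall stopped the master, so there is nothing to reload); start nginx with the configuration file specified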
[root@lstax nginx]# sbin/nginx -c /lsinfo/nginx/conf/nginx.conf
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /lsinfo/nginx/conf/nginx.conf:48
[root@lstax nginx]# sbin/nginx -s reload
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /lsinfo/nginx/conf/nginx.conf:48
9. Startup reported no errors; check that nginx is running
[root@lstax nginx]# ps -ef|grep nginx
root 680984 1 0 14:54 ? 00:00:00 nginx: master process sbin/nginx -c /lsinfo/nginx/conf/nginx.conf
nobody 681079 680984 0 14:54 ? 00:00:00 nginx: worker process
root 682822 609561 0 14:55 pts/0 00:00:00 grep --color=auto nginx
[root@lstax nginx]# ./sbin/nginx -V
nginx version: nginx/1.22.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --with-http_ssl_module --prefix=/lsinfo/nginx
nginx version: nginx/1.22.0
The replacement succeeded.
A warning appears during startup; it can be ignored.
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /lsinfo/nginx/conf/nginx.conf:48
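The checks below are an added example, not part of the original post. Before the swap in step 6 they compare the "configure arguments" of the old and new binaries so that no module is silently dropped, and before step 8 they choose between reload and start based on the pid file. Function names are hypothetical; the paths in the usage comments are the ones used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): checks around the binary swap.
# Function names are hypothetical; paths in the usage notes come from the post.

# Read `nginx -V` text on stdin and print each configure option on its own line.
# Options whose quoted value contains spaces are split into fragments, which
# still compare correctly as a set.
configure_args() {
    sed -n 's/^configure arguments: *//p' | tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# $1 = `nginx -V` text of the old binary, $2 = `nginx -V` text of the new one.
# Prints every option the old build had that the new build lacks;
# returns 1 if any option is missing, 0 otherwise.
missing_args() {
    new_args=$(printf '%s\n' "$2" | configure_args)
    rc=0
    for opt in $(printf '%s\n' "$1" | configure_args); do
        if ! printf '%s\n' "$new_args" | grep -Fqx -e "$opt"; then
            printf '%s\n' "$opt"
            rc=1
        fi
    done
    return $rc
}

# Choose the command for step 8. "nginx -s reload" signals the master whose pid
# is stored in the pid file; after killall no master is left, so nginx has to
# be started instead. $1 = pid file path. Prints "reload" or "start".
next_action() {
    if [ -s "$1" ] && kill -0 "$(cat "$1")" 2>/dev/null; then
        echo reload
    else
        echo start
    fi
}

# Usage on the host from the post (nginx -V writes to stderr, hence 2>&1):
#   old=$(/lsinfo/nginx/sbin/nginx -V 2>&1)
#   new=$(~/nginx-1.22.0/objs/nginx -V 2>&1)
#   missing_args "$old" "$new" || echo "new build lacks the options listed above"
#   next_action /lsinfo/nginx/logs/nginx.pid
```

When next_action prints "start", the command is the one from step 8: sbin/nginx -c /lsinfo/nginx/conf/nginx.conf.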