目录

背景

准备工作

升级

验证

背景

升级nginx到1.23.1用以解决以下下安全漏洞问题

NGINX 环境问题漏洞(CVE-2019-20372)
NGINX 环境问题漏洞(CVE-2020-12440)
NGINX 拒绝服务漏洞(CVE-2016-4450)
NGINX RANGE FILTER模块数字错误漏洞(CVE-2017-7529)

准备工作

1、配置本地yum源安装基础编译环境

yum -y install openssl openssl-devel make zlib zlib-devel gcc gcc-c++ libtool    pcre pcre-devel pam pam-devel

2、原Nginx信息获取

[root@centos111 sbin]# ./nginx -V
nginx version: nginx/1.18.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-pcre --with-http_ssl_module
[root@centos111 sbin]# 

3、升级包下载(本例已最新版1.23.1为例)

Index of /download/ (nginx.org)

升级

1、上传新版本源码包到服务器并解压(本例/opt/soft/nginx)

-rw-r--r-- 1 root root 1104352 7月  21 10:16 nginx-1.23.1.tar.gz
[root@centos111 nginx]# pwd
/opt/soft/nginx
[root@centos111 nginx]# ll
总用量 1080
-rw-r--r-- 1 root root 1104352 7月  21 10:16 nginx-1.23.1.tar.gz
[root@centos111 nginx]# tar -xvzf nginx-1.23.1.tar.gz 
[root@centos111 nginx]# ll
总用量 1080
drwxr-xr-x 8 elasticsearch elasticsearch     158 7月  19 22:05 nginx-1.23.1
-rw-r--r-- 1 root          root          1104352 7月  21 10:16 nginx-1.23.1.tar.gz
[root@centos111 nginx]# 

2、进入解压目录并按照旧版本的配置进行编译前的配置(旧版本配置信息请查看【准备工作】中的第二步)，正确执行完成后输出类似如下结果(执行过程略)

[root@centos111 nginx]# cd nginx-1.23.1/
[root@centos111 nginx-1.23.1]# ./configure --prefix=/usr/local/nginx --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-pcre --with-http_ssl_module
 
过程略
 
checking for PCRE library ... found
checking for PCRE JIT support ... found
checking for OpenSSL library ... found
checking for zlib library ... found
creating objs/Makefile
 
Configuration summary
  + using system PCRE library
  + using system OpenSSL library
  + using system zlib library
 
  nginx path prefix: "/usr/local/nginx"
  nginx binary file: "/usr/local/nginx/sbin/nginx"
  nginx modules path: "/usr/local/nginx/modules"
  nginx configuration prefix: "/usr/local/nginx/conf"
  nginx configuration file: "/usr/local/nginx/conf/nginx.conf"
  nginx pid file: "/usr/local/nginx/logs/nginx.pid"
  nginx error log file: "/usr/local/nginx/logs/error.log"
  nginx http access log file: "/usr/local/nginx/logs/access.log"
  nginx http client request body temporary files: "client_body_temp"
  nginx http proxy temporary files: "proxy_temp"
  nginx http fastcgi temporary files: "fastcgi_temp"
  nginx http uwsgi temporary files: "uwsgi_temp"
  nginx http scgi temporary files: "scgi_temp"
 
您在 /var/spool/mail/root 中有新邮件
[root@centos111 nginx-1.23.1]#

3、编译生成objs目录，执行make进行编译，编译正常结果如下，执行ll查看发现多了一个objs目录

[root@centos111 nginx-1.23.1]# make
 
过程略
 
objs/src/http/modules/ngx_http_upstream_zone_module.o \
objs/src/http/modules/ngx_http_stub_status_module.o \
objs/ngx_modules.o \
-ldl -lpthread -lcrypt -lpcre -lssl -lcrypto -ldl -lpthread -lz \
-Wl,-E
sed -e "s|%%PREFIX%%|/usr/local/nginx|" \
	-e "s|%%PID_PATH%%|/usr/local/nginx/logs/nginx.pid|" \
	-e "s|%%CONF_PATH%%|/usr/local/nginx/conf/nginx.conf|" \
	-e "s|%%ERROR_LOG_PATH%%|/usr/local/nginx/logs/error.log|" \
	< man/nginx.8 > objs/nginx.8
make[1]: 离开目录“/opt/soft/nginx/nginx-1.23.1”
您在 /var/spool/mail/root 中有新邮件
[root@centos111 nginx-1.23.1]# ll
总用量 808
drwxr-xr-x 6 elasticsearch elasticsearch    326 7月  21 10:24 auto
-rw-r--r-- 1 elasticsearch elasticsearch 319222 7月  19 22:05 CHANGES
-rw-r--r-- 1 elasticsearch elasticsearch 487813 7月  19 22:05 CHANGES.ru
drwxr-xr-x 2 elasticsearch elasticsearch    168 7月  21 10:24 conf
-rwxr-xr-x 1 elasticsearch elasticsearch   2590 7月  19 22:05 configure
drwxr-xr-x 4 elasticsearch elasticsearch     72 7月  21 10:24 contrib
drwxr-xr-x 2 elasticsearch elasticsearch     40 7月  21 10:24 html
-rw-r--r-- 1 elasticsearch elasticsearch   1397 7月  19 22:05 LICENSE
-rw-r--r-- 1 root          root             438 7月  21 10:27 Makefile
drwxr-xr-x 2 elasticsearch elasticsearch     21 7月  21 10:24 man
drwxr-xr-x 3 root          root             174 7月  21 10:30 objs
-rw-r--r-- 1 elasticsearch elasticsearch     49 7月  19 22:05 README
drwxr-xr-x 9 elasticsearch elasticsearch     91 7月  21 10:24 src

4、备份旧版程序并覆盖新版本

[root@centos111 nginx-1.23.1]# mv /usr/local/nginx/sbin/nginx  /usr/local/nginx/sbin/nginx_1.18
[root@centos111 nginx-1.23.1]# cp ./objs/nginx /usr/local/nginx/sbin/nginx

5、平滑升级

[root@centos111 nginx-1.23.1]# make upgrade
/usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`
sleep 1
test -f /usr/local/nginx/logs/nginx.pid.oldbin
kill -QUIT `cat /usr/local/nginx/logs/nginx.pid.oldbin`
[root@centos111 nginx-1.23.1]# 

验证

[root@centos111 nginx-1.23.1]# /usr/local/nginx/sbin/nginx -v
nginx version: nginx/1.23.1
[root@centos111 nginx-1.23.1]#