nginx 升級為最新版 nginx -1.12.0
阿新 • • 發佈:2017-07-14
nginx
nginx 空指針間接引用漏洞(CVE-2016-4450)
nginx resolver 釋放後重利用漏洞(CVE-2016-0746)
為了修復上面的漏洞,決定將nginx 更新為nginx-1.12.0
1.首先下載 nginx-1.12.0.tar.gz,nginx-upstream-jvm-route-master.zip
ngx_cache_purge-2.3.tar.gz
附件中有依賴包
2.解壓 tar -zxvf ngx_cache_purge-2.3.tar.gz
tar -zxvf nginx-upstream-jvm-route-master.zip
tar -zxvf nginx-1.12.0.tar.gz
3.通過./nginx -V 查看原來安裝時的參數
[[email protected] sbin]# ./nginx -V
nginx version: nginx/1.0.12
configure arguments: --prefix=/opt/nginx --with-http_stub_status_module --with-pcre=/opt/soft/pcre-8.21 --add-module=../nginx_upstream_jvm_route/ --add-module=../ngx_cache_purge-1.5 --add-module=../nginx_upstream_check_module-master
4.進入 nginx-1.12.0 執行:
patch -p0 < nginx-upstream-jvm-route-master所在路徑下的jvm_route.patch
patch -p0 < /opt/soft/nginx-upstream-jvm-route-master/jvm_route.patch
註意一定要執行,否則make 時會報錯誤
5.執行
[[email protected] nginx-1.12.0]# ./configure --prefix=/opt/nginx --with-http_stub_status_module --with-pcre=/opt/soft/pcre-8.21 --add-module=/opt/soft/nginx-upstream-jvm-route-master/ --add-module=/opt/soft/ngx_cache_purge-1.5 --add-module=/opt/soft/nginx_upstream_check_module-master
6. [[email protected] nginx-1.12.0]#make
7.[[email protected] nginx-1.12.0] mv /opt/nginx/sbin/nginx /opt/nginx/sbin/nginx.old
8.[[email protected] nginx-1.12.0] cp objs/nginx /opt/nginx/sbin/
9.[[email protected] nginx-1.12.0]# make upgrade
/opt/nginx/sbin/nginx -t
nginx: the configuration file /opt/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx/conf/nginx.conf test is successful
kill -USR2 `cat /opt/nginx/logs/nginx.pid`
sleep 1
test -f /opt/nginx/logs/nginx.pid.oldbin
kill -QUIT `cat /opt/nginx/logs/nginx.pid.oldbin`
註意:升級是不需要關閉nginx
10.[[email protected] nginx-1.12.0]# /opt/nginx/sbin/nginx -V
nginx version: nginx/1.12.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC)
configure arguments: --prefix=/opt/nginx --with-http_stub_status_module --with-pcre=/opt/soft/pcre-8.21 --add-module=/opt/soft/nginx-upstream-jvm-route-master/ --add-module=/opt/soft/ngx_cache_purge-2.3 --add-module=/opt/soft/nginx_upstream_check_module-master
升級成!
模塊說明:
nginx_upstream_check_module 來檢測後方realserver的健康狀態,如果後端服務器不可用,則所以的請求不轉發到這臺服務器。
nginx_upstream_jvm_route: 通過session cookie的方式來獲取session粘性。如果在cookie和url中並沒有session,則這只是個簡單的round-robin 負載均衡。
ngx_cache_purge:緩存模塊
公司目前使用的nginx版本比較低(nginx-1.0.12),請網絡安全公司做了一下“遠程安全評估”,發現有下列漏洞:
nginx URI處理安全限制繞過漏洞(CVE-2013-4547)
Nginx ‘access.log‘不安全文件權限漏洞(CVE-2013-0337)
nginx SSL會話固定漏洞(CVE-2014-3616)
nginx resolver 拒絕服務漏洞(CVE-2016-0747)
nginx resolver 拒絕服務漏洞(CVE-2016-0742)
nginx ‘ngx_http_mp4_module.c‘緩沖區溢出漏洞
nginx標頭解析內存泄露漏洞
nginx ‘ngx_http_close_connection()‘遠程整數溢出漏洞
nginx 空指針間接引用漏洞(CVE-2016-4450)
nginx resolver 釋放後重利用漏洞(CVE-2016-0746)
為了修復上面的漏洞,決定將nginx 更新為nginx-1.12.0
1.首先下載 nginx-1.12.0.tar.gz,nginx-upstream-jvm-route-master.zip
ngx_cache_purge-2.3.tar.gz
附件中有依賴包
2.解壓 tar -zxvf ngx_cache_purge-2.3.tar.gz
tar -zxvf nginx-upstream-jvm-route-master.zip
tar -zxvf nginx-1.12.0.tar.gz
3.通過./nginx -V 查看原來安裝時的參數
[[email protected] sbin]# ./nginx -V
nginx version: nginx/1.0.12
configure arguments: --prefix=/opt/nginx --with-http_stub_status_module --with-pcre=/opt/soft/pcre-8.21 --add-module=../nginx_upstream_jvm_route/ --add-module=../ngx_cache_purge-1.5 --add-module=../nginx_upstream_check_module-master
4.進入 nginx-1.12.0 執行:
patch -p0 < nginx-upstream-jvm-route-master所在路徑下的jvm_route.patch
patch -p0 < /opt/soft/nginx-upstream-jvm-route-master/jvm_route.patch
註意一定要執行,否則make 時會報錯誤
5.執行
[[email protected] nginx-1.12.0]# ./configure --prefix=/opt/nginx --with-http_stub_status_module --with-pcre=/opt/soft/pcre-8.21 --add-module=/opt/soft/nginx-upstream-jvm-route-master/ --add-module=/opt/soft/ngx_cache_purge-1.5 --add-module=/opt/soft/nginx_upstream_check_module-master
6. [[email protected] nginx-1.12.0]#make
7.[[email protected] nginx-1.12.0] mv /opt/nginx/sbin/nginx /opt/nginx/sbin/nginx.old
8.[[email protected] nginx-1.12.0] cp objs/nginx /opt/nginx/sbin/
9.[[email protected] nginx-1.12.0]# make upgrade
/opt/nginx/sbin/nginx -t
nginx: the configuration file /opt/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx/conf/nginx.conf test is successful
kill -USR2 `cat /opt/nginx/logs/nginx.pid`
sleep 1
test -f /opt/nginx/logs/nginx.pid.oldbin
kill -QUIT `cat /opt/nginx/logs/nginx.pid.oldbin`
註意:升級是不需要關閉nginx
10.[[email protected] nginx-1.12.0]# /opt/nginx/sbin/nginx -V
nginx version: nginx/1.12.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC)
configure arguments: --prefix=/opt/nginx --with-http_stub_status_module --with-pcre=/opt/soft/pcre-8.21 --add-module=/opt/soft/nginx-upstream-jvm-route-master/ --add-module=/opt/soft/ngx_cache_purge-2.3 --add-module=/opt/soft/nginx_upstream_check_module-master
升級成!
模塊說明:
nginx_upstream_check_module 來檢測後方realserver的健康狀態,如果後端服務器不可用,則所以的請求不轉發到這臺服務器。
nginx_upstream_jvm_route: 通過session cookie的方式來獲取session粘性。如果在cookie和url中並沒有session,則這只是個簡單的round-robin 負載均衡。
ngx_cache_purge:緩存模塊
模塊下載:http://gjp014.iteye.com/blog/2384146
本文出自 “菜鳥” 博客,請務必保留此出處http://gjp014.blog.51cto.com/2393413/1947429
nginx 升級為最新版 nginx -1.12.0