大家好,我是早九晚十二,目前是做运维相关的工作。写博客是为了积累,希望大家一起进步!
最近,nginx曝出了最新漏洞CVE-2022-41741,这个影响还是比较大的,因为这个包含了一些相对稳定的版本,所以好多环境都需要有升级。
那么,如何快速的升级nginx版本,规避这些漏洞呢?
版本选择
升级我们选择1.23.4版本,下载地址:https://nginx.org/download/nginx-1.23.4.tar.gz
[root@localhost]# tar xf nginx-1.23.4.tar.gz
[root@localhost ~]# cd nginx-1.23.4
[root@localhost nginx-1.23.4]# ls
auto CHANGES CHANGES.ru conf configure contrib html LICENSE man README src
编译服务
[root@localhost nginx-1.23.4]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
checking for OS
+ Linux 3.10.0-1160.el7.x86_64 x86_64
checking for C compiler ... not found
./configure: error: C compiler cc is not found
##错误解决
yum -y install gcc gcc-c++ autoconf automake make
##再次执行编译命令
[root@localhost nginx-1.23.4] ./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-openssl=system
./configure: error: the HTTP rewrite module requires the PCRE library.
You can either disable the module by using --without-http_rewrite_module
option, or install the PCRE library into the system, or build the PCRE library
statically from the source with nginx by using --with-pcre=<path> option.
##问题解决
yum install -y pcre pcre-devel zlib zlib-devel
##安装nginx
make
这时候会报错openssl的问题,我们需先安装openssl
[root@localhost]# wget -k https://www.openssl.org/source/openssl-1.1.1t.tar.gz --no-check-certificate
[root@localhost]# tar zxf openssl-1.1.1t.tar.gz
[root@localhost]# cd openssl-1.1.1t
[root@localhost]# ./config
注意不能再共享目录make校验
[root@localhost]# make clean && make
#安装
[root@localhost]# make install
##配置默认openssl路径
echo "/usr/local/lib64/" >> /etc/ld.so.conf
ldconfig
修改openssl配置
打开nginx原文件下conf文件
#如果编译的openssl没有在默认目录下,需要修改nginx源文件的配置,改成对应的openssl路径
[root@localhost]# vim nginx-1.23.4/auto/lib/openssl/conf
#修改39-42行
39 CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
40 CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
41 CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
42 CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
再次编译
[root@localhost nginx-1.23.4]# make && make install
|| cp conf/uwsgi_params '/usr/local/nginx/conf'
cp conf/uwsgi_params \
'/usr/local/nginx/conf/uwsgi_params.default'
test -f '/usr/local/nginx/conf/scgi_params' \
|| cp conf/scgi_params '/usr/local/nginx/conf'
cp conf/scgi_params \
'/usr/local/nginx/conf/scgi_params.default'
test -f '/usr/local/nginx/conf/nginx.conf' \
|| cp conf/nginx.conf '/usr/local/nginx/conf/nginx.conf'
cp conf/nginx.conf '/usr/local/nginx/conf/nginx.conf.default'
test -d '/usr/local/nginx/logs' \
|| mkdir -p '/usr/local/nginx/logs'
test -d '/usr/local/nginx/logs' \
|| mkdir -p '/usr/local/nginx/logs'
test -d '/usr/local/nginx/html' \
|| cp -R html '/usr/local/nginx'
test -d '/usr/local/nginx/logs' \
|| mkdir -p '/usr/local/nginx/logs'
make[1]: Leaving directory `/root/nginx-1.23.4'
检查nginx版本
[root@localhost3 nginx-1.23.4]# /usr/local/nginx/sbin/nginx -v
nginx version: nginx/1.23.4
码字不易。如果文章对您有希望的话,请三连支持一波。
如有问题,欢迎留言,一起探讨,感谢。
也可关注早九晚十二微信公众号,看到留言后会第一时间回复。