A vulnerability scan of a web server reported a fairly serious finding: an SSL/TLS information disclosure vulnerability, CVE-2016-2183. That CVE is SWEET32, the birthday attack on 64-bit block ciphers; in TLS terms it means the server is still willing to negotiate the 3DES (DES-CBC3) cipher suites.
First check the system's OpenSSL version:
$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
The server runs nginx, so check which OpenSSL nginx itself was built against:
$nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments:
--prefix=/usr/share/nginx
To clear the finding, the plan here is to rebuild nginx against OpenSSL 1.1.1 and swap the binary in without downtime. One caveat first: what the scanner actually detects is that a 3DES suite can be negotiated, so check what the server's `ssl_ciphers` value expands to with `openssl ciphers -v` and add `!3DES` if it is there. The OpenSSL upgrade helps because 1.1.x leaves 3DES out of its DEFAULT list (and adds TLS 1.3), but an `ssl_ciphers` value that names 3DES explicitly, or uses `ALL`, brings it back even on 1.1.1. Rescan, or probe the port yourself, after the change.
For the zero-downtime swap, the reference is the DigitalOcean guide How To Upgrade Nginx In-Place Without Dropping Client Connections; the steps follow.
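Before and after the upgrade it is worth checking the cipher list directly rather than trusting the scanner. The script below is an added example, not part of the original article: it expands an nginx `ssl_ciphers` value with the local `openssl ciphers -v` and flags any suite using DES, 3DES or RC4 (the 64-bit-block suites SWEET32 targets, plus RC4 for good measure), and it can probe a live server by offering only `DES-CBC3-SHA` over TLS 1.2. The host:port, the default cipher string and the sample lines are assumptions; the sample is constructed to look like `openssl ciphers -v` output so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original article. Audits a cipher string for the
# suites CVE-2016-2183 (SWEET32) targets and probes a server for 3DES.
set -eu

# Constructed sample in the format `openssl ciphers -v` prints (one suite per
# line, six columns), used to exercise the parser offline.
SAMPLE_CIPHERS_V='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1'

# weak_suites: reads `openssl ciphers -v` lines on stdin and prints the names
# of suites whose symmetric cipher (column 5, "Enc=...") is DES, 3DES or RC4.
weak_suites() {
    awk '$5 ~ /^Enc=(DES|3DES|RC4)/ { print $1 }'
}

# audit_cipher_string CIPHERSTRING: expands an nginx ssl_ciphers value with the
# local OpenSSL and fails (exit 1) if it admits a weak suite, so it can gate a
# deploy. The expansion depends on the OpenSSL doing the expanding, so run it
# with the same version nginx is linked against.
audit_cipher_string() {
    openssl ciphers "$1" >/dev/null 2>&1 \
        || { echo "invalid cipher string: $1" >&2; return 2; }
    _weak=$(openssl ciphers -v "$1" | weak_suites)
    if [ -n "$_weak" ]; then
        printf 'ssl_ciphers "%s" still enables:\n%s\n' "$1" "$_weak" >&2
        return 1
    fi
    printf 'ssl_ciphers "%s": no DES/3DES/RC4 suites\n' "$1"
}

# server_accepts_3des HOST:PORT: returns 0 if the server completes a TLS 1.2
# handshake with DES-CBC3-SHA (still exposed to SWEET32), 1 if it refuses.
# Needs a client OpenSSL that still has 3DES compiled in; nmap's
# ssl-enum-ciphers script is the alternative.
server_accepts_3des() {
    openssl s_client -connect "$1" -tls1_2 -cipher 'DES-CBC3-SHA' </dev/null 2>/dev/null \
        | grep -q 'Cipher is DES-CBC3-SHA'
}

# Usage:  sh sweet32-check.sh audit 'HIGH:!aNULL:!MD5'
#         sh sweet32-check.sh probe example.com:443      (host is an assumption)
case "${1:-}" in
    audit) audit_cipher_string "${2:-HIGH:!aNULL:!MD5}" ;;
    probe) if server_accepts_3des "${2:?usage: probe host:port}"; then
               echo "VULNERABLE: $2 negotiated DES-CBC3-SHA"; exit 1
           else
               echo "ok: $2 refused DES-CBC3-SHA"
           fi ;;
esac
```

`HIGH:!aNULL:!MD5` is nginx's default `ssl_ciphers`; pass the value from your own nginx.conf. The audit is only as good as the OpenSSL it runs with, which is why it belongs on the server after the new binary is in place, not on a workstation.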
- Prepare the new nginx executable: download one, copy it from another server (the two systems must be closely matched), or build it from source; a full build walkthrough is in the appendix at the bottom.
Verify that the new binary actually runs. A binary copied from elsewhere may be missing shared libraries; in that case copy the corresponding libraries over too and put them where the loader expects them (`ldd ./nginx` lists what it wants). A binary built with `--with-openssl=<source dir>`, as in the appendix, links OpenSSL statically and does not have this problem.
./nginx -V
./nginx: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
- Locate the currently running nginx binary:
$ which nginx
/usr/sbin/nginx
- Back up the current nginx binary and its configuration. Moving the binary out of the way does not disturb the running service, since the master keeps its open handle to the old inode. Move it rather than overwriting it: `cp` onto a running executable fails with "Text file busy".
mv /usr/sbin/nginx /usr/sbin/nginx.bak
cp -r /etc/nginx/ /etc/nginx_conf.bak
- Put the new binary at the old path. It must be exactly the path the running master was started from (the one shown by `ps`), because that is the path nginx re-executes on USR2:
cp nginx.new /usr/sbin/nginx
- Send USR2 to the old master. It starts a new master and worker set from the binary now at that path, while the old master and its workers keep serving:
sudo kill -s USR2 `cat /run/nginx.pid`
- Confirm that the old and new nginx processes coexist:
ps aux | grep nginx
root 10846 0.0 0.3 47564 3280 ? S 13:26 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nginx 10847 0.0 0.1 47936 1908 ? S 13:26 0:00 nginx: worker process
root 11003 0.0 0.3 47564 3132 ? S 13:56 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nginx 11004 0.0 0.1 47936 1912 ? S 13:56 0:00 nginx: worker process
user 11031 0.0 0.0 112640 960 pts/0 S+ 14:01 0:00 grep --color=auto nginx
Look at the pid files: the old master has renamed its pid file from nginx.pid to nginx.pid.oldbin, and the new master owns nginx.pid:
tail /run/nginx.pid*
==> /run/nginx.pid <==
11003
==> /run/nginx.pid.oldbin <==
10846
- Send WINCH to the old master so it gracefully shuts down its workers (each worker exits once it has finished its in-flight connections). The old master itself stays alive so it can be revived if the new binary turns out to be bad:
sudo kill -s WINCH `cat /run/nginx.pid.oldbin`
Now only the new nginx's worker is answering requests:
ps aux | grep nginx
root 10846 0.0 0.3 47564 3280 ? S 13:26 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
root 11003 0.0 0.3 47564 3132 ? S 13:56 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nginx 11004 0.0 0.1 47936 1912 ? S 13:56 0:00 nginx: worker process
user 11089 0.0 0.0 112640 964 pts/0 R+ 14:13 0:00 grep --color=auto nginx
- Watch how requests are being handled for a while (error log, response codes, a TLS handshake against the port).
If everything is fine, the old master can be stopped for good:
sudo kill -s QUIT `cat /run/nginx.pid.oldbin`
If the new nginx misbehaves, roll back: send HUP to the old master to bring its workers back, then QUIT the new master. Restore the old binary at /usr/sbin/nginx afterwards, or the next restart or USR2 will pick up the bad one again.
sudo kill -s HUP `cat /run/nginx.pid.oldbin`
sudo kill -s QUIT `cat /run/nginx.pid`
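The procedure above, from checking the new binary to the point where a human decides whether to finish or roll back, as one added script. This is not from the original article or the DigitalOcean guide; it assumes the paths used on this page (/usr/sbin/nginx, /run/nginx.pid, /etc/nginx) and a freshly built binary at ./objs/nginx, and the environment variable names and the ten-second timeout are my own choices. It refuses a binary that does not execute, was not built with OpenSSL 1.1.x, lacks the TLS module, or rejects the live configuration, and it puts the old binary back if the new master never appears.

```shell
#!/bin/sh
# Added example, not from the original article: scripted in-place nginx swap.
# Run as root once the new binary is built:   sh nginx-swap.sh --run
# The paths are assumptions matching this page; override them in the environment.
set -eu

NGINX_BIN=${NGINX_BIN:-/usr/sbin/nginx}      # path the running master was exec'd from
NGINX_PID=${NGINX_PID:-/run/nginx.pid}       # pid file named in nginx.conf
NEW_BIN=${NEW_BIN:-./objs/nginx}             # freshly built binary (see appendix)
NGINX_CONF_DIR=${NGINX_CONF_DIR:-/etc/nginx}

# read_pid FILE: the pid stored in a pid file, without surrounding whitespace
read_pid() {
    tr -d '[:space:]' < "$1"
}

# wait_for_new_master PIDFILE OLD_PID SECONDS: succeed once PIDFILE names a pid
# other than OLD_PID (the new master writes it after exec), fail on timeout.
wait_for_new_master() {
    _file=$1; _old=$2; _left=$3
    while [ "$_left" -gt 0 ]; do
        if [ -s "$_file" ] && [ "$(read_pid "$_file")" != "$_old" ]; then
            return 0
        fi
        sleep 1
        _left=$((_left - 1))
    done
    return 1
}

# verify_new_binary: refuse a binary that does not run, was not built against
# OpenSSL 1.1.x, was configured without --with-http_ssl_module, or cannot parse
# the live configuration.
verify_new_binary() {
    _v=$("$NEW_BIN" -V 2>&1) || { echo "new binary does not execute" >&2; return 1; }
    printf '%s\n' "$_v" | grep -q 'built with OpenSSL 1\.1\.' \
        || { echo "new binary is not built with OpenSSL 1.1.x" >&2; return 1; }
    printf '%s\n' "$_v" | grep -q -- '--with-http_ssl_module' \
        || { echo "new binary was configured without --with-http_ssl_module" >&2; return 1; }
    "$NEW_BIN" -t -q                                    # test the live config with the new binary
}

swap_binary_in_place() {
    verify_new_binary
    old_pid=$(read_pid "$NGINX_PID")
    kill -0 "$old_pid" || { echo "no running master with pid $old_pid" >&2; return 1; }
    cp -a "$NGINX_CONF_DIR" "${NGINX_CONF_DIR}_conf.bak.$(date +%Y%m%d%H%M%S)"
    mv "$NGINX_BIN" "$NGINX_BIN.bak"                    # mv, not cp: the running file is busy
    cp "$NEW_BIN" "$NGINX_BIN"
    chmod 755 "$NGINX_BIN"

    kill -s USR2 "$old_pid"                             # old master execs the new binary
    if ! wait_for_new_master "$NGINX_PID" "$old_pid" 10; then
        echo "new master did not start; restoring old binary" >&2
        mv "$NGINX_BIN.bak" "$NGINX_BIN"
        return 1
    fi
    new_pid=$(read_pid "$NGINX_PID")
    kill -s WINCH "$old_pid"                            # old workers drain and exit
    echo "new master $new_pid is serving; old master $old_pid kept idle."
    echo "After checking traffic, finish with:   kill -s QUIT $old_pid"
    echo "or roll back with: kill -s HUP $old_pid; kill -s QUIT $new_pid; mv $NGINX_BIN.bak $NGINX_BIN"
}

if [ "${1:-}" = "--run" ]; then
    swap_binary_in_place
fi
```

The script deliberately stops after WINCH: the decision to QUIT the old master or roll back belongs to whoever is watching the logs, and the exact commands for both are printed so nothing has to be remembered under pressure.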
Appendix: building nginx from source
- Download the OpenSSL source from https://www.openssl.org/source/ . Compile OpenSSL from source into nginx rather than upgrading the system's OpenSSL: many programs on the system link against it, and replacing it can cause serious breakage. Verify the tarball against the published checksum or signature before compiling it into your TLS stack.
$wget https://www.openssl.org/source/openssl-1.1.1i.tar.gz
$tar zxvf openssl-1.1.1i.tar.gz
- Download the nginx source from http://nginx.org/en/download.html
$wget http://nginx.org/download/nginx-1.18.0.tar.gz
$tar zxvf nginx-1.18.0.tar.gz
- Install the build toolchain and libraries (openssl-devel is not needed when OpenSSL is compiled in from source via --with-openssl, but it does no harm):
yum groupinstall "Development tools"
yum install -y zlib zlib-devel openssl openssl-devel pcre pcre-devel
- Look at how the current nginx was configured:
$nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments:
--prefix=/usr/share/nginx
--sbin-path=/usr/sbin/nginx
--modules-path=/usr/lib64/nginx/modules
......
Argument reference: http://nginx.org/en/docs/configure.html and https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
- Reuse the current configure arguments, adjusting whatever you need, and add the path to the OpenSSL source tree. Carry over every argument the running binary reports, not only the ones in the truncated listing above: in particular `--with-http_ssl_module` (and `--with-http_v2_module` or `--with-stream_ssl_module` if in use) must be present, because `--with-openssl` only tells the build where the library source is and does not by itself enable TLS support. The command below is shortened; the `......` in the listing stands for the remaining arguments.
$./configure --with-openssl=../openssl-1.1.1i --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log
- configure may stop because a library is missing; install it and run configure again. For example:
./configure: error: the Google perftools module requires the Google perftools
library. You can either do not enable the module or install the library.
$yum install gperftools
- A successful configure produces a Makefile; now run make. Do not run make install: it would install the binary straight onto the --sbin-path, bypassing the checked swap described above.
$make
- make leaves the new executable in objs/. Check that it reports the expected versions and arguments; if not, run make clean (which also removes the Makefile), fix the cause, and run configure and make again, reading the output for errors:
$./objs/nginx -V
nginx version: nginx/1.18.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.1.1i 8 Dec 2020
TLS SNI support enabled
configure arguments: --with-openssl=../openssl-1.1.1i --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log
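The appendix as one added script, not from the original article: it downloads the two tarballs at the versions used above, refuses to unpack either unless it verifies (openssl.org publishes a `.sha256` beside each tarball, nginx.org a detached PGP `.asc` whose signing keys are listed at https://nginx.org/en/pgp_keys.html and must be imported into gpg first), and then configures nginx with the arguments the running binary reports plus `--with-openssl`, so no module flag is lost. The path of the old binary and the version variables are assumptions; the `nginx -V` sample used to exercise the argument parser is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: verified download and build of
# nginx with a statically linked OpenSSL. Run in a scratch directory:
#   sh build-nginx.sh --run
set -eu

OPENSSL_VER=${OPENSSL_VER:-1.1.1i}
NGINX_VER=${NGINX_VER:-1.18.0}
OLD_NGINX=${OLD_NGINX:-/usr/sbin/nginx}   # binary whose configure arguments are reused (assumed path)

# sha256_matches FILE EXPECTED_HEX: true if FILE hashes to EXPECTED_HEX.
# Uses coreutils sha256sum, falling back to openssl dgst where it is absent.
sha256_matches() {
    _actual=$( (sha256sum "$1" 2>/dev/null || openssl dgst -r -sha256 "$1") | awk '{ print $1 }')
    [ "$_actual" = "$2" ]
}

# fetch_openssl: tarball plus its published .sha256; unpack only on a match.
fetch_openssl() {
    _tgz="openssl-$OPENSSL_VER.tar.gz"
    wget -q "https://www.openssl.org/source/$_tgz" "https://www.openssl.org/source/$_tgz.sha256"
    sha256_matches "$_tgz" "$(awk '{ print $1 }' "$_tgz.sha256")" \
        || { echo "$_tgz: SHA-256 mismatch, not unpacking" >&2; return 1; }
    tar xzf "$_tgz"
}

# fetch_nginx: tarball plus detached signature; gpg --verify fails unless the
# nginx signing keys (https://nginx.org/en/pgp_keys.html) are already imported.
fetch_nginx() {
    _tgz="nginx-$NGINX_VER.tar.gz"
    wget -q "http://nginx.org/download/$_tgz" "http://nginx.org/download/$_tgz.asc"
    gpg --verify "$_tgz.asc" "$_tgz" \
        || { echo "$_tgz: bad or unverifiable signature, not unpacking" >&2; return 1; }
    tar xzf "$_tgz"
}

# configure_args_from_V: reads `nginx -V` output on stdin and prints its
# "configure arguments:" line minus any earlier --with-openssl=..., so every
# module flag of the running build (--with-http_ssl_module included) carries
# over. nginx prints values containing spaces in single quotes, which is what
# makes the eval in build_nginx acceptable for output of a binary you trust.
configure_args_from_V() {
    sed -n 's/^configure arguments: //p' | sed 's/--with-openssl=[^ ]* *//g'
}

reuse_configure_args() {
    "$OLD_NGINX" -V 2>&1 | configure_args_from_V
}

# build_nginx: configure with the reused flags plus the OpenSSL source tree,
# then make. No make install: the binary is swapped in by hand (see above).
build_nginx() {
    _args=$(reuse_configure_args)
    cd "nginx-$NGINX_VER"
    eval "./configure $_args --with-openssl=../openssl-$OPENSSL_VER"
    make
    ./objs/nginx -V
    cd ..
}

if [ "${1:-}" = "--run" ]; then
    fetch_openssl
    fetch_nginx
    build_nginx
fi
```

If the old build used `--with-openssl-opt=...`, that is carried over unchanged and applied to the new OpenSSL build, which is normally what you want; check the `./objs/nginx -V` line at the end against the old one before swapping the binary in.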
Please credit the source when reposting. Original link: https://www.uj5u.com/qita/240494.html
