[Server Management] Fixing an nginx security vulnerability (CVE-2021-23017) in a project deployed with Docker

This blog post records the process of fixing the nginx security vulnerability (CVE-2021-23017) in a front-end project deployed with Docker.

Vulnerability report

According to information on the Internet, the versions affected by the vulnerability are 0.6.18-1.20.0, and the official website http://nginx.org/en/download.html provides a stable version 1.20.2, so upgrading nginx to 1.20.2 can be considered.

Upgrade nginx version

1. View the nginx version used in the production environment

curl -i 127.0.0.1

It returns the following:

HTTP/1.1 200 OK
Server: nginx/1.17.3

2. View the locally installed nginx version

# Find the nginx installation location
whereis nginx

It returns: nginx: /usr/local/nginx
View the installed nginx version:

/usr/local/nginx/sbin/nginx -V

The returned version is nginx version: nginx/1.2.8, which means that the production environment does not use the version installed on the system. Therefore, it can be inferred that the production environment is deployed through Docker.

View the version of the currently running nginx image:

docker inspect nginx

Pull nginx version 1.20.2:

docker pull nginx:1.20.2

Change the docker-compose.yml configuration. Replace /var/trunk below with the location of your actual Docker deployment project; its notable feature is that it contains files such as docker-compose.yml and Dockerfile.

cd /var/trunk
vim docker-compose.yml

Modify the version number of nginx, then shut docker-compose down and start it again:

docker-compose down
# up -d recreates the containers from the updated image; restart cannot start containers that down has already removed
docker-compose up -d

Check nginx version:

curl -i 127.0.0.1

It returns the following:

HTTP/1.1 200 OK
Server: nginx/1.20.2

This shows that nginx in the production environment has been upgraded to 1.20.2, and the vulnerability has been successfully fixed!
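
The before/after check above compares the Server header by eye. As an added example (not part of the original post), the script below parses that header and tests the version against the affected range this page gives, 0.6.18 to 1.20.0. The function names are hypothetical, and the sample responses are constructed from the two headers shown above.

```shell
#!/bin/sh
# Added example; function names are hypothetical. The range is the one this page states.
AFFECTED_MIN="0.6.18"
AFFECTED_MAX="1.20.0"

# ver_cmp A B: print -1, 0 or 1 comparing dotted versions numerically,
# so that 1.2.8 sorts before 1.17.3 (a plain string compare gets this wrong).
ver_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -n "$x" ] || x=0
        [ -n "$y" ] || y=0
        if [ "$x" -lt "$y" ]; then echo "-1"; return; fi
        if [ "$x" -gt "$y" ]; then echo "1"; return; fi
        # Drop the leading component and continue with the rest.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo "0"
}

# server_version: read HTTP response headers on stdin and print the nginx
# version from the Server header; print nothing if no version is exposed.
server_version() {
    tr -d '\r' | sed -n 's|^[Ss]erver:[[:space:]]*nginx/\([0-9][0-9.]*\).*$|\1|p' | head -n 1
}

# classify VERSION: print "affected", "not-affected" or "unknown".
classify() {
    v=$1
    case $v in ''|*[!0-9.]*) echo unknown; return ;; esac
    if [ "$(ver_cmp "$v" "$AFFECTED_MIN")" -ge 0 ] &&
       [ "$(ver_cmp "$v" "$AFFECTED_MAX")" -le 0 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample responses carrying the two Server headers shown on this page,
# plus one with the version hidden.
# Against a live host: curl -si 127.0.0.1 | server_version
for h in 'Server: nginx/1.17.3' 'Server: nginx/1.20.2' 'Server: nginx'; do
    v=$(printf 'HTTP/1.1 200 OK\r\n%s\r\n' "$h" | server_version)
    echo "nginx/${v:-?}: $(classify "$v")"
done
```

A result of "unknown" means the header did not expose a version, so the image tag in docker-compose.yml is the thing to check instead.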

It should be noted that this blog is only applicable to nginx version upgrades for projects that use Docker to deploy production environments!


Origin blog.csdn.net/m0_37201243/article/details/124557842