Nginx module installation, bug fixes
Chapter 1 Add ssl module after Nginx installation
Chapter 2 Nginx shield header attack
Chapter 3 openssl upgrade (SSL/TLS LogJam middleman security restriction bypass vulnerability (CVE-2015-4000)
Article Directory
foreword
The public key is too weak to fix
1. Whether openssl has not been upgraded and nginx is compiled with –with-http_ssl_module module
2. After upgrading openssl, nginx is compiled with –with-http_ssl_module --with-openssl=absolute path of the source package
1. The openssl version has not been upgraded
Unupgraded openssl version 1.0.2k
[root@h5 /]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
nginx compiles normally
[root@h5 sbin]# ./nginx -V
nginx version: nginx/1.20.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --with-http_ssl_module
2. Upgraded openssl version (upgrade openssl to see openssl upgrade )
Upgraded openssl
[root@h5 openssl-1.1.1o]# openssl version
OpenSSL 1.1.1o 3 May 2022
When compiling nginx from source code, add the absolute path of openssl source code
[root@h5 nginx-1.20.0]# ./configure --with-http_ssl_module --with-openssl=/u01/openssl-1.1.1o/ ##编译nginx,直接用源码包目录后期编译不会有报错。
After compiling and installing make, an error is reported: no such file or directory.
[root@h5 nginx-1.20.2]# make
/bin/sh:行2: ./config: 没有那个文件或目录
make[1]: *** [/usr/include/openssl/.openssl/include/openssl/ssl.h] 错误 127
make[1]: 离开目录“/u01/nginx/nginx-1.20.2”
make: *** [build] 错误 2
Solution: Remove /.openssl/ from the following conf
原有:
CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
修改后:
[root@h5 nginx-1.8.0]# vim auto/lib/openssl/conf
CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
If the following error is reported during source package installation, it means that the versions of openssl and nginx do not match.
src/event/ngx_event_openssl.c: 在函数‘ngx_ssl_init’中:
src/event/ngx_event_openssl.c:112:5: 错误:不建议使用‘OPENSSL_config’(声明于 /u01/openssl-1.1.1o//.openssl/include/openssl/conf.h:91) [-Werror=deprecated-declarations]
OPENSSL_config(NULL);
^
src/event/ngx_event_openssl.c: 在函数‘ngx_ssl_rsa512_key_callback’中:
src/event/ngx_event_openssl.c:753:9: 错误:不建议使用‘RSA_generate_key’(声明于 /u01/openssl-1.1.1o//.openssl/include/openssl/rsa.h:235) [-Werror=deprecated-declarations]
key = RSA_generate_key(512, RSA_F4, NULL, NULL);
^
src/event/ngx_event_openssl.c: 在函数‘ngx_ssl_dhparam’中:
src/event/ngx_event_openssl.c:943:11: 错误:提领指向不完全类型的指针
dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);