[Nginx] Upgrading from 1.16.0 to 1.16.1
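Preface
The machines I maintain run Nginx 1.16.0, which was flagged by the company's security department and needs to be upgraded. These are my notes recording the process.
Environment
Operating system: Linux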
[root@crhtest sbin]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.9 (Santiago)
[root@crhtest sbin]#
Nginx version: 1.16.0
[root@crhtest sbin]# ./nginx -V
nginx version: nginx/1.16.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.0.2k 26 Jan 2017
TLS SNI support enabled
configure arguments: --with-pcre=../pcre-8.32 --with-zlib=../zlib-1.2.8 --with-openssl=../openssl-1.0.2k --with-poll_module --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-stream --with-stream_ssl_module --with-ipv6
[root@crhtest sbin]#
Download page: https://nginx.org/en/download.html
I downloaded 1.16.1, the fix release.
Procedure
Backup
Back up the full directory:
[root@crhtest local]# cd /usr/local/ ;tar -czvf nginx.20240418.tar.gz nginx/
Back up the configuration separately:
[root@crhtest nginx-1.16.1]# cp /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.20240418.bak
Fetch the sources
Create a temporary directory:
mkdir /tmp/nginx
cd /tmp/nginx
chmod +wrx /tmp/nginx/
Download nginx
[root@crhtest nginx]# wget https://nginx.org/download/nginx-1.16.1.tar.gz
--2024-04-18 09:40:11-- https://nginx.org/download/nginx-1.16.1.tar.gz
正在解析主机 nginx.org... 52.58.199.22, 3.125.197.172, 2a05:d014:5c0:2600::6, ...
正在连接 nginx.org|52.58.199.22|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:1032630 (1008K) [application/octet-stream]
正在保存至: “nginx-1.16.1.tar.gz”
100%[==================================================================================================================================================================>] 1,032,630 897K/s in 1.1s
2024-04-18 09:40:13 (897 KB/s) - 已保存 “nginx-1.16.1.tar.gz” [1032630/1032630])
[root@crhtest nginx]#
[Optional] Download pcre
https://sourceforge.net/projects/pcre/files/pcre/8.32/pcre-8.32.tar.gz/download
Then upload it to the server
[root@crhtest nginx-1.16.1]# tar -xzvf pcre-8.32.tar.gz
pcre-8.32/
pcre-8.32/m4/
pcre-8.32/m4/libtool.m4
pcre-8.32/m4/ax_pthread.m4
pcre-8.32/m4/ltversion.m4
pcre-8.32/m4/lt~obsolete.m4
pcre-8.32/m4/ltoptions.m4
pcre-8.32/m4/pcre_visibility.m4
pcre-8.32/m4/ltsugar.m4
pcre-8.32/doc/
pcre-8.32/doc/html/
pcre-8.32/doc/html/pcre16.html
pcre-8.32/doc/html/pcre_assign_jit_stack.html
pcre-8.32/doc/html/pcre.html
pcre-8.32/doc/html/pcreperform.html
pcre-8.32/doc/html/pcrepartial.html
pcre-8.32/doc/html/pcreunicode.html
pcre-8.32/doc/html/pcre_study.html
[Optional] Download & extract zlib
[root@crhtest nginx-1.16.1]# wget https://www.zlib.net/fossils/zlib-1.2.8.tar.gz
--2024-04-18 10:27:27-- https://www.zlib.net/fossils/zlib-1.2.8.tar.gz
正在解析主机 www.zlib.net... 85.187.148.2
正在连接 www.zlib.net|85.187.148.2|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:571091 (558K) [application/x-gzip]
正在保存至: “zlib-1.2.8.tar.gz”
100%[==================================================================================================================================================================>] 571,091 510K/s in 1.1s
2024-04-18 10:27:30 (510 KB/s) - 已保存 “zlib-1.2.8.tar.gz” [571091/571091])
[root@crhtest nginx-1.16.1]# tar -xzvf zlib-1.2.8.tar.gz
zlib-1.2.8/
zlib-1.2.8/adler32.c
zlib-1.2.8/amiga/
zlib-1.2.8/amiga/Makefile.pup
zlib-1.2.8/amiga/Makefile.sas
zlib-1.2.8/as400/
zlib-1.2.8/as400/bndsrc
zlib-1.2.8/as400/compile.clp
zlib-1.2.8/as400/readme.txt
zlib-1.2.8/as400/zlib.inc
zlib-1.2.8/ChangeLog
zlib-1.2.8/CMakeLists.txt
zlib-1.2.8/compress.c
zlib-1.2.8/configure
[Optional] Download & extract openssl
[root@crhtest nginx-1.16.1]# wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1d.tar.gz
--2024-04-18 10:32:00-- https://www.openssl.org/source/old/1.1.1/openssl-1.1.1d.tar.gz
正在解析主机 www.openssl.org... 34.36.58.177, 2600:1901:0:1812::
正在连接 www.openssl.org|34.36.58.177|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:8845861 (8.4M) [application/x-tar]
正在保存至: “openssl-1.1.1d.tar.gz”
100%[==================================================================================================================================================================>] 8,845,861 4.07M/s in 2.1s
2024-04-18 10:32:05 (4.07 MB/s) - 已保存 “openssl-1.1.1d.tar.gz” [8845861/8845861])
[root@crhtest nginx-1.16.1]# tar -xzvf openssl-1.1.1d.tar.gz
Extract nginx
[root@crhtest nginx]# ll
总用量 1012
-rw-r--r-- 1 root root 1032630 8月 14 2019 nginx-1.16.1.tar.gz
[root@crhtest nginx]# tar -xzvf nginx-1.16.1.tar.gz
Install
[Optional, PCRE configure]
[root@crhtest pcre-8.32]# cd /tmp/nginx/nginx-1.16.1/pcre-8.32
[root@crhtest pcre-8.32]# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for g++... g++
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking dependency style of g++... gcc3
checking whether gcc and cc understand -c and -o together... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for int64_t... yes
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /bin/sed
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1966080
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... dlltool
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for mt... no
checking if : is a manifest tool... no
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking how to run the C++ preprocessor... g++ -E
checking for ld used by g++... /usr/bin/ld -m elf_x86_64
checking if the linker (/usr/bin/ld -m elf_x86_64) is GNU ld... yes
checking whether the g++ linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking for g++ option to produce PIC... -fPIC -DPIC
checking if g++ PIC flag -fPIC -DPIC works... yes
checking if g++ static flag -static works... no
checking if g++ supports -c -o file.o... yes
checking if g++ supports -c -o file.o... (cached) yes
checking whether the g++ linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking dynamic linker characteristics... (cached) GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether ln -s works... yes
checking whether the -Werror option is usable... yes
checking for simple visibility declarations... yes
checking for ANSI C header files... (cached) yes
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking for sys/types.h... (cached) yes
checking for sys/stat.h... (cached) yes
checking dirent.h usability... yes
checking dirent.h presence... yes
checking for dirent.h... yes
checking windows.h usability... no
checking windows.h presence... no
checking for windows.h... no
checking for alias support in the linker... no
checking for alias support in the linker... no
checking string usability... yes
checking string presence... yes
checking for string... yes
checking bits/type_traits.h usability... no
checking bits/type_traits.h presence... no
checking for bits/type_traits.h... no
checking type_traits.h usability... no
checking type_traits.h presence... no
checking for type_traits.h... no
checking for strtoq... yes
checking for long long... yes
checking for unsigned long long... yes
checking for an ANSI C-conforming const... yes
checking for size_t... yes
checking for bcopy... yes
checking for memmove... yes
checking for strerror... yes
checking zlib.h usability... yes
checking zlib.h presence... yes
checking for zlib.h... yes
checking for gzopen in -lz... yes
checking bzlib.h usability... yes
checking bzlib.h presence... yes
checking for bzlib.h... yes
checking for libbz2... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating libpcre.pc
config.status: creating libpcre16.pc
config.status: creating libpcre32.pc
config.status: creating libpcreposix.pc
config.status: creating libpcrecpp.pc
config.status: creating pcre-config
config.status: creating pcre.h
config.status: creating pcre_stringpiece.h
config.status: creating pcrecpparg.h
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
config.status: executing script-chmod commands
config.status: executing delete-old-chartables commands
pcre-8.32 configuration summary:
Install prefix .................. : /usr/local
C preprocessor .................. : gcc -E
C compiler ...................... : gcc
C++ preprocessor ................ : g++ -E
C++ compiler .................... : g++
Linker .......................... : /usr/bin/ld -m elf_x86_64
C preprocessor flags ............ :
C compiler flags ................ : -O2 -fvisibility=hidden
C++ compiler flags .............. : -O2 -fvisibility=hidden -fvisibility-inlines-hidden
Linker flags .................... :
Extra libraries ................. :
Build 8 bit pcre library ........ : yes
Build 16 bit pcre library ....... : no
Build 32 bit pcre library ....... : no
Build C++ library ............... : yes
Enable JIT compiling support .... : no
Enable UTF-8/16/32 support ...... : no
Unicode properties .............. : no
Newline char/sequence ........... : lf
\R matches only ANYCRLF ......... : no
EBCDIC coding ................... : no
EBCDIC code for NL .............. : n/a
Rebuild char tables ............. : no
Use stack recursion ............. : yes
POSIX mem threshold ............. : 10
Internal link size .............. : 2
Match limit ..................... : 10000000
Match limit recursion ........... : MATCH_LIMIT
Build shared libs ............... : yes
Build static libs ............... : yes
Use JIT in pcregrep ............. : no
Buffer size for pcregrep ........ : 20480
Link pcregrep with libz ......... : no
Link pcregrep with libbz2 ....... : no
Link pcretest with libedit ...... : no
Link pcretest with libreadline .. : no
Valgrind support ................ : no
Code coverage ................... : no
[root@crhtest pcre-8.32]#
[Optional, zlib configure]
[root@crhtest nginx-1.16.1]# cd zlib-1.2.8
[root@crhtest zlib-1.2.8]# ./configure
Checking for gcc...
Checking for shared library support...
Building shared library libz.so.1.2.8 with gcc.
Checking for off64_t... Yes.
Checking for fseeko... Yes.
Checking for strerror... Yes.
Checking for unistd.h... Yes.
Checking for stdarg.h... Yes.
Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf().
Checking for vsnprintf() in stdio.h... Yes.
Checking for return value of vsnprintf()... Yes.
Checking for attribute(visibility) support... Yes.
[root@crhtest zlib-1.2.8]#
[Optional, openssl config]
[root@crhtest openssl-1.1.1d]# ./config
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1d (0x1010104fL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile
**********************************************************************
*** ***
*** OpenSSL has been successfully configured ***
*** ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL file first) ***
*** ***
**********************************************************************
[root@crhtest openssl-1.1.1d]#
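I generally recommend drafting the command in a notepad first and then pasting it into the shell; otherwise a stray Enter will cause mistakes (really).
Referring to the earlier nginx -V output, some build parameters need to be added.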
./configure
--sbin-path=/usr/local/nginx/sbin/nginx
--conf-path=/usr/local/nginx/conf/nginx.conf
--pid-path=/usr/local/nginx/nginx.pid
--with-pcre=./pcre-8.32
--with-zlib=./zlib-1.2.8
--with-openssl=./openssl-1.1.1d
--with-poll_module
--with-http_stub_status_module
--with-http_ssl_module
--with-http_gzip_static_module
--with-http_realip_module
--with-stream
--with-stream_ssl_module
--with-ipv6
Once you are sure it is correct, remove all the line breaks. This is the benefit of editing in a notepad first!
configure
[root@crhtest nginx-1.16.1]# ./configure --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-pcre=./pcre-8.32 --with-zlib=./zlib-1.2.8 --with-openssl=./openssl-1.1.1d --with-poll_module --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-stream --with-stream_ssl_module --with-ipv6
checking for OS
+ Linux 2.6.32-696.20.1.el6.x86_64 x86_64
checking for C compiler ... found
+ using GNU C compiler
+ gcc version: 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
checking for gcc -pipe switch ... found
checking for -Wl,-E switch ... found
checking for gcc builtin atomic operations ... found
checking for C99 variadic macros ... found
checking for gcc variadic macros ... found
checking for gcc builtin 64 bit byteswap ... found
checking for unistd.h ... found
checking for inttypes.h ... found
checking for limits.h ... found
checking for sys/filio.h ... not found
checking for sys/param.h ... found
checking for sys/mount.h ... found
checking for sys/statvfs.h ... found
checking for crypt.h ... found
checking for Linux specific features
checking for epoll ... found
checking for EPOLLRDHUP ... found
checking for EPOLLEXCLUSIVE ... not found
checking for O_PATH ... not found
checking for sendfile() ... found
checking for sendfile64() ... found
checking for sys/prctl.h ... found
checking for prctl(PR_SET_DUMPABLE) ... found
checking for prctl(PR_SET_KEEPCAPS) ... found
checking for capabilities ... found
checking for crypt_r() ... found
checking for sys/vfs.h ... found
checking for nobody group ... found
checking for poll() ... found
checking for /dev/poll ... not found
checking for kqueue ... not found
checking for crypt() ... not found
checking for crypt() in libcrypt ... found
checking for F_READAHEAD ... not found
checking for posix_fadvise() ... found
checking for O_DIRECT ... found
checking for F_NOCACHE ... not found
checking for directio() ... not found
checking for statfs() ... found
checking for statvfs() ... found
checking for dlopen() ... not found
checking for dlopen() in libdl ... found
checking for sched_yield() ... found
checking for sched_setaffinity() ... found
checking for SO_SETFIB ... not found
checking for SO_REUSEPORT ... found
checking for SO_ACCEPTFILTER ... not found
checking for SO_BINDANY ... not found
checking for IP_TRANSPARENT ... found
checking for IP_BINDANY ... not found
checking for IP_BIND_ADDRESS_NO_PORT ... not found
checking for IP_RECVDSTADDR ... not found
checking for IP_SENDSRCADDR ... not found
checking for IP_PKTINFO ... found
checking for IPV6_RECVPKTINFO ... found
checking for TCP_DEFER_ACCEPT ... found
checking for TCP_KEEPIDLE ... found
checking for TCP_FASTOPEN ... not found
checking for TCP_INFO ... found
checking for accept4() ... found
checking for eventfd() ... found
checking for int size ... 4 bytes
checking for long size ... 8 bytes
checking for long long size ... 8 bytes
checking for void * size ... 8 bytes
checking for uint32_t ... found
checking for uint64_t ... found
checking for sig_atomic_t ... found
checking for sig_atomic_t size ... 4 bytes
checking for socklen_t ... found
checking for in_addr_t ... found
checking for in_port_t ... found
checking for rlim_t ... found
checking for uintptr_t ... uintptr_t found
checking for system byte ordering ... little endian
checking for size_t size ... 8 bytes
checking for off_t size ... 8 bytes
checking for time_t size ... 8 bytes
checking for AF_INET6 ... found
checking for setproctitle() ... not found
checking for pread() ... found
checking for pwrite() ... found
checking for pwritev() ... found
checking for sys_nerr ... found
checking for localtime_r() ... found
checking for clock_gettime(CLOCK_MONOTONIC) ... not found
checking for clock_gettime(CLOCK_MONOTONIC) in librt ... found
checking for posix_memalign() ... found
checking for memalign() ... found
checking for mmap(MAP_ANON|MAP_SHARED) ... found
checking for mmap("/dev/zero", MAP_SHARED) ... found
checking for System V shared memory ... found
checking for POSIX semaphores ... not found
checking for POSIX semaphores in libpthread ... found
checking for struct msghdr.msg_control ... found
checking for ioctl(FIONBIO) ... found
checking for struct tm.tm_gmtoff ... found
checking for struct dirent.d_namlen ... not found
checking for struct dirent.d_type ... found
checking for sysconf(_SC_NPROCESSORS_ONLN) ... found
checking for sysconf(_SC_LEVEL1_DCACHE_LINESIZE) ... found
checking for openat(), fstatat() ... found
checking for getaddrinfo() ... found
creating objs/Makefile
Configuration summary
+ using PCRE library: ../pcre-8.32
+ using OpenSSL library: ../openssl-1.1.1d
+ using zlib library: ../zlib-1.2.8
nginx path prefix: "/usr/local/nginx"
nginx binary file: "/usr/local/nginx/nginx"
nginx modules path: "/usr/local/nginx/modules"
nginx configuration prefix: "/usr/local/nginx"
nginx configuration file: "/usr/local/nginx/nginx.conf"
nginx pid file: "/usr/local/nginx/nginx.pid"
nginx error log file: "/usr/local/nginx/logs/error.log"
nginx http access log file: "/usr/local/nginx/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
./configure: warning: the "--with-ipv6" option is deprecated
[root@crhtest nginx-1.16.1]#
make build && make install
[root@crhtest nginx-1.16.1]# make build && make install
Verification
[root@crhtest sbin]# ./nginx -V
nginx version: nginx/1.16.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.1.1d 10 Sep 2019
TLS SNI support enabled
configure arguments: --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-pcre=./pcre-8.32 --with-zlib=./zlib-1.2.8 --with-openssl=./openssl-1.1.1d --with-poll_module --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-stream --with-stream_ssl_module --with-ipv6
[root@crhtest sbin]# cd -
/tmp/nginx/nginx-1.16.1
[root@crhtest nginx-1.16.1]# ll
Upgrade complete
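The verification step above, and the earlier step of carrying the old build's parameters into the new configure command, can be checked mechanically instead of by eye. The following is an added example, not part of the original post: the function names are hypothetical, and the sample text is copied from the two nginx -V outputs shown on this page.

```shell
#!/bin/sh
# Added example: compare two `nginx -V` outputs. nginx prints -V to stderr,
# so on a real host capture it with: nginx -V 2>&1
LC_ALL=C; export LC_ALL

# Sample input copied from this page (old build, then new build).
OLD_V='nginx version: nginx/1.16.0
built with OpenSSL 1.0.2k  26 Jan 2017
configure arguments: --with-pcre=../pcre-8.32 --with-zlib=../zlib-1.2.8 --with-openssl=../openssl-1.0.2k --with-poll_module --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-stream --with-stream_ssl_module --with-ipv6'

NEW_V='nginx version: nginx/1.16.1
built with OpenSSL 1.1.1d  10 Sep 2019
configure arguments: --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-pcre=./pcre-8.32 --with-zlib=./zlib-1.2.8 --with-openssl=./openssl-1.1.1d --with-poll_module --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-stream --with-stream_ssl_module --with-ipv6'

# Flag names from the "configure arguments:" line, values after "=" stripped,
# one per line, sorted. Paths differ between builds, so only names are compared.
flag_names() {
    printf '%s\n' "$1" | sed -n 's/^configure arguments: *//p' | tr ' ' '\n' \
        | sed -e '/^$/d' -e 's/=.*//' | sort -u
}

# Flags present in the first output but absent from the second.
missing_flags() {
    old=$(flag_names "$1"); new=$(flag_names "$2")
    for f in $old; do
        # -x: whole-line match, so --with-stream does not match --with-stream_ssl_module
        printf '%s\n' "$new" | grep -qxF -e "$f" || printf '%s\n' "$f"
    done
}
added_flags() { missing_flags "$2" "$1"; }

version_of() { printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/||p'; }
openssl_of() { printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'; }

# Returns non-zero if the version did not change or a module flag was dropped.
upgrade_report() {
    rc=0
    echo "nginx:   $(version_of "$1") -> $(version_of "$2")"
    echo "OpenSSL: $(openssl_of "$1") -> $(openssl_of "$2")"
    [ "$(version_of "$1")" != "$(version_of "$2")" ] || { echo "FAIL: version unchanged"; rc=1; }
    m=$(missing_flags "$1" "$2")
    [ -z "$m" ] || { echo "FAIL: flags dropped by the new build:"; echo "$m"; rc=1; }
    a=$(added_flags "$1" "$2")
    [ -z "$a" ] || { echo "note: flags only in the new build:"; echo "$a"; }
    return $rc
}

upgrade_report "$OLD_V" "$NEW_V"
```

A dropped --with-* flag means a module such as stream or realip silently disappears from the new binary, and the existing nginx.conf will then fail to load.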
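Postscript
All that work for nothing: the recommendation is to upgrade to 1.21.0. I checked and the latest stable release is 1.24.0, so I suggest everyone upgrade to 1.24.0.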
https://nginx.org/download/nginx-1.24.0.tar.gz
Source: [Nginx] Upgrading from 1.16.0 to 1.16.1 - 小码农. Please keep this link when reposting. Thanks!
This article was last updated on April 18, 2024.
- Tags: nginx, upgrade, vulnerability fix
- Link: https://djc8.cn/archives/nginx-upgrade-from-1160-to-1161.html
- Copyright: Originally published by 小码农. Reposts must follow the Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) license.