How to adjust Nginx server for OpenSSL security vulnerability
1. Overview
An OpenSSL vulnerability that leaks private information has recently been disclosed. A large number of machines are affected and their environments differ widely, so the fix is not the same on every host. Many servers run an nginx that was built with OpenSSL compiled in statically: the OpenSSL source tree is passed to nginx's configure script and linked straight into the nginx binary. On such a host, simply upgrading the system OpenSSL package has no effect, because nginx never loads the external libssl shared library. The only cure is to rebuild nginx against a fixed OpenSSL.
2. Identify whether nginx has OpenSSL compiled in statically
Any of the following three checks shows whether nginx was built with OpenSSL linked in statically; when the result matters, run more than one and make sure they agree.
2.1 View nginx compilation parameters
Print nginx's version together with its configure arguments (note the capital V; a lowercase -v prints only the version):
# ./sbin/nginx -V
If the configure arguments contain --with-openssl=..., nginx built that OpenSSL source tree and linked it in statically, as in this output:
nginx version: nginx/1.4.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/opt/app/nginx --with-http_ssl_module --with-openssl=/opt/app/openssl-1.0.1e --add-module=/opt/app/ngx_cache_purge-2.1
The path in --with-openssl= also tells you which OpenSSL release is compiled in (1.0.1e here); that, not the version of the openssl package installed on the system, is the one that matters for this binary.
2.2 Check nginx’s dependent library
To confirm, list the shared libraries the binary depends on:
# ldd `which nginx` | grep ssl
Output:
libssl.so.10 => /usr/lib/libssl.so.10 (0xb76c6000)
This nginx links the system libssl dynamically, so upgrading the openssl package and then restarting nginx (a running process keeps the old library mapped) fixes it. If the output contains no libssl.so entry, OpenSSL is linked in statically.
To find out which OpenSSL release a shared libssl belongs to, search it for the embedded version string. This reveals only the upstream version, not the distribution's package release, so it cannot tell whether a vendor has backported a fix: a package whose full version is 1.0.1e.5.7 still reports just 1.0.1e. Use the package manager's version for that.
# strings /usr/lib/libssl.so.10 | grep "^OpenSSL "
OpenSSL 1.0.1e-fips 11 Feb 2013
2.3 Check the files opened by nginx
You can also look at the files the running nginx process has open. Find the PID, then list its open files:
# ps aux | grep nginx
# lsof -p <PID of the nginx master or a worker process> | grep ssl
A dynamically linked nginx has the libssl shared object among its open (mapped) files. If no OpenSSL library file appears, OpenSSL is compiled in statically, as shown in the following figure:
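The three checks above combined into one script, as an added example that is not part of the original article. It assumes a POSIX sh with grep, sed, tr and ldd available and that nginx -V writes to stderr (hence the 2>&1). The version check turns non-printable bytes into newlines and searches for the embedded OpenSSL version string instead of calling strings, so it works on either a shared libssl or a statically linked nginx binary. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original article. Combines the article's
# checks: configure arguments (nginx -V), shared-library list (ldd) and the
# embedded OpenSSL version string. Assumes POSIX sh plus grep, sed, tr, ldd.

# Section 2.1: "static" when the configure arguments contain --with-openssl=,
# "dynamic" otherwise.
classify_configure_args() {
    case "$1" in
        *--with-openssl=*) echo static ;;
        *)                 echo dynamic ;;
    esac
}

# Section 2.2: ldd lists the shared objects the loader will map. A libssl.so
# line means TLS comes from a separate library; no line means it is linked in.
classify_ldd() {
    if printf '%s\n' "$1" | grep -q 'libssl\.so'; then
        echo dynamic
    else
        echo static
    fi
}

# Path of the shared libssl taken from ldd output (empty when statically linked).
libssl_path_from_ldd() {
    printf '%s\n' "$1" | sed -n 's/.*libssl\.so[^ ]* => \([^ ]*\).*/\1/p' | head -n 1
}

# The OPENSSL_VERSION_TEXT constant embedded in a file, e.g. "OpenSSL 1.0.1e-fips".
# Non-printable bytes become newlines first (what strings does), so this works
# on a shared libssl or on a statically linked nginx binary. It never shows a
# distribution's backport release number.
openssl_version_text() {
    tr -c '[:print:]' '\n' < "$1" | grep -o -m 1 'OpenSSL [0-9][-.A-Za-z0-9]*'
}

# Apply all three checks to a binary. nginx -V prints to stderr, hence 2>&1.
check_nginx() {
    bin="${1:-$(command -v nginx)}"
    cfg=$("$bin" -V 2>&1)
    libs=$(ldd "$bin" 2>/dev/null)
    by_cfg=$(classify_configure_args "$cfg")
    by_ldd=$(classify_ldd "$libs")
    if [ "$by_cfg" != "$by_ldd" ]; then
        echo "warning: nginx -V says $by_cfg but ldd says $by_ldd; inspect by hand" >&2
    fi
    if [ "$by_ldd" = static ]; then
        target="$bin"
    else
        target=$(libssl_path_from_ldd "$libs")
    fi
    echo "openssl linkage: $by_ldd"
    echo "openssl version in $target: $(openssl_version_text "$target")"
}

# Usage on a live host (path is an assumption of this example):
# check_nginx /opt/app/nginx/sbin/nginx
```

When the two classifications disagree, trust neither automatically: a statically linked nginx that still lists libssl.so via some other dependency, or a binary whose configure line was edited, needs a look at the lsof output and at which file the version string actually lives in.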
3. Recompile nginx
Internet companies rarely standardise on one nginx build: each team picks the modules its service needs and compiles its own. When rebuilding, take care to pass exactly the modules and options of the existing build (nginx -V lists them) so that no module is left out and nginx's behaviour stays unchanged apart from the OpenSSL fix.
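Carrying the existing build's options over, as an added example that is not from the article: the configure arguments are taken from the running binary's own nginx -V output and only the --with-openssl= path is replaced, so every --add-module and feature flag is preserved. The function names and the /opt/app/openssl-new path are assumptions of this example; the fixed OpenSSL source tree must already be unpacked at that path, and the script must run inside an nginx source tree of the same version that nginx -V reports.

```shell
#!/bin/sh
# Added example, not from the original article. Rebuild nginx with a fixed
# OpenSSL while keeping every option and module of the existing build, by
# reusing the running binary's own `nginx -V` configure arguments.
# Assumes the fixed OpenSSL source tree is already unpacked at the path given
# and that the script runs inside an nginx source tree of the same version.

# Print the configure arguments from `nginx -V` output with the
# --with-openssl= path replaced by $2. Returns 1 when there is no
# --with-openssl=: such a build uses the system libssl, and upgrading the
# openssl package plus restarting nginx is the fix, not a rebuild.
rebuild_configure_args() {
    args=$(printf '%s\n' "$1" | sed -n 's/^configure arguments: *//p')
    case "$args" in
        *--with-openssl=*) ;;
        *) return 1 ;;
    esac
    # $2 must not contain '#', the sed delimiter used here.
    printf '%s\n' "$args" | sed "s#--with-openssl=[^ ]*#--with-openssl=$2#"
}

rebuild_nginx() {
    new_ssl="$1"
    old_v=$(nginx -V 2>&1)
    args=$(rebuild_configure_args "$old_v" "$new_ssl") || {
        echo "no --with-openssl= in configure arguments; upgrade the openssl package instead" >&2
        return 1
    }
    echo "configuring with: $args"
    # eval keeps quoted values such as --with-cc-opt='-O2 -g' intact, which
    # plain word splitting would break; the arguments come from the local
    # nginx binary, not from user input.
    eval "./configure $args" && make && make install
    # Restart nginx afterwards: `nginx -s reload` keeps the old master binary,
    # and with it the old OpenSSL, running.
}

# Usage (path is an assumption of this example):
# rebuild_nginx /opt/app/openssl-new
```

Compare the new binary's nginx -V output with the old one before putting it into service: apart from the --with-openssl= path, the two configure lines should be identical.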
This is the full text of "How to adjust Nginx server for OpenSSL security vulnerability", published on the PHP Chinese website.