Shulou(Shulou.com)05/31 Report--

In this article, the editor introduces in detail "how to adjust the Nginx server for OpenSSL security vulnerabilities", the content is detailed, the steps are clear, and the details are handled properly. I hope that this article "how to adjust the Nginx server for OpenSSL security vulnerabilities" can help you solve your doubts.

1. Overview

At present, openssl loopholes have been exposed, which will disclose private information, involving many machines and different environments, resulting in different repair schemes. Many servers use nginx, which compiles opensssl statically and compiles openssl directly into nginx, which means that simply upgrading openssl does not have any effect, nginx will not load external openssl dynamic link libraries, and nginx must be recompiled in order to cure it.

two。 Identify if nginx is statically compiled

The following three methods can confirm whether nginx compiles openssl statically.

2.1 View nginx compilation parameters

Enter the following directive to view the compilation parameters of nginx:

#. / sbin/nginx-v

If the compilation parameter contains-- with-openssl=..., then nginx is statically compiled openssl, as shown below:

Nginx version: nginx/1.4.1built by gcc 4.4.7 20120313 (red hat 4.4.7-3) (gcc) tls sni support enabledconfigure arguments:-- prefix=/opt/app/nginx-- with-http_ssl_module-- with-openssl=/opt/app/openssl-1.0.1e-- add-module=/opt/app/ngx_cache_purge-2.1

2.2 View nginx's dependent libraries

For further confirmation, take a look at the program's dependency library and enter the following instructions:

# ldd `which nginx` | grep ssl

Display

Libssl.so.10 = > / usr/lib/libssl.so.10 (0xb76c6000)

Note: if the output does not contain a file for libssl.so (), it means that it is statically compiled for openssl

Type the command again to determine the openssl to determine the openssl version of the library, but not too much detail, such as if it should have been 1.0.1e.5.7, but only output 1.0.1e:

# strings / usr/lib/libssl.so.10 | grep "^ openssl" openssl 1.0.1e-fips 11 feb 2013

2.3 View files opened by nginx

You can also view the file opened by nginx to see if it is statically compiled, and enter the following directive:

# ps aux | grep nginx# lsof-p 111111 | grep ssl

If the library file of openssl is not opened, openssl is compiled statically, as shown in the following figure:

3. Recompile nginx

In Internet companies, there are few unified versions of nginx, and each department chooses the corresponding plug-ins according to their own business needs, and then compiles them themselves, so when compiling, you must pay attention to the plug-ins, don't forget to compile some plug-ins, and try to keep the nginx features unchanged.

After reading this, the article "how to adjust the Nginx server for OpenSSL security vulnerabilities" has been introduced. If you want to master the knowledge points of this article, you still need to practice and use it yourself. If you want to know more about related articles, welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.