Fixing nginx vulnerabilities & notes on installation pitfalls

Author: 许渺 | Published 2019-03-28 21:55, viewed 15 times

    System: linux/centos6.5
    nginx version: openresty/1.13.6.2

    Vulnerability description
    http://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html

    Hello!
    
    Two security issues were identified in nginx HTTP/2 implementation,
    which might cause excessive memory consumption (CVE-2018-16843)
    and CPU usage (CVE-2018-16844).
    
    The issues affect nginx compiled with the ngx_http_v2_module (not
    compiled by default) if the "http2" option of the "listen" directive is
    used in a configuration file.
    
    The issues affect nginx 1.9.5 - 1.15.5.
    # nginx 1.15.6 and 1.14.1 fix this issue
    The issues are fixed in nginx 1.15.6, 1.14.1.
    
    Thanks to Gal Goldshtein from F5 Networks for initial report of the CPU
    usage issue.

    Why reinstall nginx?

    The latest stable release on the openresty site is 1.13.6.2. Although a newer test release, 1.15.8.1 RC1, is available, for stability's sake, and because our nginx configuration has basically no special cases that need Lua, I chose in the end to install native nginx.

    1. Download
    cd /home
    # download nginx 1.14.2
    wget http://nginx.org/download/nginx-1.14.2.tar.gz
    # extract
    tar -xzf nginx-1.14.2.tar.gz
    
    2. Configure, compile and install
    # configure must be run from the nginx source directory
    cd /home/nginx-1.14.2
    ./configure --prefix=/usr/local/nginx \
    --with-http_stub_status_module \
    --without-http_fastcgi_module \
    --without-http_upstream_ip_hash_module \
    --without-http_autoindex_module \
    --without-http_ssi_module \
    --without-mail_pop3_module \
    --without-mail_imap_module --without-mail_smtp_module \
    --without-http_uwsgi_module --without-http_scgi_module \
    --without-http_memcached_module
    # compile
    make
    # install
    make install
    

    Next, copy the configuration files and the SSL certificates over from openresty

    cp -r /usr/local/openresty/nginx/conf/nginx.conf /usr/local/nginx/conf
    ...
    

    Check that the nginx configuration is valid

    /usr/local/nginx/sbin/nginx -t
    nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/nginx.conf:181
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
    

    The error above is because we left out --with-http_ssl_module when compiling; that module has to be compiled in.

    cd /home/nginx-1.14.2
    ./configure --prefix=/usr/local/nginx \
    --with-http_ssl_module
    # compile only, no install needed
    make
    # and then it errors again!!!
    /home/nginx-1.14.2/src/event/ngx_event_openssl.c:3397: undefined reference to `SSL_CIPHER_find'
    /home/nginx-1.14.2/src/event/ngx_event_openssl.c:3417: undefined reference to `SSL_CIPHER_find'
    objs/src/event/ngx_event_openssl.o: In function `ngx_ssl_check_host':
    /home/nginx-1.14.2/src/event/ngx_event_openssl.c:3208: undefined reference to `X509_check_host'
    objs/src/event/ngx_event_openssl.o: In function `ngx_ssl_handshake':
    /home/nginx-1.14.2/src/event/ngx_event_openssl.c:1314: undefined reference to `SSL_is_server'
    objs/src/event/ngx_event_openssl.o: In function `ngx_ssl_info_callback':
    /home/nginx-1.14.2/src/event/ngx_event_openssl.c:851: undefined reference to `SSL_is_server'
    objs/src/http/modules/ngx_http_ssl_module.o: In function `ngx_http_ssl_merge_srv_conf':
    /home/nginx-1.14.2/src/http/modules/ngx_http_ssl_module.c:695: undefined reference to `SSL_CTX_set_alpn_select_cb'
    

    Googling this cost me a handful of hair. It turned out to be the machine's openssl version: nginx uses things from newer openssl releases that the installed version does not have, so the next step is to download a newer openssl.

    cd /home
    wget https://www.openssl.org/source/openssl-1.0.2r.tar.gz
    tar -xzf openssl-1.0.2r.tar.gz
    # reconfigure, building the ssl module against the downloaded openssl
    cd /home/nginx-1.14.2
    ./configure --prefix=/usr/local/nginx \
    --with-http_ssl_module \
    --with-openssl=/home/openssl-1.0.2r
    

    Back up the original nginx binary

    cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
    # replace the original binary with the newly compiled one (objs/nginx in the source directory)
    cp objs/nginx /usr/local/nginx/sbin/nginx
    

    Finally, check that the nginx configuration is valid

    /usr/local/nginx/sbin/nginx -t
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    # start nginx
    /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
    
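As an added post-install check (not part of the original post), the shell snippet below applies the advisory's criteria to `nginx -V` output and a config: core version in the affected range but not in the fixed 1.14.1+ branch, ngx_http_v2_module compiled in, and a `listen ... http2` directive in use. The sample strings are constructed; the nginx path is the one used in this post.

```sh
#!/bin/sh
# Added example: exposure check for CVE-2018-16843 / CVE-2018-16844 (nginx HTTP/2).
# Affected: 1.9.5 - 1.15.5, fixed in 1.15.6 and 1.14.1; needs ngx_http_v2_module and "listen ... http2".

# Core nginx version from `nginx -V` output; openresty/1.13.6.2 carries nginx 1.13.6.
core_version() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: [^/]*/\([0-9]*\.[0-9]*\.[0-9]*\).*#\1#p'
}

# version_le A B: true when dotted version A <= B, compared numerically per component
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Advisory range minus the fixed 1.14.x branch (1.14.1 and later are patched).
version_affected() {
    version_le 1.9.5 "$1" && version_le "$1" 1.15.5 || return 1
    if version_le 1.14.1 "$1" && version_le "$1" 1.14.999; then return 1; fi
    return 0
}

# h2_exposed "<nginx -V output>" "<nginx.conf text>" -> echoes exposed / not-exposed / unknown
h2_exposed() {
    ver=$(core_version "$1")
    [ -n "$ver" ] || { echo unknown; return 2; }
    has_v2=0; uses_h2=0
    case "$1" in *--with-http_v2_module*) has_v2=1 ;; esac
    if printf '%s\n' "$2" | grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]http2([[:space:]]|;)'; then
        uses_h2=1
    fi
    if version_affected "$ver" && [ "$has_v2" -eq 1 ] && [ "$uses_h2" -eq 1 ]; then
        echo exposed
    else
        echo not-exposed
    fi
}

# Constructed sample: the openresty build from this post with an http2 listener in use.
SAMPLE_V='nginx version: openresty/1.13.6.2
configure arguments: --prefix=/usr/local/openresty/nginx --with-http_ssl_module --with-http_v2_module'
SAMPLE_CONF='server {
    listen 443 ssl http2;
}'

# Check the live host when the binary from this post exists (assumed path).
if [ -x /usr/local/nginx/sbin/nginx ]; then
    h2_exposed "$(/usr/local/nginx/sbin/nginx -V 2>&1)" "$(cat /usr/local/nginx/conf/nginx.conf)"
fi
```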
