How to Upgrade Nginx After Upgrading OpenSSL

The previous post covered how to upgrade OpenSSL; this one looks at how to upgrade the OpenSSL version used by the Nginx service.

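The following command shows the current version of the Nginx service, the OpenSSL version it was built with, and the configure arguments used at compile time.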

nginx -V

The output is as follows:

nginx version: nginx/1.12.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

As you can see, the current Nginx service is still using the old OpenSSL. So how do we get Nginx to use the new OpenSSL?

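Start by downloading the latest stable version of Nginx from the official Nginx website. Why not download exactly the same version as the current Nginx? Because I tried that, and the build failed with this error: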

undefined reference to `pthread_atfork'

One of the ways to solve this is to download the latest version of Nginx; I downloaded the stable release Nginx-1.14.1.

After downloading the source, extract it:

cd ~/Downloads
wget http://nginx.org/download/nginx-1.14.1.tar.gz
tar zvxf nginx-1.14.1.tar.gz
cd nginx-1.14.1

Next, change the way Nginx loads OpenSSL; otherwise the build fails once the OpenSSL path is specified.

vi auto/lib/openssl/conf

Change the lines

CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"

to

CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"

Compile Nginx:

sudo ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --with-openssl=/usr/local/openssl

sudo make

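The configure arguments here are taken mainly from the output of nginx -V, because my goal is not to replace the original build options but to keep using them. The only difference is the final argument, --with-openssl=/usr/local/openssl, where /usr/local/openssl is the installation path of my latest OpenSSL version.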

After running make, be sure not to run make install, otherwise it will replace the existing Nginx configuration.

The last step is to back up and replace the Nginx binary:

sudo mv /usr/sbin/nginx /usr/sbin/nginx.old
sudo cp ./objs/nginx /usr/sbin/nginx

Check the version of the new Nginx:

nginx version: nginx/1.14.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --with-openssl=/usr/local/openssl

Congratulations, the OpenSSL version used by Nginx has been upgraded successfully!
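Because the rebuild retypes the whole configure line by hand, it is easy to end up with a binary that links the new OpenSSL but has silently lost a module the old one had. The following is an added example, not part of the original post, that compares the `nginx -V` text of the old and the rebuilt binary before the swap; the function names and the shortened sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the `nginx -V` text of the old and the rebuilt binary.
# Function names and the sample text below are constructed for illustration.

# OpenSSL version token from the "built with OpenSSL ..." line.
built_openssl() {
  printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'
}

# One --with-*/--without-* flag name per line, values stripped, sorted.
build_flags() {
  printf '%s\n' "$1" | sed -n 's/^configure arguments: //p' |
    grep -o -e '--with[a-z0-9_-]*' | sort -u
}

# Flags present in the old build ($1) but absent from the new one ($2).
missing_flags() {
  new_flags=$(build_flags "$2")
  build_flags "$1" | while read -r flag; do
    printf '%s\n' "$new_flags" | grep -qxF -e "$flag" || printf '%s\n' "$flag"
  done
}

# Return 0 only if the new build reports OpenSSL $3* and dropped no flag.
check_candidate() {
  built=$(built_openssl "$2"); missing=$(missing_flags "$1" "$2"); rc=0
  case "$built" in
    "$3"*) ;;
    *) echo "built with OpenSSL '$built', expected $3" >&2; rc=1 ;;
  esac
  if [ -n "$missing" ]; then
    echo "flags missing from new build: $missing" >&2; rc=1
  fi
  return "$rc"
}

# Constructed sample text; on a real host capture it instead (nginx -V
# writes to stderr):  OLD_V=$(/usr/sbin/nginx -V 2>&1)
#                     NEW_V=$(./objs/nginx -V 2>&1)
OLD_V='nginx version: nginx/1.12.2
built with OpenSSL 1.0.1e-fips 11 Feb 2013
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module --with-stream'
NEW_V='nginx version: nginx/1.14.1
built with OpenSSL 1.1.1 11 Sep 2018
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-stream --with-openssl=/usr/local/openssl'

check_candidate "$OLD_V" "$NEW_V" 1.1.1 || echo "do not swap the binary yet"
```

Running `./objs/nginx -t` before the swap additionally confirms that the new binary parses the existing configuration.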

chilihotpot