Smoothly upgrading Nginx on CentOS 7 and enabling TLS 1.3

1. Upgrading Nginx

Check the current OpenSSL version:

openssl version

OpenSSL 1.0.2k-fips 26 Jan 2017

TLS 1.3 requires OpenSSL 1.1.1 or later. If the installed version is too old, refer to the post on upgrading the OpenSSL version first.

Check the current Nginx version and build information:

/usr/local/nginx/sbin/nginx -V

nginx version: nginx/1.21.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --add-module=../nginx_mod_h264_streaming-2.2.7 --with-pcre=../pcre-8.43 --with-zlib=../zlib-1.2.11 --user=www --group=www --with-http_flv_module --with-http_stub_status_module --with-threads --with-http_ssl_module --with-openssl-opt='enable-tls1_3 enable-weak-ssl-ciphers' --with-http_v2_module --with-http_mp4_module --with-cc-opt=-O3

Download the new Nginx release, extract it and change into the extracted directory:

wget http://nginx.org/download/nginx-1.22.1.tar.gz
tar zxvf nginx-1.22.1.tar.gz
cd nginx-1.22.1

In the version output above, the long string after "configure arguments:" is the set of build options that was specified when nginx was first installed. The same options must be passed again when upgrading; further options can be added at the same time.

./configure --prefix=/usr/local/nginx --add-module=../nginx_mod_h264_streaming-2.2.7 --with-pcre=../pcre-8.43 --with-zlib=../zlib-1.2.11 --user=www --group=www --with-http_flv_module --with-http_stub_status_module --with-threads --with-http_ssl_module --with-openssl-opt='enable-tls1_3 enable-weak-ssl-ciphers' --with-http_v2_module --with-http_mp4_module --with-cc-opt=-O3 && make

After make finishes, do not run make install: that would overwrite the existing installation and the running nginx service would suffer all kinds of problems.

Upgrading without interrupting the running nginx service is called a smooth (zero-downtime) upgrade. First, rename the existing nginx binary:

mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak

Copy the newly built Nginx binary into the /usr/local/nginx/sbin/ directory:

cp /root/nginx-1.22.1/objs/nginx /usr/local/nginx/sbin/

Run the upgrade target:

make upgrade

The output is:

/usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`
sleep 1
test -f /usr/local/nginx/logs/nginx.pid.oldbin
kill -QUIT `cat /usr/local/nginx/logs/nginx.pid.oldbin`

Check the current nginx version:

/usr/local/nginx/sbin/nginx -V

nginx version: nginx/1.22.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) 
built with OpenSSL 1.1.0e  16 Feb 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-pcre --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_image_filter_module --with-mail --with-threads --with-mail_ssl_module --with-stream_ssl_module

The upgrade to 1.22.1 has succeeded.

2. Enabling TLS 1.3 and HTTP/2

Find the site's Nginx configuration file and change its listen 443 line to:

listen 443 ssl http2 fastopen=3 reuseport;

Change the ssl_protocols directive to:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

Find the ssl_ciphers directive and add the cipher suites that support TLS 1.3:

ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;

Reload Nginx:

service nginx reload
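After the reload, the checks below verify that the upgrade actually delivered TLS 1.3 capability: that the new binary is built with OpenSSL 1.1.1 or newer, that the ssl_protocols line lists TLSv1.3 (and whether it still allows deprecated protocols), and, optionally, what a live server negotiates. This is an added example, not code from the original post; it assumes the binary path used above, and the live test assumes a client openssl of 1.1.1 or newer.

```sh
#!/bin/sh
# Post-upgrade checks for the procedure above. Added example, not code from the
# original post. Assumes the binary path used in the post; the live test also
# needs a client openssl of 1.1.1 or newer (for the -tls1_3 option).
NGINX=/usr/local/nginx/sbin/nginx

# Returns 0 if the "built with OpenSSL x.y.z" line in `nginx -V` output names a
# version >= 1.1.1 (the first release with TLS 1.3), 1 otherwise. Only the
# numeric prefix is compared, so "1.0.2k-fips" is read as 1.0.2.
openssl_supports_tls13() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    set -- $(printf '%s' "$ver" | tr '.' ' ') 0 0   # split fields, pad missing ones
    major=$1; minor=$2; patch=$3
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# Returns 0 if an "ssl_protocols ...;" directive lists TLSv1.3.
lists_tls13() {
    for tok in $(printf '%s' "$1" | tr -d ';'); do
        [ "$tok" = TLSv1.3 ] && return 0
    done
    return 1
}

# Returns 0 if the directive still permits a deprecated protocol. The post's
# example line keeps TLSv1 and TLSv1.1; remove them once no client needs them.
lists_legacy_protocols() {
    for tok in $(printf '%s' "$1" | tr -d ';'); do
        case $tok in SSLv3|TLSv1|TLSv1.1) return 0 ;; esac
    done
    return 1
}

# Prints the protocol a live server negotiates when the client offers only
# TLS 1.3; prints nothing if the handshake fails (server without TLS 1.3).
negotiated_tls13() {
    printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" -tls1_3 2>/dev/null \
        | sed -n 's/^ *Protocol *: *//p'
}

if [ -x "$NGINX" ]; then
    openssl_supports_tls13 "$($NGINX -V 2>&1)" \
        && echo "OK: nginx is built with OpenSSL >= 1.1.1" \
        || echo "WARNING: nginx is built with OpenSSL < 1.1.1, TLS 1.3 will not be offered"
fi
if [ -n "${CHECK_HOST:-}" ]; then echo "negotiated: $(negotiated_tls13 "$CHECK_HOST")"; fi
```

Run it on the upgraded host, optionally with CHECK_HOST=your.site.example to see the protocol a TLS 1.3-only client actually negotiates.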
