The Nginx version currently running is 1.18.0. It seems the default Ubuntu repositories still ship 1.18.0, which might not have the latest security patches. To resolve this, you can add the official Nginx repository to get the latest stable version.
1. Backup your current Nginx configuration
It's a good practice to back up your current Nginx configuration before making any changes:
sudo cp -r /etc/nginx /etc/nginx.bak
2. Add the official Nginx repository
Create a new file for the Nginx repository:
echo "deb http://nginx.org/packages/ubuntu/ focal nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
3. Add the Nginx signing key
Add the Nginx signing key to verify the packages:
curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
4. Update the package list and install Nginx
Now, update the package list and install Nginx from the new repository:
sudo apt update
sudo apt install nginx
5. Verify the Nginx version
Check the Nginx version to ensure it's updated:
nginx -v
After running the above command, the response was 1.18.0: running the earlier commands did not change the installed version of Nginx. Next, verify that the Nginx configuration files are correct and free of errors:
sudo nginx -t
If there are errors, the output will provide clues about what needs to be fixed.
6. Restart Nginx
Restart Nginx to apply the changes:
sudo systemctl restart nginx
7. Check for security updates
Keep monitoring the security updates for Nginx and your server to stay protected.
By following these steps, you should be able to upgrade to the latest stable version of Nginx and mitigate the vulnerabilities CVE-2024-32002, CVE-2024-32004, and CVE-2024-32465.
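The version check in step 5 becomes more informative if you also ask apt which archive its install candidate comes from. The script below is an added example, not part of the original write-up; the function names and the sample `apt-cache policy` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report which archive the apt
# install candidate comes from, given `apt-cache policy <pkg>` output.

# Reads policy text on stdin; prints "<candidate-version> <archive-url>".
candidate_origin() {
    awk '
        $1 == "Candidate:" { cand = $2; next }
        cand == ""         { next }              # still in the header lines
        $1 !~ /^-?[0-9]+$/ {                     # a version entry, not a source line
            v = ($1 == "***") ? $2 : $1
            hit = (v == cand)
            next
        }
        hit && $2 ~ /^https?:/ { print cand, $2; exit }
    '
}

# Succeeds only when the candidate would be fetched from nginx.org.
candidate_is_nginx_org() {
    candidate_origin | grep -Eq ' https?://nginx\.org/'
}

# Constructed sample: the nginx.org repository is configured, but apt still
# selects the Ubuntu build (package revisions and priorities are illustrative).
sample_policy() {
    cat <<'EOF'
nginx:
  Installed: 1.18.0-0ubuntu1
  Candidate: 1.18.0-0ubuntu1
  Version table:
     1.26.1-1~focal 100
        100 http://nginx.org/packages/ubuntu focal/nginx amd64 Packages
 *** 1.18.0-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
}

sample_policy | candidate_origin
```

On the host, run `apt-cache policy nginx | candidate_origin`. If the archive printed is not nginx.org, `apt install nginx` keeps installing the distribution build; the nginx.org installation instructions describe an apt pin for that case.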
Site is not loading
Following the Nginx upgrade, the Nginx configuration appears to have been altered. The installation of Nginx has broken the site that was running. As a result, the front end is displaying 'cannot access the server'.
Check Nginx Configuration
Verify that the Nginx configuration files are correct and free of errors:
sudo nginx -t
If there are errors, the output will provide clues about what needs to be fixed. Note that the nginx.conf file was updated with the necessary changes:
# user www-data; # default 1.26.1 install
user nginx; # new
worker_processes auto;
# pid /run/nginx.pid; # default 1.26.1 install
include /etc/nginx/modules-enabled/*.conf; # new
error_log /var/log/nginx/error.log notice; # new
pid /var/run/nginx.pid; # new
events {
    worker_connections 1024; # default 1.26.1 install was 768
}
http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    ##
    # Gzip Settings
    ##
    gzip on; # new this was off
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
Check the Site Configuration
Ensure your site's configuration file is present and correctly configured in /etc/nginx/sites-available and linked to /etc/nginx/sites-enabled.
sudo ls /etc/nginx/sites-available/
sudo ls /etc/nginx/sites-enabled/
If the site configuration file is missing, restore it from your backup:
sudo cp /etc/nginx.bak/sites-available/your_site /etc/nginx/sites-available/
sudo ln -s /etc/nginx/sites-available/your_site /etc/nginx/sites-enabled/
Verify Server Block Configuration
Check your server block configuration to ensure it's correctly set up. It should look something like this:
server {
    listen 80;
    server_name your_domain.com;
    root /var/www/your_site;
    index index.html index.htm index.nginx-debian.html;
    location / {
        try_files $uri $uri/ =404;
    }
    # Additional configuration, such as proxy_pass, if applicable
}
The actual update was:
server {
    client_max_body_size 100M;
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/FRBundle.crt;
    ssl_certificate_key /etc/ssl/private/FRMultidomainWildcard.key;
    # Redirect non-https traffic to https
    if ($scheme = "http") {
        return 301 https://$host$request_uri;
    }
    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $host;
        proxy_cache cache;
        proxy_cache_bypass $cookie_auth_tkt;
        proxy_no_cache $cookie_auth_tkt;
        proxy_cache_valid 30m;
        proxy_cache_key $host$scheme$proxy_host$request_uri;
        # In emergency comment out line to force caching
        # proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}
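Three things in the nginx.conf and server block shown above can be checked mechanically: the `ssl_protocols` line still enables TLSv1 and TLSv1.1, the `$scheme` redirect sits in a server block that only listens on 443, and `proxy_cache cache` needs a matching `proxy_cache_path ... keys_zone=cache` that the listed nginx.conf does not contain. The script below is an added example, not part of the original write-up; its function names and finding labels are made up here, and it checks the input as a whole rather than per server block.

```shell
#!/bin/sh
# Added example (not from the original page). Reads nginx configuration text
# on stdin and prints one finding per line.
audit_nginx_conf() {
    awk '
        { sub(/#.*/, "") }                          # drop comments first
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p == "TLSv1" || p == "TLSv1.1") print "deprecated-tls " p
            }
        }
        $1 == "listen" && $2 ~ /^(80|[^ ]*:80);?$/ { http_listen = 1 }
        $1 == "if" && $0 ~ /\$scheme *= *"?http"?\)/ { scheme_redirect = 1 }
        $1 == "proxy_cache" { z = $2; sub(/;$/, "", z); if (z != "off") used[z] = 1 }
        $1 == "proxy_cache_path" {
            for (i = 2; i <= NF; i++) if ($i ~ /^keys_zone=/) {
                z = $i; sub(/^keys_zone=/, "", z); sub(/[:;].*/, "", z); defined[z] = 1
            }
        }
        END {
            # A $scheme = "http" redirect never fires without a plain-HTTP listener.
            if (scheme_redirect && !http_listen) print "unreachable-http-redirect"
            # proxy_cache <zone> needs a proxy_cache_path ... keys_zone=<zone>:<size>.
            for (z in used) if (!(z in defined)) print "undefined-cache-zone " z
        }
    '
}

# Constructed sample: directives copied from the nginx.conf and server block above.
page_config() {
    cat <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
server {
    listen 443 ssl;
    if ($scheme = "http") {
        return 301 https://$host$request_uri;
    }
    location / {
        proxy_cache cache;
    }
}
EOF
}

page_config | audit_nginx_conf
```

On a host, concatenate the files named by the `include` lines (or use the output of `nginx -T` once the configuration parses) and pipe that into `audit_nginx_conf`, since a cache zone or port 80 listener may be defined in a file not shown here.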
Restart Nginx
After verifying and correcting the configurations, restart Nginx:
sudo systemctl restart nginx
Check Nginx Logs
If the site is still not accessible, check the Nginx logs for errors:
sudo tail -f /var/log/nginx/error.log
sudo tail -f /var/log/nginx/access.log
The logs should provide more details about what might be causing the issue.