Upgrading Nginx on Ubuntu to due vulnerabilities CVE-2024-32002, CVE-2024-32004 and CVE-2024-32465

The current Nginx version running is 1.18.0.  It seems like the Nginx version from the default Ubuntu repositories is still 1.18.0, which might not have the latest security patches. To resolve this, you can add the official Nginx repository to get the latest stable version.

1. Backup your current Nginx configuration

It's a good practice to back up your current Nginx configuration before making any changes:

sudo cp -r /etc/nginx /etc/nginx.bak

2. Add the official Nginx repository

Create a new file for the Nginx repository

echo "deb http://nginx.org/packages/ubuntu/ focal nginx" | sudo tee /etc/apt/sources.list.d/nginx.list

3. Add the Nginx signing key

Add the Nginx signing key to verify the packages:

curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -

4. Update the package list and install Nginx

Now, update the package list and install Nginx from the new repository

sudo apt update
sudo apt install nginx

5. Verify the Nginx version

Check the Nginx version to ensure it's updated:

nginx -v

Post running the above command, the response was 1.18.0.  Subsequently, running the commands noted earlier didn't impact the version installed of Nginx.  Let's verify if the Nginx configuration files are correct and if there are any errors

sudo nginx -t

If there are errors, the output will provide clues about what needs to be fixed.

6. Restart Nginx

Restart Nginx to apply the changes:

sudo systemctl restart nginx

7. Check for security updates

Keep monitoring the security updates for Nginx and your server to stay protected.

By following these steps, you should be able to upgrade to the latest stable version of Nginx and mitigate the vulnerabilities CVE-2024-32002, CVE-2024-32004, and CVE-2024-32465.

Site is not loading

Following the Nginx upgrade, these appears to have altered the Nginx configuration.  The installation of Nginx has broken where the site was running.  The result is the the front end is displaying 'cannot access the server'.

Check Nginx Configuration

Verify if the Nginx configuration files are correct and if there are any errors

sudo nginx -t

If there are errors, the output will provide clues about what needs to be fixed.  Note, the nginx.conf file was updated with the necessary changes

# user www-data;  # default 1.26.1 install
user nginx;  # new
worker_processes  auto;
# pid 	   /run/nginx.pid;  # default 1.26.1 install
include    /etc/nginx/modules-enabled/*.conf;  # new
error_log  /var/log/nginx/error.log notice;  # new
pid        /var/run/nginx.pid;  # new
events {
   worker_connections  1024;  # default 1.26.1 install was 768
}
http {
       ##
       # Basic Settings
       ##
       sendfile on;
       tcp_nopush on;
       tcp_nodelay on;
       keepalive_timeout 65;
       types_hash_max_size 2048;
       # server_tokens off;
       include       /etc/nginx/mime.types;
       default_type  application/octet-stream;
       ##
       # SSL Settings
       ##
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
       ssl_prefer_server_ciphers on;
       log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                         '$status $body_bytes_sent "$http_referer" '
                         '"$http_user_agent" "$http_x_forwarded_for"';
       access_log  /var/log/nginx/access.log  main;
       
       ##
       # Gzip Settings
       ##
       gzip on;  # new this was off
       # gzip_vary on;
       # gzip_proxied any;
       # gzip_comp_level 6;
       # gzip_buffers 16 8k;
       # gzip_http_version 1.1;
       # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
       
       ##
       # Virtual Host Configs
       ##
       include /etc/nginx/conf.d/*.conf;
       include /etc/nginx/sites-enabled/*;
}

Check the Site Configuration

Ensure your site's configuration file is present and correctly configured in /etc/nginx/sites-available and linked to /etc/nginx/sites-enabled.

sudo ls /etc/nginx/sites-available/
sudo ls /etc/nginx/sites-enabled/

If the site configuration file is missing, restore it from your backup

sudo cp /etc/nginx.bak/sites-available/your_site /etc/nginx/sites-available/
sudo ln -s /etc/nginx/sites-available/your_site /etc/nginx/sites-enabled/

Verify Server Block Configuration

Check your server block configuration to ensure it's correctly set up. It should look something like this

server {
   listen 80;
   server_name your_domain.com;
   root /var/www/your_site;
   index index.html index.htm index.nginx-debian.html;
   location / {
       try_files $uri $uri/ =404;
   }
   # Additional configuration, such as proxy_pass, if applicable
}

The actual update was

server {
    client_max_body_size 100M;

    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/FRBundle.crt;
    ssl_certificate_key /etc/ssl/private/FRMultidomainWildcard.key;

    # Redirect non-https traffic to https
    if ($scheme = "http") {
        return 301 https://$host$request_uri;
    }

    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $host;
        proxy_cache cache;
        proxy_cache_bypass $cookie_auth_tkt;
        proxy_no_cache $cookie_auth_tkt;
        proxy_cache_valid 30m;
        proxy_cache_key $host$scheme$proxy_host$request_uri;
        # In emergency comment out line to force caching
        # proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

}

Restart Nginx

After verifying and correcting the configurations, restart Nginx:

sudo systemctl restart nginx

Check Nginx Logs

If the site is still not accessible, check the Nginx logs for errors:

sudo tail -f /var/log/nginx/error.log
sudo tail -f /var/log/nginx/access.log

The logs should provide more details about what might be causing the issue.