Nginx [nginx-announce] nginx-1.15.4

Only this upgrade.

---

Nginx is running but can't serve request on public.
Happens after some of the patch or boring compile step.

 

Works great now

My Config:

Code:

    keepalive_timeout 300;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_buffer_size 1400;
    
    http2_max_field_size 16k;
    http2_max_header_size 32k;
    
    ### TLS 1.3
    ssl_early_data on;
    proxy_set_header Early-Data $ssl_early_data;

ssl_ciphers Config was taken here: Add TLS 1.3, X25519, Disable DHE for Intermediate Level, Reordering Cipher Suites by zzq1015 · Pull Request #175 · mozilla/server-side-tls

 

Same thing happen on another Server I just upgraded.

 

Nginx with the default OpenSSL.
Not using Boringssl, I just used what centmin.sh provide by default.

 

Upgrading to 1.15.4 and adding the dynamictls patch seems to have messed up ocsp stapling for some reason. Anyone else experiencing this issue?

 

How do you check on this?

 

Some of my custom config might be invalid already now that we used openssl 1.1.1?

Code:

ENABLEMOTD='n'

CUSTOMSERVERNAME='y'
CUSTOMSERVERSTRING='nginx'

AUTO_GITUPDATE='y'
DISABLE_IPVSIX='y'

PHP_PGO='y'

GENERAL_DEVTOOLSETGCC='y'
CRYPTO_DEVTOOLSETGCC='y'

NSD_DISABLED='y'
MEMCACHED_DISABLED='y'
PUREFTPD_DISABLED='y'

NGXDYNAMIC_NGXPAGESPEED='n'

NGINX_UPDATEMAINTENANCE='n'
PHP_UPDATEMAINTENANCE='n'
MARIADB_UPDATEMAINTENANCE='n'

ENABLE_MARIADBTENTWOUPGRADE='y'

AUTOTUNE_CLIENTMAXBODY='n'
NSD_INSTALL='n'              # Install NSD (DNS Server)
NGXMODULE_ALTORDER='n'       # nginx configure module ordering alternative order
NGINX_DEBUG='n'              # Enable & reinstall Nginx debug log nginx.org/en/docs/debugging_log.html & wiki.nginx.org/Debugging
NGINX_HTTP2='y'              # Nginx http/2 patch https://community.centminmod.com/threads/4127/
NGINX_MODSECURITY=n          # modsecurity module support https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
NGINX_REALIP='n'
NGINX_RDNS='n'               # https://github.com/flant/nginx-http-rdns
NGINX_NJS='n'                # nginScript https://www.nginx.com/blog/launching-nginscript-and-looking-ahead/
NGINX_GEOIP='n'              # Nginx GEOIP module install
NGINX_STUBSTATUS='n'         # http://nginx.org/en/docs/http/ngx_http_stub_status_module.html required for nginx statistics
NGINX_SUB='n'                # http://nginx.org/en/docs/http/ngx_http_sub_module.html
NGINX_ADDITION='n'           # http://nginx.org/en/docs/http/ngx_http_addition_module.html
NGINX_IMAGEFILTER='n'        # http://nginx.org/en/docs/http/ngx_http_image_filter_module.html
NGINX_PERL='n'               # http://nginx.org/en/docs/http/ngx_http_perl_module.html
NGINX_XSLT='n'               # http://nginx.org/en/docs/http/ngx_http_xslt_module.html
NGINX_CACHEPURGE='n'         # https://github.com/FRiCKLE/ngx_cache_purge/
NGINX_ACCESSKEY='n'          #
NGINX_HTTPCONCAT='n'         # https://github.com/alibaba/nginx-http-concat
NGINX_THREADS='n'            # https://www.nginx.com/blog/thread-pools-boost-performance-9x/
NGINX_STREAM='n'             # http://nginx.org/en/docs/stream/ngx_stream_core_module.html
NGINX_STREAMGEOIP='n'        # nginx 1.11.3+ option http://hg.nginx.org/nginx/rev/558db057adaa
NGINX_STREAMREALIP='n'       # nginx 1.11.4+ option http://hg.nginx.org/nginx/rev/9cac11efb205
NGINX_STREAMSSLPREREAD='n'   # nginx 1.11.5+ option https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
NGINX_RTMP='n'               # Nginx RTMP Module support https://github.com/arut/nginx-rtmp-module
NGINX_FLV='n'                # http://nginx.org/en/docs/http/ngx_http_flv_module.html
NGINX_MP4='n'                # Nginx MP4 Module http://nginx.org/en/docs/http/ngx_http_mp4_module.html
NGINX_AUTHREQ='n'            # http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
NGINX_SECURELINK='n'         # http://nginx.org/en/docs/http/ngx_http_secure_link_module.html
NGINX_FANCYINDEX='n'         # http://wiki.nginx.org/NgxFancyIndex
NGINX_VHOSTSTATS='n'         # https://github.com/vozlt/nginx-module-vts
NGINX_LIBBROTLI='y'          # https://github.com/google/ngx_brotli
NGINX_LIBBROTLISTATIC='n'
NGINX_PAGESPEED='n'          # Install ngx_pagespeed
NGINX_PAGESPEEDGITMASTER='n' # Install ngx_pagespeed from official github master instead 
NGINX_PASSENGER='n'          # Install Phusion Passenger requires installing addons/passenger.sh before hand
NGINX_WEBDAV='n'             # Nginx WebDAV and nginx-dav-ext-module
NGINX_HTTPREDIS='n'          # Nginx redis http://wiki.nginx.org/HttpRedisModule
ORESTY_HEADERSMORE='n'       # openresty headers more https://github.com/openresty/headers-more-nginx-module
NGINX_STICKY='n'             # nginx sticky module https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng
NGINX_UPSTREAMCHECK='n'      # nginx upstream check https://github.com/yaoweibin/nginx_upstream_check_module
NGINX_OPENRESTY='n'          # Agentzh's openresty Nginx modules
ORESTY_SETMISCGIT='n'        # use git master instead of version specific
ORESTY_ECHOGIT='n'           # use git master instead of version specific

LUAJIT_GITINSTALL='n'        # opt to install luajit 2.1 from dev branch http://repo.or.cz/w/luajit-2.0.git/shortlog/refs/heads/v2.1

ORESTY_LUANGINX='n'             # enable or disable or ORESTY_LUA* nginx modules below
NGX_LUAUPSTREAM='n'                # disable https://github.com/openresty/lua-upstream-nginx-module
NGX_LUAUPSTREAMCACHE='n'           # disable https://github.com/cloudflare/lua-upstream-cache-nginx-module

PHPGEOIP_ALWAYS='n'          # GeoIP php extension is always reinstalled on php recompiles
PHPDEBUGMODE='n'             # --enable-debug PHP compile flag
PHPFINFO='n'                 # Disable or Enable PHP File Info extension
PHPPCNTL='n'                 # Disable or Enable PHP Process Control extension
PHPINTL='n'                  # Disable or Enable PHP intl extension
PHPRECODE=n                  # Disable or Enable PHP Recode extension
PHPSNMP='n'                  # Disable or Enable PHP SNMP extension
PHPIMAGICK='y'               # Disable or Enable PHP ImagicK extension
PHPMAILPARSE='n'             # Disable or Enable PHP mailparse extension
PHPIONCUBE='n'               # Disable or Enable Ioncube Loader via addons/ioncube.sh
POSTGRESQL='n'               # set to =y to install PostgreSQL 9.4 server, devel packages and pdo-pgsql PHP extension

NGINX_VHOSTSSL='n'           # enable centmin.sh menu 2 prompt to create self signed SSL vhost 2nd vhost conf
NGINXBACKUP='n'

### Nginx SSL options
CLOUDFLARE_ZLIB='y'
NGINX_DYNAMICTLS='y'
OPENSSLECDSA_PATCH='y'
OPENSSLECDHX_PATCH='y'

MEMCACHED_INSTALL='n'         # Install Memcached
PHPREDIS='y'                # redis PHP extension install
PHPMONGODB='n'              # MongoDB PHP extension install
PHP_FTPEXT='n'              # ftp PHP extension
PHP_MEMCACHE='n'            # memcache PHP extension
PHP_MEMCACHED='n'           # memcached PHP extension
PHPZOPFLI='n'
PHPZOPFLI_ALWAYS='n'

PHP_OVERWRITECONF='n'
PHP_VERSION='7.2.9'        # Use this version of PHP
ZOPCACHEDFT='y'
PHP_EXTRAOPTS=""

Specially this?
OPENSSLECDSA_PATCH='y'
OPENSSLECDHX_PATCH='y'

 

And also enabled for openssl 1.1.0 right?
Not for 1.1.1?

 

Upgraded

 

Hi!
I'm using Cloudflare pro plan and Cloudflare certificate (5$/m), i turned on TLS 1.3 +ORT, SSL: Full (strict), Authenticated Origin Pulls on Cloudflare and add CF ECDSA Origin Certificate to vhost. I configured on vhost like this, is it enough? I am a newbie and my english is not good. Thanks.
(nginx 1.15.4, openssl 1.1.1)

 

Do I need to add ssl_ciphers, ssl_prefer_server_ciphers, ssl_buffer_size... to Vhost?
Is the configuration optimized for vhost using Cloudflare?

 

Hi,
Here's the output:

Code (Text):

[10:24][root@main.domain.com centminmod]# git log -1 | sed '/centminmod.com/d'
commit b2e49d2ccf54cfc0e488533dd59c3d5b026c981d
Date:   Thu Sep 27 05:23:38 2018 +1000

    typo fix

The test from sslabs shows the certificate supports stapling but it's not enabled. I have no idea how to test otherwise.

I checked the nginx config file and the stapling lines are uncommented. In fact, they work in nginx 1.15.3 but not 1.15.4 for some reason.

Let me know if I should post the custom config or any other config file. Everything is pretty standard however.

Cheers!