Want more timely Centmin Mod News Updates?
Become a Member

Nginx [nginx-announce] nginx-1.15.4

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Sep 26, 2018.

  1. rdan

    rdan Well-Known Member

    4,856
    1,160
    113
    May 25, 2014
    Ratings:
    +1,740
    Local Time:
    10:58 AM
    Mainline
    10.2
    Only this upgrade.

    Nginx is running but can't serve request on public.
    Happens after some of the patch or boring compile step.
     
  2. rdan

    rdan Well-Known Member

    4,856
    1,160
    113
    May 25, 2014
    Ratings:
    +1,740
    Local Time:
    10:58 AM
    Mainline
    10.2
    Works great now :)

    My Config:
    Code:
        keepalive_timeout 300;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Content-Type-Options "nosniff" always;
        
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;
        ssl_buffer_size 1400;
        
        http2_max_field_size 16k;
        http2_max_header_size 32k;
        
        ### TLS 1.3
        ssl_early_data on;
        proxy_set_header Early-Data $ssl_early_data;
    
    ssl_ciphers Config was taken here: Add TLS 1.3, X25519, Disable DHE for Intermediate Level, Reordering Cipher Suites by zzq1015 · Pull Request #175 · mozilla/server-side-tls


    upload_2018-9-27_1-4-29.png

    upload_2018-9-27_1-5-46.png
     
    • Informative Informative x 1
  3. rdan

    rdan Well-Known Member

    4,856
    1,160
    113
    May 25, 2014
    Ratings:
    +1,740
    Local Time:
    10:58 AM
    Mainline
    10.2
    Same thing happen on another Server I just upgraded.
     
  4. eva2000

    eva2000 Administrator Staff Member

    43,079
    9,781
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,100
    Local Time:
    12:58 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    You using Nginx with BoringSSL or OpenSSL 1.1.1 ? Could be related to switch between Nginx + BoringSSL and switching over to Nginx + OpenSSL 1.1.1
     
  5. rdan

    rdan Well-Known Member

    4,856
    1,160
    113
    May 25, 2014
    Ratings:
    +1,740
    Local Time:
    10:58 AM
    Mainline
    10.2
    Nginx with the default OpenSSL.
    Not using Boringssl, I just used what centmin.sh provide by default.
     
  6. omfgbear

    omfgbear New Member

    8
    1
    3
    Sep 27, 2018
    Ratings:
    +1
    Local Time:
    4:58 AM
    1.15.4
    10
    Upgrading to 1.15.4 and adding the dynamictls patch seems to have messed up ocsp stapling for some reason. Anyone else experiencing this issue?
     
  7. rdan

    rdan Well-Known Member

    4,856
    1,160
    113
    May 25, 2014
    Ratings:
    +1,740
    Local Time:
    10:58 AM
    Mainline
    10.2
    How do you check on this?
     
  8. eva2000

    eva2000 Administrator Staff Member

    43,079
    9,781
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,100
    Local Time:
    12:58 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    what's output for these commands
    Code (Text):
    cmdir
    git log -1 | sed '/centminmod.com/d'
    

    Can you elaborate on what you mean messed up ? how you verifying the issue ?
     
    Last edited: Sep 27, 2018
  9. eva2000

    eva2000 Administrator Staff Member

    43,079
    9,781
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,100
    Local Time:
    12:58 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
  10. rdan

    rdan Well-Known Member

    4,856
    1,160
    113
    May 25, 2014
    Ratings:
    +1,740
    Local Time:
    10:58 AM
    Mainline
    10.2
    Some of my custom config might be invalid already now that we used openssl 1.1.1?
    Code:
    ENABLEMOTD='n'
    
    CUSTOMSERVERNAME='y'
    CUSTOMSERVERSTRING='nginx'
    
    AUTO_GITUPDATE='y'
    DISABLE_IPVSIX='y'
    
    PHP_PGO='y'
    
    GENERAL_DEVTOOLSETGCC='y'
    CRYPTO_DEVTOOLSETGCC='y'
    
    NSD_DISABLED='y'
    MEMCACHED_DISABLED='y'
    PUREFTPD_DISABLED='y'
    
    NGXDYNAMIC_NGXPAGESPEED='n'
    
    NGINX_UPDATEMAINTENANCE='n'
    PHP_UPDATEMAINTENANCE='n'
    MARIADB_UPDATEMAINTENANCE='n'
    
    ENABLE_MARIADBTENTWOUPGRADE='y'
    
    AUTOTUNE_CLIENTMAXBODY='n'
    NSD_INSTALL='n'              # Install NSD (DNS Server)
    NGXMODULE_ALTORDER='n'       # nginx configure module ordering alternative order
    NGINX_DEBUG='n'              # Enable & reinstall Nginx debug log nginx.org/en/docs/debugging_log.html & wiki.nginx.org/Debugging
    NGINX_HTTP2='y'              # Nginx http/2 patch https://community.centminmod.com/threads/4127/
    NGINX_MODSECURITY=n          # modsecurity module support https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
    NGINX_REALIP='n'
    NGINX_RDNS='n'               # https://github.com/flant/nginx-http-rdns
    NGINX_NJS='n'                # nginScript https://www.nginx.com/blog/launching-nginscript-and-looking-ahead/
    NGINX_GEOIP='n'              # Nginx GEOIP module install
    NGINX_STUBSTATUS='n'         # http://nginx.org/en/docs/http/ngx_http_stub_status_module.html required for nginx statistics
    NGINX_SUB='n'                # http://nginx.org/en/docs/http/ngx_http_sub_module.html
    NGINX_ADDITION='n'           # http://nginx.org/en/docs/http/ngx_http_addition_module.html
    NGINX_IMAGEFILTER='n'        # http://nginx.org/en/docs/http/ngx_http_image_filter_module.html
    NGINX_PERL='n'               # http://nginx.org/en/docs/http/ngx_http_perl_module.html
    NGINX_XSLT='n'               # http://nginx.org/en/docs/http/ngx_http_xslt_module.html
    NGINX_CACHEPURGE='n'         # https://github.com/FRiCKLE/ngx_cache_purge/
    NGINX_ACCESSKEY='n'          #
    NGINX_HTTPCONCAT='n'         # https://github.com/alibaba/nginx-http-concat
    NGINX_THREADS='n'            # https://www.nginx.com/blog/thread-pools-boost-performance-9x/
    NGINX_STREAM='n'             # http://nginx.org/en/docs/stream/ngx_stream_core_module.html
    NGINX_STREAMGEOIP='n'        # nginx 1.11.3+ option http://hg.nginx.org/nginx/rev/558db057adaa
    NGINX_STREAMREALIP='n'       # nginx 1.11.4+ option http://hg.nginx.org/nginx/rev/9cac11efb205
    NGINX_STREAMSSLPREREAD='n'   # nginx 1.11.5+ option https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
    NGINX_RTMP='n'               # Nginx RTMP Module support https://github.com/arut/nginx-rtmp-module
    NGINX_FLV='n'                # http://nginx.org/en/docs/http/ngx_http_flv_module.html
    NGINX_MP4='n'                # Nginx MP4 Module http://nginx.org/en/docs/http/ngx_http_mp4_module.html
    NGINX_AUTHREQ='n'            # http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
    NGINX_SECURELINK='n'         # http://nginx.org/en/docs/http/ngx_http_secure_link_module.html
    NGINX_FANCYINDEX='n'         # http://wiki.nginx.org/NgxFancyIndex
    NGINX_VHOSTSTATS='n'         # https://github.com/vozlt/nginx-module-vts
    NGINX_LIBBROTLI='y'          # https://github.com/google/ngx_brotli
    NGINX_LIBBROTLISTATIC='n'
    NGINX_PAGESPEED='n'          # Install ngx_pagespeed
    NGINX_PAGESPEEDGITMASTER='n' # Install ngx_pagespeed from official github master instead 
    NGINX_PASSENGER='n'          # Install Phusion Passenger requires installing addons/passenger.sh before hand
    NGINX_WEBDAV='n'             # Nginx WebDAV and nginx-dav-ext-module
    NGINX_HTTPREDIS='n'          # Nginx redis http://wiki.nginx.org/HttpRedisModule
    ORESTY_HEADERSMORE='n'       # openresty headers more https://github.com/openresty/headers-more-nginx-module
    NGINX_STICKY='n'             # nginx sticky module https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng
    NGINX_UPSTREAMCHECK='n'      # nginx upstream check https://github.com/yaoweibin/nginx_upstream_check_module
    NGINX_OPENRESTY='n'          # Agentzh's openresty Nginx modules
    ORESTY_SETMISCGIT='n'        # use git master instead of version specific
    ORESTY_ECHOGIT='n'           # use git master instead of version specific
    
    LUAJIT_GITINSTALL='n'        # opt to install luajit 2.1 from dev branch http://repo.or.cz/w/luajit-2.0.git/shortlog/refs/heads/v2.1
    
    ORESTY_LUANGINX='n'             # enable or disable or ORESTY_LUA* nginx modules below
    NGX_LUAUPSTREAM='n'                # disable https://github.com/openresty/lua-upstream-nginx-module
    NGX_LUAUPSTREAMCACHE='n'           # disable https://github.com/cloudflare/lua-upstream-cache-nginx-module
    
    PHPGEOIP_ALWAYS='n'          # GeoIP php extension is always reinstalled on php recompiles
    PHPDEBUGMODE='n'             # --enable-debug PHP compile flag
    PHPFINFO='n'                 # Disable or Enable PHP File Info extension
    PHPPCNTL='n'                 # Disable or Enable PHP Process Control extension
    PHPINTL='n'                  # Disable or Enable PHP intl extension
    PHPRECODE=n                  # Disable or Enable PHP Recode extension
    PHPSNMP='n'                  # Disable or Enable PHP SNMP extension
    PHPIMAGICK='y'               # Disable or Enable PHP ImagicK extension
    PHPMAILPARSE='n'             # Disable or Enable PHP mailparse extension
    PHPIONCUBE='n'               # Disable or Enable Ioncube Loader via addons/ioncube.sh
    POSTGRESQL='n'               # set to =y to install PostgreSQL 9.4 server, devel packages and pdo-pgsql PHP extension
    
    NGINX_VHOSTSSL='n'           # enable centmin.sh menu 2 prompt to create self signed SSL vhost 2nd vhost conf
    NGINXBACKUP='n'
    
    ### Nginx SSL options
    CLOUDFLARE_ZLIB='y'
    NGINX_DYNAMICTLS='y'
    OPENSSLECDSA_PATCH='y'
    OPENSSLECDHX_PATCH='y'
    
    MEMCACHED_INSTALL='n'         # Install Memcached
    PHPREDIS='y'                # redis PHP extension install
    PHPMONGODB='n'              # MongoDB PHP extension install
    PHP_FTPEXT='n'              # ftp PHP extension
    PHP_MEMCACHE='n'            # memcache PHP extension
    PHP_MEMCACHED='n'           # memcached PHP extension
    PHPZOPFLI='n'
    PHPZOPFLI_ALWAYS='n'
    
    PHP_OVERWRITECONF='n'
    PHP_VERSION='7.2.9'        # Use this version of PHP
    ZOPCACHEDFT='y'
    PHP_EXTRAOPTS=""
    
    Specially this?
    OPENSSLECDSA_PATCH='y'
    OPENSSLECDHX_PATCH='y'
     
  11. eva2000

    eva2000 Administrator Staff Member

    43,079
    9,781
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,100
    Local Time:
    12:58 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    try them disabled as that is default

    you should also try with /etc/centminmod/custom_config.inc empty to verify if there's any conflicts if you have issues with nginx upgrades
     
    • Like Like x 1
  12. rdan

    rdan Well-Known Member

    4,856
    1,160
    113
    May 25, 2014
    Ratings:
    +1,740
    Local Time:
    10:58 AM
    Mainline
    10.2
    And also enabled for openssl 1.1.0 right?
    Not for 1.1.1?
     
  13. eva2000

    eva2000 Administrator Staff Member

    43,079
    9,781
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,100
    Local Time:
    12:58 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    yeah you can try against OpenSSL 1.1.0i vs 1.1.1 too
     
  14. Sunka

    Sunka Well-Known Member

    1,117
    305
    83
    Oct 31, 2015
    Rijeka, Croatia
    Ratings:
    +492
    Local Time:
    3:58 AM
    Nginx 1.15.8
    MariaDB 10.3.12
    Upgraded

     
    • Like Like x 1
  15. Kuro

    Kuro Member

    80
    10
    8
    Feb 8, 2018
    Ratings:
    +17
    Local Time:
    9:58 AM
    1.15.10
    10.3
    Hi!
    I'm using Cloudflare pro plan and Cloudflare certificate (5$/m), i turned on TLS 1.3 +ORT, SSL: Full (strict), Authenticated Origin Pulls on Cloudflare and add CF ECDSA Origin Certificate to vhost. I configured on vhost like this, is it enough? I am a newbie and my english is not good. Thanks.
    (nginx 1.15.4, openssl 1.1.1)

    [​IMG]
     
  16. eva2000

    eva2000 Administrator Staff Member

    43,079
    9,781
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,100
    Local Time:
    12:58 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    @Kuro looks good.. though you really only want to test ssl_early_data enabled on test sites and not live production for now and Cloudflare doesn't talk to your Centmin Mod Nginx via TLS 1.3 0-RTT Early Data anyway
     
    • Like Like x 1
  17. Kuro

    Kuro Member

    80
    10
    8
    Feb 8, 2018
    Ratings:
    +17
    Local Time:
    9:58 AM
    1.15.10
    10.3
    Do I need to add ssl_ciphers, ssl_prefer_server_ciphers, ssl_buffer_size... to Vhost?
    Is the configuration optimized for vhost using Cloudflare?

    [​IMG]
     
  18. eva2000

    eva2000 Administrator Staff Member

    43,079
    9,781
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,100
    Local Time:
    12:58 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    yes you do need the those settings as you need working HTTPS SSL on Centmin Mod Nginx to communicate with Cloudflare over Authenticated Origin Pulls with Cloudflare FULL SSL.
     
  19. omfgbear

    omfgbear New Member

    8
    1
    3
    Sep 27, 2018
    Ratings:
    +1
    Local Time:
    4:58 AM
    1.15.4
    10
    Hi,
    Here's the output:
    Code (Text):
    [10:24][[email protected] centminmod]# git log -1 | sed '/centminmod.com/d'
    commit b2e49d2ccf54cfc0e488533dd59c3d5b026c981d
    Date:   Thu Sep 27 05:23:38 2018 +1000
    
        typo fix
    


    The test from sslabs shows the certificate supports stapling but it's not enabled. I have no idea how to test otherwise.

    I checked the nginx config file and the stapling lines are uncommented. In fact, they work in nginx 1.15.3 but not 1.15.4 for some reason.

    Let me know if I should post the custom config or any other config file. Everything is pretty standard however.

    Cheers!
     
  20. eva2000

    eva2000 Administrator Staff Member

    43,079
    9,781
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,100
    Local Time:
    12:58 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    OCSP stapling in Nginx is per Nginx worker process so if you have a 2-4 nginx worker process setup server, each request populates OCSP stapling per worker used. So if you re-run ssllabs a few times you eventually populate all Nginx workers and OCSP stapling should then show up

    to verify you're using right nginx + openssl setup also post output for command
    Code (Text):
    nginx -V
    

    for nginx version output, you can wrap it in QUOTE tags so lines wrap

    You can also do a OCSP Stapling quick test within SSH telnet command, type the following where domain.com is the domain.com SSL domain you setup:
    Code (Text):
      openssl s_client -connect domain.com:443 -tlsextdebug -status
    

    look for output:
    Code (Text):
      OCSP response:
    ======================================
    OCSP Response Data:
       OCSP Response Status: successful (0x0)?