Control Web Panel
WebPanel => Apache => Nginx => Topic started by: liltrig3 on September 05, 2024, 05:26:39 PM
-
I host a client's website on a dedicated server running CWP, hosted at inmotionhosting.com. My client recently hired a cybersecurity company to check the security of their digital assets, which includes the website I host for them. The only issue flagged as HIGH in the report is the outdated version of NGINX, nginx-1.14.2, which I am using on the server. The remedy is to update to a more current version like nginx-1.26.2.
My host's advanced support reps tell me this is currently IMPOSSIBLE to achieve because CWP has yet to release an update for nginx above the currently installed version 1.14.2. They say any attempt to update it will break my server and thus we have to wait for an official update from CWP. This is what has brought me here. My question therefore is:
How can I update the version of NGINX to 1.26.2 without breaking my server?
I am in dire need of a solution, else I risk losing my client.
-
Are you running an EL8 release (AlmaLinux 8 or Rocky Linux 8)? [You should be...]
https://blog.alphagnu.com/update-nginx-to-latest-official-version-in-centos-8-el8-cwp/
-
I just want to fill in, I already updated nginx to the latest version on 4 servers and for those with CWP + Almalinux 8 the best solution is here:
https://www.alphagnu.com/topic/55-how-to-install-latest-stablemainline-nginx-in-cwp-centos-89-stream-almalinux-89-rockylinux-89/
First of all, I find these commands, to disable and remove the installed nginx, much more reliable:
sudo dnf module disable nginx -y
sudo dnf remove 'nginx*' -y
Second, nginx.repo is recommended for public servers to install the nginx stable version, not mainline, because not all mainline updates are fully tested. That said, you can use the Yum Manager to edit the nginx.repo repository or the terminal:
sudo truncate -s 0 /etc/yum.repos.d/nginx.repo
sudo nano /etc/yum.repos.d/nginx.repo
And then add this repository for official stable version of nginx:
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
Attention AlmaLinux users: dnf and yum are not 100% the same thing. The dnf command is official in AlmaLinux, and yes, compatibility with yum is kept for those who have transitioned from CentOS, but in a fresh install it is recommended to use dnf when processing installations or uninstalls for 100% compatibility with AlmaLinux and CentOS Web Panel.
So, to proceed with the installation of the latest stable version of nginx, run the commands:
sudo dnf install nginx -y
sudo systemctl enable nginx
sudo systemctl restart nginx
As a CWP client, you must rebuild the webserver after updating. It is advisable to make a backup of at least the configuration in /etc/nginx/nginx.conf, although I recommend a more compact backup:
sudo cp -r /etc/nginx /etc/nginx.pre-upgrade
Want to know what vulnerabilities nginx 1.14.2 has? See them here:
https://www.cybersecurity-help.cz/vdb/nginx/nginx/1.14.2/
BONUS!
My version of nginx.conf optimized for 2025 with Nginx version 1.26.2 (more tweaks can be made, but these are safe and CWP compatible):
user nobody;
worker_processes auto;
#worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log crit;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
}
http {
    # Disable display of server information
    server_tokens off;
    # Include MIME types (do not add a duplicate)
    include mime.types;
    default_type application/octet-stream;
    # Timeout and buffer settings
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    client_header_timeout 3m;
    client_body_timeout 3m;
    client_max_body_size 256m;
    client_header_buffer_size 4k;
    client_body_buffer_size 256k;
    large_client_header_buffers 4 32k;
    send_timeout 3m;
    keepalive_timeout 60 60;
    reset_timedout_connection on;
    server_names_hash_max_size 1024;
    server_names_hash_bucket_size 1024;
    ignore_invalid_headers on;
    connection_pool_size 256;
    request_pool_size 4k;
    output_buffers 4 32k;
    postpone_output 1460;
    # GZIP compression
    gzip on;
    gzip_vary on;
    gzip_disable "msie6";
    gzip_proxied any;
    gzip_min_length 512;
    gzip_comp_level 6;
    gzip_buffers 8 64k;
    gzip_types text/plain text/xml text/css text/js application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg image/svg+xml application/xml+rss text/javascript application/atom+xml application/javascript application/json application/x-font-ttf font/opentype;
    # SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+AESGCM:EECDH+aRSA+AESGCM:!RC4:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # Proxy settings
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_header Set-Cookie;
    proxy_connect_timeout 300;
    proxy_send_timeout 300;
    proxy_read_timeout 300;
    proxy_buffers 32 4k;
    proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=512m;
    proxy_cache_key "$host$request_uri $cookie_user";
    proxy_temp_path /var/cache/nginx/temp;
    proxy_ignore_headers Expires Cache-Control;
    proxy_cache_use_stale error timeout invalid_header http_502;
    proxy_cache_valid any 1d;
    # open_file_cache settings
    open_file_cache_valid 120s;
    open_file_cache_min_uses 2;
    open_file_cache_errors off;
    open_file_cache max=5000 inactive=30s;
    open_log_file_cache max=1024 inactive=30s min_uses=2;
    # Rate limiting for abusive requests
    limit_req_zone $binary_remote_addr zone=limit_zone:10m rate=10r/s;
    # Avoid caching for logged-in WordPress users
    map $http_cookie $no_cache {
        default 0;
        ~SESS 1;
        ~wordpress_logged_in 1;
    }
    # Logs
    log_format main '$remote_addr - $remote_user [$time_local] $request '
                    '"$status" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    log_format bytes '$body_bytes_sent';
    #access_log /var/log/nginx/access.log main;
    access_log off;
    # Include additional configuration files
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/cloudflare.inc;
}
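A check of the nginx.repo file from the post above, as an added example that is not part of the original post: it reads a .repo file and reports enabled sections that weaken package or metadata verification. The function name `lint_repo` is an assumption; the sample input is the post's own repo file.

```sh
#!/bin/sh
# Added example, not from the thread: flag risky settings in a yum/dnf .repo file.
# Usage on a server: lint_repo < /etc/yum.repos.d/nginx.repo
lint_repo() {
    awk '
    function report() {
        if (sec == "" || enabled == "0") return
        if (gpgcheck != "1")
            print sec ": gpgcheck is not set to 1"
        if (gpgkey ~ /^http:/)
            print sec ": gpgkey is fetched over plain http"
        if (baseurl ~ /^http:/ && repo_gpgcheck != "1")
            print sec ": baseurl is plain http and repo_gpgcheck is not 1, repo metadata is unauthenticated"
    }
    /^[ \t]*(#|;|$)/ { next }                 # skip comments and blank lines
    /^\[.*\]/ {                               # a new [section] starts
        report()
        sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
        gpgcheck = ""; gpgkey = ""; baseurl = ""; repo_gpgcheck = ""; enabled = "1"
        next
    }
    {
        eq = index($0, "=")                   # split on the first "=" only
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "gpgcheck") gpgcheck = val
        else if (key == "gpgkey") gpgkey = val
        else if (key == "baseurl") baseurl = val
        else if (key == "repo_gpgcheck") repo_gpgcheck = val
        else if (key == "enabled") enabled = val
    }
    END { report() }
    '
}

# The repo file exactly as given in the post.
PAGE_REPO='[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true'

printf '%s\n' "$PAGE_REPO" | lint_repo
```

With gpgcheck=1 the packages themselves are still signature-checked; the single finding concerns the repository metadata only.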
-
Thanks, that's great! You should contribute more!
-
Thanks, that's great! You should contribute more!
In fact, know that this is also my thought since the beginning of the year. I have been here in the community for many years and I have not contributed from my experience, until now. Think about it, I'm a fan of CWP after getting fed up with CPanel/WHM, and because all the hosting companies in my country promote them, but also because their license costs don't justify sacrificing the resources of a machine for a control panel + other reasons. I'm not even talking about the others with similar tools. CWP has something special and it pleases me!
The community should relax, I'm here too from now on and I'm going to contribute everywhere. 8)
Have you seen how many unanswered topics are on here? You don't know how many times I couldn't find any solution here or anywhere online and solved the problem myself.
Man, we almost have an open source control panel here. We help each other! There is no such thing in the official competition forums! They get official help. Here... they are too busy to offer something like that (or unprofessional?)...
Respect @Sandeep ! ::)
-
I upgraded nginx to version: nginx/1.26.2 using the guide here.
version 1016000 instead of 1026002 in /etc/nginx/nginx.conf:1
There is a mismatch error in the objects' build IDs.
The error:
####
Feb 3 23:27:32 net systemd[1]: Starting nginx - high performance web server...
Feb 3 23:27:32 net nginx[2242722]: nginx: [emerg] module "/etc/nginx/modules/ngx_http_brotli_filter_module.so" version 1016000 instead of 1026002 in /etc/nginx/nginx.conf:1
Feb 3 23:27:32 net systemd[1]: nginx.service: Control process exited, code=exited status=1
Feb 3 23:27:32 net systemd[1]: nginx.service: Failed with result 'exit-code'.
Feb 3 23:27:33 net systemd[1]: Failed to start nginx - high performance web server.
####
How can I resolve it?
Thanks for any insight you can share.
-
The Brotli module used by the previous version of NGINX is incompatible with the newer NGINX version. You need to disable the Brotli module, or recompile it from sources against the new NGINX version, or find another 3rd party nginx repository with a Brotli module for Nginx.
To recompile the module against the new NGINX version you need to recompile NGINX too.
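The two numbers in the error above are nginx version stamps. As an added example that is not part of the original posts, this script decodes them and lists the dynamic modules a config loads so they can be checked before an upgrade; the function names and the sample config are assumptions, the log line is the one from the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Explains a dynamic-module version
# mismatch and lists the modules a config loads, to check before upgrading.

# nginx stamps each build with major*1000000 + minor*1000 + patch.
decode_nginx_version() {
    echo "$(( $1 / 1000000 )).$(( $1 / 1000 % 1000 )).$(( $1 % 1000 ))"
}

# Summarise an '[emerg] module "..." version X instead of Y' log line.
# Returns 1 if the line is not a module version mismatch.
explain_mismatch() {
    fields=$(printf '%s\n' "$1" | sed -nE \
        's/.*module "([^"]+)" version ([0-9]+) instead of ([0-9]+).*/\1 \2 \3/p')
    [ -n "$fields" ] || return 1
    set -- $fields    # module paths containing spaces are not handled
    echo "${1##*/} built_for=$(decode_nginx_version "$2") running=$(decode_nginx_version "$3")"
}

# Print the path in every active (uncommented) load_module directive on stdin.
list_loaded_modules() {
    sed -nE 's/^[[:space:]]*load_module[[:space:]]+"?([^";]+)"?[[:space:]]*;.*/\1/p'
}

# Log line copied from the thread.
THREAD_LOG='Feb 3 23:27:32 net nginx[2242722]: nginx: [emerg] module "/etc/nginx/modules/ngx_http_brotli_filter_module.so" version 1016000 instead of 1026002 in /etc/nginx/nginx.conf:1'

# Constructed sample of the top of an nginx.conf.
SAMPLE_CONF='load_module "/etc/nginx/modules/ngx_http_brotli_filter_module.so";
# load_module modules/ngx_http_image_filter_module.so;
load_module modules/ngx_stream_module.so;
user nobody;'

explain_mismatch "$THREAD_LOG"
printf '%s\n' "$SAMPLE_CONF" | list_loaded_modules
```

On the server, `rpm -qf` on each listed path shows which package, if any, owns the module; a module not rebuilt for the new nginx version is the one that will stop the service from starting.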
-
force update nginx-1.26.3-1.el8.ngx.x86_64
sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
sudo cp -r /etc/nginx/conf.d /etc/nginx/conf.d.backup
sudo dnf update -y
sudo dnf remove nginx -y
sudo dnf install -y epel-release
sudo dnf install -y https://nginx.org/packages/centos/8/x86_64/RPMS/nginx-1.26.3-1.el8.ngx.x86_64.rpm
nginx -v
sudo cp /etc/nginx/nginx.conf.backup /etc/nginx/nginx.conf
sudo cp -r /etc/nginx/conf.d.backup/. /etc/nginx/conf.d/
sudo systemctl restart nginx
-
Don't forget, the [ code ] tags on the forum will format most code blocks nicely.
-
My Approach to Upgrading Nginx Without a Full Reinstallation
In my experience, the optimal strategy is to update Nginx directly using the official stable repository, rather than removing it entirely. This approach helps maintain your current configuration and avoids the hassle of extensive reconfiguration.
Step 1: Backup Existing Configurations
- Backup the conf.d directory.
- Backup the nginx.conf file.
Step 2: Add the Official Stable Repository
Instead of removing your existing Nginx installation, add the new stable repository. This is crucial for accessing the latest version without disrupting your current setup.
Step 3: Direct Update
Execute a direct update using:
dnf update nginx
This command updates Nginx in place, preserving your configuration and significantly reducing the risk of introducing new issues.
Step 4: Apply Configuration Adjustments
Navigate to WebServer Settings > WebServers Main Conf. Verify and adjust the necessary settings, and enable the "rebuild all vhost on save" option to ensure all virtual host configurations are updated seamlessly.
Step 5: Restart Services
Restart both Apache and Nginx to finalize the update.
This method emphasizes stability and preserves your existing configuration, avoiding the unnecessary overhead and risks associated with a full reinstallation.
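The backup and restart steps from the two upgrade procedures above, with a config test gating the restart, as an added example that is not part of either post. `NGINX_BIN`, `CONF_DIR` and the function names are assumptions; `nginx -t` also loads every `load_module` object, so a module mismatch like the Brotli one reported earlier in the thread surfaces before the service is restarted.

```sh
#!/bin/sh
# Added example, not from the thread. NGINX_BIN and CONF_DIR are assumptions;
# override them to rehearse against a copy of the config tree.
NGINX_BIN=${NGINX_BIN:-nginx}
CONF_DIR=${CONF_DIR:-/etc/nginx}

# Copy the whole tree (nginx.conf, conf.d, includes) and print the copy's path.
snapshot_conf() {
    snap="$CONF_DIR.pre-upgrade.$(date +%Y%m%d%H%M%S)"
    cp -pR "$CONF_DIR" "$snap" && echo "$snap"
}

# Put a snapshot back. The current tree is moved aside first, because copying
# a directory onto an existing directory nests it instead of replacing it.
restore_conf() {
    [ -d "$1" ] || { echo "no snapshot at $1" >&2; return 1; }
    rm -rf "$CONF_DIR.failed"
    if [ -e "$CONF_DIR" ]; then mv "$CONF_DIR" "$CONF_DIR.failed"; fi
    cp -pR "$1" "$CONF_DIR"
}

# Run the config test and, on failure, print the first [emerg] line
# (or the full output if there is none). Returns 0 only if the test passes.
config_test() {
    out=$("$NGINX_BIN" -t -c "$CONF_DIR/nginx.conf" 2>&1) && return 0
    emerg=$(printf '%s\n' "$out" | grep -F '[emerg]' | head -n 1)
    echo "${emerg:-$out}"
    return 1
}

# Restart only when the test passes; otherwise leave the service untouched.
gated_restart() {
    if config_test; then
        systemctl restart nginx
    else
        echo "refusing to restart nginx: fix the error above first" >&2
        return 1
    fi
}

# Run as root: "snapshot" before the package update, "restart" after it.
case "${1:-}" in
    snapshot) snapshot_conf ;;
    restart)  gated_restart ;;
esac
```

If the package update replaced or removed configuration files, `restore_conf <snapshot path>` puts the saved tree back before the test is run again.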
-
My Approach to Upgrading Nginx Without a Full Reinstallation
In my experience, the optimal strategy is to update Nginx directly using the official stable repository, rather than removing it entirely. This approach helps maintain your current configuration and avoids the hassle of extensive reconfiguration.
(...)
Not only the package installation, but nginx has modules too, and you need to follow up and keep the modules updated too.
This is much easier to do with AlmaLinux modules.
A manual installation would require you to build the module packages, which is not good.
For this reason, I do a "module" installation.
To check available modules:
# dnf module list nginx
Only nginx version 1.24 is available to install.
# dnf -y module enable nginx:1.24
Installing nginx and modules ...
# dnf -y module install nginx
Changing permissions to directory /var/lib/nginx :
# chmod +x -R /var/lib/nginx
Changing ownership of directory /var/lib/nginx :
# chown nobody -R /var/lib/nginx/
P.S.: the downside is that AlmaLinux modules do not have such up-to-date versions. But the current nginx version (1.24) is good to work with.
Regards,
Netino