Summary of Production Vulnerability Remediation

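1. Fixing SSH-related vulnerabilities

Vulnerability list:

OpenSSH auth_password function denial-of-service vulnerability (CVE-2016-6515)

OpenSSH do_setup_env function privilege escalation vulnerability (CVE-2015-8325)

OpenSSH glob expression denial-of-service vulnerability (CVE-2010-4755)

OpenSSH J-PAKE authorization issue vulnerability (CVE-2010-4478)

OpenSSH MaxAuthTries limit bypass vulnerability (CVE-2015-5600)

OpenSSH 'schnorr.c' remote memory corruption vulnerability (CVE-2014-1692)

OpenSSH sshd mm_answer_pam_free_ctx use-after-free vulnerability (CVE-2015-6564)

OpenSSH SSH daemon security vulnerability (CVE-2016-6210)

OpenSSH 'x11_open_helper()' function security restriction bypass vulnerability (CVE-2015-5352)

OpenSSH multiple KEXINIT denial-of-service vulnerability (CVE-2016-8858) [principle-based scan]

OpenSSH multiple denial-of-service vulnerabilities (CVE-2016-10708)

OpenSSH security vulnerability (CVE-2016-1908)

OpenSSH security vulnerability (CVE-2017-15906)

OpenSSH security restriction bypass vulnerability (CVE-2016-10012)

OpenSSH denial-of-service vulnerability (CVE-2016-1907)

OpenSSH user enumeration vulnerability (CVE-2018-15473) [principle-based scan]

OpenSSH user enumeration vulnerability (CVE-2018-15919)

OpenSSH remote code execution vulnerability (CVE-2016-10009)

OpenSSH default server configuration denial-of-service vulnerability (CVE-2010-5107)

OpenSSL "SSL-Death-Alert" denial-of-service vulnerability (CVE-2016-8610) [principle-based scan]

OpenSSL denial-of-service vulnerability (CVE-2018-0739)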

 

System: CentOS 7

Upload the source tarball to the host that needs fixing, then run the script below.

Script:

#!/bin/bash

yum install -y gcc gcc-c++

 

yum install -y openssl-devel zlib-devel 

 

mkdir -p /root/backup

 

mv /etc/ssh /root/backup/

 

tar -zxf openssh-7.9p1.tar.gz 

 

cd openssh-7.9p1

./configure --prefix=/usr --sysconfdir=/etc/ssh

 

# Stop here if the build fails, before the running sshd and its packages are removed

make || exit 1

 

systemctl stop sshd.service

 

rpm -e --nodeps `rpm -qa | grep openssh`

 

make install 

 

cp contrib/redhat/sshd.init /etc/init.d/sshd

 

systemctl enable sshd.service

 

# If the host allows direct root login, you can add the following setting

sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config

 

systemctl start sshd.service

systemctl enable sshd.service

 

Replace the two systemctl commands above with:

service sshd start

chkconfig sshd on
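
A pre-restart check for the upgrade script above, added here as an example and not part of the original post. It only lets sshd be restarted when the new binary accepts the configuration (sshd -t) and the installed client reports at least the target version; the function names and the paths in the final comment are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): checks to run after "make install"
# and before sshd is restarted, so a bad build or config does not cut off SSH.

# Extract "7.9p1" from "OpenSSH_7.9p1, OpenSSL 1.0.2k-fips  26 Jan 2017".
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([^, ]*\).*/\1/p'
}

# version_ge A B: succeed when A >= B; "7.9p1" is compared as 7.9.1.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/p/, ".", a); gsub(/p/, ".", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# preflight SSHD_BIN SSH_BIN CONFIG MIN_VERSION (all four are caller-supplied).
# Return codes: 1 config missing, 2 sshd -t failed, 3 unparsable banner, 4 too old.
preflight() {
    [ -s "$3" ] || { echo "missing or empty config: $3"; return 1; }
    "$1" -t -f "$3" || { echo "sshd -t rejected $3"; return 2; }
    banner=$("$2" -V 2>&1)
    ver=$(openssh_version "$banner")
    [ -n "$ver" ] || { echo "cannot parse version from: $banner"; return 3; }
    version_ge "$ver" "$4" || { echo "still on $ver, expected >= $4"; return 4; }
    echo "ok: OpenSSH $ver, config accepted"
}

# Constructed banners: the target build and the rollback output shown on this page.
for b in "OpenSSH_7.9p1, OpenSSL 1.0.2k-fips  26 Jan 2017" \
         "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017"; do
    v=$(openssh_version "$b")
    if version_ge "$v" 7.9p1; then echo "$v: at target"; else echo "$v: below 7.9p1"; fi
done

# On the host itself (paths are assumptions, adjust to the configure prefix):
#   preflight /usr/sbin/sshd /usr/bin/ssh /etc/ssh/sshd_config 7.9p1 && service sshd start
```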

 

To roll back:

mkdir /root/backup2

mv /etc/ssh /root/backup2

service sshd stop

mv /etc/init.d/sshd /root/backup2

cd openssh-7.9p1

make uninstall

 

yum -y install openssh-clients openssh-server openssh

 

ssh -V

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

 

systemctl enable sshd.service

systemctl start sshd.service

 

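Note:

If other hosts have passwordless (key-based) login configured to this host, the rebuilt sshd generates new host keys, so their old known_hosts entries no longer match.

On each of those hosts, as the corresponding user, run ssh-keygen -R IP or HOSTNAME, then log in again.

If that still fails, delete the corresponding entry from .ssh/known_hosts, then run ssh-copy-id USER@IP or HOSTNAME.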

 

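2. Fixing MySQL-related vulnerabilities

Vulnerability list:

MySQL remote code execution and privilege escalation vulnerability (CVE-2016-6662)

Oracle MySQL Client component arbitrary code execution vulnerability (CVE-2016-0546)

Oracle MySQL Server: Pluggable Authentication subcomponent security vulnerability (CVE-2016-0639)

Oracle MySQL Server security vulnerability (CVE-2018-2696)

Oracle MySQL Server component security vulnerability (CVE-2018-2562)

Oracle MySQL Server component security vulnerability (CVE-2018-2612)

Oracle MySQL Server component security vulnerability (CVE-2018-2647)

Oracle MySQL Server remote security vulnerability (CVE-2017-3599)

Oracle MySQL security vulnerability (CVE-2016-0705)

There are two remediation methods, one for each installation type:

2.1 Installed from RPM packages (mysql-5.7.18-1.el7.x86_64.rpm-bundle.tar)

Download a newer MySQL package, mysql-5.7.26.

Update in place (the service does not need to be stopped)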

yum update -y mysql-community-*.rpm

 

2.2 Installed from an unpacked tarball (mysql-5.7.26-linux-glibc2.12-x86_64.tar.gz)

tar -zxf mysql-5.7.26-linux-glibc2.12-x86_64.tar.gz -C /usr/local

 

Stop the running service

service mysql stop

 

Then back up

cd /usr/local

mv mysql mysql-5.7.17

 

Switch over

mv mysql-5.7.26-linux-glibc2.12-x86_64 mysql

 

Start the service

service mysql start

 

Troubleshooting:

Problem 1: application queries fail with:

Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Expression #2 of SELECT list is not in GROUP BY clause and contains nonaggregated column 'c.PRODUCT_LINE' which is not functionally dependent on columns in GROUP BY clause; this is incompatible with sql_mode=only_full_group_by

 

mysql> select @@sql_mode;

+-------------------------------------------------------------------------------------------------------------------------------------------+

| @@sql_mode                                                                                                                                |

+-------------------------------------------------------------------------------------------------------------------------------------------+

| ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION |

 

Edit my.cnf

Under [mysqld], set

sql_mode=STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

 

Make the configuration take effect

Problem 2:

2019-06-03T02:16:18.169901Z 2 [ERROR] Invalid (old?) table or database name 'lost+found'

2019-06-03T02:16:18.169942Z 2 [ERROR] Invalid (old?) table or database name 'mysql-5.6.28-linux-glibc2.5-x86_64

 

Change the configuration

ignore-db-dir=lost+found

ignore-db-dir=mysql-5.6.28-linux-glibc2.5-x86_64

 

Make the configuration take effect

Problem 3: [Warning] IP address 'xxx.xxx.xxx.xxx' could not be resolved: Name or service not known

 

Change the configuration

skip-name-resolve

 

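Make the configuration take effect

3. Fixing NTP-related vulnerabilities

Vulnerability list:

NTP CRYPTO_ASSOC memory leak denial-of-service vulnerability (CVE-2015-7701)

NTPD PRNG weak cryptography vulnerability (CVE-2014-9294)

NTPD PRNG invalid entropy vulnerability (CVE-2014-9293)

ntpd security vulnerability (CVE-2016-1548)

ntpd denial-of-service vulnerability (CVE-2016-2516)

NTPD stack buffer overflow vulnerability (CVE-2014-9295)

NTP Kiss-o'-Death denial-of-service vulnerability (CVE-2015-7705)

NTP ntpd code injection vulnerability (CVE-2014-9751)

NTP ntpd buffer overflow vulnerability (CVE-2015-7853)

NTP NULL Pointer Dereference denial-of-service vulnerability (CVE-2016-9311)

NTP Resource Exhaustion denial-of-service vulnerability (CVE-2016-9310)

NTP security vulnerability (CVE-2016-2516)

NTP authentication bypass vulnerability (CVE-2015-7871)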

 

#!/bin/bash

 

service ntpd stop

 

# Install build dependencies

yum install gcc gcc-c++ openssl-devel libstdc++* libcap* -y

# Back up

cp /etc/ntp.conf /etc/ntp.conf.bak

cp /etc/init.d/ntpd /etc/init.d/ntpd.bak

cp /etc/sysconfig/ntpd /etc/sysconfig/ntpd.bak

cp /etc/sysconfig/ntpdate /etc/sysconfig/ntpdate.bak

 

rpm -e --nodeps `rpm -qa | grep ntp-`

rpm -e --nodeps `rpm -qa | grep ntpdate`

 

# Build and install

mkdir -p /data/usr/src

tar -zxf ntp-4.2.8p12.tar.gz -C /data/usr/src

cd /data/usr/src/ntp-4.2.8p12

./configure --prefix=/data/usr/ntpd --bindir=/usr/sbin --enable-all-clocks --enable-parse-clocks --docdir=/usr/share/doc/ntp-4.2.8p12

make && make install

 

# Start the service

cp /etc/ntp.conf.bak /etc/ntp.conf

/usr/sbin/ntpd -c /etc/ntp.conf

 

# Start at boot

echo '/usr/sbin/ntpd -c /etc/ntp.conf' >> /etc/rc.d/rc.local

 

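4. Fixing HTTP-related vulnerabilities

Vulnerability list:

Apache HTTP Server ap_get_basic_auth_pw authentication bypass vulnerability (CVE-2017-3167)

Apache HTTP Server mod_mime buffer overflow vulnerability (CVE-2017-7679)

Apache HTTP Server mod_ssl NULL pointer dereference vulnerability (CVE-2017-3169)

Current environment: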

CentOS release 6.9 (Final)

 

rpm -qa | grep httpd

httpd-2.2.15-69.el6.centos.x86_64

httpd-tools-2.2.15-69.el6.centos.x86_64

 

Existing configuration

Listen 8080

 

User http

Group http

 

DocumentRoot "/"

    Options FollowSymLinks

    AllowOverride None

        Header set Access-Control-Allow-Origin *

    Options Indexes FollowSymLinks

    AllowOverride None

    Order allow,deny

    Allow from all

 

Upgrade:

Stop the service and back up

service httpd stop

Back up

mv /etc/httpd /etc/httpd_bak

Build and install

tar -zxf apr-1.6.5.tar.gz -C /data/usr/src

cd /data/usr/src/apr-1.6.5

./configure --prefix=/data/usr/apr

make && make install

 

tar -zxf apr-util-1.6.1.tar.gz -C /data/usr/src

cd /data/usr/src/apr-util-1.6.1/

./configure --prefix=/data/usr/apr-util --with-apr=/data/usr/apr

make && make install

 

tar -zxf httpd-2.4.39.tar.gz -C /data/usr/src

cd /data/usr/src/httpd-2.4.39/

./configure --prefix=/data/usr/httpd --sysconfdir=/etc/httpd --with-apr=/data/usr/apr --with-apr-util=/data/usr/apr-util 

make && make install

 

Change the configuration (adjust it to your actual environment)

vi /etc/httpd/httpd.conf 

Listen 8080

User http

Group http

ServerName localhost:8080

    AllowOverride none

    Require all denied

 

DocumentRoot "/"

    Options Indexes FollowSymLinks

 

    AllowOverride None

    Require all granted

        Header set Access-Control-Allow-Origin *

 

Start the service and verify

cd /data/usr/httpd/bin

 

./apachectl start

 

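5. Fixing WebLogic-related vulnerabilities

Reference for patching WebLogic:

https://blog.csdn.net/maple_fix/article/details/80351527

Vulnerability list:

Oracle Fusion Middleware Oracle WebLogic Server component arbitrary code execution vulnerability (CVE-2016-0572)

Oracle Fusion Middleware Oracle WebLogic Server component remote security vulnerability (CVE-2016-3505)

Oracle Fusion Middleware Oracle WebLogic Server component remote security vulnerability (CVE-2016-5531)

Oracle Fusion Middleware Oracle WebLogic Server component remote security vulnerability (CVE-2016-5535)

Oracle Fusion Middleware WebLogic Server security vulnerability (CVE-2016-3586)

Oracle Fusion Middleware WebLogic Server component information disclosure vulnerability (CVE-2016-0577)

Oracle Fusion Middleware WebLogic Server component security vulnerability (CVE-2017-5645)

Oracle Fusion Middleware WebLogic Server component security vulnerability (CVE-2018-2893)

Oracle Fusion Middleware WebLogic Server component security vulnerability (CVE-2018-2935)

Oracle Fusion Middleware WebLogic Server component remote security vulnerability (CVE-2016-0573)

Oracle Fusion Middleware WebLogic Server component remote security vulnerability (CVE-2016-0574)

Oracle Fusion Middleware WebLogic Server remote security vulnerability (CVE-2016-0638)

Oracle WebLogic Server WLS Security component security vulnerability (CVE-2017-10271)

Oracle WebLogic Server WLS Security component security vulnerability (CVE-2017-10271) [principle-based scan]

Oracle WebLogic Server WLS component security vulnerability (CVE-2018-2893) [principle-based scan]

Oracle WebLogic Server arbitrary code execution vulnerability (CVE-2014-2470)

Oracle WebLogic Server deserialization vulnerability (CVE-2018-2628)

Oracle WebLogic Server deserialization vulnerability (CVE-2018-2628) [principle-based scan]

Oracle WebLogic Server security vulnerability (CVE-2013-2186)

Oracle WebLogic Server security vulnerability (CVE-2017-3248)

Oracle WebLogic Server remote security vulnerability (CVE-2017-3506)

Oracle WebLogic Server remote security vulnerability (CVE-2017-5638) (cpuapr2017-3236618)

WebLogic Commons Collections component deserialization vulnerability (CVE-2015-4852) [principle-based scan]

Environment:

System: CentOS 6.9

JDK 1.7

Dual-core CPU, 4 GB RAM

Upgrade:

View the WebLogic information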

cd /wls/wls81/Oracle/Middleware/utils/bsu

$ sh bsu.sh -prod_dir=/wls/wls81/Oracle/Middleware/wlserver_10.3 -status=applied -verbose -view

ProductName:       WebLogic Server

ProductVersion:    10.3 MP6

Components:        WebLogic Server/Core Application Server,WebLogic Server/Admi

                   nistration Console,WebLogic Server/Configuration Wizard and 

                   Upgrade Framework,WebLogic Server/Web 2.0 HTTP Pub-Sub Serve

                   r,WebLogic Server/WebLogic SCA,WebLogic Server/WebLogic JDBC

                    Drivers,WebLogic Server/Third Party JDBC Drivers,WebLogic S

                   erver/WebLogic Server Clients,WebLogic Server/WebLogic Web S

                   erver Plugins,WebLogic Server/UDDI and Xquery Support,WebLog

                   ic Server/Evaluation Database,WebLogic Server/Workshop Code 

                   Completion Support

BEAHome:           /wls/wls81/Oracle/Middleware

ProductHome:       /wls/wls81/Oracle/Middleware/wlserver_10.3

PatchSystemDir:    /wls/wls81/Oracle/Middleware/utils/bsu

PatchDir:          /wls/wls81/Oracle/Middleware/patch_wls1036

Profile:           Default

DownloadDir:       /wls/wls81/Oracle/Middleware/utils/bsu/cache_dir

JavaVersion:       1.6.0_29

JavaVendor:        Sun

 

Stop the service and back up

$ cd /wls/wls81/Oracle/Middleware/user_projects/domains/base_domain/bin

$ sh stopWebLogic.sh

$ cd /wls

$ cp -r wls81 wls81_bak

$ cd wls81/Oracle/Middleware/utils/bsu/cache_dir

$ wget xxxx/patch/p29204678_1036_Generic.tgz

$ wget xxxx/patch/p29694149_10360190416_Generic.tgz

 

The patch URLs used here point to the company intranet; you can look for other download sources online.

Apply patch U5I2

$ tar -zxf p29204678_1036_Generic.tgz

$ ll

总用量 338412

-rw-r----- 1 wls81 wls 101161413 5月  30 17:16 p29204678_1036_Generic.tgz

-rw-r----- 1 wls81 wls  15777418 5月  30 17:16 p29694149_10360190416_Generic.tgz

-rw-r----- 1 wls81 wls 136403408 2月   4 04:30 patch-catalog_26516.xml

-rw-r----- 1 wls81 wls     61197 4月  15 17:56 README.txt

-rw-r----- 1 wls81 wls  93124490 2月   4 04:30 U5I2.jar

$ cd ..

$ ./bsu.sh -install -patch_download_dir=/wls/wls81/Oracle/Middleware/utils/bsu/cache_dir -patchlist=U5I2 -prod_dir=/wls/wls81/Oracle/Middleware/wlserver_10.3

 

If the previous step fails with "java.lang.OutOfMemoryError: GC overhead limit exceeded",

increase the memory settings:

$ vi bsu.sh

MEM_ARGS="-Xms256m -Xmx512m"

"$JAVA_HOME/bin/java" ${MEM_ARGS} -jar patch-client.jar $*

 

Change to:

 

MEM_ARGS="-Xms2048m -Xmx3072m"

"$JAVA_HOME/bin/java" ${MEM_ARGS} -jar patch-client.jar $*

 

Run it again

$ ./bsu.sh -install -patch_download_dir=/wls/wls81/Oracle/Middleware/utils/bsu/cache_dir -patchlist=U5I2 -prod_dir=/wls/wls81/Oracle/Middleware/wlserver_10.3

检查冲突........

未检测到冲突

 

正在安装补丁程序 ID: U5I2..

结果: 成功

 

View the information

$ sh bsu.sh -prod_dir=/wls/wls81/Oracle/Middleware/wlserver_10.3 -status=applied -verbose -view

ProductName:       WebLogic Server

ProductVersion:    10.3 MP6

Components:        WebLogic Server/Core Application Server,WebLogic Server/Admi

                   nistration Console,WebLogic Server/Configuration Wizard and 

                   Upgrade Framework,WebLogic Server/Web 2.0 HTTP Pub-Sub Serve

                   r,WebLogic Server/WebLogic SCA,WebLogic Server/WebLogic JDBC

                    Drivers,WebLogic Server/Third Party JDBC Drivers,WebLogic S

                   erver/WebLogic Server Clients,WebLogic Server/WebLogic Web S

                   erver Plugins,WebLogic Server/UDDI and Xquery Support,WebLog

                   ic Server/Evaluation Database,WebLogic Server/Workshop Code 

                   Completion Support

BEAHome:           /wls/wls81/Oracle/Middleware

ProductHome:       /wls/wls81/Oracle/Middleware/wlserver_10.3

PatchSystemDir:    /wls/wls81/Oracle/Middleware/utils/bsu

PatchDir:          /wls/wls81/Oracle/Middleware/patch_wls1036

Profile:           Default

DownloadDir:       /wls/wls81/Oracle/Middleware/utils/bsu/cache_dir

JavaVersion:       1.6.0_29

JavaVendor:        Sun

 

 

Patch ID:          U5I2

PatchContainer:    U5I2.jar

Checksum:          1091735558

Severity:          optional

Category:          General

CR/BUG:            29204678

Restart:           true

Description:       WLS PATCH SET UPDATE 10.3.6.0.190416

WLS PATCH SET UPDATE 10

                   .3.6.0.190416

 

Apply patch 6JJ4

$ cd cache_dir/

$ tar -zxf p29694149_10360190416_Generic.tgz

$ cd ..

$ ./bsu.sh -install -patch_download_dir=/wls/wls81/Oracle/Middleware/utils/bsu/cache_dir -patchlist=6JJ4 -prod_dir=/wls/wls81/Oracle/Middleware/wlserver_10.3

 

To remove a patch

./bsu.sh -remove -patchlist=6JJ4 -prod_dir=/wls/wls81/Oracle/Middleware/wlserver_10.3

 

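6. Redis

Vulnerability list:

Redis unauthorized access vulnerability [principle-based scan]

6.1 Master-replica

On the master node, edit the configuration file:

Add (choose your own password)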

requirepass Redis2019!

 

On the replica node, edit the configuration file

Add

requirepass Redis2019!

masterauth Redis2019!

Restart the master and replica services

 

6.2 Cluster

Assume the node IPs are:

192.168.121.121

192.168.121.122

192.168.121.123

On each node, set both passwords, authenticate the current connection (once requirepass is set, further commands on that connection need auth), then persist the change with config rewrite:

redis-cli -h 192.168.121.121 -c -p 7001

config set masterauth Redis2019!

config set requirepass Redis2019!

auth Redis2019!

config rewrite

redis-cli -h 192.168.121.121 -c -p 7002

config set masterauth Redis2019!

config set requirepass Redis2019!

auth Redis2019!

config rewrite

redis-cli -h 192.168.121.122 -c -p 7001

config set masterauth Redis2019!

config set requirepass Redis2019!

auth Redis2019!

config rewrite

redis-cli -h 192.168.121.122 -c -p 7002

config set masterauth Redis2019!

config set requirepass Redis2019!

auth Redis2019!

config rewrite

redis-cli -h 192.168.121.123 -c -p 7001

config set masterauth Redis2019!

config set requirepass Redis2019!

auth Redis2019!

config rewrite

redis-cli -h 192.168.121.123 -c -p 7002

config set masterauth Redis2019!

config set requirepass Redis2019!

auth Redis2019!

config rewrite

The master-replica setup can also use the method above; just run the corresponding commands.

Problem:

After fixing the vulnerability this way, running redis-trib.rb check reports an error:

Sorry, can't connect to node

Solution:

Edit client.rb

find / -name "client.rb"

vi /usr/local/ruby/lib/ruby/gems/2.5.0/gems/redis-4.0.1/lib/redis/client.rb

:password => nil

Change to:

:password => "Redis2019!"

   

For a single standalone node, adding the following line to the configuration is enough

requirepass Redis2019! 
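
An audit of the resulting configuration files, added here as an example and not part of the original post. It checks that every node has requirepass set and that each node's masterauth matches the requirepass of every node it could replicate from; the function names, file names and sample password are constructed for illustration.

```shell
#!/bin/bash
# Added example: audit redis.conf files for the requirepass/masterauth settings above.

# conf_value FILE DIRECTIVE: print the directive's value. Directive names are
# case-insensitive in redis.conf and the last occurrence takes effect.
conf_value() {
    awk -v key="$2" 'tolower($1) == key { v = $2 }
        END { gsub(/^"|"$/, "", v); print v }' "$1"
}

# check_link MASTER_CONF REPLICA_CONF: a replica can only sync if its
# masterauth equals the requirepass of the node it replicates from.
check_link() {
    mp=$(conf_value "$1" requirepass)
    ra=$(conf_value "$2" masterauth)
    [ -n "$mp" ] || { echo "$1: requirepass not set, node accepts unauthenticated clients"; return 1; }
    [ "$ra" = "$mp" ] || { echo "$2: masterauth does not match requirepass in $1"; return 1; }
}

# audit_cluster FILE...: after a failover any cluster node may replicate from
# any other, so every ordered pair of nodes (a node with itself included) must pass.
audit_cluster() {
    findings=$(for m in "$@"; do for r in "$@"; do
        check_link "$m" "$r" || true
    done; done | sort -u)
    [ -z "$findings" ] || { echo "$findings"; return 1; }
}

# Constructed sample: node 7002 was left without masterauth.
demo_dir=$(mktemp -d)
printf 'port 7001\nrequirepass "S3cret-example"\nmasterauth "S3cret-example"\n' > "$demo_dir/7001.conf"
printf 'port 7002\nrequirepass S3cret-example\n# masterauth unset\n' > "$demo_dir/7002.conf"
audit_cluster "$demo_dir/7001.conf" "$demo_dir/7002.conf" || echo "cluster auth is inconsistent"
```

For the master-replica layout in 6.1, call check_link with the master's file first and the replica's file second.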

 

7. nginx

Vulnerability list:

nginx resolver use-after-free vulnerability (CVE-2016-0746)

nginx security vulnerability (CVE-2018-16843)

Before the fix:

# rpm -qa | grep nginx

nginx-mod-stream-1.12.2-2.el7.x86_64

nginx-mod-http-perl-1.12.2-2.el7.x86_64

nginx-mod-mail-1.12.2-2.el7.x86_64

nginx-mod-http-image-filter-1.12.2-2.el7.x86_64

nginx-mod-http-geoip-1.12.2-2.el7.x86_64

nginx-all-modules-1.12.2-2.el7.noarch

nginx-mod-http-xslt-filter-1.12.2-2.el7.x86_64

nginx-filesystem-1.12.2-2.el7.noarch

nginx-1.12.2-2.el7.x86_64

 

Download the source tarballs and upload them to the host that needs fixing

http://zlib.net/zlib-1.2.11.tar.gz

https://www.openssl.org/source/openssl-1.1.0k.tar.gz

https://www.cpan.org/src/5.0/perl-5.28.0.tar.gz

http://ftp.pcre.org/pub/pcre/pcre-8.41.tar.gz

http://nginx.org/download/nginx-1.14.2.tar.gz

 

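When fixing, upgrade to as high a version as possible.

First check which account and group nginx runs as.

Use nginx -V to view the build-time configure arguments.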

#!/bin/bash

 

BASEDIR=`pwd`

 

SRC_DIR=/data/usr/src

 

INSTALL_DIR=/data/usr

 

LOGS_DIR=/data/logs/nginx 

 

LOGROTATE_FILE=/etc/logrotate.d/nginx

 

GCC_COUNT=`rpm -qa | grep gcc | wc -l`

 

function install_nginx(){

 

if [ -e "$SRC_DIR" ]; then

        echo "SRC_DIR is exist"

else 

        mkdir -p $SRC_DIR

fi 

 

# nginx_install

cd $BASEDIR

tar -zxf perl-5.28.0.tar.gz -C $SRC_DIR

cd $SRC_DIR/perl-5.28.0/

./Configure -des

make && make install

cd $BASEDIR

tar -zxf pcre-8.41.tar.gz -C $SRC_DIR

cd $SRC_DIR/pcre-8.41/

./configure

make && make install

cd $BASEDIR

tar -zxf zlib-1.2.11.tar.gz -C $SRC_DIR

cd $SRC_DIR/zlib-1.2.11/

./configure

make && make install

cd $BASEDIR

tar -zxf openssl-1.1.0k.tar.gz -C $SRC_DIR

cd $SRC_DIR/openssl-1.1.0k/

./config 

make && make install

cd $BASEDIR

tar -zxf nginx-1.14.2.tar.gz -C $SRC_DIR

cd $SRC_DIR/nginx-1.14.2/

./configure --prefix=$INSTALL_DIR/nginx --with-http_ssl_module --with-stream --with-stream_ssl_module --with-zlib=$SRC_DIR/zlib-1.2.11 --with-openssl=$SRC_DIR/openssl-1.1.0k --with-pcre=$SRC_DIR/pcre-8.41 

make && make install

 

if [ -e $LOGS_DIR ]; then

        echo "LOGS_DIR is exist"

else 

        mkdir -p $LOGS_DIR

fi 

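# nginx_config (this inserts "user root;"; change it to the nginx account and group identified above when adapting nginx.conf)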

sed -e '3i\user root;' -i $INSTALL_DIR/nginx/conf/nginx.conf 

sed -e "9i\error_log $LOGS_DIR/error.log;" -i $INSTALL_DIR/nginx/conf/nginx.conf

sed -e "12i\pid $LOGS_DIR/nginx.pid;" -i $INSTALL_DIR/nginx/conf/nginx.conf

sed -e "29i\ \taccess_log $LOGS_DIR/access.log;" -i $INSTALL_DIR/nginx/conf/nginx.conf

 

# logrotate

touch $LOGROTATE_FILE

echo -e "$LOGS_DIR/*.log {" >> $LOGROTATE_FILE

echo -e "\tdaily" >> $LOGROTATE_FILE

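# logrotate's rotate directive needs a count; 7 is an example value, not taken from the original script

echo -e "\trotate 7" >> $LOGROTATE_FILE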

echo -e "\tmissingok" >> $LOGROTATE_FILE

echo -e "\tdateext" >> $LOGROTATE_FILE

echo -e "\tcompress" >> $LOGROTATE_FILE

echo -e "\tdelaycompress" >> $LOGROTATE_FILE

echo -e "\tnotifempty" >> $LOGROTATE_FILE

echo -e "\tsharedscripts" >> $LOGROTATE_FILE

echo -e "\tpostrotate" >> $LOGROTATE_FILE

echo -e "\t/usr/bin/kill -USR1 \`cat $LOGS_DIR/nginx.pid\`" >> $LOGROTATE_FILE

echo -e "\tendscript" >> $LOGROTATE_FILE

echo -e "\t}" >> $LOGROTATE_FILE

 

}

 

if [ $GCC_COUNT -ge 3 ]; then

        echo "gcc is installed"

        install_nginx

else 

        echo "gcc is not install"

        yum install gcc gcc-c++ -y 

        install_nginx

fi

 

Then adjust nginx.conf and the other configuration files to match your actual nginx configuration

 

chown -R nginx:nginx /data/usr/nginx

 

Stop the old nginx service

systemctl stop nginx.service

 

Start the new service

cd /data/usr/nginx

./sbin/nginx -t

./sbin/nginx
