Install Passenger/Nginx with Heartbleed Mitigation
The following steps may be taken to mitigate the OpenSSL vulnerability.
Compile the heartbleeder vulnerability tester
Locally:
$ brew install go # Mac only
$ mkdir -p ~/Code/go
$ export GOPATH=$HOME/Code/go
$ cd $GOPATH
$ go get github.com/titanous/heartbleeder
$ go build heartbleeder
$ bin/heartbleeder example.com
Update Passenger/Nginx
On your servers:
$ gem update passenger
$ export EXTRA_CXXFLAGS="-DOPENSSL_NO_HEARTBEATS"
$ export EXTRA_CFLAGS="-DOPENSSL_NO_HEARTBEATS"
$ passenger-install-nginx-module
# Update your nginx.conf with the new Passenger path
# Restart your nginx processes
Check your https web servers
$ bin/heartbleeder example.com
Author: Patrick Morgan (patrick -at- patrick-morgan.net)
License: Creative Commons. Distribute Freely!
2 comments:
The Nginx installed by passenger-install-nginx-module should be dynamically linked to OpenSSL. If you upgrade the system's OpenSSL your Nginx installation should be fine; no need to rerun passenger-install-nginx-module.
Unless you only have the OpenSSL static library installed, which will cause passenger-install-nginx-module to statically link to OpenSSL. In that case, you have to rerun passenger-install-nginx-module every time you upgrade OpenSSL.
Thanks for the clarification. Updated my post!
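The dynamic and static linking cases from the comments above can be told apart on the server, along with whether a running nginx still maps an OpenSSL library that has since been replaced on disk. This is an added example, not part of the original post or its comments; it assumes a Linux host with ldd and /proc, and the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Linux with ldd and
# /proc. Function names and sample inputs are constructed for illustration.

# Reads `ldd /path/to/nginx` output on stdin. Prints "dynamic" when libssl is
# a shared dependency, "static-or-none" when it is absent (statically linked,
# or nginx built without SSL support).
ssl_linkage() {
    if grep -q 'libssl\.so'; then echo dynamic; else echo static-or-none; fi
}

# Reads /proc/<pid>/maps on stdin. Prints "yes" when the process still maps a
# libssl file that was replaced on disk (the kernel marks it "(deleted)").
stale_libssl() {
    if grep -q 'libssl\.so.*(deleted)'; then echo yes; else echo no; fi
}

# Maps the two findings to the action described in the post and its comments.
next_step() {
    case "$1:$2" in
        dynamic:yes)      echo "restart nginx to load the upgraded OpenSSL" ;;
        dynamic:no)       echo "no rebuild needed; confirm with heartbleeder" ;;
        static-or-none:*) echo "rerun passenger-install-nginx-module" ;;
        *)                echo "unknown input"; return 1 ;;
    esac
}

# report LDD_OUTPUT MAPS_OUTPUT: prints the recommended action.
report() {
    linkage=$(printf '%s\n' "$1" | ssl_linkage)
    stale=$(printf '%s\n' "$2" | stale_libssl)
    next_step "$linkage" "$stale"
}

# Constructed sample inputs (not captured from a real host).
LDD_DYNAMIC=' libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f1c2a000000)
 libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f1c29c00000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29800000)'
LDD_STATIC=' libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f1c2a000000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29800000)'
MAPS_STALE='7f1c2a000000-7f1c2a055000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'
MAPS_FRESH='7f1c2a000000-7f1c2a055000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libssl.so.1.0.0'

# On a real server: report "$(ldd /path/to/nginx)" "$(cat /proc/<nginx pid>/maps)"
report "$LDD_DYNAMIC" "$MAPS_STALE"
report "$LDD_STATIC" ""
```

In the dynamic case, run this after upgrading the system's OpenSSL; the heartbleeder check from the post remains the final confirmation.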