How to Enable TLS 1.3 in Nginx with OpenSSL 3.0 – CWP/CentOS 7/CentOS 8/EL7/EL8
In this tutorial we’ll build NGINX from source and enable TLS 1.3 on a Linux server. TLS 1.3 is the most secure and fastest TLS protocol to date; it brings both security and performance benefits, so a website using TLS 1.3 loads faster and is more secure.
Transport Layer Security (TLS) 1.3 provides unparalleled privacy and performance compared to previous versions of TLS and to non-secure HTTP. Performance has a major impact on user experience, and TLS 1.3 represents a pivotal turning point for HTTPS performance. Modern mobile networks routinely add over 100ms of latency to each request; TLS 1.3 makes page load times significantly faster for mobile devices, improving the experience for your visitors.
To build Nginx from source we first need to remove any nginx installed from other sources, such as the official repository or a third-party repository.
Step 1 :
First, back up the current nginx directory, which contains the configuration and vhosts :
cp -r /etc/nginx /etc/nginx.bak
Step 2 :
Remove Nginx :
yum remove nginx*
Step 3 :
Downloading dependencies and OpenSSL :
Install the build dependencies via yum (CentOS 7/8, EL7/8) :
yum install -y perl perl-devel perl-ExtUtils-Embed libxslt libxslt-devel libxml2 libxml2-devel gd gd-devel GeoIP GeoIP-devel perl-IPC-Cmd
PCRE download :
cd /usr/local/src
rm -rf pcre*
wget https://github.com/mysterydata/md-disk/raw/main/pcre-8.45.zip
unzip pcre-8.45.zip
ZLIB download :
cd /usr/local/src
rm -rf zlib*
wget https://github.com/madler/zlib/archive/refs/tags/v1.2.12.tar.gz -O zlib.tar.gz
tar zxvf zlib.tar.gz
rm -rf zlib.tar.gz
mv zlib-* zlib
Download openssl 3.0 :
cd /usr/local/src
rm -rf openssl*
wget https://www.openssl.org/source/openssl-3.0.8.tar.gz -O openssl.tar.gz
tar -xf openssl.tar.gz
rm -rf openssl.tar.gz
mv openssl-* openssl
Step 3 (continued) :
Building Nginx from source :
cd /usr/local/src
rm -rf nginx*
wget http://nginx.org/download/nginx-1.24.0.tar.gz
tar zxvf nginx-1.24.0.tar.gz
cd nginx-1.24.0
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx \
  --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid \
  --lock-path=/var/run/nginx.lock --user=nginx --group=nginx \
  --build=CentOS --builddir=nginx-custom \
  --with-select_module --with-poll_module --with-threads --with-file-aio \
  --with-http_ssl_module --with-http_v2_module --with-http_realip_module \
  --with-http_addition_module --with-http_xslt_module=dynamic \
  --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic \
  --with-http_sub_module --with-http_dav_module --with-http_flv_module \
  --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module \
  --with-http_auth_request_module --with-http_random_index_module \
  --with-http_secure_link_module --with-http_degradation_module \
  --with-http_slice_module --with-http_stub_status_module \
  --http-log-path=/var/log/nginx/access.log \
  --http-client-body-temp-path=/var/cache/nginx/client_temp \
  --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
  --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
  --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
  --with-mail=dynamic --with-mail_ssl_module \
  --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module \
  --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module \
  --with-compat --with-pcre=/usr/local/src/pcre-8.45 --with-pcre-jit \
  --with-zlib=/usr/local/src/zlib --with-openssl=/usr/local/src/openssl \
  --with-openssl-opt=no-nextprotoneg --with-debug
make && make install
Step 4 :
Now copy the config back from the backup made earlier :
cat /etc/nginx.bak/nginx.conf > /etc/nginx/nginx.conf
Step 5 :
Creating a systemd service file for nginx and excluding nginx from the yum package manager :
Now create the systemd service file for nginx :
nano /usr/lib/systemd/system/nginx.service
Paste the following into it and save; then run `systemctl daemon-reload` so systemd picks up the new unit :
[Unit]
Description=nginx - high performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID

[Install]
WantedBy=multi-user.target
Exclude nginx in the yum/dnf package manager so that a package update cannot overwrite your compiled nginx [important]. The commands below only append a line when no exclude= line mentioning nginx exists yet; if the config already has an exclude= line for other packages, add nginx* to that line instead of adding a second one :
Centos 7/el7 :
cat /etc/yum.conf |grep "^exclude="|grep nginx 1> /dev/null 2> /dev/null || echo 'exclude=nginx*' >> /etc/yum.conf
Centos 8/el8 :
cat /etc/dnf/dnf.conf |grep "^exclude="|grep nginx 1> /dev/null 2> /dev/null || echo 'exclude=nginx*' >> /etc/dnf/dnf.conf
Step 6 :
Enabling TLSv1.3 in nginx :
Now we’ll add the TLS 1.3 entry to every nginx vhost and to nginx.conf, then restart and enable nginx :
sed -i 's/TLSv1.2;/TLSv1.2 TLSv1.3;/g' /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf /etc/nginx/conf.d/vhosts/*.conf
systemctl restart nginx
systemctl enable nginx
For CWP run this instead :
sed -i 's/TLSv1.2;/TLSv1.2 TLSv1.3;/g' /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf /etc/nginx/conf.d/vhosts/*.conf /usr/local/cwpsrv/htdocs/resources/conf/web_servers/main/nginx/conf/nginx.conf
systemctl restart nginx
systemctl enable nginx
** In CWP you need to do some extra steps, which are described in the step below.
If you’re not using CWP, you’re done configuring TLS 1.3.
Step 7 :
ONLY FOR CWP :
Make sure you create a proper nginx template in CWP; otherwise TLS 1.3 will be disabled again on every webserver rebuild or SSL renewal.
You need to copy the existing templates (tpl and stpl), edit the stpl file, and replace this line :
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
with
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
That is, only TLSv1.3 needs to be added before the semicolon.
For example, if you’re using the default template for websites, copy the default templates to a custom name, e.g. default-tls13.tpl and default-tls13.stpl, and make sure this template is used as the default for all domains and subdomains, otherwise TLS 1.3 will not work. To do that, go to CWP.admin >> Webserver settings >> Webservers Main conf and, from the drop-down menu, choose as Nginx default Vhost template the one you created with the commands below (default-tls13/force-https-http2-tls13). If you’re using php-fpm + nginx, do the same for the Nginx default PHP-FPM template.
To copy the template to a custom name, do this :
cd /usr/local/cwpsrv/htdocs/resources/conf/web_servers/vhosts/nginx
cp -r default.stpl default-tls13.stpl
cp -r default.tpl default-tls13.tpl
sed -i 's/TLSv1.2;/TLSv1.2 TLSv1.3;/g' default-tls13.tpl default-tls13.stpl
** You can replace “default” with another template name; for the http2 “force-https-http2” template, for example, just replace the word “default” :
cd /usr/local/cwpsrv/htdocs/resources/conf/web_servers/vhosts/nginx
cp -r force-https-http2.stpl force-https-http2-tls13.stpl
cp -r force-https-http2.tpl force-https-http2-tls13.tpl
sed -i 's/TLSv1.2;/TLSv1.2 TLSv1.3;/g' force-https-http2-tls13.tpl force-https-http2-tls13.stpl
*** If you’re using nginx + fpm, go to the “/usr/local/cwpsrv/htdocs/resources/conf/web_servers/vhosts/nginx/php-fpm” directory and do the same there as above.
After running the above commands, lock these files if you are not going to change the nginx main config or the server hostname :
chattr +i /etc/nginx/conf.d/hostname-ssl.conf /etc/nginx/nginx.conf
If you want to change the nginx main config or the server hostname, unlock these files first and then rebuild the webserver config or vhost :
chattr -i /etc/nginx/conf.d/hostname-ssl.conf /etc/nginx/nginx.conf
*** After editing and rebuilding the webserver or vhost, lock the files again.
To check whether TLS 1.3 is enabled or not, see the instructions at the end of this post.
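The Step 6 sed only matches the literal text “TLSv1.2;”, so a vhost whose ssl_protocols line ends with another protocol, or a template that already carries “TLSv1 TLSv1.1”, is silently skipped. The script below is an added example (it is not part of the original post or of CWP): add_tls13 inserts TLSv1.3 wherever TLSv1.2 appears in a directive and is safe to re-run, and audit_tls lists every ssl_protocols directive that still lacks TLSv1.3 or still offers TLSv1/TLSv1.1. File paths are only those the tutorial uses; the config lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Each function takes nginx
# config files as arguments (or stdin when none are given); only
# fix_in_place writes anything.

# Print the config with TLSv1.3 inserted after TLSv1.2 in every ssl_protocols
# directive that does not already list it. Matches wherever TLSv1.2 sits in
# the list, skips commented-out directives, and leaves directives that already
# offer TLSv1.3 untouched, so re-running it is harmless.
add_tls13() {
    sed -E '/ssl_protocols[^;]*TLSv1\.3/!s/^([[:space:]]*ssl_protocols[^;]*TLSv1\.2)([^;]*;)/\1 TLSv1.3\2/' "$@"
}

# Apply add_tls13 to each file, keeping the file's inode and permissions.
fix_in_place() {
    for f in "$@"; do
        add_tls13 "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    done
}

# Print "file:line: reason" for every ssl_protocols directive that lacks
# TLSv1.3 or still offers the deprecated TLSv1 / TLSv1.1 protocols.
# No output means every directive is in order.
audit_tls() {
    awk '/^[ \t]*ssl_protocols[ \t]/ {
        reason = ""
        if ($0 !~ /TLSv1\.3/) reason = "missing TLSv1.3"
        if ($0 ~ /TLSv1(\.1)?[ \t;]/)
            reason = reason (reason == "" ? "" : ", ") "offers TLSv1/TLSv1.1"
        if (reason != "") printf "%s:%d: %s\n", FILENAME, FNR, reason
    }' "$@"
}

# Typical use on the tutorial's layout (as root):
#   audit_tls /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf /etc/nginx/conf.d/vhosts/*.conf
#   fix_in_place /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf /etc/nginx/conf.d/vhosts/*.conf
#   nginx -t && systemctl reload nginx
```

Once nginx has been reloaded, `openssl s_client -connect yourhost:443 -tls1_3 </dev/null` forces a TLS 1.3-only handshake and prints the negotiated protocol in its session summary, which is the quickest end-to-end check.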
You can significantly reduce the size of your nginx binary by stripping debug symbols from it:
[root@webhost nginx-1.22.1]# which nginx
/usr/sbin/nginx
[root@webhost nginx-1.22.1]# du -csh /usr/sbin/nginx
13M
13M total
[root@webhost nginx-1.22.1]# systemctl stop nginx && strip /usr/sbin/nginx ; systemctl start nginx
[root@webhost nginx-1.22.1]# du -csh /usr/sbin/nginx
5.9M /usr/sbin/nginx
5.9M total
`strip` removes debugging symbols from the binary file. In most cases the debugging symbols are not necessary unless you intend to debug the nginx binary. This means the binary size in RAM is reduced from 13M down to only 5.9M… 50% less RAM used.
** Tip: You can do this with php, php-cgi, and php-fpm as well!
[root@webhost sbin]# pwd
/opt/alt/php-fpm80/usr/sbin
[root@webhost sbin]# du -csh php-fpm
60M php-fpm
60M total
[root@webhost sbin]# cp php-fpm php-fpm.bak
[root@webhost sbin]# systemctl stop php-fpm80.service && strip php-fpm ; systemctl restart php-fpm80.service
[root@webhost sbin]# du -csh php-fpm
17M php-fpm
17M total
As of Sept 4, 2022 these instructions will also work with nginx-1.22.0 and pcre2-10.40, no issues!
To compile nginx-1.22.0 with pcre2-10.40 you must change the configure command!
./configure ……. --with-pcre=ENTER_THE_FULL_PATH_TO_PCRE2_HERE …….
This is how I did it on my server:
In step 3 I did not download pcre-8.45!
wget https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.40/pcre2-10.40.zip
unzip pcre2-10.40.zip
And I did not download nginx-1.20.2!
wget https://nginx.org/download/nginx-1.22.0.tar.gz
tar xvzf nginx-1.22.0.tar.gz
cd nginx-1.22.0
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx \
  --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid \
  --lock-path=/var/run/nginx.lock --user=nginx --group=nginx \
  --build=CentOS --builddir=nginx-custom \
  --with-select_module --with-poll_module --with-threads --with-file-aio \
  --with-http_ssl_module --with-http_v2_module --with-http_realip_module \
  --with-http_addition_module --with-http_xslt_module=dynamic \
  --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic \
  --with-http_sub_module --with-http_dav_module --with-http_flv_module \
  --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module \
  --with-http_auth_request_module --with-http_random_index_module \
  --with-http_secure_link_module --with-http_degradation_module \
  --with-http_slice_module --with-http_stub_status_module \
  --http-log-path=/var/log/nginx/access.log \
  --http-client-body-temp-path=/var/cache/nginx/client_temp \
  --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
  --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
  --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
  --with-mail=dynamic --with-mail_ssl_module \
  --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module \
  --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module \
  --with-compat --with-pcre=/usr/local/src/pcre2-10.40 --with-pcre-jit \
  --with-zlib=/usr/local/src/zlib --with-openssl=/usr/local/src/openssl \
  --with-openssl-opt=no-nextprotoneg --with-debug
make && make install
No errors 🙂 Thank you Sandeep!!
I have Nginx & Varnish & Apache and forced php-fpm; I have tried everything and TLS 1.3 doesn’t work. Does it not work with CWP?
Hi, did you follow all the steps?
cd /usr/local/src
rm -rf pcre*
wget https://ftp.pcre.org/pub/pcre/pcre-8.44.zip
unzip pcre-8.44.zip
to
cd /usr/local/src
rm -rf pcre*
wget https://deac-ams.dl.sourceforge.net/project/pcre/pcre/8.44/pcre-8.44.zip
unzip pcre-8.44.zip
Thanks. Also updated the latest link (fast download) for PCRE and updated the tutorial with OpenSSL 3; yes, nginx will work with OpenSSL 3 for better security and performance 🙂
I am using Cloudflare. Is it enough to enable the TLS 1.3 option there, or do we have to do these operations?
Hi, when using Cloudflare you can manage the TLS options from the Cloudflare dashboard.
Thank you! How could I disable TLS 1 and TLS 1.1 in my CWP, I’m using Nginx & Varnish & Apache with Force Apache to use PHP-FPM Selector option.
I get “enable” in red for those outdated protocols, so I want to disable them.
Hello,
check this for more info about disabling TLS 1.0 and 1.1 :
https://www.uxlinux.com/get-a-score-rating-with-ssllabs-qualys-in-cwp-control-web-panel/