TLS 1.3 is the latest and most secure version of the Transport Layer Security protocol, offering significant performance and security improvements. With TLS 1.3 enabled, websites load faster, particularly on mobile devices, while connections gain stronger protection. This guide explains how to build NGINX from source and enable TLS 1.3 on Linux servers, including steps for systems using CentOS Web Panel (CWP).
Why TLS 1.3?
- Improved Security: TLS 1.3 drops the legacy cipher suites and key-exchange options that older versions still allowed, reducing the attack surface.
- Faster Page Loads: Especially noticeable on mobile networks with high latency.
- Optimized Performance: Less overhead compared to older TLS versions.
Preparation: Remove Existing NGINX Installation
Before compiling NGINX with TLS 1.3 support, remove any pre-installed versions:
1. Backup NGINX Configuration:
cp -r /etc/nginx /etc/nginx.bak
2. Uninstall Current NGINX:
yum remove nginx*
TLS 1.3 Installation
Step 1: Install Dependencies
Install required libraries and tools:
yum install -y perl perl-devel perl-ExtUtils-Embed libxslt libxslt-devel libxml2 libxml2-devel gd gd-devel GeoIP GeoIP-devel
Download and prepare necessary components:
PCRE:
cd /usr/local/src
wget https://ftp.pcre.org/pub/pcre/pcre-8.44.zip
unzip pcre-8.44.zip
ZLIB:
wget https://www.zlib.net/zlib-1.2.11.tar.gz
tar zxvf zlib-1.2.11.tar.gz
OpenSSL:
wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
tar zxvf openssl-1.1.1k.tar.gz
Step 2: Build NGINX from Source
1. Download and extract NGINX source files:
wget http://nginx.org/download/nginx-1.20.0.tar.gz
tar zxvf nginx-1.20.0.tar.gz
cd nginx-1.20.0
2. Configure and compile:
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules \
  --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid \
  --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --build=CentOS --with-select_module \
  --with-poll_module --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module \
  --with-http_realip_module --with-http_stub_status_module --with-pcre=/usr/local/src/pcre-8.44 \
  --with-zlib=/usr/local/src/zlib-1.2.11 --with-openssl=/usr/local/src/openssl-1.1.1k
make && make install
3. Restore the backup configuration:
cp /etc/nginx.bak/nginx.conf /etc/nginx/nginx.conf
Step 3: Configure Systemd Service
1. Create a systemd service file for NGINX:
nano /usr/lib/systemd/system/nginx.service
2. Paste the following content:
[Unit]
Description=NGINX - high-performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID

[Install]
WantedBy=multi-user.target
3. Prevent package manager overwrites:
# CentOS 7
echo 'exclude=nginx*' >> /etc/yum.conf
# CentOS 8
echo 'exclude=nginx*' >> /etc/dnf/dnf.conf
Step 4: Enable TLS 1.3
1. Add TLS 1.3 support in configuration files:
sed -i 's/TLSv1.2;/TLSv1.2 TLSv1.3;/g' /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf
2. Restart and enable NGINX:
systemctl restart nginx
systemctl enable nginx
Step 5: Additional Configuration for CWP
For CWP users, ensure templates are updated:
1. Edit default templates:
cd /usr/local/cwpsrv/htdocs/resources/conf/web_servers/vhosts/nginx
cp default.tpl default-tls13.tpl
cp default.stpl default-tls13.stpl
sed -i 's/TLSv1.2;/TLSv1.2 TLSv1.3;/g' default-tls13.tpl default-tls13.stpl
2. Lock configuration files to prevent unwanted changes:
chattr +i /etc/nginx/conf.d/hostname-ssl.conf /etc/nginx/nginx.conf
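The sed used in Steps 4 and 5 only appends TLSv1.3 to directives that end in "TLSv1.2;", so a config that still reads "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" keeps the deprecated protocols enabled. The script below is an added example, not part of this guide, that sets every ssl_protocols directive to exactly TLSv1.2 and TLSv1.3 and then checks the result; it assumes GNU sed (as on CentOS) and must run before the files are made immutable with chattr +i.

```shell
#!/bin/sh
# Added example (not from the guide): normalise every ssl_protocols directive in
# an NGINX config to "TLSv1.2 TLSv1.3", dropping TLSv1/TLSv1.1 if present.
# Assumes GNU sed and files that are not yet immutable (chattr +i).

# Usage: set_tls_protocols FILE...   (edits in place, keeps FILE.orig as a backup)
set_tls_protocols() {
    for f in "$@"; do
        cp "$f" "$f.orig"
        sed -i -E 's/^([[:space:]]*)ssl_protocols[[:space:]]+[^;]*;/\1ssl_protocols TLSv1.2 TLSv1.3;/' "$f"
    done
}

# Usage: check_tls_protocols FILE
# Returns 0 only if the file has at least one ssl_protocols directive and every
# such directive is exactly "ssl_protocols TLSv1.2 TLSv1.3;". Commented-out
# directives are ignored because the pattern is anchored at the line start.
check_tls_protocols() {
    grep -E '^[[:space:]]*ssl_protocols' "$1" \
        | grep -vqE '^[[:space:]]*ssl_protocols[[:space:]]+TLSv1\.2[[:space:]]+TLSv1\.3;' && return 1
    grep -qE '^[[:space:]]*ssl_protocols[[:space:]]+TLSv1\.2[[:space:]]+TLSv1\.3;' "$1"
}

# Writes a constructed sample vhost (not a real server's config) to FILE.
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl http2;
    # ssl_protocols TLSv1.2;   <- commented out, must be left alone
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
EOF
}

# Demo on a temporary copy so nothing under /etc/nginx is touched.
demo() {
    d=$(mktemp -d)
    write_sample_conf "$d/vhost.conf"
    set_tls_protocols "$d/vhost.conf"
    grep -n 'ssl_protocols' "$d/vhost.conf"
    check_tls_protocols "$d/vhost.conf" && echo "ssl_protocols: OK"
    rm -rf "$d"
}
demo
```

To apply it to a real server, call set_tls_protocols on /etc/nginx/nginx.conf and /etc/nginx/conf.d/*.conf, then run nginx -t before restarting.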
Verification
Verify that TLS 1.3 is actually negotiated by testing your website with an online TLS scanner or a command-line TLS client. Once that check passes, the server is ready to deliver faster and more secure connections over TLS 1.3.