Question

Is Nginx 1.18 Included in the LEMP image Secure?

Posted on February 1, 2024
Nginx Security DigitalOcean Droplets LEMP
Asked by George Chanturidze

I recently provisioned a droplet using digitalocean’s LEMP 43 image on the marketplace.

I noticed that Nginx version is 1.18.0. According to Nginx official site, this version is no longer supported. Only supported versions currently are 1.24 and 1.25. I’m not sure if DigitalOcean maintains and patches the 1.18.0 version somehow on their own (maybe using some PPA?).

So basically I’m trying to understand, am I secure using this v1.18.0 that came with the LEMP image, or should I be looking to manually upgrade?

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Bobby Iliev

Site Moderator

• February 2, 2024

Hi there,

Yes, this is still the latest version available on the default Ubuntu repositories:

https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/#installing-prebuilt-ubuntu-packages

If you prefer to have v1.25 installed, what you could do is follow the steps from the above Nginx documentation, and install Nginx from the Official NGINX Repository rather than the default Ubuntu Repository.

Install the prerequisites:

sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring

Import an official nginx signing key so apt could verify the packages authenticity. Fetch the key:

curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null

Verify that the downloaded file contains the proper key:

gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg

The output should contain the full fingerprint 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 as follows:

pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
  573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid                      nginx signing key <signing-key@nginx.com>

If the fingerprint is different, remove the file.

To set up the apt repository for stable nginx packages, run the following command:

echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list

If you would like to use mainline nginx packages, run the following command instead:

echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list

Set up repository pinning to prefer our packages over distribution-provided ones:

echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
    | sudo tee /etc/apt/preferences.d/99nginx

Install NGINX Open Source:
```
sudo apt update
sudo apt install nginx
```
Start NGINX Open Source:
```
sudo systemctl start nginx
```

Verify that NGINX Open Source is up and running:

curl -I 127.0.0.1
HTTP/1.1 200 OK
Server: nginx/1.25.1

Before the upgrade, it is always recommended to backup your Droplet.

If you wish, you could submit a feature request for the LEMP image on the Marketplace via this repository here:

https://github.com/digitalocean/droplet-1-clicks/issues

Best,

Bobby

KFSys

Site Moderator

• February 5, 2024

Heya @geochanto,

As already mentioned, this is the default version(latest) provided by the defualt Ubuntu repositories.

You can try and update Nginx to 1.25 or 1.24 if you want as explained bellow how to do it however I do believe that it shouldn’t be necessary. There are no active bugs or exploits for Nginx 1.18.