Web Server Load Balancing with NGINX Plus

Are NGINX and NGINX Plus Vulnerable to the Heartbleed Vulnerability in OpenSSL?

The Heartbleed bug (see and the OpenSSL advisory) is a serious vulnerability in the popular OpenSSL cryptographic software library, announced on April 7,  2014. It allows access to up to 64 KB of internal memory in affected servers, which potentially exposes sensitive information including SSL private keys.

The bug was introduced in OpenSSL 1.0.1, and is resolved in version 1.0.1g and later. If your NGINX version or NGINX Plus release uses an affected version of OpenSSL, you must upgrade your OpenSSL library immediately and verify that your NGINX and NGINX Plus instances are using the updated version.

Does Your NGINX Installation Use Your OS Vendor’s Version of OpenSSL?

NGINX builds provided by NGINX, Inc. or through a third party repository are usually dynamically linked to the operating system’s instance of Run the ldd command to learn the full path to the file and the strings command to display the associated version number (in this case, it’s 1.0.1f):

$ ldd `which nginx` | grep ssl => /lib/x86_64-linux-gnu/ (0x00007f82e62bf000)
$ strings /lib/x86_64-linux-gnu/ | grep "^OpenSSL "
OpenSSL 1.0.1f 6 Jan 2014

Output on your system might look somewhat different. You can also run openssl version, although the output might not be reliable if there are several instances of OpenSSL on your server.

We strongly recommend that you upgrade to the most recent OpenSSL library provided by your operating system vendor, even if the earlier version you are running is not reported to be affected. Then restart the NGINX software to use the updated library. Check your vendor’s response to CVE-2014-0160 to determine the correct upgrade process. For your convenience, here are the links for Red Hat and Ubuntu.

Please note that some Linux operating system vendors have released fixed packages that still bear the OpenSSL 1.0.1e version number. Even though the OpenSSL project released 1.0.1g as their newest software, downstream Linux providers have in some cases elected to include just the fix for CVE-2014-0160 in their packages in order to provide a small update quickly.

Does Your NGINX Installation Use a Statically Linked Instance of OpenSSL?

If you have compiled NGINX yourself, you might have statically linked the OpenSSL libraries. In this case the output from ldd does not reveal dependencies on the operating system library. Run nginx -V to display the compile‑time options you used:

$ ./objs/nginx -V
nginx version: nginx/1.5.11
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
configure arguments: --with-cc-opt=-I../openssl-1.0.1f/include 
  --with-ld-opt='-L../openssl-1.0.1f -Wl,-Bstatic -lssl -lcrypto -Wl,-Bdynamic -ldl' 

If you are using a vulnerable version of OpenSSL, recompile NGINX with a fixed version, or recompile OpenSSL using the -DOPENSSL_NO_HEARTBEATS option and then recompile NGINX.

Hero image
Are Your Applications Secure?

Learn how to protect your apps with NGINX and NGINX Plus


Owen Garrett


Owen is a senior member of the NGINX Product Management team, covering open source and commercial NGINX products. He holds a particular responsibility for microservices and Kubernetes‑centric solutions. He’s constantly amazed by the ingenuity of NGINX users and still learns of new ways to use NGINX with every discussion.


F5, Inc. 是备受欢迎的开源软件 NGINX 背后的商业公司。我们为现代应用的开发和交付提供一整套技术。我们的联合解决方案弥合了 NetOps 和 DevOps 之间的横沟,提供从代码到用户的多云应用服务。访问 了解更多相关信息。