nginx
導入
CentOS 7
VirtualHost 運用
既定のホストを無効として厳密な名前の一致を求める
ホストのディレクトリは /var/www/vhosts/<FQDN>
ホスト設定は /etc/nginx/vhosts.d/<FQDN>.conf
RHEL 8 待ち
code:bash
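sudo yum -y install nginx
# Suppress default host: the packaged nginx.conf on CentOS 7 includes
# /etc/nginx/default.d/*.conf inside its port-80 default server, so any
# request that reaches it gets the connection closed (444) with no body.
cat <<'EOL' | sudo tee /etc/nginx/default.d/444.conf
return 444;
EOL
# Manage virtual hosts: a catch-all TLS default_server that also answers 444,
# so only an exact server_name match under vhosts.d/ is ever served.
# The "z-" prefix makes this the last file picked up from conf.d/ (glob
# includes are sorted), so the vhosts.d include comes after everything else.
cat <<'EOL' | sudo tee /etc/nginx/conf.d/z-server.conf
server_tokens off;
ssl_dhparam /etc/nginx/conf.d/dhparams.pem;
server {
    listen 443 ssl http2 default_server;
    # IPv6 addresses must be bracketed; a bare ":::443" is rejected by nginx -t
    listen [::]:443 ssl http2 default_server;
    server_name _;
    return 444;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # ssl_trusted_certificate /path/to/certificates;
    # resolver resolvers;
    ssl_ecdh_curve secp384r1:secp521r1;
    # Placeholder self-signed certificate generated below. This server never
    # serves content; it only needs to complete a handshake before closing.
    ssl_certificate /etc/pki/tls/certs/localhost.crt;
    ssl_certificate_key /etc/pki/tls/private/localhost.key;
}
include /etc/nginx/vhosts.d/*.conf;
EOL
# Self-signed placeholder (CN=*) so nginx can start before any real
# certificate exists; each real host supplies its own in vhosts.d/.
sudo openssl req -subj '/CN=*' -new -days 365 -x509 -nodes -out /etc/pki/tls/certs/localhost.crt -keyout /etc/pki/tls/private/localhost.key
# 4096-bit DH parameters take several minutes to generate; this is expected.
sudo openssl dhparam -out /etc/nginx/conf.d/dhparams.pem 4096
# -p: the include above globs this directory, and re-running the steps
# must not abort on an existing directory.
sudo mkdir -p /etc/nginx/vhosts.d
# Validate the generated configuration before enabling the service, so a
# syntax error surfaces here rather than as a failed unit at boot.
sudo nginx -t
sudo systemctl enable --now nginx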
バーチャルホスト追加例
code:/etc/nginx/vhosts.d/example.com.conf
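# Plain-HTTP listener for the host: its only job is to redirect to HTTPS.
server {
    listen 80;
    # IPv6 addresses must be bracketed; a bare ":::80" is rejected by nginx -t
    listen [::]:80;
    server_name example.com;
    # $host is safe to reflect here because server_name is an exact match and
    # the catch-all default_server swallows every other Host value.
    return 301 https://$host$request_uri;
}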
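# HTTPS server for the host. TLS settings mirror the catch-all server in
# /etc/nginx/conf.d/z-server.conf; application-specific directives are kept
# in the per-host nginx.conf included at the bottom.
server {
    listen 443 ssl http2;
    # IPv6 addresses must be bracketed; a bare ":::443" is rejected by nginx -t
    listen [::]:443 ssl http2;
    server_name example.com;
    root /var/www/vhosts/example.com/public;
    index index.html;
    # Never serve Apache .htaccess files left behind in a migrated docroot.
    # Defined once: nginx rejects a duplicate location within one server.
    location ~ \.htaccess$ {
        return 404;
    }
    # httpoxy mitigation: a client-supplied "Proxy" header must never reach
    # backends as HTTP_PROXY, whether via FastCGI or proxy_pass.
    fastcgi_param HTTP_PROXY "";
    proxy_set_header Proxy "";
    # HSTS; "always" also attaches the header to 4xx/5xx responses.
    # Note: add_header is not inherited into any location that declares its
    # own add_header, including locations in the included per-host nginx.conf.
    add_header Strict-Transport-Security "max-age=31104000" always;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # ssl_trusted_certificate /path/to/certificates;
    # resolver resolvers;
    # Placeholder self-signed certificate until a real one (e.g. from
    # certbot --nginx) replaces these two lines.
    ssl_certificate /etc/pki/tls/certs/localhost.crt;
    ssl_certificate_key /etc/pki/tls/private/localhost.key;
    # TODO
    # nginx reads this file at startup/reload with the master process's
    # privileges; keep it owned by root and not writable by the account that
    # runs or deploys the application, since anything in it becomes server
    # configuration.
    include /var/www/vhosts/example.com/nginx.conf;
}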
お好みで Let's Encrypt
code:bash
sudo yum -y install python2-certbot-nginx
sudo certbot --nginx
アプリの設定は追加の nginx.conf で
code:nginx.conf
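# Per-application fragment, included at server scope by the vhost's
# server block.
# Every directive must end with ";" — without it nginx folds the following
# lines into one add_header and fails with "invalid number of arguments".
# These headers apply to every location below that does not declare its own
# add_header (nginx does not merge add_header across scopes).
add_header X-Frame-Options "SAMEORIGIN";
# Legacy header: current Chromium and Firefox ignore it; kept for older
# browsers only.
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Referrer-Policy "same-origin";
index index.html index.php;
location / {
    # Front controller: paths that are not real files go to index.php,
    # preserving the query string.
    try_files $uri /index.php$is_args$args;
}
location ~ \.php$ {
    # Only hand real .php files to PHP-FPM; return 404 otherwise, so requests
    # carrying extra path info for a non-PHP file are never executed.
    try_files $uri =404;
    include fastcgi_params;
    fastcgi_pass unix:/run/php-fpm/www.sock;
    fastcgi_index index.php;
    fastcgi_intercept_errors on;
    # Set after the include so it is not overridden by fastcgi_params.
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}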