Nginx

この章では、Nginxをインストールし、リバースプロキシを構築します。
よくあるパターンとして以下の例を勉強していきます！

SSL証明書設定
Webアプリへのリバースプロキシ
複数サーバへのServerNameでの振り分け
同種別サーバへの負荷分散設定
TCPロードバランサー
PHP-FPM連携

準備

rootに昇格

sudo su -

sudo su -

便利ツールインストール

yum -y install vim bash-completion net-tools bind-utils

1	yum -y install vim bash-completion net-tools bind-utils

SELinux停止

vi /etc/selinux/config

1	vi /etc/selinux/config

SELINUX=disabled

1	SELINUX=disabled

反映

reboot

reboot

Nginxインストール

EPELリポジトリ登録

yum -y install epel-release

1	yum -y install epel-release

Nginxインストール

yum --enablerepo=epel -y install nginx

1	yum --enablerepo=epel -y install nginx

起動

systemctl start nginx
systemctl enable nginx

1 2	systemctl start nginx systemctl enable nginx

ファイアウォール

firewall-cmd --add-service=http --permanent
firewall-cmd --reload

1 2	firewall-cmd --add-service=http --permanent firewall-cmd --reload

動作確認

http://192.168.11.231/ へアクセス

証明書

自己証明書作成

openssl genrsa 2048 > server.key && openssl req -new -key server.key -subj "/C=JP/ST=Tokyo" -out server.csr && openssl x509 -days 3650 -req -signkey server.key -in server.csr -out server.crt
mv server.* /etc/nginx/

1 2	openssl genrsa 2048 > server.key && openssl req -new -key server.key -subj "/C=JP/ST=Tokyo" -out server.csr && openssl x509 -days 3650 -req -signkey server.key -in server.csr -out server.crt mv server.* /etc/nginx/

HTTPSをListenする設定

/etc/nginx/nginx.conf

server {
listen       443 ssl http2 default_server;
server_name  _;
root         /usr/share/nginx/html;

ssl_certificate "/etc/nginx/server.crt";
ssl_certificate_key "/etc/nginx/server.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout  10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;

location / {
}

error_page 404 /404.html;
location = /404.html {
}

error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}

server {

listen 443 ssl http2 default_server;

server_name _;

root /usr/share/nginx/html;

ssl_certificate "/etc/nginx/server.crt";

ssl_certificate_key "/etc/nginx/server.key";

ssl_session_cache shared:SSL:1m;

ssl_session_timeout 10m;

ssl_ciphers HIGH:!aNULL:!MD5;

ssl_prefer_server_ciphers on;

# Load configuration files for the default server block.

include /etc/nginx/default.d/*.conf;

location / {

}

error_page 404 /404.html;

location = /404.html {

}

error_page 500 502 503 504 /50x.html;

location = /50x.html {

}

コンフィグテスト

nginx -t

nginx -t

起動

systemctl restart nginx

1	systemctl restart nginx

ファイアウォール

firewall-cmd --add-service=https --permanent
firewall-cmd --reload

1 2	firewall-cmd --add-service=https --permanent firewall-cmd --reload

動作確認

https://192.168.11.231/ へアクセス

Webアプリへのリバースプロキシ(NextCloud)

インストール

yum -y install docker
docker ps
systemctl enable docker
systemctl start docker

yum -y install docker

docker ps

systemctl enable docker

systemctl start docker

nextcloud

docker run --name nextcloud -d -p 8080:80 nextcloud

1	docker run --name nextcloud -d -p 8080:80 nextcloud

nextcloudコンテナの動作確認

curl -i http://localhost:8080

1	curl -i http://localhost:8080

proxy_passを設定

/etc/nginx/nginx.conf

全体

   #server {
    #    listen       80 default_server;
    #    listen       [::]:80 default_server;
    #    server_name  _;
    #    root         /usr/share/nginx/html;

    #    # Load configuration files for the default server block.
    #    include /etc/nginx/default.d/*.conf;

    #    location / {
    #    }

    #    error_page 404 /404.html;
    #    location = /404.html {
    #    }

    #    error_page 500 502 503 504 /50x.html;
    #    location = /50x.html {
    #    }
    #}

    server {
        listen       443 ssl http2 default_server;
        server_name  nextcloud.vamemic.com;

        ssl_certificate "/etc/nginx/server.crt";
        ssl_certificate_key "/etc/nginx/server.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        keepalive_timeout 300;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            proxy_pass http://127.0.0.1:8080/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
        }

        error_page 404 /404.html;
        location = /404.html {
        }
    }

    server {
    # httpをhttpsにリダイレクト
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
    }

#server {

# listen 80 default_server;

# listen [::]:80 default_server;

# server_name _;

# root /usr/share/nginx/html;

# # Load configuration files for the default server block.

# include /etc/nginx/default.d/*.conf;

# location / {

# }

# error_page 404 /404.html;

# location = /404.html {

# }

# error_page 500 502 503 504 /50x.html;

# location = /50x.html {

# }

server {

listen 443 ssl http2 default_server;

server_name nextcloud.vamemic.com;

ssl_certificate "/etc/nginx/server.crt";

ssl_certificate_key "/etc/nginx/server.key";

ssl_session_cache shared:SSL:1m;

ssl_session_timeout 10m;

ssl_ciphers HIGH:!aNULL:!MD5;

ssl_prefer_server_ciphers on;

keepalive_timeout 300;

# Load configuration files for the default server block.

include /etc/nginx/default.d/*.conf;

location / {

proxy_pass http://127.0.0.1:8080/;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_set_header X-Forwarded-Port $server_port;

}

error_page 404 /404.html;

location = /404.html {

}

server {

# httpをhttpsにリダイレクト

listen 80;

server_name _;

return 301 https://$host$request_uri;

}

hostsに追記(ローカル)

192.168.11.221       nextcloud.vamdemic.com

1	192.168.11.221 nextcloud.vamdemic.com

複数サーバへのServerNameでの振り分け

Mattermost（チャットアプリ）を起動

docker run --name mattermost-preview -d --publish 8065:8065 mattermost/mattermost-preview

1	docker run --name mattermost-preview -d --publish 8065:8065 mattermost/mattermost-preview

nginx.confの修正

    # NextCloud 443
    server {
        listen       443 ssl http2;
        server_name  nextcloud.vamdemic.com;

        ssl_certificate "/etc/nginx/server.crt";
        ssl_certificate_key "/etc/nginx/server.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        keepalive_timeout 300;

        location / {
            proxy_pass http://127.0.0.1:8080/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
        }
    }

    # mattermost443
    server {
        listen       443 ssl http2;
        server_name  mattermost.vamdemic.com;

        ssl_certificate "/etc/nginx/server.crt";
        ssl_certificate_key "/etc/nginx/server.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        keepalive_timeout 300;

        location / {
            proxy_pass http://127.0.0.1:8065;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
        }
    }

# NextCloud 443

server {

listen 443 ssl http2;

server_name nextcloud.vamdemic.com;

ssl_certificate "/etc/nginx/server.crt";

ssl_certificate_key "/etc/nginx/server.key";

ssl_session_cache shared:SSL:1m;

ssl_session_timeout 10m;

ssl_ciphers HIGH:!aNULL:!MD5;

ssl_prefer_server_ciphers on;

keepalive_timeout 300;

location / {

proxy_pass http://127.0.0.1:8080/;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_set_header X-Forwarded-Port $server_port;

}

# mattermost443

server {

listen 443 ssl http2;

server_name mattermost.vamdemic.com;

ssl_certificate "/etc/nginx/server.crt";

ssl_certificate_key "/etc/nginx/server.key";

ssl_session_cache shared:SSL:1m;

ssl_session_timeout 10m;

ssl_ciphers HIGH:!aNULL:!MD5;

ssl_prefer_server_ciphers on;

keepalive_timeout 300;

location / {

proxy_pass http://127.0.0.1:8065;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_set_header X-Forwarded-Port $server_port;

}

設定反映

systemctl restart nginx

1	systemctl restart nginx

hostsに追記(ローカル)

127.0.0.1       mattermost.vamdemic.com

1	127.0.0.1 mattermost.vamdemic.com

ロードバランサー(負荷分散)

nginxを2台起動

1台目

mkdir nginx-1
echo 1 > nginx-1/index.html
docker run --name nginx-1  -v /root/nginx-1/:/usr/share/nginx/html:ro -d -p 8081:80 nginx

mkdir nginx-1

echo 1 > nginx-1/index.html

docker run --name nginx-1 -v /root/nginx-1/:/usr/share/nginx/html:ro -d -p 8081:80 nginx

2台目

mkdir nginx-2
echo 2 > nginx-2/index.html
docker run --name nginx-2  -v /root/nginx-2/:/usr/share/nginx/html:ro -d -p 8082:80 nginx

mkdir nginx-2

echo 2 > nginx-2/index.html

docker run --name nginx-2 -v /root/nginx-2/:/usr/share/nginx/html:ro -d -p 8082:80 nginx

nginx.confへ追記

    # 負荷分散
    upstream loadbalancer {
        server localhost:8081;
        server localhost:8082;
    }

    # nginx-lb
    server {
        listen       443 ssl http2;
        server_name  nginx-lb.vamdemic.com;

        ssl_certificate "/etc/nginx/server.crt";
        ssl_certificate_key "/etc/nginx/server.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        keepalive_timeout 300;

        location / {
            proxy_pass http://loadbalancer;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
        }
    }

# 負荷分散

upstream loadbalancer {

server localhost:8081;

server localhost:8082;

}

# nginx-lb

server {

listen 443 ssl http2;

server_name nginx-lb.vamdemic.com;

ssl_certificate "/etc/nginx/server.crt";

ssl_certificate_key "/etc/nginx/server.key";

ssl_session_cache shared:SSL:1m;

ssl_session_timeout 10m;

ssl_ciphers HIGH:!aNULL:!MD5;

ssl_prefer_server_ciphers on;

keepalive_timeout 300;

location / {

proxy_pass http://loadbalancer;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_set_header X-Forwarded-Port $server_port;

}

hostsに追記(ローカル)

127.0.0.1       nginx-lb.vamdemic.com

1	127.0.0.1 nginx-lb.vamdemic.com

動作確認

ブラウザでアクセス or curl https://nginx-lb.vamdemic.com/ --insecure -H "User-Agent: hoge"

TCPロードバランサー

Postgresqlを動作させる

docker run --name postgres -p 15432:5432 -e POSTGRES_PASSWORD=password -d postgres

1	docker run --name postgres -p 15432:5432 -e POSTGRES_PASSWORD=password -d postgres

Nginx設定

stream {
    error_log /var/log/nginx/stream.log info;

    upstream postgres {
       server localhost:15432;
    }

    server {
        listen 5432;
        proxy_pass postgres;
    }
}

stream {

error_log /var/log/nginx/stream.log info;

upstream postgres {

server localhost:15432;

}

server {

listen 5432;

proxy_pass postgres;

}

firewall

firewall-cmd --add-service=postgresql --permanent
firewall-cmd --reload

1 2	firewall-cmd --add-service=postgresql --permanent firewall-cmd --reload

動作確認

https://tableplus.com/

php-fpm連携

php7.4用リポジトリ登録

rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm

1	rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm

phpインストール(php7.4)

php-fpmも一緒にインストール

yum --enablerepo=remi-php74 -y install php php-devel php-mbstring php-gd php-pdo php-pgsql php-mysqlnd php-mcrypt php-xml php-bcmath php-tokenizer php-zip php-pecl-xdebug php-fpm

1	yum --enablerepo=remi-php74 -y install php php-devel php-mbstring php-gd php-pdo php-pgsql php-mysqlnd php-mcrypt php-xml php-bcmath php-tokenizer php-zip php-pecl-xdebug php-fpm

設定変更

デフォルト設定がApache向けのようなので変更

高速化のためWebソケットで動作させる

[root@localhost ~]# diff /etc/php-fpm.d/www.conf /etc/php-fpm.d/www.conf_bk
12,13c12
< ;listen = 127.0.0.1:9000
< listen = /var/run/php-fpm/php-fpm.sock
---
> listen = 127.0.0.1:9000
35,36d33
< listen.owner = nginx
< listen.group = nginx
42c39
< user = nginx
---
> user = apache
44c41
< group = nginx
---
> group = apache

[root@localhost ~]# diff /etc/php-fpm.d/www.conf /etc/php-fpm.d/www.conf_bk

12,13c12

< ;listen = 127.0.0.1:9000

< listen = /var/run/php-fpm/php-fpm.sock

---

> listen = 127.0.0.1:9000

35,36d33

< listen.owner = nginx

< listen.group = nginx

42c39

< user = nginx

---

> user = apache

44c41

< group = nginx

---

> group = apache

phpinfo作成

echo "<?php phpinfo(); ?>" > /var/www/html/index.php

1	echo "<?php phpinfo(); ?>" > /var/www/html/index.php

php-fpm再起動

systemctl restart php-fpm

1	systemctl restart php-fpm

nginx設定変更

    server {
        listen       443 ssl http2;
        server_name  php.vamdemic.com;
        root   /var/www/html;

        location / {
            index index.php index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }

        location ~ \.php$ {
            fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
    }

server {

listen 443 ssl http2;

server_name php.vamdemic.com;

root /var/www/html;

location / {

index index.php index.html index.htm;

}

error_page 500 502 503 504 /50x.html;

location = /50x.html {

root /usr/share/nginx/html;

}

location ~ \.php$ {

fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

include fastcgi_params;

}

nginx再起動

systemctl restart nginx

1	systemctl restart nginx

hostsに追記(ローカル)

127.0.0.1       php.vamdemic.com

1	127.0.0.1 php.vamdemic.com

動作確認

https://php.vamdemic.com/へアクセス

付録

動作している仮想マシンのovaファイルです。うまくいかない場合、こちらをインポートしていただき設定値をご確認いただければと思います！

https://vamdemic.sharepoint.com/:f:/s/vamdemicsystem/Ev8PMm4hm51Arfximf9punkBKIoGya9blqdZMmC2KbWc-w?e=yblewM
pass: nginx

Nginx

準備

rootに昇格

便利ツールインストール

SELinux停止

反映

Nginxインストール

EPELリポジトリ登録

Nginxインストール

起動

ファイアウォール

動作確認

証明書

自己証明書作成

HTTPSをListenする設定

コンフィグテスト

起動

ファイアウォール

動作確認

Webアプリへのリバースプロキシ(NextCloud)

インストール

nextcloud

nextcloudコンテナの動作確認

proxy_passを設定

全体

hostsに追記(ローカル)

複数サーバへのServerNameでの振り分け

Mattermost（チャットアプリ）を起動

nginx.confの修正

設定反映

hostsに追記(ローカル)

ロードバランサー(負荷分散)

nginxを2台起動

1台目

2台目

nginx.confへ追記

hostsに追記(ローカル)

動作確認

TCPロードバランサー

Postgresqlを動作させる

Nginx設定

firewall

動作確認

php-fpm連携

php7.4用リポジトリ登録

phpインストール(php7.4)

設定変更

phpinfo作成

php-fpm再起動

nginx設定変更

nginx再起動

hostsに追記(ローカル)

動作確認

付録

参考サイト