Nginx
In this chapter we install Nginx and build a reverse proxy with it.
We work through the following common patterns:
- SSL certificate setup
- Reverse proxy to a web application
- Routing to several backends by server name
- Load balancing across identical servers
- TCP load balancer
- PHP-FPM integration
Preparation
Become root
sudo su -
Install handy tools
yum -y install vim bash-completion net-tools bind-utils
Stop SELinux
vi /etc/selinux/config
SELINUX=disabled
Apply
reboot
Disabling SELinux is a lab shortcut. On a host you intend to keep, leave it enforcing and instead allow nginx (which runs in the httpd_t domain) to open outbound connections to the backends it proxies to, with setsebool -P httpd_can_network_connect on.
Install Nginx
Register the EPEL repository
yum -y install epel-release
Install Nginx
yum --enablerepo=epel -y install nginx
Start
systemctl start nginx
systemctl enable nginx
Firewall
firewall-cmd --add-service=http --permanent
firewall-cmd --reload
Verify
Open http://192.168.11.231/ in a browser.
Certificates
Create a self-signed certificate
openssl genrsa 2048 > server.key && openssl req -new -key server.key -subj "/C=JP/ST=Tokyo" -out server.csr && openssl x509 -days 3650 -req -signkey server.key -in server.csr -out server.crt
This subject has no CN and the certificate carries no subjectAltName, so browsers will report a hostname mismatch on top of the untrusted issuer. That is acceptable for a lab, not for anything other people reach.
mv server.* /etc/nginx/
Keep the private key readable by root only (chmod 600 /etc/nginx/server.key): the nginx master process loads it before the workers drop to the nginx user, so nothing else needs to read it.
Configure HTTPS listening
- /etc/nginx/nginx.conf
    server {
        listen       443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;
        ssl_certificate "/etc/nginx/server.crt";
        ssl_certificate_key "/etc/nginx/server.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location / {
        }
        error_page 404 /404.html;
        location = /404.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
This block leaves ssl_protocols at nginx's built-in default, which on this release still includes TLS 1.0 and 1.1; a hardened vhost sets ssl_protocols TLSv1.2 TLSv1.3; explicitly.
Config test
nginx -t
Restart
systemctl restart nginx
Firewall
firewall-cmd --add-service=https --permanent
firewall-cmd --reload
Verify
Open https://192.168.11.231/ in a browser (expect a certificate warning, since the certificate is self-signed).
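As an added example, not code from the original page, here is a version of the certificate step that gives the certificate a CN and a subjectAltName for every vhost name used later in this chapter, and checks the result before it is copied to /etc/nginx. The hostnames are the page's own; the output directory /tmp/nginx-lab-certs and the use of an OpenSSL config file (instead of -addext, which the OpenSSL 1.0.2 on CentOS 7 lacks) are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: build a self-signed
# certificate that carries a CN and a subjectAltName for every vhost name
# used in this chapter, then check the result before copying it to
# /etc/nginx. The output directory is an assumption for the demo.
set -eu

# make_selfsigned_cert OUTDIR CN HOST... : writes OUTDIR/server.key and
# OUTDIR/server.crt with a DNS SAN entry for each HOST. Uses a -config file
# rather than -addext so it also runs on the OpenSSL 1.0.2 CentOS 7 ships.
make_selfsigned_cert() {
    outdir=$1; cn=$2; shift 2
    san=""
    for h in "$@"; do
        san="${san:+$san,}DNS:$h"
    done
    mkdir -p "$outdir"
    cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
C = JP
ST = Tokyo
CN = $cn
[v3_server]
subjectAltName = $san
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # one invocation: new unencrypted 2048-bit RSA key plus a self-signed
    # certificate, instead of the genrsa / req / x509 three-step on the page
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$outdir/openssl.cnf" \
        -keyout "$outdir/server.key" -out "$outdir/server.crt"
    # the nginx master reads the key as root; nobody else needs it
    chmod 600 "$outdir/server.key"
}

# cert_has_san CRT HOST : exit 0 if HOST is one of the certificate's DNS SANs
cert_has_san() {
    pat=$(printf '%s\n' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text | grep -qE 'DNS:'"$pat"'(,|$)'
}

# key_matches_cert KEY CRT : exit 0 if the key's public half is the one in CRT
# (catches a key/cert mix-up before nginx -t does)
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

CERT_DIR=${CERT_DIR:-/tmp/nginx-lab-certs}   # assumption; the page uses /etc/nginx
VHOSTS="nextcloud.vamdemic.com mattermost.vamdemic.com nginx-lb.vamdemic.com php.vamdemic.com"

# $VHOSTS is deliberately unquoted so each name becomes its own argument
make_selfsigned_cert "$CERT_DIR" nextcloud.vamdemic.com $VHOSTS
for h in $VHOSTS; do
    cert_has_san "$CERT_DIR/server.crt" "$h"
done
key_matches_cert "$CERT_DIR/server.key" "$CERT_DIR/server.crt"
openssl x509 -in "$CERT_DIR/server.crt" -noout -subject -dates
openssl x509 -in "$CERT_DIR/server.crt" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}'
echo "ok: $CERT_DIR/server.crt covers: $VHOSTS"
```

Because one certificate lists every vhost name, the later server blocks can keep pointing at the same server.crt/server.key pair; copy both into /etc/nginx as the page does.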
Reverse proxy to a web application (NextCloud)
Install
yum -y install docker
docker ps
systemctl enable docker
systemctl start docker
nextcloud
docker run --name nextcloud -d -p 8080:80 nextcloud
Because nginx on this host is the only intended client, publish the container on loopback only (-p 127.0.0.1:8080:80). Docker implements published ports with its own iptables rules, which the firewalld service rules above do not govern, so 0.0.0.0:8080 is otherwise reachable from the LAN over plain HTTP, bypassing the TLS front end.
Check the nextcloud container
curl -i http://localhost:8080
Configure proxy_pass
- /etc/nginx/nginx.conf
Full server section
   #server {
    #    listen       80 default_server;
    #    listen       [::]:80 default_server;
    #    server_name  _;
    #    root         /usr/share/nginx/html;
    #    # Load configuration files for the default server block.
    #    include /etc/nginx/default.d/*.conf;
    #    location / {
    #    }
    #    error_page 404 /404.html;
    #    location = /404.html {
    #    }
    #    error_page 500 502 503 504 /50x.html;
    #    location = /50x.html {
    #    }
    #}
    server {
        listen       443 ssl http2 default_server;
        server_name  nextcloud.vamdemic.com;
        ssl_certificate "/etc/nginx/server.crt";
        ssl_certificate_key "/etc/nginx/server.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        keepalive_timeout 300;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location / {
            proxy_pass http://127.0.0.1:8080/;
            # pass the original host and client address to the backend;
            # $proxy_add_x_forwarded_for appends $remote_addr to any incoming
            # X-Forwarded-For, so the backend must only trust the last hop
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
        }
        error_page 404 /404.html;
        location = /404.html {
        }
    }
    server {
        # redirect http to https
        listen 80;
        server_name _;
        return 301 https://$host$request_uri;
    }
Nextcloud also needs to know it sits behind a TLS-terminating proxy: set overwriteprotocol to https and list the proxy's address in trusted_proxies in its config.php, so that it generates https:// links and logs the real client address rather than the proxy's.
Add to hosts (on the machine you browse from)
192.168.11.221       nextcloud.vamdemic.com
Routing to several backends by server name
Start Mattermost (chat application)
docker run --name mattermost-preview -d --publish 8065:8065 mattermost/mattermost-preview
As with NextCloud, --publish 127.0.0.1:8065:8065 keeps the unencrypted container port off the LAN.
Edit nginx.conf
    # NextCloud 443
    server {
        listen       443 ssl http2;
        server_name  nextcloud.vamdemic.com;
        ssl_certificate "/etc/nginx/server.crt";
        ssl_certificate_key "/etc/nginx/server.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        keepalive_timeout 300;
        location / {
            proxy_pass http://127.0.0.1:8080/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
        }
    }
    # mattermost443
    server {
        listen       443 ssl http2;
        server_name  mattermost.vamdemic.com;
        ssl_certificate "/etc/nginx/server.crt";
        ssl_certificate_key "/etc/nginx/server.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        keepalive_timeout 300;
        location / {
            proxy_pass http://127.0.0.1:8065;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
            # Mattermost keeps a WebSocket open to the browser; without these
            # three lines nginx talks HTTP/1.0 to the backend and drops the
            # Upgrade, so the page loads but live updates fail
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
With two ssl servers on port 443 and no default_server, nginx serves the first one listed (NextCloud here) to clients that send an unknown name or no SNI at all.
Apply the settings
systemctl restart nginx
Add to hosts (on the machine you browse from)
127.0.0.1       mattermost.vamdemic.com
Load balancer (load distribution)
Start two nginx containers
First
mkdir nginx-1
echo 1 > nginx-1/index.html
docker run --name nginx-1  -v /root/nginx-1/:/usr/share/nginx/html:ro -d -p 8081:80 nginx
Second
mkdir nginx-2
echo 2 > nginx-2/index.html
docker run --name nginx-2  -v /root/nginx-2/:/usr/share/nginx/html:ro -d -p 8082:80 nginx
Add to nginx.conf
    # 負荷分散
    upstream loadbalancer {
        server localhost:8081;
        server localhost:8082;
    }
    # nginx-lb
    server {
        listen       443 ssl http2;
        server_name  nginx-lb.vamdemic.com;
        ssl_certificate "/etc/nginx/server.crt";
        ssl_certificate_key "/etc/nginx/server.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        keepalive_timeout 300;
        location / {
            proxy_pass http://loadbalancer;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
        }
    }
Add to hosts (on the machine you browse from)
127.0.0.1       nginx-lb.vamdemic.com
Verify
- Open it in a browser, or run curl https://nginx-lb.vamdemic.com/ --insecure -H "User-Agent: hoge" a few times; with the default round-robin the body alternates between 1 and 2.
TCP load balancer
Run PostgreSQL
docker run --name postgres -p 15432:5432 -e POSTGRES_PASSWORD=password -d postgres
Nginx configuration
stream {
    error_log /var/log/nginx/stream.log info;
    upstream postgres {
       server localhost:15432;
    }
    server {
        listen 5432;
        proxy_pass postgres;
    }
}
The stream block is a top-level context: put it beside http { ... } in /etc/nginx/nginx.conf, not inside it. If nginx -t reports unknown directive "stream", the module is not loaded; on EPEL it ships separately as nginx-mod-stream, and the stock nginx.conf picks it up through include /usr/share/nginx/modules/*.conf.
Firewall
firewall-cmd --add-service=postgresql --permanent
firewall-cmd --reload
Verify
Connect through the proxy port from another machine, e.g. psql -h 192.168.11.231 -p 5432 -U postgres, using the POSTGRES_PASSWORD from the docker run above. This is a plain TCP passthrough: nginx adds no authentication or TLS of its own, so once port 5432 is open on the LAN the container's password and pg_hba.conf are the only access control.
PHP-FPM integration
Register the repository for PHP 7.4
rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
The release package is fetched over plain http; check its signature with rpm -K against Remi's imported GPG key before installing rather than trusting whatever the download returned.
Install PHP (7.4)
- php-fpm is installed together with it
yum --enablerepo=remi-php74 -y install php php-devel php-mbstring php-gd php-pdo php-pgsql php-mysqlnd php-mcrypt php-xml php-bcmath php-tokenizer php-zip php-pecl-xdebug php-fpm
php-pecl-xdebug is a development tool; leave it out on any server other users can reach.
Change the settings
- The defaults are aimed at Apache, so change them
- Run it over a UNIX domain socket instead of TCP on loopback for speed (a local socket file, not a WebSocket)
[root@localhost ~]# diff /etc/php-fpm.d/www.conf /etc/php-fpm.d/www.conf_bk
12,13c12
< ;listen = 127.0.0.1:9000
< listen = /var/run/php-fpm/php-fpm.sock
---
> listen = 127.0.0.1:9000
35,36d33
< listen.owner = nginx
< listen.group = nginx
42c39
< user = nginx
---
> user = apache
44c41
< group = nginx
---
> group = apache
(www.conf is the edited file and www.conf_bk the untouched copy, so the < lines are the new values.)
Create phpinfo
echo "<?php phpinfo(); ?>" > /var/www/html/index.php
Delete this file once the check is done: phpinfo() discloses paths, loaded modules and environment variables to anyone who can reach the vhost.
Restart php-fpm
systemctl restart php-fpm
Change the nginx settings
    server {
        listen       443 ssl http2;
        server_name  php.vamdemic.com;
        # listen ... ssl requires a certificate in this server
        # (or in the enclosing http block), like the other vhosts
        ssl_certificate "/etc/nginx/server.crt";
        ssl_certificate_key "/etc/nginx/server.key";
        root   /var/www/html;
        location / {
            index index.php index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
        location ~ \.php$ {
            # only hand real files to php-fpm: with PHP's default
            # cgi.fix_pathinfo=1, a request for /uploads/x.jpg/foo.php would
            # otherwise execute x.jpg as PHP
            try_files $uri =404;
            fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
    }
Restart nginx
systemctl restart nginx
Add to hosts (on the machine you browse from)
127.0.0.1       php.vamdemic.com
Verify
Open https://php.vamdemic.com/; the phpinfo() page should appear.
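An added example, not from the page, that checks the www.conf changes above plus the two things I would verify before exposing this vhost: the socket mode and PHP's cgi.fix_pathinfo, which decides whether try_files $uri =404 in the nginx php location is merely good practice or essential. The two sample files are constructed for the demo and the working directory is an assumption; point the functions at /etc/php-fpm.d/www.conf and /etc/php.ini on a real host.

```shell
#!/bin/sh
# Added example, not code from the original page: audit a php-fpm pool file
# and php.ini for the settings this section changes, plus two checks that
# matter when PHP runs behind nginx (socket permissions and cgi.fix_pathinfo).
# The sample files are constructed for the demo; paths are assumptions.
set -eu

# ini_get FILE KEY : print the value of the last uncommented "KEY = value" line
# (php-fpm pool files and php.ini share this syntax; ';' starts a comment)
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_fpm_pool POOL_CONF PHP_INI : exit 0 when every check passes, 1 otherwise,
# printing one line per failed check
audit_fpm_pool() {
    pool=$1; ini=$2; rc=0
    case "$(ini_get "$pool" listen)" in
        /*) ;;   # unix socket path, as in the diff above
        *)  echo "listen is not a unix socket"; rc=1 ;;
    esac
    # the socket must belong to the user the nginx workers run as, and the
    # pool itself should not run as apache on a box that has no Apache
    for k in user group listen.owner listen.group; do
        [ "$(ini_get "$pool" "$k")" = nginx ] || { echo "$k is not nginx"; rc=1; }
    done
    # unset (php-fpm defaults to 0660) or tighter; 0666 would let any local
    # user submit requests to php-fpm directly
    case "$(ini_get "$pool" listen.mode)" in
        ""|0600|0660) ;;
        *)  echo "listen.mode is wider than 0660"; rc=1 ;;
    esac
    # with cgi.fix_pathinfo=1 (PHP's default) a location ~ \.php$ block that
    # lacks try_files $uri =404 will execute uploads named like x.jpg/x.php
    [ "$(ini_get "$ini" cgi.fix_pathinfo)" = 0 ] ||
        { echo "cgi.fix_pathinfo is not 0: keep try_files \$uri =404 in the nginx php location"; rc=1; }
    return $rc
}

WORK=${TMPDIR:-/tmp}/fpm-audit-demo   # assumption
mkdir -p "$WORK"
cat > "$WORK/www.conf" <<'EOF'
; constructed sample reflecting the edited /etc/php-fpm.d/www.conf
[www]
user = nginx
group = nginx
;listen = 127.0.0.1:9000
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nginx
listen.group = nginx
;listen.mode = 0660
EOF
cat > "$WORK/php.ini" <<'EOF'
; constructed sample: the stock php.ini leaves fix_pathinfo enabled
cgi.fix_pathinfo=1
EOF

audit_fpm_pool "$WORK/www.conf" "$WORK/php.ini" ||
    echo "audit failed as expected: the sample php.ini still has cgi.fix_pathinfo=1"
```

The pool checks pass on the edited www.conf; the only finding is the php.ini default, which is exactly why the try_files line sits in the php location above. Setting cgi.fix_pathinfo=0 in /etc/php.ini and restarting php-fpm closes the same hole from the PHP side.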
Appendix
An .ova file of the running virtual machine. If something does not work, import it and compare its settings against your own.
https://vamdemic.sharepoint.com/:f:/s/vamdemicsystem/Ev8PMm4hm51Arfximf9punkBKIoGya9blqdZMmC2KbWc-w?e=yblewM
pass: nginx
