AmazonLinux에 최신 버전의 Nginx(mainline) 설치

10288 단어 nginxAmazonLinux

목적


  • AmazonLinux에 최신 버전의 Nginx(mainline) 설치
  • 서버 인증서를 서버에 설치
  • Basic 인증 넣기
  • 80 => 443 리디렉션 설정
  • 로그에 암호화 프로토콜 넣기
  • 고속화 대응


    • 설정


  • nginx에 대한 저장소 만들기

    • /etc/yum.repos.d/nginx.repo
    [nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/6/$basearch/
gpgcheck=1
enabled=1
gpgkey=http://nginx.org/keys/nginx_signing.key

[nginx-source]
name=nginx source
baseurl=http://nginx.org/packages/mainline/centos/6/SRPMS/
gpgcheck=1
enabled=0
gpgkey=http://nginx.org/keys/nginx_signing.key
  • install 
    •  # yum --disablerepo=amzn-main --disablerepo=amzn-updates install nginx
 (snip)
 Installed:
  nginx.x86_64 0:1.13.5-1.el6.ngx

Complete!
  • 자동 업데이트 
    • # yum install yum-cron
(snip)
Installed:
  yum-cron.noarch 0:3.4.3-150.70.amzn1

Dependency Installed:
  yum-cron-daily.noarch 0:3.4.3-150.70.amzn1

Complete!

# cp --backup=number -f /etc/yum/yum-cron.conf /etc/yum/yum-cron.conf

    /etc/yum/yum-cron.conf
    # diff yum-cron.conf yum-cron.conf.~1~
20c20
< apply_updates = yes
---
> apply_updates = no
  • 작업자 프로세스 및 자동 업데이트 설정

    • /etc/nginx/nginx.conf
    # cp --backup=number -f /etc/nginx/nginx.conf /etc/nginx/nginx.conf
# diff nginx.conf nginx.conf.~1~
3c3
< worker_processes  auto;
---
> worker_processes  1;
32,33d31
<
<     server_tokens off;
  • Basic 인증 
    • # yum install httpd-tools
# htpasswd -c -m /etc/nginx/.htpasswd <username>
New password:
Re-type new password:
Adding password for user <username>

    /etc/nginx/conf.d/default.conf
    server {
    listen       80;
    server_name  <xxxx>.com;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        auth_basic  "enter password";
        auth_basic_user_file  /etc/nginx/.htpasswd;
    }
(snip)

    확인


  • https 대응
  • 비밀 키 
    • $ sudo make <xxxx>-server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > <xxxx>-server.key
Generating RSA private key, 2048 bit long modulus
..............................................................................+++
................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
  • 비밀번호를 해제하려면 
    • # openssl rsa -in <xxxx>-server.key -out <xxxx>-server.nopass.key
# chmod 400 <xxxx>-server.nopass.key
  • CSR 
    • $ sudo make <xxxx>-server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key <xxxx>-server.key -out <xxxx>-server.csr
Enter pass phrase for <xxxx>-server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:<xxxx>-ku
Organization Name (eg, company) [Default Company Ltd]:<xxxx> Co., Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:<secondlevel-domain>.com
Email Address []:<xxxx>@<xxxx>.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

  • 인증서 설정
  • CA에서 발급한 인증서를 다음 순서로 연결
  • 서버 인증서
  • 중간 인증서
  • 크로스 루트 인증서





    • /etc/nginx/conf.d/default.conf
    server {
    listen       443 ssl;
    server_name  <xxxx>.com;

    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/pki/tls/certs/<xxxx>-server.crt;
    ssl_certificate_key /etc/pki/tls/certs/<xxxx>-server.nopass.key;
    root /usr/share/nginx/html;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        auth_basic  "enter password";
        auth_basic_user_file  /etc/nginx/.htpasswd;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
(snip)
  • 80 => 443 리디렉션
  • HSTC (HTTP Strict Transport Security) 헤더를 추가하고 모든 연결이 HTTPS가되도록합니다 (처음부터 HTTPS를 사용하여 게시하는 사이트에는 필요하지 않음).

    • server {
    listen 80;
    return 301 https://$host$request_uri; #redirect
}

server {
    listen       443 ssl;
    add_header   Strict-Trancport-Security max-age=15768000; #HTTP Strict Transport Security
    server_name  <xxxx>.com;

    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/pki/tls/certs/<xxxx>-server.crt;
    ssl_certificate_key /etc/pki/tls/certs/<xxxx>-server.nopass.key;
    root /usr/share/nginx/html;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        #auth_basic  "enter password";
        #auth_basic_user_file  /etc/nginx/.htpasswd;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
(snip)
  • 로그에 암호화 프로토콜이 들어가도록 설정
  • $ssl_protocol
  • $ssl_cipher


    • /etc/nginx/nginx.conf
    (snip)
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  https  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"'
                      '"$ssl_protocol/$ssl_cipher"';

    access_log  /var/log/nginx/access.log  https;

(snip)
}
  • 확인

  • HTTPS 가속화
  • 세션 ID를 사용하여 세션을 다시 시작합니다.

    • server {
    listen 80;
    return 301 https://$host$request_uri; #redirect
}

server {
    listen       443 ssl;
    add_header   Strict-Trancport-Security max-age=15768000; #HTTP Strict Transport Security
    server_name  <xxxx>.com;

    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/pki/tls/certs/<xxxx>-server.crt;
    ssl_certificate_key /etc/pki/tls/certs/<xxxx>-server.nopass.key;
    root /usr/share/nginx/html;
    ssl_session_timeout 1d; #1day
    ssl_session_cache shared:SSL:50m; #1m=4000session

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        #auth_basic  "enter password";
        #auth_basic_user_file  /etc/nginx/.htpasswd;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

  • 측정
  • Befor

  • After
  • ReadTime => 1/2



    • Amazon Linux에 연결된 EBS 루트 볼륨 크기를 온라인으로 확장합니다.
    Amazon Linux 2를 VirtualBox에서 온프레미스 개발 환경에 사용

    좋은 웹페이지 즐겨찾기

    개발자 우수 사이트 수집

    개발자가 알아야 할 필수 사이트 100선 추천 우리는 당신을 위해 100개의 자주 사용하는 개발자 학습 사이트를 정리했습니다
    best100-homepage