Installing the latest Nginx (mainline) on AmazonLinux

Tags: nginx, AmazonLinux

Purpose


  • Install the latest Nginx (mainline) on AmazonLinux
  • Install a server certificate on the server
  • Add Basic authentication
  • Set up an 80 => 443 redirect
  • Record the TLS protocol and cipher in the access log
  • Speed up HTTPS (session resumption)


  • Configuration


  • Create a yum repository definition for the nginx.org mainline packages. Amazon Linux 1 is CentOS 6 compatible, hence the centos/6 path. gpgcheck=1 makes yum verify every package against nginx's signing key, but the key itself is fetched over plain http here; nginx.org serves the same paths over https, which removes the one step an on-path attacker could tamper with.

  • /etc/yum.repos.d/nginx.repo
    [nginx]
    name=nginx repo
    baseurl=http://nginx.org/packages/mainline/centos/6/$basearch/
    gpgcheck=1
    enabled=1
    gpgkey=http://nginx.org/keys/nginx_signing.key
    
    [nginx-source]
    name=nginx source
    baseurl=http://nginx.org/packages/mainline/centos/6/SRPMS/
    gpgcheck=1
    enabled=0
    gpgkey=http://nginx.org/keys/nginx_signing.key
    
  • Install. The Amazon repositories carry their own nginx package, so they are disabled for this one command to make yum pick the nginx.org build; to keep later updates on the nginx.org package as well, add `exclude=nginx*` to the amzn-main and amzn-updates sections under /etc/yum.repos.d/.
  •  # yum --disablerepo=amzn-main --disablerepo=amzn-updates install nginx
     (snip)
     Installed:
      nginx.x86_64 0:1.13.5-1.el6.ngx
    
    Complete!
    
  • Automatic updates (yum-cron). `cp --backup=number -f FILE FILE` is the GNU coreutils special case that leaves a numbered backup FILE.~1~ before you edit in place; the same trick is used for the other config files below.
  • # yum install yum-cron
    (snip)
    Installed:
      yum-cron.noarch 0:3.4.3-150.70.amzn1
    
    Dependency Installed:
      yum-cron-daily.noarch 0:3.4.3-150.70.amzn1
    
    Complete!
    
    # cp --backup=number -f /etc/yum/yum-cron.conf /etc/yum/yum-cron.conf
    

    /etc/yum/yum-cron.conf
    # diff yum-cron.conf yum-cron.conf.~1~
    20c20
    < apply_updates = yes
    ---
    > apply_updates = no
    
    
  • Worker processes and hiding the server version (server_tokens off removes the nginx version from the Server header and from error pages)

  • /etc/nginx/nginx.conf
    # cp --backup=number -f /etc/nginx/nginx.conf /etc/nginx/nginx.conf
    # diff nginx.conf nginx.conf.~1~
    3c3
    < worker_processes  auto;
    ---
    > worker_processes  1;
    32,33d31
    <
    <     server_tokens off;
    
  • Basic authentication. `htpasswd -m` writes apr1 (Apache's MD5-based scheme) entries, which nginx's auth_basic_user_file understands alongside crypt(), {SHA} and {SSHA}; bcrypt entries from `htpasswd -B` depend on the system crypt() and are not verified on glibc systems such as Amazon Linux. apr1 is cheap to brute-force if the file leaks, so use long passwords, keep the file readable only by root and the nginx worker user (chown root:nginx, chmod 640), and only offer Basic auth over HTTPS, because the credentials travel base64-encoded, not encrypted. -c creates (and overwrites) the file; omit it when adding further users.
  • # yum install httpd-tools
    # htpasswd -c -m /etc/nginx/.htpasswd <username>
    New password:
    Re-type new password:
    Adding password for user <username>
    

    /etc/nginx/conf.d/default.conf
    server {
        listen       80;
        server_name  <xxxx>.com;
    
        #charset koi8-r;
        #access_log  /var/log/nginx/host.access.log  main;
    
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
            auth_basic  "enter password";
            auth_basic_user_file  /etc/nginx/.htpasswd;
        }
    (snip)
    

    Check


  • HTTPS support
  • Private key (run in /etc/pki/tls/certs, where the openssl package's Makefile lives; it creates an RSA 2048 key encrypted with AES-128 under umask 077)
  • $ sudo make <xxxx>-server.key
    umask 77 ; \
    /usr/bin/openssl genrsa -aes128 2048 > <xxxx>-server.key
    Generating RSA private key, 2048 bit long modulus
    ..............................................................................+++
    ................+++
    e is 65537 (0x10001)
    Enter pass phrase:
    Verifying - Enter pass phrase:
    
  • To strip the passphrase (otherwise nginx prompts for it at every start). The unencrypted key is then protected by file permissions alone: mode 400, owned by root.
  • # openssl rsa -in <xxxx>-server.key -out <xxxx>-server.nopass.key
    # chmod 400 <xxxx>-server.nopass.key
    
  • CSR. Browsers ignore the Common Name and require a subjectAltName; a public CA fills the SAN in from the names you order, but for a self-issued certificate add `subjectAltName=DNS:<xxxx>.com` yourself.
  • $ sudo make <xxxx>-server.csr
    umask 77 ; \
    /usr/bin/openssl req -utf8 -new -key <xxxx>-server.key -out <xxxx>-server.csr
    Enter pass phrase for <xxxx>-server.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:JP
    State or Province Name (full name) []:Tokyo
    Locality Name (eg, city) [Default City]:<xxxx>-ku
    Organization Name (eg, company) [Default Company Ltd]:<xxxx> Co., Ltd
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:<secondlevel-domain>.com
    Email Address []:<xxxx>@<xxxx>.com
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    

  • Certificate setup
  • Concatenate the certificates issued by the CA into one PEM file (the ssl_certificate file) in this order:
  • server certificate
  • intermediate certificate(s)
  • cross-signed root certificate, if the CA supplies one (the self-signed root itself belongs in the client's trust store, not in this file)
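As an added example (not part of the original post), the following script builds a throw-away root -> intermediate -> server chain with the openssl CLI, concatenates it in the order just described and verifies the result offline, the same three checks worth running on a real CA-issued bundle before pointing ssl_certificate at it. The CA names and www.example.com are placeholders; it assumes only the openssl binary.

```shell
#!/bin/sh
# Added example (not part of the original post): build a throw-away
# root CA -> intermediate CA -> server certificate with the openssl CLI,
# concatenate it in the order nginx expects (server first, then intermediates)
# and verify the result offline. All names are placeholders.

# Sign CSR $1 with CA cert $2 / key $3, extensions from $4, write cert $5.
issue_cert() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 1 -sha256 -extfile "$4" -out "$5" 2>/dev/null
}

# Builds the chain in a temp dir and prints OK if every check passes; non-zero otherwise.
build_and_verify_chain() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1

        # 1. Self-signed root: the trust anchor. It is NOT part of the file nginx serves.
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test Root" \
            -keyout root.key -out root.csr 2>/dev/null || exit 1
        openssl x509 -req -in root.csr -signkey root.key -days 1 -sha256 \
            -extfile ca.ext -out root.crt 2>/dev/null || exit 1

        # 2. Intermediate CA, signed by the root.
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test Intermediate" \
            -keyout int.key -out int.csr 2>/dev/null || exit 1
        issue_cert int.csr root.crt root.key ca.ext int.crt || exit 1

        # 3. Server certificate, signed by the intermediate, with the SAN browsers require.
        printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.com\n' > server.ext
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.com" \
            -keyout server.key -out server.csr 2>/dev/null || exit 1
        issue_cert server.csr int.crt int.key server.ext server.crt || exit 1

        # 4. The file for ssl_certificate: leaf first, then the intermediate(s).
        cat server.crt int.crt > server-chain.crt

        # Check a: the first certificate in the chain file is the server certificate.
        openssl x509 -in server-chain.crt -noout -subject | grep -q 'www.example.com' \
            || { echo "wrong order: first cert is not the server cert"; exit 1; }
        # Check b: the chain validates up to the root, with the intermediate as untrusted input.
        openssl verify -CAfile root.crt -untrusted int.crt server.crt >/dev/null 2>&1 \
            || { echo "chain does not verify"; exit 1; }
        # Check c: the private key really belongs to the certificate (same public key).
        [ "$(openssl x509 -in server.crt -noout -pubkey)" = "$(openssl pkey -in server.key -pubout)" ] \
            || { echo "key/cert mismatch"; exit 1; }
        echo OK
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

build_and_verify_chain
```

On a real deployment run checks a to c against the CA-issued files: `openssl x509 -in <xxxx>-server.crt -noout -subject` must show your own name first, `openssl verify -untrusted <intermediate.crt> <xxxx>-server.crt` must say OK against the system trust store, and the two -pubkey/-pubout outputs must match; a wrong order or a missing intermediate is exactly what browsers report as an untrusted certificate while openssl s_client on the box looks fine.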





  • /etc/nginx/conf.d/default.conf (ssl_protocols: TLSv1.1 is deprecated by RFC 8996, so serve TLSv1.2 only unless the access log shows clients that still need it; the key lives under certs/ here only because that is where the Makefile wrote it, /etc/pki/tls/private with mode 400 is the conventional place)
    server {
        listen       443 ssl;
        server_name  <xxxx>.com;
    
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_certificate /etc/pki/tls/certs/<xxxx>-server.crt;
        ssl_certificate_key /etc/pki/tls/certs/<xxxx>-server.nopass.key;
        root /usr/share/nginx/html;
    
        #charset koi8-r;
        #access_log  /var/log/nginx/host.access.log  main;
    
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
            auth_basic  "enter password";
            auth_basic_user_file  /etc/nginx/.htpasswd;
        }
    
        #error_page  404              /404.html;
    
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
    (snip)
    
  • 80 => 443 redirect
  • Redirect every plain-HTTP request to HTTPS with a 301 and add an HSTS (HTTP Strict Transport Security) header on the HTTPS server, so that a browser that has seen the header goes straight to HTTPS for the next max-age seconds (15768000 = about six months) even when the user types http://. The header is only honoured when received over HTTPS, and the 301 is still needed for first-time visitors, so the two belong together even on a site that has been HTTPS from the start.

  • server {
        listen 80;
        return 301 https://$host$request_uri; #redirect
    }
    
    server {
        listen       443 ssl;
        add_header   Strict-Transport-Security max-age=15768000; #HTTP Strict Transport Security
        server_name  <xxxx>.com;
    
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_certificate /etc/pki/tls/certs/<xxxx>-server.crt;
        ssl_certificate_key /etc/pki/tls/certs/<xxxx>-server.nopass.key;
        root /usr/share/nginx/html;
    
        #charset koi8-r;
        #access_log  /var/log/nginx/host.access.log  main;
    
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
            #auth_basic  "enter password";
            #auth_basic_user_file  /etc/nginx/.htpasswd;
        }
    
        #error_page  404              /404.html;
    
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
    (snip)
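As an added example (not part of the original post), here is a post-deploy check for the two server blocks above: feed it the output of `curl -sI http://<host>/` and `curl -sI https://<host>/`. The three sample responses are constructed, not captured from a real server, and the third reproduces a misspelled header name, which browsers ignore silently.

```shell
#!/bin/sh
# Added example (not part of the original post): check what the port-80 and port-443
# server blocks actually send. Input is `curl -sI` style response headers on stdin;
# the SAMPLE_* responses below are constructed (LF line endings; real curl output has
# CRLF, which tr -d '\r' strips).

# stdin: headers for an http:// URL. $1: prefix the Location header must start with.
check_redirect() {
    hdr=$(tr -d '\r')
    status=$(printf '%s\n' "$hdr" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$hdr" | awk -F': ' 'tolower($1) == "location" { print $2; exit }')
    case $status in 301|308) ;; *) echo "redirect: expected 301/308, got ${status:-none}"; return 1;; esac
    case $location in "$1"*) ;; *) echo "redirect: Location '$location' does not start with $1"; return 1;; esac
    echo "redirect: ok ($status -> $location)"
}

# stdin: headers for an https:// URL. $1: minimum acceptable max-age in seconds.
check_hsts() {
    hdr=$(tr -d '\r')
    value=$(printf '%s\n' "$hdr" | awk -F': ' 'tolower($1) == "strict-transport-security" { print $2; exit }')
    [ -n "$value" ] || { echo "hsts: header missing (a misspelled add_header name is silently ignored by browsers)"; return 1; }
    # directives are case-insensitive and ';'-separated; max-age is the only required one
    max_age=$(printf '%s' "$value" | tr 'A-Z' 'a-z' | tr ';' '\n' \
              | sed -n 's/^[[:space:]]*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$max_age" ] || { echo "hsts: max-age directive missing"; return 1; }
    [ "$max_age" -ge "$1" ] || { echo "hsts: max-age $max_age is below $1"; return 1; }
    echo "hsts: ok (max-age=$max_age)"
}

# Constructed sample responses.
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://www.example.com/index.html
Content-Type: text/html
'
SAMPLE_HTTPS_OK='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=15768000
Content-Type: text/html
'
# What the config looked like before the header name was corrected.
SAMPLE_HTTPS_TYPO='HTTP/1.1 200 OK
Server: nginx
Strict-Trancport-Security: max-age=15768000
'

printf '%s' "$SAMPLE_HTTP"       | check_redirect 'https://www.example.com/'
printf '%s' "$SAMPLE_HTTPS_OK"   | check_hsts 15768000
printf '%s' "$SAMPLE_HTTPS_TYPO" | check_hsts 15768000 || echo "(this is what the typo looks like from the outside)"
```

Against a live host: `curl -sI http://<xxxx>.com/ | check_redirect https://<xxxx>.com/` and `curl -sI https://<xxxx>.com/ | check_hsts 15768000`. Note that nginx's add_header in a server block is not inherited by a location that has its own add_header, so run the HTTPS check against every path that matters, not only /.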
    
  • Record the negotiated protocol and cipher in the access log. Both variables are empty for requests that did not use TLS, so the port-80 redirect server logs the field as "/"; the field tells you which clients would break before you drop TLSv1.1.
  • $ssl_protocol
  • $ssl_cipher


  • /etc/nginx/nginx.conf
    (snip)
    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;
    
    log_format  https  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" '
                      '"$ssl_protocol/$ssl_cipher"';
    
        access_log  /var/log/nginx/access.log  https;
    
    (snip)
    }
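As an added example (not part of the original post), the awk below summarises the "$ssl_protocol/$ssl_cipher" field that the `https` log_format appends, and lists the clients that would be cut off by tightening ssl_protocols. The five log lines are constructed samples in that format (addresses, times and user agents are made up); the parse keys on the last quoted field, so it is unaffected by the spacing before it.

```shell
#!/bin/sh
# Added example (not part of the original post): summarise the "$ssl_protocol/$ssl_cipher"
# field of nginx's `https` log_format. SAMPLE_LOG is constructed test data.

SAMPLE_LOG='203.0.113.10 - - [01/Oct/2017:10:00:01 +0900] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-" "TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256"
203.0.113.11 - - [01/Oct/2017:10:00:02 +0900] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-" "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384"
198.51.100.7 - - [01/Oct/2017:10:00:03 +0900] "GET / HTTP/1.1" 200 612 "-" "OldClient/1.0" "-" "TLSv1.1/ECDHE-RSA-AES128-SHA"
198.51.100.8 - - [01/Oct/2017:10:00:04 +0900] "GET / HTTP/1.1" 301 185 "-" "curl/7.53.1" "-" "/"
203.0.113.10 - alice [01/Oct/2017:10:00:05 +0900] "GET /admin/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "10.0.0.5" "TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256"'

# Requests per protocol, read from stdin. Splitting on '"' makes the protocol/cipher
# field $(NF-1) (the last quoted field); an empty protocol means no TLS at all,
# which is what the port-80 redirect server logs, shown here as "plain".
tls_summary() {
    awk -F'"' '{
        split($(NF-1), pc, "/")
        proto = (pc[1] == "") ? "plain" : pc[1]
        n[proto]++
    } END { for (p in n) print p, n[p] }' | sort
}

# Clients still negotiating something older than TLSv1.2, or hitting port 80 directly:
# one "addr proto cipher" line per distinct combination.
legacy_tls_clients() {
    awk -F'"' '{
        split($(NF-1), pc, "/")
        split($1, head, " ")
        proto = (pc[1] == "") ? "plain" : pc[1]
        if (proto != "TLSv1.2" && proto != "TLSv1.3")
            print head[1], proto, (pc[2] == "" ? "-" : pc[2])
    }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | tls_summary
printf '%s\n' "$SAMPLE_LOG" | legacy_tls_clients
```

On the server: `tls_summary < /var/log/nginx/access.log` before changing ssl_protocols, and `legacy_tls_clients < /var/log/nginx/access.log` to see who you would lock out. An unexpected "plain" count on the 443 log means a server block that is not doing what you think.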
    
  • Check

  • Speeding up HTTPS
  • Resume TLS sessions by session ID from a server-side cache, so returning clients skip the full handshake. shared:SSL:50m holds roughly 200,000 sessions (1 MB is about 4,000) shared across all workers, and ssl_session_timeout 1d keeps them for a day. nginx also issues session tickets by default (ssl_session_tickets), protected by a key that is random per start unless ssl_session_ticket_key is set. Check resumption with `openssl s_client -connect <xxxx>.com:443 -reconnect`, which reports Reused instead of New on the follow-up connections.

  • server {
        listen 80;
        return 301 https://$host$request_uri; #redirect
    }
    
    server {
        listen       443 ssl;
        add_header   Strict-Transport-Security max-age=15768000; #HTTP Strict Transport Security
        server_name  <xxxx>.com;
    
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_certificate /etc/pki/tls/certs/<xxxx>-server.crt;
        ssl_certificate_key /etc/pki/tls/certs/<xxxx>-server.nopass.key;
        root /usr/share/nginx/html;
        ssl_session_timeout 1d; #1day
        ssl_session_cache shared:SSL:50m; #1m=4000session
    
        #charset koi8-r;
        #access_log  /var/log/nginx/host.access.log  main;
    
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
            #auth_basic  "enter password";
            #auth_basic_user_file  /etc/nginx/.htpasswd;
        }
    
        #error_page  404              /404.html;
    
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
    

  • Measurement
  • Before (figure not reproduced)
  • After (figure not reproduced)
  • Read time => 1/2


