[CentOS] Nginx proxy https

by ·0 Comments

Nginx proxy https

 

Nginx Self-sign https : http://blog.crois.net/2019/09/23/centos7-nginx-self-signed-https/ 설정하였던 VM 을

이용하여 nginx proxy 를 테스트 합니다. 상단 nginx-proxy 에만 인증서가 있으면 되며 백단 서버 두대의 경우

별도의 인증서 및 설정이 필요 하지 않습니다.

nginx 설치및 php 설치의 경우 이전 포스트를 참고해 주세요.

Nginx-Proxy 서버에서 ssl 설정을 하고 Nginx-www1 / Nginx-www2 에서는 80 port 설정만 진행 합니다.

1.Nginx-proxy 설정

[root@test ~]# vi /etc/nginx/sites-enabled/test_com.conf
server {
    listen       80;
    server_name  www.test.com test.com;
    root   /var/www/html/test.com/public_html;
    index  index.php index.html index.htm;
    location / {
        return 301 https://test.com$request_uri;
    }
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }
}

server {
    listen       443 http2 ssl;
    server_name  www.test.com test.com;
    root   /var/www/html/test.com/public_html;
    index  index.php index.html index.htm;

    access_log /var/www/html/test.com/logs/access.log;
    error_log  /var/www/html/test.com/logs/error.log warn;


    ssl_certificate /etc/ssl/certs/nginx-selfsign.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsign.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2;
    ssl_ecdh_curve secp384r1;
    #ssl_ciphers  ECDH+AESGCM:!AES128:!RSA+AES:!aNULL:!MD5:!DSS:!DHE:!kEDH:HIGH:!eNULL:!EXPORT:!DES:!RC4:!PSK:!AECDH:!LOW:!SRP:!ADH:!RSA:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:!COMPLEMENTOFDEFAULT;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
#    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;


    fastcgi_buffering               on;
    fastcgi_buffer_size             16k;
    fastcgi_buffers                 16 16k;

    # time-out settings
    fastcgi_connect_timeout         600s;
    fastcgi_send_timeout            600s;
    fastcgi_read_timeout            600s;

    # php performance settings
    sendfile                        on;
    tcp_nopush                      off;
    keepalive_requests              0;


    location / {
        rewrite ^/(/.*)$ $1 break;
        proxy_pass http://test.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_redirect off;
        try_files $uri $uri/ /index.php?$query_string;
    }
}
upstream test.com {
    server 10.10.10.93:80;
    server 10.10.10.94:80;
}
[root@test ~]# systemctl restart nginx

 

 

2. server 설정

[root@www1 ~]# vi /etc/nginx/sites-enabled/test_com.conf
server {
    listen       80;
    server_name  www.test.com test.com;
    root   /var/www/html/test.com/public_html;
    index  index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        autoindex on;
    }

    access_log  /var/www/html/test.com/logs/access.log;
    error_log  /var/www/html/test.com/logs/error.log warn;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

[root@www1 ~]# systemctl restart nginx ; systemctl restart php-fpm

 

 

3. web-site 확인

 

4. server log 확인

tail -f access.log 를 확인 합니다.

댓글 남기기