Nginx proxy https
Nginx Self-sign https ( http://blog.crois.net/2019/09/23/centos7-nginx-self-signed-https/ ) 를 설정하였던 VM 을
이용하여 nginx proxy 를 테스트합니다. 상단 nginx-proxy 에만 인증서가 있으면 되며 백단 서버 두 대의 경우
별도의 인증서 및 설정이 필요하지 않습니다. 단, 프록시와 백단 서버 사이 구간은 암호화되지 않은 HTTP 로 통신하므로 신뢰할 수 있는 내부망에서만 이 구성을 사용해야 합니다.
nginx 설치 및 php 설치의 경우 이전 포스트를 참고해 주세요.
Nginx-Proxy 서버에서 ssl 설정을 하고 Nginx-www1 / Nginx-www2 에서는 80 port 설정만 진행 합니다.
1.Nginx-proxy 설정
[root@test ~]# vi /etc/nginx/sites-enabled/test_com.conf
# Reverse-proxy vhost for test.com: port 80 redirects to HTTPS, port 443
# terminates TLS and forwards requests to the "test.com" upstream defined
# at the bottom of this file (two backends reached over plain HTTP).

# Plain-HTTP listener: every request is answered with a 301 to https://test.com.
server {
    listen 80;
    server_name www.test.com test.com;
    root /var/www/html/test.com/public_html;
    index index.php index.html index.htm;

    location / {
        return 301 https://test.com$request_uri;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

# TLS-terminating listener that proxies to the upstream group.
server {
    listen 443 http2 ssl;
    server_name www.test.com test.com;
    root /var/www/html/test.com/public_html;
    index index.php index.html index.htm;

    access_log /var/www/html/test.com/logs/access.log;
    error_log /var/www/html/test.com/logs/error.log warn;

    # Self-signed certificate pair from the earlier post; clients will get a
    # trust warning unless they have imported this certificate.
    # NOTE(review): confirm the private key file is readable by root only.
    ssl_certificate /etc/ssl/certs/nginx-selfsign.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsign.key;
    # DH parameters used by the EDH suites enabled in ssl_ciphers below.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Only TLS 1.2 is offered; TLS 1.3 is not enabled in this file.
    ssl_protocols TLSv1.2;
    ssl_ecdh_curve secp384r1;
    #ssl_ciphers ECDH+AESGCM:!AES128:!RSA+AES:!aNULL:!MD5:!DSS:!DHE:!kEDH:HIGH:!eNULL:!EXPORT:!DES:!RC4:!PSK:!AECDH:!LOW:!SRP:!ADH:!RSA:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:!COMPLEMENTOFDEFAULT;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    ssl_prefer_server_ciphers on;

    # HSTS for one year, including subdomains. Browsers ignore HSTS received
    # over a connection with certificate errors, so with the self-signed
    # certificate it only takes effect for clients that trust it. Once a
    # trusted certificate is deployed, every subdomain must serve HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    # add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    # NOTE(review): a self-signed certificate has no issuer or OCSP responder,
    # so stapling is expected to be ignored here (check the error log for a
    # warning); it becomes meaningful only with a CA-issued certificate.
    ssl_stapling on;
    ssl_stapling_verify on;

    # NOTE(review): this server block has no fastcgi_pass, so the fastcgi_*
    # settings below do not appear to affect the proxied requests.
    fastcgi_buffering on;
    fastcgi_buffer_size 16k;
    fastcgi_buffers 16 16k;

    # time-out settings
    fastcgi_connect_timeout 600s;
    fastcgi_send_timeout 600s;
    fastcgi_read_timeout 600s;

    # php performance settings
    sendfile on;
    tcp_nopush off;
    keepalive_requests 0;

    location / {
        # Collapse a doubled leading slash ("//path" -> "/path") before proxying.
        rewrite ^/(/.*)$ $1 break;
        # Forward to the upstream group over unencrypted HTTP.
        proxy_pass http://test.com;
        # Only X-Real-IP is passed on. Host is not set explicitly, and neither
        # X-Forwarded-For nor X-Forwarded-Proto is sent, so the backends cannot
        # tell that the client used HTTPS.
        # NOTE(review): consider `proxy_set_header X-Forwarded-Proto $scheme;`
        # if the application builds absolute URLs or enforces HTTPS.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_redirect off;
        # NOTE(review): try_files is evaluated against this proxy's own root,
        # not the backends' files; the result depends on what exists under
        # public_html on the proxy VM. Verify this line is intended next to
        # proxy_pass.
        try_files $uri $uri/ /index.php?$query_string;
    }
}

# Backend pool. No balancing method is specified, so nginx's default
# (round-robin) applies. Traffic to both servers is plain HTTP on port 80.
upstream test.com {
    server 10.10.10.93:80;
    server 10.10.10.94:80;
}
# NOTE(review): run `nginx -t` before the restart below so that a syntax
# error does not take the proxy down.
[root@test ~]# systemctl restart nginx
2. server 설정
[root@www1 ~]# vi /etc/nginx/sites-enabled/test_com.conf
# Backend vhost (www1; the same file is used on www2): serves the PHP site
# over plain HTTP on port 80, with no TLS directives.
# NOTE(review): nothing in this file limits who may connect. If the backends
# must be reachable only through the proxy, restrict port 80 with a firewall
# rule or `allow <proxy-ip>; deny all;` (placeholder address).
server {
    listen 80;
    server_name www.test.com test.com;
    root /var/www/html/test.com/public_html;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
        # NOTE(review): autoindex lists the contents of any directory that has
        # no index file; turn it off unless directory browsing is intended.
        autoindex on;
    }

    # NOTE(review): no real_ip_header / set_real_ip_from appears in this file,
    # so unless it is configured elsewhere (e.g. nginx.conf) this log records
    # the proxy's address as the client; the X-Real-IP header sent by the
    # proxy is not used.
    access_log /var/www/html/test.com/logs/access.log;
    error_log /var/www/html/test.com/logs/error.log warn;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }

    # PHP requests are handed to the local php-fpm listener on 127.0.0.1:9000.
    location ~ \.php$ {
        # Return 404 for scripts that do not exist on disk rather than passing
        # an arbitrary path to php-fpm.
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
# NOTE(review): run `nginx -t` before the restart below to catch syntax errors.
[root@www1 ~]# systemctl restart nginx ; systemctl restart php-fpm
3. web-site 확인
4. server log 확인
tail -f access.log 로 접속 로그를 확인합니다.