
Nginx:HttpsProxyFrontEnd

개인적으로 사용하는 NGINX의 Proxy Front-end 서버는 아래와 같이 설정한다.

nginx 패키지 저장소의 PGP 서명 키를 추가한다.

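# Fetch the repository signing key over TLS so it cannot be swapped in transit,
# and fail (-f) on an HTTP error instead of saving an error page as the key.
$ curl -fsSLO https://nginx.org/keys/nginx_signing.key
# Compare the key's fingerprint with the one published on nginx.org before trusting it.
# apt-key is deprecated on newer Ubuntu releases (use a keyring under /etc/apt/keyrings
# with signed-by=); it is still the available tool on trusty.
$ sudo apt-key add nginx_signing.key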

/etc/apt/sources.list파일에 아래 저장소를 추가한다.

# nginx.org package repository for Ubuntu 14.04 (trusty); change the codename
# to match the release actually installed.
deb http://nginx.org/packages/ubuntu/ trusty nginx
deb-src http://nginx.org/packages/ubuntu/ trusty nginx

NGINX설치.

# Refresh the package index so the nginx.org repository added above is seen,
# then install nginx from it.
$ sudo apt-get update
$ sudo apt-get install nginx

OpenSSL을 사용한 인증서 설치.

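# /etc/nginx is root-owned, so the directory, the key pair and the permission
# change below all need sudo (the install steps above already use it).
$ sudo mkdir /etc/nginx/ssl
$ cd /etc/nginx/ssl
# Self-signed certificate (-x509) valid 10 years; -nodes leaves the private key
# unencrypted so nginx can start unattended.
$ sudo openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout private.key -out certificate.crt
## Country Name: KR
## State or Province Name: Seoul
## Organization Name: MyCompany
## Common Name: server-project.com
# The Common Name must match the name clients connect to; the proxies below serve
# git.server-project.com and wiki.server-project.com, so a wildcard CN or
# Subject Alternative Names are needed for those hosts to validate.
# The key is unencrypted: make it readable by root only.
$ sudo chmod 600 private.key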

GitLab서버에 대한 Nginx의 Proxy설정을 /etc/nginx/conf.d/git-proxy.conf파일에 추가.

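server {
    # HTTPS front-end for the GitLab host. TLS is enabled on the listen
    # socket; the standalone "ssl on;" directive is deprecated in current nginx.
    listen       8080 ssl;
    server_name  git.server-project.com;

    ssl_session_cache  builtin:1000 shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated; offer only TLSv1.2. Add TLSv1.3 once the
    # installed nginx/OpenSSL support it (nginx 1.13+, OpenSSL 1.1.1+).
    ssl_protocols  TLSv1.2;
    ssl_ciphers  HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers  on;

    # Self-signed pair generated in /etc/nginx/ssl in the openssl step above.
    ssl_certificate      /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key  /etc/nginx/ssl/private.key;

    charset  utf-8;
    access_log  /var/log/nginx/git.access.log  main;

    location / {
        # Forward the requested host, the real client address and the https
        # scheme so the upstream builds correct URLs and logs the true client.
        proxy_set_header  Host $host;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;

        proxy_pass          http://10.0.0.39;
        proxy_read_timeout  60;

        # The upstream answers with plain-http redirects; rewrite them to this
        # listener's https port.
        proxy_redirect  http://$host  https://$host:8080;
    }
}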

MediaWiki서버에 대한 Nginx의 Proxy설정을 /etc/nginx/conf.d/wiki-proxy.conf파일에 추가.

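server {
    # HTTPS front-end for the MediaWiki host. TLS is enabled on the listen
    # socket; the standalone "ssl on;" directive is deprecated in current nginx.
    listen       8080 ssl;
    server_name  wiki.server-project.com;

    ssl_session_cache  builtin:1000 shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated; offer only TLSv1.2. Add TLSv1.3 once the
    # installed nginx/OpenSSL support it (nginx 1.13+, OpenSSL 1.1.1+).
    ssl_protocols  TLSv1.2;
    ssl_ciphers  HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers  on;

    # Same self-signed pair as the other front-ends (see openssl step above).
    ssl_certificate      /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key  /etc/nginx/ssl/private.key;

    charset  utf-8;
    access_log  /var/log/nginx/wiki.access.log  main;

    location / {
        # Forward the requested host, the real client address and the https
        # scheme so the upstream builds correct URLs and logs the true client.
        proxy_set_header  Host $host;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;

        proxy_pass          http://10.0.0.40;
        proxy_read_timeout  60;

        # The upstream answers with plain-http redirects; rewrite them to this
        # listener's https port.
        proxy_redirect  http://$host  https://$host:8080;
    }
}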

잘못된 도메인에 대한 Nginx의 기본 Proxy설정을 /etc/nginx/conf.d/default-proxy.conf파일에 추가.

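server {
    # Catch-all for names that no other front-end claims. default_server makes
    # this explicit: without it nginx picks the first server defined for the
    # port, which depends only on conf.d file ordering.
    listen       8080 ssl default_server;
    server_name  .server-project.com;

    ssl_session_cache  builtin:1000 shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated; offer only TLSv1.2. Add TLSv1.3 once the
    # installed nginx/OpenSSL support it (nginx 1.13+, OpenSSL 1.1.1+).
    ssl_protocols  TLSv1.2;
    ssl_ciphers  HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers  on;

    ssl_certificate      /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key  /etc/nginx/ssl/private.key;

    charset  utf-8;
    access_log  /var/log/nginx/default.access.log  main;

    # Unknown hosts only get the static placeholder page, never an upstream.
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}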

클라이언트의 최대 BODY 크기를 /etc/nginx/nginx.conf에서 설정한다.

http {
    # ...
    # Raise nginx's default 1m request-body limit so large uploads and pushes
    # through the proxies are not rejected with 413; applies to every server
    # in this http block.
    client_max_body_size 1024M;
    # ...
}

NGINX재시작 및 서비스 확인.

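# Validate the configuration first so a typo does not take the running proxy down.
$ sudo nginx -t
$ sudo service nginx restart
# Confirm the listeners from the configs above (8080) are bound;
# "ss -tln" is the modern replacement for netstat where it is missing.
$ sudo netstat -ant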

Example

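http {
        server {
                # TLS is enabled on the listen socket; the standalone
                # "ssl on;" directive is deprecated in current nginx.
                listen 443 ssl;
                server_name server-project.com;

                ssl_certificate     /etc/nginx/certificate.crt;
                ssl_certificate_key /etc/nginx/private.key;

                ssl_session_cache builtin:1000 shared:SSL:10m;
                # TLSv1 and TLSv1.1 are deprecated; offer only TLSv1.2
                # (add TLSv1.3 once nginx/OpenSSL support it).
                ssl_protocols TLSv1.2;
                ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
                ssl_prefer_server_ciphers on;

                charset utf-8;

                location / {
                        # One Host header only. The earlier version also set a
                        # literal "host server-project.com" after this line,
                        # which is the same value for requests matching
                        # server_name; if the upstream needs the literal name
                        # regardless of what the client sent, put that literal
                        # here instead of $host.
                        proxy_set_header  Host $host;
                        proxy_set_header  X-Real-IP $remote_addr;
                        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header  X-Forwarded-Proto $scheme;

                        proxy_pass http://192.168.1.205:18002;

                        # 8943 differs from the 443 listener above; presumably
                        # the externally published port in front of this host -
                        # confirm before reuse.
                        proxy_redirect http://$host https://$host:8943;
                }
        }
}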

Docker version

/opt/opm/nexus/proxy_ssl.conf file:

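server {
    # TLS terminator in front of the nexus_api service on the compose network.
    # TLS is enabled on the listen socket; "ssl on;" is deprecated.
    listen 443 ssl;

    # Key pair bind-mounted from the host (see the compose file below).
    ssl_certificate       /etc/nginx/conf.d/cert.pem;
    ssl_certificate_key   /etc/nginx/conf.d/key.pem;
    # Pin the protocol set: older nginx builds also offer TLSv1/TLSv1.1 by
    # default. The untagged "nginx" image is current and supports TLSv1.3;
    # drop TLSv1.3 if a pinned older image is used.
    ssl_protocols         TLSv1.2 TLSv1.3;

    location / {
        # Same forwarding headers as the other front-ends so the upstream
        # sees the requested host, the real client and the https scheme.
        proxy_set_header  Host $host;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;

        proxy_pass http://nexus_api:8081/;
    }
}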

Self-signed SSL:

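# Self-signed certificate for the container. CN=localhost only validates for
# local tests; set it to the hostname clients actually use.
$ openssl req -subj '/CN=localhost' -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365
# The key is unencrypted (-nodes) and is bind-mounted into the container; keep it root-only.
$ chmod 600 key.pem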

docker-compose file:

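  web:
    image: nginx
    deploy:
      replicas: 1
      restart_policy:
        condition: any
    depends_on:
      - api
    ports:
      # WEB_PORT must be set in the environment; ${VAR:?err} makes compose
      # fail fast instead of publishing on an empty port.
      - "${WEB_PORT:?err}:443"
    networks:
      - net
    volumes:
      # Key, certificate and vhost config are mounted read-only: nginx only
      # reads them, so a compromised container cannot alter them.
      - "/opt/opm/nexus/key.pem:/etc/nginx/conf.d/key.pem:ro"
      - "/opt/opm/nexus/cert.pem:/etc/nginx/conf.d/cert.pem:ro"
      - "/opt/opm/nexus/proxy_ssl.conf:/etc/nginx/conf.d/proxy_ssl.conf:ro"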

See also