Nginx:HttpsProxyFrontEnd
The NGINX proxy front-end server I use personally is configured as follows.
Add the nginx PGP signing key to apt.
Add the following repositories to /etc/apt/sources.list:
deb http://nginx.org/packages/ubuntu/ trusty nginx
deb-src http://nginx.org/packages/ubuntu/ trusty nginx
Install a self-signed certificate generated with OpenSSL.
$ mkdir /etc/nginx/ssl
$ cd /etc/nginx/ssl
$ openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout private.key -out certificate.crt
## Country Name: KR
## State or Province Name: Seoul
## Organization Name: MyCompany
## Common Name: server-project.com
Add the Nginx proxy configuration for the GitLab server in /etc/nginx/conf.d/git-proxy.conf.
server {
    listen       8080;
    server_name  git.server-project.com;
    ssl  on;
    ssl_session_cache  builtin:1000 shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers  HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers  on;
    ssl_certificate      /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key  /etc/nginx/ssl/private.key;
    charset  utf-8;
    access_log  /var/log/nginx/git.access.log  main;
    location / {
        proxy_set_header  Host $host;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_pass          http://10.0.0.39;
        proxy_read_timeout  60;
        proxy_redirect  http://$host  https://$host:8080;
    }
}
Add the Nginx proxy configuration for the MediaWiki server in /etc/nginx/conf.d/wiki-proxy.conf.
server {
    listen       8080;
    server_name  wiki.server-project.com;
    ssl  on;
    ssl_session_cache  builtin:1000 shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers  HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers  on;
    ssl_certificate      /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key  /etc/nginx/ssl/private.key;
    charset  utf-8;
    access_log  /var/log/nginx/wiki.access.log  main;
    location / {
        proxy_set_header  Host $host;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_pass          http://10.0.0.40;
        proxy_read_timeout  60;
        proxy_redirect  http://$host  https://$host:8080;
    }
}
Add a default Nginx configuration in /etc/nginx/conf.d/default-proxy.conf to catch requests for hostnames that do not match any other server block.
server {
    listen       8080;
    server_name  .server-project.com;
    ssl  on;
    ssl_session_cache  builtin:1000 shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers  HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers  on;
    ssl_certificate      /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key  /etc/nginx/ssl/private.key;
    charset  utf-8;
    access_log  /var/log/nginx/default.access.log  main;
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}
Set the maximum allowed client request body size (client_max_body_size) in /etc/nginx/nginx.conf.
Restart NGINX and verify that the services respond.
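The GitLab proxy block above, rewritten as an added example (not from the original page) with the settings a current nginx expects: TLS enabled on the listen socket instead of the obsolete "ssl on", only TLSv1.2/TLSv1.3 offered, HSTS sent, and the client_max_body_size limit placed in the server block. It assumes nginx 1.15 or later built against an OpenSSL that supports TLSv1.3; the backend address and certificate paths are taken from the page, while the 50m body limit and one-year HSTS max-age are assumed values.

```nginx
# Added example, not part of the original page: hardened variant of git-proxy.conf.
server {
    # "ssl on;" is obsolete since nginx 1.15.0; enable TLS on the listen socket instead.
    listen       8080 ssl;
    server_name  git.server-project.com;

    ssl_certificate      /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key  /etc/nginx/ssl/private.key;

    # TLSv1 and TLSv1.1 are retired; offer only TLSv1.2 and TLSv1.3.
    ssl_protocols  TLSv1.2 TLSv1.3;
    ssl_ciphers  HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers  on;
    ssl_session_cache  builtin:1000 shared:SSL:10m;
    ssl_session_timeout  10m;

    # Tell browsers to keep using HTTPS for this host (assumed one-year max-age).
    add_header  Strict-Transport-Security "max-age=31536000" always;

    # Largest request body accepted (e.g. a git push); assumed value, tune per backend.
    client_max_body_size  50m;

    charset  utf-8;
    access_log  /var/log/nginx/git.access.log  main;

    location / {
        # The backend must treat these headers as trustworthy only when they
        # arrive from this proxy, since clients can send them too.
        proxy_set_header  Host $host;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_pass          http://10.0.0.39;
        proxy_read_timeout  60;
        proxy_redirect  http://$host  https://$host:8080;
    }
}
```

Run `nginx -t` after editing and then reload; the same changes apply unchanged to wiki-proxy.conf and default-proxy.conf.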
Example
http {
        server {
                listen 443;
                server_name server-project.com;
                ssl_certificate     /etc/nginx/certificate.crt;
                ssl_certificate_key /etc/nginx/private.key;
                ssl on;
                ssl_session_cache builtin:1000 shared:SSL:10m;
                ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
                ssl_prefer_server_ciphers on;
                charset utf-8;
                location / {
                        proxy_set_header  Host $host;
                        proxy_set_header  X-Real-IP $remote_addr;
                        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header  X-Forwarded-Proto $scheme;
                        proxy_pass http://192.168.1.205:18002;
                        proxy_set_header host server-project.com;
                        proxy_redirect http://$host https://$host:8943;
                }
        }
}
Docker version
/opt/opm/nexus/proxy_ssl.conf file:
server {
    listen 443;
    ssl on;
    ssl_certificate       /etc/nginx/conf.d/cert.pem;
    ssl_certificate_key   /etc/nginx/conf.d/key.pem;
    location / {
        proxy_pass http://nexus_api:8081/;
    }
}
Self-signed SSL:
$ openssl req -subj '/CN=localhost' -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365
docker-compose file:
  web:
    image: nginx
    deploy:
      replicas: 1
      restart_policy:
        condition: any
    depends_on:
      - api
    ports:
      - "${WEB_PORT:?err}:443"
    networks:
      - net
    volumes:
      - "/opt/opm/nexus/key.pem:/etc/nginx/conf.d/key.pem"
      - "/opt/opm/nexus/cert.pem:/etc/nginx/conf.d/cert.pem"
      - "/opt/opm/nexus/proxy_ssl.conf:/etc/nginx/conf.d/proxy_ssl.conf"