What this covers
- I still hadn't worked with nginx properly, so this is a learning exercise
- Built with docker
- Proxying to multiple application servers
- HTTPS between the nginx server and clients using a self-signed certificate
Overall file layout
```
├── app            # application servers
│   ├── main
│   │   └── index.html
│   └── sub
│       └── index.html
├── docker
│   └── docker-compose.yml
└── proxy          # nginx + ssl
    ├── conf.d
    │   ├── default.conf
    │   └── main.conf
    ├── mime.types
    ├── nginx.conf
    └── ssl
        ├── server-private.pem
        ├── server-public.key
        ├── server.csr
        ├── server_self_signed.crt
        └── subjectaltname.ext
```
docker-compose
docker-compose.yml
```yaml
version: '3'
services:
  main-server:
    image: nginx
    container_name: 'main-server'
    volumes:
      - ../app/main:/usr/share/nginx/html
    ports:
      - 7000:80
  sub-server:
    image: nginx
    container_name: 'sub-server'
    volumes:
      - ../app/sub:/usr/share/nginx/html
    ports:
      - 7001:80
  reverse-proxy:
    image: nginx
    volumes:
      - ../proxy:/etc/nginx
    ports:
      - 80:80
      - 443:443
```
Proxying with nginx
proxy/nginx.conf
```nginx
user nginx;
events {
    worker_connections 16;
}
http {
    charset UTF-8;
    # log format settings
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /etc/nginx/access_log main;
    # directory holding the virtual server configs
    include ./conf.d/*.conf;
}
```
proxy/conf.d/main.conf
```nginx
server {
    listen 80;
    return 301 https://$host$request_uri; # http to https
}
server {
    listen 443 ssl;
    server_name localhost; # domain
    keepalive_timeout 70;
    # TLSv1 and TLSv1.1 are deprecated; a current setup would allow only TLSv1.2 and TLSv1.3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_buffer_size 16k;
    ssl_certificate /etc/nginx/ssl/server_self_signed.crt;
    ssl_certificate_key /etc/nginx/ssl/server-private.pem;
    # host.docker.internal resolves to the Docker host on Docker Desktop; on Linux the
    # reverse-proxy service additionally needs extra_hosts: ["host.docker.internal:host-gateway"]
    location /main {
        proxy_pass http://host.docker.internal:7000/;
        proxy_redirect off;
    }
    location /sub {
        proxy_pass http://host.docker.internal:7001/;
        proxy_redirect off;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
```
Application servers
app/main/index.html
```html
<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8"/>
    <meta name="viewport" content="width=device-width, initial-scale=1"/>
    <title>main</title>
  </head>
  <body>
    <h1>main</h1>
  </body>
</html>
```
app/sub/index.html
```html
<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8"/>
    <meta name="viewport" content="width=device-width, initial-scale=1"/>
    <title>sub</title>
  </head>
  <body>
    <h1>sub</h1>
  </body>
</html>
```
Creating the self-signed certificate
Certificate creation
```shell
openssl genrsa -out server-private.pem 2048 # create a 2048-bit RSA private key
openssl rsa -in server-private.pem -pubout -out server-public.key # derive the public key
openssl req -new -key server-private.pem > server.csr # create the CSR
openssl x509 -req -in server.csr -signkey server-private.pem \
  -out server_self_signed.crt -days 825 -extfile subjectaltname.ext # issue the self-signed certificate
```
subjectaltname.ext
```
subjectAltName=DNS:localhost
```
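The same certificate steps as above, as an added example that is not part of the original post: wrapped in shell functions that run without interactive prompts, plus checks for the things that actually decide whether the certificate works (the subjectAltName matches the hostname, the certificate belongs to the private key nginx is given, and the certificate verifies against itself as it will once it is registered in the host's trust store). The directory, host name and function names are my own; it assumes only that openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is on PATH.
set -eu

# make_selfsigned_cert DIR HOSTNAME
# Writes server-private.pem, server-public.key, server.csr, subjectaltname.ext
# and server_self_signed.crt into DIR (same file names as the post's ssl/ directory).
make_selfsigned_cert() {
  dir=$1; host=$2
  mkdir -p "$dir"
  # 2048-bit RSA private key
  openssl genrsa -out "$dir/server-private.pem" 2048 2>/dev/null
  openssl rsa -in "$dir/server-private.pem" -pubout -out "$dir/server-public.key" 2>/dev/null
  # -subj replaces the interactive prompts of "openssl req -new"
  openssl req -new -key "$dir/server-private.pem" -subj "/CN=$host" -out "$dir/server.csr"
  # browsers ignore the CN and match the host name against subjectAltName only,
  # which is why the post needs the -extfile
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/subjectaltname.ext"
  openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server-private.pem" \
    -out "$dir/server_self_signed.crt" -days 825 -extfile "$dir/subjectaltname.ext" 2>/dev/null
}

# cert_has_san CRT HOSTNAME -> exit 0 if the SAN extension lists DNS:HOSTNAME
cert_has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -q "DNS:$2"
}

# cert_matches_key CRT KEY -> exit 0 if the certificate's public key is the one
# derived from KEY (catches a mixed-up ssl_certificate / ssl_certificate_key pair)
cert_matches_key() {
  from_cert=$(openssl x509 -in "$1" -noout -pubkey)
  from_key=$(openssl rsa -in "$2" -pubout 2>/dev/null)
  [ "$from_cert" = "$from_key" ]
}

# cert_is_trusted_selfsigned CRT -> exit 0 if the certificate verifies with itself
# as the trust anchor, which is the situation after registering it on the host
cert_is_trusted_selfsigned() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage (scratch directory name is constructed):
#   make_selfsigned_cert ./scratch-ssl localhost
#   cert_has_san ./scratch-ssl/server_self_signed.crt localhost && echo "SAN ok"
#   cert_matches_key ./scratch-ssl/server_self_signed.crt ./scratch-ssl/server-private.pem && echo "key ok"
```

A certificate issued for a different host name fails `cert_has_san` for `localhost` even though it is otherwise valid, which is exactly the error a browser reports as a name mismatch; `cert_matches_key` fails nginx-style when the `.crt` and `.pem` come from different runs of the commands.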
Once this is done, register server_self_signed.crt in the host's certificate store.
After registering it, don't forget to mark it as trusted.
https://qiita.com/colomney/items/887f9ea7b68a3b427060
I only wrote down the implementation as a memo, so please check the details of each part yourself.
References / sources
https://nginx.org/en/docs/beginners_guide.html
https://qiita.com/zawawahoge/items/d58ab6b746625e8d4457
https://qiita.com/kunichiko/items/12cbccaadcbf41c72735
https://qiita.com/katsunory/items/97f5a4738863776fbaf4
https://kazuhira-r.hatenablog.com/entry/20180803/1533302929