
Installing nginx on CentOS 7 and setting up a reverse proxy


We install nginx on CentOS 7 and reverse-proxy to Hiroshi Abe's home page.
We create a self-signed ("oreore") certificate and run the reverse proxy over SSL.

[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[root@localhost ~]#

Installing nginx

・Add the nginx repository.

[root@localhost ~]# rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm を取得中
警告: /var/tmp/rpm-tmp.7Fsh3a: ヘッダー V4 RSA/SHA1 Signature、鍵 ID 7bd9bf62: NOKEY
準備しています...              ################################# [100%]
更新中 / インストール中...
   1:nginx-release-centos-7-0.el7.ngx ################################# [100%]
[root@localhost ~]#

・The nginx repository has been added.

[root@localhost ~]# yum repolist
読み込んだプラグイン:fastestmirror
base                                                                                          | 3.6 kB  00:00:00
extras                                                                                        | 3.4 kB  00:00:00
nginx                                                                                         | 2.9 kB  00:00:00
updates                                                                                       | 3.4 kB  00:00:00
(1/5): base/7/x86_64/group_gz                                                                 | 156 kB  00:00:00
(2/5): extras/7/x86_64/primary_db                                                             | 185 kB  00:00:00
(3/5): nginx/x86_64/primary_db                                                                |  31 kB  00:00:00
(4/5): updates/7/x86_64/primary_db                                                            | 6.9 MB  00:00:02
(5/5): base/7/x86_64/primary_db                                                               | 5.7 MB  00:00:03
Determining fastest mirrors
 * base: ftp.iij.ad.jp
 * extras: ftp.iij.ad.jp
 * updates: ftp.iij.ad.jp
リポジトリー ID                                        リポジトリー名                                           状態
base/7/x86_64                                          CentOS-7 - Base                                          9,591
extras/7/x86_64                                        CentOS-7 - Extras                                          448
nginx/x86_64                                           nginx repo                                                  90
updates/7/x86_64                                       CentOS-7 - Updates                                       2,417
repolist: 12,546
[root@localhost ~]#

・Check the version that will be installed.

[root@localhost ~]# yum info nginx
読み込んだプラグイン:fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.iij.ad.jp
 * extras: ftp.iij.ad.jp
 * updates: ftp.iij.ad.jp
利用可能なパッケージ
名前                : nginx
アーキテクチャー    : x86_64
エポック            : 1
バージョン          : 1.12.2
リリース            : 1.el7_4.ngx
容量                : 716 k
リポジトリー        : nginx/x86_64
要約                : High performance web server
URL                 : http://nginx.org/
ライセンス          : 2-clause BSD-like license
説明                : nginx [engine x] is an HTTP and reverse proxy server, as well as
                    : a mail proxy server.

[root@localhost ~]#

・Install it.

[root@localhost ~]# yum install -y nginx
読み込んだプラグイン:fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.iij.ad.jp
 * extras: ftp.iij.ad.jp
 * updates: ftp.iij.ad.jp
依存性の解決をしています
--> トランザクションの確認を実行しています。
---> パッケージ nginx.x86_64 1:1.12.2-1.el7_4.ngx を インストール
--> 依存性解決を終了しました。

依存性を解決しました

===============================================================================================================================
 Package                   アーキテクチャー           バージョン                               リポジトリー               容量
===============================================================================================================================
インストール中:
 nginx                     x86_64                     1:1.12.2-1.el7_4.ngx                     nginx                     716 k

トランザクションの要約
===============================================================================================================================
インストール  1 パッケージ

総ダウンロード容量: 716 k
インストール容量: 2.5 M
Downloading packages:
nginx-1.12.2-1.el7_4.ngx.x86_64.rpm                                                                     | 716 kB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
警告: RPMDB は yum 以外で変更されました。
  インストール中          : 1:nginx-1.12.2-1.el7_4.ngx.x86_64                                                              1/1
----------------------------------------------------------------------

Thanks for using nginx!

Please find the official documentation for nginx here:
* http://nginx.org/en/docs/

Please subscribe to nginx-announce mailing list to get
the most important news about nginx:
* http://nginx.org/en/support.html

Commercial subscriptions for nginx are available on:
* http://nginx.com/products/

----------------------------------------------------------------------
  検証中                  : 1:nginx-1.12.2-1.el7_4.ngx.x86_64                                                              1/1

インストール:
  nginx.x86_64 1:1.12.2-1.el7_4.ngx

完了しました!
[root@localhost ~]# nginx -v
nginx version: nginx/1.12.2
[root@localhost ~]#

・Allow http and https through the firewall.

[root@localhost ~]# firewall-cmd --permanent --add-service=http
success
[root@localhost ~]# firewall-cmd --permanent --add-service=https
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]#

・Start nginx.

[root@localhost ~]# systemctl start nginx
[root@localhost ~]# systemctl status nginx
● nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
   Active: active (running) since 土 2018-04-14 17:38:10 JST; 6s ago
     Docs: http://nginx.org/en/docs/
  Process: 11369 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
  Process: 11367 ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
 Main PID: 11371 (nginx)
   CGroup: /system.slice/nginx.service
           ├─11371 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
           └─11372 nginx: worker process

 4月 14 17:38:10 localhost systemd[1]: Starting nginx - high performance web server...
 4月 14 17:38:10 localhost nginx[11367]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
 4月 14 17:38:10 localhost nginx[11367]: nginx: configuration file /etc/nginx/nginx.conf test is successful
 4月 14 17:38:10 localhost systemd[1]: Started nginx - high performance web server.
[root@localhost ~]#

Creating the self-signed certificate

Create it following the references below.

※ Reference URLs
http://d.hatena.ne.jp/ozuma/20130511/1368284304
https://qiita.com/nenokido2000/items/1d1c79a0a443ed923e92

[root@localhost ~]# openssl genrsa 2048 > server.key
Generating RSA private key, 2048 bit long modulus
....................+++
.....+++
e is 65537 (0x10001)
[root@localhost ~]# openssl req -new -key server.key > server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ~]# openssl x509 -days 3650 -req -signkey server.key < server.csr > server.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting Private key
[root@localhost ~]# ls
anaconda-ks.cfg  original-ks.cfg  server.crt  server.csr  server.key
[root@localhost ~]#
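The same certificate produced non-interactively, as an added example (not the post's own commands): one `openssl req -x509` call replaces `genrsa` + `req` + `x509`, the CN is set explicitly (the walkthrough above leaves it blank, so a client has nothing to match against the hostname it connects to), and the key is created 0600 under `umask 077` instead of the typically 0644 file that `genrsa 2048 > server.key` leaves. `check_cert` verifies the key mode, the CN and that the certificate is not about to expire. Assumes `openssl` is installed; DIR and CN are caller-supplied.

```shell
#!/bin/sh
# Added example, not from the original post: the self-signed certificate made
# in one non-interactive step, with the key kept private and the CN set, then
# checked. Assumes openssl is installed; DIR and CN are caller-supplied.

# make_selfsigned_cert DIR CN [DAYS]
# Replaces genrsa + req + x509 from the post with a single `req -x509`.
make_selfsigned_cert() {
    dir=$1; cn=$2; days=${3:-3650}
    mkdir -p "$dir" || return 1
    # umask 077 in a subshell: server.key comes out 0600. The post's
    # `openssl genrsa 2048 > server.key` inherits the shell umask, so the key
    # is typically 0644 and readable by every local user.
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -days "$days" -subj "/CN=$cn" 2>/dev/null)
}

# cert_cn FILE -> the CN from the certificate subject
# (handles both "subject= /CN=x" of OpenSSL 1.0 and "subject=CN = x" of 1.1+)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_mode FILE -> permission string such as -rw-------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# check_cert DIR CN -> 0 when the key is owner-only, the CN matches the
# hostname clients will connect to (localhost in the post's server_name),
# and the certificate is still valid for at least another day.
check_cert() {
    [ "$(key_mode "$1/server.key")" = "-rw-------" ] || return 1
    [ "$(cert_cn "$1/server.crt")" = "$2" ] || return 1
    openssl x509 -in "$1/server.crt" -noout -checkend 86400 >/dev/null
}
```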

・Configure nginx.conf: add a server{} block inside http{}.

server {
        listen 443 ssl;
        server_name  localhost;

        ssl_certificate /etc/nginx/server.crt;
        ssl_certificate_key /etc/nginx/server.key;
}

Starting nginx then produced an error.

 4月 14 20:04:09 localhost systemd[1]: Starting nginx - high performance web server...
 4月 14 20:04:09 localhost nginx[18507]: nginx: [emerg] BIO_new_file("/etc/nginx/server.crt") failed (SSL: error:0200...m lib)
 4月 14 20:04:09 localhost nginx[18507]: nginx: configuration file /etc/nginx/nginx.conf test failed

SELinux appears to be the cause.
(SELinux denied the nginx process access to the self-signed certificate.)
↓ The same symptom as described at these URLs:
http://www.kakiro-web.com/linux/selinux.html
https://www.solitary-island.com/wp/archives/335

server.crt and server.key have the admin_home_t context.

[root@localhost audit]# ls -Z /etc/nginx
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 fastcgi_params
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-utf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-win
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 mime.types
lrwxrwxrwx. root root system_u:object_r:httpd_config_t:s0 modules -> ../../usr/lib64/nginx/modules
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 nginx.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 scgi_params
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 server.crt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 server.key
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 uwsgi_params
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 win-utf
[root@localhost audit]#

Change their context to httpd_config_t.

[root@localhost ~]# chcon unconfined_u:object_r:httpd_config_t:s0 /etc/nginx/server.crt
[root@localhost ~]# chcon unconfined_u:object_r:httpd_config_t:s0 /etc/nginx/server.key

Simply disabling SELinux is also an option.
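An added example (not from the original post) that performs the label check above from `ls -Z` output and applies the relabel in a way that lasts: `chcon` only rewrites the inode label, and the next `restorecon` or filesystem relabel puts admin_home_t back, so the fix registers a `semanage fcontext` rule first. The listing is a constructed sample modelled on the one above; `relabel_persistent` only does anything on a host with SELinux tools and root.

```shell
#!/bin/sh
# Added example, not from the original post: audit SELinux labels under
# /etc/nginx from `ls -Z` output and relabel so the fix survives restorecon.

# Constructed sample of `ls -Z /etc/nginx` output (stand-in for the real
# command so the script runs offline).
SAMPLE_LISTING='-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 nginx.conf
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 server.crt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 server.key
lrwxrwxrwx. root root system_u:object_r:httpd_config_t:s0 modules -> ../../usr/lib64/nginx/modules'

# mislabeled_files EXPECTED_TYPE < listing
# Prints the names whose SELinux type (3rd part of user:role:type:level,
# field 4 in `ls -Z`) differs from EXPECTED_TYPE. Field 5 is the name;
# a symlink's "-> target" tail is ignored.
mislabeled_files() {
    awk -v want="$1" '{ split($4, ctx, ":"); if (ctx[3] != want) print $5 }'
}

# audit_nginx_dir -> names in the sample listing that the nginx process
# cannot open, because they are not labeled httpd_config_t.
audit_nginx_dir() {
    printf '%s\n' "$SAMPLE_LISTING" | mislabeled_files httpd_config_t
}

# relabel_persistent TYPE PATH...
# Registers a file-context rule, then lets restorecon apply it, so later
# relabels keep TYPE. Falls back to chcon (as in the post) when semanage
# from policycoreutils-python is not installed. Use `-m` instead of `-a`
# if a rule for PATH already exists.
relabel_persistent() {
    type=$1; shift
    for path in "$@"; do
        if command -v semanage >/dev/null 2>&1; then
            semanage fcontext -a -t "$type" "$path" && restorecon -v "$path"
        else
            chcon -t "$type" "$path"
        fi
    done
}

# Usage on the real host (root, SELinux enabled):
# relabel_persistent httpd_config_t /etc/nginx/server.crt /etc/nginx/server.key
```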

Try starting it again.

[root@localhost ~]# systemctl restart nginx
[root@localhost ~]# systemctl status nginx
● nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
   Active: active (running) since 土 2018-04-14 20:40:03 JST; 10s ago
     Docs: http://nginx.org/en/docs/
  Process: 18490 ExecStop=/bin/kill -s TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 18555 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
  Process: 18553 ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
 Main PID: 18557 (nginx)
   CGroup: /system.slice/nginx.service
           ├─18557 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
           └─18558 nginx: worker process

 4月 14 20:40:03 localhost systemd[1]: Starting nginx - high performance web server...
 4月 14 20:40:03 localhost nginx[18553]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
 4月 14 20:40:03 localhost nginx[18553]: nginx: configuration file /etc/nginx/nginx.conf test is successful
 4月 14 20:40:03 localhost systemd[1]: Started nginx - high performance web server.
[root@localhost ~]#

Access it over HTTPS. It looks fine.


Reverse proxy configuration

Add the following inside server{} and restart nginx.

※ Reference URLs
https://www.slideshare.net/tetsu.koba/linuxgolanggo-con
https://qiita.com/schwarz471/items/9b44adfbec006eab60b0

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

location /abe/{
    proxy_pass      http://abehiroshi.la.coocan.jp/;
}

Hiroshi Abe's home page showed up through the proxy.
