1. shuiliandong

    Posted
Changes in title
+Centos 7 にnginx用SSLをインストールする
Changes in tags
Changes in body
@@ -0,0 +1,219 @@
+# 前提条件
+- OS : CentOS Linux release 7.4.1708 (Core)
+
+# 1. Nginxインストール&ファイアウォール設定
+
+- サーバーからNginxパッケージにアクセスするために、EPEL (extra packages for Enterprise Linux) リポジトリをインストールする必要がある
+
+```bash
+$ sudo yum install epel-release
+```
+---
+
+- Nginxをインストールする
+
+```bash
+$ sudo yum install nginx
+```
+
+---
+
+- Nginxサービスを起動する
+
+```bash
+$ sudo systemctl start nginx
+```
+
+---
+
+- Nginxのステータスを確認する
+
+```bash
+$ systemctl status nginx
+```
+
+```sh:プロンプト出力
+● nginx.service - The nginx HTTP and reverse proxy server
+ Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
+ Active: active (running) since Sun 2018-07-15 14:13:27 CST; 40s ago
+ Process: 31362 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
+ Process: 31359 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
+ Process: 31357 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
+ Main PID: 31364 (nginx)
+ CGroup: /system.slice/nginx.service
+ ├─31364 nginx: master process /usr/sbin/nginx
+ ├─31365 nginx: worker process
+ └─31366 nginx: worker process
+
+Jul 15 14:13:27 greenlist systemd[1]: Starting The nginx HTTP and reverse proxy server...
+Jul 15 14:13:27 greenlist nginx[31359]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+Jul 15 14:13:27 greenlist nginx[31359]: nginx: configuration file /etc/nginx/nginx.conf test is successful
+Jul 15 14:13:27 greenlist systemd[1]: Started The nginx HTTP and reverse proxy server.
+```
+
+---
+
+- サーバ起動時、Nginxも同時に起動する
+
+```sh
+$ sudo systemctl enable nginx
+```
+
+```sh
+$ Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
+```
+
+---
+
+- iptables ファイアウォル設定により、HTTP と HTTPS のアクセス可能にする
+
+```sh
+$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+$ sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
+```
+
+---
+
+
+# 2. SSL証明書の作成
+
+```sh
+$ sudo mkdir /etc/ssl/private
+$ sudo chmod 700 /etc/ssl/private
+```
+
+
+```sh
+$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
+```
+```shell-session:プロンプト出力
+Generating a 2048 bit RSA private key
+......................................+++
+............................+++
+writing new private key to '/etc/ssl/private/nginx-selfsigned.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [XX]:JP
+State or Province Name (full name) []:TOKYO
+Locality Name (eg, city) [Default City]:TOKYO
+Organization Name (eg, company) [Default Company Ltd]:Greenlist INC.
+Organizational Unit Name (eg, section) []:IT
+Common Name (eg, your name or your server's hostname) []:greenlist
+Email Address []:xx@xxx.co.jp
+```
+
+
+```sh
+$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
+```
+
+# 3. SSLを使うため、Nginxの設定
+
+- TLS/SSL サーバ設定の作成
+
+```sh
+$ sudo vi /etc/nginx/conf.d/ssl.conf
+```
+
+
+```sh:/etc/nginx/conf.d/ssl.conf
+server {
+ listen 443 http2 ssl;
+ listen [::]:443 http2 ssl;
+
+ server_name server_IP_address;
+
+ ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
+ ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ ########################################################################
+ # from https://cipherli.st/ #
+ # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
+ ########################################################################
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ ssl_ecdh_curve secp384r1;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+ # Disable preloading HSTS for now. You can use the commented out header line that includes
+ # the "preload" directive if you understand the implications.
+ #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+
+ ##################################
+ # END https://cipherli.st/ BLOCK #
+ ##################################
+
+ root /usr/share/nginx/html;
+
+ location / {
+ }
+
+ error_page 404 /404.html;
+ location = /404.html {
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ }
+}
+```
+
+---
+
+- HTTPからHTTPSへ転送設定の作成
+
+```sh
+$ sudo vi /etc/nginx/default.d/ssl-redirect.conf
+```
+
+```sh:/etc/nginx/default.d/ssl-redirect.conf
+return 301 https://$host$request_uri/;
+```
+---
+
+# 4. Nginx設定を有効にする
+- Nginx設定を確認する
+
+```sh
+$ sudo nginx -t
+```
+
+```sh:プロンプト出力
+nginx: [warn] "ssl_stapling" ignored, issuer certificate not found
+nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+nginx: configuration file /etc/nginx/nginx.conf test is successful
+```
+
+---
+
+- Nginxを再起動する
+
+
+```sh
+$ sudo systemctl restart nginx
+```
+
+# 5. 暗号化されたサイトのテスト
+
+```sh
+https://server_domain_or_IP
+```
+
+---
+[参考サイト digitalocean.com](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-centos-7)
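Review bot: the redirect in `/etc/nginx/default.d/ssl-redirect.conf` appends a trailing slash, `return 301 https://$host$request_uri/;`, so a request for `http://host/index.html?x=1` is sent to `https://host/index.html?x=1/`, which breaks file paths and query strings; `$request_uri` already carries the full path and query, so the line should read `return 301 https://$host$request_uri;`. In `ssl.conf`, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables the deprecated TLS 1.0 and 1.1 even though the comment block cites a "strong SSL" source; restrict it to `TLSv1.2` (and `TLSv1.3` where the nginx/OpenSSL build supports it). `ssl_stapling on;` and `ssl_stapling_verify on;` have no effect with a self-signed certificate, which is exactly what the step 4 output `nginx: [warn] "ssl_stapling" ignored, issuer certificate not found` is reporting; either drop those two lines together with the `resolver` directives or state that they only take effect once a CA-issued certificate is installed. The `iptables -I INPUT ... --dport 80/443 -j ACCEPT` commands in step 1 add rules that are lost on reboot unless saved (for example with the iptables-services package) or configured through firewalld, the default firewall on CentOS 7, and the text should say so. Finally, the certificate's Common Name (`greenlist`) and `server_name server_IP_address;` should both match the name or address clients actually use, otherwise the browser shows a name mismatch on top of the untrusted-issuer warning expected for a self-signed certificate.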