1. shuiliandong

    No comment

Changes in body
@@ -1,219 +1,219 @@
# 前提条件
-- OS : CentOS Linux release 7.4.1708 (Core)
+- OS : CentOS Linux release 7.4 (Core)
# 1. Nginxインストール&ファイアウォール設定
- サーバーからNginxパッケージにアクセスするために、EPEL (extra packages for Enterprise Linux) リポジトリをインストールする必要がある
```bash
$ sudo yum install epel-release
```
---
- Nginxをインストールする
```bash
$ sudo yum install nginx
```
---
- Nginxサービスを起動する
```bash
$ sudo systemctl start nginx
```
---
- Nginxのステータスを確認する
```bash
$ systemctl status nginx
```
```sh:プロンプト出力
● nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2018-07-15 14:13:27 CST; 40s ago
Process: 31362 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
Process: 31359 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
Process: 31357 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
Main PID: 31364 (nginx)
CGroup: /system.slice/nginx.service
├─31364 nginx: master process /usr/sbin/nginx
├─31365 nginx: worker process
└─31366 nginx: worker process
Jul 15 14:13:27 greenlist systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jul 15 14:13:27 greenlist nginx[31359]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jul 15 14:13:27 greenlist nginx[31359]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jul 15 14:13:27 greenlist systemd[1]: Started The nginx HTTP and reverse proxy server.
```
---
-- サーバ起動時、Nginxも同時に起動
+- サーバ起動時、Nginxも同時に起動させ
```sh
$ sudo systemctl enable nginx
```
-```sh
-$ Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
+```sh:プロンプト出力
+Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
```
---
- iptables ファイアウォル設定により、HTTP と HTTPS のアクセス可能にする
```sh
$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
```
---
# 2. SSL証明書の作成
```sh
$ sudo mkdir /etc/ssl/private
$ sudo chmod 700 /etc/ssl/private
```
```sh
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
```
```shell-session:プロンプト出力
Generating a 2048 bit RSA private key
......................................+++
............................+++
writing new private key to '/etc/ssl/private/nginx-selfsigned.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:TOKYO
Locality Name (eg, city) [Default City]:TOKYO
Organization Name (eg, company) [Default Company Ltd]:Greenlist INC.
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:greenlist
Email Address []:xx@xxx.co.jp
```
```sh
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
```
# 3. SSLを使うため、Nginxの設定
- TLS/SSL サーバ設定の作成
```sh
$ sudo vi /etc/nginx/conf.d/ssl.conf
```
```sh:/etc/nginx/conf.d/ssl.conf
server {
listen 443 http2 ssl;
listen [::]:443 http2 ssl;
server_name server_IP_address;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
########################################################################
# from https://cipherli.st/ #
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
########################################################################
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
##################################
# END https://cipherli.st/ BLOCK #
##################################
root /usr/share/nginx/html;
location / {
}
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
```
---
- HTTPからHTTPSへ転送設定の作成
```sh
$ sudo vi /etc/nginx/default.d/ssl-redirect.conf
```
```sh:/etc/nginx/default.d/ssl-redirect.conf
return 301 https://$host$request_uri/;
```
---
# 4. Nginx設定を有効にする
- Nginx設定を確認する
```sh
$ sudo nginx -t
```
```sh:プロンプト出力
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
---
- Nginxを再起動する
```sh
$ sudo systemctl restart nginx
```
# 5. 暗号化されたサイトのテスト
```sh
https://server_domain_or_IP
```
---
[参考サイト digitalocean.com](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-centos-7)
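Review bot: The `+` line `- サーバ起動時、Nginxも同時に起動させ` turns a complete list item into a truncated verb form; `起動させる` (or the original `起動`) is the finished wording. The companion change `- OS : CentOS Linux release 7.4.1708 (Core)` to `- OS : CentOS Linux release 7.4 (Core)` drops the point release, which is the more precise identifier for anyone reproducing these steps, so consider keeping `7.4.1708`. The retagging of the symlink output block as `sh:プロンプト出力` and the removal of the stray leading `$` from `Created symlink from ...` are correct. Two items in the unchanged context deserve a follow-up commit: `return 301 https://$host$request_uri/;` appends a trailing slash to every redirected request (`$request_uri` already carries path and query, so `/foo?a=1` becomes `/foo?a=1/`), and the `/` should be dropped; and `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables two deprecated protocol versions, so `TLSv1.2` alone is the safer value here. Also worth a sentence in the text: the `iptables -I INPUT ... -j ACCEPT` rules in section 1 are not persisted across a reboot, so the reader needs `iptables-save` or the equivalent `firewall-cmd --permanent` rules for the HTTP and HTTPS ports.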