Nginx でどんどこバーチャルホストを追加していると、以下の様なエラーが表示されて設定ファイルの再読み込みができなくなることがあります。
nginx: [emerg] could not build the server_names_hash, you should increase server_names_hash_bucket_size: 64
まぁ、言ってるとおりですね。
server_names_hash_bucket が足りなくなってるので増やせよっつってるので、/etc/nginx/nginx.conf に以下を追加しましょう。
網元使ってる場合は /etc/nginx/nginx.conf が再起動時に元に戻ってしまうので /etc/nginx/conf.d/00_server_name_hash_settings.conf という名前で、以下の内容のファイルを作ってやってください。
| server_names_hash_bucket_size 128; | |
| server_names_hash_max_size 1024; |
Nginx をオリジンサーバにして CloudFront を設置したときにテキストファイルが gzip 圧縮転送されないときは nginx.conf に以下を追加する。
gzip_proxied any; gzip_http_version 1.0;
参考: Serving Compressed Files – Amazon CloudFront
網元 AMI で対応するなら、以下の手順で
$ sudo sh -c 'echo "gzip_proxied any;" > /etc/nginx/conf.d/gzip_proxied.conf' $ sudo service nginx reload
| location ~* ^/(get_s3)/(.*) { | |
| set $s3_bucket 'your_s3_bucket_name.s3.amazonaws.com'; | |
| set $url_full "/$1/$2"; | |
| proxy_http_version 1.1; | |
| proxy_set_header Host $s3_bucket; | |
| proxy_set_header Authorization ''; | |
| proxy_hide_header x-amz-id-2; | |
| proxy_hide_header x-amz-request-id; | |
| proxy_hide_header Set-Cookie; | |
| proxy_ignore_headers "Set-Cookie"; | |
| proxy_buffering off; | |
| proxy_intercept_errors on; | |
| resolver 172.16.0.23 valid=300s; | |
| resolver_timeout 10s; | |
| proxy_pass http://$s3_bucket/$url_full; | |
| } |
参考:
http://davidburgosonline.com/dev-ops/2014/configure-nginx-amazon-s3/
https://coderwall.com/p/rlguog/nginx-as-proxy-for-amazon-s3-public-private-files
可用性は落ちちゃうけど、例えば S3 上のテキストファイルを gzip 圧縮転送したいとか、https + spdy で配信したいとかに使おう
/etc/nginx/php-fpm
try_files $uri =404;
expires off;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
fastcgi_busy_buffers_size 32k;
fastcgi_temp_file_write_size 256k;
/etc/nginx/conf.d/default.conf
upstream backend {
server unix:/var/run/nginx-backend.sock;
}
# reverse proxy
server {
listen 80 default;
server_name _;
root /path/to/wordpress;
index index.html index.htm;
charset utf-8;
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log;
location ~ /\. { deny all; access_log /dev/null; log_not_found off; }
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
set $do_not_cache 0;
if ($http_cookie ~* "comment_author_|wordpress_(?!test_cookie)|wp-postpass_" ) {
set $do_not_cache 1;
}
if ($request_method = POST) {
set $do_not_cache 1;
}
location / {
try_files $uri @wordpress;
# Pass all .php files onto a php-fpm/php-fcgi server.
location ~ \.php$ {
include /etc/nginx/php-fpm;
}
}
location @wordpress {
proxy_no_cache $do_not_cache;
proxy_cache_bypass $do_not_cache;
proxy_redirect off;
proxy_cache czone;
proxy_cache_key "$scheme://$host$request_uri";
proxy_cache_valid 200 10m;
proxy_cache_valid 404 5m;
proxy_pass http://backend;
}
# 404
error_page 404 @not_found;
location @not_found {
internal;
rewrite ^ /404;
}
}
# backend
server {
listen unix:/var/run/nginx-backend.sock default;
server_name _;
root /path/to/wordpress;
index index.php index.html index.htm;
access_log /var/log/nginx/backend.access.log main;
keepalive_timeout 25;
port_in_redirect off;
gzip off;
gzip_vary off;
# This order might seem weird - this is attempted to match last if rules below fail.
location / {
try_files $uri $uri/ /index.php?$args;
}
# Pass all .php files onto a php-fpm/php-fcgi server.
location ~ \.php$ {
set $proxy_https '';
if ( $http_x_forwarded_proto = 'https' ) {
set $proxy_https 'on';
}
include /etc/nginx/php-fpm;
fastcgi_param REMOTE_ADDR $http_x_real_ip;
fastcgi_param HTTPS $proxy_https if_not_empty;
fastcgi_pass_header "X-Accel-Redirect";
fastcgi_pass_header "X-Accel-Buffering";
fastcgi_pass_header "X-Accel-Charset";
fastcgi_pass_header "X-Accel-Expires";
fastcgi_pass_header "X-Accel-Limit-Rate";
}
}忘れっぽいので残しておきます
| // ssl 証明書用の秘密鍵を作る(パスワード設定しておく) | |
| $ openssl genrsa -des3 -out privkey.pem 2048 | |
| Generating RSA private key, 2048 bit long modulus | |
| ……+++ | |
| ………………+++ | |
| e is 65537 (0x10001) | |
| Enter pass phrase for privkey.pem: | |
| Verifying – Enter pass phrase for privkey.pem: | |
| // 秘密鍵から csr を作成 → 証明局に提出して ssl 証明書をもらう | |
| $ openssl req -new -key privkey.pem -out server.csr | |
| Enter pass phrase for server.key: | |
| You are about to be asked to enter information that will be incorporated | |
| into your certificate request. | |
| What you are about to enter is what is called a Distinguished Name or a DN. | |
| There are quite a few fields but you can leave some blank | |
| For some fields there will be a default value, | |
| If you enter '.', the field will be left blank. | |
| —– | |
| Country Name (2 letter code) [XX]:JP → 国コード (必須) | |
| State or Province Name (full name) []:Tokyo → 都道府県名 (必須) | |
| Locality Name (eg, city) [Default City]:Shinjuku → 市町村区 (必須) | |
| Organization Name (eg, company) [Default Company Ltd]: → 会社または組織名 (必須) | |
| Organizational Unit Name (eg, section) []: → 部署名 | |
| Common Name (eg, your name or your server's hostname) []: → サーバ名 (必須) | |
| Email Address []: → Email Address | |
| Please enter the following 'extra' attributes | |
| to be sent with your certificate request | |
| A challenge password []: → パスワード | |
| An optional company name []: → 会社または組織名 | |
| // 秘密鍵をパスワード無しに変換 | |
| $ cp privkey.pem privkey.pem.org | |
| $ openssl rsa -in privkey.pem.org -out privkey.pem | |
| // nginx.conf を修正 | |
| $ vi /etc/nginx/nginx.conf | |
| : | |
| server { | |
| listen 443 ssl http2; | |
| server_name _; | |
| root /var/www/html; | |
| index index.html index.htm; | |
| charset utf-8; | |
| ssl on; | |
| ssl_certificate /etc/nginx/ssl.keys/fullchain.pem; # 証明局から取得した ssl 証明書に中間CA証明書をくっつけたやつ | |
| ssl_certificate_key /etc/nginx/ssl.keys/privkey.pem; | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_prefer_server_ciphers on; | |
| ssl_ciphers AESGCM:HIGH:!aNULL:!MD5; | |
| ssl_session_cache shared:SSL:10m; | |
| ssl_session_timeout 5m; | |
| # 以下はお好みで | |
| #ssl_stapling on; | |
| #ssl_stapling_verify on; | |
| #ssl_trusted_certificate /etc/nginx/ssl.keys/fullchain.pem; | |
| #resolver 8.8.8.8 8.8.4.4 valid=300s; | |
| #resolver_timeout 5s; |
自己証明書を作りたい時は…
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crtp7s から pem に変換
$ openssl pkcs7 -in server.p7s -print_certs| location ~* /wp-login\.php|/wp-admin/((?!(admin-ajax\.php|css/|js/)).)*$ { | |
| index index.php index.html index.htm; | |
| # Basic認証のメッセージ | |
| auth_basic "Please enter your ID and password"; | |
| # .htpasswd ファイルのパス | |
| auth_basic_user_file /etc/nginx/conf.d/.htpasswd; | |
| location ~ .*\.php$ { | |
| try_files $uri =404; | |
| proxy_pass http://backend; | |
| } | |
| } |
proxy_pass 使用してるんで、これはリバプロ側の設定です。
バックエンド側とか、そもそもリバプロ建てないって時は if ($request_filename ~ .*\.php) { } の中をよしなに変更してください。
まず、openssl コマンドでサーバ証明書と秘密鍵を生成
$ openssl pkcs12 -in input.pfx -nodes -out output.pem
$ openssl pkcs12 -in input.pfx -nocerts -nodes -out output.keyそんで、nginx.conf で設定
server {
listen 443 default ssl;
server_name _;
root /var/www/html;
index index.html index.htm;
charset utf-8;
ssl on;
ssl_certificate /path/to/output.pem;
ssl_certificate_key /path/to/output.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# (略)| server { | |
| listen 80 default; | |
| server_name example.com; | |
| root /path/to/cake_php; | |
| index index.php index.html index.htm; | |
| charset utf-8; | |
| access_log /var/log/nginx/access.log main; | |
| error_log /var/log/nginx/error.log; | |
| location ~* \.(js|css|html?|xml|gz|jpe?g|gif|png|swf|wmv|flv|ico)$ { | |
| expires 7d; | |
| } | |
| location / { | |
| try_files $uri $uri/ /index.php?url=$uri$args; | |
| } | |
| location ~ \.php$ { | |
| try_files $uri =404; | |
| expires off; | |
| fastcgi_split_path_info ^(.+\.php)(/.+)$; | |
| fastcgi_pass phpfpm; | |
| fastcgi_index index.php; | |
| fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |
| include fastcgi_params; | |
| } | |
| } |
さらに /path/to/cake_php に移動して、以下のシンボリックリンクを作っておくこと
$ ln -s app/webroot/css css
$ ln -s app/webroot/img img
$ ln -s app/webroot/js js
$ ln -s app/webroot/files files| <?php | |
| if ( isset($_GET['url']) ) { | |
| $url = stripslashes($_GET['url']); | |
| NginxCachePurge::purge($url); | |
| } | |
| Class NginxCachePurge { | |
| const CACHE_LEVELS = '1:2'; | |
| const CACHE_DIR = '/var/cache/nginx/proxy_cache'; | |
| public static function purge($url) { | |
| $cache_key = self::get_cache_key($url); | |
| $cache = self::get_cache_file($cache_key); | |
| if ( file_exists($cache) && @unlink($cache) ) { | |
| printf('Success purge : %s (%s)', $url, $cache_key) . "\n"; | |
| } else { | |
| printf('Failure purge : %s (%s)', $url, $cache_key) . "\n"; | |
| } | |
| } | |
| private static function get_cache_key($url) { | |
| return md5($url); | |
| } | |
| private static function get_cache_file($key) { | |
| $levels = preg_split("/:/", self::CACHE_LEVELS); | |
| $path = array(); | |
| $path[] = self::CACHE_DIR; | |
| $offset = 0; | |
| foreach ($levels as $l) { | |
| $offset = $offset + $l; | |
| $path[] = substr($key, 0–$offset, $l); | |
| } | |
| $path[] = $key; | |
| return join("/", $path); | |
| } | |
| } |
JBoss を Nginx から使用するには、リバースプロキシ設定すればおっけ。
server {
listen 80;
server_name example.com;
root /path/to/app;
index index.html index.htm;
:
location / {
proxy_pass http://127.0.0.1:8080; # JBoss server name
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}ただし、クライアントの IP とかを取得する時に HttpServletRequest の getRemoteAddr() メソッドでは、Nginx サーバの IP アドレスを取得してしまうので、以下のようにして x-forwarded-for を取得するようにしてやる。
public static InetAddress remoteIp(final HttpServletRequest request)
throws UnknownHostException {
if (request.getHeader("x-forwarded-for") != null) {
return InetAddress.getByName(request.getHeader("x-forwarded-for"));
}
return InetAddress.getByName(request.getRemoteAddr());
}