memos/Home Server/Network/nginx.md
2024-09-19 00:04:19 +09:00


1. Install using docker

1.1. Directory structure

- /mnt/md0/infra
    - /nginx
        - /conf.d
            - default.conf
        - nginx.conf
    - .env
    - compose.yml

1.2. /.env

# Host-side root that every ${BASE_PATH}/... bind mount in compose.yml resolves against
BASE_PATH=/mnt/md0/infra

1.3. Docker compose

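name: infrastructure
# The top-level key is `services` (plural); compose rejects `service` as an unknown property.
services:
  nginx:
    image: nginx:1.26-alpine3.20
    container_name: nginx
    restart: always
    ports:
      # Plain HTTP only at this stage.
      - 80:80
    volumes:
      # Config is bind-mounted read-only so nothing inside the container can rewrite it.
      - ${BASE_PATH}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ${BASE_PATH}/nginx/conf.d:/etc/nginx/conf.d:ro
    networks:
      - infra
    depends_on:
      # NOTE(review): no `dns` service is defined in this snippet — confirm it exists
      # in the full compose.yml, otherwise compose refuses to start the stack.
      - dns

networks:
  infra:
    driver: bridge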

2. nginx configuration

2.1. /nginx/nginx.conf

기본 설정 파일을 그대로 사용함

2.2. /nginx/conf.d/default.conf

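server {
    listen 80;
    server_name localhost;
    # 503, not 053: nginx rejects error_page codes outside 300-599 when loading the config.
    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # Changed so further settings can be dropped in as separate files later.
    # A wildcard include with no matches is not an error, so this is safe
    # before the locations/ directory (not in the tree from 1.1) exists.
    include /etc/nginx/conf.d/locations/*.conf;
}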

2.3. subdomain

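server {
    listen 80;
    server_name gitea.home.server;

    location / {
        # nginx talks HTTP/1.0 to the upstream unless told otherwise; the
        # Connection/Upgrade pass-through below only yields a working
        # WebSocket upgrade over HTTP/1.1.
        proxy_http_version 1.1;
        proxy_set_header    Connection         $http_connection;
        proxy_set_header    Upgrade            $http_upgrade;
        proxy_set_header    Host               $host;
        # Forward the real peer address and scheme so the upstream does not
        # see every request as coming from nginx over plain HTTP.
        proxy_set_header    X-Real-IP          $remote_addr;
        proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto  $scheme;
        # NOTE(review): assumes a `gitea` container is reachable by name on the
        # `infra` network — confirm against the full compose.yml.
        proxy_pass http://gitea:3000;
    }
}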

2.4. reload

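# The container is named `nginx` (container_name in compose.yml), not nginx-reverse-proxy.
# `-s reload` re-reads the config without dropping established connections.
docker exec -it nginx nginx -s reload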

3. SSL

3.1. Cert, Key file

- /mnt/md0/infra
    - /nginx
        - /conf.d
            - default.conf
        - nginx.conf
    - /ssl/cloudflare
        - cloudflare.cert.pem
        - cloudflare.key.pem
    - .env
    - compose.yml

3.2. Docker Compose

  nginx:
    image: nginx:1.26-alpine3.20
    container_name: nginx
    restart: always
    ports:
      # NOTE(review): only 80 is published although default.conf now listens on 443;
      # clients outside the `infra` docker network also need `- 443:443` — confirm.
      - 80:80
    volumes:
      - ${BASE_PATH}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ${BASE_PATH}/nginx/conf.d:/etc/nginx/conf.d:ro
      # NEW
      # Certificate and private key, mounted read-only at the path the
      # ssl_certificate* directives use. NOTE(review): keep the host-side
      # key file permissions restrictive (owner-only read).
      - ${BASE_PATH}/ssl/cloudflare:/etc/nginx/ssl:ro
    networks:
      - infra
    depends_on:
      - dns

3.3. /nginx/conf.d/default.conf

3.3.1. 같은 서버 블럭 사용

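server {
    listen 80;

    # Changes start here
    # Force HTTPS: anything that arrived on the plain-text listener is redirected.
    # An `if` whose only statement is `return` is the documented safe form of `if`.
    if ($scheme = "http") {
        return 301 https://$host$request_uri;
    }

    listen 443 ssl;
    http2 on;

    ssl_certificate /etc/nginx/ssl/cloudflare.cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cloudflare.key.pem;

    server_name tuska298.dev;
    # End of changes

    # 503, not 053: nginx rejects error_page codes outside 300-599 when loading the config.
    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # ...
}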

3.3.2. 다른 서버 블럭 사용

server {
    # Changes start here
    # Dedicated plain-HTTP block for this host: every request is answered with a
    # permanent redirect; $host and $request_uri keep the original path and query.
    server_name tuska298.dev;
    listen 80;

    return 301 https://$host$request_uri;
}

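server {
    listen 443 ssl;
    server_name tuska298.dev;
    http2 on;

    # Paths are inside the container: /etc/nginx/ssl is the read-only bind
    # mount of ${BASE_PATH}/ssl/cloudflare from compose.yml.
    ssl_certificate /etc/nginx/ssl/cloudflare.cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cloudflare.key.pem;
    # End of changes

    # 503, not 053: nginx rejects error_page codes outside 300-599 when loading the config.
    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # ...
}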

4. 공통 설정 빼내기

4.1. 설정 파일 폴더

- /mnt/md0/infra
    - /nginx
        - /etc.d
            - ssl.conf
        - nginx.conf
    - .env
    - compose.yml

4.2. Docker Compose

  nginx:
    image: nginx:1.26-alpine3.20
    container_name: nginx
    restart: always
    ports:
      # NOTE(review): only 80 is published although default.conf listens on 443;
      # clients outside the `infra` docker network also need `- 443:443` — confirm.
      - 80:80
    volumes:
      - ${BASE_PATH}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ${BASE_PATH}/nginx/conf.d:/etc/nginx/conf.d:ro
      - ${BASE_PATH}/ssl/cloudflare:/etc/nginx/ssl:ro
      # NEW
      # Shared snippets (ssl.conf etc.) that server blocks pull in with `include`;
      # read-only like the rest of the config.
      - ${BASE_PATH}/nginx/etc.d:/etc/nginx/etc.d:ro
    networks:
      - infra
    depends_on:
      - dns

4.3. conf file

4.3.1. /etc.d/ssl.conf

# Shared TLS material, pulled into every `listen 443 ssl` server block via include.
# Paths are inside the container: /etc/nginx/ssl is the read-only bind mount of
# ${BASE_PATH}/ssl/cloudflare from compose.yml.
ssl_certificate /etc/nginx/ssl/cloudflare.cert.pem;
ssl_certificate_key /etc/nginx/ssl/cloudflare.key.pem;

4.3.2. /conf.d/default.conf

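server {
    listen 443 ssl;
    server_name tuska298.dev;
    http2 on;

    # Delete
    # ssl_certificate /etc/nginx/ssl/cloudflare.cert.pem;
    # ssl_certificate_key /etc/nginx/ssl/cloudflare.key.pem;

    # NEW
    # Certificate/key directives now live in the shared snippet so every TLS
    # server block uses the same material.
    include /etc/nginx/etc.d/ssl.conf;

    # 503, not 053: nginx rejects error_page codes outside 300-599 when loading the config.
    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # ...
}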

5. robots.txt

5.1. 설정 파일 폴더

- /mnt/md0/infra
    - /nginx
        - /etc.d
            - robots.conf
        - nginx.conf

5.2. /etc.d/robots.conf

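# robots.txt is generated by nginx itself; no file on disk is involved.
location /robots.txt {
    # The stock nginx.conf (used unchanged, see 2.1) sets
    # `default_type application/octet-stream`, which is what a `return`
    # body is served with; crawlers expect text/plain.
    default_type text/plain;
    # The trailing `;` was missing, which makes nginx fail to load the config.
    # NOTE(review): with no Disallow line this permits all crawlers — confirm
    # that is intended for this host.
    return 200 "User-agent: *\n";
}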

5.3. /conf.d/default.conf

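server {
    listen 443 ssl;
    server_name tuska298.dev;
    http2 on;

    include /etc/nginx/etc.d/ssl.conf;

    # NEW
    # Shared robots.txt location; lives in etc.d so other server blocks can include it too.
    include /etc/nginx/etc.d/robots.conf;

    # 503, not 053: nginx rejects error_page codes outside 300-599 when loading the config.
    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # ...
}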

6. 접근 제한

6.1. 설정 파일 폴더

- /mnt/md0/infra
    - /nginx
        - /etc.d
            - deny.lan.conf
        - nginx.conf

6.2. /etc.d/deny.lan.conf

# Source-address allow-list for the including server block; rules are checked
# in order and the first match decides, so `deny all` must stay last.
# NOTE(review): 172.18.0.0/24 is presumably the `infra` docker bridge, so every
# container on that network is admitted, not only nginx's upstreams — confirm.
# NOTE(review): if requests reach nginx through a proxy (e.g. Cloudflare),
# $remote_addr is the proxy's address unless the client IP is restored, and
# these rules would then deny all proxied traffic — confirm the intended path.
allow 192.168.200.0/24;
allow 172.18.0.0/24;
deny all;

6.3. /conf.d/default.conf

server {
    listen 443 ssl;
    server_name tuska298.dev;
    http2 on;

    # NEW
    include /etc/nginx/etc.d/deny.lan.conf;
    
    include /etc/nginx/etc.d/ssl.conf;
    include /etc/nginx/etc.d/robots.conf;
    
    error_page 404 500 502 053 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # ...