# 1. Install using docker
|
|
## 1.1. Directory structure
|
|
|
|
```dirtree
|
|
- /mnt/md0/infra
|
|
- /nginx
|
|
- /conf.d
|
|
- default.conf
|
|
- nginx.conf
|
|
- .env
|
|
- compose.yml
|
|
```
|
|
|
|
## 1.2. /.env
|
|
```
|
|
# Host-side root directory; compose.yml expands ${BASE_PATH} in its bind-mount paths.
BASE_PATH=/mnt/md0/infra
|
|
```
|
|
|
|
## 1.3. Docker compose
|
|
|
|
```yml
|
|
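name: infrastructure

# Was `service:` (singular) — Compose rejects that key, so nothing started.
services:
  nginx:
    image: nginx:1.26-alpine3.20
    container_name: nginx
    restart: always
    ports:
      # Quoted so a port mapping is never parsed as a YAML sexagesimal number.
      - "80:80"
    volumes:
      # Config is bind-mounted read-only: a compromised nginx process cannot
      # rewrite its own configuration on the host.
      - ${BASE_PATH}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ${BASE_PATH}/nginx/conf.d:/etc/nginx/conf.d:ro
    networks:
      - infra
    depends_on:
      # `dns` is not defined on this page; it must exist in the same Compose
      # project or `docker compose up` fails with an undefined-service error.
      - dns

networks:
  infra:
    driver: bridge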
|
|
```
|
|
|
|
# 2. nginx configuration
|
|
## 2.1. /nginx/nginx.conf
|
|
기본 설정 파일을 그대로 사용함
|
|
|
|
## 2.2. /nginx/conf.d/default.conf
|
|
|
|
```nginx
|
|
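server {
    listen 80;
    server_name localhost;

    # 503 was mistyped as 053; error_page only accepts codes in 300-599, so
    # the original line fails `nginx -t` and the container never starts.
    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # Extra locations live in their own files so later settings can be added
    # without editing this server block. The stock nginx.conf only globs
    # conf.d/*.conf, so files under conf.d/locations/ are picked up here only.
    include /etc/nginx/conf.d/locations/*.conf;
}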
|
|
```
|
|
|
|
## 2.3. subdomain
|
|
|
|
```nginx
|
|
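server {
    listen 80;
    server_name gitea.home.server;

    # NOTE(review): this vhost has no TLS listener, so Gitea logins and tokens
    # cross the network in cleartext. Add a 443 listener (as in section 3) if
    # it is reachable from anything other than a trusted LAN.
    location / {
        # Upgrade/Connection only take effect over HTTP/1.1; nginx proxies with
        # HTTP/1.0 by default, which silently breaks WebSocket upgrades.
        proxy_http_version 1.1;
        proxy_set_header Connection $http_connection;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # `gitea` resolves over the shared Compose network; the upstream
        # service itself is not shown on this page.
        proxy_pass http://gitea:3000;
    }
}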
|
|
```
|
|
|
|
## 2.4. reload
|
|
|
|
```shell
|
|
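# The container is named `nginx` in compose.yml, not `nginx-reverse-proxy`.
# Validate before reloading: `-s reload` with a broken config keeps the old
# workers running, and the error is easy to miss without the explicit test.
docker exec nginx nginx -t && docker exec nginx nginx -s reload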
|
|
```
|
|
|
|
# 3. SSL
|
|
|
|
## 3.1. Cert, Key file
|
|
|
|
```dirtree
|
|
- /mnt/md0/infra
|
|
- /nginx
|
|
- /conf.d
|
|
- default.conf
|
|
- nginx.conf
|
|
- /ssl/cloudflare
|
|
- cloudflare.cert.pem
|
|
- cloudflare.key.pem
|
|
- .env
|
|
- compose.yml
|
|
```
|
|
|
|
## 3.2. Docker Compose
|
|
|
|
```yml
|
|
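nginx:
  image: nginx:1.26-alpine3.20
  container_name: nginx
  restart: always
  ports:
    - "80:80"
    # The 443 listener added to default.conf below is unreachable from outside
    # the container unless the port is published as well.
    - "443:443"
  volumes:
    - ${BASE_PATH}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
    - ${BASE_PATH}/nginx/conf.d:/etc/nginx/conf.d:ro
    # NEW: certificate and private key, read-only inside the container.
    # Keep the host-side key file readable only by root (chmod 600); the
    # stock image's master process runs as root and can still read it.
    - ${BASE_PATH}/ssl/cloudflare:/etc/nginx/ssl:ro
  networks:
    - infra
  depends_on:
    # `dns` service is defined elsewhere in the project (not on this page).
    - dns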
|
|
```
|
|
|
|
## 3.3. /nginx/conf.d/default.conf
|
|
### 3.3.1. 같은 서버 블럭 사용
|
|
|
|
```nginx
|
|
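server {
    listen 80;

    # -- changes start here --
    # Plain-HTTP requests are bounced to HTTPS. The redirect target uses the
    # configured server name rather than $host: $host comes from the client's
    # Host header, and when this is the default server for port 80 it answers
    # any Host, which would make the redirect point wherever the client says.
    if ($scheme = "http") {
        return 301 https://$server_name$request_uri;
    }

    listen 443 ssl;
    http2 on;

    # NOTE(review): if these are Cloudflare Origin CA files (the name suggests
    # it), only Cloudflare's edge trusts them; browsers reaching this origin
    # directly will see a certificate error. Confirm which CA issued them.
    ssl_certificate /etc/nginx/ssl/cloudflare.cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cloudflare.key.pem;

    server_name tuska298.dev;
    # -- changes end --

    # 503 was mistyped as 053, which fails `nginx -t` (codes must be 300-599).
    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # ...
}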
|
|
```
|
|
|
|
### 3.3.2. 다른 서버 블럭 사용
|
|
|
|
```nginx
|
|
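server {
    listen 80;

    # -- changes start here --
    server_name tuska298.dev;
    # Redirect to the configured name, not $host: $host is the client-supplied
    # Host header, so a default server would redirect to any hostname a client
    # chooses to send.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name tuska298.dev;
    http2 on;

    # NOTE(review): if these are Cloudflare Origin CA files (the name suggests
    # it), only Cloudflare's edge trusts them; direct clients will see a
    # certificate error. Confirm which CA issued them.
    ssl_certificate /etc/nginx/ssl/cloudflare.cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cloudflare.key.pem;
    # -- changes end --

    # 503 was mistyped as 053, which fails `nginx -t` (codes must be 300-599).
    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # ...
}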
|
|
```
|
|
|
|
# 4. 공통 설정 빼내기
|
|
|
|
## 4.1. 설정 파일 폴더
|
|
|
|
```dirtree
|
|
- /mnt/md0/infra
|
|
- /nginx
|
|
- /etc.d
|
|
- ssl.conf
|
|
- nginx.conf
|
|
- .env
|
|
- compose.yml
|
|
```
|
|
|
|
## 4.2. Docker Compose
|
|
|
|
```yml
|
|
nginx:
|
|
image: nginx:1.26-alpine3.20
|
|
container_name: nginx
|
|
restart: always
|
|
ports:
|
|
- 80:80
|
|
volumes:
|
|
- ${BASE_PATH}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
|
|
- ${BASE_PATH}/nginx/conf.d:/etc/nginx/conf.d:ro
|
|
- ${BASE_PATH}/ssl/cloudflare:/etc/nginx/ssl:ro
|
|
# NEW
|
|
- ${BASE_PATH}/nginx/etc.d:/etc/nginx/etc.d:ro
|
|
networks:
|
|
- infra
|
|
depends_on:
|
|
- dns
|
|
```
|
|
|
|
## 4.3. conf file
|
|
### 4.3.1. /etc.d/ssl.conf
|
|
|
|
```nginx
|
|
# Shared TLS material for every HTTPS server block, pulled in with
# `include /etc/nginx/etc.d/ssl.conf;`. Paths are the container-side view of
# the read-only ${BASE_PATH}/ssl/cloudflare bind mount.
ssl_certificate /etc/nginx/ssl/cloudflare.cert.pem;
ssl_certificate_key /etc/nginx/ssl/cloudflare.key.pem;
|
|
```
|
|
|
|
### 4.3.2. /conf.d/default.conf
|
|
|
|
```nginx
|
|
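server {
    listen 443 ssl;
    server_name tuska298.dev;
    http2 on;

    # Delete — now provided by the shared include below
    # ssl_certificate /etc/nginx/ssl/cloudflare.cert.pem;
    # ssl_certificate_key /etc/nginx/ssl/cloudflare.key.pem;

    # NEW: certificate/key directives shared by every HTTPS vhost.
    include /etc/nginx/etc.d/ssl.conf;

    # 503 was mistyped as 053, which fails `nginx -t` (codes must be 300-599).
    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # ...
}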
|
|
```
|
|
|
|
# 5. robots.txt
|
|
## 5.1. 설정 파일 폴더
|
|
|
|
```dirtree
|
|
- /mnt/md0/infra
|
|
- /nginx
|
|
- /etc.d
|
|
- robots.conf
|
|
- nginx.conf
|
|
```
|
|
|
|
## 5.2. /etc.d/robots.conf
|
|
|
|
```nginx
|
|
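# Served by every vhost that includes this file. `return` needs no file on
# disk; mime.types maps the .txt suffix to text/plain.
# Exact match (`=`) so a prefix like /robots.txt.bak does not hit this block.
location = /robots.txt {
    # The original line lacked the trailing `;`, which fails `nginx -t`.
    # NOTE(review): "User-agent: *" with no Disallow line permits all crawling;
    # for a private server you most likely also want `Disallow: /`.
    return 200 "User-agent: *\n";
}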
|
|
```
|
|
|
|
## 5.3. /conf.d/default.conf
|
|
|
|
```nginx
|
|
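server {
    listen 443 ssl;
    server_name tuska298.dev;
    http2 on;

    include /etc/nginx/etc.d/ssl.conf;

    # NEW: shared /robots.txt location.
    include /etc/nginx/etc.d/robots.conf;

    # 503 was mistyped as 053, which fails `nginx -t` (codes must be 300-599).
    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # ...
}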
|
```
|
|
|
|
# 6. 접근 제한
|
|
## 6.1. 설정 파일 폴더
|
|
|
|
```dirtree
|
|
- /mnt/md0/infra
|
|
- /nginx
|
|
- /etc.d
|
|
- deny.lan.conf
|
|
- nginx.conf
|
|
```
|
|
|
|
## 6.2. /etc.d/deny.lan.conf
|
|
|
|
```nginx
|
|
# Allow-list evaluated top to bottom; first match wins, `deny all` catches the
# rest. Matching is on $remote_addr (the TCP peer), not on X-Forwarded-For.
# NOTE(review): 172.18.0.0/24 is presumably the Compose bridge. Docker
# user-defined bridges default to a /16, so containers above .0.255 would be
# denied; more importantly, connections that traverse docker-proxy (e.g. IPv6
# clients to an IPv4-only container, or loopback) can arrive with the bridge
# gateway as source and pass this allow — verify on the host before relying on it.
allow 172.18.0.0/24;
allow 192.168.200.0/24;
deny all;
|
|
```
|
|
|
|
## 6.3. /conf.d/default.conf
|
|
|
|
```nginx
|
|
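server {
    listen 443 ssl;
    server_name tuska298.dev;
    http2 on;

    # NEW: source-IP allow-list; server-level allow/deny is inherited by every
    # location below, including the shared /robots.txt one.
    include /etc/nginx/etc.d/deny.lan.conf;

    include /etc/nginx/etc.d/ssl.conf;
    include /etc/nginx/etc.d/robots.conf;

    # 503 was mistyped as 053, which fails `nginx -t` (codes must be 300-599).
    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # ...
}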
|
|
``` |