[리눅스] nginx http -> https 세팅 참고 예제
> nginx 설치 후 아래 설정 적용
<nginx.conf>
# Main (global) context: worker model and the default error-log / pid locations
# (the commented lines are the stock nginx.conf defaults).
#user nobody;
# 100 workers is far above the usual one-per-core setting (`worker_processes auto;`).
# NOTE(review): the C:/tools paths below suggest a Windows build, where reportedly
# only one worker process does any work — TODO confirm the intended value.
worker_processes 100;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
# Connection-handling context: each worker may hold up to 1024 simultaneous
# connections (clients and upstream connections both count against this).
events {
worker_connections 1024;
}
# http context: shared defaults for every virtual host, the port-80 catch-all that
# redirects to HTTPS, and the include of the HTTPS vhost (https_settings.conf).
http {
include mime.types;
default_type application/octet-stream;
# Access-log format. $http_x_forwarded_for is whatever the client put in
# X-Forwarded-For, i.e. untrusted text; it is not the verified client address.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
##
# Basic Settings
##
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
#types_hash_bucket_size 64;
#gzip on;
# Cache settings: on-disk proxy cache under the install directory, 10 MB of shared
# key memory, entries evicted after 2 minutes without access.
proxy_cache_path C:/tools/nginx-1.21.2/temp levels=1:2 keys_zone=my_zone:10m inactive=2m;
# The key has no cookie or Authorization component. NOTE(review): per-user upstream
# responses are kept apart only if the upstream marks them Cache-Control:
# private/no-store (or sets a cookie, which nginx does not cache by default) —
# confirm with the OCR service before relying on `proxy_cache my_zone`.
proxy_cache_key "$scheme$request_method$host$request_uri";
# Security settings
# Drops the nginx version from the Server header and built-in error pages.
server_tokens off;
# Strip fingerprinting headers from FastCGI and proxied upstream responses.
fastcgi_hide_header X-Powered-By;
fastcgi_hide_header X-Pingback;
fastcgi_hide_header Link;
proxy_hide_header X-Powered-By;
proxy_hide_header X-Pingback;
# Hides "X-Link" here but "Link" in the fastcgi list above — presumably the same
# header was meant in both; verify which one the upstream actually sends.
proxy_hide_header X-Link;
# add_header is not additive across contexts: a server or location that declares
# any add_header of its own stops inheriting this set. ssl.conf (included by the
# 443 server in https_settings.conf) and that server's `location /` both declare
# add_header, so these headers reach the HTTPS vhost only if repeated there; in
# this file they take effect only for the port-80 redirect below.
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
# Legacy header; current browsers ignore it and it is commonly disabled ("0").
add_header X-XSS-Protection "1; mode=block";
# Browsers ignore HSTS received over plain HTTP, and ssl.conf sets its own (longer,
# 63072000 s) value at server level for the HTTPS vhost, so this line is effectively
# inert; `always` means it is also added to error responses.
add_header Strict-Transport-Security "max-age=15768000" always;
server_names_hash_bucket_size 64;
server_names_hash_max_size 2048;
# server_name_in_redirect off;
##
# Logging Settings
##
access_log C:/tools/nginx-1.21.2/logs/access.log main;
error_log C:/tools/nginx-1.21.2/logs/error.log;
##
# Gzip Settings
##
# Applies to HTTPS responses as well. Responses that echo request data next to a
# secret (CSRF token, session id) should not be compressed (BREACH-style
# compression side channel); keep such content types out of gzip_types.
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
gzip_min_length 2048;
# Port-80 catch-all (no server_name): every plain-HTTP request is redirected to HTTPS.
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
# $host is taken from the client's Host header, so the redirect target is whatever
# host the client named. Since only payweb.kr is served over TLS (https_settings.conf),
# a fixed `https://payweb.kr$request_uri` would avoid redirecting to arbitrary hosts.
return 301 https://$host$request_uri;
}
}
##
# Include
##
# HTTPS vhost (upstream + 443 server); ssl.conf is included from there.
include https_settings.conf;
#include tablepay.conf;
}
<proxy_params>
# Headers forwarded to the upstream; included inside `location /` of the 443 server.
# Pass the client's Host header through (upstream sees the original vhost name).
proxy_set_header Host $http_host;
# Address of the TCP peer that nginx accepted — trustworthy only if nginx is the
# edge (no other proxy/load balancer in front of it).
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any X-Forwarded-For the client already sent; the upstream
# must trust only the last (rightmost) hop of this list.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Lets the upstream know the client connection was http or https.
proxy_set_header X-Forwarded-Proto $scheme;
<https_settings.conf>
# Backend for the OCR application (single local Tomcat-style listener on 6001).
upstream proxy_ocr {
# Sticks a client IP to the same server; a no-op while there is only one server.
ip_hash;
server localhost:6001;
# Idle upstream connections kept per worker. These are only used when the
# proxying location sets `proxy_http_version 1.1;` and an empty Connection
# header (`proxy_set_header Connection "";`) — see https_settings.conf.
keepalive 32;
}
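# HTTPS virtual host for payweb.kr: serves .html from `root`, blocks access to
# config/dotfiles, and reverse-proxies everything else to the proxy_ocr upstream.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name payweb.kr;
    # root html;
    root S:/tomcat9_wocr/public;
    index index.html index.htm;
    # Request bodies above 5 MB are rejected with 413.
    client_max_body_size 5M;
    # SSL settings (certificate, protocols, ciphers, HSTS, OCSP stapling)
    include ssl.conf;
    # add_header is not additive across contexts: ssl.conf declares HSTS at this
    # level, which stops the http-level set (nginx.conf) from being inherited, so
    # the browser hardening headers are repeated here.
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    location / {
        proxy_cache my_zone;
        # A client Cache-Control header (e.g. no-cache) skips the cache lookup.
        proxy_cache_bypass $http_cache_control;
        add_header X-Proxy-Cache $upstream_cache_status;
        # Wildcard CORS: any web origin may read these responses. Keep only if the
        # OCR API is meant to be public; otherwise list the allowed origins.
        add_header Access-Control-Allow-Origin *;
        # This location's own add_header directives drop the server-level set
        # (including HSTS from ssl.conf), so the full set is declared again.
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        include proxy_params;
        # Needed for the `keepalive 32` pool in the proxy_ocr upstream: reusing
        # upstream connections requires HTTP/1.1 and an empty Connection header
        # (proxy_params sets neither).
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_pass http://proxy_ocr;
        # 5-minute limits for connect / send / read against the upstream and for
        # sending the response to the client (OCR requests are presumably slow).
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        send_timeout 300;
        # charset utf-8;
        # Everything below is optional
        # if ($request_filename ~* ^.*?/([^/]*?)$) {
        # set $filename $1;
        # }
        # if ( $filename ~* ^.*?\.(eot)|(ttf)|(woff)$ ) {
        # add_header Access-Control-Allow-Origin *;
        # }
    }
    # favicon
    # location /favicon.ico {}
    # location /css/ {}
    # location /js/ {}
    # location /img/ {}
    # Override robots.txt from the nginx config (disallow all crawlers).
    # For a public website, allow the crawlers that should index it instead.
    location /robots.txt {
        return 200 "User-agent: *\nDisallow: /";
    }
    # Deny-rules. Regex locations are tried in order of appearance and take
    # precedence over the `location /` prefix, so these never reach the upstream.
    # (Original pattern was `/wp-conf*`, where `*` made the trailing "f"
    # optional; wp-config is presumably what was meant.)
    location ~ /wp-conf {
        return 404;
    }
    # Any path component starting with "." — .env, .env.local, .git, .htaccess,
    # .svn, ... (the original `/\.(env)*` already matched every such path, since
    # `(env)*` is optional). This also covers /.well-known/ (ACME HTTP-01
    # challenges); add `location ^~ /.well-known/ { ... }` above if those are needed.
    location ~ /\. {
        return 404;
    }
    # Config-like file extensions. Note this also 404s every *.xml request that
    # would otherwise be proxied to the OCR backend.
    location ~ \.(inc|ini|conf|cfg|xml|properties)$ {
        return 404;
    }
    location ~* \.(sh|csh|bash|zsh)$ {
        return 404;
    }
    # Enabling the block below makes the /robots.txt location above stop working.
    # location ~* \.(txt)$ {
    # include s3_params;
    # }
    # location ~* /.*\.(htm|html|css|js)$ {
    # include s3_params;
    # }
    # location ~ ^/(css|file|ico|img|js|newsimage)/ {
    # include s3_params;
    # }
    # *.html is served from `root` directly (not proxied); missing files are 404.
    location ~* \.(?:html)$ {
        try_files $uri $uri/ =404;
    }
}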
<ssl.conf>
1. SSL 인증서와 키를 저장한 경로를 ssl_certificate, ssl_certificate_key, ssl_trusted_certificate에 세팅해준다.
2. curl https://ssl-config.mozilla.org/ 에서 최신 txt를 다운 받은 후, 받은 파일명을 ssl_dhparam에 세팅해준다.
# TLS settings, included inside the 443 `server` block of https_settings.conf.
# generated 2021-09-02, Mozilla Guideline v5.6, nginx 1.21.2, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.21.2&config=intermediate&openssl=1.1.1k&guideline=5.6
# NOTE(review): `/.ssl/` is an absolute path at the filesystem (drive) root, not a
# directory next to nginx.conf — confirm the intended location. The certificate
# must also cover the vhost's `server_name payweb.kr`; a name mismatch makes
# clients reject the connection.
ssl_certificate /.ssl/api_paycoqocr.com.cer;
ssl_certificate_key /.ssl/api_paycoqocr.com.key;
ssl_session_timeout 5m;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
# Tickets off: avoids a long-lived ticket key undermining forward secrecy.
ssl_session_tickets off;
# DH_PARAM - if the certificate was issued by StartSSL, configure this only after
# 24 hours have passed since issuance.
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
# Relative name: resolved against nginx's configuration directory; an absolute
# path avoids surprises when the prefix changes.
ssl_dhparam dhparam;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
# nginx.conf also sets HSTS (max-age=15768000) at http level; this server-level
# value wins for this vhost. Beware that any `location` declaring its own
# add_header (e.g. `location /` in https_settings.conf) drops this header again
# unless it repeats it.
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
# NOTE(review): this points at the server certificate file itself. For
# ssl_stapling_verify it must contain the intermediate and root CA certificates;
# if the .cer holds only the leaf, stapling verification fails (nginx logs a
# warning and serves no staple). Use the CA chain file here — e.g. <path-to-ca-chain>.
ssl_trusted_certificate /.ssl/api_paycoqocr.com.cer;
# replace with the IP address of your resolver
# Used for OCSP responder lookups, over plain (unauthenticated) DNS to Google's
# public resolvers; an internal resolver keeps these lookups on the local network.
resolver 8.8.8.8 8.8.4.4;