NGINX 設定ティップス

tk-fuse · 11月1、2019、08:02午前

NGINX設定ファイル

NGINXをリバースプロキシまたはウェブサーバとして使用するための設定ティップス。サーバセキュリティ、ロードバランサーとしての機能も併せ持つため、サーバ導入時には欠かせないオープンソースのサーバアプリです。

リバースプロキシ

ウェブサーバ

ロードバランサー

tk-fuse · 9月10、2020、12:11午後

HTTPベーシック認証によるアクセス制限

Securing HTTP Traffic to Upstream Servers

tk-fuse · 11月19、2019、07:22午前

Alphabetical index of variables

https://nginx.org/en/docs/varindex.html

tk-fuse · 1月16、2020、03:11午後

try_files

以下の例では、ロケーションで指定したデレクトリ内で、URIで表示された文字列を、まず初めにファイルとして検索、そのファイルが存在しない場合にはフォルダとして検索します。結果が一致した時点でその内容を返し、共に一致しなければ404を返します。

location / {
    try_files $uri $uri/ $uri.html =404;
}

ファイル、フォルダ名共にURIと一致しない場合、以下のようにプロキシーサーバに飛ばすことも出来ます。

location / {
    try_files $uri $uri/ @backend;
}

location @backend {
    proxy_pass http://backend.example.com;
}

Regular Expression正規表現参考

NGINX uses Perl Compatible Regular Expressions (PCRE).

tk-fuse · 1月17、2020、09:00午前

rootデレクティブとaliasディレクティブの違い

http://nginx.org/en/docs/http/ngx_http_core_module.html#alias

rootディレクティブ

location /static/ {
    root /var/www/app/;
    autoindex off;
}

rootで指定したディレクトリにlocationのディレクトリが追加されます。

/var/www/app/static

aliasディレクティブ

location /static/ {
    alias /var/www/app/static/;
    autoindex off;
}

locationのディレクトリがaliasのディレクトリを表します。

/var/www/app/static

tk-fuse · 1月21、2020、06:59午前

FastCGI Params

https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/

/etc/nginx/fastcgi_params
ファイル内で以下設定項目を確認すること。特にphpスクリプトを実行する上で、以下の設定がポイントとなります。（404が返ってきた場合はここを見直します）

fastcgi_param   SCRIPT_FILENAME         $document_root$fastcgi_script_name;

fastcgi_param   QUERY_STRING            $query_string;
fastcgi_param   REQUEST_METHOD          $request_method;
fastcgi_param   CONTENT_TYPE            $content_type;
fastcgi_param   CONTENT_LENGTH          $content_length;

fastcgi_param   SCRIPT_FILENAME         $document_root$fastcgi_script_name;
fastcgi_param   SCRIPT_NAME             $fastcgi_script_name;
fastcgi_param   PATH_INFO               $fastcgi_path_info;
fastcgi_param   PATH_TRANSLATED         $document_root$fastcgi_path_info;
fastcgi_param   REQUEST_URI             $request_uri;
fastcgi_param   DOCUMENT_URI            $document_uri;
fastcgi_param   DOCUMENT_ROOT           $document_root;
fastcgi_param   SERVER_PROTOCOL         $server_protocol;

fastcgi_param   GATEWAY_INTERFACE       CGI/1.1;
fastcgi_param   SERVER_SOFTWARE         nginx/$nginx_version;

fastcgi_param   REMOTE_ADDR             $remote_addr;
fastcgi_param   REMOTE_PORT             $remote_port;
fastcgi_param   SERVER_ADDR             $server_addr;
fastcgi_param   SERVER_PORT             $server_port;
fastcgi_param   SERVER_NAME             $server_name;

fastcgi_param   HTTPS                   $https;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param   REDIRECT_STATUS         200;

fastcgi_paramの設定については以下も参考にして下さい。

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
or
fastcgi_param SCRIPT_FILENAME $request_filename;

Example

You get the request /info/ and have the following configuration:

fastcgi_index  index.php;
fastcgi_param  SCRIPT_FILENAME  /home/www/scripts/php$fastcgi_script_name;

SCRIPT_FILENAME would equal /home/www/scripts/php/info/index.php , but using $request_filename it would just be /home/www/scripts/php/info/ .

The configuration of fastcgi_split_path_info is important as well. See here for further help: https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info

tk-fuse · 2月7、2020、09:11午前

ヘッダー読み取りエラー

デフォルトでNginxはアンダースコア"_"を含むヘッダーは読み込まない。
Nginxの設定ファイルに “underscores_in_headers on;” を追加。

underscores_in_headers
https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers

Ex)

gist.github.com

https://gist.github.com/zeroed/8554827

nginx.sample.conf


upstream foo_app {
  server 127.0.0.1:3000;
}

server {
   listen 80;
#  listen [::]:80 default_server ipv6only=on;

   root /home/user/foo/foo_web/public;

This file has been truncated. show original

upstream foo_app {
  server 127.0.0.1:3000;
}

server {
   listen 80;
#  listen [::]:80 default_server ipv6only=on;

   root /home/user/foo/foo_web/public;

   server_name foo.it  www.foo.it;
   underscores_in_headers on;
   client_max_body_size 4g;

   location ~ ^/(assets)/ {
      gzip_static on;
      expires max;
      add_header Cache-Control public;
      }
   location / {
     proxy_set_header  X-Real-IP  $remote_addr;
     proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header  Host $http_host;

     proxy_connect_timeout 300;
     proxy_read_timeout 300;


     proxy_pass_request_headers on;
     proxy_pass http://foo_app;

     }
}

tk-fuse · 2月8、2020、03:07午前

NginxにおけるApacheのgetallheaders()代替案

https://www.php.net/manual/en/function.getallheaders.php#84262

<?php
if (!function_exists('getallheaders'))
{
    function getallheaders()
    {
           $headers = [];
       foreach ($_SERVER as $name => $value)
       {
           if (substr($name, 0, 5) == 'HTTP_')
           {
               $headers[str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))))] = $value;
           }
       }
       return $headers;
    }
}
?>

tk-fuse · 2月10、2020、02:10午前

HTTP Digest Authentication

https://www.nginx.com/resources/wiki/modules/auth_digest/

標準モジュールではないため、別途インストールが必要。

github.com

atomx/nginx-http-auth-digest/blob/master/readme.rst

==================================
Nginx Digest Authentication module
==================================

Changes from other forks
========================
Bug fixes
`1 <https://github.com/samizdatco/nginx-http-auth-digest/commit/9d77dcc58420d5afb8aa5a8138b1bf22a1933dd6>`_, 
`2 <https://github.com/samizdatco/nginx-http-auth-digest/commit/b98725d3d0506c895f6a9f9d38f9168d499275fc>`_,
`3 <https://github.com/samizdatco/nginx-http-auth-digest/commit/47d5bac13cf071b4dbe81048b0f12a742ba512ae>`_

`Added log message for invalid login attempts <https://github.com/samizdatco/nginx-http-auth-digest/commit/9a402045082291c1f2f0a432ac24475277e2d176>`_

Description
===========
The ``ngx_http_auth_digest`` module supplements Nginx_'s built-in Basic Authentication `module`_ by providing support for `RFC`_ 2617 `Digest Authentication`_. The module is currently functional but has only been tested and reviewed by its author. And given that this is security code, one set of eyes is almost certainly insufficient to guarantee that it's 100% correct. Until a few bug reports come in and some of the ‘unknown unknowns’ in the code are flushed out, consider this module an ‘alpha’ and treat it with the appropriate amount of skepticism.

A listing of known issues with the module can be found in the ``bugs.txt`` file as well as in the `Issue Tracker`_. Please do consider contributing a patch if you have the time and inclination. Any help fixing the bugs or changing the implementation to a more idiomatically nginx-y one would be greatly appreciated.

Dependencies

This file has been truncated. show original

tk-fuse · 6月10、2020、08:23午前

Nginx: 413 – Request Entity Too Large

/etc/nginx/conf.d/dfault.conf内のlocationブロックで以下指定

client_max_body_size 20M;

tk-fuse · 9月9、2020、02:44午後

Setting up SSL with nginx reverse proxy

server {
     listen 443 ssl default_server;
     listen [::]:443 ssl default_server;

     root /var/www/html;
     index index.php index.js index.html index.htm index.nginx-debian.html;
     server_name domain.com www.domain.com;
     ssl_certificate /ssl/domain.com.chained.crt;
     ssl_certificate_key /ssl/domain.com.key;

    location / {
        proxy_pass http://localhost:8000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /wordpress {
        proxy_pass http://localhost:8090;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}