nginx/ja

From Gentoo Wiki

nginx is a robust, small and high-performance web server and reverse proxy server. Like Apache and lighttpd, it is a well-supported web server and a good choice.

Installation

Before installing the www-servers/nginx package, first set the appropriate USE flags for Nginx.

Expanded USE flags

Nginx's functionality is extended through modules. To make this modular approach easier to manage, the nginx ebuild uses expanded USE (USE_EXPAND) flags to specify which modules are installed.

  • HTTP related modules can be enabled through the NGINX_MODULES_HTTP variable
  • Mail related modules can be enabled through the NGINX_MODULES_MAIL variable
  • Third party modules can be enabled through the NGINX_ADD_MODULES variable

These variables need to be set in /etc/portage/make.conf. Detailed descriptions are available in /usr/portage/profiles/desc/nginx_modules_http.desc and /usr/portage/profiles/desc/nginx_modules_mail.desc.

For example, to enable the fastcgi module:

FILE /etc/portage/make.conf
NGINX_MODULES_HTTP="fastcgi"

The above will overwrite the default value of NGINX_MODULES_HTTP and set it to fastcgi. To enable the fastcgi module without overwriting the default NGINX_MODULES_HTTP value, the following USE flag notation can be specified in /etc/portage/package.use:

FILE /etc/portage/package.use
www-servers/nginx NGINX_MODULES_HTTP: fastcgi

USE flags

USE flags for www-servers/nginx (Robust, small and high performance http and reverse proxy server)

  • aio: Enables file AIO support (local)
  • http: Enable HTTP core support (local)
  • http-cache: Enable HTTP cache support (local)
  • http2: Enable HTTP2 module support (local)
  • libatomic: Use libatomic instead of builtin atomic operations (local)
  • luajit: Use dev-lang/luajit instead of dev-lang/lua for lua support when building the lua http module (local)
  • pcre-jit: Enable JIT for pcre (local)
  • rtmp: NGINX-based Media Streaming Server (local)
  • selinux: !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur (global)
  • ssl: Enable HTTPS module for http. Enable SSL/TLS support for POP3/IMAP/SMTP for mail (local)
  • vim-syntax: Pulls in related vim syntax scripts (global)

Emerge

With the USE flags set, install www-servers/nginx:

root #emerge --ask www-servers/nginx

Installation verification

The default nginx configuration defines a virtual server with the root directory set to /var/www/localhost/htdocs. However, due to bug #449136, the nginx ebuild only creates the /var/www/localhost directory and does not create an index file. To have a working default configuration, create the /var/www/localhost/htdocs directory and a simple index file:

root #mkdir /var/www/localhost/htdocs
root #echo 'Hello, world!' > /var/www/localhost/htdocs/index.html

The nginx package installs an init service script, which the system administrator can use to stop, start and restart nginx. To start the nginx service, run the following command:

root #/etc/init.d/nginx start

To verify that nginx is properly running, point a web browser to the http://localhost address or use a command-line web tool like curl:

user $curl http://localhost

Configuration

nginx is configured through the /etc/nginx/nginx.conf file.

Single site usage

The following is an example of single-site usage without dynamic content generation (such as PHP).

FILE /etc/nginx/nginx.conf - Gentoo default configuration
user nginx nginx;
worker_processes 1;
  
error_log /var/log/nginx/error_log info;
  
events {
        worker_connections 1024;
        use epoll;
}
  
http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
  
        log_format main
                '$remote_addr - $remote_user [$time_local] '
                '"$request" $status $bytes_sent '
                '"$http_referer" "$http_user_agent" '
                '"$gzip_ratio"';
  
        client_header_timeout 10m;
        client_body_timeout 10m;
        send_timeout 10m;
  
        connection_pool_size 256;
        client_header_buffer_size 1k;
        large_client_header_buffers 4 2k;
        request_pool_size 4k;
  
        gzip on;
        gzip_min_length 1100;
        gzip_buffers 4 8k;
        gzip_types text/plain;
  
        output_buffers 1 32k;
        postpone_output 1460;
  
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
  
        keepalive_timeout 75 20;
  
        ignore_invalid_headers on;
  
        index index.html;
  
        server {
                listen 127.0.0.1;
                server_name localhost;
  
                access_log /var/log/nginx/localhost.access_log main;
                error_log /var/log/nginx/localhost.error_log info;
  
                root /var/www/localhost/htdocs;
        }
}
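The "main" log_format defined above decides what ends up in /var/log/nginx/localhost.access_log, and it is the format any log analysis or detection tooling has to parse. The following Python script is an added example, not part of the wiki page or of nginx: it parses lines written in exactly this format and counts error responses per client address, a common first triage view when a host is being probed. The sample log lines are constructed, not real traffic, and the function names are made up for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Regular expression matching the "main" log_format from the configuration
# above. nginx escapes '"' and '\' inside logged variables as \xHH, so a
# quoted field never contains a raw double quote and [^"]* is safe.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<gzip_ratio>[^"]*)"$'
)

# Constructed sample lines in the "main" format (not real traffic). The last
# line is deliberately malformed to show how unparsable input is handled.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.1.2" "-"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 404 153 "-" "curl/8.1.2" "-"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /does-not-exist HTTP/1.1" 404 153 "-" "curl/8.1.2" "-"
198.51.100.4 - alice [10/Oct/2023:13:56:01 +0000] "POST /upload HTTP/1.1" 201 0 "http://localhost/" "Mozilla/5.0" "2.31"
this line is not in the main format
"""


def parse_line(line):
    """Parse one access_log line; return a dict of fields or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    # $request is "METHOD PATH PROTOCOL" for well-formed requests; nginx logs
    # "-" or a partial string for broken ones, so do not assume three parts.
    parts = rec["request"].split(" ")
    if len(parts) == 3:
        rec["method"], rec["path"], rec["protocol"] = parts
    else:
        rec["method"], rec["path"], rec["protocol"] = "", rec["request"], ""
    rec["status"] = int(rec["status"])
    rec["bytes_sent"] = int(rec["bytes_sent"])
    rec["time_local"] = datetime.strptime(rec["time_local"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(text):
    """Parse a whole log; return (records, number_of_unparsable_lines)."""
    records, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        else:
            records.append(rec)
    return records, unparsed


def error_counts_by_client(records, min_status=400):
    """Count responses with status >= min_status per client address.

    A client that accumulates many 4xx responses in a short window is a
    common sign of path probing, so this is a useful first triage view.
    """
    return dict(Counter(r["remote_addr"] for r in records if r["status"] >= min_status))


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} records, {bad} unparsable line(s)")
    for addr, n in error_counts_by_client(recs).items():
        print(f"{addr}: {n} error responses")
```

Unparsable lines are counted rather than silently dropped; a sudden rise in that counter usually means the log_format was changed without updating the parser, which would otherwise hide events from any downstream alerting.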

Multiple site usage

The include directive can be used to split the configuration across multiple files:

FILE /etc/nginx/nginx.conf - Multiple site configuration
user nginx nginx;
worker_processes 1;
   
error_log /var/log/nginx/error_log info;
  
events {
        worker_connections 1024;
        use epoll;
}
http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
  
        log_format main
                '$remote_addr - $remote_user [$time_local] '
                '"$request" $status $bytes_sent '
                '"$http_referer" "$http_user_agent" '
                '"$gzip_ratio"';
  
        client_header_timeout 10m;
        client_body_timeout 10m;
        send_timeout 10m;
  
        connection_pool_size 256;
        client_header_buffer_size 1k;
        large_client_header_buffers 4 2k;
        request_pool_size 4k;
  
        gzip on;
        gzip_min_length 1100;
        gzip_buffers 4 8k;
        gzip_types text/plain;
  
        output_buffers 1 32k;
        postpone_output 1460;
  
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
  
        keepalive_timeout 75 20;
  
        ignore_invalid_headers on;
  
        index index.html;
 
        include /etc/nginx/conf.d/*.conf;
}
FILE /etc/nginx/conf.d/local.conf - Single host
server {
        listen 127.0.0.1;
        server_name localhost;
  
        access_log /var/log/nginx/localhost.access_log main;
        error_log /var/log/nginx/localhost.error_log info;
  
        root /var/www/localhost/htdocs;
}
FILE /etc/nginx/conf.d/local-ssl.conf - Single SSL host
server {
    listen 443 ssl;
    server_name host.tld;
    ssl_certificate /etc/ssl/nginx/host.tld.pem;
    ssl_certificate_key /etc/ssl/nginx/host.tld.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
    ssl_dhparam /etc/ssl/nginx/host.tld.dh4096.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
}

PHP support

To enable PHP support, add the following lines to the nginx configuration file. In this example nginx and the PHP process exchange information over a UNIX socket.

FILE /etc/nginx/nginx.conf - Enabling PHP support
...
http {
    ...
    server {
        ...
        location ~ \.php$ {
            # Test for non-existent scripts or throw a 404 error
            # Without this line, nginx will blindly send any request ending in .php to php-fpm
            try_files $uri =404;
            include /etc/nginx/fastcgi.conf;
            fastcgi_pass unix:/run/php-fpm.socket;
        }
    }
}

To support this setup, PHP needs to be built with FastCGI Process Manager support (dev-lang/php), which is handled through the fpm USE flag:

root #echo "dev-lang/php fpm" >> /etc/portage/package.use

Rebuild PHP with the fpm USE flag enabled:

root #emerge --ask dev-lang/php

Note
UNIX socket communication is used here; this is also the recommended setup.

Review the /etc/php/fpm-php5.5/php-fpm.conf configuration and add the following lines:

FILE /etc/php/fpm-php5.5/php-fpm.conf - Running PHP with UNIX socket support
listen = /run/php-fpm.socket
listen.owner = nginx

Set the timezone in the php-fpm php.ini file. Substitute the <PUT_TIMEZONE_HERE> text in the file below with the appropriate timezone:

FILE /etc/php/fpm-php5.5/php.ini - Setting the timezone in php.ini
date.timezone = <PUT_TIMEZONE_HERE>

Start the php-fpm daemon:

root #/etc/init.d/php-fpm start

Add php-fpm to the default runlevel:

root #rc-update add php-fpm default

Reload nginx with changed configuration:

root #/etc/init.d/nginx reload

IP address access lists

The next example shows how to allow access to a particular URL (in this case /nginx_status) only to:

  • certain hosts (e.g. 192.0.2.1 and 127.0.0.1)
  • and IP networks (e.g. 198.51.100.0/24)

FILE /etc/nginx/nginx.conf - Enabling and configuring an IP access list for the /nginx_status page
http {
    server {
        location /nginx_status {
            stub_status on;
            allow 127.0.0.1/32;
            allow 192.0.2.1/32;
            allow 198.51.100.0/24;
            deny all;
        }
    }
}
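nginx evaluates allow and deny directives in the order they appear and stops at the first match; when no rule matches, the request is allowed, which is why the trailing "deny all" is what turns the list into an allow-list. The following Python script is an added example, not part of the wiki page or of nginx: it re-implements that matching order over the location block above and over a constructed misordered variant, so the effect of rule order can be checked without a running server. The parser and the function names are made up for this example.

```python
import ipaddress

# The /nginx_status location from the configuration above, copied here as
# sample input so the example runs offline.
STATUS_LOCATION = """
location /nginx_status {
    stub_status on;
    allow 127.0.0.1/32;
    allow 192.0.2.1/32;
    allow 198.51.100.0/24;
    deny all;
}
"""

# Constructed counter-example: the same rules with "deny all" placed first.
# Because the first matching rule wins, nobody can reach the page.
MISORDERED_LOCATION = """
location /nginx_status {
    stub_status on;
    deny all;
    allow 127.0.0.1/32;
    allow 192.0.2.1/32;
    allow 198.51.100.0/24;
}
"""


def parse_access_rules(block):
    """Return the allow/deny directives of a location block, in file order.

    Each rule is (action, network) where network is None for "all".
    A bare address such as "allow 192.0.2.1;" is accepted as a /32 (or /128).
    """
    rules = []
    for raw in block.splitlines():
        line = raw.strip()
        if not line.endswith(";"):
            continue
        parts = line[:-1].split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            continue
        action, target = parts
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def is_allowed(rules, client_ip):
    """Evaluate rules the way ngx_http_access_module does: first match wins.

    If no rule matches, access is granted, which is why a trailing
    "deny all" is needed to make the list a real allow-list.
    """
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (net.version == addr.version and addr in net):
            return action == "allow"
    return True


if __name__ == "__main__":
    rules = parse_access_rules(STATUS_LOCATION)
    for ip in ("127.0.0.1", "192.0.2.1", "192.0.2.2", "198.51.100.77", "203.0.113.9", "::1"):
        print(f"{ip:>14}: {'allow' if is_allowed(rules, ip) else 'deny'}")
    misordered = parse_access_rules(MISORDERED_LOCATION)
    print("misordered, 127.0.0.1:", "allow" if is_allowed(misordered, "127.0.0.1") else "deny")
```

Note that an IPv6 client such as ::1 is denied by the page's rules even though loopback is intended to be allowed, because the allow entries are IPv4 only; if nginx also listens on [::1], a matching "allow ::1;" line is needed.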

Basic authentication

nginx allows limiting access to resources by validating the user name and password:

FILE /etc/nginx/nginx.conf - Enabling and configuring user authentication for the / location
http {
    server {
        location / {
            auth_basic           "Authentication failed";
            auth_basic_user_file conf/htpasswd;
        }
    }
}

The password hash for each entry in the htpasswd file (one user:hash per line) can be generated using:

user $openssl passwd

TLS support

It is strongly recommended to support only TLS and to disable known insecure ciphers.

FILE /etc/nginx/nginx.conf - Enabling TLS and disabling insecure ciphers
server {
    listen 443;
    server_name host.tld;
    ssl on;
    ssl_certificate /etc/ssl/nginx/host.tld.pem;
    ssl_certificate_key /etc/ssl/nginx/host.tld.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
    ssl_dhparam /etc/ssl/nginx/host.tld.dh4096.pem;
}

The ebuild provides stock self-signed certificates in /etc/ssl/nginx/.
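The two TLS server blocks on this page (the local-ssl.conf example above and the one in this section) still enable TLS 1.0 and TLS 1.1, which RFC 8996 has since deprecated, and list RC4 cipher suites, which RFC 7465 prohibits in TLS; this section's block also uses "ssl on", which nginx made obsolete in 1.15.0 in favour of the "listen 443 ssl" form used in the earlier example. The following Python script is an added example, not part of the wiki page or of nginx: it scans a server block for those settings and reports them, and runs the check against the page's block and against a constructed hardened variant. The directive parser, the hardened block and the function names are made up for this example.

```python
# Protocol versions retired by the IETF: SSLv2 (RFC 6176), SSLv3 (RFC 7568),
# TLS 1.0 and TLS 1.1 (RFC 8996).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# The server block from the TLS support section above, copied as sample input.
PAGE_SERVER_BLOCK = """
server {
    listen 443;
    server_name host.tld;
    ssl on;
    ssl_certificate /etc/ssl/nginx/host.tld.pem;
    ssl_certificate_key /etc/ssl/nginx/host.tld.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
    ssl_dhparam /etc/ssl/nginx/host.tld.dh4096.pem;
}
"""

# Constructed hardened variant (not from the page): TLS 1.2/1.3 only and
# AEAD suites with forward secrecy. TLSv1.3 needs nginx 1.13.0+ built against
# OpenSSL 1.1.1 or newer.
HARDENED_SERVER_BLOCK = """
server {
    listen 443 ssl;
    server_name host.tld;
    ssl_certificate /etc/ssl/nginx/host.tld.pem;
    ssl_certificate_key /etc/ssl/nginx/host.tld.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_dhparam /etc/ssl/nginx/host.tld.dh4096.pem;
}
"""


def directives(block):
    """Yield (name, args) for every simple directive, i.e. a line ending in ';'."""
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.endswith(";"):
            continue
        parts = line[:-1].split()
        yield parts[0], parts[1:]


def lint_tls(block):
    """Return human-readable findings for weak or obsolete TLS settings."""
    findings = []
    for name, args in directives(block):
        if name == "ssl" and args == ["on"]:
            findings.append("'ssl on;' is obsolete (deprecated in nginx 1.15.0); "
                            "use the ssl parameter of listen instead")
        elif name == "ssl_protocols":
            for proto in args:
                if proto in DEPRECATED_PROTOCOLS:
                    findings.append(f"ssl_protocols enables deprecated {proto}")
        elif name == "ssl_ciphers":
            # OpenSSL cipher strings are ':'-separated; entries starting with
            # '!' remove suites and therefore do not enable anything.
            for entry in ":".join(args).split(":"):
                if entry.startswith("!"):
                    continue
                if "RC4" in entry.upper():
                    findings.append(f"ssl_ciphers enables RC4 suite {entry} (prohibited by RFC 7465)")
    return findings


if __name__ == "__main__":
    for label, block in (("page block", PAGE_SERVER_BLOCK), ("hardened block", HARDENED_SERVER_BLOCK)):
        found = lint_tls(block)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

The check is deliberately limited to settings whose status is documented by the IETF or by nginx itself; after editing the real configuration, "nginx -t" (see Troubleshooting below) confirms the file still parses, and "openssl s_client -connect host.tld:443 -tls1_1" against the restarted server should then fail to negotiate.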

Forward secrecy

The Diffie-Hellman parameters file can be created using openssl:

user $openssl dhparam -out dh4096.pem 4096

Third party modules

Download third party module source and move it to /usr/src. Manually compile the selected Nginx module, then add the following line to /etc/portage/make.conf:

FILE /etc/portage/make.conf - Adding a third party module
NGINX_ADD_MODULES="/usr/src/nginxmodule"

Rebuild nginx with the third party module enabled:

root #emerge --ask www-servers/nginx

Usage

Service control

OpenRC

Start nginx:

root #/etc/init.d/nginx start

Stop nginx:

root #/etc/init.d/nginx stop

Add nginx to the default runlevel:

root #rc-update add nginx default

Restart the nginx service:

root #/etc/init.d/nginx restart

Troubleshooting

In case of problems, the following commands can help troubleshoot the situation.

Validate configuration

Verify that the running nginx configuration has no errors:

root #/usr/sbin/nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Running nginx with the -t option validates the configuration file without actually starting the nginx daemon.

Verify processes are running

Check if nginx processes are running:

user $ps aux | egrep 'nginx|PID'
  PID TTY      STAT   TIME COMMAND
26092 ?        Ss     0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
26093 ?        S      0:00 nginx: worker proces

Verify bound addresses and ports

Verify nginx daemon is listening on the right TCP port (such as 80 for HTTP or 443 for HTTPS):

root #netstat -tulpen | grep :80
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      0          12336835   -26092/nginx: master

See also

  • Apache - The most widely used HTTP server on the Internet
  • Lighttpd - A fast and lightweight web server

External resources