nginx/ja

From Gentoo Wiki
Jump to: navigation, search
This page is a translated version of the page Nginx and the translation is 58% complete.

Other languages:
Deutsch • ‎English • ‎español • ‎日本語 • ‎한국어 • ‎русский • ‎Türkçe • ‎中文(中国大陆)‎

Warning: Display title "nginx/ja" overrides earlier display title "Nginx".

nginx は強固で小さく高性能なウェブサーバ / リバースプロキシサーバです。Apachelighttpd と同様に支持されているウェブサーバとして良い選択肢です。

インストール

www-servers/nginx パッケージのインストールを始める前に、まずはNginx向けの適切なUSEフラグを設定します。

Expanded USE flags

Nginxはモジュールによって機能が拡張されます。このモジュールによるアプローチの管理をより簡潔にするために、nginxのebuildではexpanded USE (USE_EXPAND) flagsを用い、どのモジュールをインストールするか指定されます。

  • HTTP related modules can be enabled through the NGINX_MODULES_HTTP variable
  • Mail related modules can be enabled through the NGINX_MODULES_MAIL variable
  • Third party modules can be enabled through the NGINX_ADD_MODULES variable

これらの変数は/etc/portage/make.confに設定する必要があります。詳しい解説は /usr/portage/profiles/desc/nginx_modules_http.desc/usr/portage/profiles/desc/nginx_modules_mail.desc にあります。

例えば、fastcgiモジュールを有効にするには:

FILE /etc/portage/make.conf
NGINX_MODULES_HTTP="fastcgi"

The above will overwrite the default value of NGINX_MODULES_HTTP and set it to fastcgi. To enable the fastcgi module without overwriting the default NGINX_MODULES_HTTP value, the following USE flag notation can be specified in /etc/portage/package.use:

FILE /etc/portage/package.use
www-servers/nginx NGINX_MODULES_HTTP: fastcgi

USE フラグ

USE flags for www-servers/nginx Robust, small and high performance http and reverse proxy server

aio Enables file AIO support local
http Enable HTTP core support local
http-cache Enable HTTP cache support local
http2 Enable HTTP2 module support local
libatomic Use libatomic instead of builtin atomic operations local
luajit Use dev-lang/luajit instead of dev-lang/lua for lua support when building the lua http module. local
pcre-jit Enable JIT for pcre local
rtmp NGINX-based Media Streaming Server local
ssl Enable HTTPS module for http. Enable SSL/TLS support for POP3/IMAP/SMTP for mail. local
threads Add threads support for various packages. Usually pthreads global

Emerge

With the USE flags set, install www-servers/nginx:

root #emerge --ask www-servers/nginx

Installation verification

The default nginx configuration defines a virtual server with the root directory set to /var/www/localhost/htdocs. However due to bug #449136, the nginx ebuild will only create the /var/www/localhost directory and without an index file. To have a working default configuration, create the /var/www/localhost/htdocs directory and simple index file:

root #mkdir /var/www/localhost/htdocs
root #echo 'Hello, world!' > /var/www/localhost/htdocs/index.html

nginxパッケージはinitサービススクリプトをインストールし、それを使ってシステム管理者はnginxを停止、起動、及び再起動することができます。nginxサービスを起動するには次のコマンドを実行します:

root #/etc/init.d/nginx start

To verify that nginx is properly running, point a web browser to the http://localhost address or use a command-line web tool like curl:

user $curl http://localhost

設定

nginxの設定は/etc/nginx/nginx.confファイルを通して行います。

単一サイト利用

以下は、(PHPのような)ダイナミック生成を用いない単一サイト利用の例です。

FILE /etc/nginx/nginx.confGentooのデフォルト設定
user nginx nginx;
worker_processes 1;
  
error_log /var/log/nginx/error_log info;
  
events {
        worker_connections 1024;
        use epoll;
}
  
http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
  
        log_format main
                '$remote_addr - $remote_user [$time_local] '
                '"$request" $status $bytes_sent '
                '"$http_referer" "$http_user_agent" '
                '"$gzip_ratio"';
  
        client_header_timeout 10m;
        client_body_timeout 10m;
        send_timeout 10m;
  
        connection_pool_size 256;
        client_header_buffer_size 1k;
        large_client_header_buffers 4 2k;
        request_pool_size 4k;
  
        gzip on;
        gzip_min_length 1100;
        gzip_buffers 4 8k;
        gzip_types text/plain;
  
        output_buffers 1 32k;
        postpone_output 1460;
  
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
  
        keepalive_timeout 75 20;
  
        ignore_invalid_headers on;
  
        index index.html;
  
        server {
                listen 127.0.0.1;
                server_name localhost;
  
                access_log /var/log/nginx/localhost.access_log main;
                error_log /var/log/nginx/localhost.error_log info;
  
                root /var/www/localhost/htdocs;
        }
}

複数サイト利用

複数のファイルに設定を分割する為、includeディレクティブを利用することが可能です:

FILE /etc/nginx/nginx.conf複数サイト設定
user nginx nginx;
worker_processes 1;
   
error_log /var/log/nginx/error_log info;
  
events {
        worker_connections 1024;
        use epoll;
}
http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
  
        log_format main
                '$remote_addr - $remote_user [$time_local] '
                '"$request" $status $bytes_sent '
                '"$http_referer" "$http_user_agent" '
                '"$gzip_ratio"';
  
        client_header_timeout 10m;
        client_body_timeout 10m;
        send_timeout 10m;
  
        connection_pool_size 256;
        client_header_buffer_size 1k;
        large_client_header_buffers 4 2k;
        request_pool_size 4k;
  
        gzip on;
        gzip_min_length 1100;
        gzip_buffers 4 8k;
        gzip_types text/plain;
  
        output_buffers 1 32k;
        postpone_output 1460;
  
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
  
        keepalive_timeout 75 20;
  
        ignore_invalid_headers on;
  
        index index.html;
 
        include /etc/nginx/conf.d/*.conf;
}
FILE /etc/nginx/conf.d/local.conf単一ホスト
server {
        listen 127.0.0.1;
        server_name localhost;
  
        access_log /var/log/nginx/localhost.access_log main;
        error_log /var/log/nginx/localhost.error_log info;
  
        root /var/www/localhost/htdocs;
}
FILE /etc/nginx/conf.d/local-ssl.conf単一SSLホスト
server {
    listen 443 ssl;
    server_name host.tld;
    ssl_certificate /etc/ssl/nginx/host.tld.pem;
    ssl_certificate_key /etc/ssl/nginx/host.tld.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
    ssl_dhparam /etc/ssl/nginx/host.tld.dh4096.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
}

PHP サポート

PHPサポートを有効化する為には、次の行をnginxの設定ファイルに追加してください。この例ではnginxとPHPプロセスはUNIXソケットを介して情報を交換します。

FILE /etc/nginx/nginx.confPHPサポートの有効化
...
http {
...
    server { 
    ...
            location ~ \.php$ {
                       # Test for non-existent scripts or throw a 404 error
                       # Without this line, nginx will blindly send any request ending in .php to php-fpm
                       try_files $uri =404;
                       include /etc/nginx/fastcgi.conf;
                       fastcgi_pass unix:/run/php-fpm.socket;
           }
    }
}

To support this setup, PHP needs to be built with FastCGI Process Manager support (dev-lang/php), which is handled through the fpm USE flag:

root #echo "dev-lang/php fpm" >> /etc/portage/package.use

fpm USEフラグを有効にして PHP を再ビルドします:

root #emerge --ask dev-lang/php
Note
ここではUNIXソケット通信を使うことを選びます。これは推奨される設定でもあります

Review the /etc/php/fpm-php5.5/php-fpm.conf configuration and add following line:

FILE /etc/php/fpm-php5.5/php-fpm.confUNIXソケットサポートを用いて PHP を稼働させる
listen = /run/php-fpm.socket
listen.owner = nginx

Set the timezone in the php-fpm php.ini file. Substitute the <PUT_TIMEZONE_HERE> text in the FileBox below with the appropriate timezone information:

FILE /etc/php/fpm-php5.5/php.iniSetup timezone in php.ini
date.timezone = <PUT_TIMEZONE_HERE>

Start the php-fpm daemon:

root #/etc/init.d/php-fpm start

Add php-fpm to the default runlevel:

root #rc-update add php-fpm default

Reload nginx with changed configuration:

root #/etc/init.d/nginx reload

IP アドレスのアクセスリスト

The next example shows how to allow access to a particular URL (in this case /nginx_status) only to:

  • certain hosts (e.g. 192.0.2.1 127.0.0.1)
  • and IP networks (e.g. 198.51.100.0/24)
FILE /etc/nginx/nginx.confEnabling and configuring an IP access lists for /nginx_status page
http {
    server { 
            location /nginx_status {
                     stub_status on;
                     allow 127.0.0.1/32;
                     allow 192.0.2.1/32;
                     allow 198.51.100.0/24;
                     deny all;
             }
     }
}

ベーシック認証

nginx allows limiting access to resources by validating the user name and password:

FILE /etc/nginx/nginx.confEnabling and configuring user authentication for the / location
http {
    server { 
            location / {
                   auth_basic           "Authentication failed";
                   auth_basic_user_file conf/htpasswd;
             }
     }
}

The htpasswd file can be generated using:

user $openssl passwd

TLS サポート

It is warmly suggested to support only TLS and disable known insecure ciphers.

FILE /etc/nginx/nginx.confEnabling TLS and disabling insecure ciphers
server {
    listen 443;
    server_name host.tld;
    ssl on;
    ssl_certificate /etc/ssl/nginx/host.tld.pem;
    ssl_certificate_key /etc/ssl/nginx/host.tld.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
    ssl_dhparam /etc/ssl/nginx/host.tld.dh4096.pem;
}

The ebuild provides stock self signed certificates in /etc/ssl/nginx/

Forward secrecy

The diffie-hellman certificate can be created using openssl:

user $openssl dhparam -out dh4096.pem 4096

サードパーティー製モジュール

Download third party module source and move it to /usr/src. Manually compile the selected Nginx module, then add the following line to /etc/portage/make.conf:

FILE /etc/portage/make.confAdding third party module
NGINX_ADD_MODULES="/usr/src/nginxmodule"

Rebuild nginx with the third party module enabled:

root #emerge --ask www-servers/nginx

使い方

Service control

OpenRC

Start nginx:

root #/etc/init.d/nginx start

nginx の停止:

root #/etc/init.d/nginx stop

Add nginx to the default runlevel:

root #rc-update add nginx default

Restart the nginx service:

root #/etc/init.d/nginx restart

トラブルシューティング

In case of problems, the following commands can help troubleshoot the situation.

Validate configuration

Verify that the running nginx configuration has no errors:

root #/usr/sbin/nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

By running nginx with the -t option, it will validate the configuration file without actually starting the nginx daemon.

Verify processes are running

Check if nginx processes are running:

user $ps aux | egrep 'nginx|PID'
  PID TTY      STAT   TIME COMMAND
26092 ?        Ss     0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
26093 ?        S      0:00 nginx: worker proces

Verify bound addresses and ports

Verify nginx daemon is listening on the right TCP port (such as 80 for HTTP or 443 for HTTPS):

root #netstat -tulpen | grep :80
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      0          12336835   -26092/nginx: master

参考

  • Apache - インターネット上で最も多く使われている HTTP サーバー
  • Lighttpd - 高速かつ軽量なウェブサーバー

外部の情報