Debian 9๋ฅผ ์๋ก ์ค์นํ ๋ lua-resty-auto-ssl์ ์ค์นํ๋ ค๊ณ ํ์ต๋๋ค.
๋๋ ๋ค์์ํ๋ค
# First attempt: Debian 9 with the distribution's own nginx package.
apt update
# The nginx this installs later rejects "lua_shared_dict" at config test time
# (systemd log below), i.e. this binary does not load the Lua module that the
# lua_shared_dict / *_by_lua_block directives in nginx.conf require.
apt install nginx
apt install build-essential
apt install luarocks
# Presumably installs only the Lua library; it cannot add the Lua module to
# nginx itself.
luarocks install lua-resty-auto-ssl
# Certificate storage directory. It has to be writable by the account named in
# nginx.conf's "user" directive (www-data below) — permission problems on this
# path are what the later comments in the thread run into.
mkdir /etc/resty-auto-ssl
chown www-data /etc/resty-auto-ssl
๊ทธ๋ฐ ๋ค์ /etc/nginx/nginx.conf๋ฅผ https://github.com/GUI/lua-resty-auto-ssl ์ฝ์ด๋ณด๊ธฐ์ ๊ฒ์๋ ์ต์ ์์ ๋ก ๋์ฒดํ์ต๋๋ค.
๊ทธ๋ฌ๋ nginx.conf์ ๋ด์ฉ์ ์ต์ํ์ ์์ ๋ก ๊ต์ฒดํ ํ nginx๋ ๋ ์ด์ ์์ํ ์ ์์ต๋๋ค.
๋๋ ์ป๋ค
root@vultr:/etc/nginx# /etc/init.d/nginx start
[....] Starting nginx (via systemctl): nginx.service
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.
failed!
root@vultr:/etc
root@vultr:/etc/nginx# systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sat 2019-02-02 20:17:41 UTC; 50s ago
Docs: man:nginx(8)
Process: 6606 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
Process: 483 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 6923 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Main PID: 496 (code=exited, status=0/SUCCESS)
Feb 02 20:17:41 vultr.guest systemd[1]: Starting A high performance web server and a reverse proxy server...
Feb 02 20:17:41 vultr.guest nginx[6923]: nginx: [emerg] unknown directive "lua_shared_dict" in /etc/nginx/nginx.conf:14
Feb 02 20:17:41 vultr.guest nginx[6923]: nginx: configuration file /etc/nginx/nginx.conf test failed
Feb 02 20:17:41 vultr.guest systemd[1]: nginx.service: Control process exited, code=exited status=1
Feb 02 20:17:41 vultr.guest systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Feb 02 20:17:41 vultr.guest systemd[1]: nginx.service: Unit entered failed state.
Feb 02 20:17:41 vultr.guest systemd[1]: nginx.service: Failed with result 'exit-code'.
๋ด nginx.conf์ ๋ด์ฉ
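user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
  worker_connections 1024;
}

http {
  # The "auto_ssl" shared dict should be defined with enough storage space to
  # hold your certificate data. 1MB of storage holds certificates for
  # approximately 100 separate domains.
  lua_shared_dict auto_ssl 1m;

  # The "auto_ssl_settings" shared dict is used to temporarily store various
  # settings like the secret used by the hook server on port 8999. Do not
  # change or omit it.
  lua_shared_dict auto_ssl_settings 64k;

  # A DNS resolver must be defined for OCSP stapling to function.
  #
  # This example uses Google's DNS server. You may want to use your system's
  # default DNS servers, which can be found in /etc/resolv.conf. If your
  # network is not IPv6 compatible, you may wish to disable IPv6 results by
  # using the "ipv6=off" flag (like "resolver 8.8.8.8 ipv6=off").
  resolver 8.8.8.8;

  # Initial setup tasks.
  init_by_lua_block {
    auto_ssl = (require "resty.auto-ssl").new()

    -- allow_domain decides which SNI names this host will request
    -- certificates for. The upstream example returns true unconditionally,
    -- which lets any client that sends an arbitrary SNI name make this host
    -- request a Let's Encrypt certificate for it; restrict it to the names
    -- this server really serves.
    -- PLACEHOLDER: replace "mydomain.com" with the real hostname(s).
    local allowed_domains = {
      ["mydomain.com"] = true,
    }
    auto_ssl:set("allow_domain", function(domain)
      return allowed_domains[domain] == true
    end)

    auto_ssl:init()
  }

  init_worker_by_lua_block {
    auto_ssl:init_worker()
  }

  # HTTPS server
  server {
    listen 443 ssl;

    # NOTE(review): no ssl_protocols / ssl_ciphers are set, so this build's
    # defaults apply — TODO pin TLSv1.2+ once the service starts cleanly.

    # Dynamic handler for issuing or returning certs for SNI domains.
    ssl_certificate_by_lua_block {
      auto_ssl:ssl_certificate()
    }

    # You must still define a static ssl_certificate file for nginx to start;
    # "nginx -t" fails with BIO_new_file(...) when the file is missing.
    #
    # You may generate a self-signed fallback with:
    #
    #   openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
    #     -subj '/CN=sni-support-required-for-valid-ssl' \
    #     -keyout /etc/ssl/resty-auto-ssl-fallback.key \
    #     -out /etc/ssl/resty-auto-ssl-fallback.crt
    #
    # Keep the .key file readable by its owner only.
    ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
    ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
  }

  # HTTP server
  server {
    listen 80;

    # Endpoint used for performing domain verification with Let's Encrypt.
    location /.well-known/acme-challenge/ {
      content_by_lua_block {
        auto_ssl:challenge_server()
      }
    }
  }

  # Internal server running on port 8999 for handling certificate tasks.
  # Bound to loopback only; it carries the hook-server secret and must not
  # be reachable from outside the host.
  server {
    listen 127.0.0.1:8999;

    # Increase the body buffer size, to ensure the internal POSTs can always
    # parse the full POST contents into memory.
    client_body_buffer_size 128k;
    client_max_body_size 128k;

    location / {
      content_by_lua_block {
        auto_ssl:hook_server()
      }
    }
  }
}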
๋ญ๊ฐ ์๋ชป๋๋์ง ์๊ฐํด?
nginx๊ฐ lua๋ฅผ ์ฌ๋ฐ๋ฅด๊ฒ ๋ก๋ํ์ง ์๋ ๊ฒ ๊ฐ์ต๋๋ค.
์ฌ๊ธฐ ๋ด dockerfile์ ์ฐ๋ถํฌ 16:04๋ฅผ ๊ธฐ๋ฐ์ผ๋ก ํฉ๋๋ค. ์๋ง๋ ๋์์ด ๋ ๊ฒ์ ๋๋ค.
https://pastebin.com/dnENPEaM
์ฌ๋ฐ๋ฅธ ์ค์ ์ผ๋ก ๊ตฌ์ฑ์ด ์ ๋๋ก ์๋ํด์ผ ํฉ๋๋ค.
nginx๊ฐ lua๋ฅผ ์ฌ๋ฐ๋ฅด๊ฒ ๋ก๋ํ์ง ์๋ ๊ฒ ๊ฐ์ต๋๋ค.
์ฌ๊ธฐ ๋ด dockerfile์ ์ฐ๋ถํฌ 16:04๋ฅผ ๊ธฐ๋ฐ์ผ๋ก ํฉ๋๋ค. ์๋ง๋ ๋์์ด ๋ ๊ฒ์ ๋๋ค.
https://pastebin.com/dnENPEaM
์ฌ๋ฐ๋ฅธ ์ค์ ์ผ๋ก ๊ตฌ์ฑ์ด ์ ๋๋ก ์๋ํด์ผ ํฉ๋๋ค.
๊ฐ์ฌํฉ๋๋ค. ํ์ผ์ ์๋ ๋ช ๋ น์ ์๋์ผ๋ก ์คํํ์ฌ ์ค์นํ๊ฒ ์ต๋๋ค. ๋ค๋ฅธ ๋ชจ๋ ๊ฒ๋ณด๋ค ๋จผ์ apt๋ฅผ ์ฌ์ฉํ์ฌ nginx๋ฅผ ์ค์นํด๋ ๊ด์ฐฎ์ต๋๊น?
๋๋ ๋น์ ์ ํ์ผ์ ๋ฐ๋ผ๊ฐ๊ธฐ ์์ํ์ง๋ง ์ด ์ค์ด ๋ฌด์์ ํ๋์ง ์ดํดํ์ง ๋ชปํฉ๋๋ค
# Each ADD copies a file from the Docker build context (the directory the
# Dockerfile is built from) into the image at the given path, at build time.
# The first two are nginx's standard MIME-type and FastCGI parameter includes,
# presumably referenced by the image's nginx.conf under /etc/nginx/.
ADD mime.types /etc/nginx/
ADD fastcgi_params /etc/nginx/
# start.sh is presumably the container's startup script (see the Dockerfile's
# CMD/ENTRYPOINT); it lands in /root/.
# NOTE(review): for plain local files COPY is preferred over ADD — ADD also
# unpacks tar archives and fetches URLs, which none of these need.
ADD ./start.sh /root/
๋๋ ๊ทธ ์์ ๊น์ง ๋ค๋ฅธ ๋ชจ๋ ๊ฒ์ํ๊ณ ์ค๋ฅ๊ฐ ์์์ต๋๋ค.
์๋ง๋ openresty๋ฅผ ์ฌ์ฉํ๋ ๊ฒ์ด ๋ ๋์ ๊ฒ์ ๋๋ค.
๋ถํํ๋ ์์ง ์ฑ๊ณตํ์ง ๋ชปํ์ต๋๋ค. Debian 9๋ฅผ ์๋ก ์ค์นํ ๋ ๋ค์์ ์ํํ์ต๋๋ค. ์ด๋ฒ์๋ Ngix๋ฅผ ์ค์นํ์ง ์๊ณ ๋์ Openresty๋ฅผ ์ค์นํ์ต๋๋ค.
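#!/usr/bin/env bash
# Second attempt: OpenResty (nginx bundled with the Lua module) from the
# upstream apt repository, then lua-resty-auto-ssl via luarocks.
# Run as root on Debian 9.
set -euo pipefail

apt-get update
apt-get -y upgrade

# Prerequisites: gnupg for --dearmor, lsb-release for the codename lookup.
apt-get -y install gnupg lsb-release

# Fetch the OpenResty signing key over HTTPS into its own keyring. The
# original `wget ... | apt-key add -` makes that key trusted for every apt
# source on the machine; with [signed-by=...] it only vouches for this
# repository.
install -d -m 0755 /usr/share/keyrings
wget -qO - https://openresty.org/package/pubkey.gpg \
  | gpg --dearmor > /usr/share/keyrings/openresty-archive-keyring.gpg

printf 'deb [signed-by=/usr/share/keyrings/openresty-archive-keyring.gpg] http://openresty.org/package/debian %s openresty\n' \
  "$(lsb_release -sc)" > /etc/apt/sources.list.d/openresty.list
apt-get update
apt-get -y install openresty

apt-get -y install luarocks build-essential
luarocks install lua-resty-auto-ssl

# Certificate/key storage for lua-resty-auto-ssl. It must be writable by the
# account named by nginx.conf's "user" directive (www-data here); fix the
# ownership rather than running the workers as root. The directory holds
# private keys, so keep it owner-only.
mkdir -p /etc/resty-auto-ssl
chown www-data:www-data /etc/resty-auto-ssl
chmod 0700 /etc/resty-auto-ssl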
๊ทธ๋ฐ ๋ค์ /etc/openresty/nginx.conf์ ๋ด์ฉ์ ๋ณ๊ฒฝํ์ต๋๋ค.
๊ทธ๋ฌ๋ ๋๋ ๊ทธ๊ฒ์ ์์ํ๋ ค๊ณ ์๋ํ ํ์ ๋ค์์ ์ป๋๋ค.
root@vultr:/etc/openresty# /etc/init.d/openresty start
[....] Starting openresty (via systemctl): openresty.service
Job for openresty.service failed because the control process exited with error code.
See "systemctl status openresty.service" and "journalctl -xe" for details.
failed!
๊ทธ๋ฆฌ๊ณ ์ค๋ฅ๋
root@vultr:~# systemctl status --no-pager --full openresty.service
● openresty.service - full-fledged web platform
Loaded: loaded (/lib/systemd/system/openresty.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sun 2019-02-03 19:44:22 UTC; 16min ago
Process: 18855 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /usr/local/openresty/nginx/logs/nginx.pid (code=exited, status=0/SUCCESS)
Process: 18886 ExecStartPre=/usr/local/openresty/nginx/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Main PID: 12782 (code=exited, status=0/SUCCESS)
Feb 03 19:44:22 vultr.guest systemd[1]: Starting full-fledged web platform...
Feb 03 19:44:22 vultr.guest nginx[18886]: nginx: [emerg] BIO_new_file("/etc/ssl/resty-auto-ssl-fallback.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/ssl/resty-auto-ssl-fallback.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
Feb 03 19:44:22 vultr.guest nginx[18886]: nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test failed
Feb 03 19:44:22 vultr.guest systemd[1]: openresty.service: Control process exited, code=exited status=1
Feb 03 19:44:22 vultr.guest systemd[1]: Failed to start full-fledged web platform.
Feb 03 19:44:22 vultr.guest systemd[1]: openresty.service: Unit entered failed state.
Feb 03 19:44:22 vultr.guest systemd[1]: openresty.service: Failed with result 'exit-code'.
๋๋ ๊ทธ๊ฒ์ ์คํํ์ฌ ์์ํ์ต๋๋ค.
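# Self-signed fallback certificate for the static ssl_certificate /
# ssl_certificate_key directives; nginx refuses to start without the files
# (the BIO_new_file error above). The CN is deliberately meaningless — real
# certificates are issued per SNI name by lua-resty-auto-ssl.
# openssl writes the key with the current umask, so create both files
# owner-only in a subshell and then open up only the public certificate.
(
  umask 077
  openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
    -subj '/CN=sni-support-required-for-valid-ssl' \
    -keyout /etc/ssl/resty-auto-ssl-fallback.key \
    -out /etc/ssl/resty-auto-ssl-fallback.crt
)
chmod 0644 /etc/ssl/resty-auto-ssl-fallback.crt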
๋ด๊ฐ ์ง๊ธ ์ง๋ฉดํ๊ณ ์๋ ์ ์ผํ ๋ฌธ์ ๋ https://mydomain.com์ผ๋ก ์ด๋ํ๋ ๊ฒฝ์ฐ ์ธ์ฆ์๊ฐ "sni-support-required-for-valid-ssl"์ ์ํ ๊ฒ์ด๋ฉฐ ๋ด ๋๋ฉ์ธ์ ๋ํ letsencrypt ์ธ์ฆ์๋ฅผ ์์ฑํ์ง ์๋ ๊ฒ์ฒ๋ผ ๋ณด์ ๋๋ค.
๊ถํ ๋ฌธ์ ์ ๋๋ค. nginx ์ฌ์ฉ์๋ฅผ ๋ฃจํธ๋ก ๋ณ๊ฒฝํ๋ฉด ๋ชจ๋ ๊ฒ์ด ์ ์๋ํฉ๋๋ค. ๊ณ ์น ์ ์๋ ๋ฐฉ๋ฒ์ ์ฐพ์ ๋ค์ ์ค์น ๊ฐ์ด๋๋ฅผ ์์ฑํ๊ฒ ์ต๋๋ค.
๋น์ ์ ๋์์ ์ฃผ์ ์ ๊ฐ์ฌํฉ๋๋ค. ๋์ค์ ์ฐธ์กฐํ ์ ์๋๋ก ๋จ๊ณ๋ณ ๊ฐ์ด๋๋ฅผ ์์ฑํ์ต๋๋ค.
๋ด nginx.conf์ ๋ด์ฉ
`์ฌ์ฉ์ www-๋ฐ์ดํฐ;
์์
์ ํ๋ก์ธ์ค ์๋;
pid /run/nginx.pid;
/etc/nginx/modules-enabled/*.conf ํฌํจ;
์ด๋ฒคํธ {
์์
์ ์ฐ๊ฒฐ 768;
}
http {
# ๊ธฐ๋ณธ ๊ตฌ์ฑ
์ผ๋ํ์ผ ์ผ๊ธฐ;
tcp_nopush on;
tcp_nodelay ์ผ์ง;
keepalive_timeout 65;
์ ํ_ํด์_์ต๋_ํฌ๊ธฐ 2048;
/etc/nginx/mime.types ํฌํจ;
default_type ์์ฉ ํ๋ก๊ทธ๋จ/์ฅํ
์คํธ๋ฆผ;
# SSL ๊ตฌ์ฑ
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers ์ผ์ง;
# ๋ก๊น
๊ตฌ์ฑ
log_format ์ฌ์ฉ์ ์ ์ '$remote_addr - $remote_user [$time_local] '
'"$์์ฒญ" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log ์ฌ์ฉ์ ์ ์;
error_log /var/log/nginx/error.log;
# zip
gzip ์ผ๊ธฐ;
# ๊ฐ์ ํธ์คํธ ์ค์
ํฌํจ /etc/nginx/conf.d/*.conf;
# Shared memory zone the prometheus library keeps its metrics in; its name is
# handed to .init() below.
lua_shared_dict prometheus_metrics 10M;
# NOTE(review): Lua code is loaded into nginx from a user's home directory.
# The workers (the account named by the "user" directive) must be able to read
# it, and anyone able to write to that directory can run code inside nginx —
# prefer a root-owned, non-writable path such as a directory under /etc/nginx/.
# The trailing ";;" keeps the default search path appended.
lua_package_path "/home/kunal/Documents/nginx-lua-prometheus/?.lua;;";
init_worker_by_lua_block {
prometheus = require("prometheus").init("prometheus_metrics")
-- NOTE(review): the three constructor calls below are machine-translated on
-- this page (everything after "prometheus", and the label names); in the real
-- file they are presumably prometheus:counter(...), prometheus:histogram(...)
-- and prometheus:gauge(...) with ASCII label names — verify against the file.
metric_requests = ํ๋ก๋ฉํ
์ฐ์ค:์นด์ดํฐ (
"nginx_http_requests_total", "HTTP ์์ฒญ ์", {"ํธ์คํธ", "์ํ"})
metric_latency = ํ๋ก๋ฉํ
์ฐ์ค:ํ์คํ ๊ทธ๋จ (
"nginx_http_request_duration_seconds", "HTTP ์์ฒญ ๋๊ธฐ ์๊ฐ", {"ํธ์คํธ"})
-- metric_connections is created here but not updated anywhere in this excerpt.
metric_connections = ํ๋ก๋ฉํ
์ฐ์ค:๊ฒ์ด์ง (
"nginx_http_connections", "HTTP ์ฐ๊ฒฐ ์", {"state"})
}
log_by_lua_block {
-- NOTE(review): "metric_ requests" and "metric_ latency" contain a space, so
-- as written Lua reads them as two tokens and this block fails to compile,
-- which by itself stops nginx from starting. If the space is only a rendering
-- artefact, the real file should read metric_requests:inc(...) and
-- metric_latency:observe(...).
metric_ requests:inc (1, {ngx.var.server_name, ngx.var.status})
metric_ latency:๊ด์ฐฐ (tonumber(ngx.var.request_time), {ngx.var.server_name})
}
`
์ฌ๊ธฐ์ ๋ฌด์์ด ์๋ชป๋์๋์ง์ ๋ํ ์ ์์ด ์์ต๋๊น?
๋น์ ์ ๋์์ ์ฃผ์ ์ ๊ฐ์ฌํฉ๋๋ค. ๋์ค์ ์ฐธ์กฐํ ์ ์๋๋ก ๋จ๊ณ๋ณ ๊ฐ์ด๋๋ฅผ ์์ฑํ์ต๋๋ค.
์๋ ํ์ธ์ @arya6000 ,
์ ๋ ๊ฐ์ ๋ฌธ์ ๋ฅผ ๊ฒช๊ณ ์์ง๋ง ๊ฒ์ํ ๋งํฌ๊ฐ ์ด์ ๊นจ์ก์ต๋๋ค :(
๋น์ ์ด ๋๋ฅผ ๋์ธ ์ ์๋ค๊ณ ์๊ฐํฉ๋๊น?