This is Gentoo's testing wiki. It is a non-operational environment and its textual content is outdated.
Please visit our production wiki at https://wiki.gentoo.org
nginx/ja
Warning: Display title "nginx/ja" overrides earlier display title "Nginx".
nginx は強固で小さく高性能なウェブサーバ / リバースプロキシサーバです。Apache や lighttpd と同様に支持されているウェブサーバとして良い選択肢です。
インストール
www-servers/nginx パッケージのインストールを始める前に、まずはNginx向けの適切なUSEフラグを設定します。
Expanded USE flags
Nginxはモジュールによって機能が拡張されます。このモジュールによるアプローチの管理をより簡潔にするために、nginxのebuildではexpanded USE (USE_EXPAND) flagsを用い、どのモジュールをインストールするか指定されます。
- HTTP related modules can be enabled through the NGINX_MODULES_HTTP variable
- Mail related modules can be enabled through the NGINX_MODULES_MAIL variable
- Third party modules can be enabled through the NGINX_ADD_MODULES variable
これらの変数は/etc/portage/make.confに設定する必要があります。詳しい解説は /usr/portage/profiles/desc/nginx_modules_http.desc と /usr/portage/profiles/desc/nginx_modules_mail.desc にあります。
例えば、fastcgiモジュールを有効にするには:
/etc/portage/make.confNGINX_MODULES_HTTP="fastcgi"
The above will overwrite the default value of NGINX_MODULES_HTTP and set it to fastcgi. To enable the fastcgi module without overwriting the default NGINX_MODULES_HTTP value, the following USE flag notation can be specified in /etc/portage/package.use:
/etc/portage/package.usewww-servers/nginx NGINX_MODULES_HTTP: fastcgi
USE フラグ
USE flags for www-servers/nginx Robust, small and high performance http and reverse proxy server
+http
|
Enable HTTP core support |
+http-cache
|
Enable HTTP cache support |
+http2
|
Enable HTTP2 module support |
+pcre2
|
Enable support for pcre2 |
aio
|
Enables file AIO support |
debug
|
Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces |
http3
|
Enable HTTP3 module support |
ktls
|
Enable Kernel TLS offload (kTLS) |
libatomic
|
Use libatomic instead of builtin atomic operations |
pcre
|
Add support for Perl Compatible Regular Expressions |
pcre-jit
|
Enable JIT for pcre |
rtmp
|
NGINX-based Media Streaming Server |
selinux
|
!!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur |
ssl
|
Enable HTTPS module for http. Enable SSL/TLS support for POP3/IMAP/SMTP for mail. |
test
|
Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently) |
threads
|
Add threads support for various packages. Usually pthreads |
vim-syntax
|
Pulls in related vim syntax scripts |
Emerge
With the USE flags set, install www-servers/nginx:
root #emerge --ask www-servers/nginxInstallation verification
The default nginx configuration defines a virtual server with the root directory set to /var/www/localhost/htdocs. However due to bug #449136, the nginx ebuild will only create the /var/www/localhost directory and without an index file. To have a working default configuration, create the /var/www/localhost/htdocs directory and simple index file:
root #mkdir /var/www/localhost/htdocs
root #echo 'Hello, world!' > /var/www/localhost/htdocs/index.html
nginxパッケージはinitサービススクリプトをインストールし、それを使ってシステム管理者はnginxを停止、起動、及び再起動することができます。nginxサービスを起動するには次のコマンドを実行します:
root #/etc/init.d/nginx startTo verify that nginx is properly running, point a web browser to the http://localhost address or use a command-line web tool like curl:
user $curl http://localhost設定
nginxの設定は/etc/nginx/nginx.confファイルを通して行います。
単一サイト利用
以下は、(PHPのような)ダイナミック生成を用いない単一サイト利用の例です。
/etc/nginx/nginx.confGentooのデフォルト設定user nginx nginx;
worker_processes 1;
error_log /var/log/nginx/error_log info;
events {
worker_connections 1024;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main
'$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$gzip_ratio"';
client_header_timeout 10m;
client_body_timeout 10m;
send_timeout 10m;
connection_pool_size 256;
client_header_buffer_size 1k;
large_client_header_buffers 4 2k;
request_pool_size 4k;
gzip on;
gzip_min_length 1100;
gzip_buffers 4 8k;
gzip_types text/plain;
output_buffers 1 32k;
postpone_output 1460;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 75 20;
ignore_invalid_headers on;
index index.html;
server {
listen 127.0.0.1;
server_name localhost;
access_log /var/log/nginx/localhost.access_log main;
error_log /var/log/nginx/localhost.error_log info;
root /var/www/localhost/htdocs;
}
}
複数サイト利用
複数のファイルに設定を分割する為、includeディレクティブを利用することが可能です:
/etc/nginx/nginx.conf複数サイト設定user nginx nginx;
worker_processes 1;
error_log /var/log/nginx/error_log info;
events {
worker_connections 1024;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main
'$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$gzip_ratio"';
client_header_timeout 10m;
client_body_timeout 10m;
send_timeout 10m;
connection_pool_size 256;
client_header_buffer_size 1k;
large_client_header_buffers 4 2k;
request_pool_size 4k;
gzip on;
gzip_min_length 1100;
gzip_buffers 4 8k;
gzip_types text/plain;
output_buffers 1 32k;
postpone_output 1460;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 75 20;
ignore_invalid_headers on;
index index.html;
include /etc/nginx/conf.d/*.conf;
}
/etc/nginx/conf.d/local.conf単一ホストserver {
listen 127.0.0.1;
server_name localhost;
access_log /var/log/nginx/localhost.access_log main;
error_log /var/log/nginx/localhost.error_log info;
root /var/www/localhost/htdocs;
}
/etc/nginx/conf.d/local-ssl.conf単一SSLホストserver {
listen 443 ssl;
server_name host.tld;
ssl_certificate /etc/ssl/nginx/host.tld.pem;
ssl_certificate_key /etc/ssl/nginx/host.tld.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
ssl_dhparam /etc/ssl/nginx/host.tld.dh4096.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
}
PHP サポート
PHPサポートを有効化する為には、次の行をnginxの設定ファイルに追加してください。この例ではnginxとPHPプロセスはUNIXソケットを介して情報を交換します。
/etc/nginx/nginx.confPHPサポートの有効化...
http {
...
server {
...
location ~ \.php$ {
# Test for non-existent scripts or throw a 404 error
# Without this line, nginx will blindly send any request ending in .php to php-fpm
try_files $uri =404;
include /etc/nginx/fastcgi.conf;
fastcgi_pass unix:/run/php-fpm.socket;
}
}
}
To support this setup, PHP needs to be built with FastCGI Process Manager support (dev-lang/php), which is handled through the fpm USE flag:
root #echo "dev-lang/php fpm" >> /etc/portage/package.usefpm USEフラグを有効にして PHP を再ビルドします:
root #emerge --ask dev-lang/phpここではUNIXソケット通信を使うことを選びます。これは推奨される設定でもあります
Review the /etc/php/fpm-php5.5/php-fpm.conf configuration and add following line:
/etc/php/fpm-php5.5/php-fpm.confUNIXソケットサポートを用いて PHP を稼働させるlisten = /run/php-fpm.socket listen.owner = nginx
Set the timezone in the php-fpm php.ini file. Substitute the <PUT_TIMEZONE_HERE> text in the FileBox below with the appropriate timezone information:
/etc/php/fpm-php5.5/php.iniSetup timezone in php.inidate.timezone = <PUT_TIMEZONE_HERE>
Start the php-fpm daemon:
root #/etc/init.d/php-fpm startAdd php-fpm to the default runlevel:
root #rc-update add php-fpm defaultReload nginx with changed configuration:
root #/etc/init.d/nginx reloadIP アドレスのアクセスリスト
The next example shows how to allow access to a particular URL (in this case /nginx_status) only to:
- certain hosts (e.g. 192.0.2.1 127.0.0.1)
- and IP networks (e.g. 198.51.100.0/24)
/etc/nginx/nginx.confEnabling and configuring an IP access lists for /nginx_status pagehttp {
server {
location /nginx_status {
stub_status on;
allow 127.0.0.1/32;
allow 192.0.2.1/32;
allow 198.51.100.0/24;
deny all;
}
}
}
ベーシック認証
nginx allows limiting access to resources by validating the user name and password:
/etc/nginx/nginx.confEnabling and configuring user authentication for the / locationhttp {
server {
location / {
auth_basic "Authentication failed";
auth_basic_user_file conf/htpasswd;
}
}
}
The htpasswd file can be generated using:
user $openssl passwdTLS サポート
It is warmly suggested to support only TLS and disable known insecure ciphers.
/etc/nginx/nginx.confEnabling TLS and disabling insecure ciphersserver {
listen 443;
server_name host.tld;
ssl on;
ssl_certificate /etc/ssl/nginx/host.tld.pem;
ssl_certificate_key /etc/ssl/nginx/host.tld.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
ssl_dhparam /etc/ssl/nginx/host.tld.dh4096.pem;
}
The ebuild provides stock self signed certificates in /etc/ssl/nginx/
Forward secrecy
The diffie-hellman certificate can be created using openssl:
user $openssl dhparam -out dh4096.pem 4096サードパーティー製モジュール
Download third party module source and move it to /usr/src. Manually compile the selected Nginx module, then add the following line to /etc/portage/make.conf:
/etc/portage/make.confAdding third party moduleNGINX_ADD_MODULES="/usr/src/nginxmodule"
Rebuild nginx with the third party module enabled:
root #emerge --ask www-servers/nginx使い方
Service control
OpenRC
Start nginx:
root #/etc/init.d/nginx startnginx の停止:
root #/etc/init.d/nginx stopAdd nginx to the default runlevel:
root #rc-update add nginx defaultRestart the nginx service:
root #/etc/init.d/nginx restartトラブルシューティング
In case of problems, the following commands can help troubleshoot the situation.
Validate configuration
Verify that the running nginx configuration has no errors:
root #/usr/sbin/nginx -tnginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
By running nginx with the -t option, it will validate the configuration file without actually starting the nginx daemon.
Verify processes are running
Check if nginx processes are running:
user $ps aux | egrep 'nginx|PID'PID TTY STAT TIME COMMAND 26092 ? Ss 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf 26093 ? S 0:00 nginx: worker proces
Verify bound addresses and ports
Verify nginx daemon is listening on the right TCP port (such as 80 for HTTP or 443 for HTTPS):
root #netstat -tulpen | grep :80tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 0 12336835 -26092/nginx: master
参考
外部の情報
- https://nginx.org/en/docs/beginners_guide.html - A nginx beginner's guide. Helpful for those who do not know much about nginx.
- https://nginx.com/resources/admin-guide/ - The ngnix administration guide. Helpful for web administrators who have been working in the field.
- http://wiki.nginx.org/Main - The nginx wiki.
- https://github.com/h5bp/server-configs-nginx - H5BP nginx config.