Nginx



Location directive

Maps requests to the service that handles them.

  • ~ regular expression (case-sensitive)
  • ~* regular expression (case-insensitive)

An example location directive that handles requests ending in .php

    location ~ \.(php)$ {
        root /usr/share/nginx/html/jopenbusiness;
        try_files $uri =404;
        # 생략 ("omitted") marks a part of the socket path that the author left out
        fastcgi_pass unix:/var/opt/생략/run/php-fpm/www.sock;
        fastcgi_index index.php;
        fastcgi_read_timeout 180;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;

        include fastcgi.conf;
    }

An example location directive that handles requests that start with /mediawiki/ and end in .[omitted]

    location ~* ^/mediawiki/.*\.(js|css|png|jpg|jpeg|gif|ico|html|htm)$ {
        try_files $uri /mediawiki/index.php?title=$1&$args;
        expires max;
        log_not_found off;
    }

TLS (Transport Layer Security) 1.2/1.3 support


How to apply the TLS upgrade

    #--- Check the currently installed software versions
    #---     Nginx   1.16.1 / 1.16.1 / 1.16.1
    #---     openssl 1.0.2k / 1.0.2k / 1.0.2k
    openssl  version
    nginx  -v

    yum  info  openssl
    yum  info  nginx
    yum  list  installed  |  grep  nginx
    yum  list  installed  |  grep  openssl

    #--- Upgrade the software versions
    yum  -y  update  nginx
    yum  -y  update  openssl

    #--- Install OpenSSL 1.1.1b on CentOS 7
    #---     Verify the tarball against the checksum/signature published on openssl.org before building
    wget  https://www.openssl.org/source/openssl-1.1.1b.tar.gz
    tar  -xzvf  openssl-1.1.1b.tar.gz
    cd  openssl-1.1.1b
    ./config  --prefix=/usr/local/ssl  --openssldir=/usr/local/ssl  shared  zlib
    make
    make  install

    mv  /usr/bin/openssl  /usr/bin/openssl-1.0.2k
    ln  -s  /usr/local/ssl/bin/openssl  /usr/bin/openssl

    vi  /etc/ld.so.conf.d/openssl-1.1.1b.conf
        /usr/local/ssl/lib
    ldconfig  -v

    #--- Configure TLS 1.2/1.3 support
    #---     To also serve TLS 1.3, add TLSv1.3 to ssl_protocols; it works only when nginx itself is built with OpenSSL 1.1.1 or later
    vi  /etc/nginx/nginx.conf
        ssl_protocols    TLSv1.2;    #--- supported protocols
        ssl_ciphers      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    systemctl  restart  nginx.service

    #--- Test the supported protocols
    #---    Also check the site at https://www.ssllabs.com/ssltest/
    curl  -I  -v  --tlsv1.2  https://www.jopenbusiness.com/

    curl  -I  -v  --tlsv1.2  --tls-max  1.2  https://www.jopenbusiness.com/
    curl  -I  -v  --tlsv1.3  --tls-max  1.3  https://www.jopenbusiness.com/

    openssl  s_client  -tls1_2  -connect  www.jopenbusiness.com:443  <  /dev/null
    openssl  s_client  -tls1_3  -connect  www.jopenbusiness.com:443  <  /dev/null

    #--- Test the unsupported protocols
    curl  -I  -v  --tlsv1.1  --tls-max  1.1  https://www.jopenbusiness.com/
    curl  -I  -v  --tlsv1    --tls-max  1.0  https://www.jopenbusiness.com/

    openssl  s_client  -tls1_1  -connect  www.jopenbusiness.com:443  <  /dev/null
    openssl  s_client  -tls1  -connect  www.jopenbusiness.com:443  <  /dev/null
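
The supported/unsupported protocol tests above, combined into one pass/fail check that can run after every nginx or OpenSSL change. This is an added example, not part of the original page; the function names and exit codes (0 = policy met, 1 = violation, 2 = inconclusive) are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the original page. Function names and exit codes are assumptions.
# Exit status of check_tls_policy: 0 = policy met, 1 = violation, 2 = inconclusive.

# probe HOST PORT FLAG: succeeds only if a handshake limited to FLAG completes.
# Relies on s_client exiting non-zero when the handshake fails.
probe() {
    openssl s_client "$3" -connect "$1:$2" -servername "$1" </dev/null >/dev/null 2>&1
}

# client_has FLAG: true if the local openssl build knows this protocol flag.
# Without this, an old client (1.0.2k has no -tls1_3) looks like a server rejection.
client_has() {
    openssl s_client -help 2>&1 | grep -qw -e "$1"
}

# check_tls_policy HOST [PORT]: TLS 1.2/1.3 must be accepted, TLS 1.0/1.1 refused.
check_tls_policy() {
    _host=$1; _port=${2:-443}; _rc=0
    for _spec in -tls1_2:allow -tls1_3:allow -tls1_1:deny -tls1:deny; do
        _flag=${_spec%%:*}; _want=${_spec##*:}
        if ! client_has "$_flag"; then
            echo "SKIP $_flag: local openssl cannot offer it"
            if [ "$_rc" -eq 0 ]; then _rc=2; fi
            continue
        fi
        if probe "$_host" "$_port" "$_flag"; then _got=allow; else _got=deny; fi
        if [ "$_got" = "$_want" ]; then
            echo "OK   $_flag: $_got"
        else
            echo "FAIL $_flag: expected $_want, got $_got"
            _rc=1
        fi
    done
    return "$_rc"
}

# Run only when a host is given, e.g.: sh check_tls.sh www.example.com
if [ "$#" -gt 0 ]; then
    check_tls_policy "$@"
fi
```

A client whose own crypto policy disables TLS 1.0/1.1 reports `deny` for those versions regardless of the server, so run the check from a host whose OpenSSL still permits them.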

Last modified : 2020.01.09 ~ 2020.01.09, version 0.01
