NGINX 환경설정 생성기

Ubuntu 18.04 구성하기 글에서 사용하는 도구입니다.
Ubuntu 24.04 구성하기(NEW) 글도 검토해보세요.

웹사이트 구성 파일을 작성합니다.
/etc/nginx/conf.d/samplesite.com.conf 위치에 아래의 내용을 작성합니다.

일반 PHP 사이트

일반적인 PHP 사이트 (그누보드 등)

 
server {
    listen       80;
    server_name  samplesite.com www.samplesite.com anothersite.net;
    root   /home/myuser1/www;

    server_tokens off;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    charset utf-8;

    #set same size as post_max_size(php.ini or php_admin_value).
    client_max_body_size 10M;

    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log  /var/log/nginx/samplesite.com.error.log error;
 
    location / {
        index  index.php index.html;
    }
 
    # Allow Lets Encrypt Domain Validation Program
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
 
    # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)
    location ~ /\. {
        deny all;
    }
 
    # Block (log file, binary, certificate, shell script, sql dump file) access.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key|yml|lock)$ {
        deny all;
    }
 
    # Block access
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml|access_log|error_log|gruntfile\.js)$ {
        deny all;
    }
 
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
 
    location = /robots.txt {
        log_not_found off;
        access_log off;
    }
 
    # Block .php file inside upload folder. uploads(wp), files(drupal), data(gnuboard).
    location ~* /(?:uploads|default/files|data)/.*\.php$ {
        deny all;
    }

    location ~* /(?:uploads/session)/.* {
        deny all;
    }
 
    # Add PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        fastcgi_read_timeout 300;
        fastcgi_pass unix:/run/php/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 16k; # default 8 4k

        include fastcgi_params;
    }
}

짧은 주소 사이트

짧은 주소 사이트(워드프레스, 드루팔, CI, Laravel)에서는 try_files 구문을 통해 응답을 index.php 파일로 보내도록 설정합니다.

 
server {
    listen       80;
    server_name  samplesite.com www.samplesite.com anothersite.net;
    root   /home/myuser1/www;

    server_tokens off;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    charset utf-8;

    #set same size as post_max_size(php.ini or php_admin_value).
    client_max_body_size 10M;

    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log  /var/log/nginx/samplesite.com.error.log error;
 
    location / {
        index  index.php index.html;
        try_files $uri $uri/ /index.php?$args;
    }
 
    # Allow Lets Encrypt Domain Validation Program
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
 
    # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)
    location ~ /\. {
        deny all;
    }
 
    # Block (log file, binary, certificate, shell script, sql dump file) access.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key|yml|lock)$ {
        deny all;
    }
 
    # Block access
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml|access_log|error_log|gruntfile\.js)$ {
        deny all;
    }
 
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
 
    location = /robots.txt {
        log_not_found off;
        access_log off;
    }
 
    # Block .php file inside upload folder. uploads(wp), files(drupal), data(gnuboard).
    location ~* /(?:uploads|default/files|data)/.*\.php$ {
        deny all;
    }

    location ~* /(?:uploads/session)/.* {
        deny all;
    }
 
    # Add PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        fastcgi_read_timeout 300;
        fastcgi_pass unix:/run/php/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 16k; # default 8 4k

        include fastcgi_params;
    }
}

HTTPS 짧은주소

https 관련 구문을 설정합니다.

인증서 발급업체에서 인증서 파일을 발급받아 준비해야 합니다. 또는 https://blog.lael.be/post/5107 글을 통해 직접 인증서 파일을 발급할 수 있습니다.
다음 명령어로 dhparam.pem 파일을 먼저 생성해야 합니다. (서버 내에 1회만 실행하면 됨. 중복실행해도 문제없음)

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

letsencrypt certonly --webroot --webroot-path=/home/myuser1/www -d samplesite.com -d www.samplesite.com -d anothersite.net

 
server {
    listen       80;
    server_name  samplesite.com www.samplesite.com anothersite.net;
 
    return       301 https://$host$request_uri;
}
 
 
server {
    listen       443 ssl http2;
    server_name  samplesite.com www.samplesite.com anothersite.net;
    root   /home/myuser1/www;

    server_tokens off;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    charset utf-8;

    #set same size as post_max_size(php.ini or php_admin_value).
    client_max_body_size 10M;
 
	ssl_certificate "/etc/letsencrypt/live/samplesite.com/fullchain.pem";
	ssl_certificate_key "/etc/letsencrypt/live/samplesite.com/privkey.pem";
	ssl_dhparam "/etc/ssl/certs/dhparam.pem";
     
    # Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.
    add_header Strict-Transport-Security "max-age=31536000";
     
    # Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';
     
    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log  /var/log/nginx/samplesite.com.error.log error;
 
    location / {
        index  index.php index.html;
        try_files $uri $uri/ /index.php?$args;
    }
 
    # Allow Lets Encrypt Domain Validation Program
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
 
    # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)
    location ~ /\. {
        deny all;
    }
 
    # Block (log file, binary, certificate, shell script, sql dump file) access.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key|yml|lock)$ {
        deny all;
    }
 
    # Block access
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml|access_log|error_log|gruntfile\.js)$ {
        deny all;
    }
 
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
 
    location = /robots.txt {
        log_not_found off;
        access_log off;
    }
 
    # Block .php file inside upload folder. uploads(wp), files(drupal), data(gnuboard).
    location ~* /(?:uploads|default/files|data)/.*\.php$ {
        deny all;
    }

    location ~* /(?:uploads/session)/.* {
        deny all;
    }
 
    # Add PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        fastcgi_read_timeout 300;
        fastcgi_pass unix:/run/php/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 16k; # default 8 4k

        include fastcgi_params;
    }
}

HTTPS 일반

https 관련 구문을 설정합니다.

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

letsencrypt certonly --webroot --webroot-path=/home/myuser1/www -d samplesite.com -d www.samplesite.com -d anothersite.net

 
server {
    listen       80;
    server_name  samplesite.com www.samplesite.com anothersite.net;
 
    return       301 https://$host$request_uri;
}
 
 
server {
    listen       443 ssl http2;
    server_name  samplesite.com www.samplesite.com anothersite.net;
    root   /home/myuser1/www;

    server_tokens off;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    charset utf-8;

    #set same size as post_max_size(php.ini or php_admin_value).
    client_max_body_size 10M;

	ssl_certificate "/etc/letsencrypt/live/samplesite.com/fullchain.pem";
	ssl_certificate_key "/etc/letsencrypt/live/samplesite.com/privkey.pem";
    ssl_dhparam "/etc/ssl/certs/dhparam.pem";
     
    # Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.
    add_header Strict-Transport-Security "max-age=31536000";
     
    # Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';
     
    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log  /var/log/nginx/samplesite.com.error.log error;
 
    location / {
        index  index.php index.html;
    }
 
    # Allow Lets Encrypt Domain Validation Program
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
 
    # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)
    location ~ /\. {
        deny all;
    }
 
    # Block (log file, binary, certificate, shell script, sql dump file) access.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key|yml|lock)$ {
        deny all;
    }
 
    # Block access
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml|access_log|error_log|gruntfile\.js)$ {
        deny all;
    }
 
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
 
    location = /robots.txt {
        log_not_found off;
        access_log off;
    }
 
    # Block .php file inside upload folder. uploads(wp), files(drupal), data(gnuboard).
    location ~* /(?:uploads|default/files|data)/.*\.php$ {
        deny all;
    }

    location ~* /(?:uploads/session)/.* {
        deny all;
    }

    # Add PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        fastcgi_read_timeout 300;
        fastcgi_pass unix:/run/php/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 16k; # default 8 4k

        include fastcgi_params;
    }
}

HTTP, HTTPS-일반

http와 https 모두 사용합니다. 어쩔 수 없는 상황이 아니라면, https 하나만 사용하는 것이 좋습니다.

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

letsencrypt certonly --webroot --webroot-path=/home/myuser1/www -d samplesite.com -d www.samplesite.com -d anothersite.net

 
server {
    listen       80;
    server_name  samplesite.com www.samplesite.com anothersite.net;
    root   /home/myuser1/www;

    server_tokens off;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    charset utf-8;

    #set same size as post_max_size(php.ini or php_admin_value).
    client_max_body_size 10M;

    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log  /var/log/nginx/samplesite.com.error.log error;
 
    location / {
        index  index.php index.html;
    }
 
    # Allow Lets Encrypt Domain Validation Program
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
 
    # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)
    location ~ /\. {
        deny all;
    }
 
    # Block (log file, binary, certificate, shell script, sql dump file) access.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key|yml|lock)$ {
        deny all;
    }
 
    # Block access
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml|access_log|error_log|gruntfile\.js)$ {
        deny all;
    }
 
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
 
    location = /robots.txt {
        log_not_found off;
        access_log off;
    }
 
    # Block .php file inside upload folder. uploads(wp), files(drupal), data(gnuboard).
    location ~* /(?:uploads|default/files|data)/.*\.php$ {
        deny all;
    }

    location ~* /(?:uploads/session)/.* {
        deny all;
    }

    # Add PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        fastcgi_read_timeout 300;
        fastcgi_pass unix:/run/php/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 16k; # default 8 4k

        include fastcgi_params;
    }
}
 
 
server {
    listen       443 ssl http2;
    server_name  samplesite.com www.samplesite.com anothersite.net;
    root   /home/myuser1/www;
    
    server_tokens off;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    charset utf-8;

    #set same size as post_max_size(php.ini or php_admin_value).
    client_max_body_size 10M;
 
	ssl_certificate "/etc/letsencrypt/live/samplesite.com/fullchain.pem";
	ssl_certificate_key "/etc/letsencrypt/live/samplesite.com/privkey.pem";
    ssl_dhparam "/etc/ssl/certs/dhparam.pem";
     
    # Disable HSTS.
    add_header Strict-Transport-Security "max-age=0";
     
    # Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';
     
    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log  /var/log/nginx/samplesite.com.error.log error;
 
    location / {
        index  index.php index.html;
    }
 
    # Allow Lets Encrypt Domain Validation Program
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
 
    # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)
    location ~ /\. {
        deny all;
    }
 
    # Block (log file, binary, certificate, shell script, sql dump file) access.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key|yml|lock)$ {
        deny all;
    }
 
    # Block access
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml|access_log|error_log|gruntfile\.js)$ {
        deny all;
    }
 
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
 
    location = /robots.txt {
        log_not_found off;
        access_log off;
    }
 
    # Block .php file inside upload folder. uploads(wp), files(drupal), data(gnuboard).
    location ~* /(?:uploads|default/files|data)/.*\.php$ {
        deny all;
    }

    location ~* /(?:uploads/session)/.* {
        deny all;
    }

    # Add PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        fastcgi_read_timeout 300;
        fastcgi_pass unix:/run/php/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 16k; # default 8 4k

        include fastcgi_params;
    }
}

라이믹스 (https://github.com/rhymix/rhymix) 소프트웨어를 사용하는 경우 설정법입니다.
1. 먼저 [HTTPS 짧은주소] 방법대로 사이트를 접속할 수 있게 설정합니다.
2. 다음의 명령어를 사용해서 라이믹스용 추가 설정파일을 다운로드 받습니다.

wget https://raw.githubusercontent.com/rhymix/rhymix/master/common/manual/server_config/rhymix-nginx.conf -O /etc/nginx/snippets_rhymix.conf

3. 원하는 해당 사이트에 다음과 같이 수정합니다.

    # location / {
    #     index  index.php index.html;
    #     try_files $uri $uri/ /index.php?$args;
    # }
    index  index.php index.html;
    include snippets_rhymix.conf;

4. 적용을 위해서 nginx 를 재시작합니다.

service nginx restart