July 29, 2022

Installing nginx on Oracle Linux in Oracle Cloud

Install and enable NGINX

Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.

Install the NGINX package

The following command installs the NGINX package and all of its dependencies:

sudo dnf install -y nginx

Enable and start the NGINX service

To enable and start the NGINX service for immediate access and make the service start automatically after a reboot, run the following command:

sudo systemctl enable --now nginx.service

The service starts a web server that listens on TCP port 80 by default. To check the status of the service, run this command:

sudo systemctl status nginx

Configure firewall rules (Optional)

If you are using a custom firewall profile or an Oracle Cloud Infrastructure instance, open the firewall port for the NGINX web service (80).

These commands enable the firewall port for the NGINX web service and reload the default firewall service:

sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --reload

Note that in the demonstration environment, the instance has a public facing IP address and no network security is applied. Depending on your production environment, you may need to configure additional security list rules or update your network security group configuration.

Test your deployment

With your web browser, go to the domain name or IP address of the compute instance. This is the same IP address that you used to SSH into the instance.

http://<IP_address>/

The NGINX web server opens the default test page /usr/share/nginx/html/index.html.

Create a custom NGINX configuration

To change the root path for your web server, do not edit the /etc/nginx/nginx.conf file directly. Instead, as a preferred method, create a site-specific configuration in the /etc/nginx/conf.d directory. For example, create the file /etc/nginx/conf.d/default.conf and populate it with a configuration for your site.

The following steps can be used to set up a dedicated site configuration:

  1. Create a directory to host a new site

    sudo mkdir /srv/website
    
  2. Create an index.html file to display to visitors to the new site.

    cat << EOF | sudo tee /srv/website/index.html
    <html>
    <head>
    <title>Hello</title>
    </head>
    <body><p>Hello World!</p></body>
    </html>
    EOF
    
  3. Update the permissions to provide ownership of the directory to the nginx process and to set the appropriate SELinux security context.

    sudo chown -R nginx:nginx /srv/website
    sudo chcon -Rt httpd_sys_content_t /srv/website
    
  4. Create a custom NGINX configuration at /etc/nginx/conf.d/default.conf for visitors to the server IP address.

    cat <<EOF | sudo tee /etc/nginx/conf.d/default.conf
    server {
      server_name    <IP_address>;
      root           /srv/website;
      index          index.html;
    }
    EOF
    

    Replace the <IP_address> value with the public IP address for the instance.

  5. Restart the NGINX web service to load the new configuration.

    sudo systemctl restart nginx
    
  6. Confirm that the page is updated when you visit the public IP address for the instance by using a web browser.

  7. You can debug and view any connection issues by tailing the log files:

    sudo tail -f /var/log/nginx/access.log -f /var/log/nginx/error.log
    

    Use Ctrl-C to exit the tail application when you are finished watching the log files.

Configure HTTPS to secure your service

As a best practice, secure all communications between a web browser and your NGINX server by using HTTPS. For a secure setup, a TLS certificate is required.

Configure your TLS/SSL certificates

Oracle strongly recommends using a TLS certificate that has been signed by an external Certificate Authority (CA). See https://docs.oracle.com/en/operating-systems/oracle-linux/certmanage/ for more information.

  1. For the purpose of this demonstration, you can use a self-signed certificate. To create the certificate and key, run the following command:

    openssl req -new -x509 -days 30 -nodes -newkey rsa:2048 -keyout server.key \
      -out server.crt -subj "/C=US/ST=Ca/L=Sunnydale/CN=<IP_address>"
    

    Replace the <IP_address> value with the public IP address for the instance.

  2. Create a directory to store the keys and certificates for NGINX.

    sudo mkdir -p /etc/pki/nginx/private
    
  3. Copy the certificate to /etc/pki/nginx/server.crt and the key file to /etc/pki/nginx/private/server.key.

    sudo cp server.crt /etc/pki/nginx/
    sudo cp server.key /etc/pki/nginx/private
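
Checks worth running on the copied files before NGINX is pointed at them, as an added example that is not part of the Oracle tutorial: the key must not be readable by group or other, the certificate must belong to the key, and the 30-day certificate must not be about to expire. The function names are hypothetical and the 7-day threshold is an assumption; the paths are the ones used in the steps above.

```shell
#!/bin/sh
# Added example (not from the Oracle tutorial). Function names are hypothetical.

# 0 if FILE exists and grants nothing to group/other (for example 600 or 400).
key_mode_ok() {
  [ -f "$1" ] || return 2
  mode=$(stat -c '%a' "$1") || return 2
  [ $(( 0$mode & 077 )) -eq 0 ]
}

# 0 if the public key in CERT is the one derived from the private KEY.
# The two PEM public keys are compared directly, so a parse failure on
# either side can never look like a match.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if CERT is still valid DAYS days from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs all three checks on CERT and KEY; the return value is the number of findings.
check_tls_files() {
  failures=0
  key_mode_ok "$2" || {
    echo "FAIL: $2 is missing or accessible to group/other"
    failures=$((failures + 1))
  }
  cert_matches_key "$1" "$2" || {
    echo "FAIL: $1 was not issued for the key in $2"
    failures=$((failures + 1))
  }
  cert_valid_for "$1" 7 || {
    echo "WARN: $1 expires within 7 days (threshold is an assumption)"
    failures=$((failures + 1))
  }
  return "$failures"
}

# Usage on the tutorial's paths (as root, because the key is root-owned):
#   check_tls_files /etc/pki/nginx/server.crt /etc/pki/nginx/private/server.key
```

The original server.key and server.crt remain in the working directory after the copy and are not covered by these checks.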
    

Update the NGINX configuration

  1. Replace the /etc/nginx/conf.d/default.conf file to include a configuration for a TLS enabled web site and include a 301 redirect for HTTP traffic to be referred to the HTTPS site.

    cat <<'EOF' | sudo tee /etc/nginx/conf.d/default.conf
    server {
     server_name   <IP_address>;
     return 301 https://$host$request_uri;
    }
    
    server {
     listen       443 ssl http2;
     listen       [::]:443 ssl http2;
     server_name    <IP_address>;
     root           /srv/website;
     index          index.html;
     ssl_certificate "/etc/pki/nginx/server.crt";
     ssl_certificate_key "/etc/pki/nginx/private/server.key";
     ssl_session_cache shared:SSL:1m;
     ssl_session_timeout  10m;
     ssl_ciphers PROFILE=SYSTEM;
     ssl_prefer_server_ciphers on;
    }
    EOF
    

    Replace the <IP_address> values with the public IP address for the instance.

    Note that if you are hosting for multiple domains, you can specify different ssl_certificate and ssl_certificate_key values for each server_name configuration that you create in the /etc/nginx/conf.d directory.

  2. Restart the NGINX service to load the new configuration.

    sudo systemctl restart nginx
    

Configure the firewall (optional)

Enable the firewall port (443) for the NGINX HTTPS web service and reload the default firewall service.

sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload

Confirm that HTTPS is working correctly

Open a browser and navigate to http://<IP_address>/. The browser should redirect to https://<IP_address>/.

Most browsers display a security risk warning when accessing a site that uses a self-signed certificate. You can accept the risk warning in this case to confirm that the site is working as expected.

The warning is not displayed if you use a CA signed certificate.

Reference: https://docs.oracle.com/en/learn/oracle-linux-nginx/index.html#create-a-custom-nginx-configuration