Goal

 - zoo.com (www.zoo.com -> zoo.com redirect)

 - sub1.zoo.com

 

* Host two web services on a single VM.

 

1. DNS setup

Set the A record and CNAME on the DNS server. (Omitted here.)

 

2. LetsEncrypt setup

sudo apt-get update -y && sudo apt-get install letsencrypt -y
sudo letsencrypt certonly --standalone -d zoo.com -d www.zoo.com -d sub1.zoo.com

Note

 * For wildcard certificates, validation goes through a TXT record, so automatic renewal reportedly does not work.

 

3. NGINX setup

Generate the nginx configuration on the site below. It is something like gitignore.io, and it seems well made.

nginxconfig.io/ (NGINX Config | DigitalOcean: "The easiest way to configure a performant, secure, and stable nginx server." www.digitalocean.com)

It also provides security settings, so using the output verbatim can break things; take care.

 

Let's go through the settings one by one.

- nginx.conf (/etc/nginx/nginx.conf)

# Generated by nginxconfig.io
# https://www.digitalocean.com/community/tools/nginx?domains.0.server.domain=cloudmt.co.kr&domains.0.server.redirectSubdomains=false&domains.0.php.wordPressRules=true&global.https.ocspCloudflare=false&global.https.ocspGoogle=false&global.https.ocspOpenDns=false

user                 www-data;
pid                  /run/nginx.pid;
worker_processes     auto;
worker_rlimit_nofile 65535;

events {
    multi_accept       on;
    worker_connections 65535;
}

http {
    charset              utf-8;
    sendfile             on;
    tcp_nopush           on;
    tcp_nodelay          on;
    server_tokens        off;
    log_not_found        off;
    types_hash_max_size  2048;
    client_max_body_size 100M;

    # MIME
    include              mime.types;
    default_type         application/octet-stream;

    # Logging
    access_log           /var/log/nginx/access.log;
    error_log            /var/log/nginx/error.log warn;

    # SSL
    ssl_session_timeout  1d;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_tickets  off;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam          /etc/nginx/dhparam.pem;

    # Mozilla Intermediate configuration
    ssl_protocols        TLSv1.2 TLSv1.3;
    ssl_ciphers          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # OCSP Stapling
    ssl_stapling         on;
    ssl_stapling_verify  on;

    # Load configs
    include              /etc/nginx/conf.d/*.conf;
    include              /etc/nginx/sites-enabled/*;
}

The generated config uses the standard SSL protocol settings; check the TLS versions it enables. dhparam.pem can be generated with openssl:

 

> openssl dhparam -out dhparam.pem 4096

 

- zoo.com.conf (/etc/nginx/sites-available/zoo.com.conf)

server {
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             zoo.com;
    set                     $base /var/www/html;
    root                    $base/main;

    # SSL
    ssl_certificate         /etc/letsencrypt/live/zoo.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/zoo.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/zoo.com/chain.pem;

    # security
    include                 nginxconfig.io/security.conf;

    # index.php
    index                   index.php index.html index.htm;

    # index.php fallback
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # additional config
    include nginxconfig.io/general.conf;
    include nginxconfig.io/wordpress.conf;

    # handle .php
    location ~ \.php$ {
        include nginxconfig.io/php_fastcgi.conf;
    }
}

# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name zoo.com;
    include     nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://zoo.com$request_uri;
    }
}

# www redirect
server {
    listen      80;
    listen      [::]:80;
    listen      443 ssl http2;
    listen      [::]:443 ssl http2;
    server_name www.zoo.com;
    include     nginxconfig.io/letsencrypt.conf;

    # SSL (the certonly command in step 2 puts all three names on one certificate,
    # which certbot stores under /etc/letsencrypt/live/zoo.com/, so www reuses it)
    ssl_certificate         /etc/letsencrypt/live/zoo.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/zoo.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/zoo.com/chain.pem;

    location / {
        return 301 https://zoo.com$request_uri;
    }
}

zoo.com runs WordPress.

The www domain is redirected to it. An SSL certificate was needed here as well, since the redirect is also served over HTTPS.

Caveats

In php_fastcgi.conf, check that the PHP location and version match the PHP you installed.

In wordpress.conf, check the list of denied paths.

In security.conf, check the headers (some plugins may stop working).

 

- sub1.zoo.com.conf (/etc/nginx/sites-available/sub1.zoo.com.conf)

 

server {
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             sub1.zoo.com;
    set                     $base /var/www/html;
    root                    $base/event;

    # SSL (same single certificate as zoo.com: the certonly command in step 2
    # issued one lineage, /etc/letsencrypt/live/zoo.com/, covering sub1 as a SAN)
    ssl_certificate         /etc/letsencrypt/live/zoo.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/zoo.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/zoo.com/chain.pem;

    # security
    include                 nginxconfig.io/security.conf;

    # index.php
    index                   index.html;

    # index.php fallback
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # additional config
    include nginxconfig.io/general.conf;

    # handle .php
    location ~ \.php$ {
        include nginxconfig.io/php_fastcgi.conf;
    }
}

# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name sub1.zoo.com;
    include     nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://sub1.zoo.com$request_uri;
    }
}

Configuration for hosting a PHP application.
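As an added check (not part of the original post or of nginxconfig.io): a small Python script that derives, from the certonly command in step 2, which /etc/letsencrypt/live/ lineage certbot writes and which names it covers, then parses nginx server blocks and flags any ssl listener whose certificate path names a lineage that was never issued or whose server_name is not on that certificate. The domain list and the config text are constructed here to mirror the blocks above, and the function names are this example's own.

```python
import re
# Constructed inputs mirroring this page: the -d list passed to certonly in
# step 2, and the www redirect server block from zoo.com.conf (abridged).
CERTONLY_DOMAINS = ["zoo.com", "www.zoo.com", "sub1.zoo.com"]
WWW_REDIRECT_CONF = """
server {
    listen      443 ssl http2;
    server_name www.zoo.com;
    ssl_certificate /etc/letsencrypt/live/www.zoo.com/fullchain.pem;
    location / { return 301 https://zoo.com$request_uri; }
}
"""

def lineages_from_certonly(domains, cert_name=None):
    # certbot names the live/ directory after --cert-name, otherwise after the
    # first -d value; every -d value becomes a SAN on that single certificate.
    return {cert_name or domains[0]: set(domains)}

def server_blocks(conf):
    # Yield the body of each top-level server { ... } by brace counting, so a
    # nested location { ... } does not end the server block early.
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def san_covers(sans, name):
    # Exact SAN match, or a wildcard SAN one label up (*.zoo.com covers www.zoo.com).
    parent = name.split(".", 1)[1] if "." in name else ""
    return name in sans or "*." + parent in sans

def check_tls_servers(conf, lineages):
    # Flag ssl listeners whose cert path names a lineage certbot never wrote, or a name not in its SANs.
    findings = []
    for body in server_blocks(conf):
        if not re.search(r"listen\s+[^;]*\bssl\b", body):
            continue  # plain-HTTP block: no certificate needed
        names = re.search(r"server_name\s+([^;]+);", body)
        names = names.group(1).split() if names else []
        cert = re.search(r"ssl_certificate\s+(\S+);", body)
        lin = re.search(r"/live/([^/]+)/", cert.group(1)) if cert else None
        lin = lin.group(1) if lin else None
        if lin not in lineages:
            findings.append(f"{' '.join(names)}: lineage {lin} not issued (have {sorted(lineages)})")
            continue
        findings += [f"{n}: not a SAN of lineage {lin}" for n in names if not san_covers(lineages[lin], n)]
    return findings
```

Run it against the real files with open("/etc/nginx/sites-available/zoo.com.conf").read() before sudo nginx -t; a path pointing at a lineage that does not exist fails the nginx test, and a name missing from the SANs passes it but shows a certificate warning in browsers.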

 

- Symbolic links

sudo ln -s /etc/nginx/sites-available/zoo.com.conf /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/sub1.zoo.com.conf /etc/nginx/sites-enabled/

 

Then test the configuration with the command below:

> sudo nginx -t

 

If it passes:

> sudo systemctl restart nginx
