Nginxを使ってWordPressをセットアップ

Nginxは近年、人気が出てきたWebサーバで、軽量でかつ設定を冗長に出来るのが人気の秘密です。今回、次のような構成で設定してみることにしました。リバースプロキシに3台のウェブサーバを繋いでみます。

Internet <--> Reverse Proxy: Nginx <--> Web Servers: Nginx + WordPress

VPSにLXCを導入したのでプライベートネットワーク化して、SQLサーバなど個々にサーバを立てることができるようになっています。各設定は検索するとかなりの数がヒットするのでここでは設定例に留めておきます。

設定例: Reverse Proxy

Nginx

/etc/nginx/sites-enabled:

# Plain-HTTP front door: both public names are answered by one vhost that
# does nothing but send the client to the TLS listener (same URI, same host).
server {
    server_name www.example.net mail.example.net;
    listen      80;

    return 301 https://$host$request_uri;
}
 
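server {
    listen       443 ssl;
    server_name  www.example.net;

    # Local document root. Only the ACME challenge location below serves
    # files from it; everything else is proxied to a backend.
    root  /var/www/html;
    index index.php index.html index.nginx-debian.html;

    # Tell the backends who the real client is and that TLS was terminated
    # here. The WordPress backend restores HTTPS from X-Forwarded-Proto in
    # wp-config.php.
    proxy_set_header    X-Real-IP         $remote_addr;
    proxy_set_header    Host              $host;
    proxy_set_header    X-Forwarded-Proto $scheme;
    proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;

    ssl_certificate     /etc/letsencrypt/live/example.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem; # managed by Certbot

    # Shared cache only: nginx documents the builtin cache as a source of
    # memory fragmentation, and the shared one is the one workers share.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and the WordPress admin
    # login travels through this listener. TLSv1.3 can be appended once the
    # installed nginx/OpenSSL support it.
    ssl_protocols TLSv1.2;
    # The author's suite list kept on ONE line (the wrapped copy broke cipher
    # names across lines), minus the catch-all AES/CAMELLIA entries and
    # 3DES (SWEET32). ECDHE/DHE GCM suites stay first in preference order;
    # trimming further to forward-secret suites only is a reasonable next step.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    # Generated with `openssl dhparam 2048` (see below); 2048 bits is the
    # minimum worth using for the DHE suites above.
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # Worth enabling once every name under example.net is served over TLS:
    # add_header Strict-Transport-Security "max-age=63072000" always;

    # WordPress backend.
    location / {
        proxy_pass          http://10.0.0.2;
        proxy_read_timeout  240;
        proxy_buffering     off;
        proxy_redirect      off;
    }

    location /OpenWrt {
        proxy_pass          http://10.0.0.3;
        proxy_read_timeout  240;
        proxy_buffering     off;
        proxy_redirect      off;
    }

    # The original read `location {` with no path, which nginx rejects at
    # startup ("invalid number of arguments"); fill in the prefix that should
    # reach the rate-limited backend. `zone=one` must also be declared with
    # limit_req_zone in the http{} context (not shown on this page).
    location /REPLACE_WITH_PATH {
        proxy_pass          http://10.0.0.4;
        limit_req           zone=one burst=1 nodelay;
        proxy_read_timeout  240;
        proxy_buffering     off;
        proxy_redirect      off;
    }

    # PHP-FPM per-directory overrides must never be downloadable, at the top
    # level or under /OpenWrt. Regex locations beat the prefix locations
    # above, so this applies before anything is proxied. (The original
    # listed the top-level rule twice; one copy is enough.)
    location ~ ^/(OpenWrt/)?\.user\.ini {
        deny all;
    }

    # Let's Encrypt HTTP-01 challenges are answered from the local root
    # rather than being proxied to a backend.
    location ~ ^/\.well-known/acme-challenge/ {
        allow all;
    }
}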
 
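server {
    listen       443 ssl;
    server_name  mail.example.net;

    # Forwarded to the webmail backend on the private network; TLS ends here.
    proxy_set_header    X-Real-IP         $remote_addr;
    proxy_set_header    Host              $host;
    proxy_set_header    X-Forwarded-Proto $scheme;
    proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_read_timeout  240;
    proxy_buffering     off;

    ssl_certificate     /etc/letsencrypt/live/example.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem; # managed by Certbot

    # Shared cache only (the builtin cache is documented by nginx as a source
    # of memory fragmentation).
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 5m;

    # Same TLS policy as the www vhost: no deprecated TLS 1.0/1.1, one-line
    # cipher list without the catch-all AES/CAMELLIA entries or 3DES.
    # TLSv1.3 can be appended once the installed nginx/OpenSSL support it.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    location / {
        proxy_pass      http://10.0.0.5;
        # NOTE(review): the rewritten Location still points at the private
        # address 10.0.0.5, which clients outside the proxy cannot reach;
        # confirm this is the intended redirect target.
        proxy_redirect  http://10.0.0.5 http://10.0.0.5/webmail;
    }
}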

DH Groupの作成

# Generates the DH parameters used by the DHE suites; the vhosts above read them from /etc/nginx/ssl/dhparams.pem, so write or move the file there.
$ sudo openssl dhparam -out dhparams.pem 2048

Nginx (Web Server)

/etc/nginx/sites-enabled:

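server {
    # WordPress backend behind the reverse proxy. TLS is terminated at the
    # proxy, so this vhost speaks plain HTTP on the private network and must
    # stay unreachable from the Internet.
    listen       80;
    server_name  www.example.net;
    root         /var/www/wordpress;
    index        index.php;

    # Pretty permalinks: serve the file or directory if it exists, otherwise
    # hand the request to the front controller in @webapp below (which the
    # original defined but never referenced).
    location / {
        try_files $uri $uri/ @webapp;
    }

    # The configuration file holds database credentials and salts; listed
    # before the generic .php location because nginx takes the first
    # matching regex location.
    location ~* /wp-config.php {
        deny all;
    }

    # PHP-FPM per-directory overrides must not be downloadable from any
    # directory, not only the top level.
    location ~ /\.user\.ini {
        deny all;
    }

    location ~ \.php$ {
        # Only execute scripts that exist on disk: without this, a request
        # such as /uploads/file.jpg/x.php can reach PHP-FPM, which with
        # cgi.fix_pathinfo enabled executes the uploaded file as PHP.
        try_files $uri =404;
        fastcgi_index index.php;
        # $https is empty here because TLS ends at the proxy; wp-config.php
        # restores HTTPS from X-Forwarded-Proto instead.
        fastcgi_param HTTPS           $https if_not_empty;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    # WordPress front controller for URLs that do not map to a file.
    location @webapp {
        fastcgi_pass   unix:/run/php/php7.0-fpm.sock;
        fastcgi_param  SCRIPT_FILENAME /var/www/wordpress/index.php;
        include /etc/nginx/fastcgi_params;
    }

    # NOTE(review): the proxy sends X-Real-IP / X-Forwarded-For but nothing
    # here consumes them, so access logs presumably record the proxy's
    # address; set_real_ip_from/real_ip_header would fix that — confirm.
}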

PHP: FastCGI

インストール

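# One apt invocation; the original repeated the "$ sudo" prompt on the
# continuation line, which when pasted would pass "$" and "sudo" to apt as
# package names.
$ sudo apt install php-cli php-common php-fpm php-gd \
      php-json php-mysql php-opcache php-readline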

/etc/php/7.0/fpm/php.ini:

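[PHP]
engine = On
short_open_tag = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = 17
; Kept on a single line: an INI value ends at the newline, so the wrapped
; copy of this list would leave most of these functions enabled.
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
disable_classes =
zend.enable_gc = On
; Do not advertise the PHP version in the X-Powered-By header.
expose_php = Off
; Each limit is set exactly once. PHP keeps the LAST occurrence of a key,
; and the original file listed max_execution_time, post_max_size and
; upload_max_filesize twice, so the stock defaults (30, 8M, 2M) silently
; overrode the values chosen here. post_max_size must stay >= 
; upload_max_filesize and below memory_limit.
max_execution_time = 300
max_input_time = 60
memory_limit = 128M
max_input_vars = 5000
post_max_size = 50M
upload_max_filesize = 50M
; suhosin.* keys only take effect if the Suhosin extension is loaded
; (presumably not here — it is not in the package list above); harmless
; otherwise.
suhosin.request.max_vars = 5000
suhosin.post.max_vars = 5000
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
; Errors go to the log, never to the browser.
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
max_file_uploads = 20
allow_url_fopen = On
; Never let include/require fetch code over the network.
allow_url_include = Off
default_socket_timeout = 60
[CLI Server]
cli_server.color = On
[Date]
[filter]
[iconv]
[intl]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket=
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
mail.add_x_header = On
[SQL]
sql.safe_mode = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
; Reject session ids the server did not generate itself (session fixation).
session.use_strict_mode = 1
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
; The site is only reachable over HTTPS (port 80 redirects), so the session
; cookie can carry the Secure flag; HttpOnly keeps it out of script reach.
session.cookie_secure = 1
session.cookie_httponly = 1
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
[Assertion]
zend.assertions = -1
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[mcrypt]
[dba]
[opcache]
[curl]
[openssl]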

WordPress

SSL用に追加します。

/var/www/wordpress/wp-config.php:

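/**
 * Handle SSL reverse proxy.
 *
 * The Nginx reverse proxy terminates TLS and forwards plain HTTP, so
 * WordPress only learns the original scheme and host from the
 * X-Forwarded-* headers. Those are ordinary request headers that any client
 * able to reach this backend directly could set, so they are honoured only
 * when the request comes from the proxy itself; otherwise a forged
 * X-Forwarded-Host would end up in every URL WordPress generates.
 */
// Placeholder: the reverse proxy's address on the private network. Replace
// before deploying, or HTTPS will not be detected and WordPress will loop
// on its redirect.
$trusted_proxies = array('REPLACE_WITH_REVERSE_PROXY_IP');
$from_proxy = isset($_SERVER['REMOTE_ADDR'])
    && in_array($_SERVER['REMOTE_ADDR'], $trusted_proxies, true);

// isset() avoids an "undefined index" notice on requests without the header.
if ($from_proxy
    && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

if ($from_proxy && isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}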