Server settings Ubuntu 14.04
  • user1 ユーザを id 3000 で追加
# Create the deploy/admin account with a fixed UID (3000) so file ownership stays
# stable across hosts; adduser also creates the home directory and asks for a password.
$ sudo adduser --uid 3000 user1
  • user1 ユーザを sudo グループに追加
# Grant user1 full administrative rights via the sudo group (-a appends, keeps existing groups).
# Takes effect at the user's next login.
$ sudo usermod -aG sudo user1
  • user1 ユーザを www-data グループに追加
# Add user1 to www-data so it can manage files owned by the web server group.
$ sudo usermod -aG www-data user1
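# Baseline host firewall. Rules are appended in order, and every ACCEPT rule is in place
# before the INPUT policy is flipped to DROP so the SSH session applying them is not cut off.
# Drop malformed TCP probes: null scan, non-SYN packets opening a "new" connection, xmas scan.
$ sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$ sudo iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$ sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Loopback and ICMP are accepted unconditionally.
$ sudo iptables -A INPUT -i lo -j ACCEPT
$ sudo iptables -A INPUT -p icmp -j ACCEPT
# Exposed services: HTTP, HTTPS and SSH on port 50022 (assumes sshd is configured to
# listen on 50022 — that step is not shown here).
$ sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
$ sudo iptables -A INPUT -p tcp -m tcp --dport 50022 -j ACCEPT
# -I inserts at the top of the chain so replies to established flows short-circuit the rest.
$ sudo iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -P INPUT DROP
$ sudo iptables -P OUTPUT ACCEPT
# The rules above only cover IPv4. ip6tables keeps its default ACCEPT policy, so any IPv6
# listener (the nginx "listen [::]:443" below, and sshd if it binds ::) would be reachable
# unfiltered. Mirror the policy for IPv6; ICMPv6 must stay open because neighbour
# discovery and path MTU discovery depend on it.
$ sudo ip6tables -A INPUT -i lo -j ACCEPT
$ sudo ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
$ sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ sudo ip6tables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo ip6tables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
$ sudo ip6tables -A INPUT -p tcp -m tcp --dport 50022 -j ACCEPT
$ sudo ip6tables -P INPUT DROP
$ sudo ip6tables -P OUTPUT ACCEPT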

# Persist the rule set across reboots. The package stores the IPv4 and IPv6 tables
# separately, so the ip6tables rules need to be in place before saving as well.
$ sudo apt-get install iptables-persistent

# "save" writes the currently loaded rules to disk; "(restore)" is the author's reminder
# that the same init script is used to load them back.
$ sudo /etc/init.d/iptables-persistent save (restore)
  • インストール
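# Add the official nginx.org repository for trusty.
# The signing key is the trust anchor for every package pulled from this repo, so it is
# fetched over TLS (the original used plain http, which lets an on-path party substitute
# the key). -f makes curl fail on an HTTP error instead of piping an error page into apt-key.
$ curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
# Package downloads are signature-checked by apt, so plain http is acceptable here.
# Note: ">>" appends, so re-running these two lines duplicates the entries.
$ sudo sh -c "echo 'deb http://nginx.org/packages/ubuntu/ trusty nginx' >> /etc/apt/sources.list.d/nginx.list"
$ sudo sh -c "echo 'deb-src http://nginx.org/packages/ubuntu/ trusty nginx' >> /etc/apt/sources.list.d/nginx.list"
$ sudo apt-get update
$ sudo apt-get install nginx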
  • 共通設定(/etc/nginx/nginx.conf)
# Process model: let nginx size the worker pool from the CPU count.
worker_processes auto;

events {
    # Per-worker connection cap; epoll is the Linux event method, and multi_accept
    # lets a worker drain all pending connections in one wakeup.
    worker_connections 1024;
    use                epoll;
    multi_accept       on;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Combined-style format with the request time appended.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time';


    # LTSV format, referenced by name from the per-site files included at the end of this block.
    # NOTE(review): the cookie/set_cookie fields write the full Cookie and Set-Cookie headers,
    # i.e. session identifiers, into the access log. Anyone who can read the log (or a copy
    # shipped elsewhere) then holds replayable sessions. Drop those two fields, or restrict
    # who can read the log files.
    log_format  ltsv  'domain:$host\t'
                      'host:$remote_addr\t'
                      'user:$remote_user\t'
                      'time:$time_local\t'
                      'method:$request_method\t'
                      'path:$request_uri\t'
                      'protocol:$server_protocol\t'
                      'status:$status\t'
                      'size:$body_bytes_sent\t'
                      'referer:$http_referer\t'
                      'agent:$http_user_agent\t'
                      'response_time:$request_time\t'
                      'cookie:$http_cookie\t'
                      'set_cookie:$sent_http_set_cookie\t'
                      'forwarded_for:$http_x_forwarded_for\t'
                      'upstream_addr:$upstream_addr\t'
                      'upstream_cache_status:$upstream_cache_status\t'
                      'upstream_response_time:$upstream_response_time';

    # Default access log; the per-site server blocks set their own paths.
    access_log  /var/log/nginx/access.log  ltsv;

    sendfile        on;
    #tcp_nopush     on;

    # Omit the nginx version from the Server header and from error pages.
    server_tokens   off;

    # Short keep-alive and header/body read timeouts bound how long an idle or slow
    # client can hold a connection open.
    keepalive_timeout      2;
    keepalive_requests    64;
    client_header_timeout 10;
    client_body_timeout   10;
    #send_timeout          10;
    #reset_timedout_connection on;

    # gzip is left disabled; the block below is kept as a commented reference.
    #gzip  on;
    # Reference: https://worklog.be/archives/3222
    #gzip_http_version 1.0;
    #gzip_types        text/plain
              #text/xml
              #text/css
              #text/javascript
              #application/xml
              #application/xhtml+xml
              #application/rss+xml
              #application/atom_xml
              #application/javascript
              #application/x-javascript
              #application/x-httpd-php;
    #gzip_disable      "MSIE [1-6]\.";
    #gzip_disable      "Mozilla/4";
    #gzip_comp_level   1;
    #gzip_buffers      4 8k;
    #gzip_min_length   1100;

    #fastcgi_buffers 8 64k;
    #fastcgi_buffer_size 64k;
    #fastcgi_connect_timeout 10;
    #fastcgi_read_timeout    10;
    #fastcgi_send_timeout    10;

    # Proxy defaults kept commented out; the per-site configs set these headers themselves.
    #proxy_connect_timeout  60;
    #proxy_send_timeout     60;
    #proxy_read_timeout     60;
    #proxy_set_header       Host               $host;
    #proxy_set_header       X-Real-IP          $remote_addr;
    #proxy_set_header       X-Forwarded-Host   $host;
    #proxy_set_header       X-Forwarded-Server $host;
    #proxy_set_header       X-Forwarded-For    $proxy_add_x_forwarded_for;
    #proxy_temp_path        /home/www/tmp;

    # Per-site vhosts (the Rails and PHP server blocks) are loaded from here.
    include /etc/nginx/conf.d/*.conf;
}

  • 個別設定(Rails)
# Unicorn backend for www.example.jp, reached over a Unix socket.
# fail_timeout=0 is the usual setting for a single Unicorn socket so a failed
# attempt is retried immediately rather than marking the only backend down.
upstream www.example.jp.7701 {
    server  unix:/var/www/www.example.jp/htdocs/tmp/sockets/unicorn.sock
            fail_timeout=0;
}

# Plain-HTTP vhost for the Rails app: static files under root are tried first,
# everything else is handed to the Unicorn upstream.
server {
    listen      80;
    server_name example.jp www.example.jp;
    root        /var/www/www.example.jp/htdocs/public;

    error_log  /var/log/nginx/www.example.jp/error.log;
    access_log /var/log/nginx/www.example.jp/access.log ltsv;

    # NOTE(review): there is no redirect to https here, so the HSTS header sent by the
    # 443 vhost only protects clients that have already completed one HTTPS visit.
    location / {
        try_files $uri/index.html $uri.html $uri @unicorn;
    }

    # Named location used as the try_files fallback.
    location @unicorn {
        proxy_pass http://www.example.jp.7701;
        proxy_set_header Host               $http_host;
        proxy_set_header Client-IP          $remote_addr;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host   $host;
        proxy_set_header X-Forwarded-Server $host;
    }
}


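# HTTPS vhost for the Rails app (Let's Encrypt certificate, Unicorn upstream).
server {
    listen       443 ssl;
    listen       [::]:443 ssl;
    server_name  example.jp www.example.jp;
    root /var/www/www.example.jp/htdocs/public;

    access_log  /var/log/nginx/www.example.jp/ssl_access.log  ltsv;
    error_log   /var/log/nginx/www.example.jp/ssl_error.log;

    ssl_certificate     /etc/letsencrypt/live/example.jp/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.jp/privkey.pem;
    # Relative path, resolved against the nginx prefix directory.
    ssl_dhparam         cert.d/www.example.jp/dhparam.pem;
    # TLS 1.0 and 1.1 removed: both are deprecated and offer no client coverage worth
    # their known weaknesses. TLSv1.3 can be added once nginx >= 1.13.0 is built against
    # OpenSSL 1.1.1 (not the stock 14.04 OpenSSL).
    ssl_protocols       TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Cipher list fixes: the original ran two exclusions together as "!aNULL!eNull" with
    # no ':' separator and a misspelled eNULL alias, so whether each exclusion applied
    # depended on OpenSSL's tolerant parsing. Written as separate, correctly spelled
    # tokens they are unambiguous. "!aNULL" matters here because the ECDH/DH aliases
    # also cover anonymous (unauthenticated) key exchange. "ECDHE+RSAGCM" was not a
    # recognised alias and has been dropped; ECDH/DH are kept rather than ECDHE/DHE
    # because the latter alias names are not guaranteed on 14.04's OpenSSL 1.0.1.
    ssl_ciphers         ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS;

    #add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
    add_header Strict-Transport-Security 'max-age=31536000;';

    location / {
        try_files $uri/index.html $uri.html $uri @unicorn;
    }

    location @unicorn {
        proxy_set_header Host                  $http_host;
        proxy_set_header Client-IP             $remote_addr;
        proxy_set_header X-Real-IP             $remote_addr;
        proxy_set_header X-Forwarded-For       $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host      $host;
        proxy_set_header X-Forwarded-Server    $host;
        proxy_set_header X-Forwarded-Ssl       on;
        # Rack/Rails also consult X-Forwarded-Proto when deciding whether the request
        # arrived over TLS; send it alongside X-Forwarded-Ssl.
        proxy_set_header X-Forwarded-Proto     $scheme;
        proxy_pass http://www.example.jp.7701;
    }
}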
  • 個別設定(PHP)
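# WordPress vhost served by php5-fpm over a Unix socket.
server {
    listen       80;
    server_name  wp.example.jp;

    root /var/www/wp.example.jp/htdocs;

    access_log  /var/log/nginx/wp.example.jp/access.log  main;
    error_log   /var/log/nginx/wp.example.jp/error.log;

    # Kept from the original. These have no effect in this vhost because nothing
    # here uses proxy_pass; they only apply to proxied locations.
    proxy_set_header Host                  $http_host;
    proxy_set_header Client-IP             $remote_addr;
    proxy_set_header X-Real-IP             $remote_addr;
    proxy_set_header X-Forwarded-For       $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host      $host;
    proxy_set_header X-Forwarded-Server    $host;


    # References:
    #   https://worklog.be/archives/3222
    #   http://anopara.matrix.jp/2014/10/01/10-min-nginx-wordpress/
    #   https://yamaken.jp/2014/05/09/88/
    # Never serve or execute the config file. Regex locations are tried in order, so this
    # must stay above the "\.php$" location; the unanchored pattern also catches
    # longer names such as backup copies (wp-config.php.bak).
    location ~* /wp-config.php {
        deny all;
    }

    index index.php;

    location ~ \.php$ {
        # Only hand existing scripts to PHP-FPM. Without this, a request whose path ends
        # in ".php" but names a file that does not exist still reaches FPM, where
        # cgi.fix_pathinfo can fall back to the nearest existing path component and run
        # an unrelated file (for example an uploaded image) as PHP.
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;

        ##fastcgi_no_cache      $do_not_cache;
        ##fastcgi_cache_bypass  $do_not_cache;
        ##fastcgi_cache_key     $is_mobile$scheme://$host$request_uri;
        #fastcgi_cache_valid   200 2h;
        #fastcgi_cache_valid   301 302 1h;
        #fastcgi_cache_valid   404 1m;
        #fastcgi_cache_valid   500 1s;
        #fastcgi_cache_valid   any 5m;


        # Per-vhost PHP ini overrides (multi-line value is passed as one string).
        fastcgi_param  PHP_VALUE "max_execution_time=300
                                  memory_limit=128M
                                  post_max_size=16M
                                  upload_max_filesize=2M
                                  max_input_time=300
                                  always_populate_raw_post_data=-1
                                  date.timezone=Asia/Tokyo";
    }
}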

# Install the ntp daemon; the upstream servers are changed in the next step.
$ sudo apt-get install ntp
  • 設定変更
# Replace the Ubuntu pool entries with the JST servers below. Only the server lines
# change; leave the stock "restrict" lines in place so the daemon keeps refusing
# queries and runtime configuration from remote hosts (the rest of the file is not shown here).
$ sudo vi /etc/ntp.conf
        ##server 0.ubuntu.pool.ntp.org
        #server 1.ubuntu.pool.ntp.org
        #server 2.ubuntu.pool.ntp.org
        #server 3.ubuntu.pool.ntp.org
        #server ubuntu.pool.ntp.org
        server ntp1.jst.mfeed.ad.jp
        server ntp2.jst.mfeed.ad.jp
        server ntp3.jst.mfeed.ad.jp
# Apply the new server list.
$ sudo service ntp restart
  • 確認
# Check that the configured peers are reachable; the selected sync peer is marked with "*".
$ ntpq -p

Ubuntu 14.04 LTS でのサーバ設定方法
