「Debian 12 (Bookworm)を使いやすく・セキュアに構築する」の続き（Ansibleによる構成管理を止めたため）です。Nginxをセキュアにインストールし、デフォルト設定を確認しながら高速に動作するようチューニングし、運用しやすいように自動バックアップを設定したうえで、既存コンテンツ（静的ページやWordPress等）を移行します。
Nginx+PHPをインストール
# apt update && apt install -y nginx php-fpm
# systemctl enable --now nginx
動作確認
# nginx -v
nginx version: nginx/1.22.1
# php -v
PHP 8.2.29 (cli) (built: Jul 3 2025 16:16:05) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.29, Copyright (c) Zend Technologies
with Zend OPcache v8.2.29, Copyright (c), by Zend Technologies
設定&チューニング
# cd /etc/nginx
# cp -a nginx.conf nginx.conf,def
# vi nginx.conf
user www-data;
worker_processes auto;
events {
### START ###
# worker_connections 768;
worker_connections 1024;
### END ###
http {
# server_tokens off;
### START ###
server_tokens off;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
client_max_body_size 64m;
### END ###
### START ###
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" $request_time "$host"';
# access_log /var/log/nginx/access.log;
access_log /var/log/nginx/access.log main;
### END ###
gzip on;
### START ###
gzip_vary on;
gzip_proxied no-cache no-store private expired auth;
gzip_comp_level 5;
gzip_min_length 1024;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss;
### END ###
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
# ll sites-enabled
total 0
lrwxrwxrwx 1 root root 34 Dec 21 11:49 default -> /etc/nginx/sites-available/default
# ll sites-available
total 4
-rw-r--r-- 1 root root 2412 Aug 29 23:26 default
# cp -a sites-available/default sites-available/default,def
# vi sites-available/default
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
### START ###
# index index.html index.htm index.nginx-debian.html;
index index.html index.htm;
### END ###
server_name _;
### START ###
error_page 400 403 404 422 /404.html;
error_page 408 500 502 504 /500.html;
error_page 503 /503.html;
location = /503.html {
}
### END ###
location / {
デフォルトコンテンツ確認&変更
# cd /var/www/html
# ll
total 4
-rw-r--r-- 1 root root 615 Dec 21 11:49 index.nginx-debian.html
# rm index.nginx-debian.html
# vi index.html
<html>
<head>
<!-- Placeholder index for the catch-all default server (server_name _, root /var/www/html).
     robots noindex keeps this page out of search results. -->
<meta name="robots" content="noindex" />
<title>No data</title>
</head>
<body>
No data<br/>
</body>
</html>
# vi 404.html
<html>
<head>
<!-- Target of "error_page 400 403 404 422 /404.html" in the default server.
     robots noindex keeps the error page out of search results. -->
<meta name="robots" content="noindex" />
<title>Not Found</title>
</head>
<body>
Not Found<br/>
<!-- Dummy padding for IE: Internet Explorer replaces short error responses with its own
     "friendly" error page, so this comment is meant to keep the body above that size threshold. -->
<!--
123456789012345678901234567890123456789012345678901234567890
123456789012345678901234567890123456789012345678901234567890
123456789012345678901234567890123456789012345678901234567890
123456789012345678901234567890123456789012345678901234567890
123456789012345678901234567890123456789012345678901234567890
123456789012345678901234567890123456789012345678901234567890 -->
</body>
</html>
# vi 500.html
<html>
<head>
<!-- Target of "error_page 408 500 502 504 /500.html" in the default server.
     Generic wording on purpose: no server details are exposed to the client. -->
<meta name="robots" content="noindex" />
<title>Server Error</title>
</head>
<body>
Server Error<br/>
</body>
</html>
# vi 503.html
<html>
<head>
<!-- Maintenance page, target of "error_page 503 /503.html" in the default server. -->
<meta name="robots" content="noindex" />
<!-- Charset is declared explicitly because the body text below is Japanese (non-ASCII). -->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>メンテナンス中</title>
</head>
<body>
現在、メンテナンスを行っております。<br/>
完了まで、しばらくお待ちください。<br/>
</body>
</html>
バーチャルホスト運用を想定しているため、このデフォルトサーバー（server_name _ で受ける、どのホスト名にも一致しないアクセス）側では、robots.txt で全クローラーを拒否（Disallow: /）しています。
# vi robots.txt
# robots.txt for the catch-all default server: disallow all crawlers.
User-Agent: *
Disallow: /
# touch favicon.ico
動作確認
# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# systemctl restart nginx
# curl http://localhost/
# curl http://localhost/xxx
logrotateの設定変更
# vi /etc/logrotate.d/nginx
/var/log/nginx/*.log {
daily
missingok
### START ###
# rotate 14
rotate 90
### END ###
### START ###
# notifempty
### END ###
create 0640 www-data adm
Firewalldのポート制限に追加
# firewall-cmd --permanent --add-port=80/tcp --add-port=443/tcp
# firewall-cmd --reload
# firewall-cmd --list-ports
80/tcp 443/tcp 22123/tcp 31281/tcp
既存コンテンツ移行
既存サーバー or バックアップからの移行
