[NGINX] Setting up a reverse proxy from NGINX to a private AWS S3 bucket

Server environment: Ubuntu 18.04

Module installation

  • Install the required modules
sudo apt-get update && sudo apt-get -y install --no-install-recommends \
    libpcre3-dev libssl-dev perl make build-essential curl wget gnupg ca-certificates \
    luarocks liblua5.1-0-dev libssl1.0-dev nginx

wget https://zlib.net/zlib-1.2.11.tar.gz
tar -zxvf zlib-1.2.11.tar.gz

wget https://github.com/openresty/luajit2/archive/refs/tags/v2.1-20210510.tar.gz
tar -zxvf v2.1-20210510.tar.gz

wget https://github.com/openresty/lua-nginx-module/archive/refs/tags/v0.10.19.tar.gz
tar -zxvf v0.10.19.tar.gz

wget https://github.com/vision5/ngx_devel_kit/archive/refs/tags/v0.3.1.tar.gz
tar -zxvf v0.3.1.tar.gz

wget https://ftp.pcre.org/pub/pcre/pcre-8.00.tar.gz
tar -zxvf pcre-8.00.tar.gz

wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
tar -zxvf openssl-1.1.1k.tar.gz

sudo luarocks install lua-resty-core
sudo luarocks install lua-resty-http
sudo luarocks install lua-resty-hmac-ffi
sudo luarocks install lua-cjson

cd luajit2-2.1-20210510
sudo make install
cd ..  # back to the download directory; the ../ paths passed to ./configure are relative to it
  • Recompile NGINX

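Some of the build options may not be needed, but when I first left a few out and kept only the ones that looked necessary, I ran into errors partway through, so I copy-pasted a command that builds cleanly from elsewhere and added the extra options I needed.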

wget 'https://openresty.org/download/nginx-1.19.3.tar.gz'
tar -zxvf nginx-1.19.3.tar.gz
cd nginx-1.19.3/

sudo LUAJIT_LIB=/usr/local/lib LUAJIT_INC=/usr/local/include/luajit-2.1 \
./configure \
--user=nobody \
--group=nobody \
--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-pcre=../pcre-8.00 \
--with-zlib=../zlib-1.2.11 \
--with-openssl=../openssl-1.1.1k \
--with-file-aio \
--with-http_realip_module \
--without-http_scgi_module \
--without-http_uwsgi_module \
--without-http_fastcgi_module ${NGINX_DEBUG:+--with-debug} \
--with-cc-opt=-O2 \
--with-ld-opt='-Wl,-rpath,/usr/local/lib' \
--add-module=../ngx_devel_kit-0.3.1 \
--add-module=../lua-nginx-module-0.10.19

sudo make install

Adding the AWS signature library

To access a private AWS resource, the request headers must carry a signature. Generating it inside the nginx configuration file is quite complicated, so a library sets it instead.

sudo vi /usr/local/share/lua/5.1/aws-signature.lua

# Paste in the contents of https://github.com/jobteaser/lua-resty-aws-signature/blob/master/lib/resty/aws-signature.lua
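
What a signing library has to produce for each proxied request, as an added example (not code from this post or from lua-resty-aws-signature): a Python sketch of AWS Signature Version 4 for a body-less S3 GET. The function name, key values and sample path are constructed for illustration, and `uri` is assumed to be an already percent-encoded path with no query string.

```python
import hashlib
import hmac
from datetime import datetime, timezone

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a body-less GET


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def s3_sigv4_headers(host, uri, region, access_key, secret_key, now=None):
    """Headers for a signed, body-less S3 GET (hypothetical helper name)."""
    amz_date = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    day = amz_date[:8]
    scope = f"{day}/{region}/s3/aws4_request"
    signed = "host;x-amz-content-sha256;x-amz-date"
    # 1. Canonical request: method, path, empty query, headers, signed list, body hash.
    canonical = "\n".join([
        "GET", uri, "",
        f"host:{host}",
        f"x-amz-content-sha256:{EMPTY_SHA256}",
        f"x-amz-date:{amz_date}",
        "", signed, EMPTY_SHA256,
    ])
    # 2. String to sign ties the request hash to the date/region/service scope.
    to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical.encode()).hexdigest(),
    ])
    # 3. Signing key is an HMAC chain, so the raw secret never signs a request itself.
    key = ("AWS4" + secret_key).encode()
    for part in (day, region, "s3", "aws4_request"):
        key = _hmac(key, part)
    signature = _hmac(key, to_sign).hex()
    return {
        "Host": host,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": EMPTY_SHA256,
        "Authorization": f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                         f"SignedHeaders={signed}, Signature={signature}",
    }


if __name__ == "__main__":
    # Constructed sample values; the host follows the post's $s3_host pattern.
    hdrs = s3_sigv4_headers("example.s3-ap-northeast-2.amazonaws.com", "/index.html",
                            "ap-northeast-2", "AKIDEXAMPLE", "constructed-secret")
    for name, value in hdrs.items():
        print(f"{name}: {value}")
```

Because the host, path and timestamp all feed the signature, the headers are valid only for that one object, and S3 rejects them once the timestamp drifts too far from its own clock.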

NGINX configuration

# /etc/nginx/nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
env AWS_ACCESS_KEY_ID=;      # add the AWS access key
env AWS_SECRET_ACCESS_KEY=;  # add the AWS secret key

events {
    worker_connections 768;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    server {
        listen 80;
        listen [::]:80;
        server_name example;

        root /var/www/html;
        index index.html index.htm;

        set $bucket  'example';
        set $s3_host $bucket.s3-ap-northeast-2.amazonaws.com;

        location / {
            resolver    8.8.8.8 valid=300s;  # without this, nginx fails with a "no resolver defined to resolve ~~" error
            access_by_lua_block {
                require("aws-signature").s3_set_headers(ngx.var.s3_host, ngx.var.uri)
            }
            proxy_pass https://$s3_host;
        }
    }
}

Written by @EHX
Software Developer, Back-End Engineer
