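I built a web server on a Raspberry Pi 4 Model B 8GB (Revision: d03114).
On a whim, Osashimi-kun really wanted to build a web server. Apache or Nginx? This time it is Nginx. The SSL certificate comes from Let's Encrypt. HTTP access is redirected to HTTPS. The SSL certificate is also renewed automatically. That is the plan.
Note that the ports (80 and 443) have already been opened. I won't be satisfied until I have built a web server. Ah, sorry.
Installing Nginx
Install.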
$ sudo apt install nginx
Check that it is enabled to start at boot.
$ systemctl is-enabled nginx
enabled
Check the ownership, change it, and confirm the change.
$ cd /var/www
$ ls
html
$ ls -l
合計 4
drwxr-xr-x 2 root root 4096 11月 4 22:49 html
$ sudo chown pi:pi html
$ ls -l
drwxr-xr-x 2 pi pi 4096 11月 4 22:50 html
Installing certbot
Install.
$ sudo apt install certbot
Issue an SSL certificate for the specified domain.
$ sudo certbot certonly --webroot -w /var/www/html/ -d hogepiyo.hogepiyo.f5.si
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): hoge@piyo.ed.jp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hogepiyo.hogepiyo.f5.si
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hogepiyo.hogepiyo.f5.si/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hogepiyo.hogepiyo.f5.si/privkey.pem
Your cert will expire on 2021-01-31. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Create a conf file for the specified domain.
Put in the HTTPS redirect and the issued SSL certificate.
$ sudo nano /etc/nginx/conf.d/hogepiyohogepiyo.conf
server {
    listen 80;
    server_name hogepiyo.hogepiyo.f5.si;
    return 301 https://$host$request_uri;
}
server {
    server_name hogepiyo.hogepiyo.f5.si;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/hogepiyo.hogepiyo.f5.si/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hogepiyo.hogepiyo.f5.si/privkey.pem;
}
Syntax check.
$ sudo nginx -t
nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size: 32
nginx: configuration file /etc/nginx/nginx.conf test failed
It complained, so increase server_names_hash_bucket_size.
$ sudo nano /etc/nginx/nginx.conf
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
I uncommented the line and doubled the value to 64.
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
It no longer complains.
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload.
$ sudo systemctl reload nginx
Automatic renewal settings
Register the job in cron.
$ sudo crontab -e
19 4 1,15 * * /usr/bin/certbot renew --post-hook "/bin/systemctl reload nginx"
1 7 1,15 * * /usr/bin/certbot renew --post-hook "/bin/systemctl reload nginx"
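Automatic renewal runs on the 1st or 15th of each month, at 4:19 or 7:01. If one renewal is missed because of some accident before the 30-day deadline, this leaves three more chances to renew.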
$ sudo crontab -l
# m h dom mon dow command
MAILTO=""
29 * * * * systemctl restart systemd-timesyncd
20 3 * * * /sbin/reboot
19 4 1,15 * * /usr/bin/certbot renew --post-hook "/bin/systemctl reload nginx"
1 7 1,15 * * /usr/bin/certbot renew --post-hook "/bin/systemctl reload nginx"
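Added example (not part of the original post): the script below counts how many of the scheduled certbot runs fire while certbot would actually renew, which depends on the exact expiry time. It assumes certbot's default 30-day renew_before_expiry and treats cron time and certificate expiry as the same time zone; the function names and the expiry times of day are constructed, and only the date 2021-01-31 comes from the certbot output.

```shell
#!/bin/sh
# Added example: how many of the crontab's certbot runs land inside the renewal window?
# Assumptions: certbot's default renew_before_expiry (30 days); cron times and the
# certificate expiry are treated as the same time zone; expiry time of day is constructed.

# Days since 1970-01-01 for a Gregorian date (arguments without leading zeros).
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    echo $(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
}

# renew_chances YEAR MONTH DAY HOUR MIN -> number of cron runs that fire while
# less than 30 days remain and the certificate has not yet expired.
renew_chances() {
    exp_min=$(( $(days_from_civil "$1" "$2" "$3") * 1440 + $4 * 60 + $5 ))
    open_min=$(( exp_min - 30 * 1440 ))
    count=0
    for back in 2 1 0; do                      # a 30-day window touches at most 3 months
        idx=$(( $1 * 12 + $2 - 1 - back ))
        yy=$(( idx / 12 )); mm=$(( idx % 12 + 1 ))
        for dom in 1 15; do                    # "1,15" in the day-of-month field
            for hm in 259 421; do              # 04:19 and 07:01 as minutes after midnight
                t=$(( $(days_from_civil "$yy" "$mm" "$dom") * 1440 + hm ))
                if [ "$t" -gt "$open_min" ] && [ "$t" -lt "$exp_min" ]; then
                    count=$((count + 1))
                fi
            done
        done
    done
    echo "$count"
}

# Expiry date 2021-01-31 is from the certbot output above; the times are constructed.
echo "expires 2021-01-31 00:00: $(renew_chances 2021 1 31 0 0) chances"
echo "expires 2021-01-31 12:00: $(renew_chances 2021 1 31 12 0) chances"
```

The second case yields 2 rather than 4 because both runs on the 1st fire a few hours before the 30-day window opens.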
Changing the document root (only if needed)
$ cd /var/www/html/
$ mkdir hogepiyo.hogepiyo.f5.si
$ sudo nano /etc/nginx/conf.d/hogepiyohogepiyo.conf
server_name hogepiyo.hogepiyo.f5.si;
root /var/www/html/hogepiyo.hogepiyo.f5.si;
$ sudo nginx -t
$ sudo systemctl reload nginx
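"The cron entries aren't consistent at all!"
Mixed opinions are fine!!
You understand, right? Experiments and research are food. Build your very own Raspberry Pi to your own taste. That is the real charm and fun of the Raspberry Pi. Don't get mad, yeah... don't get mad.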