Nginx feste IP zuweisen

[lapepp]

Guten Tag,

ich bin hier neu im Forum & wollt' direkt mal meine erste Frage stellen...

Ich habe auf meinem Root Server mehrere IPs. Wie kann ich ein Nginx vHost auf eine feste IP binden, sodass dieser nur über diese IP erreichbar ist? Zudem möchte ich, dass Nginx komplett von der Standard IP "wegkommt".

Grüße

[rudelgurke]

Ein einfaches

Listen 127.254.255.256:80

müsste reichen Nginx bzw. VHosts an bestimmte IP's zu binden. Alternativ über Namen (sofern das DNS passt).

[Proteus]

Code: Select all

server {
   listen      127.254.255.256:80 default;
   listen      127.254.255.256:443 ssl default;
   listen      [2001:4ba0:ffff:0244::2]:80 ipv6only=on default;
   listen      [2001:4ba0:ffff:0244::2]:443 ssl default;
   server_name  www.domain.de domain.de;
   root /usr/local/www/wordpress;
   index index.php index.htm index.html;

[Proteus]

2 IP:

Code: Select all

server {
        listen       127.254.255.256:80;
        listen      127.254.255.256:443 ssl;
        listen      [2001:4ba0:ffff:0244::2]:80;
        listen      [2001:4ba0:ffff:0244::2]:443;
   server_name admin.domain.de;
   root /usr/local/www/phpMyAdmin;

[Proteus]

Hier in Gänze meine gesamte Config zu Nginx, falls Interesse.

nignx.conf

Code: Select all

user  www;
worker_processes 4;

error_log /var/log/nginx/error.log info;

pid /var/run/nginx.pid;

events {
   worker_connections 2048;
   multi_accept on;
   use kqueue;
}

http {
   include mime.types;
   access_log /var/log/nginx/access.log;
   default_type  application/octet-stream;
   log_format  main '$remote_addr - $remote_user [$time_local] "$request" ' 
       sendfile on;
       tcp_nopush on;
       tcp_nodelay on;
       keepalive_timeout 15;
   types_hash_max_size 2048;

# GENERAL
   ignore_invalid_headers on;
   sendfile on;
   server_name_in_redirect off;
   server_tokens off;
   charset utf-8;
   client_max_body_size 128M;
   client_body_buffer_size 128M;
   geoip_country /opt/conf/GeoIP.dat;

#SSL 
   ssl_session_timeout 5m;
   ssl_session_cache shared:SSL:50m;
   add_header Strict-Transport-Security max-age=15768000;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
   ssl_prefer_server_ciphers on;

# Timeouts
   client_body_timeout 65;
   client_header_timeout 65;
   send_timeout 65;

# Compression
   gzip on;
   gzip_disable "MSIE [1-6]\.(?!.*SV1)";
   gzip_proxied expired no-cache no-store private auth;
   gzip_buffers 256 8k;
   gzip_comp_level 6;
   gzip_http_version 1.0;
   gzip_min_length 1024;
   gzip_vary on;
   gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript application/json;

# Cache
   fastcgi_cache_path /usr/local/etc/nginx/cache levels=1:2 keys_zone=WORDPRESS:100m inactive=60m;
   fastcgi_cache_key "$scheme$request_method$host$request_uri";
   fastcgi_cache_use_stale error timeout invalid_header http_500;
   fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

# Open file Cache
   open_file_cache          max=2000 inactive=20s;
   open_file_cache_valid    60s;
   open_file_cache_min_uses 5;
   open_file_cache_errors   off;

# FloodSchutz
   large_client_header_buffers 4 256k;
   limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
   limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=50r/s;
   limit_conn conn_limit_per_ip 20;
   limit_req zone=req_limit_per_ip burst=20;

# Pfad Website
   include wordpress/*.conf;
}

Dazugehörige Domain:

wordpress.conf

Code: Select all

server {
   listen      89.163.221.112:80 default;
   listen      89.163.221.112:443 ssl default;
   listen      [2001:4ba0:ffff:0244::2]:80 ipv6only=on default;
   listen      [2001:4ba0:ffff:0244::2]:443 ssl default;
   server_name  domain.de www.domain.de;
   root /usr/local/www/wordpress;
   index index.php index.htm index.html;
   expires     max;

# SSL Settings
### If you are using different names for your SSL certificate and key, change them below:
   ssl_certificate /etc/ssl/cert/www.leblogger.de.pem;
   ssl_certificate_key /etc/ssl/cert/www.leblogger.de.key;
   ssl_dhparam /etc/ssl/cert/dh_params.pem;
   ssl_session_timeout 5m;
       # ssl_session_cache shared:SSL:50m;
   add_header Strict-Transport-Security max-age=15768000;
       ssl_protocols TLSv1.1 TLSv1.2;
       ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
       ssl_prefer_server_ciphers on;

# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
# Verhindert Click Jacking Angriffe
   add_header X-Frame-Options SAMEORIGIN;

# Verbietet Content Sniffing
   add_header X-Content-Type-Options nosniff;

# Falls ein User aus Versehen, den Schutz bei sich deaktiviert hat, kann man ihn hiermit wieder erzwingen
   add_header X-XSS-Protection "1; mode=block";

# POST requests and urls with a query string should always go to PHP
   if ($request_method = POST) {
   set $skip_cache 1;
   }   
   if ($query_string != "") {
   set $skip_cache 1;
   }   

# Don't cache uris containing the following segments
   if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
   set $skip_cache 1;
   }   

# Don't use the cache for logged in users or recent commenters
   if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
   set $skip_cache 1;
   }

location / {
   try_files $uri $uri/ /index.php?$args;
   }    

location ~ \.php$ {
   limit_req zone=req_limit_per_ip burst=20;
   try_files $uri =404; 
   fastcgi_split_path_info ^(.+\.php)(/.+)$;
   include fastcgi_params;
   fastcgi_pass unix:/var/run/php-fpm.sock;
   fastcgi_index index.php;
   fastcgi_param SCRIPT_FILENAME $request_filename;
   fastcgi_cache_bypass $skip_cache;
   fastcgi_no_cache $skip_cache;
   fastcgi_cache WORDPRESS;
   fastcgi_cache_valid  60m;
   }

location ~ /purge(/.*) {
   fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
   }   

location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
   access_log off;   log_not_found off; expires max;
   }
location = /robots.txt { access_log off; log_not_found off; }
   location ~ /\. { deny  all; access_log off; log_not_found off; }
   }

In die php-fpm.conf muss

Code: Select all

;listen = 127.0.0.1:9000
listen = /var/run/php-fpm.sock

entweder ein- oder aus dokumentiert werden. Damit PHP funktioniert.