Google Cloud Storage をnginx でhttpsで公開する
Google Cloud Storage(GCS) は独自ドメインでファイルを公開する機能が付いているが、http のみしか対応していない。 https で対応するには以下のようにnginxでプロキシするなどの方法を取る必要がある。
config
画像用ドメイン: static.kmn.jp バケット名: static.kmn.jp (※ https化にはlet's encrypt を利用しているため、そのための設定も入っている。)
$ cat /etc/nginx/conf.d/static.kmn.jp # Cache 10GB for 1 Month proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=GS:10m inactive=720h max_size=10240m; upstream gs { server 'storage.googleapis.com:443'; keepalive 100; } server { set $my_domain "static.kmn.jp"; server_name static.kmn.jp; ### # <tls setting> ### listen 443 ssl; # nginx 1.9.5 以降の場合 # listen 443 ssl http2; server_name static.kmn.jp; server_tokens off; ssl_certificate /etc/letsencrypt/live/static.kmn.jp/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/static.kmn.jp/privkey.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; # 環境によっては off にすると動かないので注意 (default は on) ssl_session_tickets on; # 2048bit 推奨 ssl_dhparam /etc/ssl/private/dhparam.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; ### # </tls setting> ### # Logs access_log off; error_log /var/log/nginx/static.kmn.jp.error.log error; # Cache Control expires max; add_header Cache-Control "public, max-age=31536000"; # Nameserver resolver 8.8.8.8 valid=300s; resolver_timeout 10s; # Proxy Cache proxy_temp_path /tmp/nginx; proxy_cache_lock on; proxy_cache_key "$uri"; # Ignore Parameters ## https://github.com/FRiCKLE/ngx_cache_purge #proxy_cache_purge on from 127.0.0.1; # Limit Request Methods to GET|HEAD|PURGE if ( $request_method !~ "GET|HEAD|PURGE" ) { return 405; } location / { proxy_set_header Host storage.googleapis.com; proxy_hide_header x-goog-hash; proxy_hide_header x-goog-generation; proxy_hide_header x-goog-metageneration; proxy_hide_header x-goog-stored-content-encoding; proxy_hide_header x-goog-stored-content-length; proxy_hide_header x-goog-storage-class; proxy_hide_header x-xss-protection; proxy_hide_header accept-ranges; proxy_hide_header alternate-protocol; proxy_hide_header Set-Cookie; proxy_ignore_headers "Set-Cookie"; proxy_intercept_errors on; proxy_cache GS; proxy_cache_valid 200 720h; # Cache For 1 Month proxy_cache_bypass $http_cache_purge; add_header X-Cache $upstream_cache_status; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_pass https://gs/$my_domain$uri; } } # let's encrypt の自動更新用の設定 server { listen 80; server_name static.kmn.jp; location '/.well-known/acme-challenge' { default_type "text/plain"; root /tmp/letsencrypt-auto; } location / { return 301 https://$server_name$request_uri; } }
設定反映
sudo service nginx configtest && sudo service nginx reload