
Google Cloud Storage をnginx でhttpsで公開する

Google Cloud Storage(GCS) には独自ドメインでファイルを公開する機能が付いているが、http にしか対応していない。https に対応するには、以下のように nginx でプロキシするなどの方法を取る必要がある。

config

画像用ドメイン: static.kmn.jp バケット名: static.kmn.jp (※ https化にはlet's encrypt を利用しているため、そのための設定も入っている。)

$ cat /etc/nginx/conf.d/static.kmn.jp
# Shared proxy cache "GS": up to 10 GB on disk, entries expire after one month without access
proxy_cache_path           /var/cache/nginx levels=1:2 keys_zone=GS:10m inactive=30d max_size=10g;

# Upstream group for the GCS XML endpoint, with a pool of idle keepalive connections.
# NOTE(review): the hostname here is resolved when the configuration is loaded; a reload is
# needed to pick up address changes — confirm this matches the expected operational model.
upstream gs {
    server    storage.googleapis.com:443;
    keepalive 100;
}

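# HTTPS front for the bucket: terminates TLS, proxies to GCS and caches objects.
server {
    set $my_domain "static.kmn.jp";   # bucket name; appended to the upstream path in proxy_pass
    server_name static.kmn.jp;

    ###
    # <tls setting>
    ###

    listen 443 ssl;
    # nginx 1.9.5 or later:
    # listen 443 ssl http2;

    server_tokens off;

    ssl_certificate     /etc/letsencrypt/live/static.kmn.jp/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/static.kmn.jp/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # Some environments do not work with this set to off (the default is on).
    # NOTE(review): no ssl_session_ticket_key is set, so the ticket key is generated
    # at startup and only changes on restart; sessions resumed under the same key do
    # not get fresh forward secrecy — confirm this is acceptable.
    ssl_session_tickets on;

    # 2048-bit recommended
    ssl_dhparam /etc/ssl/private/dhparam.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); serve TLS 1.2 only.
    # Add TLSv1.3 here on nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2;
    # Same preference order as before, minus the 3DES suites (64-bit block cipher,
    # Sweet32); !3DES also blocks any 3DES suite the aliases (AES, CAMELLIA) might pull in.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH';
    ssl_prefer_server_ciphers on;

    ###
    # </tls setting>
    ###


    # Logs
    # Access logging is off for throughput; be aware this leaves no per-request
    # record of this public endpoint for incident investigation.
    access_log off;
    error_log /var/log/nginx/static.kmn.jp.error.log error;

    # Nameserver (used for hostnames that are not covered by an upstream block)
    resolver                   8.8.8.8 valid=300s;
    resolver_timeout           10s;

    # Proxy Cache
    proxy_temp_path /tmp/nginx;
    proxy_cache_lock on;
    proxy_cache_key "$uri"; # query string is deliberately not part of the key

    ## https://github.com/FRiCKLE/ngx_cache_purge
    #proxy_cache_purge on from 127.0.0.1;

    # Cache bypass: a "Cache-Purge" request header forces a refetch from GCS and
    # replaces the cached copy. Honour it only from localhost, otherwise any client
    # can bust the cache at will and drive GCS egress.
    set $cache_bypass "";
    if ($remote_addr = "127.0.0.1") {
        set $cache_bypass $http_cache_purge;
    }

    # Limit request methods to GET|HEAD. The pattern is anchored: the previous
    # "GET|HEAD|PURGE" matched any method merely containing those strings. Add PURGE
    # back only together with the proxy_cache_purge directive above; without that
    # module a PURGE request is simply forwarded to GCS.
    if ( $request_method !~ "^(GET|HEAD)$" ) {
        return 405;
    }

    location / {
        # Upstream TLS: nginx does not verify the upstream certificate unless told to,
        # so an on-path attacker between this host and GCS could inject content that
        # the cache then keeps for a month. Verify the chain and send SNI for the real name.
        proxy_ssl_verify               on;
        proxy_ssl_verify_depth         3;   # default 1 is too shallow for chains with several intermediates
        proxy_ssl_trusted_certificate  /etc/ssl/certs/ca-certificates.crt;   # Debian/Ubuntu CA bundle; adjust per distro
        proxy_ssl_server_name          on;
        proxy_ssl_name                 storage.googleapis.com;
        proxy_ssl_protocols            TLSv1.2;

        proxy_set_header    Host storage.googleapis.com;
        # Strip GCS-specific metadata before it reaches clients
        proxy_hide_header   x-goog-hash;
        proxy_hide_header   x-goog-generation;
        proxy_hide_header   x-goog-metageneration;
        proxy_hide_header   x-goog-stored-content-encoding;
        proxy_hide_header   x-goog-stored-content-length;
        proxy_hide_header   x-goog-storage-class;
        proxy_hide_header   x-xss-protection;
        proxy_hide_header   accept-ranges;
        proxy_hide_header   alternate-protocol;
        proxy_hide_header      Set-Cookie;
        proxy_ignore_headers   "Set-Cookie";
        # Replace GCS XML error bodies with nginx's own error pages (no error_page is
        # configured here, so the built-in ones are used) so bucket details stay hidden.
        proxy_intercept_errors on;

        proxy_cache            GS;
        proxy_cache_valid      200 720h; # Cache For 1 Month
        proxy_cache_bypass     $cache_bypass;

        # Response headers. add_header directives are not inherited once a location
        # defines its own, so the Cache-Control header from the server level was never
        # sent for proxied responses; it lives here now. "expires max" was dropped as it
        # emitted a second, conflicting Cache-Control (max-age=315360000).
        add_header              Cache-Control "public, max-age=31536000";
        add_header              X-Content-Type-Options nosniff;
        add_header              Strict-Transport-Security "max-age=31536000";
        add_header              X-Cache $upstream_cache_status;

        proxy_http_version     1.1;
        proxy_set_header       Connection "";
        # NOTE(review): $uri is the decoded request path and, with variables in
        # proxy_pass, is forwarded as-is; object names that need percent-encoding
        # may not resolve — verify with such an object.
        proxy_pass             https://gs/$my_domain$uri;
    }
}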

# Port 80: serves the Let's Encrypt (ACME HTTP-01) renewal challenge and sends
# every other request to HTTPS.
server {
  listen        80;
  server_name   static.kmn.jp;

  # Webroot the renewal client drops challenge files into.
  # NOTE(review): this root is under /tmp, which every local user can write to; if
  # another user can create the directory first, nginx would serve their files on the
  # challenge path. A root-owned directory outside /tmp avoids that — confirm the setup.
  location /.well-known/acme-challenge {
    root          /tmp/letsencrypt-auto;
    default_type  text/plain;
  }

  location / {
    # Redirect built from $server_name rather than $host, so the client's Host
    # header cannot steer the redirect target.
    return      301 https://$server_name$request_uri;
  }
}

設定反映

# Validate the configuration first; "&&" skips the reload when the test fails, so a bad config never takes the server down
sudo service nginx configtest && sudo service nginx reload

参考

touhonoob/gs.nginx.conf