Configuring Drupal 11 on a Raspberry Pi 4 behind an Nginx reverse proxy

Here I explain how I set up the latest version of Drupal 11 on a Raspberry Pi 4 that sits behind the main Raspberry Pi of my network, by configuring an Nginx reverse proxy on the first Raspberry.

First of all, here are three articles directly related to this one. The first covers how I configured the Nginx reverse proxy on the Raspberry Pi 4 with IP 192.168.0.2. The second explains how I configured the DV (domain validation) certificates so that SSL works for browsing over the encrypted https protocol. And the third explains how I actually installed Drupal 11 with Composer:

In this article I want to share the Nginx configuration I have both on the main machine where I run the reverse proxy (with IP 192.168.0.2) and on the final machine where Drupal 11 is running (with IP 192.168.0.3). Here is a simple diagram of the network:
[Figure: Drupal 11 on a Raspberry behind an Nginx reverse proxy]

Nginx site configuration on 192.168.0.2, where I have the reverse proxy
We edit /usr/local/etc/nginx/sites-enabled/nom-del-lloc-web (nom-del-lloc-web stands for the name of your site) and add:

server {
  server_name desenvolupament.eclipsecastello.net;

  location / {
    proxy_pass https://192.168.0.3/;
    proxy_ssl_verify off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /usr/local/etc/letsencrypt/live/desenvolupament.eclipsecastello.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /usr/local/etc/letsencrypt/live/desenvolupament.eclipsecastello.net/privkey.pem; # managed by Certbot
    include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = desenvolupament.eclipsecastello.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

  listen 80;
  server_name desenvolupament.eclipsecastello.net;
    return 404; # managed by Certbot
}

Nginx site configuration on 192.168.0.3, where Drupal is hosted
Now we also edit /usr/local/etc/nginx/sites-enabled/nom-del-lloc-web on this machine and add:

server {
    server_name desenvolupament.eclipsecastello.net;
    root /usr/local/www/desenvolupament.eclipsecastello.net/web; ## <-- Your only path reference.

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Very rarely should these ever be accessed outside of your lan
    location ~* \.(txt|log)$ {
        allow 192.168.0.0/16;
        deny all;
    }

    location ~ \..*/.*\.php$ {
        return 403;
    }

    location ~ ^/sites/.*/private/ {
        return 403;
    }

    # Block access to scripts in site files directory
    location ~ ^/sites/[^/]+/files/.*\.php$ {
        deny all;
    }

    # Allow "Well-Known URIs" as per RFC 5785
    location ~* ^/.well-known/ {
        allow all;
    }

    # Block access to "hidden" files and directories whose names begin with a
    # period. This includes directories used by version control systems such
    # as Subversion or Git to store control files.
    location ~ (^|/)\. {
        return 403;
    }

    # The "location /" configuration that acted as a reverse proxy
    # to Mercuri (192.168.1.4) used to be here, but now that we are
    # on Ura (192.168.1.42) I can configure Nginx as I had it
    # at the start, which is the following:
    location / {
        # try_files $uri @rewrite; # For Drupal <= 6
        try_files $uri /index.php?$query_string; # For Drupal >= 7
    }

    location @rewrite {
        #rewrite ^/(.*)$ /index.php?q=$1; # For Drupal <= 6
        rewrite ^ /index.php; # For Drupal >= 7
    }

    # Don't allow direct access to PHP files in the vendor directory.
    location ~ /vendor/.*\.php$ {
        deny all;
        return 404;
    }

    # Protect files and directories from prying eyes.
    location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
        deny all;
        return 404;
    }

    # In Drupal 8, we must also match new paths where the '.php' appears in
    # the middle, such as update.php/selection. The rule we use is strict,
    # and only allows this pattern with the update.php front controller.
    # This allows legacy path aliases in the form of
    # blog/index.php/legacy-path to continue to route to Drupal nodes. If
    # you do not have any paths like that, then you might prefer to use a
    # laxer rule, such as:
    #   location ~ \.php(/|$) {
    # The laxer rule will continue to work if Drupal uses this new URL
    # pattern with front controllers other than update.php in a future
    # release.
    location ~ '\.php$|^/update.php' {
        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
        # Ensure the php file exists. Mitigates CVE-2019-11043
        try_files $fastcgi_script_name =404;
        # Security note: If you're running a version of PHP older than the
        # latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini.
        # See http://serverfault.com/q/627903/94922 for details.
        include fastcgi_params;
        # Block httpoxy attacks. See https://httpoxy.org/.
        fastcgi_param HTTP_PROXY "";
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_intercept_errors on;
        # PHP 5 socket location.
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        # PHP 8.2 socket location.
        fastcgi_pass   unix:/var/run/php82-fpm.sock;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        try_files $uri @rewrite;
        expires max;
        log_not_found off;
    }

    # Fighting with Styles? This little gem is amazing.
    # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
    location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
        try_files $uri @rewrite;
    }

    # Handle private files through Drupal. Private file's path can come
    # with a language prefix.
    location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
        try_files $uri /index.php?$query_string;
    }

    # Enforce clean URLs
    # Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
    # Could be done with 301 for permanent or other redirect codes.
    if ($request_uri ~* "^(.*/)index\.php/(.*)") {
        return 307 $1$2;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /usr/local/etc/letsencrypt/live/desenvolupament.eclipsecastello.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /usr/local/etc/letsencrypt/live/desenvolupament.eclipsecastello.net/privkey.pem; # managed by Certbot
    include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = desenvolupament.eclipsecastello.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name desenvolupament.eclipsecastello.net;
    listen 80;
    return 404; # managed by Certbot
}

We restart Nginx with:

$ doas service nginx restart

And that's all.

Once the nginx instances on 192.168.0.2 and 192.168.0.3 are configured, you will see that all https requests resolve correctly on port 443 using the SSL certificate and go to the internal machine 192.168.0.3, where Drupal 11 is hosted.
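
A hardening sketch added here as an example, not part of the original configuration: with the setup above the proxy accepts any certificate from 192.168.0.3, and the backend sees every request as coming from 192.168.0.2, so its allow 192.168.0.0/16 rule for .txt and .log files matches all proxied traffic. It assumes the CA bundle path shown, that the backend certificate is valid for the site hostname, and that nginx on 192.168.0.3 includes ngx_http_realip_module.

```nginx
# --- On 192.168.0.2 (reverse proxy): replaces the "location /" block ---
location / {
    proxy_pass https://192.168.0.3/;

    # Verify the backend certificate instead of accepting whatever is presented.
    # The backend serves the certificate issued for the site hostname, so the
    # check is made against that name, not against the IP used in proxy_pass.
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        2;
    proxy_ssl_name                desenvolupament.eclipsecastello.net;
    proxy_ssl_server_name         on;
    # Assumption: location of the system CA bundle; adjust to your system.
    proxy_ssl_trusted_certificate /usr/local/share/certs/ca-root-nss.crt;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;

    # Pass the real client address and the original scheme to the backend.
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

# --- On 192.168.0.3 (Drupal): inside the server block that listens on 443 ---
# Requires ngx_http_realip_module (assumption: compiled into this nginx).
# The X-Real-IP header is trusted only on connections from the proxy itself;
# for any other peer the header is ignored and the socket address is used.
set_real_ip_from 192.168.0.2;
real_ip_header   X-Real-IP;

# With $remote_addr restored to the real client address, the existing
#   location ~* \.(txt|log)$ { allow 192.168.0.0/16; deny all; }
# rule evaluates the visitor's address rather than the proxy's, and the
# access log on 192.168.0.3 records real clients instead of 192.168.0.2.
```

Check the syntax on both machines with nginx -t before restarting.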

Well, that's all. I hope you find this article useful and that it motivates you to share your tricks, your knowledge and your experiments with Free Software. Think about it: the Free Software Community keeps growing thanks to documentation, design, training or programming, so be part of the Community :-)

Culture and the free circulation of ideas are the most effective weapon against dictatorships of thought and against ignorance.
