add log

2026-02-19 22:18:36 +09:00
parent 9421df2b9b
commit ea74203667
5 changed files with 358 additions and 0 deletions
--- a/nginx/README.md
+++ b/nginx/README.md
@@ -0,0 +1,122 @@
+# Nginx HTTPS Configuration for KAMCO Change Detection API
+
+## SSL Certificate Setup
+
+### Required Files
+GlobalSign SSL 인증서 파일들을 서버의 `/etc/ssl/certs/globalsign/` 디렉토리에 배치해야 합니다:
+
+```
+/etc/ssl/certs/globalsign/
+├── certificate.crt      # SSL 인증서 파일
+├── private.key          # 개인 키 파일
+└── ca-bundle.crt        # CA 번들 파일 (중간 인증서)
+```
+
+### Certificate Installation Steps
+
+1. **디렉토리 생성**
+```bash
+sudo mkdir -p /etc/ssl/certs/globalsign
+sudo chmod 755 /etc/ssl/certs/globalsign
+```
+
+2. **인증서 파일 복사**
+```bash
+sudo cp your-certificate.crt /etc/ssl/certs/globalsign/certificate.crt
+sudo cp your-private.key /etc/ssl/certs/globalsign/private.key
+sudo cp ca-bundle.crt /etc/ssl/certs/globalsign/ca-bundle.crt
+```
+
+3. **파일 권한 설정**
+```bash
+sudo chmod 644 /etc/ssl/certs/globalsign/certificate.crt
+sudo chmod 600 /etc/ssl/certs/globalsign/private.key
+sudo chmod 644 /etc/ssl/certs/globalsign/ca-bundle.crt
+```
+
+## Configuration Overview
+
+### Service Architecture
+```
+Internet (HTTPS:12013)
+    ↓
+nginx (443 in container)
+    ↓
+kamco-changedetection-api (8080 in container)
+```
+
+### Key Features
+- **HTTPS/TLS**: TLSv1.2, TLSv1.3 지원
+- **Port**: 외부 12013 → 내부 443 (nginx)
+- **Domain**: aicd-api.e-kamco.com:12013
+- **Reverse Proxy**: kamco-changedetection-api:8080으로 프록시
+- **Security Headers**: HSTS, X-Frame-Options, X-Content-Type-Options 등
+- **Health Check**: /health 엔드포인트
+
+## Deployment
+
+### Start Services
+```bash
+docker-compose -f docker-compose-prod.yml up -d
+```
+
+### Check Logs
+```bash
+# Nginx logs
+docker logs kamco-cd-nginx
+
+# API logs
+docker logs kamco-changedetection-api
+```
+
+### Verify Configuration
+```bash
+# Test nginx configuration
+docker exec kamco-cd-nginx nginx -t
+
+# Check SSL certificate
+docker exec kamco-cd-nginx openssl s_client -connect localhost:443 -servername aicd-api.e-kamco.com
+```
+
+### Access Service
+```bash
+# HTTPS Access
+curl -k https://aicd-api.e-kamco.com:12013/monitor/health
+
+# Health Check
+curl -k https://aicd-api.e-kamco.com:12013/health
+```
+
+## Troubleshooting
+
+### Certificate Issues
+인증서 파일이 제대로 마운트되었는지 확인:
+```bash
+docker exec kamco-cd-nginx ls -la /etc/ssl/certs/globalsign/
+```
+
+### Nginx Configuration Test
+```bash
+docker exec kamco-cd-nginx nginx -t
+```
+
+### Connection Test
+```bash
+# Check if nginx is listening
+docker exec kamco-cd-nginx netstat -tlnp | grep 443
+
+# Check backend connection
+docker exec kamco-cd-nginx wget --spider http://kamco-changedetection-api:8080/monitor/health
+```
+
+## Configuration Files
+
+- `nginx/nginx.conf`: Main nginx configuration
+- `nginx/conf.d/default.conf`: Server block with SSL and proxy settings
+- `docker-compose-prod.yml`: Docker compose with nginx service
+
+## Notes
+
+- 인증서 파일명이 다를 경우 `nginx/conf.d/default.conf`에서 경로를 수정하세요
+- 인증서 갱신 시 nginx 컨테이너를 재시작하세요: `docker restart kamco-cd-nginx`
+- 포트 12013이 방화벽에서 허용되어 있는지 확인하세요
--- a/nginx/conf.d/default.conf
+++ b/nginx/conf.d/default.conf
@@ -0,0 +1,60 @@
+upstream kamco_api {
+    server kamco-cd-api:8080;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name aicd-api.e-kamco.com;
+
+    # GlobalSign SSL Certificate
+    ssl_certificate /etc/ssl/certs/globalsign/certificate.crt;
+    ssl_certificate_key /etc/ssl/certs/globalsign/private.key;
+
+    # SSL Configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    # Client Body Size
+    client_max_body_size 100M;
+
+    # Proxy Settings
+    location / {
+        proxy_pass http://kamco_api;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+
+        # WebSocket Support (if needed)
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+
+    # Health Check Endpoint
+    location /health {
+        access_log off;
+        return 200 "OK";
+        add_header Content-Type text/plain;
+    }
+
+    # Access and Error Logs
+    access_log /var/log/nginx/kamco-api-access.log;
+    error_log /var/log/nginx/kamco-api-error.log;
+}
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -0,0 +1,33 @@
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    tcp_nopush      on;
+    tcp_nodelay     on;
+    keepalive_timeout  65;
+    types_hash_max_size 2048;
+
+    gzip  on;
+    gzip_vary on;
+    gzip_min_length 1024;
+    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml+rss application/json;
+
+    include /etc/nginx/conf.d/*.conf;
+}