# Nginx HTTPS Configuration for KAMCO Change Detection API

## SSL Certificate Setup

### Required Files

The GlobalSign SSL certificate files must be placed in the `/etc/ssl/certs/globalsign/` directory on the server:

```
/etc/ssl/certs/globalsign/
├── certificate.crt     # SSL certificate file
├── private.key         # Private key file
└── ca-bundle.crt       # CA bundle file (intermediate certificates)
```

### Certificate Installation Steps

1. **Create the directory**

   ```bash
   sudo mkdir -p /etc/ssl/certs/globalsign
   sudo chmod 755 /etc/ssl/certs/globalsign
   ```

2. **Copy the certificate files**

   ```bash
   sudo cp your-certificate.crt /etc/ssl/certs/globalsign/certificate.crt
   sudo cp your-private.key /etc/ssl/certs/globalsign/private.key
   sudo cp ca-bundle.crt /etc/ssl/certs/globalsign/ca-bundle.crt
   ```

3. **Set file permissions**

   ```bash
   sudo chmod 644 /etc/ssl/certs/globalsign/certificate.crt
   sudo chmod 600 /etc/ssl/certs/globalsign/private.key
   sudo chmod 644 /etc/ssl/certs/globalsign/ca-bundle.crt
   ```

## Configuration Overview

### Service Architecture

```
Internet (HTTPS:12013)
    ↓
nginx (443 in container)
    ↓
kamco-changedetection-api (8080 in container)
```

### Key Features

- **HTTPS/TLS**: TLSv1.2 and TLSv1.3 supported
- **Port**: external 12013 → internal 443 (nginx)
- **Domain**: aicd-api.e-kamco.com:12013
- **Reverse Proxy**: proxies to kamco-changedetection-api:8080
- **Security Headers**: HSTS, X-Frame-Options, X-Content-Type-Options, and others
- **Health Check**: `/health` endpoint

## Deployment

### Start Services

```bash
docker-compose -f docker-compose-prod.yml up -d
```

### Check Logs

```bash
# Nginx logs
docker logs kamco-cd-nginx

# API logs
docker logs kamco-changedetection-api
```

### Verify Configuration

```bash
# Test nginx configuration
docker exec kamco-cd-nginx nginx -t

# Check SSL certificate
docker exec kamco-cd-nginx openssl s_client -connect localhost:443 -servername aicd-api.e-kamco.com
```

### Access Service

```bash
# -k skips certificate verification; omit it to confirm the certificate chain validates

# HTTPS Access
curl -k https://aicd-api.e-kamco.com:12013/monitor/health

# Health Check
curl -k https://aicd-api.e-kamco.com:12013/health
```

## Troubleshooting

### Certificate Issues

Check that the certificate files are mounted correctly:

```bash
docker exec kamco-cd-nginx ls -la /etc/ssl/certs/globalsign/
```

### Nginx Configuration Test

```bash
docker exec kamco-cd-nginx nginx -t
```

### Connection Test

```bash
# Check if nginx is listening
docker exec kamco-cd-nginx netstat -tlnp | grep 443

# Check backend connection
docker exec kamco-cd-nginx wget --spider http://kamco-changedetection-api:8080/monitor/health
```

## Configuration Files

- `nginx/nginx.conf`: Main nginx configuration
- `nginx/conf.d/default.conf`: Server block with SSL and proxy settings
- `docker-compose-prod.yml`: Docker compose with nginx service

## Notes

- If the certificate file names differ, update the paths in `nginx/conf.d/default.conf`.
- When the certificate is renewed, restart the nginx container: `docker restart kamco-cd-nginx`
- Make sure port 12013 is allowed through the firewall.
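
A server block matching the Key Features list, as an added sketch (not the project's actual `nginx/conf.d/default.conf`). Assumptions: the header values, the session settings, the forwarded headers, and that nginx answers `/health` itself rather than proxying it.

```nginx
# Added sketch; values marked "assumed" are not taken from the project.
server {
    listen 443 ssl;                       # published on the host as 12013
    server_name aicd-api.e-kamco.com;

    # nginx sends clients only what is in ssl_certificate. If certificate.crt
    # holds just the server certificate, append ca-bundle.crt to it; otherwise
    # clients that lack the intermediates fail chain validation.
    ssl_certificate     /etc/ssl/certs/globalsign/certificate.crt;
    ssl_certificate_key /etc/ssl/certs/globalsign/private.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache   shared:SSL:10m;   # assumed
    ssl_session_timeout 1h;               # assumed
    ssl_session_tickets off;              # assumed

    # "always" applies the headers to error responses as well. Any location
    # that declares its own add_header stops inheriting these three.
    add_header Strict-Transport-Security "max-age=31536000" always;  # assumed value
    add_header X-Frame-Options "DENY" always;                        # assumed value
    add_header X-Content-Type-Options "nosniff" always;

    # Liveness of nginx itself (assumed); backend health is /monitor/health.
    location = /health {
        access_log off;
        default_type text/plain;
        return 200 "ok\n";
    }

    location / {
        proxy_pass http://kamco-changedetection-api:8080;
        proxy_http_version 1.1;
        # $http_host keeps the :12013 the client used; $host would drop it.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After editing, `docker exec kamco-cd-nginx nginx -t` validates the syntax and confirms the key matches the certificate before a restart.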