diff --git a/docker-compose-prod.yml b/docker-compose-prod.yml index dd2b55f..4e796d8 100644 --- a/docker-compose-prod.yml +++ b/docker-compose-prod.yml @@ -1,33 +1,10 @@ services: - nginx: - image: nginx:alpine - container_name: kamco-cd-nginx - ports: - - "80:80" - - "443:443" - volumes: - - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro - - ./nginx/ssl:/etc/nginx/ssl:ro - - nginx-logs:/var/log/nginx - depends_on: - kamco-changedetection-api: - condition: service_healthy - networks: - - kamco-cds - restart: unless-stopped - healthcheck: - test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "--no-check-certificate", "https://localhost/monitor/health"] - interval: 30s - timeout: 10s - retries: 3 - start_period: 10s - - kamco-changedetection-api: + kamco-train-api: build: context: . dockerfile: Dockerfile - image: kamco-cd-training-api:${IMAGE_TAG:-latest} - container_name: kamco-cd-training-api + image: kamco-train-api:${IMAGE_TAG:-latest} + container_name: kamco-train-api expose: - "8080" environment: @@ -50,7 +27,3 @@ services: networks: kamco-cds: external: true - -volumes: - nginx-logs: - driver: local diff --git a/nginx/SSL_SETUP.md b/nginx/SSL_SETUP.md index 5b3a22a..ef481c3 100644 --- a/nginx/SSL_SETUP.md +++ b/nginx/SSL_SETUP.md @@ -389,6 +389,23 @@ docker-compose -f docker-compose-prod.yml restart nginx sudo setenforce 0 ``` + +### 2단계: 시스템 신뢰 폴더로 복사 +터미널을 열고 관리자 권한(sudo)을 사용해 인증서를 시스템 폴더로 복사합니다. + +``` +sudo cp mycert.crt /etc/pki/ca-trust/source/anchors/ +``` + +### 3단계: 시스템 신뢰 목록 업데이트 +아래 명령어를 입력해 추가한 인증서를 시스템에 갱신시킵니다. + +``` +sudo update-ca-trust +``` + + + ## 참고 자료 - [OpenSSL Documentation](https://www.openssl.org/docs/) diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 9411202..007a4e9 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf 
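Review bot: Removing the nginx service from docker-compose-prod.yml leaves two references dangling in this same diff: the SSL_SETUP.md context line still instructs `docker-compose -f docker-compose-prod.yml restart nginx`, and the nginx.conf hunk adds `upstream web_backend { server kamco-train-web:3002; }` although no `kamco-train-web` service exists in this file. If nginx and the web app now live in another compose project, that project must also join the external `kamco-cds` network for `kamco-train-api:8080` to resolve, and since `kamco-train-api` only `expose`s 8080 nothing reaches it from the host until that proxy is up. A comment above the remaining service would save the next operator a search, e.g. `# reverse proxy (nginx) and kamco-train-web are defined in <OTHER_COMPOSE_FILE>; both must attach to the external kamco-cds network`. The new `image` and `container_name` also mean an already-deployed `kamco-cd-training-api` container is left behind rather than replaced, so the old project should be brought down before the first deploy of this one to avoid a stale container on the same network.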
@@ -22,7 +22,11 @@ http { # Upstream 설정 upstream api_backend { - server kamco-changedetection-api:8080; + server kamco-train-api:8080; + } + + upstream web_backend { + server kamco-train-web:3002; } # HTTP → HTTPS 리다이렉트 서버 @@ -37,7 +41,7 @@ http { # HTTPS 서버 설정 server { listen 443 ssl http2; - server_name api.train-kamco.com train-kamco.com; + server_name api.train-kamco.com; # SSL 인증서 설정 (사설 인증서 - 멀티 도메인) ssl_certificate /etc/nginx/ssl/train-kamco.com.crt; 
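Review bot: The new `upstream web_backend { server kamco-train-web:3002; }` makes nginx's startup depend on that hostname resolving, because nginx resolves plain `server` names in `upstream` blocks once at (re)load and aborts the whole configuration with `host not found in upstream` if the lookup fails; `api_backend` has the same property, so the API vhost also goes down whenever the web container is absent. If the two backends are meant to be deployable independently, that coupling deserves a comment above the block, e.g. `# both upstreams must be resolvable on the kamco-cds network when nginx starts, or nginx refuses to load`, or should be accepted explicitly in the deploy docs. The enclosing `http {` block starts and ends outside this hunk.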
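Review bot: After narrowing `server_name` to `api.train-kamco.com`, this remains the first `listen 443` block in the file, so nginx uses it as the implicit default for any TLS request whose SNI/Host matches neither vhost (direct IP access, scanners, mistyped hosts) and the API answers those requests. Making that intent explicit is one line, `listen 443 ssl http2 default_server;` on whichever block should receive unmatched hosts, or a small catch-all `server` block with the same `ssl_certificate`/`ssl_certificate_key` lines and `return 444;` if neither should. The server block continues past the end of the hunk.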
@@ -90,4 +94,59 @@ http { access_log off; } } -} \ No newline at end of file + + # HTTPS 서버 설정 - Next.js Web Application + server { + listen 443 ssl http2; + server_name train-kamco.com; + + # SSL 인증서 설정 (사설 인증서 - 멀티 도메인) + ssl_certificate /etc/nginx/ssl/train-kamco.com.crt; + ssl_certificate_key /etc/nginx/ssl/train-kamco.com.key; + + # SSL 프로토콜 및 암호화 설정 + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; + ssl_prefer_server_ciphers off; + + # SSL 세션 캐시 + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + + # HSTS (HTTP Strict Transport Security) + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # 보안 헤더 + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + + # 프록시 설정 + location / { + proxy_pass http://web_backend; + proxy_http_version 1.1; + + # 프록시 헤더 설정 + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $server_name; + + # Next.js WebSocket 지원을 위한 Upgrade 헤더 + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # 타임아웃 설정 + proxy_connect_timeout 600s; + proxy_send_timeout 600s;질무 + proxy_read_timeout 600s; + + # 버퍼 설정 + proxy_buffering on; + proxy_buffer_size 4k; + proxy_buffers 8 4k; + proxy_busy_buffers_size 8k; + } + } +}
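Review bot: `proxy_send_timeout 600s;질무` carries stray characters after the semicolon, which nginx parses as the start of a new directive and rejects with an unknown-directive error, so this configuration will not load at all; the line should read `proxy_send_timeout 600s;`. Separately, `proxy_set_header Connection "upgrade";` applies to every request under `location /`, not only WebSocket handshakes, so ordinary page loads reach Next.js with a bare `Connection: upgrade` and no `Upgrade` header; the usual pattern is a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the `http` context and `proxy_set_header Connection $connection_upgrade;` here. The `X-XSS-Protection "1; mode=block"` header re-enables a legacy browser filter that most current browsers have removed and that has itself been a source of information-leak bugs; current guidance is to drop it or set `X-XSS-Protection "0"` and rely on a Content-Security-Policy, which this server block does not set. The ssl_*, HSTS and security-header directives appear to duplicate the API server block (same certificate comment and paths), so hoisting them into the enclosing `http {}`, which starts outside this hunk, would keep the two vhosts from drifting apart.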