diff --git a/deploy/check-nginx.sh b/deploy/check-nginx.sh
index aacb562..14f8643 100755
--- a/deploy/check-nginx.sh
+++ b/deploy/check-nginx.sh
@@ -126,9 +126,14 @@ section "nginx 설정 문법 검사"
 # ──────────────────────────────────────────
 if command -v docker &>/dev/null && docker info &>/dev/null 2>&1; then
 echo " docker run으로 nginx -t 실행 중..."
- if docker run --rm \
- -v "$NGINX_DIR/nginx.conf:/etc/nginx/nginx.conf:ro" \
- -v "$NGINX_DIR/ssl:/etc/nginx/ssl:ro" \
+ # kamco-cds 네트워크가 있으면 연결 (upstream DNS 조회 가능)
+ NETWORK_OPT=""
+ if docker network ls --format '{{.Name}}' | grep -q "^kamco-cds$"; then
+ NETWORK_OPT="--network kamco-cds"
+ fi
+ if docker run --rm $NETWORK_OPT \
+ -v "$NGINX_DIR/nginx.conf:/etc/nginx/nginx.conf:ro,Z" \
+ -v "$NGINX_DIR/ssl:/etc/nginx/ssl:ro,Z" \
 nginx:alpine nginx -t 2>&1; then
 ok "nginx 설정 문법 OK"
 else
diff --git a/deploy/docker-compose-nginx.yml b/deploy/docker-compose-nginx.yml
index e7632ae..ea2a947 100644
--- a/deploy/docker-compose-nginx.yml
+++ b/deploy/docker-compose-nginx.yml
@@ -2,14 +2,14 @@ services:
 nginx:
 image: nginx:alpine
 container_name: kamco-train-nginx
- user: 1000:1000
+ user: "1000:1000"
 ports:
 - "80:80"
 - "443:443"
 volumes:
- - ./nginx.conf:/etc/nginx/nginx.conf:ro
- - ./ssl:/etc/nginx/ssl:ro
- - ./logs:/var/log/nginx
+ - ./nginx.conf:/etc/nginx/nginx.conf:ro,Z
+ - ./ssl:/etc/nginx/ssl:ro,Z
+ - ./logs:/var/log/nginx:Z
 networks:
 - kamco-cds
 restart: unless-stopped
diff --git a/deploy/nginx.conf b/deploy/nginx.conf
index 5d0e80a..7f1d3cb 100644
--- a/deploy/nginx.conf
+++ b/deploy/nginx.conf
@@ -1,3 +1,5 @@
+pid /var/log/nginx/nginx.pid;
+
 events {
 worker_connections 1024;
 }
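Review bot: Both this `docker run` and the compose service in the next hunk mount nginx.conf and ssl/ with `:Z`, and `Z` assigns a private, per-container SELinux label, so if `$NGINX_DIR` is the directory docker-compose-nginx.yml refers to, every run of this check relabels the config and the key directory away from the running kamco-train-nginx container; on an SELinux host its next reload or restart can then fail to read them. For files shared read-only between containers use the shared label, e.g. `-v "$NGINX_DIR/nginx.conf:/etc/nginx/nginx.conf:ro,z"` and `-v "$NGINX_DIR/ssl:/etc/nginx/ssl:ro,z"` (with `z` in the compose file as well), or drop the relabel from the check entirely. Separately, `$NETWORK_OPT` is left unquoted so it word-splits; an array is the idiomatic form: `network_opts=()`, `network_opts+=(--network kamco-cds)`, `if docker run --rm "${network_opts[@]}" \`. The enclosing if/else continues past the end of the hunk.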
@@ -17,18 +19,19 @@ http { sendfile on; keepalive_timeout 65; + # user 1000:1000 실행 시 /var/cache/nginx 접근 불가 → logs 경로로 우회 + client_body_temp_path /var/log/nginx/client_temp; + proxy_temp_path /var/log/nginx/proxy_temp; + fastcgi_temp_path /var/log/nginx/fastcgi_temp; + uwsgi_temp_path /var/log/nginx/uwsgi_temp; + scgi_temp_path /var/log/nginx/scgi_temp; + # 업로드 파일 크기 / 타임아웃 (10GB, 10분) client_max_body_size 10G; client_body_timeout 600s; - # Upstream 설정 - upstream api_backend { - server kamco-train-api:8080; - } - - upstream web_backend { - server kamco-train-web:3002; - } + # Docker 내부 DNS - 시작 시 upstream 조회 실패 방지 + resolver 127.0.0.11 valid=30s ipv6=off; # HTTP → HTTPS 리다이렉트 서버 server { @@ -45,23 +48,17 @@ http { http2 on; server_name api.train-kamco.com; - # SSL 인증서 설정 (사설 인증서 - 멀티 도메인) ssl_certificate /etc/nginx/ssl/train-kamco.com.crt; ssl_certificate_key /etc/nginx/ssl/train-kamco.com.key; - # SSL 프로토콜 및 암호화 설정 ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; ssl_prefer_server_ciphers off; - # SSL 세션 캐시 ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; - # HSTS (HTTP Strict Transport Security) add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - - # 보안 헤더 add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; 
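Review bot: The new `*_temp_path` directives put request-body and proxy temp files under /var/log/nginx, which docker-compose-nginx.yml binds to the host `./logs` directory; with `client_max_body_size 10G` that can place multi-gigabyte upload bodies and the pid file next to the access logs, in a directory that is presumably rotated or shipped as logs, and it also requires `./logs` to be writable by uid 1000. A dedicated writable mount keeps the uid-1000 workaround out of the log tree, for example `- ./cache:/var/cache/nginx:Z` in the compose volumes, with the temp paths pointing under /var/cache/nginx or left at their defaults. The `resolver 127.0.0.11 valid=30s ipv6=off;` line hard-codes Docker's embedded DNS, so upstream lookups now only work inside a Docker network; a comment stating that would help, e.g. `# 127.0.0.11 is Docker's embedded DNS; upstream names resolve only inside a Docker network`. The http block extends beyond both ends of this hunk.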
@@ -72,41 +69,35 @@ http { add_header Access-Control-Allow-Headers "Authorization, Content-Type, Cookie, X-Requested-With" always; add_header Access-Control-Allow-Credentials "true" always; - # 프록시 설정 location / { - # OPTIONS preflight 처리 if ($request_method = OPTIONS) { return 204; } - proxy_pass http://api_backend; + set $api http://kamco-train-api:8080; + proxy_pass $api; proxy_http_version 1.1; - # 프록시 헤더 설정 proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $server_name; - - # 인증 헤더 및 쿠키 전달 (JWT 토큰 전달 보장) proxy_pass_request_headers on; proxy_set_header Cookie $http_cookie; proxy_set_header Authorization $http_authorization; - # 타임아웃 설정 (10분) proxy_connect_timeout 600s; proxy_send_timeout 600s; proxy_read_timeout 600s; - # 대용량 업로드: 버퍼링 없이 백엔드로 스트리밍 proxy_request_buffering off; proxy_buffering off; } - # 헬스체크 엔드포인트 location /monitor/health { - proxy_pass http://api_backend/monitor/health; + set $api http://kamco-train-api:8080; + proxy_pass $api/monitor/health; access_log off; } } 
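Review bot: `proxy_pass $api/monitor/health;` changes semantics: when proxy_pass contains a variable and a URI, nginx passes that URI to the backend as is in place of the request URI (no location-prefix replacement), so the remaining path and query string under `/monitor/health` no longer reach the backend; the same applies, with more impact, to `proxy_pass $api/api/;` in the last hunk, where `/api/anything` would arrive at the backend as `/api/`. Because both locations keep the same path on the backend, the variable form without a URI reproduces the old behaviour: `proxy_pass $api;` here and `proxy_pass $api;` in `location /api/`. Also, `set $api http://kamco-train-api:8080;` is repeated per location (and `set $web` likewise in the last hunk); `set` is valid in server context, so one `set $api http://kamco-train-api:8080;` directly under `server {` defines the target once and keeps the locations from drifting apart. The server block opens outside this hunk.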
@@ -117,75 +108,59 @@ http { http2 on; server_name train-kamco.com; - # SSL 인증서 설정 (사설 인증서 - 멀티 도메인) ssl_certificate /etc/nginx/ssl/train-kamco.com.crt; ssl_certificate_key /etc/nginx/ssl/train-kamco.com.key; - # SSL 프로토콜 및 암호화 설정 ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; ssl_prefer_server_ciphers off; - # SSL 세션 캐시 ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; - # HSTS (HTTP Strict Transport Security) add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - - # 보안 헤더 add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; - # API 프록시 설정 (Web에서 API 호출 시) location /api/ { - proxy_pass http://api_backend/api/; + set $api http://kamco-train-api:8080; + proxy_pass $api/api/; proxy_http_version 1.1; - # 프록시 헤더 설정 proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $server_name; - - # 인증 헤더 및 쿠키 전달 proxy_pass_request_headers on; proxy_set_header Cookie $http_cookie; - # 타임아웃 설정 (10분) proxy_connect_timeout 600s; proxy_send_timeout 600s; proxy_read_timeout 600s; - # 대용량 업로드: 버퍼링 없이 백엔드로 스트리밍 proxy_request_buffering off; proxy_buffering off; } - # 프록시 설정 location / { - proxy_pass http://web_backend; + set $web http://kamco-train-web:3002; + proxy_pass $web; proxy_http_version 1.1; - # 프록시 헤더 설정 proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $server_name; - - # Next.js WebSocket 지원을 위한 Upgrade 헤더 
proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; - # 타임아웃 설정 (10분) proxy_connect_timeout 600s; proxy_send_timeout 600s; proxy_read_timeout 600s; - # 버퍼 설정 proxy_buffering on; proxy_buffer_size 4k; proxy_buffers 8 4k;