MVPTeam/kamco-train-api
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

hoony

Browse Source
This commit is contained in:
dabeeo
2026-04-20 17:15:27 +09:00
parent f75ec77ccf
commit de2a2e2c35
3 changed files with 31 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
deploy/check-nginx.sh
View File

@@ -126,9 +126,14 @@ section "nginx 설정 문법 검사"
# ────────────────────────────────────────── # ──────────────────────────────────────────
if command -v docker &>/dev/null && docker info &>/dev/null 2>&1; then if command -v docker &>/dev/null && docker info &>/dev/null 2>&1; then
echo " docker run으로 nginx -t 실행 중..." echo " docker run으로 nginx -t 실행 중..."
if docker run --rm \ # kamco-cds 네트워크가 있으면 연결 (upstream DNS 조회 가능)
-v "$NGINX_DIR/nginx.conf:/etc/nginx/nginx.conf:ro" \ NETWORK_OPT=""
-v "$NGINX_DIR/ssl:/etc/nginx/ssl:ro" \ if docker network ls --format '{{.Name}}' | grep -q "^kamco-cds$"; then
NETWORK_OPT="--network kamco-cds"
fi
if docker run --rm $NETWORK_OPT \
-v "$NGINX_DIR/nginx.conf:/etc/nginx/nginx.conf:ro,Z" \
-v "$NGINX_DIR/ssl:/etc/nginx/ssl:ro,Z" \
nginx:alpine nginx -t 2>&1; then nginx:alpine nginx -t 2>&1; then
ok "nginx 설정 문법 OK" ok "nginx 설정 문법 OK"
else else

8
deploy/docker-compose-nginx.yml
View File

@@ -2,14 +2,14 @@ services:
nginx: nginx:
image: nginx:alpine image: nginx:alpine
container_name: kamco-train-nginx container_name: kamco-train-nginx
user: 1000:1000 user: "1000:1000"
ports: ports:
- "80:80" - "80:80"
- "443:443" - "443:443"
volumes: volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro - ./nginx.conf:/etc/nginx/nginx.conf:ro,Z
- ./ssl:/etc/nginx/ssl:ro - ./ssl:/etc/nginx/ssl:ro,Z
- ./logs:/var/log/nginx - ./logs:/var/log/nginx:Z
networks: networks:
- kamco-cds - kamco-cds
restart: unless-stopped restart: unless-stopped

63
deploy/nginx.conf
View File

@@ -1,3 +1,5 @@
pid /var/log/nginx/nginx.pid;
events { events {
worker_connections 1024; worker_connections 1024;
} }
@@ -17,18 +19,19 @@ http {
sendfile on; sendfile on;
keepalive_timeout 65; keepalive_timeout 65;
# user 1000:1000 실행 시 /var/cache/nginx 접근 불가 → logs 경로로 우회
client_body_temp_path /var/log/nginx/client_temp;
proxy_temp_path /var/log/nginx/proxy_temp;
fastcgi_temp_path /var/log/nginx/fastcgi_temp;
uwsgi_temp_path /var/log/nginx/uwsgi_temp;
scgi_temp_path /var/log/nginx/scgi_temp;
# 업로드 파일 크기 / 타임아웃 (10GB, 10분) # 업로드 파일 크기 / 타임아웃 (10GB, 10분)
client_max_body_size 10G; client_max_body_size 10G;
client_body_timeout 600s; client_body_timeout 600s;
# Upstream 설정 # Docker 내부 DNS - 시작 시 upstream 조회 실패 방지
upstream api_backend { resolver 127.0.0.11 valid=30s ipv6=off;
server kamco-train-api:8080;
}
upstream web_backend {
server kamco-train-web:3002;
}
# HTTP → HTTPS 리다이렉트 서버 # HTTP → HTTPS 리다이렉트 서버
server { server {
@@ -45,23 +48,17 @@ http {
http2 on; http2 on;
server_name api.train-kamco.com; server_name api.train-kamco.com;
# SSL 인증서 설정 (사설 인증서 - 멀티 도메인)
ssl_certificate /etc/nginx/ssl/train-kamco.com.crt; ssl_certificate /etc/nginx/ssl/train-kamco.com.crt;
ssl_certificate_key /etc/nginx/ssl/train-kamco.com.key; ssl_certificate_key /etc/nginx/ssl/train-kamco.com.key;
# SSL 프로토콜 및 암호화 설정
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
# SSL 세션 캐시
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m; ssl_session_timeout 10m;
# HSTS (HTTP Strict Transport Security)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# 보안 헤더
add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
@@ -72,41 +69,35 @@ http {
add_header Access-Control-Allow-Headers "Authorization, Content-Type, Cookie, X-Requested-With" always; add_header Access-Control-Allow-Headers "Authorization, Content-Type, Cookie, X-Requested-With" always;
add_header Access-Control-Allow-Credentials "true" always; add_header Access-Control-Allow-Credentials "true" always;
# 프록시 설정
location / { location / {
# OPTIONS preflight 처리
if ($request_method = OPTIONS) { if ($request_method = OPTIONS) {
return 204; return 204;
} }
proxy_pass http://api_backend; set $api http://kamco-train-api:8080;
proxy_pass $api;
proxy_http_version 1.1; proxy_http_version 1.1;
# 프록시 헤더 설정
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $server_name; proxy_set_header X-Forwarded-Host $server_name;
# 인증 헤더 및 쿠키 전달 (JWT 토큰 전달 보장)
proxy_pass_request_headers on; proxy_pass_request_headers on;
proxy_set_header Cookie $http_cookie; proxy_set_header Cookie $http_cookie;
proxy_set_header Authorization $http_authorization; proxy_set_header Authorization $http_authorization;
# 타임아웃 설정 (10분)
proxy_connect_timeout 600s; proxy_connect_timeout 600s;
proxy_send_timeout 600s; proxy_send_timeout 600s;
proxy_read_timeout 600s; proxy_read_timeout 600s;
# 대용량 업로드: 버퍼링 없이 백엔드로 스트리밍
proxy_request_buffering off; proxy_request_buffering off;
proxy_buffering off; proxy_buffering off;
} }
# 헬스체크 엔드포인트
location /monitor/health { location /monitor/health {
proxy_pass http://api_backend/monitor/health; set $api http://kamco-train-api:8080;
proxy_pass $api/monitor/health;
access_log off; access_log off;
} }
} }
@@ -117,75 +108,59 @@ http {
http2 on; http2 on;
server_name train-kamco.com; server_name train-kamco.com;
# SSL 인증서 설정 (사설 인증서 - 멀티 도메인)
ssl_certificate /etc/nginx/ssl/train-kamco.com.crt; ssl_certificate /etc/nginx/ssl/train-kamco.com.crt;
ssl_certificate_key /etc/nginx/ssl/train-kamco.com.key; ssl_certificate_key /etc/nginx/ssl/train-kamco.com.key;
# SSL 프로토콜 및 암호화 설정
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
# SSL 세션 캐시
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m; ssl_session_timeout 10m;
# HSTS (HTTP Strict Transport Security)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# 보안 헤더
add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
# API 프록시 설정 (Web에서 API 호출 시)
location /api/ { location /api/ {
proxy_pass http://api_backend/api/; set $api http://kamco-train-api:8080;
proxy_pass $api/api/;
proxy_http_version 1.1; proxy_http_version 1.1;
# 프록시 헤더 설정
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $server_name; proxy_set_header X-Forwarded-Host $server_name;
# 인증 헤더 및 쿠키 전달
proxy_pass_request_headers on; proxy_pass_request_headers on;
proxy_set_header Cookie $http_cookie; proxy_set_header Cookie $http_cookie;
# 타임아웃 설정 (10분)
proxy_connect_timeout 600s; proxy_connect_timeout 600s;
proxy_send_timeout 600s; proxy_send_timeout 600s;
proxy_read_timeout 600s; proxy_read_timeout 600s;
# 대용량 업로드: 버퍼링 없이 백엔드로 스트리밍
proxy_request_buffering off; proxy_request_buffering off;
proxy_buffering off; proxy_buffering off;
} }
# 프록시 설정
location / { location / {
proxy_pass http://web_backend; set $web http://kamco-train-web:3002;
proxy_pass $web;
proxy_http_version 1.1; proxy_http_version 1.1;
# 프록시 헤더 설정
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $server_name; proxy_set_header X-Forwarded-Host $server_name;
# Next.js WebSocket 지원을 위한 Upgrade 헤더
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
# 타임아웃 설정 (10분)
proxy_connect_timeout 600s; proxy_connect_timeout 600s;
proxy_send_timeout 600s; proxy_send_timeout 600s;
proxy_read_timeout 600s; proxy_read_timeout 600s;
# 버퍼 설정
proxy_buffering on; proxy_buffering on;
proxy_buffer_size 4k; proxy_buffer_size 4k;
proxy_buffers 8 4k; proxy_buffers 8 4k;