From d61012fc04054c8dcd59ef6195b561a05690970b Mon Sep 17 00:00:00 2001 From: dongkyunKim Date: Sun, 21 Dec 2025 20:00:26 +0900 Subject: [PATCH] =?UTF-8?q?refactor(#159):=20nginx=20=EC=84=A4=EC=A0=95?= =?UTF-8?q?=ED=8C=8C=EC=9D=BC=20https=20=EC=84=A4=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- nginx/nginx.conf | 161 ++++++++++++----------------------------------- 1 file changed, 41 insertions(+), 120 deletions(-) diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 4b6f417..5f0810c 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -26,7 +26,7 @@ http { tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; - client_max_body_size 100M; # For large file uploads (photos/videos) + client_max_body_size 100M; # Gzip compression gzip on; 
@@ -44,34 +44,66 @@ http { keepalive 32; } - # HTTP Server + # [1] HTTP Server - Redirect to HTTPS server { listen 80; server_name dev.widyu.shop; - # Certbot ACME challenge location + # Certbot ACME challenge location (인증 갱신용) location /.well-known/acme-challenge/ { root /var/www/certbot; } + # 모든 HTTP 요청을 HTTPS로 리다이렉트 + location / { + return 301 https://$host$request_uri; + } + } + + # [2] HTTPS Server + server { + listen 443 ssl http2; + server_name dev.widyu.shop; + + # SSL Certificate paths + ssl_certificate /etc/letsencrypt/live/dev.widyu.shop/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/dev.widyu.shop/privkey.pem; + + # SSL configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; + ssl_prefer_server_ciphers off; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 1d; + ssl_session_tickets off; + + # OCSP Stapling + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/letsencrypt/live/dev.widyu.shop/chain.pem; + + # Security headers + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + # API requests location /api/ { proxy_pass http://spring_backend; proxy_http_version 1.1; - # Headers proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Connection ""; - # Timeouts proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 60s; - # Buffer settings proxy_buffering on; proxy_buffer_size 
4k; proxy_buffers 8 4k; @@ -116,12 +148,12 @@ http { proxy_set_header Host $host; } - # Nginx status (for monitoring - internal only) + # Nginx status (Internal only) location /nginx-status { stub_status on; access_log off; allow 127.0.0.1; - allow 172.16.0.0/12; # Docker network + allow 172.16.0.0/12; deny all; } 
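Review bot: The HTTP→HTTPS redirect in the `[1]` server builds its target from `$host`, which comes from the client's Host header; if this server is also nginx's default for port 80, a request carrying an arbitrary Host gets a 301 to that arbitrary host, so pinning the target is safer: `return 301 https://$server_name$request_uri;`. `ssl_stapling on; ssl_stapling_verify on;` only take effect when a `resolver` directive is configured for the OCSP responder lookup — the `http` block is outside this hunk, so confirm one exists — and since Let's Encrypt announced the end of its OCSP service during 2025, these directives presumably do nothing for a current certificate; check with `openssl s_client -status` and drop them if no staple is served. `X-XSS-Protection "1; mode=block"` re-enables a browser filter that modern browsers have removed and that has itself been a source of information-leak bugs; current guidance is `add_header X-XSS-Protection "0" always;` or omitting the header. Note also that nginx `add_header` directives are not inherited by any `location` that declares its own `add_header`, so the security headers would need repeating there if such a location is added later.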
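Review bot: Dropping the `# Docker network` comment leaves `allow 172.16.0.0/12;` in `/nginx-status` with no stated rationale, and a /12 is a very wide grant for an endpoint that is otherwise `deny all`; restore the intent on the line, e.g. `allow 172.16.0.0/12;  # Docker bridge networks — narrow to the compose subnet if it is fixed`. If nginx runs in a container that is reached through Docker's userland proxy, external clients can arrive with the bridge gateway address as `$remote_addr` and would then match this allow, so verify in the access log what `$remote_addr` external requests actually carry before relying on the rule. The enclosing `server` block starts and ends outside this hunk.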
@@ -131,115 +163,4 @@ http { root /usr/share/nginx/html; } } - - # HTTPS Server (SSL 인증서 발급 후 주석 해제) - # server { - # listen 443 ssl http2; - # server_name dev.widyu.shop; - # - # # SSL Certificate paths (managed by certbot) - # ssl_certificate /etc/letsencrypt/live/dev.widyu.shop/fullchain.pem; - # ssl_certificate_key /etc/letsencrypt/live/dev.widyu.shop/privkey.pem; - # - # # SSL configuration - # ssl_protocols TLSv1.2 TLSv1.3; - # ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; - # ssl_prefer_server_ciphers off; - # ssl_session_cache shared:SSL:10m; - # ssl_session_timeout 1d; - # ssl_session_tickets off; - # - # # OCSP Stapling - # ssl_stapling on; - # ssl_stapling_verify on; - # ssl_trusted_certificate /etc/letsencrypt/live/dev.widyu.shop/chain.pem; - # - # # Security headers - # add_header X-Frame-Options "SAMEORIGIN" always; - # add_header X-Content-Type-Options "nosniff" always; - # add_header X-XSS-Protection "1; mode=block" always; - # add_header Referrer-Policy "strict-origin-when-cross-origin" always; - # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - # - # # API requests - # location /api/ { - # proxy_pass http://spring_backend; - # proxy_http_version 1.1; - # - # # Headers - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # proxy_set_header X-Forwarded-Proto $scheme; - # proxy_set_header Connection ""; - # - # # Timeouts - # proxy_connect_timeout 60s; - # proxy_send_timeout 60s; - # proxy_read_timeout 60s; - # - # # Buffer settings - # proxy_buffering on; - # proxy_buffer_size 4k; - # proxy_buffers 8 4k; - # proxy_busy_buffers_size 8k; - # } - # - # # Swagger UI - # location /swagger-ui/ { - # proxy_pass http://spring_backend; - # 
proxy_http_version 1.1; - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # proxy_set_header X-Forwarded-Proto $scheme; - # } - # - # # Swagger API docs - # location /v3/api-docs { - # proxy_pass http://spring_backend; - # proxy_http_version 1.1; - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # proxy_set_header X-Forwarded-Proto $scheme; - # } - # - # # Actuator endpoints (restrict in production) - # location /actuator/ { - # # Allow only from specific IPs in production - # # allow 10.0.0.0/8; - # # deny all; - # - # proxy_pass http://spring_backend; - # proxy_http_version 1.1; - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # proxy_set_header X-Forwarded-Proto $scheme; - # } - # - # # Health check endpoint - # location /actuator/health { - # access_log off; - # proxy_pass http://spring_backend; - # proxy_http_version 1.1; - # proxy_set_header Host $host; - # } - # - # # Nginx status (for monitoring - internal only) - # location /nginx-status { - # stub_status on; - # access_log off; - # allow 127.0.0.1; - # allow 172.16.0.0/12; # Docker network - # deny all; - # } - # - # # Error pages - # error_page 502 503 504 /50x.html; - # location = /50x.html { - # root /usr/share/nginx/html; - # } - # } -} +} \ No newline at end of file