GB-able · dongkyun0713 · Dec 21, 2025 · Dec 21, 2025
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -26,7 +26,7 @@ http {
     tcp_nodelay on;
     keepalive_timeout 65;
     types_hash_max_size 2048;
-    client_max_body_size 100M;  # For large file uploads (photos/videos)
+    client_max_body_size 100M;
 
     # Gzip compression
     gzip on;
@@ -44,34 +44,66 @@ http {
         keepalive 32;
     }
 
-    # HTTP Server
+    # [1] HTTP Server - Redirect to HTTPS
     server {
         listen 80;
         server_name dev.widyu.shop;
 
-        # Certbot ACME challenge location
+        # Certbot ACME challenge location (인증 갱신용)
         location /.well-known/acme-challenge/ {
             root /var/www/certbot;
         }
 
+        # 모든 HTTP 요청을 HTTPS로 리다이렉트
+        location / {
+            return 301 https://$host$request_uri;
+        }
+    }
+
+    # [2] HTTPS Server
+    server {
+        listen 443 ssl http2;
+        server_name dev.widyu.shop;
+
+        # SSL Certificate paths
+        ssl_certificate /etc/letsencrypt/live/dev.widyu.shop/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/dev.widyu.shop/privkey.pem;
+
+        # SSL configuration
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+        ssl_prefer_server_ciphers off;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 1d;
+        ssl_session_tickets off;
+
+        # OCSP Stapling
+        ssl_stapling on;
+        ssl_stapling_verify on;
+        ssl_trusted_certificate /etc/letsencrypt/live/dev.widyu.shop/chain.pem;
+
+        # Security headers
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
         # API requests
         location /api/ {
             proxy_pass http://spring_backend;
             proxy_http_version 1.1;
 
-            # Headers
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
             proxy_set_header Connection "";
 
-            # Timeouts
             proxy_connect_timeout 60s;
             proxy_send_timeout 60s;
             proxy_read_timeout 60s;
 
-            # Buffer settings
             proxy_buffering on;
             proxy_buffer_size 4k;
             proxy_buffers 8 4k;
@@ -116,12 +148,12 @@ http {
             proxy_set_header Host $host;
         }
 
-        # Nginx status (for monitoring - internal only)
+        # Nginx status (Internal only)
         location /nginx-status {
             stub_status on;
             access_log off;
             allow 127.0.0.1;
-            allow 172.16.0.0/12;  # Docker network
+            allow 172.16.0.0/12;
             deny all;
         }
 
@@ -131,115 +163,4 @@ http {
             root /usr/share/nginx/html;
         }
     }
-
-    # HTTPS Server (SSL 인증서 발급 후 주석 해제)
-    # server {
-    #     listen 443 ssl http2;
-    #     server_name dev.widyu.shop;
-    #
-    #     # SSL Certificate paths (managed by certbot)
-    #     ssl_certificate /etc/letsencrypt/live/dev.widyu.shop/fullchain.pem;
-    #     ssl_certificate_key /etc/letsencrypt/live/dev.widyu.shop/privkey.pem;
-    #
-    #     # SSL configuration
-    #     ssl_protocols TLSv1.2 TLSv1.3;
-    #     ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
-    #     ssl_prefer_server_ciphers off;
-    #     ssl_session_cache shared:SSL:10m;
-    #     ssl_session_timeout 1d;
-    #     ssl_session_tickets off;
-    #
-    #     # OCSP Stapling
-    #     ssl_stapling on;
-    #     ssl_stapling_verify on;
-    #     ssl_trusted_certificate /etc/letsencrypt/live/dev.widyu.shop/chain.pem;
-    #
-    #     # Security headers
-    #     add_header X-Frame-Options "SAMEORIGIN" always;
-    #     add_header X-Content-Type-Options "nosniff" always;
-    #     add_header X-XSS-Protection "1; mode=block" always;
-    #     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-    #     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-    #
-    #     # API requests
-    #     location /api/ {
-    #         proxy_pass http://spring_backend;
-    #         proxy_http_version 1.1;
-    #
-    #         # Headers
-    #         proxy_set_header Host $host;
-    #         proxy_set_header X-Real-IP $remote_addr;
-    #         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    #         proxy_set_header X-Forwarded-Proto $scheme;
-    #         proxy_set_header Connection "";
-    #
-    #         # Timeouts
-    #         proxy_connect_timeout 60s;
-    #         proxy_send_timeout 60s;
-    #         proxy_read_timeout 60s;
-    #
-    #         # Buffer settings
-    #         proxy_buffering on;
-    #         proxy_buffer_size 4k;
-    #         proxy_buffers 8 4k;
-    #         proxy_busy_buffers_size 8k;
-    #     }
-    #
-    #     # Swagger UI
-    #     location /swagger-ui/ {
-    #         proxy_pass http://spring_backend;
-    #         proxy_http_version 1.1;
-    #         proxy_set_header Host $host;
-    #         proxy_set_header X-Real-IP $remote_addr;
-    #         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    #         proxy_set_header X-Forwarded-Proto $scheme;
-    #     }
-    #
-    #     # Swagger API docs
-    #     location /v3/api-docs {
-    #         proxy_pass http://spring_backend;
-    #         proxy_http_version 1.1;
-    #         proxy_set_header Host $host;
-    #         proxy_set_header X-Real-IP $remote_addr;
-    #         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    #         proxy_set_header X-Forwarded-Proto $scheme;
-    #     }
-    #
-    #     # Actuator endpoints (restrict in production)
-    #     location /actuator/ {
-    #         # Allow only from specific IPs in production
-    #         # allow 10.0.0.0/8;
-    #         # deny all;
-    #
-    #         proxy_pass http://spring_backend;
-    #         proxy_http_version 1.1;
-    #         proxy_set_header Host $host;
-    #         proxy_set_header X-Real-IP $remote_addr;
-    #         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    #         proxy_set_header X-Forwarded-Proto $scheme;
-    #     }
-    #
-    #     # Health check endpoint
-    #     location /actuator/health {
-    #         access_log off;
-    #         proxy_pass http://spring_backend;
-    #         proxy_http_version 1.1;
-    #         proxy_set_header Host $host;
-    #     }
-    #
-    #     # Nginx status (for monitoring - internal only)
-    #     location /nginx-status {
-    #         stub_status on;
-    #         access_log off;
-    #         allow 127.0.0.1;
-    #         allow 172.16.0.0/12;  # Docker network
-    #         deny all;
-    #     }
-    #
-    #     # Error pages
-    #     error_page 502 503 504 /50x.html;
-    #     location = /50x.html {
-    #         root /usr/share/nginx/html;
-    #     }
-    # }
-}
+}