From 7102f9b15d592ee3c258d2647841d0878ddf394b Mon Sep 17 00:00:00 2001 From: happybell80 Date: Wed, 9 Jul 2025 18:19:19 +0900 Subject: [PATCH] =?UTF-8?q?feat:=20=EC=84=9C=EB=B2=84=20nginx=20=EC=A7=81?= =?UTF-8?q?=EC=A0=91=20=EC=84=A4=EC=A0=95=20=EB=B0=B0=ED=8F=AC=EB=A1=9C=20?= =?UTF-8?q?=EB=B3=80=EA=B2=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Docker nginx 대신 서버 nginx 설정 직접 적용 - sudo NOPASSWD 특정 명령어만 허용하여 보안 유지 - nginx -t 및 systemctl reload 자동화 - README.md 배포 플로우 업데이트 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- .github/workflows/deploy.yml | 6 +- README.md | 8 +- server-nginx-default | 193 +++++++++++++++++++++++++++++++++++ 3 files changed, 201 insertions(+), 6 deletions(-) create mode 100644 server-nginx-default diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index dcf8a21..7e7e629 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -26,7 +26,7 @@ jobs: ssh -o StrictHostKeyChecking=no -p $PORT $USER@$HOST "rm -rf ~/robeing-nginx/* || true; mkdir -p ~/robeing-nginx" tar --exclude='.git' -czf - . | ssh -o StrictHostKeyChecking=no -p $PORT $USER@$HOST "cd ~/robeing-nginx && tar -xzf -" - - name: Start services via SSH + - name: Apply nginx config via SSH env: HOST: ${{ secrets.NAS_HOST }} PORT: ${{ secrets.NAS_PORT }} @@ -34,6 +34,8 @@ jobs: run: | ssh -o StrictHostKeyChecking=no -p $PORT $USER@$HOST << 'EOF' cd ~/robeing-nginx + sudo cp server-nginx-default /etc/nginx/sites-available/default + sudo nginx -t + sudo systemctl reload nginx docker compose down || true - docker compose up -d EOF \ No newline at end of file diff --git a/README.md b/README.md index 7ba9177..bbb2969 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ nginx-deploy/ 1. **main 브랜치에 push** 2. **GitHub Actions** 자동 실행 3. **파일 전송** (Ubuntu 서버 ~/robeing-nginx) -4. **Docker Compose** 자동 재시작 +4. **nginx 설정 적용** (서버 nginx 자동 reload) ## 서버 설정 
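Review bot: The heredoc in the `Apply nginx config via SSH` step of `.github/workflows/deploy.yml` has no `set -e`, so when `sudo nginx -t` fails the script carries on and the step's exit status comes from the last command, `docker compose down || true`, which always succeeds. By that point `sudo cp` has already overwritten `/etc/nginx/sites-available/default`, so a config that fails validation stays on disk behind a green workflow run and would only surface at the next nginx restart. I would make `set -e` the first line of the heredoc and restore the previous copy of the file when `nginx -t` fails. The sudoers entry is not part of this commit; the NOPASSWD rule for `cp` should match this exact source and destination, since an unrestricted `sudo cp` amounts to root write access. The step itself starts in the preceding hunk.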
@@ -30,9 +30,9 @@ NAS_SSH_KEY_ADMIN: SSH 개인키 ``` ### 서버 요구사항 -- Ubuntu 22.04 LTS -- Docker & Docker Compose 설치 -- admin 사용자 sudo 권한 (NOPASSWD) +- Ubuntu 22.04 LTS +- Nginx 설치 및 SSL 설정 완료 +- admin 사용자 특정 명령어 sudo 권한 (NOPASSWD) - 포트 80, 443 오픈 ## 프록시 라우팅 diff --git a/server-nginx-default b/server-nginx-default new file mode 100644 index 0000000..58f7ef3 --- /dev/null +++ b/server-nginx-default 
@@ -0,0 +1,193 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ # SSL configuration
+ #
+ # listen 443 ssl default_server;
+ # listen [::]:443 ssl default_server;
+ #
+ # Note: You should disable gzip for SSL traffic.
+ # See: https://bugs.debian.org/773332
+ #
+ # Read up on ssl_ciphers to ensure a secure configuration.
+ # See: https://bugs.debian.org/765782
+ #
+ # Self signed certs generated by the ssl-cert package
+ # Don't use them in a production server!
+ #
+ # include snippets/snakeoil.conf;
+
+ root /var/www/html;
+
+ # Add index.php to the list if you are using PHP
+ index index.html index.htm index.nginx-debian.html;
+
+ server_name _;
+
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+ try_files $uri $uri/ =404;
+ }
+
+ location /.well-known/acme-challenge/ {
+ alias /var/www/html/.well-known/acme-challenge/;
+ }
+
+
+ # pass PHP scripts to FastCGI server
+ #
+ #location ~ \.php$ {
+ # include snippets/fastcgi-php.conf;
+ #
+ # # With php-fpm (or other unix sockets):
+ # fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+ # # With php-cgi (or other tcp sockets):
+ # fastcgi_pass 127.0.0.1:9000;
+ #}
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+}
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+# listen 80;
+# listen [::]:80;
+#
+# server_name example.com;
+#
+# root /var/www/example.com;
+# index index.html;
+#
+# location / {
+# try_files $uri $uri/ =404;
+# }
+#}
+
+server {
+
+ # SSL configuration
+ #
+ # listen 443 ssl default_server;
+ # listen [::]:443 ssl default_server;
+ #
+ # Note: You should disable gzip for SSL traffic.
+ # See: https://bugs.debian.org/773332
+ #
+ # Read up on ssl_ciphers to ensure a secure configuration.
+ # See: https://bugs.debian.org/765782
+ #
+ # Self signed certs generated by the ssl-cert package
+ # Don't use them in a production server!
+ #
+ # include snippets/snakeoil.conf;
+
+ root /var/www/html;
+
+ # Add index.php to the list if you are using PHP
+ index index.html index.htm index.nginx-debian.html;
+ server_name ro-being.com; # managed by Certbot
+
+ # Main application proxy
+ location / {
+ proxy_pass http://localhost:5173;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ # API endpoints
+ location /api/ {
+ proxy_pass http://localhost:18000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ # RB8001 API endpoints
+ location /rb8001/ {
+ proxy_pass http://localhost:8001;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location /.well-known/acme-challenge/ {
+ alias /var/www/html/.well-known/acme-challenge/;
+ }
+
+
+ # pass PHP scripts to FastCGI server
+ #
+ #location ~ \.php$ {
+ # include snippets/fastcgi-php.conf;
+ #
+ # # With php-fpm (or other unix sockets):
+ # fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+ # # With php-cgi (or other tcp sockets):
+ # fastcgi_pass 127.0.0.1:9000;
+ #}
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+
+
+ listen [::]:443 ssl ipv6only=on; # managed by Certbot
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/ro-being.com/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/ro-being.com/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+ if ($host =
ro-being.com) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80 ;
+ listen [::]:80 ;
+ server_name ro-being.com;
+ return 404; # managed by Certbot
+
+
+}
\ No newline at end of file
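Review bot: The `ro-being.com` server block is the only one in this file that listens on 443, so nginx treats it as the implicit default there and proxies requests carrying any other `Host` value to the backends on 5173, 18000 and 8001, forwarding that value through `proxy_set_header Host $host;`. If any backend builds redirects or absolute URLs from the Host header, it is working from client-controlled input; I would pin it with `proxy_set_header Host $server_name;` in the three proxy locations, or reject early with `if ($host != ro-being.com) { return 444; }` at the top of the block. Separately, 5173 is the default Vite dev-server port; if that is what listens there, it is worth confirming a production build is being served before it is exposed on 443.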