ivada-infra/nginx-infra
2
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

[enhance] 보안 및 request body size 등으로 인해 성능 튜닝 및 nginx 유저/그룹 추가
All checks were successful
Deploy Nginx Config to Ubuntu Server / deploy (push) Successful in 1s
Details

Browse Source 
· groupadd -g 10000 nginx
· useradd --system -u 10000 --no-create-home --shell /bin/false -g nginx  nginx
※ 추가한 코드에는 주석으로 기능설명을 달아놓음
This commit is contained in:
hwansae91 2025-08-31 15:08:35 +09:00
parent 97203cd7e1
commit b9f7370441
3 changed files with 177 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
.gitea/workflows/deploy.yml
View File

@ -39,31 +39,39 @@ jobs:
- name: Backup current nginx config
run: |
echo "📋 Creating backup of current nginx configuration..."
# nginx system config
sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup.$(date +%Y%m%d_%H%M%S)
# nginx server config
sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.backup.$(date +%Y%m%d_%H%M%S)
echo "✅ Backup created successfully"
- name: Validate new nginx configuration
- name: Validate & apply new nginx configuration
run: |
echo "🔍 Validating new nginx configuration syntax..."
# Backup current config and test with new one
# nginx system config
sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.temp.backup
sudo cp nginx.conf /etc/nginx/nginx.conf
sudo nginx -t || {
echo "❌ New nginx system configuration has syntax errors!"
# Restore backup
sudo cp /etc/nginx/nginx.conf.temp.backup /etc/nginx/nginx.conf
exit 1
}
echo "✅ New configuration syntax is valid"
# nginx server config
sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.temp.backup
sudo cp server-nginx-default /etc/nginx/sites-available/default
sudo nginx -t || {
echo "❌ New nginx configuration has syntax errors!"
echo "❌ New nginx server configuration has syntax errors!"
# Restore backup
sudo cp /etc/nginx/sites-available/default.temp.backup /etc/nginx/sites-available/default
exit 1
}
# Restore backup for now (will apply later)
sudo cp /etc/nginx/sites-available/default.temp.backup /etc/nginx/sites-available/default
echo "✅ New configuration syntax is valid"
- name: Apply new nginx configuration
run: |
echo "📋 Applying new nginx configuration..."
sudo cp server-nginx-default /etc/nginx/sites-available/default
echo "✅ Configuration file updated"
- name: Test nginx configuration
run: |
echo "🔍 Testing nginx configuration with current setup..."

95
nginx.conf Normal file
View File

@ -0,0 +1,95 @@
user nginx nginx;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 1024;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# OS의 bit에 따라 배수로 설정
server_names_hash_bucket_size 64;
# TODO: 성능에 따라 조정필요
# client_max_body_size = client_body_buffer_size -> disk에 기록하지 않는다는 가정의 최적의 튜닝
client_max_body_size 1000M;
client_body_buffer_size 1000M;
# security options
server_tokens off;
fastcgi_hide_header X-Powered-By;
# enhance
# connection timeout(재활용) 0 ~ 최대한 짧게
keepalive_timeout 3;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}

64
server-nginx-default
View File

@ -48,11 +48,18 @@ server {
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# metric 수집
stub_status on;
try_files $uri $uri/ /index.html;
}
# API endpoints
location /api/ {
# metric 수집
stub_status on;
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@ -62,6 +69,9 @@ server {
# Admin dashboard
location /admin {
# metric 수집
stub_status on;
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@ -71,6 +81,9 @@ server {
# RB10508 API endpoints - 51124 서버로 프록시
location ^~ /rb10508/ {
# metric 수집
stub_status on;
proxy_pass http://192.168.219.52:10508/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@ -80,6 +93,9 @@ server {
# RB8001 API endpoints - 51124 서버로 프록시
location ^~ /rb8001/ {
# metric 수집
stub_status on;
proxy_pass http://192.168.219.52:8001/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@ -89,6 +105,9 @@ server {
# RB10408 API endpoints (희재님 테스트용) - 51124 서버로 프록시
location ^~ /rb10408/ {
# metric 수집
stub_status on;
proxy_pass http://192.168.219.52:10408/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@ -98,6 +117,9 @@ server {
# Robeing Gateway - API Gateway for routing to robeings
location ^~ /gateway/ {
# metric 수집
stub_status on;
proxy_pass http://localhost:8100/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@ -107,6 +129,9 @@ server {
# Skill Email API endpoints
location /skill-email/ {
# metric 수집
stub_status on;
proxy_pass http://localhost:8501/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@ -115,6 +140,9 @@ server {
}
location /.well-known/acme-challenge/ {
# metric 수집
stub_status on;
alias /var/www/html/.well-known/acme-challenge/;
}
@ -184,11 +212,17 @@ server {
# Main application static files
location / {
# metric 수집
stub_status on;
try_files $uri $uri/ /index.html;
}
# API endpoints
location /api/ {
# metric 수집
stub_status on;
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@ -198,6 +232,9 @@ server {
# Admin dashboard
location /admin {
# metric 수집
stub_status on;
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@ -207,6 +244,9 @@ server {
# RB10508 API endpoints - 51124 서버로 프록시
location ^~ /rb10508/ {
# metric 수집
stub_status on;
proxy_pass http://192.168.219.52:10508/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@ -216,6 +256,9 @@ server {
# RB8001 API endpoints - 51124 서버로 프록시
location ^~ /rb8001/ {
# metric 수집
stub_status on;
proxy_pass http://192.168.219.52:8001/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@ -225,6 +268,9 @@ server {
# RB10408 API endpoints (희재님 테스트용) - 51124 서버로 프록시
location ^~ /rb10408/ {
# metric 수집
stub_status on;
proxy_pass http://192.168.219.52:10408/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@ -234,6 +280,9 @@ server {
# Robeing Gateway - API Gateway for routing to robeings
location ^~ /gateway/ {
# metric 수집
stub_status on;
proxy_pass http://localhost:8100/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@ -243,6 +292,9 @@ server {
# Skill Email API endpoints
location /skill-email/ {
# metric 수집
stub_status on;
proxy_pass http://localhost:8501/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@ -251,6 +303,9 @@ server {
}
location /.well-known/acme-challenge/ {
# metric 수집
stub_status on;
alias /var/www/html/.well-known/acme-challenge/;
}
@ -313,6 +368,9 @@ server {
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
# metric 수집
stub_status on;
proxy_pass http://localhost:3000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@ -338,6 +396,9 @@ server {
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
# metric 수집
stub_status on;
proxy_pass http://localhost:9000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@ -350,6 +411,9 @@ server {
}
location /.well-known/acme-challenge/ {
# metric 수집
stub_status on;
alias /var/www/html/.well-known/acme-challenge/;
}
}