[enhance] 보안 및 request body size 등으로 인해 성능 튜닝 및 nginx 유저/그룹 추가

· groupadd -g 10000 nginx
· useradd --system -u 10000 --no-create-home --shell /bin/false -g nginx  nginx
※ 추가한 코드에는 주석으로 기능설명을 달아놓음

.gitea/workflows/deploy.yml

@@ -39,31 +39,39 @@ jobs:
       - name: Backup current nginx config
         run: |
           echo "📋 Creating backup of current nginx configuration..."
+          # nginx system config
+          sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup.$(date +%Y%m%d_%H%M%S)
+          # nginx server config
           sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.backup.$(date +%Y%m%d_%H%M%S)
           echo "✅ Backup created successfully"
           
-      - name: Validate new nginx configuration
+      - name: Validate & apply new nginx configuration
         run: |
           echo "🔍 Validating new nginx configuration syntax..."
           # Backup current config and test with new one
+
+          # nginx system config
+          sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.temp.backup
+          sudo cp nginx.conf /etc/nginx/nginx.conf
+          sudo nginx -t || {
+            echo "❌ New nginx system configuration has syntax errors!"
+            # Restore backup
+            sudo cp /etc/nginx/nginx.conf.temp.backup /etc/nginx/nginx.conf
+            exit 1
+          }
+          echo "✅ New configuration syntax is valid"
+
+          # nginx server config
           sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.temp.backup
           sudo cp server-nginx-default /etc/nginx/sites-available/default
           sudo nginx -t || {
-            echo "❌ New nginx configuration has syntax errors!"
+            echo "❌ New nginx server configuration has syntax errors!"
             # Restore backup
             sudo cp /etc/nginx/sites-available/default.temp.backup /etc/nginx/sites-available/default
             exit 1
           }
-          # Restore backup for now (will apply later)
-          sudo cp /etc/nginx/sites-available/default.temp.backup /etc/nginx/sites-available/default
           echo "✅ New configuration syntax is valid"
           
-      - name: Apply new nginx configuration
-        run: |
-          echo "📋 Applying new nginx configuration..."
-          sudo cp server-nginx-default /etc/nginx/sites-available/default
-          echo "✅ Configuration file updated"
-          
       - name: Test nginx configuration
         run: |
           echo "🔍 Testing nginx configuration with current setup..."

nginx.conf

@@ -0,0 +1,95 @@
+user nginx nginx;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+        worker_connections 1024;
+        # multi_accept on;
+}
+
+http {
+
+        ##
+        # Basic Settings
+        ##
+        sendfile on;
+        tcp_nopush on;
+        types_hash_max_size 2048;
+        # OS의 bit에 따라 배수로 설정
+        server_names_hash_bucket_size 64;
+        # TODO: 성능에 따라 조정필요
+        # ※ client_max_body_size = client_body_buffer_size -> disk에 기록하지 않는다는 가정의 최적의 튜닝
+        client_max_body_size 1000M;
+        client_body_buffer_size 1000M;
+        
+        # security options
+        server_tokens off;
+        fastcgi_hide_header X-Powered-By;
+
+        # enhance
+        # connection timeout(재활용) 0 ~ 최대한 짧게
+        keepalive_timeout 3;
+
+        # server_names_hash_bucket_size 64;
+        # server_name_in_redirect off;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        ##
+        # SSL Settings
+        ##
+
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+        ssl_prefer_server_ciphers on;
+
+        ##
+        # Logging Settings
+        ##
+
+        access_log /var/log/nginx/access.log;
+        error_log /var/log/nginx/error.log;
+
+        ##
+        # Gzip Settings
+        ##
+
+        gzip on;
+
+        # gzip_vary on;
+        # gzip_proxied any;
+        # gzip_comp_level 6;
+        # gzip_buffers 16 8k;
+        # gzip_http_version 1.1;
+        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+        ##
+        # Virtual Host Configs
+        ##
+
+        include /etc/nginx/conf.d/*.conf;
+        include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+#       # See sample authentication script at:
+#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+#       # auth_http localhost/auth.php;
+#       # pop3_capabilities "TOP" "USER";
+#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+#       server {
+#               listen     localhost:110;
+#               protocol   pop3;
+#               proxy      on;
+#       }
+#
+#       server {
+#               listen     localhost:143;
+#               protocol   imap;
+#               proxy      on;
+#       }
+#}

server-nginx-default

@@ -48,11 +48,18 @@ server {
         location / {
                 # First attempt to serve request as file, then
                 # as directory, then fall back to displaying a 404.
+
+                # metric 수집
+                stub_status on;
+
                 try_files $uri $uri/ /index.html;
         }
 
         # API endpoints
         location /api/ {
+            # metric 수집
+            stub_status on;
+
             proxy_pass http://localhost:8000;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
@@ -62,6 +69,9 @@ server {
 
         # Admin dashboard
         location /admin {
+            # metric 수집
+            stub_status on;
+
             proxy_pass http://localhost:8000;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
@@ -71,6 +81,9 @@ server {
 
         # RB10508 API endpoints - 51124 서버로 프록시
         location ^~ /rb10508/ {
+            # metric 수집
+            stub_status on;
+
             proxy_pass http://192.168.219.52:10508/;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
@@ -80,6 +93,9 @@ server {
 
         # RB8001 API endpoints - 51124 서버로 프록시
         location ^~ /rb8001/ {
+            # metric 수집
+            stub_status on;
+
             proxy_pass http://192.168.219.52:8001/;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
@@ -89,6 +105,9 @@ server {
 
         # RB10408 API endpoints (희재님 테스트용) - 51124 서버로 프록시
         location ^~ /rb10408/ {
+            # metric 수집
+            stub_status on;
+
             proxy_pass http://192.168.219.52:10408/;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
@@ -98,6 +117,9 @@ server {
 
         # Robeing Gateway - API Gateway for routing to robeings
         location ^~ /gateway/ {
+            # metric 수집
+            stub_status on;
+
             proxy_pass http://localhost:8100/;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
@@ -107,6 +129,9 @@ server {
 
         # Skill Email API endpoints
         location /skill-email/ {
+            # metric 수집
+            stub_status on;
+
             proxy_pass http://localhost:8501/;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
@@ -115,6 +140,9 @@ server {
         }
 
         location /.well-known/acme-challenge/ {
+            # metric 수집
+            stub_status on;
+
             alias /var/www/html/.well-known/acme-challenge/;
         }
 
@@ -184,11 +212,17 @@ server {
 
         # Main application static files
         location / {
+            # metric 수집
+            stub_status on;
+
             try_files $uri $uri/ /index.html;
         }
 
         # API endpoints
         location /api/ {
+            # metric 수집
+            stub_status on;
+
             proxy_pass http://localhost:8000;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
@@ -198,6 +232,9 @@ server {
 
         # Admin dashboard
         location /admin {
+            # metric 수집
+            stub_status on;
+
             proxy_pass http://localhost:8000;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
@@ -207,6 +244,9 @@ server {
 
         # RB10508 API endpoints - 51124 서버로 프록시
         location ^~ /rb10508/ {
+            # metric 수집
+            stub_status on;
+
             proxy_pass http://192.168.219.52:10508/;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
@@ -216,6 +256,9 @@ server {
 
         # RB8001 API endpoints - 51124 서버로 프록시
         location ^~ /rb8001/ {
+            # metric 수집
+            stub_status on;
+
             proxy_pass http://192.168.219.52:8001/;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
@@ -225,6 +268,9 @@ server {
 
         # RB10408 API endpoints (희재님 테스트용) - 51124 서버로 프록시
         location ^~ /rb10408/ {
+            # metric 수집
+            stub_status on;
+
             proxy_pass http://192.168.219.52:10408/;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
@@ -234,6 +280,9 @@ server {
 
         # Robeing Gateway - API Gateway for routing to robeings
         location ^~ /gateway/ {
+            # metric 수집
+            stub_status on;
+
             proxy_pass http://localhost:8100/;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
@@ -243,6 +292,9 @@ server {
 
         # Skill Email API endpoints
         location /skill-email/ {
+            # metric 수집
+            stub_status on;
+
             proxy_pass http://localhost:8501/;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
@@ -251,6 +303,9 @@ server {
         }
 
         location /.well-known/acme-challenge/ {
+            # metric 수집
+            stub_status on;
+
             alias /var/www/html/.well-known/acme-challenge/;
         }
 
@@ -313,6 +368,9 @@ server {
     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
     location / {
+        # metric 수집
+        stub_status on;
+
         proxy_pass http://localhost:3000/;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
@@ -338,6 +396,9 @@ server {
     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
     location / {
+        # metric 수집
+        stub_status on;
+
         proxy_pass http://localhost:9000/;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
@@ -350,6 +411,9 @@ server {
     }
 
     location /.well-known/acme-challenge/ {
+        # metric 수집
+        stub_status on;
+
         alias /var/www/html/.well-known/acme-challenge/;
     }
 }