init: add server infra config files with log volume mounts

nginx/default.conf

@@ -0,0 +1,368 @@
+# 버퍼 설정
+proxy_buffering on;
+proxy_buffer_size 128k;
+proxy_buffers 4 256k;
+proxy_busy_buffers_size 256k;
+client_body_buffer_size 128k;
+client_header_buffer_size 1k;
+large_client_header_buffers 4 8k;
+
+# Cloudflare IP 허용 여부
+geo $cloudflare_ip {
+    default 0;
+    # IPv4
+    103.21.244.0/22 1;
+    103.22.200.0/22 1;
+    103.31.4.0/22 1;
+    104.16.0.0/13 1;
+    104.24.0.0/14 1;
+    108.162.192.0/18 1;
+    131.0.72.0/22 1;
+    141.101.64.0/18 1;
+    162.158.0.0/15 1;
+    172.64.0.0/13 1;
+    173.245.48.0/20 1;
+    188.114.96.0/20 1;
+    190.93.240.0/20 1;
+    197.234.240.0/22 1;
+    198.41.128.0/17 1;
+    # IPv6
+    2400:cb00::/32 1;
+    2606:4700::/32 1;
+    2803:f800::/32 1;
+    2405:b500::/32 1;
+    2405:8100::/32 1;
+    2a06:98c0::/29 1;
+    2c0f:f248::/32 1;
+}
+
+map $http_user_agent $blocked_agent {
+    default           0;
+    ~*masscan         1;
+    ~*nikto           1;
+    ~*sqlmap          1;
+    ~*nmap            1;
+    ~*zgrab           1;
+    ~*python-requests 1;
+    ~*go-http-client  1;
+    ~*libwww-perl     1;
+    ~*scrapy          1;
+    ~*dirbuster       1;
+    ~*nuclei          1;
+    ~*WPScan          1;
+}
+
+# Docker internal DNS resolver (allows missing upstreams at startup)
+resolver 127.0.0.11 valid=30s;
+
+# HTTP -> HTTPS redirect
+server {
+    listen 80;
+    server_name git.gong-dev.com jenkins.gong-dev.com pk.gong-dev.com
+                casino.gong-dev.com admin.gong-dev.com vendor.gong-dev.com
+                api.gong-dev.com vapi.gong-dev.com batch.gong-dev.com;
+    return 301 https://$host$request_uri;
+}
+
+# Gitea HTTPS
+server {
+    listen 443 ssl;
+    server_name git.gong-dev.com;
+    client_max_body_size 2048m;
+    server_tokens off;
+
+    ssl_certificate /etc/ssl/acme/fullchain.pem;
+    ssl_certificate_key /etc/ssl/acme/key.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    if ($blocked_agent) { return 403; }
+    if ($http_user_agent = "") { return 403; }
+
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    location / {
+        proxy_pass http://gitea:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_read_timeout 300;
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+    }
+}
+
+# Jenkins HTTPS
+server {
+    listen 443 ssl;
+    server_name jenkins.gong-dev.com;
+    server_tokens off;
+
+    ssl_certificate /etc/ssl/acme/fullchain.pem;
+    ssl_certificate_key /etc/ssl/acme/key.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    if ($blocked_agent) { return 403; }
+    if ($http_user_agent = "") { return 403; }
+
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    location / {
+        proxy_pass http://jenkins:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_read_timeout 300;
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+    }
+}
+
+# casino.gong-dev.com — pkcasino01
+server {
+    listen 443 ssl;
+    server_name casino.gong-dev.com;
+    server_tokens off;
+
+    ssl_certificate /etc/ssl/acme/fullchain.pem;
+    ssl_certificate_key /etc/ssl/acme/key.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    if ($blocked_agent) { return 403; }
+    if ($http_user_agent = "") { return 403; }
+
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    location / {
+        set $backend "http://pkcasino01:80";
+        proxy_pass $backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_read_timeout 60;
+        proxy_connect_timeout 60;
+    }
+}
+
+# admin.gong-dev.com — agent_oms
+server {
+    listen 443 ssl;
+    server_name admin.gong-dev.com;
+    server_tokens off;
+
+    ssl_certificate /etc/ssl/acme/fullchain.pem;
+    ssl_certificate_key /etc/ssl/acme/key.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    if ($blocked_agent) { return 403; }
+    if ($http_user_agent = "") { return 403; }
+
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    location / {
+        set $backend "http://agent-oms:80";
+        proxy_pass $backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_read_timeout 60;
+        proxy_connect_timeout 60;
+    }
+}
+
+# vendor.gong-dev.com — first_vendor_panel
+server {
+    listen 443 ssl;
+    server_name vendor.gong-dev.com;
+    server_tokens off;
+
+    ssl_certificate /etc/ssl/acme/fullchain.pem;
+    ssl_certificate_key /etc/ssl/acme/key.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    if ($blocked_agent) { return 403; }
+    if ($http_user_agent = "") { return 403; }
+
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    location / {
+        set $backend "http://first-vendor-panel:80";
+        proxy_pass $backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_read_timeout 60;
+        proxy_connect_timeout 60;
+    }
+}
+
+# api.gong-dev.com — oms_api
+server {
+    listen 443 ssl;
+    server_name api.gong-dev.com;
+    server_tokens off;
+    client_max_body_size 20m;
+
+    ssl_certificate /etc/ssl/acme/fullchain.pem;
+    ssl_certificate_key /etc/ssl/acme/key.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    if ($blocked_agent) { return 403; }
+    if ($http_user_agent = "") { return 403; }
+
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    location / {
+        set $backend "http://oms-api:8080";
+        proxy_pass $backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_read_timeout 300;
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+    }
+}
+
+# vapi.gong-dev.com — first_vendor_api
+server {
+    listen 443 ssl;
+    server_name vapi.gong-dev.com;
+    server_tokens off;
+    client_max_body_size 20m;
+
+    ssl_certificate /etc/ssl/acme/fullchain.pem;
+    ssl_certificate_key /etc/ssl/acme/key.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    if ($blocked_agent) { return 403; }
+    if ($http_user_agent = "") { return 403; }
+
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    location / {
+        set $backend "http://first-vendor-api:8080";
+        proxy_pass $backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_read_timeout 300;
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+    }
+}
+
+# batch.gong-dev.com — first_vendor_batch
+server {
+    listen 443 ssl;
+    server_name batch.gong-dev.com;
+    server_tokens off;
+
+    ssl_certificate /etc/ssl/acme/fullchain.pem;
+    ssl_certificate_key /etc/ssl/acme/key.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    if ($blocked_agent) { return 403; }
+    if ($http_user_agent = "") { return 403; }
+
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    location / {
+        set $backend "http://first-vendor-batch:8080";
+        proxy_pass $backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_read_timeout 300;
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+    }
+}
+
+# pk.gong-dev.com — pkcasino01
+server {
+    listen 443 ssl;
+    server_name pk.gong-dev.com;
+    server_tokens off;
+
+    ssl_certificate /etc/ssl/acme/fullchain.pem;
+    ssl_certificate_key /etc/ssl/acme/key.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    if ($blocked_agent) { return 403; }
+    if ($http_user_agent = "") { return 403; }
+
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    location / {
+        set $backend "http://pkcasino01:80";
+        proxy_pass $backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_read_timeout 60;
+        proxy_connect_timeout 60;
+    }
+}