# 버퍼 설정 proxy_buffering on; proxy_buffer_size 128k; proxy_buffers 4 256k; proxy_busy_buffers_size 256k; client_body_buffer_size 128k; client_header_buffer_size 1k; large_client_header_buffers 4 8k; # Cloudflare IP 허용 여부 geo $cloudflare_ip { default 0; # IPv4 103.21.244.0/22 1; 103.22.200.0/22 1; 103.31.4.0/22 1; 104.16.0.0/13 1; 104.24.0.0/14 1; 108.162.192.0/18 1; 131.0.72.0/22 1; 141.101.64.0/18 1; 162.158.0.0/15 1; 172.64.0.0/13 1; 173.245.48.0/20 1; 188.114.96.0/20 1; 190.93.240.0/20 1; 197.234.240.0/22 1; 198.41.128.0/17 1; # IPv6 2400:cb00::/32 1; 2606:4700::/32 1; 2803:f800::/32 1; 2405:b500::/32 1; 2405:8100::/32 1; 2a06:98c0::/29 1; 2c0f:f248::/32 1; } map $http_user_agent $blocked_agent { default 0; ~*masscan 1; ~*nikto 1; ~*sqlmap 1; ~*nmap 1; ~*zgrab 1; ~*python-requests 1; ~*go-http-client 1; ~*libwww-perl 1; ~*scrapy 1; ~*dirbuster 1; ~*nuclei 1; ~*WPScan 1; } # Docker internal DNS resolver (allows missing upstreams at startup) resolver 127.0.0.11 valid=30s; # HTTP -> HTTPS redirect server { listen 80; server_name git.gong-dev.com jenkins.gong-dev.com pk.gong-dev.com casino.gong-dev.com admin.gong-dev.com vendor.gong-dev.com api.gong-dev.com vapi.gong-dev.com batch.gong-dev.com; return 301 https://$host$request_uri; } # Gitea HTTPS server { listen 443 ssl; server_name git.gong-dev.com; client_max_body_size 2048m; server_tokens off; ssl_certificate /etc/ssl/acme/fullchain.pem; ssl_certificate_key /etc/ssl/acme/key.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; if ($blocked_agent) { return 403; } if ($http_user_agent = "") { return 403; } add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; location / { proxy_pass http://gitea:3000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_send_timeout 300; } } # Jenkins HTTPS server { listen 443 ssl; server_name jenkins.gong-dev.com; server_tokens off; ssl_certificate /etc/ssl/acme/fullchain.pem; ssl_certificate_key /etc/ssl/acme/key.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; if ($blocked_agent) { return 403; } if ($http_user_agent = "") { return 403; } add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; location / { proxy_pass http://jenkins:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_send_timeout 300; } } # casino.gong-dev.com — pkcasino01 server { listen 443 ssl; server_name casino.gong-dev.com; server_tokens off; ssl_certificate /etc/ssl/acme/fullchain.pem; ssl_certificate_key /etc/ssl/acme/key.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; if ($blocked_agent) { return 403; } if ($http_user_agent = "") { return 403; } add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; location / { set $backend "http://pkcasino01:80"; proxy_pass $backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_read_timeout 60; proxy_connect_timeout 60; } } # admin.gong-dev.com — agent_oms server { listen 443 ssl; server_name admin.gong-dev.com; server_tokens off; ssl_certificate /etc/ssl/acme/fullchain.pem; ssl_certificate_key /etc/ssl/acme/key.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; if ($blocked_agent) { return 403; } if ($http_user_agent = "") { return 403; } add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; location / { set $backend "http://agent-oms:80"; proxy_pass $backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_read_timeout 60; proxy_connect_timeout 60; } } # vendor.gong-dev.com — first_vendor_panel server { listen 443 ssl; server_name vendor.gong-dev.com; server_tokens off; ssl_certificate /etc/ssl/acme/fullchain.pem; ssl_certificate_key /etc/ssl/acme/key.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; if ($blocked_agent) { return 403; } if ($http_user_agent = "") { return 403; } add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; location / { set $backend "http://first-vendor-panel:80"; proxy_pass $backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_read_timeout 60; proxy_connect_timeout 60; } } # api.gong-dev.com — oms_api server { listen 443 ssl; server_name api.gong-dev.com; server_tokens off; client_max_body_size 20m; ssl_certificate /etc/ssl/acme/fullchain.pem; ssl_certificate_key /etc/ssl/acme/key.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; if ($blocked_agent) { return 403; } if ($http_user_agent = "") { return 403; } add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; location / { set $backend "http://oms-api:8080"; proxy_pass $backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_send_timeout 300; } } # vapi.gong-dev.com — first_vendor_api server { listen 443 ssl; server_name vapi.gong-dev.com; server_tokens off; client_max_body_size 20m; ssl_certificate /etc/ssl/acme/fullchain.pem; ssl_certificate_key /etc/ssl/acme/key.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; if ($blocked_agent) { return 403; } if ($http_user_agent = "") { return 403; } add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; location / { set $backend "http://first-vendor-api:8080"; proxy_pass $backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_send_timeout 300; } } # batch.gong-dev.com — first_vendor_batch server { listen 443 ssl; server_name batch.gong-dev.com; server_tokens off; ssl_certificate /etc/ssl/acme/fullchain.pem; ssl_certificate_key /etc/ssl/acme/key.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; if ($blocked_agent) { return 403; } if ($http_user_agent = "") { return 403; } add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; location / { set $backend "http://first-vendor-batch:8080"; proxy_pass $backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_send_timeout 300; } } # pk.gong-dev.com — pkcasino01 server { listen 443 ssl; server_name pk.gong-dev.com; server_tokens off; ssl_certificate /etc/ssl/acme/fullchain.pem; ssl_certificate_key /etc/ssl/acme/key.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; if ($blocked_agent) { return 403; } if ($http_user_agent = "") { return 403; } add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; location / { set $backend "http://pkcasino01:80"; proxy_pass $backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_read_timeout 60; proxy_connect_timeout 60; } }