gong01/dockerSet
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9d0631338c405b60eff7b8b6bb9db86708d4f4f3
dockerSet/nginx/default.conf
devwill1004-dotcom 9d0631338c init: add server infra config files with log volume mounts
2026-03-07 05:06:47 +08:00

369 lines
11 KiB
Plaintext
Raw Blame History

# 버퍼 설정
proxy_buffering on;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
client_body_buffer_size 128k;
client_header_buffer_size 1k;
large_client_header_buffers 4 8k;
# Cloudflare IP 허용 여부
geo $cloudflare_ip {
default 0;
# IPv4
103.21.244.0/22 1;
103.22.200.0/22 1;
103.31.4.0/22 1;
104.16.0.0/13 1;
104.24.0.0/14 1;
108.162.192.0/18 1;
131.0.72.0/22 1;
141.101.64.0/18 1;
162.158.0.0/15 1;
172.64.0.0/13 1;
173.245.48.0/20 1;
188.114.96.0/20 1;
190.93.240.0/20 1;
197.234.240.0/22 1;
198.41.128.0/17 1;
# IPv6
2400:cb00::/32 1;
2606:4700::/32 1;
2803:f800::/32 1;
2405:b500::/32 1;
2405:8100::/32 1;
2a06:98c0::/29 1;
2c0f:f248::/32 1;
}
map $http_user_agent $blocked_agent {
default 0;
~*masscan 1;
~*nikto 1;
~*sqlmap 1;
~*nmap 1;
~*zgrab 1;
~*python-requests 1;
~*go-http-client 1;
~*libwww-perl 1;
~*scrapy 1;
~*dirbuster 1;
~*nuclei 1;
~*WPScan 1;
}
# Docker internal DNS resolver (allows missing upstreams at startup)
resolver 127.0.0.11 valid=30s;
# HTTP -> HTTPS redirect
server {
listen 80;
server_name git.gong-dev.com jenkins.gong-dev.com pk.gong-dev.com
casino.gong-dev.com admin.gong-dev.com vendor.gong-dev.com
api.gong-dev.com vapi.gong-dev.com batch.gong-dev.com;
return 301 https://$host$request_uri;
}
# Gitea HTTPS
server {
listen 443 ssl;
server_name git.gong-dev.com;
client_max_body_size 2048m;
server_tokens off;
ssl_certificate /etc/ssl/acme/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
if ($blocked_agent) { return 403; }
if ($http_user_agent = "") { return 403; }
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / {
proxy_pass http://gitea:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
}
}
# Jenkins HTTPS
server {
listen 443 ssl;
server_name jenkins.gong-dev.com;
server_tokens off;
ssl_certificate /etc/ssl/acme/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
if ($blocked_agent) { return 403; }
if ($http_user_agent = "") { return 403; }
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / {
proxy_pass http://jenkins:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
}
}
# casino.gong-dev.com — pkcasino01
server {
listen 443 ssl;
server_name casino.gong-dev.com;
server_tokens off;
ssl_certificate /etc/ssl/acme/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
if ($blocked_agent) { return 403; }
if ($http_user_agent = "") { return 403; }
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / {
set $backend "http://pkcasino01:80";
proxy_pass $backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 60;
proxy_connect_timeout 60;
}
}
# admin.gong-dev.com — agent_oms
server {
listen 443 ssl;
server_name admin.gong-dev.com;
server_tokens off;
ssl_certificate /etc/ssl/acme/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
if ($blocked_agent) { return 403; }
if ($http_user_agent = "") { return 403; }
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / {
set $backend "http://agent-oms:80";
proxy_pass $backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 60;
proxy_connect_timeout 60;
}
}
# vendor.gong-dev.com — first_vendor_panel
server {
listen 443 ssl;
server_name vendor.gong-dev.com;
server_tokens off;
ssl_certificate /etc/ssl/acme/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
if ($blocked_agent) { return 403; }
if ($http_user_agent = "") { return 403; }
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / {
set $backend "http://first-vendor-panel:80";
proxy_pass $backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 60;
proxy_connect_timeout 60;
}
}
# api.gong-dev.com — oms_api
server {
listen 443 ssl;
server_name api.gong-dev.com;
server_tokens off;
client_max_body_size 20m;
ssl_certificate /etc/ssl/acme/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
if ($blocked_agent) { return 403; }
if ($http_user_agent = "") { return 403; }
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / {
set $backend "http://oms-api:8080";
proxy_pass $backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
}
}
# vapi.gong-dev.com — first_vendor_api
server {
listen 443 ssl;
server_name vapi.gong-dev.com;
server_tokens off;
client_max_body_size 20m;
ssl_certificate /etc/ssl/acme/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
if ($blocked_agent) { return 403; }
if ($http_user_agent = "") { return 403; }
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / {
set $backend "http://first-vendor-api:8080";
proxy_pass $backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
}
}
# batch.gong-dev.com — first_vendor_batch
server {
listen 443 ssl;
server_name batch.gong-dev.com;
server_tokens off;
ssl_certificate /etc/ssl/acme/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
if ($blocked_agent) { return 403; }
if ($http_user_agent = "") { return 403; }
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / {
set $backend "http://first-vendor-batch:8080";
proxy_pass $backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
}
}
# pk.gong-dev.com — pkcasino01
server {
listen 443 ssl;
server_name pk.gong-dev.com;
server_tokens off;
ssl_certificate /etc/ssl/acme/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
if ($blocked_agent) { return 403; }
if ($http_user_agent = "") { return 403; }
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / {
set $backend "http://pkcasino01:80";
proxy_pass $backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 60;
proxy_connect_timeout 60;
}
}
Reference in New Issue View Git Blame Copy Permalink