build : hashicorpvault 비활성화 / nginx modsecurity 비활성화 / Makefile 추가 / …

…mkcert 인증서 발급 및 iMAC 환경에서 trust 하도록 설정 / daphne는 해결 못함
LWJ0513 · Feb 13, 2024 · 522edfb · 522edfb
1 parent 4e4f57e
commit 522edfb
Show file tree

Hide file tree

Showing 8 changed files with 94 additions and 59 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -8,6 +8,8 @@ RUN mkdir -p backend && \
 COPY backend/requirements.txt ./backend/
 RUN pip install -r backend/requirements.txt
 
+ENV DJANGO_SETTINGS_MODULE=src.settings
+
 COPY backend ./backend
 WORKDIR /backend
 

diff --git a/Makefile b/Makefile
@@ -0,0 +1,23 @@
+DOCKER_COMPOSE = docker-compose
+
+
+all : up
+
+up :
+	$(DOCKER_COMPOSE) up --build
+
+clean :
+	$(DOCKER_COMPOSE) down -v
+
+re : clean all
+
+fclean: clean
+	docker system prune
+
+show: 
+	docker ps -a | tail -n +1; echo
+	docker images | tail -n +1; echo
+	docker network ls | tail -n +1; echo
+	docker volume ls | tail -n +1; echo
+
+.PHONY: all up clean show fclean
diff --git a/backend/requirements.txt b/backend/requirements.txt
@@ -15,7 +15,6 @@ django-environ==0.11.2
 djangorestframework==3.14.0
 djangorestframework-simplejwt==5.3.1
 drf-yasg==1.21.7
-gunicorn==21.2.0
 hvac==2.1.0
 idna==3.6
 inflection==0.5.1

diff --git a/backend/src/settings.py b/backend/src/settings.py
@@ -128,7 +128,6 @@ def wait_for_vault_client(client, retries=5, delay=5):
 CORS_ALLOW_ALL_ORIGINS = True
 
 INSTALLED_APPS = [
-    "daphne",
     'channels',
     'users.apps.UsersConfig',
     'games.apps.GamesConfig',
@@ -143,11 +142,11 @@ def wait_for_vault_client(client, retries=5, delay=5):
     'drf_yasg',
     'rest_framework_simplejwt',
 
-    "django.contrib.sites",
-    "allauth",
-    "allauth.account",
-    "allauth.socialaccount",
-    "allauth.socialaccount.providers.google",
+    'django.contrib.sites',
+    'allauth',
+    'allauth.account',
+    'allauth.socialaccount',
+    'allauth.socialaccount.providers.google',
 
     'corsheaders',
 ]
@@ -186,6 +185,13 @@ def wait_for_vault_client(client, retries=5, delay=5):
     },
 ]
 
+
+ASGI_APPLICATION = "src.asgi.application"
+CHANNEL_LAYERS = {
+    'default': {
+        'BACKEND': 'channels.layers.InMemoryChannelLayer'
+    }
+}
 WSGI_APPLICATION = 'src.wsgi.application'
 
 if DEBUG:
@@ -278,11 +284,3 @@ def wait_for_vault_client(client, retries=5, delay=5):
 
 # Cookie settings
 SESSION_COOKIE_HTTPONLY = True
-
-# Socket
-ASGI_APPLICATION = "src.asgi.application"
-CHANNEL_LAYERS = {
-    'default': {
-        'BACKEND': 'channels.layers.InMemoryChannelLayer'
-    }
-}
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -8,12 +8,9 @@ services:
   #   ports:
   #     - 8200:8200
   #   volumes:
-  #     # - "/Users/sejokim/desktop/volumes/vault/file:/vault/file"
-  #     # - "/Users/sejokim/desktop/volumes/vault/logs:/vault/logs"
-  #     # - "/Users/sejokim/desktop/volumes/vault/config:/vault/config"
-  #     # - "./volumes/vault/config:/vault/config"
-  #     # - "./volumes/vault/logs:/vault/logs"
-  #     # - "./volumes/vault/file:/vault/file"
+  #     - "/Users/sejokim/desktop/volumes/vault/file:/vault/file"
+  #     - "/Users/sejokim/desktop/volumes/vault/logs:/vault/logs"
+  #     - "/Users/sejokim/desktop/volumes/vault/config:/vault/config"
   #   environment:
   #     VAULT_ADDR: "http://hashicorp_vault:8200"
   #   cap_add:
@@ -29,7 +26,7 @@ services:
     networks:
       - app_network
     volumes:
-      - "./backend/static:/backend/static"
+      - static-volume:/backend/static
     environment:
     # DB
       DB_HOST: ${DB_HOST}
@@ -56,6 +53,7 @@ services:
       INTRA42_CLIENT_SECRET: ${INTRA42_CLIENT_SECRET}
       INTRA42_REDIRECT_URI: ${INTRA42_REDIRECT_URI}
       INTRA42_USERINFO_API: ${INTRA42_USERINFO_API}
+      DJANGO_SETTING_MODULE: "src.settings"
 
     # depends_on:
       # - hashicorp_vault
@@ -65,9 +63,8 @@ services:
     container_name: nginx_container
     volumes:
       - "./frontend:/usr/share/nginx/html"
-      - "./volumes/nginx/static:/usr/share/nginx/html/static"
+      - static-volume:/usr/share/nginx/html/static
       # - "/Users/sejokim/desktop/volumes/nginx/logs:/var/log/nginx"
-      # - "/Users/sejokim/desktop/volumes/nginx/lib:/usr/local/modsecurity/lib"
     logging:
       options:
         max-size: "10m"
@@ -133,6 +130,9 @@ services:
   #   networks:
   #     - app_network
 
+volumes:
+  static-volume:
+
 networks:
   app_network:
     driver: bridge
diff --git a/init.sh b/init.sh
@@ -1,7 +1,9 @@
 #!/bin/sh
 
-#python manage.py collectstatic --noinput
+python manage.py collectstatic --noinput
 
 #exec gunicorn --bind 0.0.0.0:8000 src.wsgi:application
 
+# exec daphne -p 8000 src.asgi:application
+
 exec python3 manage.py runserver 0.0.0.0:8000
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
@@ -4,46 +4,48 @@ FROM nginx:1.21.6-alpine
 RUN apk add --no-cache git build-base libtool automake autoconf zlib-dev pcre-dev openssl-dev linux-headers openssl
 
 # # ModSecurity 다운로드 및 컴파일
-RUN git clone --depth 1 https://github.com/SpiderLabs/ModSecurity.git /usr/local/src/modsecurity \
-    && cd /usr/local/src/modsecurity \
-    && git submodule init \
-    && git submodule update \
-    && ./build.sh \
-    && ./configure \
-    && make \
-    && make install
+# RUN git clone --depth 1 https://github.com/SpiderLabs/ModSecurity.git /usr/local/src/modsecurity \
+#     && cd /usr/local/src/modsecurity \
+#     && git submodule init \
+#     && git submodule update \
+#     && ./build.sh \
+#     && ./configure \
+#     && make \
+#     && make install
 
 # ModSecurity-nginx 커넥터 다운로드
-RUN git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git /usr/local/src/modsecurity-nginx
+# RUN git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git /usr/local/src/modsecurity-nginx
 
 # Nginx 컴파일을 위한 준비 및 ModSecurity 모듈 빌드
-ARG NGINX_VERSION=1.21.6
-RUN wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz \
-    && tar zxvf nginx-${NGINX_VERSION}.tar.gz \
-    && cd nginx-${NGINX_VERSION} \
-    && ./configure --with-compat --add-dynamic-module=/usr/local/src/modsecurity-nginx \
-    && make modules \
-    && cp objs/ngx_http_modsecurity_module.so /usr/lib/nginx/modules
-
-# SSL 인증서 생성
-RUN mkdir -p /etc/nginx/certs && \
-    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-    -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost" \
-    -keyout /etc/nginx/certs/server.key -out /etc/nginx/certs/server.crt \
-    && chown -R nginx:nginx /etc/nginx/certs/server.* && \
-    chmod -R 600 /etc/nginx/certs/server.*
+# ARG NGINX_VERSION=1.21.6
+# RUN wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz \
+    # && tar zxvf nginx-${NGINX_VERSION}.tar.gz \
+    # && cd nginx-${NGINX_VERSION} \
+    # && ./configure --with-compat --add-dynamic-module=/usr/local/src/modsecurity-nginx \
+    # && make modules \
+    # && cp objs/ngx_http_modsecurity_module.so /usr/lib/nginx/modules
+
+
 
 # ModSecurity 설정 디렉토리 생성 및 파일 복사
-RUN mkdir -p /etc/nginx/modsecurity
-COPY ./config/modsecurity.conf /etc/nginx/modsecurity/
-COPY ./config/owasp-crs /etc/nginx/modsecurity/owasp-crs
+# RUN mkdir -p /etc/nginx/modsecurity
+# COPY ./config/modsecurity.conf /etc/nginx/modsecurity/
+# COPY ./config/owasp-crs /etc/nginx/modsecurity/owasp-crs
+
+RUN apk add --no-cache nss-tools
+RUN wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O /usr/local/bin/mkcert
+RUN chmod +x /usr/local/bin/mkcert
+
+RUN mkcert -install
+RUN mkdir -p /etc/nginx/certs
+RUN mkcert -key-file /etc/nginx/certs/server.key -cert-file /etc/nginx/certs/server.crt localhost 127.0.0.1 ::1
 
 # Nginx 설정 파일 복사 및 모듈 로드
 COPY ./config/nginx.conf /etc/nginx/nginx.conf
 
-RUN mkdir -p /etc/nginx/modules-load.d/ \
-    && echo 'load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;' > /etc/nginx/modules-load.d/00-modsecurity.conf \
-    && cat /etc/nginx/nginx.conf > /etc/nginx/nginx.conf.bak \
-    && cat /etc/nginx/modules-load.d/00-modsecurity.conf /etc/nginx/nginx.conf.bak > /etc/nginx/nginx.conf
+# RUN mkdir -p /etc/nginx/modules-load.d/ \
+    # && echo 'load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;' > /etc/nginx/modules-load.d/00-modsecurity.conf \
+    # && cat /etc/nginx/nginx.conf > /etc/nginx/nginx.conf.bak \
+    # && cat /etc/nginx/modules-load.d/00-modsecurity.conf /etc/nginx/nginx.conf.bak > /etc/nginx/nginx.conf
 
 CMD ["nginx", "-g", "daemon off;"]
diff --git a/nginx/config/nginx.conf b/nginx/config/nginx.conf
@@ -79,16 +79,15 @@ http {
         ssl_certificate_key /etc/nginx/certs/server.key;
         ssl_protocols TLSv1.1 TLSv1.2;
 
-        modsecurity on;
-        modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
+        # modsecurity on;
+        # modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
 
         location / {
             root /usr/share/nginx/html;
             index index.html index.htm;
             try_files $uri $uri/ /index.html;
         }
 
-
         location /static/ {
             alias /usr/share/nginx/html/static/;
         }
@@ -128,5 +127,15 @@ http {
             add_header 'Access-Control-Allow-Origin' '*' always;
             add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
         }
+
+        # location /vault {
+        #     proxy_pass http://hashicorp_vault:8200;
+        #     proxy_http_version 1.1;
+        #     proxy_set_header Host $host;
+        #     proxy_set_header X-Real-IP $remote_addr;
+        #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        #     proxy_set_header X-Forwarded-Host $server_name;
+        #     proxy_set_header X-Forwarded-Proto https;
+        # }
     }
 }