From 29cde251f5c72383d9027428456becd84c7e4b6b Mon Sep 17 00:00:00 2001
From: minjungw00
Date: Sun, 17 Nov 2024 19:53:03 +0900
Subject: [PATCH 1/5] =?UTF-8?q?feat:=20NginX=EC=97=90=EC=84=9C=20HTTPS=20?=
 =?UTF-8?q?=EC=A0=91=EC=86=8D=20=EB=A1=9C=EC=A7=81=20=EC=B6=94=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#136
---
 nginx/default.conf | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/nginx/default.conf b/nginx/default.conf
index 268c9e3c..4ff2ad01 100644
--- a/nginx/default.conf
+++ b/nginx/default.conf
@@ -3,8 +3,31 @@ upstream backend {
 server backend:3000; # 백엔드 서버 (NestJS)
 }
 
+# HTTP 요청을 HTTPS로 리다이렉트
 server {
 listen 80;
+ server_name nocta.site www.nocta.site;
+
+ # HTTPS로 리다이렉트
+ return 301 https://$host$request_uri;
+}
+
+# HTTPS 서버 블록
+server {
+ listen 443 ssl;
+ server_name nocta.site www.nocta.site;
+
+ # SSL 인증서와 키 파일 경로
+ ssl_certificate /etc/letsencrypt/live/nocta.site/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/nocta.site/privkey.pem;
+
+ # SSL 설정
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ # HSTS 설정 (HTTPS 강제)
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
 # /api 경로로 들어오는 요청은 백엔드로 전달
 location /api {

From 37d47aa39570a6312d17ae4ebdd00aefc47dca8a Mon Sep 17 00:00:00 2001
From: minjungw00
Date: Sun, 17 Nov 2024 20:00:44 +0900
Subject: [PATCH 2/5] =?UTF-8?q?build:=20docker=20compose=EC=97=90=20certbo?=
 =?UTF-8?q?t=20=EC=B6=94=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#136
---
 docker-compose.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index 620afd18..8732b870 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
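Review bot: `return 301 https://$host$request_uri;` in the new port-80 block copies the client-supplied Host header into the Location response, and because this is the only `listen 80` server it is also nginx's default server, so a request carrying an unlisted Host value is redirected to whatever hostname the client sent instead of being refused. Redirect to a fixed name, `return 301 https://nocta.site$request_uri;`, or add a separate `listen 80 default_server;` block that answers unlisted names with `return 444;` so only `nocta.site`/`www.nocta.site` reach the redirect. nginx also drops a server-level `add_header` inside any `location` that declares its own `add_header`, so the HSTS header would be missing on `/api` responses if that block (it begins at the end of the hunk and continues outside it) sets headers of its own — worth checking. `ssl_ciphers HIGH:!aNULL:!MD5` still admits CBC and static-RSA suites under TLS 1.2; restricting the list to ECDHE/AEAD suites would tighten this.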
@@ -25,11 +25,24 @@ services:
 dockerfile: ./nginx/Dockerfile
 ports:
 - "80:80"
+ - "443:443"
 volumes:
 - ./client/dist:/usr/share/nginx/html
+ - ./certbot/conf:/etc/letsencrypt # Certbot 인증서 파일 공유
+ - ./certbot/www:/var/www/certbot # Certbot 웹 루트 디렉토리 공유
+ - ./nginx/conf.d:/etc/nginx/conf.d # Nginx 설정 공유
 depends_on:
 - frontend
 - backend
+ - certbot
+
+ certbot:
+ image: certbot/certbot
+ container_name: certbot
+ volumes:
+ - ./certbot/conf:/etc/letsencrypt # 인증서 저장 경로
+ - ./certbot/www:/var/www/certbot # 인증 과정에 필요한 웹 루트 경로
+ entrypoint: /bin/sh -c 'trap exit TERM; while :; do sleep 1; done'
 
 networks:
 app-network:

From 421169f369e2dabb95280e8504dfc4924d5ab6a6 Mon Sep 17 00:00:00 2001
From: minjungw00
Date: Mon, 18 Nov 2024 01:18:43 +0900
Subject: [PATCH 3/5] =?UTF-8?q?build:=20nginx=20dockerfile=20443=20?=
 =?UTF-8?q?=ED=8F=AC=ED=8A=B8=20=EC=B6=94=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#136
---
 nginx/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index eddbc882..d47a76f8 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -5,4 +5,5 @@ WORKDIR /usr/share/nginx/html COPY ./nginx/default.conf /etc/nginx/conf.d/default.conf EXPOSE 80 +EXPOSE 443 CMD ["nginx", "-g", "daemon off;"] \ No newline at end of file

From e9bd779e8021e74cec2a3988bad75f0fae28e601 Mon Sep 17 00:00:00 2001
From: minjungw00
Date: Mon, 18 Nov 2024 02:31:06 +0900
Subject: [PATCH 4/5] =?UTF-8?q?build:=20certbot=20docker=20=EC=9D=B4?=
 =?UTF-8?q?=EB=AF=B8=EC=A7=80=20=EC=B6=94=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#136
---
 .github/workflows/deploy.yml | 7 ++++++-
 docker-compose.yml | 15 ++++++++-------
 nginx/default.conf | 11 +++++++++--
 renew_certificates.sh | 4 ++++
 4 files changed, 27 insertions(+), 10 deletions(-)
 create mode 100755 renew_certificates.sh
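Review bot: The new `certbot` service only loops on `sleep`, so nothing ever writes a certificate into `./certbot/conf`, yet the nginx config from patch 1 references `/etc/letsencrypt/live/nocta.site/fullchain.pem` and nginx refuses to start when that file is missing; `depends_on: - certbot` orders container start but does not wait for a certificate, so a fresh host cannot bring nginx up. The `./nginx/conf.d:/etc/nginx/conf.d` bind also hides whatever the image placed in that directory (patch 3's Dockerfile copies `default.conf` there), so unless the host has a `nginx/conf.d/default.conf` the container sees no site config at all. Patch 4 removes that mount and gives certbot a real `certonly` command, but the first-start ordering problem is not solved anywhere in this series. A comment on the nginx service such as `# a certificate must exist under ./certbot/conf/live/nocta.site before the first start` would at least make the precondition explicit.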
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index d8f756e7..eef75d93 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -23,6 +23,11 @@ jobs:
 run: |
 docker-compose up -d --build
 
- # 3. Clean up Old Images
+ # 3. 인증서 갱신 및 Nginx 재시작
+ - name: Renew SSL Certificates
+ run: |
+ ./renew_certificates.sh
+
+ # 4. Clean up Old Images
 - name: Remove Dangling Images
 run: docker image prune -f
diff --git a/docker-compose.yml b/docker-compose.yml
index 8732b870..68fde014 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -28,9 +28,8 @@ services:
 - "443:443"
 volumes:
 - ./client/dist:/usr/share/nginx/html
- - ./certbot/conf:/etc/letsencrypt # Certbot 인증서 파일 공유
- - ./certbot/www:/var/www/certbot # Certbot 웹 루트 디렉토리 공유
- - ./nginx/conf.d:/etc/nginx/conf.d # Nginx 설정 공유
+ - ./certbot/www:/var/www/certbot
+ - certbot-etc:/etc/letsencrypt:ro
 depends_on:
 - frontend
 - backend
@@ -38,11 +37,13 @@ services:
 
 certbot:
 image: certbot/certbot
- container_name: certbot
 volumes:
- - ./certbot/conf:/etc/letsencrypt # 인증서 저장 경로
- - ./certbot/www:/var/www/certbot # 인증 과정에 필요한 웹 루트 경로
- entrypoint: /bin/sh -c 'trap exit TERM; while :; do sleep 1; done'
+ - certbot-etc:/etc/letsencrypt
+ - ./certbot/www:/var/www/certbot
+ command: certonly --webroot --webroot-path=/var/www/certbot --email minjungw00@naver.com --agree-tos --no-eff-email -d nocta.site -d www.nocta.site
+
+volumes:
+ certbot-etc:
 
 networks:
 app-network:
diff --git a/nginx/default.conf b/nginx/default.conf
index 4ff2ad01..769620a8 100644
--- a/nginx/default.conf
+++ b/nginx/default.conf
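Review bot: `command: certonly --webroot ... -d nocta.site -d www.nocta.site` runs every time the stack starts, and `deploy.yml` in this same commit runs `docker-compose up -d --build` on every deploy, so each deploy requests a fresh certificate; Let's Encrypt caps duplicate certificates for the same name set at five per week, after which issuance fails. Append `--keep-until-expiring` to the `command` so certbot exits immediately while a valid certificate exists, and move the account address out of the repository, `--email ${CERTBOT_EMAIL}`, supplied from `.env` or the deploy secrets. The nginx service still carries `depends_on: - certbot` and still needs `fullchain.pem` to exist before it starts, while certbot's http-01 challenge needs that same nginx answering on port 80, so the first issuance on a new host has to be bootstrapped by hand; a comment on the `certbot` service stating that would save the next operator a failed deploy. The `Renew SSL Certificates` step added to `deploy.yml` is less exposed to the limit, since `renew` only acts on certificates close to expiry.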
@@ -3,13 +3,20 @@ upstream backend {
 server backend:3000; # 백엔드 서버 (NestJS)
 }
 
-# HTTP 요청을 HTTPS로 리다이렉트
+# HTTP 서버 블록
 server {
 listen 80;
 server_name nocta.site www.nocta.site;
 
+ # Let's Encrypt 인증을 위한 설정
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
 # HTTPS로 리다이렉트
- return 301 https://$host$request_uri;
+ location / {
+ return 301 https://$host$request_uri;
+ }
 }
 
 # HTTPS 서버 블록
diff --git a/renew_certificates.sh b/renew_certificates.sh
new file mode 100755
index 00000000..2bd0c5f9
--- /dev/null
+++ b/renew_certificates.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+docker-compose run certbot renew --webroot --webroot-path=/var/www/certbot
+docker-compose exec nginx nginx -s reload

From 01f888651e6bfc565d52cda0cb5dfe58911d1508 Mon Sep 17 00:00:00 2001
From: minjungw00
Date: Mon, 18 Nov 2024 02:49:59 +0900
Subject: [PATCH 5/5] =?UTF-8?q?build:=20certbot=EC=9D=84=20=EC=84=9C?=
 =?UTF-8?q?=EB=B2=84=EC=97=90=EC=84=9C=20=EB=B3=84=EB=8F=84=EB=A1=9C=20?=
 =?UTF-8?q?=EC=A0=9C=EC=96=B4=ED=95=98=EA=B8=B0=20=EC=9C=84=ED=95=B4=20cer?=
 =?UTF-8?q?tbot=20=EA=B4=80=EB=A0=A8=20=EC=84=A4=EC=A0=95=20=EC=A0=9C?=
 =?UTF-8?q?=EA=B1=B0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#136
---
 .github/workflows/deploy.yml | 7 +------
 docker-compose.yml | 14 +------------
 renew_certificates.sh | 4 ----
 3 files changed, 2 insertions(+), 23 deletions(-)
 delete mode 100755 renew_certificates.sh

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index eef75d93..d8f756e7 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -23,11 +23,6 @@ jobs:
 run: |
 docker-compose up -d --build
 
- # 3. 인증서 갱신 및 Nginx 재시작
- - name: Renew SSL Certificates
- run: |
- ./renew_certificates.sh
-
- # 4. Clean up Old Images
+ # 3. Clean up Old Images
 - name: Remove Dangling Images
 run: docker image prune -f
diff --git a/docker-compose.yml b/docker-compose.yml
index 68fde014..c4f9f03d 100644
--- a/docker-compose.yml
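Review bot: `renew_certificates.sh` reloads nginx even when the `renew` command has failed, and `docker-compose run` without `--rm` leaves a stopped certbot container behind on every invocation. Start the script with `set -euo pipefail` and change the renew line to `docker-compose run --rm certbot renew --webroot --webroot-path=/var/www/certbot`; with `set -e` the reload is then skipped when renewal errors out. `docker-compose exec nginx` assumes the web service is named `nginx`, which none of the compose hunks show (the service key sits above the visible `dockerfile:` line), so that name is worth confirming. A header comment, `# Renews Let's Encrypt certificates through the certbot service and reloads nginx so it picks up the new files`, would tell the next reader what the two commands are for.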
+++ b/docker-compose.yml
@@ -28,22 +28,10 @@ services:
 - "443:443"
 volumes:
 - ./client/dist:/usr/share/nginx/html
- - ./certbot/www:/var/www/certbot
- - certbot-etc:/etc/letsencrypt:ro
+ - /etc/letsencrypt:/etc/letsencrypt:ro
 depends_on:
 - frontend
 - backend
- - certbot
-
- certbot:
- image: certbot/certbot
- volumes:
- - certbot-etc:/etc/letsencrypt
- - ./certbot/www:/var/www/certbot
- command: certonly --webroot --webroot-path=/var/www/certbot --email minjungw00@naver.com --agree-tos --no-eff-email -d nocta.site -d www.nocta.site
-
-volumes:
- certbot-etc:
 
 networks:
 app-network:
diff --git a/renew_certificates.sh b/renew_certificates.sh
deleted file mode 100755
index 2bd0c5f9..00000000
--- a/renew_certificates.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-
-docker-compose run certbot renew --webroot --webroot-path=/var/www/certbot
-docker-compose exec nginx nginx -s reload
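Review bot: Dropping `- ./certbot/www:/var/www/certbot` leaves the `location /.well-known/acme-challenge/ { root /var/www/certbot; }` block from patch 4 pointing at a directory that no longer maps to anything on the host, so a host-side `certbot renew --webroot` cannot place its challenge files where the container serves them, and a `--standalone` run would collide with the container already bound to port 80. Keep a read-only bind of whatever webroot the host certbot is given, e.g. `- /var/www/certbot:/var/www/certbot:ro` (constructed path — match it to the host's certbot configuration). nginx reads `fullchain.pem`/`privkey.pem` only at start and on reload, so a certificate renewed on the host is not served until the container is reloaded; a host-side certbot `--deploy-hook` that runs `docker-compose exec <nginx-service> nginx -s reload` (the service name is not visible in this hunk) closes that gap. The `:ro` mount of `/etc/letsencrypt` itself is the right shape, since the `live/` symlinks resolve inside the same mount.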