diff --git a/docker-compose.yml b/docker-compose.yml
index a2901e5..dc72910 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -36,7 +36,6 @@ services: - dbdata:/var/lib/mysql - ./docker/mysql/init.sql:/docker-entrypoint-initdb.d/init.sql - ./docker/mysql/mysql-healthcheck.sh:/usr/local/bin/mysql-healthcheck.sh - networks: - retrip-net restart: always
@@ -66,7 +65,10 @@ services:
 image: prom/prometheus
 container_name: prometheus
 volumes:
+ - ./data/prometheus:/prometheus
 - ./prometheus.yml:/etc/prometheus/prometheus.yml
+ depends_on:
+ - retrip-app
 ports:
 - "9090:9090"
 networks:
@@ -83,6 +85,7 @@ services:
 ports:
 - "3000:3000"
 volumes:
+ - ./data/grafana:/var/lib/grafana
 - grafana-storage:/var/lib/grafana
 depends_on:
 - prometheus
@@ -131,6 +134,7 @@ volumes:
 networks:
 retrip-net:
+ name: retrip-net
 driver: bridge
 ipam:
 config:
diff --git a/nginx/nginx-prod.conf b/nginx/nginx-prod.conf
index 31a7a3e..0929608 100644
--- a/nginx/nginx-prod.conf
+++ b/nginx/nginx-prod.conf
@@ -86,17 +86,10 @@ server {
 add_header X-Frame-Options DENY always;
 add_header X-XSS-Protection "1; mode=block" always;
- # 내부 네트워크 허용
- allow 192.168.0.0/16;
- allow 172.16.0.0/12;
- allow 127.0.0.1;
-
- # IP 화이트리스트
- include /etc/nginx/conf.d/allowed_ips.conf;
-
 # 백엔드 API 프록시
 location / {
- # OPTIONS 요청 처리
+
+ # OPTIONS 요청 처리
 if ($request_method = 'OPTIONS') {
 add_header Content-Length 0;
 add_header Content-Type text/plain;
@@ -139,12 +132,12 @@ server {
 add_header X-Frame-Options SAMEORIGIN always;
 add_header X-XSS-Protection "1; mode=block" always;
- # IP 화이트리스트 설정
- include /etc/nginx/conf.d/allowed_ips.conf;
+ # IP 화이트리스트
+ include /etc/nginx/conf.d/allowed_ips.rules;
- # Grafana 프록시
 location / {
- proxy_pass http://grafana:3000;
+
+ proxy_pass http://grafana:3000;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
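Review bot: As collapsed here, the mysql service hunk reads as `networks:` removed while `- retrip-net` stays, which would make `retrip-net` a fourth entry under the service's `volumes:` list (a relative container path that Compose rejects as an invalid mount); please confirm against the rendered diff that both lines were removed. With no `networks:` key the service joins only the project default network, so any service attached exclusively to `retrip-net` can no longer reach the database by name — whether that applies to retrip-app depends on its definition outside this hunk. The service's `volumes:` key starts before the hunk.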
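Review bot: The new bind mount `./data/prometheus:/prometheus` needs the host directory to be writable by the user the Prometheus image runs as (it is unprivileged by default), so a root-owned `./data/prometheus` created as a side effect of the deploy script's `sudo` steps will likely make the TSDB open fail at startup; the deploy script should create it with the right ownership before `up`. `depends_on: - retrip-app` only orders container start and does not wait for the app to answer, so early scrapes will fail until the app is up — harmless, but worth a comment such as `# start order only; failed scrapes are retried on the next interval`. The service's `networks:` list continues after the hunk.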
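Review bot: `./data/grafana:/var/lib/grafana` and the existing `grafana-storage:/var/lib/grafana` now target the same container path, which Compose rejects as a duplicate mount point, so the stack will not start; keep one of them, and if the bind mount is the intended one also drop `grafana-storage` from the top-level `volumes:` outside this hunk. Whichever is kept holds Grafana's SQLite database with user accounts, sessions and datasource credentials, so `./data/grafana` must be excluded from version control and readable only by the deploy user and the container's uid. The grafana service definition starts before the hunk.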
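Review bot: Giving the network a fixed `name: retrip-net` makes it a host-wide shared network rather than one scoped to this Compose project: any other project on the host that declares `retrip-net` with `external: true` attaches to it and can reach every service on it. If that sharing is intended, document it, e.g. `# fixed name so other stacks on this host can join; everything on this network is reachable by them`; if not, the project-prefixed default name was the safer choice. The `ipam` `config:` list continues past the hunk.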
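Review bot: This server block (it opens before the hunk) loses both its private-range `allow` rules and the `include` of the whitelist, and nothing replaces them, so `location /` of the API server is now reachable from any source address while the Grafana and Prometheus servers below keep an allow-list via `allowed_ips.rules`. If opening the API is intended, say so where the rules used to be, e.g. `# intentionally no IP restriction: public API`; if not, add `include /etc/nginx/conf.d/allowed_ips.rules;` here like the other two blocks. The `if ($request_method = 'OPTIONS')` block continues past the hunk.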
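Review bot: The `# Grafana 프록시` comment is replaced by a blank line inside `location /`, which loses the only explanation of the block; keep the comment and drop the blank. The rename of the include from `allowed_ips.conf` to `allowed_ips.rules` is unexplained in the diff — presumably it stops the file from also being picked up by a `conf.d/*.conf` glob in the main nginx.conf, which is not visible here; a comment such as `# .rules, not .conf, so a conf.d/*.conf include does not load it at http scope` would record that. The same applies to the Prometheus server hunk (`@@ -183`). Both server blocks open before their hunks.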
@@ -183,12 +176,13 @@ server {
 add_header X-Frame-Options DENY always;
 add_header X-XSS-Protection "1; mode=block" always;
- # IP 화이트리스트 설정
- include /etc/nginx/conf.d/allowed_ips.conf;
+ # IP 화이트리스트
+ include /etc/nginx/conf.d/allowed_ips.rules;
 # Prometheus 프록시
 location / {
- proxy_pass http://prometheus:9090;
+
+ proxy_pass http://prometheus:9090;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
index 6f29cd5..4ec82e7 100644
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -16,7 +16,7 @@ MAIN_DOMAIN="retrip.kr"
 CERT_FILE_PATH="./data/certbot/conf/live/$MAIN_DOMAIN/fullchain.pem"
 NGINX_CONF_DIR="./nginx/conf.d"
 NGINX_CONTAINER_NAME="nginx"
-WHITELIST_FILE="$NGINX_CONF_DIR/allowed_ips.conf"
+WHITELIST_FILE="$NGINX_CONF_DIR/allowed_ips.rules"
 if command -v docker-compose &> /dev/null; then
 DOCKER_COMPOSE="docker-compose"
@@ -41,7 +41,8 @@ setup_whitelist() {
 echo "모든 IP에서 접근이 허용됩니다."
 # 기본 설정 (모든 IP 허용)
- cat > "$WHITELIST_FILE" << EOF
+ sudo tee "$WHITELIST_FILE" > /dev/null << EOF
+
 EOF
 return 0
 fi
@@ -49,7 +50,7 @@ EOF
 echo "화이트리스트가 설정되었습니다: $WHITELIST_IPS"
 # 화이트리스트 파일 생성
- cat > "$WHITELIST_FILE" << EOF
+ sudo tee "$WHITELIST_FILE" > /dev/null << EOF
 EOF
 # 쉼표로 구분된 IP들을 처리
@@ -60,7 +61,7 @@ EOF
 # IP 형식 검증
 if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(/[0-9]{1,2})?$ ]]; then
- echo "allow $ip;" >> "$WHITELIST_FILE"
+ echo "allow $ip;" | sudo tee -a "$WHITELIST_FILE" > /dev/null
 echo " - 허용된 IP: $ip"
 else
 echo "WARNING: 잘못된 IP 형식입니다: $ip"
@@ -68,7 +69,7 @@ EOF
 done
 # 마지막에 deny all 추가
- echo "deny all;" >> "$WHITELIST_FILE"
+ echo "deny all;" | sudo tee -a "$WHITELIST_FILE" > /dev/null
 echo "화이트리스트 설정이 완료되었습니다."
 echo "설정된 내용:"
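Review bot: With the deploy script's no-whitelist branch writing an empty `allowed_ips.rules` (the `@@ -41` hunk below), this `include` imposes no restriction and `location /` proxies Prometheus to every source address; Prometheus ships without authentication, so unless basic auth is configured elsewhere in this server block (not visible here) its metrics and query API become public. Prefer a fail-closed default: have the script write `deny all;` when no whitelist is configured, or add `auth_basic` to this server and the Grafana one. The server block opens before the hunk.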
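Review bot: Renaming `WHITELIST_FILE` to `allowed_ips.rules` leaves any previously generated `./nginx/conf.d/allowed_ips.conf` on the host untouched; if the main nginx.conf includes `conf.d/*.conf` (not visible here) that stale file keeps applying its old `allow`/`deny all` lines at http scope to every server, which can either lock everything out or keep a since-revoked address allowed. Remove it as part of the switch, e.g. `sudo rm -f "$NGINX_CONF_DIR/allowed_ips.conf"` at the start of `setup_whitelist`.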
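Review bot: None of the new `sudo tee` writes checks its exit status, so when sudo is unavailable or prompts in a non-interactive deploy the previous rules file stays in place while the script still reports that all IPs are allowed or that the whitelist was applied; whether `set -e` is active at the top of the file is not visible here. Append a check to each write, e.g. `sudo tee "$WHITELIST_FILE" > /dev/null << EOF || return 1` here and in `@@ -49`, and `| sudo tee -a "$WHITELIST_FILE" > /dev/null || return 1` in `@@ -60` and `@@ -68`. `setup_whitelist` continues past each of these hunks.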
@@ -171,6 +172,9 @@ echo "최종 운영 설정을 적용하고 모든 서비스를 시작합니다."
 echo "운영용 Nginx 설정을 적용합니다."
 sudo cp ./nginx-prod.conf $NGINX_CONF_DIR/default.conf
+echo "기존 컨테이너를 종료합니다..."
+$DOCKER_COMPOSE down
+
 echo "새로운 Docker 이미지를 pull 합니다"
 $DOCKER_COMPOSE pull retrip-app
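Review bot: Running `$DOCKER_COMPOSE down` before `$DOCKER_COMPOSE pull retrip-app` takes the whole stack, nginx included, offline for the duration of the image download; pulling first and only then doing `down` and the restart keeps the outage to the restart itself. `down` without `--volumes` keeps `dbdata` and `grafana-storage`, which is what this deploy needs — a comment such as `# never add -v/--volumes here: it would delete dbdata and grafana-storage` guards against a later "cleanup" edit. The `up` that presumably follows is outside the hunk.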