6 changes: 5 additions & 1 deletion docker-compose.yml
Expand Up @@ -36,7 +36,6 @@ services:
- dbdata:/var/lib/mysql
- ./docker/mysql/init.sql:/docker-entrypoint-initdb.d/init.sql
- ./docker/mysql/mysql-healthcheck.sh:/usr/local/bin/mysql-healthcheck.sh

networks:
- retrip-net
restart: always
Expand Down Expand Up @@ -66,7 +65,10 @@ services:
image: prom/prometheus
container_name: prometheus
volumes:
- ./data/prometheus:/prometheus

Copilot AI Jul 20, 2025


The volume mapping ./data/prometheus:/prometheus may conflict with Prometheus's default data directory. Consider using /prometheus/data as the container path or ensure the host directory has proper permissions for the prometheus user (UID 65534).

Suggested change
- ./data/prometheus:/prometheus
- ./data/prometheus:/prometheus/data

- ./prometheus.yml:/etc/prometheus/prometheus.yml
depends_on:
- retrip-app
ports:
- "9090:9090"
networks:
Expand All @@ -83,6 +85,7 @@ services:
ports:
- "3000:3000"
volumes:
- ./data/grafana:/var/lib/grafana

Copilot AI Jul 20, 2025


You have both ./data/grafana:/var/lib/grafana and grafana-storage:/var/lib/grafana mounting to the same container path. This will cause the named volume to be ignored. Consider removing one of these volume mappings to avoid conflicts.

Suggested change
- ./data/grafana:/var/lib/grafana

- grafana-storage:/var/lib/grafana
depends_on:
- prometheus
Expand Down Expand Up @@ -131,6 +134,7 @@ volumes:

networks:
retrip-net:
name: retrip-net
driver: bridge
ipam:
config:
26 changes: 10 additions & 16 deletions nginx/nginx-prod.conf
Expand Up @@ -86,17 +86,10 @@ server {
add_header X-Frame-Options DENY always;
add_header X-XSS-Protection "1; mode=block" always;

# 내부 네트워크 허용
allow 192.168.0.0/16;
allow 172.16.0.0/12;
allow 127.0.0.1;

# IP 화이트리스트
include /etc/nginx/conf.d/allowed_ips.conf;

# 백엔드 API 프록시
location / {
# OPTIONS 요청 처리

# OPTIONS 요청 처리
if ($request_method = 'OPTIONS') {
add_header Content-Length 0;
add_header Content-Type text/plain;
Expand Down Expand Up @@ -139,12 +132,12 @@ server {
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;

# IP 화이트리스트 설정
include /etc/nginx/conf.d/allowed_ips.conf;
# IP 화이트리스트
include /etc/nginx/conf.d/allowed_ips.rules;

# Grafana 프록시
location / {
proxy_pass http://grafana:3000;

proxy_pass http://grafana:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Expand Down Expand Up @@ -183,12 +176,13 @@ server {
add_header X-Frame-Options DENY always;
add_header X-XSS-Protection "1; mode=block" always;

# IP 화이트리스트 설정
include /etc/nginx/conf.d/allowed_ips.conf;
# IP 화이트리스트
include /etc/nginx/conf.d/allowed_ips.rules;

# Prometheus 프록시
location / {
proxy_pass http://prometheus:9090;

proxy_pass http://prometheus:9090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
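Review bot: The first `server` block's `location /` (the API proxy) loses the internal-network `allow` lines and the `include /etc/nginx/conf.d/allowed_ips.conf;` in the first hunk, but unlike the Grafana and Prometheus blocks below it gets no `include /etc/nginx/conf.d/allowed_ips.rules;` in return, so — if I am reading the collapsed hunk correctly — the API upstream is now reachable from any client address while the whitelist that scripts/deploy.sh generates (ending in `deny all;`) only guards the two dashboards. If exposing the API publicly is the intent, say so where the lines were removed, e.g. `# Public API endpoint: intentionally not covered by the IP whitelist (allowed_ips.rules applies to Grafana/Prometheus only)`; otherwise re-add the include. The `.conf` → `.rules` rename is also undocumented; it presumably keeps the bare `allow`/`deny` fragment out of any `include conf.d/*.conf` at http scope, which a one-line comment above each include would make explicit. All three server blocks continue outside the visible hunks.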
14 changes: 9 additions & 5 deletions scripts/deploy.sh
Expand Up @@ -16,7 +16,7 @@ MAIN_DOMAIN="retrip.kr"
CERT_FILE_PATH="./data/certbot/conf/live/$MAIN_DOMAIN/fullchain.pem"
NGINX_CONF_DIR="./nginx/conf.d"
NGINX_CONTAINER_NAME="nginx"
WHITELIST_FILE="$NGINX_CONF_DIR/allowed_ips.conf"
WHITELIST_FILE="$NGINX_CONF_DIR/allowed_ips.rules"

if command -v docker-compose &> /dev/null; then
DOCKER_COMPOSE="docker-compose"
Expand All @@ -41,15 +41,16 @@ setup_whitelist() {
echo "모든 IP에서 접근이 허용됩니다."

# 기본 설정 (모든 IP 허용)
cat > "$WHITELIST_FILE" << EOF
sudo tee "$WHITELIST_FILE" > /dev/null << EOF

EOF
return 0
fi

echo "화이트리스트가 설정되었습니다: $WHITELIST_IPS"

# 화이트리스트 파일 생성
cat > "$WHITELIST_FILE" << EOF
sudo tee "$WHITELIST_FILE" > /dev/null << EOF
EOF

# 쉼표로 구분된 IP들을 처리
Expand All @@ -60,15 +61,15 @@ EOF

# IP 형식 검증
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(/[0-9]{1,2})?$ ]]; then
echo "allow $ip;" >> "$WHITELIST_FILE"
echo "allow $ip;" | sudo tee -a "$WHITELIST_FILE" > /dev/null
echo " - 허용된 IP: $ip"
else
echo "WARNING: 잘못된 IP 형식입니다: $ip"
fi
done

# 마지막에 deny all 추가
echo "deny all;" >> "$WHITELIST_FILE"
echo "deny all;" | sudo tee -a "$WHITELIST_FILE" > /dev/null

echo "화이트리스트 설정이 완료되었습니다."
echo "설정된 내용:"
Expand Down Expand Up @@ -171,6 +172,9 @@ echo "최종 운영 설정을 적용하고 모든 서비스를 시작합니다."
echo "운영용 Nginx 설정을 적용합니다."
sudo cp ./nginx-prod.conf $NGINX_CONF_DIR/default.conf

echo "기존 컨테이너를 종료합니다..."
$DOCKER_COMPOSE down

echo "새로운 Docker 이미지를 pull 합니다"
$DOCKER_COMPOSE pull retrip-app

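Review bot: The `allow $ip;` line now written through `sudo tee -a` is still gated only by the regex on the preceding `if`, which accepts octets above 255 and prefixes above /32 (e.g. `300.1.1.1/40`), so a single typo in WHITELIST_IPS yields a root-owned rules file that `nginx -t` rejects after `deny all;` has already been appended; a small range check in front of the `tee` closes that (below). Separately, the new `$DOCKER_COMPOSE down` runs before `$DOCKER_COMPOSE pull retrip-app`, so the whole stack (database and nginx included) stays stopped for the duration of the image pull; pulling first and then running `down`/`up -d` limits the outage to the restart itself. The `for` loop that owns this `if` starts outside the hunk.
```shell
# Returns 0 when $1 is a.b.c.d or a.b.c.d/n with every octet 0-255 and n 0-32.
valid_cidr() {
  local addr=$1 prefix=32 octet octets
  [[ $addr =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(/[0-9]{1,2})?$ ]] || return 1
  if [[ $addr == */* ]]; then
    prefix=${addr#*/}
    addr=${addr%/*}
  fi
  (( 10#$prefix <= 32 )) || return 1   # 10# avoids octal parsing of "08"
  IFS=. read -r -a octets <<<"$addr"
  for octet in "${octets[@]}"; do
    (( 10#$octet <= 255 )) || return 1
  done
}

# … unchanged: whitelist header written via sudo tee, start of the for loop …
    if valid_cidr "$ip"; then
        echo "allow $ip;" | sudo tee -a "$WHITELIST_FILE" > /dev/null
```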