From 256c3e56a442ed873d6a8be2508bc6953b40ce40 Mon Sep 17 00:00:00 2001 From: hyungi Date: Wed, 25 Feb 2026 15:21:20 +0900 Subject: [PATCH] feat: Add ai/mark/document proxy, add news/kuma servers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - document.hyungi.net: DEVONthink → Paperless-ngx (NAS) - mark.hyungi.net: Karakeep 추가 (NAS) - ai.hyungi.net: Open WebUI 추가 (Mac Mini) - news.hyungi.net: FreshRSS 추가 - kuma.hyungi.net: Uptime Kuma 추가 - Remove unused VNC stream port (5901) Co-Authored-By: Claude Opus 4.6 --- docker-compose-ssl.yml | 2 +- nginx-ssl.conf | 126 ++++++++++++++++++++++++++++++++++++++--- 2 files changed, 119 insertions(+), 9 deletions(-) diff --git a/docker-compose-ssl.yml b/docker-compose-ssl.yml index ef2429b..21c8054 100644 --- a/docker-compose-ssl.yml +++ b/docker-compose-ssl.yml @@ -9,7 +9,7 @@ services: ports: - "80:80" # HTTP (Let's Encrypt 인증용) - "8443:443" # HTTPS (최종 접속용) - - "5901:5901" # macOS Screen Sharing (TCP Stream) + volumes: - ./nginx-ssl.conf:/etc/nginx/nginx.conf:ro - ./security.conf:/etc/nginx/conf.d/security.conf:ro diff --git a/nginx-ssl.conf b/nginx-ssl.conf index 53f3132..2385c3f 100644 --- a/nginx-ssl.conf +++ b/nginx-ssl.conf @@ -88,7 +88,17 @@ http { } upstream document_backend { - server 192.168.1.122:8181; + server 192.168.1.227:8000; # Paperless-ngx (시놀로지 NAS) + keepalive 16; + } + + upstream mark_backend { + server 192.168.1.227:3000; # Karakeep (시놀로지 NAS) + keepalive 16; + } + + upstream ai_backend { + server 192.168.1.122:3080; # Open WebUI (Mac Mini) keepalive 16; } 
@@ -127,13 +137,23 @@ http { keepalive 16; } + upstream news_backend { + server 192.168.1.122:8080; # FreshRSS on Mac Mini + keepalive 16; + } + + upstream kuma_backend { + server 192.168.1.227:3001; + keepalive 16; + } + # HTTP → HTTPS 리다이렉트 server { listen 80; - server_name jellyfin.hyungi.net komga.hyungi.net webdav.hyungi.net ds1525.hyungi.net document.hyungi.net git.hyungi.net vault.hyungi.net link.hyungi.net mailplus.hyungi.net contacts.hyungi.net calendar.hyungi.net note.hyungi.net; + server_name jellyfin.hyungi.net komga.hyungi.net webdav.hyungi.net ds1525.hyungi.net document.hyungi.net mark.hyungi.net ai.hyungi.net git.hyungi.net vault.hyungi.net link.hyungi.net mailplus.hyungi.net contacts.hyungi.net calendar.hyungi.net note.hyungi.net news.hyungi.net kuma.hyungi.net; # Let's Encrypt 인증 경로 location /.well-known/acme-challenge/ { @@ -320,9 +340,9 @@ http { deny all; } - location ~ /\. { - deny all; - } + # location ~ /\. { + # deny all; + # } } # HTTPS 서버 - DSM (Synology) @@ -346,7 +366,7 @@ http { } } - # HTTPS 서버 - DevonThink (Document) + # HTTPS 서버 - Paperless-ngx (Document) server { listen 443 ssl; http2 on; 
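Review bot: Commenting out `location ~ /\. { deny all; }` in the `-320,9 +340,9` hunk drops the dot-path block for this server, so requests such as `/.git/config` or `/.env` now fall through to whatever the remaining locations do. The commit message does not mention this change. The server block starts above the hunk, so which host is affected and what it serves cannot be told from here. If the rule was disabled only to let a `.well-known` path through, keep the deny and exempt that prefix: `location ~ /\.(?!well-known) { deny all; }`. If it really has to stay off, replace the commented-out code with a one-line comment saying why.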
@@ -354,13 +374,57 @@ http { ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem; ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem; - + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + client_max_body_size 100M; + + location / { + proxy_pass http://document_backend; + include /etc/nginx/conf.d/security.conf; + } + } + + # HTTPS 서버 - Open WebUI (AI) + server { + listen 443 ssl; + http2 on; + server_name ai.hyungi.net; + + ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem; + ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem; + ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; location / { - proxy_pass http://document_backend; + proxy_pass http://ai_backend; + include /etc/nginx/conf.d/security.conf; + + # WebSocket 지원 (채팅 스트리밍) + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + } + + # HTTPS 서버 - Karakeep (Mark/Bookmark) + server { + listen 443 ssl; + http2 on; + server_name mark.hyungi.net; + + ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem; + ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + location / { + 
proxy_pass http://mark_backend; include /etc/nginx/conf.d/security.conf; } } @@ -522,4 +586,50 @@ http { proxy_set_header Connection "upgrade"; } } + +# HTTPS 서버 - freshrss + server { + listen 443 ssl; + http2 on; + server_name news.hyungi.net; + + ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem; + ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + location / { + proxy_pass http://news_backend; + include /etc/nginx/conf.d/security.conf; + + # WebSocket support for freshrss notifications + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + } + + # HTTPS 서버 - Uptime Kuma + server { + listen 443 ssl; + http2 on; + server_name kuma.hyungi.net; + + ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem; + ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + location / { + proxy_pass http://kuma_backend; + include /etc/nginx/conf.d/security.conf; + + # WebSocket 지원 (Uptime Kuma 실시간 업데이트용) + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + } }
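Review bot: The `document`, `ai` and `mark` server blocks publish Paperless-ngx, Open WebUI and Karakeep with nothing in `location /` but `proxy_pass` and the `security.conf` include. Unless that include (not part of this patch) restricts clients, each application's own login is the only control in front of them, and `document.hyungi.net` now also accepts 100 MB request bodies. If these hosts are only used from home or over a VPN, add `allow 192.168.1.0/24; deny all;` or `auth_basic` to each `location /`; the subnet is inferred from the upstream addresses and needs confirming, as does the client address nginx actually sees behind the Docker port mapping. The same consideration applies to `news.hyungi.net` and `kuma.hyungi.net` in the last hunk.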
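Review bot: `proxy_set_header Connection "upgrade";` in the `news` and `kuma` locations (and in the `ai` location of the previous hunk) is sent on every proxied request, not only on WebSocket handshakes. It also replaces the cleared `Connection` header that nginx documents for the upstream `keepalive 16` pools. A `map` on `$http_upgrade` at `http` level lets ordinary requests go out with an empty header while real upgrades still carry `upgrade`. WebSocket proxying also needs `proxy_http_version 1.1`, which may already come from `security.conf`. The FreshRSS comment mentions WebSocket notifications; if that backend never upgrades, both headers can be dropped from the `news` block.

```nginx
# once, inside http { }
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

# … unchanged: server_name and ssl_* directives for kuma.hyungi.net …
location / {
    proxy_pass http://kuma_backend;
    include /etc/nginx/conf.d/security.conf;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
```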