feat: Add ai/mark/document proxy, add news/kuma servers

- document.hyungi.net: DEVONthink → Paperless-ngx (NAS)
- mark.hyungi.net: Karakeep 추가 (NAS)
- ai.hyungi.net: Open WebUI 추가 (Mac Mini)
- news.hyungi.net: FreshRSS 추가
- kuma.hyungi.net: Uptime Kuma 추가
- Remove unused VNC stream port (5901)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
hyungi
2026-02-25 15:21:20 +09:00
parent 789de08f99
commit 256c3e56a4
2 changed files with 119 additions and 9 deletions


@@ -9,7 +9,7 @@ services:
ports: ports:
- "80:80" # HTTP (Let's Encrypt 인증용) - "80:80" # HTTP (Let's Encrypt 인증용)
- "8443:443" # HTTPS (최종 접속용) - "8443:443" # HTTPS (최종 접속용)
- "5901:5901" # macOS Screen Sharing (TCP Stream)
volumes: volumes:
- ./nginx-ssl.conf:/etc/nginx/nginx.conf:ro - ./nginx-ssl.conf:/etc/nginx/nginx.conf:ro
- ./security.conf:/etc/nginx/conf.d/security.conf:ro - ./security.conf:/etc/nginx/conf.d/security.conf:ro


@@ -88,7 +88,17 @@ http {
} }
upstream document_backend { upstream document_backend {
server 192.168.1.122:8181; server 192.168.1.227:8000; # Paperless-ngx (시놀로지 NAS)
keepalive 16;
}
upstream mark_backend {
server 192.168.1.227:3000; # Karakeep (시놀로지 NAS)
keepalive 16;
}
upstream ai_backend {
server 192.168.1.122:3080; # Open WebUI (Mac Mini)
keepalive 16; keepalive 16;
} }
@@ -127,13 +137,23 @@ http {
keepalive 16; keepalive 16;
} }
upstream news_backend {
server 192.168.1.122:8080; # FreshRSS on Mac Mini
keepalive 16;
}
upstream kuma_backend {
server 192.168.1.227:3001;
keepalive 16;
}
# HTTP → HTTPS 리다이렉트 # HTTP → HTTPS 리다이렉트
server { server {
listen 80; listen 80;
server_name jellyfin.hyungi.net komga.hyungi.net webdav.hyungi.net ds1525.hyungi.net document.hyungi.net git.hyungi.net vault.hyungi.net link.hyungi.net mailplus.hyungi.net contacts.hyungi.net calendar.hyungi.net note.hyungi.net; server_name jellyfin.hyungi.net komga.hyungi.net webdav.hyungi.net ds1525.hyungi.net document.hyungi.net mark.hyungi.net ai.hyungi.net git.hyungi.net vault.hyungi.net link.hyungi.net mailplus.hyungi.net contacts.hyungi.net calendar.hyungi.net note.hyungi.net news.hyungi.net kuma.hyungi.net;
# Let's Encrypt 인증 경로 # Let's Encrypt 인증 경로
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
@@ -320,9 +340,9 @@ http {
deny all; deny all;
} }
location ~ /\. { # location ~ /\. {
deny all; # deny all;
} # }
} }
# HTTPS 서버 - DSM (Synology) # HTTPS 서버 - DSM (Synology)
@@ -346,7 +366,7 @@ http {
} }
} }
# HTTPS 서버 - DevonThink (Document) # HTTPS 서버 - Paperless-ngx (Document)
server { server {
listen 443 ssl; listen 443 ssl;
http2 on; http2 on;
@@ -354,13 +374,57 @@ http {
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem; ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem; ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
client_max_body_size 100M;
location / {
proxy_pass http://document_backend;
include /etc/nginx/conf.d/security.conf;
}
}
# HTTPS 서버 - Open WebUI (AI)
server {
listen 443 ssl;
http2 on;
server_name ai.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
location / { location / {
proxy_pass http://document_backend; proxy_pass http://ai_backend;
include /etc/nginx/conf.d/security.conf;
# WebSocket 지원 (채팅 스트리밍)
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# HTTPS 서버 - Karakeep (Mark/Bookmark)
server {
listen 443 ssl;
http2 on;
server_name mark.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
location / {
proxy_pass http://mark_backend;
include /etc/nginx/conf.d/security.conf; include /etc/nginx/conf.d/security.conf;
} }
} }
@@ -522,4 +586,50 @@ http {
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
} }
} }
# HTTPS 서버 - freshrss
server {
listen 443 ssl;
http2 on;
server_name news.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
location / {
proxy_pass http://news_backend;
include /etc/nginx/conf.d/security.conf;
# WebSocket support for freshrss notifications
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# HTTPS 서버 - Uptime Kuma
server {
listen 443 ssl;
http2 on;
server_name kuma.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
location / {
proxy_pass http://kuma_backend;
include /etc/nginx/conf.d/security.conf;
# WebSocket 지원 (Uptime Kuma 실시간 업데이트용)
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
} }
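Review bot: The hunk at `@@ -320,9 +340,9 @@` comments out the `location ~ /\. { deny all; }` rule, which drops the dotfile block for that virtual host and is not mentioned in the commit message. Without it, nginx no longer rejects requests for paths such as `/.git/` or `/.env`, so protection of hidden files depends entirely on what sits behind this server block. If the goal was to let one dot-path through, keep the deny and exempt only that path, e.g. `location ~ /\.(?!well-known) { deny all; }`; otherwise restore the three lines. The enclosing server block starts outside the hunk, so which hostname is affected cannot be confirmed from here.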