Security hardening: Move creds to .env, enable stream logs, rate limits

.gitignore

@@ -15,3 +15,6 @@ archive/
 
 # OS specific
 .DS_Store
+
+# Secrets
+.env

docker-compose.yml

@@ -7,14 +7,14 @@ services:
     container_name: home-service-proxy
     restart: unless-stopped
     ports:
-      - "8097:80"   # 외부 접속용 포트 (8096과 구분)
-      - "8443:443"  # HTTPS
+      - "8097:80" # 외부 접속용 포트 (8096과 구분)
+      - "8443:443" # HTTPS
     volumes:
       - ./nginx-ssl.conf:/etc/nginx/nginx.conf:ro
       - ./security.conf:/etc/nginx/conf.d/security.conf:ro
       - ./fail2ban-log:/var/log/nginx
-      - ./ssl-certs:/etc/nginx/ssl:ro  # SSL 인증서 (선택)
-      - ./archive:/etc/nginx/ssl/archive:ro  # 시놀로지 와일드카드 인증서
+      - ./ssl-certs:/etc/nginx/ssl:ro # SSL 인증서 (선택)
+      - ./archive:/etc/nginx/ssl/archive:ro # 시놀로지 와일드카드 인증서
     networks:
       - home-service-proxy-net
 
@@ -37,14 +37,14 @@ services:
 
   # OmniFocus 전용 WebDAV 서버
   webdav:
-    image: hacdias/webdav:latest  # ARM64 지원
+    image: hacdias/webdav:latest # ARM64 지원
     container_name: omnifocus-webdav
     restart: unless-stopped
     ports:
-      - "8090:80"  # 내부 WebDAV 포트
+      - "8090:80" # 내부 WebDAV 포트
     environment:
-      - WEBDAV_USERNAME=omnifocus
-      - WEBDAV_PASSWORD=7mK9pL3xR8nQ2wE
+      - WEBDAV_USERNAME=${WEBDAV_USERNAME}
+      - WEBDAV_PASSWORD=${WEBDAV_PASSWORD}
       - TZ=Asia/Seoul
     volumes:
       - ./omnifocus-data:/srv
@@ -54,7 +54,3 @@ services:
 networks:
   home-service-proxy-net:
     driver: bridge
-
-
-
-

fail2ban.conf

@@ -40,3 +40,4 @@ logpath = /var/log/nginx/access.log
 maxretry = 3
 bantime = 1800        # 30분 차단
 
+

nginx-ssl.conf

@@ -10,6 +10,11 @@ events {
 }
 
 stream {
+    log_format basic '$remote_addr [$time_local] '
+                     '$protocol $status $bytes_sent $bytes_received '
+                     '$session_time';
+    access_log /var/log/nginx/stream.log basic;
+
     upstream mac_screen_sharing {
         server 192.168.1.122:5900;
     }
@@ -263,7 +268,7 @@ http {
         ssl_session_timeout 10m;
 
         # 보안 제한 (WebDAV용 - 파일 업로드 고려)
-        # limit_req zone=webdav burst=200 nodelay;
+        limit_req zone=webdav burst=200 nodelay;
         limit_conn perip 50;
         limit_conn perserver 200;