From 82701155bb5406c8c92299c11a60fa4d51f8e703 Mon Sep 17 00:00:00 2001
From: hyungi
Date: Sat, 3 Jan 2026 19:38:17 +0900
Subject: [PATCH] Security hardening: Move creds to .env, enable stream logs, rate limits
---
 .gitignore | 3 +++
 docker-compose.yml | 20 ++++++++------------
 fail2ban.conf | 1 +
 nginx-ssl.conf | 7 ++++++-
 4 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/.gitignore b/.gitignore
index 2f159dd..1d61aa3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,6 @@ archive/
 # OS specific
 .DS_Store
+
+# Secrets
+.env
diff --git a/docker-compose.yml b/docker-compose.yml
index 1c55947..5adc2ae 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,14 +7,14 @@ services:
 container_name: home-service-proxy
 restart: unless-stopped
 ports:
- - "8097:80" # 외부 접속용 포트 (8096과 구분)
- - "8443:443" # HTTPS
+ - "8097:80" # 외부 접속용 포트 (8096과 구분)
+ - "8443:443" # HTTPS
 volumes:
 - ./nginx-ssl.conf:/etc/nginx/nginx.conf:ro
 - ./security.conf:/etc/nginx/conf.d/security.conf:ro
 - ./fail2ban-log:/var/log/nginx
- - ./ssl-certs:/etc/nginx/ssl:ro # SSL 인증서 (선택)
- - ./archive:/etc/nginx/ssl/archive:ro # 시놀로지 와일드카드 인증서
+ - ./ssl-certs:/etc/nginx/ssl:ro # SSL 인증서 (선택)
+ - ./archive:/etc/nginx/ssl/archive:ro # 시놀로지 와일드카드 인증서
 networks:
 - home-service-proxy-net
@@ -37,14 +37,14 @@ services:
 # OmniFocus 전용 WebDAV 서버
 webdav:
- image: hacdias/webdav:latest # ARM64 지원
+ image: hacdias/webdav:latest # ARM64 지원
 container_name: omnifocus-webdav
 restart: unless-stopped
 ports:
- - "8090:80" # 내부 WebDAV 포트
+ - "8090:80" # 내부 WebDAV 포트
 environment:
- - WEBDAV_USERNAME=omnifocus
- - WEBDAV_PASSWORD=7mK9pL3xR8nQ2wE
+ - WEBDAV_USERNAME=${WEBDAV_USERNAME}
+ - WEBDAV_PASSWORD=${WEBDAV_PASSWORD}
 - TZ=Asia/Seoul
 volumes:
 - ./omnifocus-data:/srv
@@ -54,7 +54,3 @@ services:
 networks:
 home-service-proxy-net:
 driver: bridge
-
-
-
-
diff --git a/fail2ban.conf b/fail2ban.conf
index 1869230..0e02a43 100644
--- a/fail2ban.conf
+++ b/fail2ban.conf
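Review bot: Moving the WebDAV password out of docker-compose.yml does not retire it — the literal value on the removed `WEBDAV_PASSWORD` line stays in git history, so the credential should be rotated on the webdav service after this commit rather than reused in `.env`. Under Compose an unset `${WEBDAV_PASSWORD}` expands to an empty string with only a warning, so a missing `.env` would start the container with an empty password; `- WEBDAV_PASSWORD=${WEBDAV_PASSWORD:?WEBDAV_PASSWORD must be set in .env}` (and the same form for `WEBDAV_USERNAME`) makes startup fail instead. Since the .gitignore hunk now excludes `.env`, a committed `.env.example` with placeholder values would document which variables are required. The direct `"8090:80"` publish on the webdav service appears to bypass the proxy where the new rate limits live; if the proxy is meant to be the only entry point, binding that port to loopback or dropping it in favour of the proxy network is worth confirming.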
@@ -40,3 +40,4 @@ logpath = /var/log/nginx/access.log
 maxretry = 3
 bantime = 1800 # 30분 차단
+
diff --git a/nginx-ssl.conf b/nginx-ssl.conf
index b1ea9dc..ca3e6d1 100644
--- a/nginx-ssl.conf
+++ b/nginx-ssl.conf
@@ -10,6 +10,11 @@ events {
 }
 stream {
+ log_format basic '$remote_addr [$time_local] '
+ '$protocol $status $bytes_sent $bytes_received '
+ '$session_time';
+ access_log /var/log/nginx/stream.log basic;
+
 upstream mac_screen_sharing {
 server 192.168.1.122:5900;
 }
@@ -263,7 +268,7 @@ http {
 ssl_session_timeout 10m;
 # 보안 제한 (WebDAV용 - 파일 업로드 고려)
- # limit_req zone=webdav burst=200 nodelay;
+ limit_req zone=webdav burst=200 nodelay;
 limit_conn perip 50;
 limit_conn perserver 200;
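Review bot: The new `/var/log/nginx/stream.log` is written but nothing in this commit reads it — the only fail2ban jail visible in the diff still has `logpath = /var/log/nginx/access.log`, so abusive connections to the stream upstreams (the screen-sharing proxy, for one) will not produce bans unless a second jail and filter matching the `basic` format are added. The format records `$status` and `$session_time` but not which upstream the session was routed to; adding `'$upstream_addr '` to the `log_format` line would make the log usable for per-service triage. The file lands in the bind-mounted `./fail2ban-log` directory (per docker-compose.yml), so it persists on the host and needs rotation configured somewhere. The `stream` block continues outside the hunk.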
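Review bot: Enabling `limit_req zone=webdav burst=200 nodelay;` depends on a `limit_req_zone ... zone=webdav` definition in the `http` block that is outside this hunk; confirm it exists (nginx rejects the configuration at startup if the zone is undefined) and that its rate is sized for WebDAV clients, which issue many PROPFIND requests per sync. The default rejection status for `limit_req` is 503, which clients and the fail2ban filter cannot tell apart from a backend outage; `limit_req_status 429;` next to it (optionally with `limit_req_log_level warn;`) makes throttling explicit in both responses and logs. The enclosing `server` block starts and ends outside the hunk.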