Security hardening: Move creds to .env, enable stream logs, rate limits

.gitignore

@@ -15,3 +15,6 @@ archive/
 
 # OS specific
 .DS_Store
+
+# Secrets
+.env

docker-compose.yml

@@ -43,8 +43,8 @@ services:
     ports:
       - "8090:80" # 내부 WebDAV 포트
     environment:
-      - WEBDAV_USERNAME=omnifocus
-      - WEBDAV_PASSWORD=7mK9pL3xR8nQ2wE
+      - WEBDAV_USERNAME=${WEBDAV_USERNAME}
+      - WEBDAV_PASSWORD=${WEBDAV_PASSWORD}
       - TZ=Asia/Seoul
     volumes:
       - ./omnifocus-data:/srv
@@ -54,7 +54,3 @@ services:
 networks:
   home-service-proxy-net:
     driver: bridge
-
-
-
-

fail2ban.conf

@@ -40,3 +40,4 @@ logpath = /var/log/nginx/access.log
 maxretry = 3
 bantime = 1800        # 30분 차단
 
+

nginx-ssl.conf

@@ -10,6 +10,11 @@ events {
 }
 
 stream {
+    log_format basic '$remote_addr [$time_local] '
+                     '$protocol $status $bytes_sent $bytes_received '
+                     '$session_time';
+    access_log /var/log/nginx/stream.log basic;
+
     upstream mac_screen_sharing {
         server 192.168.1.122:5900;
     }
@@ -263,7 +268,7 @@ http {
         ssl_session_timeout 10m;
 
         # 보안 제한 (WebDAV용 - 파일 업로드 고려)
-        # limit_req zone=webdav burst=200 nodelay;
+        limit_req zone=webdav burst=200 nodelay;
         limit_conn perip 50;
         limit_conn perserver 200;