feat: add VNC stream proxy & automate certbot renewal

2026-01-03 19:10:52 +09:00
parent 07ba73e329
commit dc5db0d15a
4 changed files with 178 additions and 13 deletions
--- a/nginx-ssl.conf
+++ b/nginx-ssl.conf
@@ -9,6 +9,19 @@ events {
    multi_accept on;
 }

+stream {
+    upstream mac_screen_sharing {
+        server 192.168.1.122:5900;
+    }
+
+    server {
+        listen 5901;
+        proxy_pass mac_screen_sharing;
+        proxy_connect_timeout 60s;
+        proxy_timeout 300s;
+    }
+}
+
 http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
@@ -80,13 +93,38 @@ http {
        keepalive 16;
    }

+    upstream dsm_backend {
+        server 192.168.1.227:5000;
+        keepalive 16;
+    }
+
+    upstream document_backend {
+        server 192.168.1.122:8181;
+        keepalive 16;
+    }
+
+    upstream gitea_backend {
+        server 192.168.1.227:10300;
+        keepalive 16;
+    }
+
+    upstream vault_backend {
+        server 192.168.1.227:8443;
+        keepalive 16;
+    }
+
+    upstream news_backend {
+        server 192.168.1.227:8080;
+        keepalive 16;
+    }
+



    # HTTP → HTTPS 리다이렉트
    server {
        listen 80;
-        server_name jellyfin.hyungi.net komga.hyungi.net webdav.hyungi.net;
+        server_name jellyfin.hyungi.net komga.hyungi.net webdav.hyungi.net ds1525.hyungi.net document.hyungi.net git.hyungi.net vault.hyungi.net news.hyungi.net;
        
        # Let's Encrypt 인증 경로
        location /.well-known/acme-challenge/ {
@@ -278,4 +316,107 @@ http {
        }
    }

+    # HTTPS 서버 - DSM (Synology)
+    server {
+        listen 443 ssl;
+        http2 on;
+        server_name ds1525.hyungi.net;
+
+        ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
+        
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
+        ssl_prefer_server_ciphers off;
+        
+        client_max_body_size 0;
+
+        location / {
+            proxy_pass http://dsm_backend;
+            include /etc/nginx/conf.d/security.conf;
+        }
+    }
+
+    # HTTPS 서버 - DevonThink (Document)
+    server {
+        listen 443 ssl;
+        http2 on;
+        server_name document.hyungi.net;
+
+        ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
+        
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
+        ssl_prefer_server_ciphers off;
+
+        location / {
+            proxy_pass http://document_backend;
+            include /etc/nginx/conf.d/security.conf;
+        }
+    }
+
+    # HTTPS 서버 - Gitea
+    server {
+        listen 443 ssl;
+        http2 on;
+        server_name git.hyungi.net;
+
+        ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
+        
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
+        ssl_prefer_server_ciphers off;
+        
+        client_max_body_size 512M;
+
+        location / {
+            proxy_pass http://gitea_backend;
+            include /etc/nginx/conf.d/security.conf;
+        }
+    }
+
+    # HTTPS 서버 - Vaultwarden
+    server {
+        listen 443 ssl;
+        http2 on;
+        server_name vault.hyungi.net;
+
+        ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
+        
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
+        ssl_prefer_server_ciphers off;
+
+        location / {
+            proxy_pass http://vault_backend;
+            include /etc/nginx/conf.d/security.conf;
+            
+            # WebSocket support for Vaultwarden notifications
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+        }
+    }
+
+    # HTTPS 서버 - News (RSS)
+    server {
+        listen 443 ssl;
+        http2 on;
+        server_name news.hyungi.net;
+
+        ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
+        
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
+        ssl_prefer_server_ciphers off;
+
+        location / {
+            proxy_pass http://news_backend;
+            include /etc/nginx/conf.d/security.conf;
+        }
+    }
+
 }