tk-factory-services/system2-report/web/nginx.conf

server {
    listen 80;
    server_name _;
    resolver 127.0.0.11 valid=10s ipv6=off;

    root /usr/share/nginx/html;
    index pages/safety/issue-report.html;

    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # 사진 업로드를 위한 body 크기 제한 (base64 인코딩 시 원본 대비 ~33% 증가)
    client_max_body_size 50m;

    # 민감 파일 차단 — exact match (^~ 우회 불가)
    location = /Dockerfile { return 404; }
    location = /docker-compose.yml { return 404; }
    location = /nginx.conf { return 404; }
    location = /.env { return 404; }
    location = /.gitignore { return 404; }

    # .git 디렉토리 전체 차단
    location ^~ /.git/ { return 404; }
    location = /.git { return 404; }

    # 민감 파일 차단 — regex (하위 경로 + 변형 대비)
    location ~* (Dockerfile|docker-compose|\.env|nginx\.conf) {
        return 404;
    }

    # 정적 파일 캐시
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        expires 1h;
        add_header Cache-Control "public, no-transform";
    }

    # HTML은 캐시하지 않음
    location ~* \.html$ {
        expires -1;
        add_header Cache-Control "no-store, no-cache, must-revalidate";
    }

    # System 1 API 프록시 (공장/작업장, TBM, 출입관리, 프로젝트)
    location /api/workplaces/ {
        set $upstream http://system1-api:3005;
        proxy_pass $upstream$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /api/projects/ {
        set $upstream http://system1-api:3005;
        proxy_pass $upstream$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /api/tbm/ {
        set $upstream http://system1-api:3005;
        proxy_pass $upstream$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /api/workplace-visits/ {
        set $upstream http://system1-api:3005;
        proxy_pass $upstream$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # AI Service 프록시 (맥미니 home-service-proxy 경유)
    location /ai-api/ {
        set $ai_upstream https://ai.hyungi.net;
        rewrite ^/ai-api/(.*) /api/ai/$1 break;
        proxy_pass $ai_upstream;
        proxy_http_version 1.1;
        proxy_set_header Host ai.hyungi.net;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_ssl_server_name on;
        proxy_read_timeout 180s;
        proxy_send_timeout 180s;
    }

    # System 2 API 프록시 (신고 관련)
    location /api/ {
        set $upstream http://system2-api:3005;
        proxy_pass $upstream$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # System 2 uploads (신고 사진 등)
    location ^~ /uploads/issues/ {
        set $upstream http://system2-api:3005;
        proxy_pass $upstream$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # System 1 uploads 프록시 (작업장 레이아웃 이미지 등)
    location ^~ /uploads/ {
        set $upstream http://system1-api:3005;
        proxy_pass $upstream$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        try_files $uri $uri/ /pages/safety/issue-report.html;
    }
}