hyungi/tk-factory-services
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9b586da72012d1e7ebbe944102f41779830810dd
tk-factory-services/system2-report/web/nginx.conf
Hyungi Ahn 12367dd3a1 fix(security): 전체 서비스 보안 점검 — XSS·인가·토큰·헤더·에러마스킹 일괄 수정 
Phase 1 CRITICAL XSS:
- marked.parse() → DOMPurify.sanitize() (system3 ai-assistant, issues-management)
- toast innerHTML에 escapeHtml 적용 (system1 api-base, system3 common-header)
- onclick 핸들러 → data 속성 + addEventListener (system2 issue-detail)

Phase 2 HIGH 인가:
- getUserBalance 본인확인 추가 (tksupport vacationController)

Phase 3 HIGH 토큰+CSP:
- localStorage 토큰 저장 제거 — 쿠키 전용 (7개 서비스)
- unsafe-eval CSP 제거 (system1 security.js)

Phase 4 MEDIUM:
- nginx 보안 헤더 추가 (8개 서비스)
- 500 에러 메시지 마스킹 (5개 API)
- path traversal 방지 (system3 file_service.py)
- cookie fallback 데드코드 제거 (4개 auth.js)
- /login/form rate limiting 추가 (sso-auth)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 19:50:00 +09:00

107 lines
3.7 KiB
Nginx Configuration File
Raw Blame History

server {
listen 80;
server_name _;
root /usr/share/nginx/html;
index pages/safety/issue-report.html;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# 사진 업로드를 위한 body 크기 제한 (base64 인코딩 시 원본 대비 ~33% 증가)
client_max_body_size 50m;
# 정적 파일 캐시
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 1h;
add_header Cache-Control "public, no-transform";
}
# HTML은 캐시하지 않음
location ~* \.html$ {
expires -1;
add_header Cache-Control "no-store, no-cache, must-revalidate";
}
# System 1 API 프록시 (공장/작업장, TBM, 출입관리, 프로젝트)
location /api/workplaces/ {
proxy_pass http://system1-api:3005;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /api/projects/ {
proxy_pass http://system1-api:3005;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /api/tbm/ {
proxy_pass http://system1-api:3005;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /api/workplace-visits/ {
proxy_pass http://system1-api:3005;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# AI Service 프록시 (맥미니 home-service-proxy 경유)
location /ai-api/ {
resolver 8.8.8.8 valid=300s ipv6=off;
set $ai_upstream https://ai.hyungi.net;
rewrite ^/ai-api/(.*) /api/ai/$1 break;
proxy_pass $ai_upstream;
proxy_http_version 1.1;
proxy_set_header Host ai.hyungi.net;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_ssl_server_name on;
proxy_read_timeout 180s;
proxy_send_timeout 180s;
}
# System 2 API 프록시 (신고 관련)
location /api/ {
proxy_pass http://system2-api:3005;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# System 2 uploads (신고 사진 등)
location ^~ /uploads/issues/ {
proxy_pass http://system2-api:3005/uploads/issues/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# System 1 uploads 프록시 (작업장 레이아웃 이미지 등)
location ^~ /uploads/ {
proxy_pass http://system1-api:3005/uploads/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
try_files $uri $uri/ /pages/safety/issue-report.html;
}
}
Reference in New Issue View Git Blame Copy Permalink