12367dd3a1
Phase 1 CRITICAL XSS: - marked.parse() → DOMPurify.sanitize() (system3 ai-assistant, issues-management) - toast innerHTML에 escapeHtml 적용 (system1 api-base, system3 common-header) - onclick 핸들러 → data 속성 + addEventListener (system2 issue-detail) Phase 2 HIGH 인가: - getUserBalance 본인확인 추가 (tksupport vacationController) Phase 3 HIGH 토큰+CSP: - localStorage 토큰 저장 제거 — 쿠키 전용 (7개 서비스) - unsafe-eval CSP 제거 (system1 security.js) Phase 4 MEDIUM: - nginx 보안 헤더 추가 (8개 서비스) - 500 에러 메시지 마스킹 (5개 API) - path traversal 방지 (system3 file_service.py) - cookie fallback 데드코드 제거 (4개 auth.js) - /login/form rate limiting 추가 (sso-auth) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
104 lines
3.2 KiB
Nginx Configuration File
104 lines
3.2 KiB
Nginx Configuration File
server {
|
|
listen 80;
|
|
server_name _;
|
|
|
|
client_max_body_size 50M;
|
|
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
|
|
root /usr/share/nginx/html;
|
|
index index.html;
|
|
|
|
# HTML 캐시 비활성화
|
|
location ~* \.html$ {
|
|
expires -1;
|
|
add_header Cache-Control "no-store, no-cache, must-revalidate";
|
|
}
|
|
|
|
# 정적 파일 캐시 (JS, CSS, 이미지 등)
|
|
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf)$ {
|
|
expires 1h;
|
|
add_header Cache-Control "public, no-transform";
|
|
}
|
|
|
|
# API 프록시 (System 1 API)
|
|
location /api/ {
|
|
proxy_pass http://system1-api:3005/api/;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
# 업로드 파일 프록시 (^~ 로 regex location보다 우선 매칭)
|
|
location ^~ /uploads/ {
|
|
proxy_pass http://system1-api:3005/uploads/;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
}
|
|
|
|
# FastAPI Bridge 프록시
|
|
location /fastapi/ {
|
|
proxy_pass http://system1-fastapi:8000/;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
# SSO Auth 프록시 (gateway에서 이관)
|
|
location /auth/ {
|
|
proxy_pass http://sso-auth:3000/api/auth/;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
# AI Service 프록시 (gateway에서 이관)
|
|
location /ai-api/ {
|
|
resolver 8.8.8.8 valid=300s ipv6=off;
|
|
set $ai_upstream https://ai.hyungi.net;
|
|
rewrite ^/ai-api/(.*) /api/ai/$1 break;
|
|
proxy_pass $ai_upstream;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host ai.hyungi.net;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_ssl_server_name on;
|
|
proxy_read_timeout 180s;
|
|
proxy_send_timeout 180s;
|
|
}
|
|
|
|
# 레거시 /login, /dashboard → gateway(tkds) 리다이렉트
|
|
location = /login {
|
|
return 302 $scheme://tkds.technicalkorea.net/dashboard$is_args$args;
|
|
}
|
|
location = /dashboard {
|
|
return 301 $scheme://tkds.technicalkorea.net/dashboard;
|
|
}
|
|
|
|
# Health check
|
|
location /health {
|
|
access_log off;
|
|
return 200 '{"status":"ok","service":"system1-web"}';
|
|
add_header Content-Type application/json;
|
|
}
|
|
|
|
# Static files (new Tailwind UI)
|
|
location /static/ {
|
|
expires 1h;
|
|
add_header Cache-Control "public, no-transform";
|
|
}
|
|
|
|
# SPA fallback
|
|
location / {
|
|
try_files $uri $uri/ /index.html;
|
|
}
|
|
}
|