fc

2026-04-20 16:47:50 +09:00
parent 44a853408e
commit 7ecb19e397
16 changed files with 11728 additions and 89 deletions
--- a/gateway/nginx.conf
+++ b/gateway/nginx.conf
@@ -3,7 +3,6 @@ map $time_iso8601 $time_custom {
    "~^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})" "$1-$2-$3 $4:$5:$6";
 }

-# Go slog 포맷과 맞춘 JSON 액세스 로그
 log_format json_combined escape=json
    '{'
    '"time":"$time_custom",'
@@ -29,18 +28,63 @@ server {
    }

    resolver 127.0.0.11 valid=10s ipv6=off;
-    set $backend_upstream http://baron_backend:3000;
-    set $userfront_upstream http://baron_userfront:5000;
-    set $oathkeeper_upstream http://ory_oathkeeper:4455;
+    set $backend_upstream http://backend:23000;
+    set $userfront_upstream http://userfront:5000;
+    set $oathkeeper_upstream http://oathkeeper:4455;

    error_log /dev/stderr warn;
    access_log /var/log/nginx/access.log json_combined;

-    # 안정성 튜닝
-    client_max_body_size 10m;
-    keepalive_timeout 65;
+    # --- CRITICAL: OIDC & OAuth2 (Must be at the TOP with ^~ to prevent falling through to /) ---
+    
+    # Discovery Document
+    location ^~ /.well-known/openid-configuration {
+        proxy_pass $oathkeeper_upstream;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # OAuth2 Auth/Token Endpoints (Standard)
+    location ^~ /oauth2/ {
+        proxy_pass $oathkeeper_upstream;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # OAuth2 Auth/Token Endpoints (Localized - /ko/oauth2)
+    location ^~ /ko/oauth2/ {
+        rewrite ^/ko/oauth2/(.*)$ /oauth2/$1 break;
+        proxy_pass $oathkeeper_upstream;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # OAuth2 Auth/Token Endpoints (Localized - /en/oauth2)
+    location ^~ /en/oauth2/ {
+        rewrite ^/en/oauth2/(.*)$ /oauth2/$1 break;
+        proxy_pass $oathkeeper_upstream;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # OIDC Endpoints (Localized - /ko/oidc, /en/oidc)
+    location ^~ /ko/oidc/ {
+        rewrite ^/ko/oidc/(.*)$ /oidc/$1 last;
+    }
+    location ^~ /en/oidc/ {
+        rewrite ^/en/oidc/(.*)$ /oidc/$1 last;
+    }
+
+    # --- Other Services ---

-    # --- Backend API Proxy ---
    location /api {
        proxy_pass $backend_upstream;
        proxy_set_header Host $host;
@@ -49,8 +93,6 @@ server {
        proxy_set_header X-Forwarded-Proto $scheme;
    }

-    # --- Ory Stack Proxy (via Oathkeeper) ---
-    # Kratos Public API
    location /auth {
        proxy_pass $oathkeeper_upstream;
        proxy_set_header Host $host;
@@ -59,7 +101,6 @@ server {
        proxy_set_header X-Forwarded-Proto $scheme;
    }

-    # Hydra Public API
    location /oidc {
        rewrite ^/oidc/(.*)$ /$1 break;
        proxy_pass $oathkeeper_upstream;
@@ -69,36 +110,7 @@ server {
        proxy_set_header X-Forwarded-Proto $scheme;
    }

-    # --- 내부 웹앱 프록시 (초기에는 Private Net 내부에서만 운영) ---
-    # AdminFront (Vite Dev Server or Nginx)
-    # location /admin {
-    #     proxy_pass http://baron_adminfront:5173;
-    #     proxy_set_header Host $host;
-    #     proxy_set_header X-Real-IP $remote_addr;
-    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    #     proxy_set_header X-Forwarded-Proto $scheme;
-    #
-    #     # WebSocket 지원 (Vite HMR)
-    #     proxy_http_version 1.1;
-    #     proxy_set_header Upgrade $http_upgrade;
-    #     proxy_set_header Connection "upgrade";
-    # }
-
-    # DevFront (Vite Dev Server or Nginx)
-    # location /dev {
-    #     proxy_pass http://baron_devfront:5173;
-    #     proxy_set_header Host $host;
-    #     proxy_set_header X-Real-IP $remote_addr;
-    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    #     proxy_set_header X-Forwarded-Proto $scheme;
-    #
-    #     # WebSocket 지원 (Vite HMR)
-    #     proxy_http_version 1.1;
-    #     proxy_set_header Upgrade $http_upgrade;
-    #     proxy_set_header Connection "upgrade";
-    # }
-
-    # --- UserFront 정적 파일 프록시 ---
+    # --- Default: UserFront ---
    location / {
        proxy_pass $userfront_upstream;
        proxy_set_header Host $host;