# 1. Install using docker

## 1.1. Directory structure

```dirtree
- /mnt/md0/infra
  - /nginx
    - /conf.d
      - default.conf
    - nginx.conf
  - .env
  - compose.yml
```

## 1.2. /.env

```
BASE_PATH=/mnt/md0/infra
```

## 1.3. Docker compose

```yml
name: infrastructure

services:
  nginx:
    image: nginx:1.26-alpine3.20
    container_name: nginx
    restart: always
    ports:
      - "80:80"
    volumes:
      - ${BASE_PATH}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ${BASE_PATH}/nginx/conf.d:/etc/nginx/conf.d:ro
    networks:
      - infra
    depends_on:
      - dns

networks:
  infra:
    driver: bridge
```

# 2. nginx configuration

## 2.1. /nginx/nginx.conf

기본 설정 파일을 그대로 사용함

## 2.2. /nginx/conf.d/default.conf

```nginx
server {
    listen 80;
    server_name localhost;

    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # 추후 다른 세팅을 쉽게 추가하기 위해 변경
    include /etc/nginx/conf.d/locations/*.conf;
}
```

## 2.3. subdomain

```nginx
server {
    listen 80;
    server_name gitea.home.server;

    location / {
        proxy_set_header Connection $http_connection;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://gitea:3000;
    }
}
```

## 2.4. reload

```shell
docker exec -it nginx nginx -s reload
```

# 3. SSL

## 3.1. Cert, Key file

```dirtree
- /mnt/md0/infra
  - /nginx
    - /conf.d
      - default.conf
    - nginx.conf
  - /ssl/cloudflare
    - cloudflare.cert.pem
    - cloudflare.key.pem
  - .env
  - compose.yml
```

## 3.2. Docker Compose

```yml
nginx:
  image: nginx:1.26-alpine3.20
  container_name: nginx
  restart: always
  ports:
    - "80:80"
  volumes:
    - ${BASE_PATH}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
    - ${BASE_PATH}/nginx/conf.d:/etc/nginx/conf.d:ro
    # NEW
    - ${BASE_PATH}/ssl/cloudflare:/etc/nginx/ssl:ro
  networks:
    - infra
  depends_on:
    - dns
```

## 3.3. /nginx/conf.d/default.conf

### 3.3.1. 같은 서버 블럭 사용

```nginx
server {
    listen 80;

    # 여기부터 변경 시작
    if ($scheme = "http") {
        return 301 https://$host$request_uri;
    }

    listen 443 ssl;
    http2 on;
    ssl_certificate /etc/nginx/ssl/cloudflare.cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cloudflare.key.pem;
    server_name tuska298.dev;
    # 변경 끝

    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # ...
}
```

### 3.3.2. 다른 서버 블럭 사용

```nginx
server {
    listen 80;

    # 여기부터 변경 시작
    server_name tuska298.dev;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name tuska298.dev;
    http2 on;
    ssl_certificate /etc/nginx/ssl/cloudflare.cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cloudflare.key.pem;
    # 변경 끝

    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # ...
}
```

# 4. 공통 설정 빼내기

## 4.1. 설정 파일 폴더

```dirtree
- /mnt/md0/infra
  - /nginx
    - /etc.d
      - ssl.conf
    - nginx.conf
  - .env
  - compose.yml
```

## 4.2. Docker Compose

```yml
nginx:
  image: nginx:1.26-alpine3.20
  container_name: nginx
  restart: always
  ports:
    - "80:80"
  volumes:
    - ${BASE_PATH}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
    - ${BASE_PATH}/nginx/conf.d:/etc/nginx/conf.d:ro
    - ${BASE_PATH}/ssl/cloudflare:/etc/nginx/ssl:ro
    # NEW
    - ${BASE_PATH}/nginx/etc.d:/etc/nginx/etc.d:ro
  networks:
    - infra
  depends_on:
    - dns
```

## 4.3. conf file

### 4.3.1. /etc.d/ssl.conf

```nginx
ssl_certificate /etc/nginx/ssl/cloudflare.cert.pem;
ssl_certificate_key /etc/nginx/ssl/cloudflare.key.pem;
```

### 4.3.2. /conf.d/default.conf

```nginx
server {
    listen 443 ssl;
    server_name tuska298.dev;
    http2 on;

    # Delete
    # ssl_certificate /etc/nginx/ssl/cloudflare.cert.pem;
    # ssl_certificate_key /etc/nginx/ssl/cloudflare.key.pem;

    # NEW
    include /etc/nginx/etc.d/ssl.conf;

    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # ...
}
```

# 5. robots.txt

## 5.1. 설정 파일 폴더

```dirtree
- /mnt/md0/infra
  - /nginx
    - /etc.d
      - robots.conf
    - nginx.conf
```

## 5.2. /etc.d/robots.conf

```nginx
location /robots.txt {
    return 200 "User-agent: *\n";
}
```

## 5.3. /conf.d/default.conf

```nginx
server {
    listen 443 ssl;
    server_name tuska298.dev;
    http2 on;

    include /etc/nginx/etc.d/ssl.conf;
    # NEW
    include /etc/nginx/etc.d/robots.conf;

    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # ...
```

# 6. 접근 제한

## 6.1. 설정 파일 폴더

```dirtree
- /mnt/md0/infra
  - /nginx
    - /etc.d
      - deny.lan.conf
    - nginx.conf
```

## 6.2. /etc.d/deny.lan.conf

```nginx
allow 172.18.0.0/24;
allow 192.168.200.0/24;
deny all;
```

`allow`/`deny`는 요청의 `$remote_addr`를 기준으로 판단하므로, 172.18.0.0/24(docker 네트워크 대역으로 보임)에 있는 다른 컨테이너를 거쳐 들어온 요청은 실제 출발지와 관계없이 모두 허용됨.

## 6.3. /conf.d/default.conf

```nginx
server {
    listen 443 ssl;
    server_name tuska298.dev;
    http2 on;

    # NEW
    include /etc/nginx/etc.d/deny.lan.conf;

    include /etc/nginx/etc.d/ssl.conf;
    include /etc/nginx/etc.d/robots.conf;

    error_page 404 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # ...
```