From d5d4555f4b29341c83e7d472816c6cc4224db079 Mon Sep 17 00:00:00 2001
From: Hexeong <123macanic@naver.com>
Date: Mon, 15 Jun 2026 16:14:58 +0900
Subject: [PATCH 1/2] =?UTF-8?q?refactor:=20=ED=81=AC=EB=A1=A4=EB=A7=81=20?= =?UTF-8?q?=EB=B4=87=EC=97=90=20=EB=8C=80=ED=95=9C=20=EC=9A=94=EC=B2=AD=20?= =?UTF-8?q?=EC=B0=A8=EB=8B=A8=20nginx=20=EB=A1=9C=EC=A7=81=20=EC=B6=94?= =?UTF-8?q?=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../app_stack/scripts/nginx_setup.sh.tftpl | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/modules/app_stack/scripts/nginx_setup.sh.tftpl b/modules/app_stack/scripts/nginx_setup.sh.tftpl
index 590561f..4808f40 100644
--- a/modules/app_stack/scripts/nginx_setup.sh.tftpl
+++ b/modules/app_stack/scripts/nginx_setup.sh.tftpl
@@ -49,6 +49,24 @@ map \$http_upgrade \$connection_upgrade {
 '' '';
 }
+# 1차 차단: 도메인과 일치하지 않는 요청 차단 (IP 직접 접근, 알 수 없는 Host 헤더)
+# 응답 없이 연결을 즉시 종료하여 봇이 서버 존재를 인식하지 못하게 함
+server {
+ listen 80 default_server;
+ server_name _;
+ return 444;
+}
+
+server {
+ listen 443 ssl default_server;
+ server_name _;
+
+ ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
+
+ return 444;
+}
+
 server {
 listen 80;
 server_name $DOMAIN;
@@ -74,6 +92,11 @@ server {
 ssl_stapling on;
 ssl_stapling_verify on;
+ # 2차 차단: 취약점 탐색용 정적 파일 확장자 요청 차단
+ location ~* \.(php|asp|aspx|jsp|cgi|env|git|sql|bak|backup|config|ini|log|sh|xml|txt|html|htm)$ {
+ return 444;
+ }
+
 location / {
 proxy_pass http://app_backend;
 proxy_http_version 1.1;
From 0c7dc5013aa34dee0118f88a99f9847b5e399a6e Mon Sep 17 00:00:00 2001
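Review bot: The `listen 443 ssl default_server` block still completes the TLS handshake with the real $DOMAIN certificate before `return 444;` ever runs, so a scanner that connects by IP or with an unknown SNI learns the hostname from the certificate's subject/SAN, which is the disclosure the comment above the block says it wants to avoid. On nginx 1.19.4 or later the catch-all can refuse the handshake without presenting any certificate: replace the two `ssl_certificate*` lines with `ssl_reject_handshake on;` (the installed nginx version is not visible here, so confirm it first). That also removes the catch-all's dependency on the Let's Encrypt files existing on disk, which matters if this config is written before the certificate has been issued, since nginx will not start with a missing `ssl_certificate`. The port-80 catch-all is fine as written; `return 444` closes the connection before any response bytes are sent.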
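Review bot: The new `location ~*` deny-list in the second hunk is a pure suffix match and, because a regex location wins over the `location /` prefix below it, it also cuts off legitimate paths that end in `.txt`, `.xml` or `.html`, most obviously `/robots.txt` and `/sitemap.xml` if the app serves them (not visible from this hunk, so treat as something to check). Exact-match locations take precedence over regex ones, so an exception such as `location = /robots.txt { proxy_pass http://app_backend; }` placed before the deny-list keeps those reachable; note that `proxy_set_header` directives declared inside `location /` are not inherited by a sibling location, so either lift the shared `proxy_*` settings to server level or repeat them in the exception. The `location /` block continues past the end of the hunk.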
From: Hexeong <123macanic@naver.com>
Date: Mon, 15 Jun 2026 16:52:33 +0900
Subject: [PATCH 2/2] =?UTF-8?q?refactor:=20(=EB=A6=AC=EB=B7=B0=20=EB=B0=98?= =?UTF-8?q?=EC=98=81)=EC=A0=95=EC=A0=81=20=ED=8C=8C=EC=9D=BC=20=EC=9A=94?= =?UTF-8?q?=EC=B2=AD=EC=97=90=20=EB=8C=80=ED=95=9C=20=EC=8A=A4=EC=BA=90?= =?UTF-8?q?=EB=84=88=20=EC=9A=B0=ED=9A=8C=20=EA=B3=BC=EC=A0=95=20=EB=B0=A9?= =?UTF-8?q?=EC=A7=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 modules/app_stack/scripts/nginx_setup.sh.tftpl | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/modules/app_stack/scripts/nginx_setup.sh.tftpl b/modules/app_stack/scripts/nginx_setup.sh.tftpl
index 4808f40..f9e1211 100644
--- a/modules/app_stack/scripts/nginx_setup.sh.tftpl
+++ b/modules/app_stack/scripts/nginx_setup.sh.tftpl
@@ -93,7 +93,13 @@ server {
 ssl_stapling_verify on;
 # 2차 차단: 취약점 탐색용 정적 파일 확장자 요청 차단
- location ~* \.(php|asp|aspx|jsp|cgi|env|git|sql|bak|backup|config|ini|log|sh|xml|txt|html|htm)$ {
+ # ($|[/?]) 로 확장자 뒤에 /path 또는 ?query 가 붙는 우회 패턴도 차단
+ location ~* \.(php|asp|aspx|jsp|cgi|sql|bak|backup|config|ini|log|sh|xml|txt|html|htm)($|[/?]) {
+ return 444;
+ }
+
+ # .env, .env.production, .git 등 dotfile 변형 차단
+ location ~* (^|/)\.(env|git) {
 return 444;
 }
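Review bot: The `?` alternative in `($|[/?])` can never match, because nginx evaluates `location` regexes against the normalized URI, which does not include the query string, so `/x.php?y=1` was already caught by the old `$` anchor and the new comment overstates what this change adds; the `/` alternative (`/x.php/anything`) is the real fix. Consider writing it as `(/|$)` with a comment that only claims the path-suffix case, so the next reader does not assume query strings take part in location matching. Separately, `(^|/)\.(env|git)` has no right-hand anchor, so it also blocks `.gitignore`, `.github/...` and `.envrc`, which is probably what you want but is worth stating in the comment, which currently only lists `.env.production`; the `^` alternative is redundant in practice because the normalized URI begins with `/`. The enclosing `server {` block starts before the hunk.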