DDNS 서비스를 변경하면서 내부망도 이것저것 도메인으로 묶고 이런저런 걸 하고자
NPM 리버스 프록시를 설정하고
로그 확인용 GoAccess 설치 및 crowdsec으로 침입 탐지 및 방화벽 Bouncer 설치.
이 모든 것은 제미나이와 함께 작업.
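# Compose stack: Nginx Proxy Manager (reverse proxy), GoAccess (log dashboard),
# CrowdSec (detection engine) and the CrowdSec firewall bouncer (enforcement).
#
# Every image below uses the floating `latest` tag, so a new upstream push
# changes what runs on the next pull. Pin each image to a release tag or digest
# once the stack works, and update deliberately.
services:
  # 1. Nginx Proxy Manager
  npm:
    image: jc21/nginx-proxy-manager:latest
    container_name: npm
    restart: unless-stopped
    ports:
      # Port mappings are quoted so no YAML parser can read them as numbers.
      # Host 20080/20443 carry the proxied HTTP/HTTPS traffic.
      - "20080:80"
      - "20443:443"
      # 81 is the NPM admin UI. Keep it reachable from the LAN only: do not
      # forward it on the router, and change the default admin credentials.
      - "81:81"
    volumes:
      - /{TrueNASDisk}/npm/data:/data
      - /{TrueNASDisk}/npm/letsencrypt:/etc/letsencrypt
    networks:
      - crowdsec_network
    environment:
      - TZ=Asia/Seoul
      - DISABLE_IPV6=true

  # 2. GoAccess (log visualization)
  goaccess:
    image: xavierh/goaccess-for-nginxproxymanager:latest
    container_name: npm-goaccess
    restart: unless-stopped
    ports:
      # The dashboard shows client IPs and requested URLs from the proxy logs.
      # Keep it LAN-only or put authentication in front of it.
      - "7880:7880"
    networks:
      - crowdsec_network
    environment:
      - TZ=Asia/Seoul
      - SKIP_ARCHIVED_LOGS=False
    volumes:
      # NPM log directory (read-only)
      - /{TrueNASDisk}/npm/data/logs:/opt/log:ro

  # 3. CrowdSec (intrusion detection)
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: npm-crowdsec
    restart: unless-stopped
    ports:
      # CrowdSec Local API. It is published because the bouncer runs on the host
      # network and cannot use the bridge network's service name.
      # NOTE(review): this binds on every host interface. If api_url in the
      # bouncer config points at 127.0.0.1, "127.0.0.1:8080:8080" would be
      # enough; confirm against crowdsec-firewall-bouncer.yaml (not shown here).
      - "8080:8080"
    networks:
      - crowdsec_network
    environment:
      - GID=1000
      - COLLECTIONS=crowdsecurity/nginx-proxy-manager
      - TZ=Asia/Seoul
    volumes:
      - /{TrueNASDisk}/crowdsec/conf:/etc/crowdsec
      - /{TrueNASDisk}/crowdsec/data:/var/lib/crowdsec/data
      # NPM logs, read-only. CrowdSec only parses them if an acquisition entry
      # under /etc/crowdsec points at /var/log/npm; that file is not shown here.
      - /{TrueNASDisk}/npm/data/logs:/var/log/npm:ro

  # 4. Firewall Bouncer (firewall control)
  crowdsec-firewall-bouncer:
    image: crowdsecurity/crowdsec-firewall-bouncer-iptables:latest
    container_name: npm-firewall-bouncer
    restart: unless-stopped
    # Host networking puts the bouncer's rules in the host's netfilter tables.
    network_mode: host
    # privileged grants every capability plus access to host devices, which is
    # more than rule management normally needs.
    # NOTE(review): try `cap_add: [NET_ADMIN, NET_RAW]` in place of privileged
    # and keep it if the bouncer still starts and inserts rules (untested here).
    privileged: true
    environment:
      - TZ=Asia/Seoul
    volumes:
      # This file holds the bouncer's LAPI api_key, so keep its mode restrictive
      # on the host. Mounting it :ro is likely possible; confirm that the image
      # does not rewrite the file at start-up.
      # NOTE(review): traffic to the published container ports above is
      # forwarded rather than delivered to the host's INPUT chain. Check that
      # iptables_chains in this file also covers DOCKER-USER (or FORWARD), or
      # bans will not apply to the proxy.
      - /{TrueNASDisk}/crowdsec/bouncer/crowdsec-firewall-bouncer.yaml:/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
      # Read-only view of the host's /var/log.
      # NOTE(review): nothing in this file shows why the bouncer needs it; drop
      # the mount if it is unused.
      - /var/log:/var/log:ro
    depends_on:
      - crowdsec

networks:
  crowdsec_network:
    driver: bridge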