From 66126cbc1e99e392fb7a1a81fca9f2c0518ef4a9 Mon Sep 17 00:00:00 2001 From: kappa Date: Sun, 15 Mar 2026 12:37:13 +0900 Subject: [PATCH] =?UTF-8?q?apisix:=20=EC=84=9C=EC=9A=B8=20=EA=B2=8C?= =?UTF-8?q?=EC=9D=B4=ED=8A=B8=EC=9B=A8=EC=9D=B4=20global=5Frules,=20?= =?UTF-8?q?=EB=9D=BC=EC=9A=B0=ED=8A=B8=EB=B3=84=20limit-req=20=EC=84=A4?= =?UTF-8?q?=EC=A0=95=20=EA=B8=B0=EB=A1=9D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- infra/apisix.md | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/infra/apisix.md b/infra/apisix.md index d0dfaa3..99a30b1 100644 --- a/infra/apisix.md +++ b/infra/apisix.md @@ -21,10 +21,23 @@ BunnyCDN(inouter, ID 5316471) → apisix-osaka(172.233.93.180) → 백엔드 ``` - 용도: KR존 리버스 프록시 - upstream: K3s Traefik (192.168.9.134/214/135:443), LAN 서비스(192.168.9.x) -- 라우트: nocodb.inouter.com, hcv.inouter.com, gitea.anvil.it.com - SSL: cert-manager wildcard `*.inouter.com` 인증서 -- SafeLine WAF 연동 (chaitin-waf 플러그인) - Admin API: `curl http://10.179.99.126:9180/apisix/admin` (incus proxy device, 192.168.9.0/24에서 접근 가능) +- etcd: apisix-etcd (10.179.99.101) + +#### global_rules +- `real-ip` — source: http_x_real_ip, trusted: 0.0.0.0/0 +- `chaitin-waf` — mode: block, SafeLine detector: 10.165.246.10:8000 (OVN 네트워크, plugin_metadata) +- `http-logger` → CrowdSec (10.253.100.240:8085, 인증: apisix-crowdsec-log-2024) + +#### 라우트 및 limit-req + +| 라우트 ID | 호스트 | upstream | limit-req (rate/burst) | +|-----------|--------|----------|----------------------| +| gitea-anvil-it-com | gitea.anvil.it.com | 192.168.9.100:8418 | 50/30 | +| hcv-inouter-com | hcv.inouter.com | K3s Traefik :443 (roundrobin) | 20/10 | +| nocodb | nocodb.inouter.com | K3s Traefik :443 (roundrobin) | 100/50 | +| nocodb-nuxt | nocodb.inouter.com | K3s Traefik :443 (roundrobin) | 100/50 | ### BunnyCDN Pull Zone 매핑 
@@ -65,10 +78,10 @@ BunnyCDN WAF가 NocoDB JS를 오탐 차단하여 CDN 우회 처리 (2026-03-15). ## CrowdSec 로그 연동 -APISIX(osaka) CrowdSec 로그 연동 현황 (2026-03-01) +오사카/서울 양쪽 APISIX → CrowdSec (10.253.100.240:8085) http-logger global_rules로 전송. 인증: Authorization: apisix-crowdsec-log-2024 커스텀 파서: custom/apisix-json-logs (403 응답만 필터) -osaka APISIX에서 40K줄 수신, 403만 파싱 (커스텀 파서), 시나리오 매칭 +시나리오 매칭으로 반복 공격자 탐지.
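Review bot: (on the first hunk, `@@ -21,10 +21,23 @@` in infra/apisix.md) the new global_rules entry `real-ip` with `source: http_x_real_ip, trusted: 0.0.0.0/0` trusts every peer, so any client that reaches the gateway without passing through BunnyCDN can put an arbitrary address in X-Real-IP, and that spoofed value becomes the client address that limit-req keys on (its key defaults to `remote_addr`), that chaitin-waf evaluates, and that http-logger ships to CrowdSec; one attacker can therefore sidestep the per-route rate/burst limits in the table and seed CrowdSec with fake source IPs. Suggest recording the trusted range as the CDN edge addresses (or the single upstream proxy hop) instead of 0.0.0.0/0. The added line `http-logger → CrowdSec (10.253.100.240:8085, 인증: apisix-crowdsec-log-2024)` also writes the logger's Authorization token into the repo in cleartext; point at where the secret lives rather than the value. Minor: the rows `nocodb` and `nocodb-nuxt` share host, upstream and limit-req, so the table should show the URI or priority that separates the two routes.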
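Review bot: (on the second hunk, `@@ -65,10 +78,10 @@`) the replacement line `시나리오 매칭으로 반복 공격자 탐지.` ("repeat attackers detected by scenario matching") claims more than the pipeline delivers: the unchanged context line says the custom parser `custom/apisix-json-logs` keeps only 403 responses, while limit-req answers with 503 unless `rejected_code` is set on the route, so every rate-limited request from a client exceeding the 50/20/100 req/s limits in the first hunk is discarded before any scenario runs. Either widen the parser filter to 503 (or set `rejected_code: 403` on the four routes) or state the limitation here. Dropping `osaka APISIX에서 40K줄 수신, 403만 파싱 (커스텀 파서), 시나리오 매칭` also removed the only ingest figure; now that both gateways send, a dated line count per gateway would be worth keeping.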