Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ jobs:
PUBLISHED_CONTAINERS=$(sudo docker ps -q --filter publish=9000)
if [ -n "$PUBLISHED_CONTAINERS" ]; then sudo docker rm -f $PUBLISHED_CONTAINERS; fi
sudo docker pull ${{ secrets.DOCKER_REPO }}/eatssu-prod
sudo docker run -d --name eatssu-prod --restart unless-stopped -p 9000:9000 \
sudo docker run -d --name eatssu-prod --restart unless-stopped -p 9000:9000 -p 127.0.0.1:9001:9001 \
--log-driver=awslogs \
--log-opt awslogs-region=ap-northeast-2 \
--log-opt awslogs-group=prod-ec2-group \
Expand Down Expand Up @@ -118,7 +118,7 @@ jobs:
PUBLISHED_CONTAINERS=$(sudo docker ps -q --filter publish=9000)
if [ -n "$PUBLISHED_CONTAINERS" ]; then sudo docker rm -f $PUBLISHED_CONTAINERS; fi
sudo docker pull ${{ secrets.DOCKER_REPO }}/eatssu-dev
sudo docker run -d --name eatssu-dev --restart unless-stopped -p 9000:9000 \
sudo docker run -d --name eatssu-dev --restart unless-stopped -p 9000:9000 -p 127.0.0.1:9001:9001 \
--log-driver=awslogs \
--log-opt awslogs-region=ap-northeast-2 \
--log-opt awslogs-group=dev-ec2-group \
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ public class SecurityConfig {
private static final String[] AUTH_WHITELIST = {
"/", "/oauths/kakao", "/oauths/apple", "/menus/**", "/meals/**", "/admin/login", "/oauths/v2/kakao","/oauths/v2/apple",
"/reviews", "/reviews/menus/**", "/reviews/meals/**", "/v2/reviews/statistics/**",
"/v2/reviews/menus/**", "/v2/reviews/meals/**", "/actuator/**", "/error-test/**"
"/v2/reviews/menus/**", "/v2/reviews/meals/**", "/actuator/health", "/actuator/prometheus", "/error-test/**"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

[Reviewer, 2026-07-01] /actuator/prometheus 경로를 AUTH_WHITELIST에 추가하여 무인증으로 노출하면 시스템 메트릭 정보가 외부에 유출될 수 있으므로, 이를 화이트리스트에서 제외하고 별도의 인증(예: Basic Auth)이나 IP 필터링을 적용하여 보안을 강화해야 합니다.

Suggested change
"/v2/reviews/menus/**", "/v2/reviews/meals/**", "/actuator/health", "/actuator/prometheus", "/error-test/**"
"/v2/reviews/menus/**", "/v2/reviews/meals/**", "/actuator/health", "/error-test/**"

};

private static final String[] ADMIN_PAGE_LIST = {
Expand Down
8 changes: 8 additions & 0 deletions src/main/resources/application-dev.yml
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,10 @@ logging:
com.zaxxer.hikari: INFO

management:
server:
port: 9001
address: 0.0.0.0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

[Reviewer, 2026-07-01] 개발 환경(dev)에서 management.server.address를 0.0.0.0으로 설정할 경우, 외부망에 노출되지 않도록 보안 그룹 및 네트워크 접근 제어(NACL)를 통해 9001 포트를 보호해야 합니다.


endpoint:
metrics:
enabled: true
Expand All @@ -104,3 +108,7 @@ management:
web:
exposure:
include: health, info, metrics, prometheus

metrics:
tags:
application: eatssu-dev
8 changes: 8 additions & 0 deletions src/main/resources/application-prod.yml
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,10 @@ logging:


management:
server:
port: 9001
address: 0.0.0.0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

[Reviewer, 2026-07-01] 운영 환경(prod)에서 management.server.address를 0.0.0.0으로 설정하면 모든 네트워크 인터페이스에 바인딩되므로, 방화벽이나 보안 그룹을 통해 9001 포트로의 외부 접근을 엄격히 제한해야 합니다.


endpoint:
metrics:
enabled: true
Expand All @@ -111,3 +115,7 @@ management:
exposure:
include: health, info, metrics, prometheus

metrics:
tags:
application: eatssu-prod

Loading