fix(docker): 서비스 안정성 개선 및 nginx/env 설정 보강

conf/docker/.env.setup

@@ -162,6 +162,8 @@ MC_IAM_MANAGER_PUBLIC_HOST=https://${MC_IAM_MANAGER_PUBLIC_DOMAIN}
 MC_IAM_MANAGER_PUBLIC_KEYCLOAK_HOST=${MC_IAM_MANAGER_PUBLIC_HOST}/auth
 
 # === nginx HTTPS Reverse Proxy Ports (for iframe/external access — same as direct published ports) ===
+MC_OBSERVABILITY_FRONT_PROXY_PORT=18081
+MC_OBSERVABILITY_FRONT_PUBLIC_HOST=https://${MC_IAM_MANAGER_PUBLIC_DOMAIN}:${MC_OBSERVABILITY_FRONT_PROXY_PORT}
 MC_OBSERVABILITY_GRAFANA_PROXY_PORT=33002
 MC_OBSERVABILITY_GRAFANA_PUBLIC_HOST=https://${MC_IAM_MANAGER_PUBLIC_DOMAIN}:${MC_OBSERVABILITY_GRAFANA_PROXY_PORT}
 MC_COST_OPTIMIZER_FE_PROXY_PORT=7780

conf/docker/conf/mc-iam-manager/.env.setup

@@ -93,3 +93,5 @@ MC_DATA_MANAGER_PROXY_PORT=3300
 MC_DATA_MANAGER_PUBLIC_HOST=https://${MC_IAM_MANAGER_PUBLIC_DOMAIN}:${MC_DATA_MANAGER_PROXY_PORT}
 MC_APPLICATION_MANAGER_PROXY_PORT=18084
 MC_APPLICATION_MANAGER_PUBLIC_HOST=https://${MC_IAM_MANAGER_PUBLIC_DOMAIN}:${MC_APPLICATION_MANAGER_PROXY_PORT}
+MC_OBSERVABILITY_FRONT_PROXY_PORT=18081
+MC_OBSERVABILITY_FRONT_PUBLIC_HOST=https://${MC_IAM_MANAGER_PUBLIC_DOMAIN}:${MC_OBSERVABILITY_FRONT_PROXY_PORT}

conf/docker/conf/mc-iam-manager/0_preset_dev.sh

@@ -10,6 +10,7 @@ echo "PROJECT_ROOT: $PROJECT_ROOT"
 
 # .env file path
 ENV_FILE="${PROJECT_ROOT}/.env"
+IAM_ENV_FILE="${SCRIPT_DIR}/.env"
 
 
 # Certificate output path (same structure as Let's Encrypt)
@@ -134,6 +135,46 @@ echo "  DATABASE_USER: $MC_IAM_MANAGER_DATABASE_USER"
 echo "  DATABASE_HOST: $MC_IAM_MANAGER_DATABASE_HOST"
 echo "  MC_IAM_MANAGER_PORT: $MC_IAM_MANAGER_PORT"
 
+# =============================================================================
+# Rewrite PUBLIC_HOST variables from http:// to https:// for remote IP/domain
+# =============================================================================
+
+_sedi() {
+    if [[ "$(uname)" == "Darwin" ]]; then
+        sed -i '' "$@"
+    else
+        sed -i "$@"
+    fi
+}
+
+rewrite_http_to_https() {
+    local env_file="$1"
+    if [ ! -f "$env_file" ]; then
+        return 0
+    fi
+    echo "Rewriting http:// → https:// in ${env_file##*/conf/docker/}..."
+
+    local vars=(
+        "MC_IAM_MANAGER_PUBLIC_HOST"
+        "MC_OBSERVABILITY_FRONT_PUBLIC_HOST"
+        "MC_OBSERVABILITY_GRAFANA_PUBLIC_HOST"
+        "MC_COST_OPTIMIZER_FE_PUBLIC_HOST"
+        "MC_WORKFLOW_MANAGER_PUBLIC_HOST"
+        "MC_DATA_MANAGER_PUBLIC_HOST"
+        "MC_APPLICATION_MANAGER_PUBLIC_HOST"
+    )
+
+    for var in "${vars[@]}"; do
+        if grep -qE "^${var}=http://" "$env_file"; then
+            _sedi "s|^${var}=http://|${var}=https://|" "$env_file"
+            echo "  ✓ ${var}: http:// → https://"
+        fi
+    done
+}
+
+rewrite_http_to_https "$ENV_FILE"
+rewrite_http_to_https "$IAM_ENV_FILE"
+
 # Define certificate directory based on PUBLIC_DOMAIN (same structure as Let's Encrypt)
 CERT_DIR="${CERT_PARENT_DIR}/certs/live/${MC_IAM_MANAGER_PUBLIC_DOMAIN}"
 

conf/docker/conf/mc-iam-manager/0_preset_local.sh

@@ -110,6 +110,7 @@ rewrite_https_to_http() {
 
     local vars=(
         "MC_IAM_MANAGER_PUBLIC_HOST"
+        "MC_OBSERVABILITY_FRONT_PUBLIC_HOST"
         "MC_OBSERVABILITY_GRAFANA_PUBLIC_HOST"
         "MC_COST_OPTIMIZER_FE_PUBLIC_HOST"
         "MC_WORKFLOW_MANAGER_PUBLIC_HOST"

conf/docker/conf/mc-iam-manager/1_setup_auto.sh

@@ -466,10 +466,20 @@ register_framework_services() {
 update_public_service_urls() {
     echo "Updating framework service URLs to public-accessible addresses..."
 
+    _public_fe_scheme() {
+        case "${MC_IAM_MANAGER_PUBLIC_DOMAIN:-}" in
+            localhost|127.0.0.1|mciam.local) echo "http" ;;
+            *) echo "https" ;;
+        esac
+    }
+
+    local public_scheme
+    public_scheme=$(_public_fe_scheme)
+
     # mc-cost-optimizer-fe: replace the internal container URL (http://mc-cost-optimizer-fe:7780)
-    # with the nginx HTTPS proxy URL accessible directly from the browser.
+    # with the nginx proxy URL accessible directly from the browser.
     # /api/getapihosts returns this value as the iframe src in MCIAM_USE=true environments.
-    local cost_fe_public_url="${MC_COST_OPTIMIZER_FE_PUBLIC_HOST:-http://${MC_IAM_MANAGER_PUBLIC_DOMAIN}:${MC_COST_OPTIMIZER_FE_PROXY_PORT}}"
+    local cost_fe_public_url="${MC_COST_OPTIMIZER_FE_PUBLIC_HOST:-${public_scheme}://${MC_IAM_MANAGER_PUBLIC_DOMAIN}:${MC_COST_OPTIMIZER_FE_PROXY_PORT}}"
 
     # mc-cost-optimizer-fe is not in the upstream api.yaml, so attempt registration first (idempotent)
     local reg_body
@@ -605,6 +615,37 @@ update_public_service_urls() {
         return 1
     fi
 
+    # mc-observability-fe: register and update dedicated iframe nginx HTTPS proxy URL
+    local obs_fe_public_url="${MC_OBSERVABILITY_FRONT_PUBLIC_HOST}"
+    reg_body=$(printf '{"name":"mc-observability-fe","version":"v0.0.1","baseUrl":"http://mc-observability-front:18081","authType":"none","authUser":"","authPass":"","isActive":true}')
+    reg_resp=$(curl -s -w "HTTPSTATUS:%{http_code}" -X POST \
+        --header "Authorization: Bearer $MC_IAM_MANAGER_PLATFORMADMIN_ACCESSTOKEN" \
+        --header 'Content-Type: application/json' \
+        --data "$reg_body" \
+        "$MC_IAM_MANAGER_HOST/api/mcmp-apis")
+    reg_code=$(echo $reg_resp | tr -d '\n' | sed -e 's/.*HTTPSTATUS://')
+    if [ "$reg_code" = "201" ]; then
+        echo "  ✓ mc-observability-fe registered"
+    elif [ "$reg_code" = "409" ]; then
+        echo "  ✓ mc-observability-fe already registered"
+    else
+        echo "  ✗ Failed to register mc-observability-fe (HTTP $reg_code)"
+        return 1
+    fi
+    response=$(curl -s -w "HTTPSTATUS:%{http_code}" -X PUT \
+        --header "Authorization: Bearer $MC_IAM_MANAGER_PLATFORMADMIN_ACCESSTOKEN" \
+        --header 'Content-Type: application/json' \
+        --data "{\"base_url\": \"${obs_fe_public_url}\"}" \
+        "$MC_IAM_MANAGER_HOST/api/mcmp-apis/name/mc-observability-fe")
+    http_code=$(echo $response | tr -d '\n' | sed -e 's/.*HTTPSTATUS://')
+    response_body=$(echo $response | sed -e 's/HTTPSTATUS\:.*//g')
+    if [ "$http_code" = "200" ]; then
+        echo "  ✓ Updated mc-observability-fe baseurl: ${obs_fe_public_url}"
+    else
+        echo "  ✗ Failed to update mc-observability-fe (HTTP $http_code): $response_body"
+        return 1
+    fi
+
     echo "Public service URL update completed"
     return 0
 }

conf/docker/conf/mc-iam-manager/nginx.template.conf

@@ -309,9 +309,9 @@ http {
             proxy_hide_header X-Frame-Options;
             add_header Content-Security-Policy "frame-ancestors https://${MC_IAM_MANAGER_PUBLIC_DOMAIN}:3001 https://${MC_IAM_MANAGER_PUBLIC_DOMAIN}" always;
 
-            proxy_connect_timeout 60s;
-            proxy_send_timeout 60s;
-            proxy_read_timeout 60s;
+            proxy_connect_timeout 600s;
+            proxy_send_timeout 600s;
+            proxy_read_timeout 600s;
         }
     }
 
@@ -346,6 +346,37 @@ http {
         }
     }
 
+    # mc-observability-front HTTPS proxy (for iframe/external access)
+    server {
+        listen ${MC_OBSERVABILITY_FRONT_PORT} ssl;
+        server_name ${MC_IAM_MANAGER_PUBLIC_DOMAIN};
+
+        ssl_certificate /etc/nginx/certs/live/${MC_IAM_MANAGER_PUBLIC_DOMAIN}/fullchain.pem;
+        ssl_certificate_key /etc/nginx/certs/live/${MC_IAM_MANAGER_PUBLIC_DOMAIN}/privkey.pem;
+
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+        location / {
+            resolver 127.0.0.11 valid=10s;
+            set $upstream_obs mc-observability-front;
+            proxy_pass http://$upstream_obs:18081;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+            proxy_set_header X-Forwarded-Host $host;
+            proxy_hide_header X-Frame-Options;
+            add_header Content-Security-Policy "frame-ancestors https://${MC_IAM_MANAGER_PUBLIC_DOMAIN}:3001 https://${MC_IAM_MANAGER_PUBLIC_DOMAIN}" always;
+
+            proxy_connect_timeout 60s;
+            proxy_send_timeout 60s;
+            proxy_read_timeout 60s;
+        }
+    }
+
     # mc-cost-optimizer-fe HTTPS proxy (for iframe/external access)
     server {
         listen ${MC_COST_OPTIMIZER_FE_PROXY_PORT} ssl;

conf/docker/conf/mc-iam-manager/nginx.template.local.conf

@@ -229,9 +229,9 @@ http {
             proxy_hide_header X-Frame-Options;
             add_header Content-Security-Policy "frame-ancestors http://${MC_IAM_MANAGER_PUBLIC_DOMAIN}:3001 http://${MC_IAM_MANAGER_PUBLIC_DOMAIN}" always;
 
-            proxy_connect_timeout 60s;
-            proxy_send_timeout 60s;
-            proxy_read_timeout 60s;
+            proxy_connect_timeout 600s;
+            proxy_send_timeout 600s;
+            proxy_read_timeout 600s;
         }
     }
 
@@ -261,6 +261,32 @@ http {
         }
     }
 
+    # mc-observability-front HTTP proxy (for iframe)
+    server {
+        listen ${MC_OBSERVABILITY_FRONT_PORT};
+        server_name ${MC_IAM_MANAGER_PUBLIC_DOMAIN};
+
+        location / {
+            resolver 127.0.0.11 valid=10s;
+            set $upstream_obs mc-observability-front;
+            proxy_pass http://$upstream_obs:18081;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $host;
+            proxy_hide_header X-Frame-Options;
+            add_header Content-Security-Policy "frame-ancestors http://${MC_IAM_MANAGER_PUBLIC_DOMAIN}:3001 http://${MC_IAM_MANAGER_PUBLIC_DOMAIN}" always;
+
+            proxy_connect_timeout 60s;
+            proxy_send_timeout 60s;
+            proxy_read_timeout 60s;
+        }
+    }
+
     # mc-cost-optimizer-fe HTTP proxy (for iframe)
     server {
         listen ${MC_COST_OPTIMIZER_FE_PROXY_PORT};

conf/docker/conf/mc-web-console/api/conf/api.yaml

@@ -75,6 +75,11 @@ services:
     baseurl: http://mc-application-manager:18084
     auth:
 
+  mc-observability-fe:
+    version: v0.0.1
+    baseurl: http://mc-observability-front:18081
+    auth:
+
   # sample:
   #   baseurl: http://localhost:1323/test
   #   auth: