Team-DoubleO · Bumnote · Dec 23, 2025 · Dec 23, 2025 · Dec 23, 2025 · Dec 23, 2025
diff --git a/build.gradle b/build.gradle
@@ -44,6 +44,10 @@ dependencies {
     annotationProcessor 'jakarta.annotation:jakarta.annotation-api'
     annotationProcessor 'jakarta.persistence:jakarta.persistence-api'
 
+    // Monitoring
+    implementation 'org.springframework.boot:spring-boot-starter-actuator'
+    implementation 'io.micrometer:micrometer-registry-prometheus'
+
     // DB
     testRuntimeOnly 'com.h2database:h2'
     runtimeOnly 'org.postgresql:postgresql'

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -62,6 +62,41 @@ services:
     networks:
       - spots-net
 
+  prometheus:
+    image: prom/prometheus
+    container_name: prometheus
+    volumes:
+      - ./data/prometheus:/prometheus
+      - ./prometheus.yml:/etc/prometheus/prometheus.yml
+    depends_on:
+      - spots-app
+    ports:
+      - "9090:9090"
+    networks:
+      - spots-net
+    restart: always
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+
+  grafana:
+    image: grafana/grafana
+    container_name: grafana
+    env_file:
+      - .env
+    ports:
+      - "3000:3000"
+    volumes:
+      - ./data/grafana:/var/lib/grafana
+      - grafana-storage:/var/lib/grafana
+    depends_on:
+      - prometheus
+    networks:
+      - spots-net
+    restart: always
+    environment:
+      - GF_SECURITY_ADMIN_USER=${GRAFANA_ADMIN_USER}
+      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD}
+
 volumes:
   dbdata:
   certbot_data:

diff --git a/nginx/nginx-cert-setup.conf b/nginx/nginx-cert-setup.conf
@@ -1,7 +1,7 @@
 # HTTP 서버 (인증서 발급용)
 server {
     listen 80;
-    server_name sspots.site www.sspots.site api.sspots.site;
+    server_name sspots.site www.sspots.site api.sspots.site prometheus.sspots.site grafana.sspots.site;
 
     location /.well-known/acme-challenge/ {
         root /var/www/certbot;

diff --git a/nginx/nginx-prod.conf b/nginx/nginx-prod.conf
@@ -1,6 +1,6 @@
 server {
     listen 80;
-    server_name sspots.site www.sspots.site api.sspots.site;
+    server_name sspots.site www.sspots.site api.sspots.site prometheus.sspots.site grafana.sspots.site;
 
     client_max_body_size 100M;
 
@@ -102,4 +102,60 @@ server {
         proxy_read_timeout    160s;
         send_timeout          160s;
     }
+}
+
+server {
+    listen 443 ssl http2;
+    server_name prometheus.sspots.site;
+
+    ssl_certificate /etc/letsencrypt/live/prometheus.sspots.site/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/prometheus.sspots.site/privkey.pem;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-Frame-Options DENY always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    location / {
+        proxy_pass http://prometheus:9090;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    server_name grafana.sspots.site;
+
+    ssl_certificate /etc/letsencrypt/live/grafana.sspots.site/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/grafana.sspots.site/privkey.pem;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-Frame-Options SAMEORIGIN always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    location / {
+        proxy_pass http://grafana:3000;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
 }
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
@@ -187,6 +187,8 @@ issue_new_certificate() {
       -d sspots.site \
       -d www.sspots.site \
       -d api.sspots.site \
+      -d grafana.sspots.site \
+      -d prometheus.sspots.site \
       --email $CERTBOT_EMAIL --agree-tos --no-eff-email
 
     if [ $? -ne 0 ]; then

diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -30,5 +30,24 @@ spring:
     async:
       request-timeout: 150000 # 2m 30s
 
+# prometheus & actuator
+management:
+  endpoints:
+    shutdown:
+      enabled: false
+    web:
+      exposure:
+        include: health,info,prometheus
+  metrics:
+    tags:
+      application: fitfinder-api
+    distribution:
+      percentiles-histogram:
+        http.server.requests: true
+  prometheus:
+    metrics:
+      export:
+        enabled: true
+
 server:
   forward-headers-strategy: framework
diff --git a/src/main/resources/prometheus.yml b/src/main/resources/prometheus.yml
@@ -0,0 +1,13 @@
+global:
+  scrape_interval: 15s
+  evaluation_interval: 15s
+
+scrape_configs:
+  - job_name: 'prometheus'
+    static_configs:
+      - targets: [ "prometheus:9090" ]
+
+  - job_name: 'fitfinder-actuator'
+    metrics_path: '/actuator/prometheus'
+    static_configs:
+      - targets: [ 'spots-app:8080' ]