[Auto-Sync] Atualização das configurações em srvproxy001.itguys.com.br - 2025-09-27 13:25:49

2025-09-27 13:25:49 -03:00 · 2025-09-27 13:25:49 -03:00 · 09d01e2785
parent c49155d51d
commit 09d01e2785
1 changed files with 99 additions and 0 deletions
--- a/nginx/sites-available/anatram.com.br.conf
+++ b/nginx/sites-available/anatram.com.br.conf
@ -0,0 +1,99 @@
+# ==============================================================================
+# BLOCO 3: HTTPS (Porta 443) - Servidor Principal e Canônico
+# ==============================================================================
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name anatram.com.br;
+
+    # --- Configurações de SSL/TLS ---
+    # ... (todas as suas diretivas ssl_* permanecem aqui)
+    ssl_certificate /etc/letsencrypt/live/anatram.com.br/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/anatram.com.br/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 1d;
+    ssl_session_tickets off;
+    ssl_dhparam /etc/nginx/dhparam.pem;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/letsencrypt/live/anatram.com.br/chain.pem;
+
+    # --- Cabeçalhos de Segurança (Security Headers) ---
+    # ... (todas as suas diretivas add_header permanecem aqui)
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "no-referrer-when-downgrade" always;
+    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'self';" always;
+
+    # --- Políticas de Acesso, Erros e Logs ---
+    root /var/www/html;
+    error_page 404 /404.html;
+    error_page 500 502 503 504 /50x.html;
+
+    # Logs dedicados para este site
+    access_log /var/log/nginx/anatram.com.br.access.log detailed_proxy; # Recomendo usar o formato detalhado aqui também
+    error_log /var/log/nginx/anatram.com.br.error.log warn;
+    
+    # --- CORREÇÃO APLICADA AQUI ---
+    # Loga requisições bloqueadas em um arquivo separado, usando o formato detalhado.
+    access_log /var/log/nginx/anatram.com.br.bad-bot.log detailed_proxy if=$block_request;
+
+    # --- Bloqueio de Bots e Acessos Indevidos ---
+    if ($block_request) {
+        return 444;
+    }
+
+    # Bloqueia o acesso a arquivos ocultos e sensíveis
+    location ~ /\. {
+        deny all;
+    }
+
+    # ... (o restante da sua configuração de compressão, proxy e locations permanece o mesmo)
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
+
+    brotli on;
+    brotli_comp_level 6;
+    brotli_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
+
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Forwarded-Port $server_port;
+    proxy_connect_timeout 60s;
+    proxy_send_timeout 60s;
+    proxy_read_timeout 60s;
+    proxy_ssl_verify off;
+
+    proxy_cache static_cache;
+    add_header X-Proxy-Cache $upstream_cache_status;
+
+    location ~* \.(?:css|js|mjs|svg|gif|png|jpg|jpeg|ico|wasm|woff2?|ttf|eot)$ {
+        proxy_cache_valid 200 30d;
+        proxy_cache_valid any 1m;
+        expires 30d;
+        add_header Cache-Control "public";
+        log_not_found off;
+        access_log off;
+        proxy_pass https://172.16.12.9:443;
+    }
+
+    location / {
+        proxy_no_cache 1;
+        proxy_cache_bypass 1;
+        proxy_pass https://172.16.12.9:443;
+    }
+}