diff --git a/nginx/sites-available/verbocloud.itguys.com.br.conf b/nginx/sites-available/verbocloud.itguys.com.br.conf
new file mode 100644
index 0000000..3997882
--- /dev/null
+++ b/nginx/sites-available/verbocloud.itguys.com.br.conf
@@ -0,0 +1,202 @@
+# ----------------------------------------------------------------------
+# Configuração: Nextcloud AIO + Office Online Server (Nativo)
+# Data: 2025-10-25
+# Domínio: verbocloud.itguys.com.br
+#
+# Arquitetura:
+# - Nginx (Este servidor)
+# - Backend AIO: 172.16.253.13:11500 (HTTP)
+# - Backend OOS: 172.16.253.13:443 (HTTPS - Nativo no Windows)
+# ----------------------------------------------------------------------
+
+# ----------------------------------------------------------------------
+# Declaração dos Backends
+# ----------------------------------------------------------------------
+
+# Backend 1: O contêiner do Nextcloud AIO no Windows Server
+upstream nextcloud_aio_backend {
+ server 172.16.253.13:11500;
+}
+
+# Backend 2: O Office Online Server (nativo no Windows Server)
+upstream office_online_backend {
+ # Assumindo que o OOS está na porta 443 (HTTPS)
+ server 172.16.253.13:443;
+}
+
+# ----------------------------------------------------------------------
+# Servidor HTTP (Porta 80)
+# - Redireciona para HTTPS
+# - Responde aos desafios do Let's Encrypt (Certbot)
+# ----------------------------------------------------------------------
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name verbocloud.itguys.com.br;
+
+ location /.well-known/acme-challenge/ {
+ root /var/www/html; # Ajuste o caminho se necessário
+ allow all;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+# ----------------------------------------------------------------------
+# Servidor HTTPS (Porta 443)
+# - Ponto de terminação SSL
+# - Proxy reverso para AIO e OOS
+# - Headers de segurança
+# ----------------------------------------------------------------------
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name verbocloud.itguys.com.br;
+
+ # --- Logs Exclusivos (Conforme solicitado) ---
+ access_log /var/log/nginx/verbocloud.itguys.com.br.access.log;
+ error_log /var/log/nginx/verbocloud.itguys.com.br.error.log warn;
+ # (Descomente o log de bad-bot quando implementar o $is_bad_bot)
+ # access_log /var/log/nginx/verbocloud.itguys.com.br.bad-bot.log suspicious_bot if=$is_bad_bot;
+
+ # --- Configurações de SSL ---
+ # (O Certbot irá gerenciar estas linhas)
+ #ssl_certificate /etc/letsencrypt/live/verbocloud.itguys.com.br/fullchain.pem;
+ #ssl_certificate_key /etc/letsencrypt/live/verbocloud.itguys.com.br/privkey.pem;
+ #ssl_trusted_certificate /etc/letsencrypt/live/verbocloud.itguys.com.br/chain.pem;
+
+ # --- Otimizações de TLS (Baseado no SSLLabs e no seu arquivo antigo) ---
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+
+ # --- OCSP Stapling ---
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 1.1.1.1 8.8.8.8 valid=300s; # Usando resolvers públicos
+ resolver_timeout 5s;
+
+ # --- Headers de Segurança ---
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ # --- Configurações do Proxy ---
+ client_max_body_size 10G;
+
+ # ---------------------------------------------------
+ # REGRAS DO OFFICE ONLINE SERVER (OOS)
+ # (Estas devem vir ANTES do location / principal)
+ # ---------------------------------------------------
+
+ # Rota de Descoberta (Discovery)
+ location = /hosting/discovery {
+ # O OOS nativo quase sempre usa HTTPS
+ proxy_pass https://office_online_backend;
+
+ # ===> ATENÇÃO: Substitua pelo Hostname INTERNO que o OOS espera <===
+ proxy_set_header Host "oos.interno.verbocg.local";
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Accept-Encoding "";
+
+ # Essencial se o OOS usa certificado autoassinado
+ proxy_ssl_verify off;
+ }
+
+ # Rotas de Serviço (Word, Excel, etc.)
+ location ~ ^/(m|x|we|o|p|wv|op|wd|rtc|rtc2|layouts|view|_layouts)/ {
+ proxy_pass https://office_online_backend;
+
+ # ===> ATENÇÃO: Substitua pelo Hostname INTERNO que o OOS espera <===
+ proxy_set_header Host "oos.interno.verbocg.local";
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+
+ # WebSockets - Essencial para OOS
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Accept-Encoding "";
+
+ # Essencial se o OOS usa certificado autoassinado
+ proxy_ssl_verify off;
+
+ # (Filtro para reescrever o host interno - se necessário)
+ # sub_filter 'oos.interno.verbocg.local' 'verbocloud.itguys.com.br';
+ # sub_filter_once off;
+
+ # CORS - Essencial para OOS (Usando add_header, se o módulo 'more_headers' não estiver)
+ # (Seu config antigo usava 'more_set_headers', o que é melhor se você tiver o módulo)
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' "$scheme://$http_host";
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, HEAD';
+ add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Accept, Origin, User-Agent, DNT, Cache-Control, X-Mx-ReqToken, Keep-Alive, X-Requested-With, If-Modified-Since, X-UserType';
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Max-Age' 1728000;
+ return 204;
+ }
+
+ add_header 'Access-Control-Allow-Origin' "$scheme://$http_host";
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ }
+
+ # ---------------------------------------------------
+ # REGRAS DO NEXTCLOUD AIO
+ # ---------------------------------------------------
+
+ # Redirecionamentos CalDAV/CardDAV
+ location = /.well-known/carddav { return 301 /remote.php/dav; }
+ location = /.well-known/caldav { return 301 /remote.php/dav; }
+ location = /.well-known/webfinger { return 301 /index.php/.well-known/webfinger; }
+ location = /.well-known/nodeinfo { return 301 /index.php/.well-known/nodeinfo; }
+
+ # Cache de Estáticos (Opcional, mas bom para performance)
+ location ~ \.(css|js|svg|gif|png|jpg|ico|woff|woff2|tff)$ {
+ proxy_pass http://nextcloud_aio_backend;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+
+ proxy_buffering on;
+ proxy_cache_valid 200 304 7d;
+ expires 7d;
+ add_header Cache-Control "public";
+ }
+
+ # Regra Principal (Nextcloud AIO)
+ location / {
+ proxy_pass http://nextcloud_aio_backend; # <-- Aponta para o AIO (HTTP)
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+
+ # Recomendado pelo AIO para uploads/DAV
+ proxy_buffering off;
+ proxy_request_buffering off;
+ proxy_http_version 1.1;
+
+ # Timeouts longos
+ proxy_connect_timeout 3600s;
+ proxy_send_timeout 3600s;
+ proxy_read_timeout 3600s;
+ }
+}
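Review bot: The five server-level security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, X-XSS-Protection) are silently dropped on every response served by the OOS regex location and by the static-asset cache location, because in nginx an `add_header` inside a `location` (or `if`) block replaces, rather than merges with, the inherited server-level set; so the CORS `add_header` lines and the `add_header Cache-Control "public";` line leave those responses without HSTS or frame protection. The usual fix is to move the five `add_header ... always;` lines into a snippet file and add one `include <security-headers-snippet>;` line to each location that sets its own `add_header`, so every path emits the full set. Separately, `proxy_ssl_verify off;` in both OOS locations disables certificate checking toward the backend; if the OOS certificate is self-signed, pointing `proxy_ssl_trusted_certificate` at that certificate (or the internal CA) together with `proxy_ssl_name "oos.interno.verbocg.local";` keeps verification on without needing a public cert. Minor: the cache regex lists `tff`, which looks like a typo for `ttf`, and `proxy_cache_valid` has no effect without a `proxy_cache` zone.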