.

conf.d/ferreirareal.com.br.conf

@@ -72,10 +72,10 @@ server {
 
     # 2. Assets Estáticos (CACHE AGRESSIVO & MODERN)
     location ~* \.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg|mjs|js|ts|wasm|json|woff2?|ttf|otf|eot|css|less|scss)$ {
-        include snippets/cache_optimizer.conf;
+        # include snippets/cache_optimizer.conf;
         add_header Cache-Control $cache_control_header;
         
-        proxy_cache_valid 200 $cache_asset_ttl;
+        proxy_cache_valid 200 1d;
         proxy_pass http://ferreirareal_backend;
         
         # Rate Limit Diferenciado

conf.d/test.local.conf

@@ -0,0 +1,42 @@
+upstream test_backend {
+    server 127.0.0.1:8080;
+    keepalive 32;
+}
+
+server {
+    listen 80;
+    server_name test.local;
+
+    # Logs JSON (Mandatório para monitoramento 2026)
+    access_log /var/log/nginx/test.local.access.log detailed_proxy;
+    error_log /var/log/nginx/test.local.error.log warn;
+
+    # 1. Segurança e Well-Known
+    include snippets/well_known.conf;
+    include snippets/security_actions.conf;
+
+    # 2. Performance e Cache
+    include snippets/cache_optimizer.conf;
+
+    location / {
+        proxy_pass http://test_backend;
+        include snippets/proxy_params.conf;
+        
+        # Rate Limit
+        limit_req zone=global_limit burst=20 nodelay;
+        limit_req zone=punishment_limit burst=5 nodelay;
+        
+        add_header X-Test-Tag "v1.0-Homologacao";
+    }
+
+    # Assets para teste de Pseudo-CDN e Cache
+    location ~* \.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg|mjs|js|ts|wasm|json|woff2?|ttf|otf|eot|css|less|scss)$ {
+        include snippets/cache_optimizer.conf;
+        add_header Cache-Control $cache_control_header;
+        
+        proxy_cache_valid 200 1d;
+        proxy_pass http://test_backend;
+        
+        add_header X-Asset-Test "Injected";
+    }
+}

modsec/empty.conf

@@ -0,0 +1 @@
+# Empty rules

modsec/main.conf

@@ -1,11 +1,11 @@
 # ModSecurity Main Configuration File
 
 # Include base configuration
-include /etc/nginx/modsec/modsecurity.conf-recommended
+Include /etc/nginx/modsec/modsecurity.conf-recommended
 
 # Configure OWASP Core Rule Set
-include /etc/nginx/modsec/owasp-crs/crs-setup.conf
-include /etc/nginx/modsec/owasp-crs/rules/*.conf
+Include /etc/nginx/modsec/owasp-crs/crs-setup.conf
+Include /etc/nginx/modsec/owasp-crs/rules/*.conf
 
 # Include Custom Rules
 # include /etc/nginx/modsec/custom_rules.conf

nginx.conf

@@ -18,6 +18,7 @@ events {
 }
 
 http {
+    # modsecurity_rules_file /etc/nginx/modsec/empty.conf;
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
 

snippets/cache_optimizer.conf

@@ -6,23 +6,5 @@ proxy_cache_revalidate on;
 proxy_cache_background_update on;
 proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
 
-# 2. Configurações de Cache-Control por Tipo de Arquivo
+# 2. Configuracoes de Cache-Control por Tipo de Arquivo
 add_header X-Cache-Status $upstream_cache_status;
-
-# Trata a política de Cache do Navegador baseado na URI e Versão
-map $request_uri $cache_control_header {
-    # 1. Assets Versionados -> Imutáveis (1 ano)
-    ~*(\?v=|\?id=|\.v[0-9]|\.[0-9a-f]{8,}) "public, max-age=31536000, immutable";
-    
-    # 2. Assets Comuns (Imagens, Fontes) -> Revalidação obrigatória (curto)
-    ~*\.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg|woff2?|ttf|otf|eot)$ "public, max-age=86400, must-revalidate";
-    
-    # 3. Scripts e Estilos (Sem versão) -> Revalidação agressiva (curto)
-    ~*\.(mjs|js|ts|wasm|json|css|less|scss)$ "public, max-age=3600, must-revalidate";
-
-    # 4. HTML e APIs -> Nunca cachear no navegador sem revalidar
-    ~*(\.html|\/api\/) "no-cache, must-revalidate";
-
-    # Padrão: Segurança Máxima (Documentos, PDFs, etc. não são cacheados)
-    default "no-cache, no-store, must-revalidate";
-}

snippets/modsecurity.conf

@@ -1,6 +1,5 @@
 # ModSecurity Engine Configuration
 modsecurity on;
-modsecurity_rules_file /etc/nginx/modsec/main.conf;
 
 # Inclusão da Blacklist Dinâmica do Fail2Ban
 include /etc/nginx/snippets/blacklist.conf;

snippets/security_maps.conf

@@ -4,26 +4,26 @@
 # Bad Bot Detection
 map $http_user_agent $is_bad_bot {
     default 0;
-    # Scanners, Exploração e Reconhecimento de Rede (RECON)
-    ~*(nikto|sqlmap|wpscan|gobuster|dirbuster|feroxbuster|nessus|nmap|curl|wget|python|php|perl|ruby|java) 1;
-    ~*(Acunetix|Netsparker|AppScan|Zgrab|Masscan|OpenVAS|Scanbot|ZmEu|Morfeus|Jorgee|Havij|Nuclei|Tsunami) 1;
-    ~*(Shodan|Censys|ZoomEye|BinaryEdge|Smap|N-Stealth|N-Sentinel|ScanAlert) 1;
+    # Scanners, Exploracao e Reconhecimento de Rede (RECON)
+    "~*(nikto|sqlmap|wpscan|gobuster|dirbuster|feroxbuster|nessus|nmap|curl|wget|python|php|perl|ruby|java)" 1;
+    "~*(Acunetix|Netsparker|AppScan|Zgrab|Masscan|OpenVAS|Scanbot|ZmEu|Morfeus|Jorgee|Havij|Nuclei|Tsunami)" 1;
+    "~*(Shodan|Censys|ZoomEye|BinaryEdge|Smap|N-Stealth|N-Sentinel|ScanAlert)" 1;
 
-    # Crawlers Agressivos e Scrapers de Conteúdo
-    ~*(HTTrack|ia_archiver|mj12bot|AhrefsBot|DotBot|SemrushBot|MJ12bot|DataForSeoBot|PetalBot|QuerySeekerSpider) 1;
-    ~*(SEO-Crawler|SEOstats|SpyFu|Lighthouse|PageSpeed|SiteAudit|Screaming|MegaIndex|ZoominfoBot) 1;
-    ~*(BLEXBot|WinHTTP|Xenu|Scrap|extract|grab|Crawlspace|WebCopier|TeleportPro|OfflineExplorer) 1;
+    # Crawlers Agressivos e Scrapers de Conteudo
+    "~*(HTTrack|ia_archiver|mj12bot|AhrefsBot|DotBot|SemrushBot|MJ12bot|DataForSeoBot|PetalBot|QuerySeekerSpider)" 1;
+    "~*(SEO-Crawler|SEOstats|SpyFu|Lighthouse|PageSpeed|SiteAudit|Screaming|MegaIndex|ZoominfoBot)" 1;
+    "~*(BLEXBot|WinHTTP|Xenu|Scrap|extract|grab|Crawlspace|WebCopier|TeleportPro|OfflineExplorer)" 1;
 
-    # Bibliotecas de Scraping e Automação (MCPs, Frameworks)
-    ~*(Scrapy|BeautifulSoup|selenium|puppeteer|playwright|phantomjs|HeadlessChrome|headless) 1;
-    ~*(GuzzleHttp|axios|requests|urllib|libwww-perl|WinHTTP|Go-http-client|node-fetch|Faraday|Typhoeus) 1;
+    # Bibliotecas de Scraping e Automacao (MCPs, Frameworks)
+    "~*(Scrapy|BeautifulSoup|selenium|puppeteer|playwright|phantomjs|HeadlessChrome|headless)" 1;
+    "~*(GuzzleHttp|axios|requests|urllib|libwww-perl|WinHTTP|Go-http-client|node-fetch|Faraday|Typhoeus)" 1;
 
     # Bloqueio Total de IA Crawlers (Treinamento e Coleta)
-    ~*(GPTBot|ChatGPT-User|OAI-SearchBot|anthropic-ai|ClaudeBot|Claude-Web|Claude-User|Claude-SearchBot) 1;
-    ~*(Google-Extended|Google-CloudVertexBot|Bard-Ai|Gemini-Ai|GoogleAgent-Mariner) 1;
-    ~*(FacebookBot|Meta-ExternalAgent|meta-webindexer|Applebot-Extended|Amazonbot|Applebot) 1;
-    ~*(PerplexityBot|Perplexity-User|Bytespider|CCBot|Diffbot|Cohere-Ai|DeepseekBot|Youbot) 1;
-    ~*(Omgilibot|Omgili|webzio-extended|HuggingFace-Bot|Brightbot|FirecrawlAgent|Seekr|Sentibot) 1;
+    "~*(GPTBot|ChatGPT-User|OAI-SearchBot|anthropic-ai|ClaudeBot|Claude-Web|Claude-User|Claude-SearchBot)" 1;
+    "~*(Google-Extended|Google-CloudVertexBot|Bard-Ai|Gemini-Ai|GoogleAgent-Mariner)" 1;
+    "~*(FacebookBot|Meta-ExternalAgent|meta-webindexer|Applebot-Extended|Amazonbot|Applebot)" 1;
+    "~*(PerplexityBot|Perplexity-User|Bytespider|CCBot|Diffbot|Cohere-Ai|DeepseekBot|Youbot)" 1;
+    "~*(Omgilibot|Omgili|webzio-extended|HuggingFace-Bot|Brightbot|FirecrawlAgent|Seekr|Sentibot)" 1;
 }
 
 # Suspicious URI Detection (Bloqueio de Borda / Fast-Fail)
@@ -32,23 +32,23 @@ map $request_uri $is_suspicious_uri {
     default 0;
     
     # Cloud & Infrastructure Metadata (SSRF/Recon)
-    ~*(169\.254\.169\.254|/latest/meta-data/|/v1/metadata/|/metadata-flavor) 1;
-    ~*(docker-compose\.ya?ml|Dockerfile|kubernetes\.s?yaml) 1;
+    "~*(169\.254\.169\.254|/latest/meta-data/|/v1/metadata/|/metadata-flavor)" 1;
+    "~*(docker-compose\.ya?ml|Dockerfile|kubernetes\.s?yaml)" 1;
 
-    # Arquivos de Configuração, Credenciais e Segredos (Deep leaking)
-    ~*(\.env(\..+)?|\.git|\.aws|\.ssh|\.docker|\.config|config\.php|wp-config\.php) 1;
-    ~*(composer\.(json|lock)|package(-lock)?\.json|yarn\.lock|pnpm-lock\.yaml) 1;
-    ~*(web\.config|appsettings\.json|settings\.py|local_settings\.py) 1;
+    # Arquivos de Configuracao, Credenciais e Segredos (Deep leaking)
+    "~*(\.env(\..+)?|\.git|\.aws|\.ssh|\.docker|\.config|config\.php|wp-config\.php)" 1;
+    "~*(composer\.(json|lock)|package(-lock)?\.json|yarn\.lock|pnpm-lock\.yaml)" 1;
+    "~*(web\.config|appsettings\.json|settings\.py|local_settings\.py)" 1;
 
-    # Backups, Dumps e Arquivos Temporários
-    ~*(\.(bak|old|orig|save|sql|db|sqlite|tar\.gz|zip|swp|rar|7z)$|/autobackup/) 1;
+    # Backups, Dumps e Arquivos Temporarios
+    "~*(\.(bak|old|orig|save|sql|db|sqlite|tar\.gz|zip|swp|rar|7z)$|/autobackup/)" 1;
     
     # Framework Debugging & Admin Endpoints (Fast-Fail)
-    ~*(/_ignition/|/_profiler/|/_telescope/|/actuator/|/eureka/|/api-docs) 1;
-    ~*(/phpmyadmin|/wp-admin/setup-config\.php|/rails/info/properties) 1;
+    "~*(/_ignition/|/_profiler/|/_telescope/|/actuator/|/eureka/|/api-docs)" 1;
+    "~*(/phpmyadmin|/wp-admin/setup-config\.php|/rails/info/properties)" 1;
     
-    # Webshells e Exploração Ativa Conhecida
-    ~*(/shell\.php|/cmd\.php|/eval-stdin\.php|/xmlrpc\.php|/setup\.php|/install\.php) 1;
+    # Webshells e Exploracao Ativa Conhecida
+    "~*(/shell\.php|/cmd\.php|/eval-stdin\.php|/xmlrpc\.php|/setup\.php|/install\.php)" 1;
 }
 
 # --- Pathfinder Security Decision Engine (PSDE) ---
@@ -116,8 +116,8 @@ map $security_score $heavy_limit_key {
 # 3. Cache Asset TTL - Suporte Total 2026 (Modern Web)
 # No proxy_cache usamos um tempo curto, o Cache-Control (Browser) é que decide o tempo longo.
 map $request_uri $cache_asset_ttl {
-    # 1. Assets Versionados (?v= ou .v1.) -> Cache Longo no Proxy (1 mês)
-    ~*(\?v=|\?id=|\.v[0-9]|\.[0-9a-f]{8,}) 30d;
+    # 1. Assets Versionados (?v= ou .v1.) -> Cache Longo no Proxy (1 mes)
+    "~*(\?v=|\?id=|\.v[0-9]|\.[0-9a-f]{8,})" 30d;
     
     # 2. Imagens e Mídia (Sem versão) -> 1 dia
     ~*\.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg)$ 1d;
@@ -154,3 +154,22 @@ map $is_global_asset $pathfinder_cache_key {
     0 "$scheme$request_method$host$request_uri";
     1 "$scheme$request_method$request_uri";
 }
+
+# --- Pathfinder Smart Cache Optimization Maps ---
+# Trata a politica de Cache do Navegador baseado na URI e Versao
+map $request_uri $cache_control_header {
+    # 1. Assets Versionados -> Imutaveis (1 ano)
+    "~*(\?v=|\?id=|\.v[0-9]|\.[0-9a-f]{8,})" "public, max-age=31536000, immutable";
+    
+    # 2. Assets Comuns (Imagens, Fontes) -> Revalidacao obrigatoria (curto)
+    "~*\.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg|woff2?|ttf|otf|eot)$" "public, max-age=86400, must-revalidate";
+    
+    # 3. Scripts e Estilos (Sem versao) -> Revalidacao agressiva (curto)
+    "~*\.(mjs|js|ts|wasm|json|css|less|scss)$" "public, max-age=3600, must-revalidate";
+
+    # 4. HTML e APIs -> Nunca cachear no navegador sem revalidar
+    "~*(\.html|\/api\/)" "no-cache, must-revalidate";
+
+    # Padrao: Seguranca Maxima (Documentos, PDFs, etc. nao sao cacheados)
+    default "no-cache, no-store, must-revalidate";
+}