From 55f5d318e0b4c0621cea589e9eabd3ec9566fac9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Pedro=20Toledo?=
Date: Thu, 5 Feb 2026 15:41:30 -0300
Subject: [PATCH] .
---
 conf.d/ferreirareal.com.br.conf | 4 +-
 conf.d/test.local.conf | 42 ++++++++++++++++++
 modsec/empty.conf | 1 +
 modsec/main.conf | 6 +--
 nginx.conf | 1 +
 snippets/cache_optimizer.conf | 20 +--------
 snippets/modsecurity.conf | 1 -
 snippets/security_maps.conf | 79 ++++++++++++++++++++-------------
 8 files changed, 99 insertions(+), 55 deletions(-)
 create mode 100644 conf.d/test.local.conf
 create mode 100644 modsec/empty.conf
diff --git a/conf.d/ferreirareal.com.br.conf b/conf.d/ferreirareal.com.br.conf
index 89fb477..af88694 100644
--- a/conf.d/ferreirareal.com.br.conf
+++ b/conf.d/ferreirareal.com.br.conf
@@ -72,10 +72,10 @@ server {
 # 2. Assets Estáticos (CACHE AGRESSIVO & MODERN)
 location ~* \.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg|mjs|js|ts|wasm|json|woff2?|ttf|otf|eot|css|less|scss)$ {
- include snippets/cache_optimizer.conf;
+ # include snippets/cache_optimizer.conf;
 add_header Cache-Control $cache_control_header;
- proxy_cache_valid 200 $cache_asset_ttl;
+ proxy_cache_valid 200 1d;
 proxy_pass http://ferreirareal_backend;
 # Rate Limit Diferenciado
diff --git a/conf.d/test.local.conf b/conf.d/test.local.conf
new file mode 100644
index 0000000..9482d10
--- /dev/null
+++ b/conf.d/test.local.conf
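Review bot: `proxy_cache_valid 200 1d;` flattens the proxy TTL to a single tier, and since proxy_cache_valid does not read variables (presumably why `$cache_asset_ttl` was dropped here) the `$cache_asset_ttl` map that this same commit still maintains in snippets/security_maps.conf (the @@ -116 hunk) is left with no consumer, so the 30d tier for fingerprinted assets is silently lost. Either remove that map or express the tiers as literals, for example a dedicated `location` for fingerprinted files with `proxy_cache_valid 200 30d;`, and say which in a comment. Commenting out `include snippets/cache_optimizer.conf;` instead of deleting it also drops `proxy_cache_revalidate`, `proxy_cache_background_update` and `proxy_cache_use_stale` from this location unless they are set at server level, which is outside the hunk; if the snippet now lives at server level, replace the dead include with `# cache tuning inherited from server-level cache_optimizer.conf; $cache_control_header map is in snippets/security_maps.conf`. The enclosing server block starts and ends outside the hunk.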
@@ -0,0 +1,42 @@
+upstream test_backend {
+ server 127.0.0.1:8080;
+ keepalive 32;
+}
+
+server {
+ listen 80;
+ server_name test.local;
+
+ # Logs JSON (Mandatório para monitoramento 2026)
+ access_log /var/log/nginx/test.local.access.log detailed_proxy;
+ error_log /var/log/nginx/test.local.error.log warn;
+
+ # 1. Segurança e Well-Known
+ include snippets/well_known.conf;
+ include snippets/security_actions.conf;
+
+ # 2. Performance e Cache
+ include snippets/cache_optimizer.conf;
+
+ location / {
+ proxy_pass http://test_backend;
+ include snippets/proxy_params.conf;
+
+ # Rate Limit
+ limit_req zone=global_limit burst=20 nodelay;
+ limit_req zone=punishment_limit burst=5 nodelay;
+
+ add_header X-Test-Tag "v1.0-Homologacao";
+ }
+
+ # Assets para teste de Pseudo-CDN e Cache
+ location ~* \.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg|mjs|js|ts|wasm|json|woff2?|ttf|otf|eot|css|less|scss)$ {
+ include snippets/cache_optimizer.conf;
+ add_header Cache-Control $cache_control_header;
+
+ proxy_cache_valid 200 1d;
+ proxy_pass http://test_backend;
+
+ add_header X-Asset-Test "Injected";
+ }
+}
diff --git a/modsec/empty.conf b/modsec/empty.conf
new file mode 100644
index 0000000..9cab844
--- /dev/null
+++ b/modsec/empty.conf
@@ -0,0 +1 @@
+# Empty rules
diff --git a/modsec/main.conf b/modsec/main.conf
index 07138e6..5bd12d1 100644
--- a/modsec/main.conf
+++ b/modsec/main.conf
@@ -1,11 +1,11 @@
 # ModSecurity Main Configuration File
 # Include base configuration
-include /etc/nginx/modsec/modsecurity.conf-recommended
+Include /etc/nginx/modsec/modsecurity.conf-recommended
 # Configure OWASP Core Rule Set
-include /etc/nginx/modsec/owasp-crs/crs-setup.conf
-include /etc/nginx/modsec/owasp-crs/rules/*.conf
+Include /etc/nginx/modsec/owasp-crs/crs-setup.conf
+Include /etc/nginx/modsec/owasp-crs/rules/*.conf
 # Include Custom Rules
 # include /etc/nginx/modsec/custom_rules.conf
diff --git a/nginx.conf b/nginx.conf
index 989e51b..cd26c9e 100644
--- a/nginx.conf
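Review bot: `add_header X-Test-Tag "v1.0-Homologacao";` in `location /` and `add_header X-Asset-Test "Injected";` in the asset location each switch off inheritance of every add_header from the server and http levels, so whatever response-security headers `snippets/security_actions.conf` sets at server level (not visible here, but presumably its job) will be missing from exactly the responses this vhost serves. Move the two test tags up to server level, or repeat the server-level headers inside each location, and leave a marker such as `# add_header in a location discards inherited add_header directives`. The vhost also listens on plain port 80 with no redirect and sits in conf.d beside the production file; a one-line header comment like `# Local homologation only: never deploy this server block` keeps it from being mistaken for a live site in `nginx -T` output.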
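Review bot: After this commit nothing in the diff loads this file: the snippets/modsecurity.conf hunk removes `modsecurity_rules_file /etc/nginx/modsec/main.conf;` and the nginx.conf hunk adds only a commented-out pointer to modsec/empty.conf, so `modsecurity on;` is left running an engine with neither modsecurity.conf-recommended nor the CRS loaded unless a rules file is wired up somewhere outside the diff. If the WAF is meant to be bypassed temporarily, `modsecurity off;` in the snippet, or `SecRuleEngine DetectionOnly` in a rules file that is still loaded, states that intent and keeps this include chain intact; an `on` switch that enforces nothing is easy to mistake for protection. The last line, `# include /etc/nginx/modsec/custom_rules.conf`, should be capitalised like the three live lines (`# Include /etc/nginx/modsec/custom_rules.conf`) so the next person to enable it does not have to guess whether case matters.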
+++ b/nginx.conf
@@ -18,6 +18,7 @@ events {
 }
 http {
+ # modsecurity_rules_file /etc/nginx/modsec/empty.conf;
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
diff --git a/snippets/cache_optimizer.conf b/snippets/cache_optimizer.conf
index 047e381..b17970c 100644
--- a/snippets/cache_optimizer.conf
+++ b/snippets/cache_optimizer.conf
@@ -6,23 +6,5 @@ proxy_cache_revalidate on;
 proxy_cache_background_update on;
 proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
-# 2. Configurações de Cache-Control por Tipo de Arquivo
+# 2. Configuracoes de Cache-Control por Tipo de Arquivo
 add_header X-Cache-Status $upstream_cache_status;
-
-# Trata a política de Cache do Navegador baseado na URI e Versão
-map $request_uri $cache_control_header {
- # 1. Assets Versionados -> Imutáveis (1 ano)
- ~*(\?v=|\?id=|\.v[0-9]|\.[0-9a-f]{8,}) "public, max-age=31536000, immutable";
-
- # 2. Assets Comuns (Imagens, Fontes) -> Revalidação obrigatória (curto)
- ~*\.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg|woff2?|ttf|otf|eot)$ "public, max-age=86400, must-revalidate";
-
- # 3. Scripts e Estilos (Sem versão) -> Revalidação agressiva (curto)
- ~*\.(mjs|js|ts|wasm|json|css|less|scss)$ "public, max-age=3600, must-revalidate";
-
- # 4. HTML e APIs -> Nunca cachear no navegador sem revalidar
- ~*(\.html|\/api\/) "no-cache, must-revalidate";
-
- # Padrão: Segurança Máxima (Documentos, PDFs, etc. não são cacheados)
- default "no-cache, no-store, must-revalidate";
-}
diff --git a/snippets/modsecurity.conf b/snippets/modsecurity.conf
index f506b05..13698f3 100644
--- a/snippets/modsecurity.conf
+++ b/snippets/modsecurity.conf
@@ -1,6 +1,5 @@
 # ModSecurity Engine Configuration
 modsecurity on;
-modsecurity_rules_file /etc/nginx/modsec/main.conf;
 # Inclusão da Blacklist Dinâmica do Fail2Ban
 include /etc/nginx/snippets/blacklist.conf;
diff --git a/snippets/security_maps.conf b/snippets/security_maps.conf
index 9efbdb9..9e576ab 100644
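Review bot: The added `# modsecurity_rules_file /etc/nginx/modsec/empty.conf;` says nothing about why a placeholder rules file now exists at http level or when the line should be uncommented, and since modsec/empty.conf holds only a comment, enabling it would still load no `SecRuleEngine` or `SecRequestBodyAccess` setting. Replace the bare line with a comment that records intent and the revert condition, e.g. `# Debug aid: point here at modsec/empty.conf only to isolate a ModSecurity reload failure; production rules are in modsec/main.conf`. At http level the directive would also apply to every server block, unlike the per-server snippets/modsecurity.conf it seems to stand in for, which is worth a word in the same comment. The enclosing http block continues outside the hunk.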
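Review bot: With `map $request_uri $cache_control_header` moved out, the retained heading `# 2. Configuracoes de Cache-Control por Tipo de Arquivo` now introduces only `add_header X-Cache-Status $upstream_cache_status;`, a diagnostic header rather than a Cache-Control policy, so the comment is stale. Reword it to point at the map's new home, e.g. `# 2. Cache diagnostics; the Cache-Control policy map ($cache_control_header) lives in snippets/security_maps.conf (http context)`, because this snippet is included from server and location blocks where a reader would otherwise look for the map. Dropping the accents from the comment is harmless, but if it was done to dodge a charset issue, one note saying so beats unexplained text churn across several files. The snippet's first five lines are outside the hunk.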
--- a/snippets/security_maps.conf
+++ b/snippets/security_maps.conf
@@ -4,26 +4,26 @@
 # Bad Bot Detection
 map $http_user_agent $is_bad_bot {
 default 0;
- # Scanners, Exploração e Reconhecimento de Rede (RECON)
- ~*(nikto|sqlmap|wpscan|gobuster|dirbuster|feroxbuster|nessus|nmap|curl|wget|python|php|perl|ruby|java) 1;
- ~*(Acunetix|Netsparker|AppScan|Zgrab|Masscan|OpenVAS|Scanbot|ZmEu|Morfeus|Jorgee|Havij|Nuclei|Tsunami) 1;
- ~*(Shodan|Censys|ZoomEye|BinaryEdge|Smap|N-Stealth|N-Sentinel|ScanAlert) 1;
+ # Scanners, Exploracao e Reconhecimento de Rede (RECON)
+ "~*(nikto|sqlmap|wpscan|gobuster|dirbuster|feroxbuster|nessus|nmap|curl|wget|python|php|perl|ruby|java)" 1;
+ "~*(Acunetix|Netsparker|AppScan|Zgrab|Masscan|OpenVAS|Scanbot|ZmEu|Morfeus|Jorgee|Havij|Nuclei|Tsunami)" 1;
+ "~*(Shodan|Censys|ZoomEye|BinaryEdge|Smap|N-Stealth|N-Sentinel|ScanAlert)" 1;
- # Crawlers Agressivos e Scrapers de Conteúdo
- ~*(HTTrack|ia_archiver|mj12bot|AhrefsBot|DotBot|SemrushBot|MJ12bot|DataForSeoBot|PetalBot|QuerySeekerSpider) 1;
- ~*(SEO-Crawler|SEOstats|SpyFu|Lighthouse|PageSpeed|SiteAudit|Screaming|MegaIndex|ZoominfoBot) 1;
- ~*(BLEXBot|WinHTTP|Xenu|Scrap|extract|grab|Crawlspace|WebCopier|TeleportPro|OfflineExplorer) 1;
+ # Crawlers Agressivos e Scrapers de Conteudo
+ "~*(HTTrack|ia_archiver|mj12bot|AhrefsBot|DotBot|SemrushBot|MJ12bot|DataForSeoBot|PetalBot|QuerySeekerSpider)" 1;
+ "~*(SEO-Crawler|SEOstats|SpyFu|Lighthouse|PageSpeed|SiteAudit|Screaming|MegaIndex|ZoominfoBot)" 1;
+ "~*(BLEXBot|WinHTTP|Xenu|Scrap|extract|grab|Crawlspace|WebCopier|TeleportPro|OfflineExplorer)" 1;
- # Bibliotecas de Scraping e Automação (MCPs, Frameworks)
- ~*(Scrapy|BeautifulSoup|selenium|puppeteer|playwright|phantomjs|HeadlessChrome|headless) 1;
- ~*(GuzzleHttp|axios|requests|urllib|libwww-perl|WinHTTP|Go-http-client|node-fetch|Faraday|Typhoeus) 1;
+ # Bibliotecas de Scraping e Automacao (MCPs, Frameworks)
+ "~*(Scrapy|BeautifulSoup|selenium|puppeteer|playwright|phantomjs|HeadlessChrome|headless)" 1;
+ "~*(GuzzleHttp|axios|requests|urllib|libwww-perl|WinHTTP|Go-http-client|node-fetch|Faraday|Typhoeus)" 1;
 # Bloqueio Total de IA Crawlers (Treinamento e Coleta)
- ~*(GPTBot|ChatGPT-User|OAI-SearchBot|anthropic-ai|ClaudeBot|Claude-Web|Claude-User|Claude-SearchBot) 1;
- ~*(Google-Extended|Google-CloudVertexBot|Bard-Ai|Gemini-Ai|GoogleAgent-Mariner) 1;
- ~*(FacebookBot|Meta-ExternalAgent|meta-webindexer|Applebot-Extended|Amazonbot|Applebot) 1;
- ~*(PerplexityBot|Perplexity-User|Bytespider|CCBot|Diffbot|Cohere-Ai|DeepseekBot|Youbot) 1;
- ~*(Omgilibot|Omgili|webzio-extended|HuggingFace-Bot|Brightbot|FirecrawlAgent|Seekr|Sentibot) 1;
+ "~*(GPTBot|ChatGPT-User|OAI-SearchBot|anthropic-ai|ClaudeBot|Claude-Web|Claude-User|Claude-SearchBot)" 1;
+ "~*(Google-Extended|Google-CloudVertexBot|Bard-Ai|Gemini-Ai|GoogleAgent-Mariner)" 1;
+ "~*(FacebookBot|Meta-ExternalAgent|meta-webindexer|Applebot-Extended|Amazonbot|Applebot)" 1;
+ "~*(PerplexityBot|Perplexity-User|Bytespider|CCBot|Diffbot|Cohere-Ai|DeepseekBot|Youbot)" 1;
+ "~*(Omgilibot|Omgili|webzio-extended|HuggingFace-Bot|Brightbot|FirecrawlAgent|Seekr|Sentibot)" 1;
 }
 # Suspicious URI Detection (Bloqueio de Borda / Fast-Fail)
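Review bot: `mj12bot` and `MJ12bot` both appear in the first crawler line under a case-insensitive `~*` match, and `WinHTTP` is listed in both that group and the library group, so the newly quoted lines carry redundant alternations that should be collapsed to one token each. More consequential for false positives, the first line classes `curl`, `wget`, `python`, `php`, `perl`, `ruby` and `java` as bad bots, which catches uptime monitors, webhooks and any SDK that sends a default User-Agent, and because the key is client-supplied the whole map is at best a heuristic. Document that at the top of the map, e.g. `# Heuristic only: User-Agent is client-controlled; generic library tokens should feed the score, not a hard block`, and if `$is_bad_bot` is used as a direct deny anywhere outside this hunk, move the generic tokens to their own lower-weight line.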
@@ -32,23 +32,23 @@ map $request_uri $is_suspicious_uri {
 default 0;
 # Cloud & Infrastructure Metadata (SSRF/Recon)
- ~*(169\.254\.169\.254|/latest/meta-data/|/v1/metadata/|/metadata-flavor) 1;
- ~*(docker-compose\.ya?ml|Dockerfile|kubernetes\.s?yaml) 1;
+ "~*(169\.254\.169\.254|/latest/meta-data/|/v1/metadata/|/metadata-flavor)" 1;
+ "~*(docker-compose\.ya?ml|Dockerfile|kubernetes\.s?yaml)" 1;
- # Arquivos de Configuração, Credenciais e Segredos (Deep leaking)
- ~*(\.env(\..+)?|\.git|\.aws|\.ssh|\.docker|\.config|config\.php|wp-config\.php) 1;
- ~*(composer\.(json|lock)|package(-lock)?\.json|yarn\.lock|pnpm-lock\.yaml) 1;
- ~*(web\.config|appsettings\.json|settings\.py|local_settings\.py) 1;
+ # Arquivos de Configuracao, Credenciais e Segredos (Deep leaking)
+ "~*(\.env(\..+)?|\.git|\.aws|\.ssh|\.docker|\.config|config\.php|wp-config\.php)" 1;
+ "~*(composer\.(json|lock)|package(-lock)?\.json|yarn\.lock|pnpm-lock\.yaml)" 1;
+ "~*(web\.config|appsettings\.json|settings\.py|local_settings\.py)" 1;
- # Backups, Dumps e Arquivos Temporários
- ~*(\.(bak|old|orig|save|sql|db|sqlite|tar\.gz|zip|swp|rar|7z)$|/autobackup/) 1;
+ # Backups, Dumps e Arquivos Temporarios
+ "~*(\.(bak|old|orig|save|sql|db|sqlite|tar\.gz|zip|swp|rar|7z)$|/autobackup/)" 1;
 # Framework Debugging & Admin Endpoints (Fast-Fail)
- ~*(/_ignition/|/_profiler/|/_telescope/|/actuator/|/eureka/|/api-docs) 1;
- ~*(/phpmyadmin|/wp-admin/setup-config\.php|/rails/info/properties) 1;
+ "~*(/_ignition/|/_profiler/|/_telescope/|/actuator/|/eureka/|/api-docs)" 1;
+ "~*(/phpmyadmin|/wp-admin/setup-config\.php|/rails/info/properties)" 1;
- # Webshells e Exploração Ativa Conhecida
- ~*(/shell\.php|/cmd\.php|/eval-stdin\.php|/xmlrpc\.php|/setup\.php|/install\.php) 1;
+ # Webshells e Exploracao Ativa Conhecida
+ "~*(/shell\.php|/cmd\.php|/eval-stdin\.php|/xmlrpc\.php|/setup\.php|/install\.php)" 1;
 }
 # --- Pathfinder Security Decision Engine (PSDE) ---
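Review bot: Most of the newly quoted file-name tokens are unanchored substrings of `$request_uri`, so `\.env(\..+)?` also fires on a path like `/js/app.environment.js`, `\.config` on any `*.config.js` bundle and `/api-docs` on a deliberately published API reference, and the map comment labels a hit here a fast-fail. Bounding the secrets line is a one-line change, e.g. `"~*(/\.env(\.[^/?]+)?|/\.git|/\.aws|/\.ssh|/\.docker|/\.config|/config\.php|/wp-config\.php)(/|\?|$)" 1;`, and the same treatment suits the backup and framework lines. Note too that `$request_uri` is the raw request line, so the `$`-anchored backup pattern `\.(bak|...|7z)$` will not match once a query string follows, and percent-encoded spellings of a path are not normalised before the match; keying a second map on `$uri` (the decoded, normalised path) and OR-ing the two closes both gaps.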
@@ -116,8 +116,8 @@ map $security_score $heavy_limit_key {
 # 3. Cache Asset TTL - Suporte Total 2026 (Modern Web)
 # No proxy_cache usamos um tempo curto, o Cache-Control (Browser) é que decide o tempo longo.
 map $request_uri $cache_asset_ttl {
- # 1. Assets Versionados (?v= ou .v1.) -> Cache Longo no Proxy (1 mês)
- ~*(\?v=|\?id=|\.v[0-9]|\.[0-9a-f]{8,}) 30d;
+ # 1. Assets Versionados (?v= ou .v1.) -> Cache Longo no Proxy (1 mes)
+ "~*(\?v=|\?id=|\.v[0-9]|\.[0-9a-f]{8,})" 30d;
 # 2. Imagens e Mídia (Sem versão) -> 1 dia
 ~*\.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg)$ 1d;
@@ -154,3 +154,22 @@ map $is_global_asset $pathfinder_cache_key {
 0 "$scheme$request_method$host$request_uri";
 1 "$scheme$request_method$request_uri";
 }
+
+# --- Pathfinder Smart Cache Optimization Maps ---
+# Trata a politica de Cache do Navegador baseado na URI e Versao
+map $request_uri $cache_control_header {
+ # 1. Assets Versionados -> Imutaveis (1 ano)
+ "~*(\?v=|\?id=|\.v[0-9]|\.[0-9a-f]{8,})" "public, max-age=31536000, immutable";
+
+ # 2. Assets Comuns (Imagens, Fontes) -> Revalidacao obrigatoria (curto)
+ "~*\.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg|woff2?|ttf|otf|eot)$" "public, max-age=86400, must-revalidate";
+
+ # 3. Scripts e Estilos (Sem versao) -> Revalidacao agressiva (curto)
+ "~*\.(mjs|js|ts|wasm|json|css|less|scss)$" "public, max-age=3600, must-revalidate";
+
+ # 4. HTML e APIs -> Nunca cachear no navegador sem revalidar
+ "~*(\.html|\/api\/)" "no-cache, must-revalidate";
+
+ # Padrao: Seguranca Maxima (Documentos, PDFs, etc. nao sao cacheados)
+ default "no-cache, no-store, must-revalidate";
+}
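Review bot: Only the `{8,}` pattern in this map was quoted, while `~*\.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg)$ 1d;` (and presumably the remaining tiers below the hunk) stay bare, so a single map now mixes two styles; the other maps in this file were quoted uniformly and this one should follow, even though only patterns containing `{` or `;` strictly need quotes. Since conf.d/ferreirareal.com.br.conf switches to a literal `proxy_cache_valid 200 1d;` in the same commit, `$cache_asset_ttl` has no visible consumer left; if the map is kept as a record of the intended tiers, say so above it, e.g. `# NOTE: proxy_cache_valid cannot take a variable; these tiers document intent and must be mirrored as literals per location`. The map continues below the hunk.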
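Review bot: The first rule of the new `map $request_uri $cache_control_header`, `"~*(\?v=|\?id=|\.v[0-9]|\.[0-9a-f]{8,})"`, answers `public, max-age=31536000, immutable` for any URI containing `?id=` or `.v<digit>`, and because map regexes are tried in order it beats rule 4's `no-cache` for `/api/` paths; `json` is in the asset-location regex of both server files that consume this map, so a request like `/api/users.json?id=42` would tell the browser and every shared cache to keep one user's payload for a year. Tie the immutable tier to fingerprinted static files instead, e.g. `"~*\.(mjs|js|css|woff2?|ttf|otf|eot|webp|avif|png|jpg|jpeg|gif|svg|ico)\?(v|id)=[^&]+$"` and `"~*\.[0-9a-f]{8,}\.(mjs|js|css|woff2?|webp|avif|png|jpg|jpeg|gif|svg)$"`, and drop the bare `\.v[0-9]` alternation or give it the same extension guard. A comment on the map should also state that it is intended only for asset locations, since `default "no-cache, no-store, must-revalidate"` would be a surprising header on a dynamic page if someone reuses it at server level.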