From 5d1936e63e1f2ea2d38c2c571094d3b1701fc07e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Pedro=20Toledo?=
Date: Wed, 4 Feb 2026 20:15:11 -0300
Subject: [PATCH] feat: Moderniza Cache Assets (Modern Web) e Rate-Limit Penalizado
---
 conf.d/ferreirareal.com.br.conf | 13 +++++++++----
 snippets/log_formats.conf | 1 +
 snippets/rate_limit.conf | 8 +++++---
 snippets/security_maps.conf | 34 ++++++++++++++++++++++-----------
 4 files changed, 38 insertions(+), 18 deletions(-)
diff --git a/conf.d/ferreirareal.com.br.conf b/conf.d/ferreirareal.com.br.conf
index 517f801..d62440e 100644
--- a/conf.d/ferreirareal.com.br.conf
+++ b/conf.d/ferreirareal.com.br.conf
@@ -70,13 +70,18 @@ server {
 proxy_pass http://ferreirareal_backend;
 }
- # 2. Assets Estáticos (CACHE AGRESSIVO)
- location ~* \.(jpg|jpeg|gif|png|webp|svg|css|js|ico|woff2?|ttf|json)$ {
- expires 1y;
+ # 2. Assets Estáticos (CACHE AGRESSIVO & MODERN)
+ location ~* \.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg|mjs|js|ts|wasm|json|woff2?|ttf|otf|eot|pdf|css|less|scss)$ {
+ expires $cache_asset_ttl;
 add_header Cache-Control "public, immutable";
- add_header Alt-Svc 'h3=":443"; ma=86400'; # Garante anúncio H3 em assets
+ add_header Alt-Svc 'h3=":443"; ma=86400';
 proxy_cache_valid 200 30d;
 proxy_pass http://ferreirareal_backend;
+
+ # Rate Limit Diferenciado
+ limit_req zone=global_limit burst=50 nodelay;
+ limit_req zone=punishment_limit burst=5 nodelay;
+ access_log off;
 }
diff --git a/snippets/log_formats.conf b/snippets/log_formats.conf
index 2fa401e..d437b84 100644
--- a/snippets/log_formats.conf
+++ b/snippets/log_formats.conf
@@ -72,5 +72,6 @@ log_format detailed_proxy escape=json
 '"is_suspicious_uri":"$is_suspicious_uri",'
 '"block_request":"$block_request",'
 '"risk_level":"$risk_level",'
+'"security_score":"$security_score",'
 '"is_internal_ip":"$is_internal"'
 '}';
diff --git a/snippets/rate_limit.conf b/snippets/rate_limit.conf
index b0e2aae..43ea3a5 100644
--- a/snippets/rate_limit.conf
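Review bot: The widened location regex now sends `.json` and `.pdf` (plus `.ts`, `.less`, `.scss`) through `proxy_cache_valid 200 30d` with `Cache-Control "public, immutable"`, so if the backend serves any per-user or authenticated JSON or PDF under such paths (API responses, generated documents), the first client's response is stored and replayed to everyone for a month, and nothing in this location distinguishes those from build artifacts. `.ts`, `.less` and `.scss` are source formats rather than shipped assets, so matching them serves whatever the backend happens to expose at those paths. Suggest restricting the pattern to build outputs, `location ~* \.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg|mjs|js|wasm|woff2?|ttf|otf|eot|css)$ {`, or at minimum keep `json|pdf` out unless those URLs are verified to be static. Note also that `access_log off` drops the detailed_proxy records (with `$security_score`) for every request on these paths, so the punishment zone's effect on asset URLs is only visible through limit_req's rejection messages in the error log. The enclosing server block begins before this hunk.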
+++ b/snippets/rate_limit.conf
@@ -1,6 +1,8 @@
 # Rate Limit Zones
 # Include this file in nginx.conf http block
-# Smart rate limiting - excludes internal IPs
-limit_req_zone $limit_key zone=global_limit:20m rate=10r/s;
-limit_req_zone $bad_bot_key zone=bad_bot_limit:10m rate=5r/m;
+# Smart rate limiting - IPs internos são ignorados ($limit_key = "")
+limit_req_zone $limit_key zone=global_limit:20m rate=20r/s;
+
+# Zona de Penalidade (Heavy Limit) - Para quem tem Score de Risco > 0
+limit_req_zone $heavy_limit_key zone=punishment_limit:10m rate=1r/s;
diff --git a/snippets/security_maps.conf b/snippets/security_maps.conf
index 3bd7017..67ae1da 100644
--- a/snippets/security_maps.conf
+++ b/snippets/security_maps.conf
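Review bot: Dropping `limit_req_zone $bad_bot_key zone=bad_bot_limit:10m rate=5r/m;` will make `nginx -t` fail if any server or location outside this patch still carries `limit_req zone=bad_bot_limit`; the only limit_req lines touched here are in the assets location, so the remaining conf.d files should be checked before merging. The `$is_bad_bot` signal also no longer feeds any limiter unless the `$security_score` map (not shown) already folds it in, which is worth confirming since the old 5r/m ceiling for known bad bots is replaced by a 1r/s zone that applies only to scored clients. The new comment promises internal IPs get `$limit_key = ""`, but the map added in security_maps.conf assigns them `0`; one of the two must change for the documented exemption to hold.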
@@ -97,20 +97,32 @@ geo $is_internal {
 45.169.87.175 1;
 45.169.73.154 1;
 201.73.213.129 1;
 }
-# Rate Limit Key (excludes internal IPs)
-map $is_internal $limit_key {
- 0 $binary_remote_addr;
- 1 "";
+# --- modern Rate Limiting & Performance Maps ---
+
+# 1. Chave Unificada de Rate Limit com Penalidade
+# IPs internos são liberados, IPs suspeitos (score > 0) caem em zonas de limitação mais agressivas.
+map $is_internal$security_score $limit_key {
+ ~^1. 0; # Whitelist para IPs Internos (independente de score)
+ "00" $binary_remote_addr; # Tráfego Limpo
+ default $binary_remote_addr; # Qualquer outra coisa (Suspeitos)
 }
-# Bad Bot Rate Limit Key
-map $is_bad_bot $bad_bot_key {
- 1 $binary_remote_addr;
- default "";
+# 2. Chave de "Castigo" para Bots e Ataques (Tarpit / Delay)
+map $security_score $heavy_limit_key {
+ 0 "";
+ default $binary_remote_addr; # Apenas quem tem pontuação de risco entra aqui
 }
-# Cache Asset TTL
-map $request_uri $cache_asset {
- ~*\.(css|js|mjs|svg|gif|png|jpg|jpeg|ico|wasm|woff|woff2|ttf|otf)$ 1y;
+# 3. Cache Asset TTL - Suporte Total 2026 (Modern Web)
+map $request_uri $cache_asset_ttl {
+ # Imagens Modernas e Tradicionais
+ ~*\.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg)$ 1y;
+ # Scripts Modernos (Modules) e Tradicionais
+ ~*\.(mjs|js|ts|wasm|json)$ 1y;
+ # Fontes e Documentos
+ ~*\.(woff2?|ttf|otf|eot|pdf)$ 1y;
+ # Estilos e Outros
+ ~*\.(css|less|scss)$ 1y;
+ # Padrão: Sem Cache de TTL Longo
 default off;
 }
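Review bot: The whitelist entry `~^1. 0;` does not exempt internal IPs: limit_req only skips accounting when the key is an empty string, and `0` is a non-empty one-character key, so every internal address now shares a single `global_limit` bucket keyed `"0"` and is throttled collectively at 20r/s, the opposite of what the comment and rate_limit.conf state. The regex also requires a character after the `1`, so if `$security_score` can ever be empty an internal request falls through to `default` and is limited by address like anyone else. Change the line to `~^1 "";`, which is what the removed map did for this case. Separately, the `"00"` branch and `default` both yield `$binary_remote_addr`, so the "unified key with penalty" does nothing different for suspicious clients; the penalty actually lives in `$heavy_limit_key`, so either collapse the two branches or reword the header comment to say so.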