feat: Moderniza Cache Assets (Modern Web) e Rate-Limit Penalizado

2026-02-04 20:15:11 -03:00 · 2026-02-04 20:15:11 -03:00 · 5d1936e63e
parent b6116b975b
commit 5d1936e63e
4 changed files with 38 additions and 18 deletions
--- a/conf.d/ferreirareal.com.br.conf
+++ b/conf.d/ferreirareal.com.br.conf
@ -70,13 +70,18 @@ server {
        proxy_pass http://ferreirareal_backend;
    }

-    # 2. Assets Estáticos (CACHE AGRESSIVO)
-    location ~* \.(jpg|jpeg|gif|png|webp|svg|css|js|ico|woff2?|ttf|json)$ {
-        expires 1y;
+    # 2. Assets Estáticos (CACHE AGRESSIVO & MODERN)
+    location ~* \.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg|mjs|js|ts|wasm|json|woff2?|ttf|otf|eot|pdf|css|less|scss)$ {
+        expires $cache_asset_ttl;
        add_header Cache-Control "public, immutable";
-        add_header Alt-Svc 'h3=":443"; ma=86400'; # Garante anúncio H3 em assets
+        add_header Alt-Svc 'h3=":443"; ma=86400';
        proxy_cache_valid 200 30d;
        proxy_pass http://ferreirareal_backend;
+        
+        # Rate Limit Diferenciado
+        limit_req zone=global_limit burst=50 nodelay;
+        limit_req zone=punishment_limit burst=5 nodelay;
+        
        access_log off;
    }

--- a/snippets/log_formats.conf
+++ b/snippets/log_formats.conf
@ -72,5 +72,6 @@ log_format detailed_proxy escape=json
 '"is_suspicious_uri":"$is_suspicious_uri",'
 '"block_request":"$block_request",'
 '"risk_level":"$risk_level",'
+'"security_score":"$security_score",'
 '"is_internal_ip":"$is_internal"'
 '}';
--- a/snippets/rate_limit.conf
+++ b/snippets/rate_limit.conf
@ -1,6 +1,8 @@
 # Rate Limit Zones
 # Include this file in nginx.conf http block

-# Smart rate limiting - excludes internal IPs
-limit_req_zone $limit_key zone=global_limit:20m rate=10r/s;
-limit_req_zone $bad_bot_key zone=bad_bot_limit:10m rate=5r/m;
+# Smart rate limiting - IPs internos são ignorados ($limit_key = "")
+limit_req_zone $limit_key zone=global_limit:20m rate=20r/s;
+
+# Zona de Penalidade (Heavy Limit) - Para quem tem Score de Risco > 0
+limit_req_zone $heavy_limit_key zone=punishment_limit:10m rate=1r/s;
--- a/snippets/security_maps.conf
+++ b/snippets/security_maps.conf
@ -97,20 +97,32 @@ geo $is_internal {
    45.169.87.175 1; 45.169.73.154 1; 201.73.213.129 1;
 }

-# Rate Limit Key (excludes internal IPs)
-map $is_internal $limit_key {
-    0 $binary_remote_addr;
-    1 "";
+# --- modern Rate Limiting & Performance Maps ---
+
+# 1. Chave Unificada de Rate Limit com Penalidade
+# IPs internos são liberados, IPs suspeitos (score > 0) caem em zonas de limitação mais agressivas.
+map $is_internal$security_score $limit_key {
+    ~^1. 0; # Whitelist para IPs Internos (independente de score)
+    "00" $binary_remote_addr; # Tráfego Limpo
+    default $binary_remote_addr; # Qualquer outra coisa (Suspeitos)
 }

-# Bad Bot Rate Limit Key
-map $is_bad_bot $bad_bot_key {
-    1 $binary_remote_addr;
-    default "";
+# 2. Chave de "Castigo" para Bots e Ataques (Tarpit / Delay)
+map $security_score $heavy_limit_key {
+    0 "";
+    default $binary_remote_addr; # Apenas quem tem pontuação de risco entra aqui
 }

-# Cache Asset TTL
-map $request_uri $cache_asset {
-    ~*\.(css|js|mjs|svg|gif|png|jpg|jpeg|ico|wasm|woff|woff2|ttf|otf)$ 1y;
+# 3. Cache Asset TTL - Suporte Total 2026 (Modern Web)
+map $request_uri $cache_asset_ttl {
+    # Imagens Modernas e Tradicionais
+    ~*\.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg)$ 1y;
+    # Scripts Modernos (Modules) e Tradicionais
+    ~*\.(mjs|js|ts|wasm|json)$ 1y;
+    # Fontes e Documentos
+    ~*\.(woff2?|ttf|otf|eot|pdf)$ 1y;
+    # Estilos e Outros
+    ~*\.(css|less|scss)$ 1y;
+    # Padrão: Sem Cache de TTL Longo
    default off;
 }