From 812b13d3493c42a5032784c7b659da99287764e8 Mon Sep 17 00:00:00 2001 From: "srvproxy001.itguys.com.br" Date: Tue, 11 Nov 2025 00:50:46 -0300 Subject: [PATCH] =?UTF-8?q?[Auto-Sync]=20Atualiza=C3=A7=C3=A3o=20das=20con?= =?UTF-8?q?figura=C3=A7=C3=B5es=20em=20srvproxy001.itguys.com.br=20-=20202?= =?UTF-8?q?5-11-11=2000:50:46?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../cloud.grupopralog.com.br.conf | 424 ++++++++++++++++++ 1 file changed, 424 insertions(+) create mode 100644 nginx/sites-available/cloud.grupopralog.com.br.conf diff --git a/nginx/sites-available/cloud.grupopralog.com.br.conf b/nginx/sites-available/cloud.grupopralog.com.br.conf new file mode 100644 index 0000000..b9b2879 --- /dev/null +++ b/nginx/sites-available/cloud.grupopralog.com.br.conf @@ -0,0 +1,424 @@ +map $request_uri $cache_asset { + ~*\.(css|js|mjs|svg|gif|png|jpg|jpeg|ico|wasm|woff|woff2|ttf|otf)$ 1y; + default off; +} + +map $request_uri $cacheable_session_request { + ~^/apps/files/$ 1; + ~^/apps/files/files$ 1; + ~^/apps/files/\?dir= 1; + ~^/apps/dashboard/$ 1; + ~^/remote\.php/dav/files/ 1; + default 0; +} + +map $cacheable_session_request $session_cache_zone { + 1 nextcloud_session_cache; + default ""; +} + +upstream nextcloud_backend { + server 172.16.253.12; +} + +upstream officeonline_backend { + server 172.16.253.101; +} + +upstream windmill_backend { + server 172.16.253.103:8000; +} + +server { + listen 80; + listen [::]:80; + server_name cloud.grupopralog.com.br; + + location /.well-known/acme-challenge/ { + root /var/www/html; + } + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name cloud.grupopralog.com.br; + + client_max_body_size 10G; + access_log /var/log/nginx/cloud.grupopralog.com.br.access.log detailed_proxy; + error_log /var/log/nginx/cloud.grupopralog.com.br.error.log warn; + access_log /var/log/nginx/cloud.grupopralog.com.br.bad-bot.log suspicious_bot if=$is_bad_bot; + + #if ($block_request) { + # return 404; + #} + #limit_req zone=global_limit burst=100 nodelay; + + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Referrer-Policy "no-referrer" always; + + client_body_buffer_size 128M; + proxy_buffer_size 512k; + proxy_buffers 32 256k; + proxy_busy_buffers_size 512k; + proxy_connect_timeout 1200s; + proxy_send_timeout 1200s; + proxy_read_timeout 1200s; + proxy_temp_file_write_size 256k; + + proxy_hide_header "X-Content-Type-Options"; + proxy_hide_header "X-Frame-Options"; + proxy_hide_header "Feature-Policy"; + proxy_hide_header "Content-Security-Policy"; + + ssl_certificate /etc/letsencrypt/live/cloud.grupopralog.com.br/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/cloud.grupopralog.com.br/privkey.pem; + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY_1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'; + ssl_prefer_server_ciphers on; + ssl_ecdh_curve X25519:secp256r1:secp384r1; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_session_timeout 1d; + ssl_session_tickets off; + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/letsencrypt/live/cloud.grupopralog.com.br/fullchain.pem; + resolver 127.0.0.1 valid=300s; + resolver_timeout 5s; + + brotli on; + brotli_comp_level 6; + brotli_min_length 1024; + brotli_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/x-icon text/css text/javascript text/plain text/xml; + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_min_length 1024; + gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/x-icon text/css text/javascript text/plain text/xml; + + location = /.well-known/carddav { return 301 /remote.php/dav; } + location = /.well-known/caldav { return 301 /remote.php/dav; } + + location = /hosting/discovery { + proxy_pass https://officeonline_backend; + proxy_set_header Host "srvoffice001.itguys.com.br"; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Accept-Encoding ""; + + # IMPORTANTE: Permite que o Nginx se conecte ao OOS com certificado autoassinado. + proxy_ssl_verify off; + } + + location ~ ^/(m|x|we|o|p|wv|op|wd|rtc|rtc2|layouts|view|_layouts)/ { + proxy_pass https://officeonline_backend; + proxy_set_header Host "srvoffice001.itguys.com.br"; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Accept-Encoding ""; + proxy_buffering off; + proxy_request_buffering off; + proxy_connect_timeout 1200s; + proxy_send_timeout 1200s; + proxy_read_timeout 1200s; + sub_filter 'srvoffice001.itguys.com.br' 'cloud.grupopralog.com.br'; + sub_filter_once off; + sub_filter_types text/css text/javascript application/javascript application/json; + + if ($request_method = 'OPTIONS') { + more_set_headers 'Access-Control-Allow-Origin: "$scheme://$http_host"'; + more_set_headers 'Access-Control-Allow-Methods: GET, POST, OPTIONS, HEAD'; + more_set_headers 'Access-Control-Allow-Headers: Authorization, Content-Type, Accept, Origin, User-Agent, DNT, Cache-Control, X-Mx-ReqToken, Keep-Alive, X-Requested-With, If-Modified-Since, X-UserType'; + more_set_headers 'Access-Control-Allow-Credentials: true' always; + more_set_headers 'Access-Control-Max-Age: 1728000' always; + return 204; + } + + more_set_headers 'Access-Control-Allow-Origin: "$scheme://$http_host"'; + more_set_headers 'Access-Control-Allow-Credentials: true'; + } + + location ~* \.(?:css|js|mjs|svg|gif|png|jpg|jpeg|ico|wasm|woff|woff2|ttf|otf|map)$ { + proxy_pass http://nextcloud_backend; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_cache nextcloud_cache; + proxy_cache_valid 200 12h; + proxy_cache_valid any 1m; + proxy_cache_revalidate on; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + + more_set_headers 'Cache-Control: public, max-age=43200'; + more_set_headers 'X-Proxy-Cache: $upstream_cache_status'; + + proxy_hide_header "Cache-Control"; + proxy_hide_header "Expires"; + proxy_hide_header "Pragma"; + brotli_static on; + gzip_static on; + } + + location ~ ^/(remote\.php/(webdav|dav)|ocs/v[12]\.php/apps/forms/api/.*/submissions/files/.*) { + proxy_pass http://nextcloud_backend; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + + proxy_http_version 1.1; + proxy_set_header Connection ""; + + # Desabilita o buffering para streaming de arquivos + proxy_buffering off; + proxy_request_buffering off; + + # Timeouts longos para uploads/downloads + proxy_connect_timeout 60s; + proxy_read_timeout 1200s; + proxy_send_timeout 1200s; + } + + location = /ocs/v2.php/apps/recommendations/api/v1/recommendations { + proxy_pass http://nextcloud_backend; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering on; + proxy_cache nextcloud_session_cache; + proxy_cache_key "$scheme$request_method$host$request_uri$is_args$args$cookie_nc_session_id"; + proxy_cache_valid 200 1d; + proxy_cache_revalidate on; + proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504; + more_set_headers 'X-API-Rec-Cache: $upstream_cache_status'; + } + + location ~ ^/(apps/files/api/v1/folder-tree|ocs/v2\.php/apps/files/api/v1/folder-tree) { + proxy_pass http://nextcloud_backend; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_http_version 1.1; + proxy_set_header Connection ""; + + proxy_buffering on; + + # Usar a zona de cache 'foldertree_cache' que você já tinha, ou a 'nextcloud_cache' + proxy_cache foldertree_cache; + proxy_cache_key "$scheme$request_method$host$request_uri$is_args$args$cookie_nc_session_id"; + + # Cache de 3 segundos + proxy_cache_valid 200 3s; + proxy_cache_lock on; + proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504; + + # Ignora "no-cache" do backend + proxy_ignore_headers "Cache-Control" "Expires" "Pragma"; + proxy_hide_header "Cache-Control"; + proxy_hide_header "Pragma"; + proxy_hide_header "Expires"; + add_header Cache-Control "public, max-age=3"; + + # Header de depuração + more_set_headers 'X-FolderTree-Cache: $upstream_cache_status'; + } + + location ~ ^/(ocs/v[12].php/cloud/users|ocs/v[12].php/privatedata/get|ocs/v2.php/apps/notifications/api/v2/notifications|ocs/v[12].php/cloud/apps|ocs/v[12].php/cloud/user|ocs/v[12].php/privatedata/get/userinfo) { + proxy_pass http://nextcloud_backend; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering on; + proxy_cache nextcloud_cache; + proxy_cache_key "$host$request_uri|$cookie_nc_session_id"; + proxy_cache_valid 200 5s; + proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504; + more_set_headers 'X-APIMicroCache-Status: $upstream_cache_status'; + } + + location ~ ^/(remote\.php/(webdav|dav)|ocs/v[12]\.php/apps/forms/api/.*/submissions/files/.*) { + proxy_pass http://nextcloud_backend; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_http_version 1.1; + proxy_set_header Connection ""; + + # --- Lógica de Cache vs. Streaming --- + + # 1. Por padrão, desabilitamos o buffering para streaming (uploads/downloads) + proxy_buffering off; + proxy_request_buffering off; + + # 2. SE for um PROPFIND (listagem de diretório), ligamos o buffering e o cache + if ($request_method = PROPFIND) { + proxy_buffering on; + proxy_request_buffering on; # Necessário para o cache + + proxy_cache nextcloud_cache; # Usar a zona de cache + # IMPORTANTE: Autorizar cache do método PROPFIND + proxy_cache_methods PROPFIND; + # Chave de cache por usuário/sessão + proxy_cache_key "$host$request_uri|$cookie_nc_session_id"; + + # Cache de 10 segundos para listagens de pasta (status 200 e 207) + proxy_cache_valid 200 207 10s; + proxy_cache_lock on; + proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504; + + # Header para depuração + more_set_headers 'X-DAV-Cache: $upstream_cache_status'; + + # Ignorar "no-cache" do backend para PROPFIND + proxy_ignore_headers "Cache-Control" "Expires" "Pragma"; + proxy_hide_header "Cache-Control"; + proxy_hide_header "Pragma"; + proxy_hide_header "Expires"; + add_header Cache-Control "public, max-age=10"; + } + + # Timeouts longos (mantém para uploads/downloads) + proxy_connect_timeout 60s; + proxy_read_timeout 1200s; + proxy_send_timeout 1200s; + } + + location ~ ^/(apps/tables/(api|row|share)|index\.php/apps/tables/api/1|ocs/v2\.php/apps/tables/api/2) { + proxy_pass http://nextcloud_backend; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_http_version 1.1; + proxy_set_header Connection ""; + + # Habilita buffering para cache + proxy_buffering on; + + # Define a chave de cache por usuário (baseado no cookie de sessão) + proxy_cache nextcloud_cache; + proxy_cache_key "$host$request_uri|$cookie_nc_session_id"; + + # Cache de 3 segundos para dados dinâmicos. + # Isso agrupa requisições idênticas feitas durante o carregamento da página. + proxy_cache_valid 200 3s; + + # Trava o cache para evitar que múltiplas requisições batam no backend (Thundering Herd) + proxy_cache_lock on; + + # Entrega conteúdo antigo se o backend falhar + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + + # Força o Nginx a IGNORAR os headers "não-cacheie" (no-cache, no-store) vindos do Nextcloud + proxy_ignore_headers "Cache-Control" "Expires" "Pragma"; + + # Esconde os headers originais do backend para o cliente + proxy_hide_header "Cache-Control"; + proxy_hide_header "Pragma"; + proxy_hide_header "Expires"; + + # Adiciona nosso próprio header de cache para o navegador (3 segundos) + add_header Cache-Control "public, max-age=3"; + + # Header para depuração (para vermos se o cache funcionou) + more_set_headers 'X-Tables-Cache: $upstream_cache_status'; + } + + location ~ ^/(index\.php/apps/files/api/v1/thumbnail/|ocs/v2\.php/apps/files/api/v1/(directEditing|templates|folder-tree)) { + proxy_pass http://nextcloud_backend; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_http_version 1.1; + proxy_set_header Connection ""; + + # Habilita buffering para cache + proxy_buffering on; + + # Reutiliza a zona de cache principal + proxy_cache nextcloud_cache; + proxy_cache_key "$host$request_uri|$cookie_nc_session_id"; + + # Cache de 3 segundos (bom para APIs) + # Nota: Você poderia criar um cache mais longo (ex: 1h) + # se o /thumbnail/ for muito usado, mas 3s é seguro. + proxy_cache_valid 200 3s; + + # Trava o cache (Thundering Herd) + proxy_cache_lock on; + + # Entrega conteúdo antigo se o backend falhar + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + + # Ignora headers "não-cacheie" + proxy_ignore_headers "Cache-Control" "Expires" "Pragma"; + + # Esconde os headers originais + proxy_hide_header "Cache-Control"; + proxy_hide_header "Pragma"; + proxy_hide_header "Expires"; + + # Adiciona nosso header de cache (3 segundos) + add_header Cache-Control "public, max-age=3"; + + # Header para depuração + more_set_headers 'X-Files-API-Cache: $upstream_cache_status'; + } + + location / { + proxy_pass http://nextcloud_backend; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + + proxy_cache $session_cache_zone; + proxy_cache_key "$scheme$request_method$host$request_uri$is_args$args$cookie_nc_session_id"; + proxy_cache_valid 200 5m; + proxy_cache_revalidate on; + proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504; + proxy_cache_bypass $http_cache_control; + proxy_no_cache $http_cache_control; + + more_set_headers 'X-Session-Cache: $upstream_cache_status'; + + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_connect_timeout 60s; + proxy_read_timeout 1200s; + proxy_send_timeout 1200s; + proxy_buffering on; + proxy_request_buffering off; + proxy_buffer_size 512k; + proxy_buffers 32 256k; + proxy_busy_buffers_size 512k; + } +}