From a06171b8893db0f92e8b75739e3ddee2a96e0280 Mon Sep 17 00:00:00 2001
From: "srvproxy001.itguys.com.br"
Date: Sat, 25 Oct 2025 20:53:31 -0300
Subject: [PATCH] =?UTF-8?q?[Auto-Sync]=20Atualiza=C3=A7=C3=A3o=20das=20con?= =?UTF-8?q?figura=C3=A7=C3=B5es=20em=20srvproxy001.itguys.com.br=20-=20202?= =?UTF-8?q?5-10-25=2020:53:31?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../verbocloud.itguys.com.br.conf | 263 ++++++++++++++++++
 1 file changed, 263 insertions(+)
 create mode 100644 nginx/sites-available/verbocloud.itguys.com.br.conf
diff --git a/nginx/sites-available/verbocloud.itguys.com.br.conf b/nginx/sites-available/verbocloud.itguys.com.br.conf
new file mode 100644
index 0000000..f1e55f1
--- /dev/null
+++ b/nginx/sites-available/verbocloud.itguys.com.br.conf
@@ -0,0 +1,263 @@
+# ----------------------------------------------------------------------
+# Configuração: Nextcloud AIO + Office Online Server (Nativo)
+# Data: 2025-10-25
+# Domínio: verbocloud.itguys.com.br
+#
+# Arquitetura:
+# - Nginx (Este servidor)
+# - Backend AIO: 172.16.253.13:11500 (HTTP)
+# - Backend OOS: 172.16.253.13:443 (HTTPS - Nativo no Windows)
+#
+# ATUALIZAÇÃO:
+# - Adicionado Bloco para Nextcloud Talk (HPB / Push).
+# - Adicionado Micro-cache de API (para otimizar Photos, Deck, Notes, etc.)
+# - Diretórios de cache EXCLUSIVOS para este site.
+# ----------------------------------------------------------------------
+
+# ----------------------------------------------------------------------
+# Definições de Cache (EXCLUSIVOS para verbocloud)
+# ----------------------------------------------------------------------
+proxy_cache_path /var/cache/nginx/verbocloud_session_cache levels=1:2 keys_zone=verbocloud_session_cache:10m inactive=60m max_size=100m;
+proxy_cache_path /var/cache/nginx/verbocloud_foldertree_cache levels=1:2 keys_zone=verbocloud_foldertree_cache:10m inactive=1m max_size=100m;
+
+# ----------------------------------------------------------------------
+# Declaração dos Backends
+# ----------------------------------------------------------------------
+
+# Backend 1: O contêiner do Nextcloud AIO no Windows Server
+upstream nextcloud_aio_backend {
+ server 172.16.253.13:11500;
+}
+
+# Backend 2: O Office Online Server (nativo no Windows Server)
+upstream office_online_backend {
+ # Assumindo que o OOS está na porta 443 (HTTPS)
+ server 172.16.253.13:443;
+}
+
+# ----------------------------------------------------------------------
+# Servidor HTTP (Porta 80)
+# - Redireciona para HTTPS
+# - Responde aos desafios do Let's Encrypt (Certbot)
+# ----------------------------------------------------------------------
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name verbocloud.itguys.com.br;
+
+ location /.well-known/acme-challenge/ {
+ root /var/www/html; # Ajuste o caminho se necessário
+ allow all;
+ }
+
+ # Redirecionamento global para HTTPS
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+# ----------------------------------------------------------------------
+# Servidor HTTPS (Porta 443)
+# - Ponto de terminação SSL
+# - Proxy reverso para AIO e OOS
+# - Headers de segurança
+# ----------------------------------------------------------------------
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name verbocloud.itguys.com.br;
+
+ # --- Logs Exclusivos (Conforme solicitado) ---
+ access_log /var/log/nginx/verbocloud.itguys.com.br.access.log detailed_proxy;
+ error_log /var/log/nginx/verbocloud.itguys.com.br.error.log warn;
+ # (Descomente o log de bad-bot quando implementar o $is_bad_bot)
+ # access_log /var/log/nginx/verbocloud.itguys.com.br.bad-bot.log suspicious_bot if=$is_bad_bot;
+
+ # --- Configurações de SSL ---
+ ssl_certificate /etc/letsencrypt/live/verbocloud.itguys.com.br/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/verbocloud.itguys.com.br/privkey.pem; # managed by Certbot
+ ssl_trusted_certificate /etc/letsencrypt/live/verbocloud.itguys.com.br/fullchain.pem;
+
+ # --- Otimizações de TLS (Baseado no SSLLabs e no seu arquivo antigo) ---
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers on;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+
+ # --- OCSP Stapling ---
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 1.1.1.1 8.8.8.8 valid=300s; # Usando resolvers públicos
+ resolver_timeout 5s;
+
+ # --- Headers de Segurança ---
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ # --- Configurações do Proxy ---
+ client_max_body_size 10G;
+
+ # ---------------------------------------------------
+ # REGRAS DO OFFICE ONLINE SERVER (OOS)
+ # (Estas devem vir ANTES do location / principal)
+ # ---------------------------------------------------
+
+ # Rota de Descoberta (Discovery)
+ location = /hosting/discovery {
+ proxy_pass https://office_online_backend;
+ # ===> ATENÇÃO: Substitua pelo Hostname INTERNO que o OOS espera <===
+ proxy_set_header Host "oos.interno.verbocg.local";
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Accept-Encoding "";
+ # Essencial se o OOS usa certificado autoassinado
+ proxy_ssl_verify off;
+ }
+
+ # Rotas de Serviço (Word, Excel, etc.)
+ location ~ ^/(m|x|we|o|p|wv|op|wd|rtc|rtc2|layouts|view|_layouts)/ {
+ proxy_pass https://office_online_backend;
+ # ===> ATENÇÃO: Substitua pelo Hostname INTERNO que o OOS espera <===
+ proxy_set_header Host "oos.interno.verbocg.local";
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ # WebSockets - Essencial para OOS
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Accept-Encoding "";
+ # Essencial se o OOS usa certificado autoassinado
+ proxy_ssl_verify off;
+
+ # CORS - Essencial para OOS
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' "$scheme://$http_host";
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, HEAD';
+ add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Accept, Origin, User-Agent, DNT, Cache-Control, X-Mx-ReqToken, Keep-Alive, X-Requested-With, If-Modified-Since, X-UserType';
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Max-Age' 1728000;
+ return 204;
+ }
+ add_header 'Access-Control-Allow-Origin' "$scheme://$http_host";
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ }
+
+ # ---------------------------------------------------
+ # REGRAS DO NEXTCLOUD AIO
+ # ---------------------------------------------------
+
+ # Redirecionamentos CalDAV/CardDAV
+ location = /.well-known/carddav { return 301 /remote.php/dav; }
+ location = /.well-known/caldav { return 301 /remote.php/dav; }
+ location = /.well-known/webfinger { return 301 /index.php/.well-known/webfinger; }
+ location = /.well-known/nodeinfo { return 301 /index.php/.well-known/nodeinfo; }
+
+ # --- NOVO: Nextcloud Talk High-Performance Backend (HPB) ---
+ # Rota para o servidor de sinalização (Notify Push)
+ location /nextcloud/push {
+ proxy_pass http://nextcloud_aio_backend; # Aponta para o AIO
+
+ # Configurações para WebSockets
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Otimizações para conexões longas
+ proxy_buffering off;
+ proxy_request_buffering off;
+ proxy_read_timeout 3600s; # 1 hora (padrão do AIO)
+ proxy_send_timeout 3600s;
+
+ # Não fazer cache desta conexão
+ proxy_cache off;
+ }
+
+ # --- NOVO: API Micro-Cache (para Apps: Photos, Deck, Notes, Tasks) ---
+
+ # Cache da Árvore de Pastas (acelera o 'Files' e 'Photos')
+ location = /apps/files/api/v1/folder-tree {
+ proxy_pass http://nextcloud_aio_backend;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Connection ""; # Re-use backend connections
+ proxy_buffering on;
+
+ proxy_cache verbocloud_foldertree_cache; # <-- Usa cache exclusivo
+ proxy_cache_key "$scheme$request_method$host$request_uri$is_args$args$cookie_nc_session_id";
+ proxy_cache_valid 200 3s; # Cache curto (3 segundos)
+ proxy_cache_lock on; # Evita "thundering herd"
+ proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
+
+ add_header 'X-Cache-FolderTree' $upstream_cache_status always;
+ }
+
+ # Cache de APIs de Sessão (acelera 'Deck', 'Notes', 'Tasks', Notificações)
+ location ~ ^/(ocs/v[12].php/cloud/users|ocs/v[12].php/privatedata/get|ocs/v2.php/apps/notifications/api/v2/notifications|ocs/v[12].php/cloud/apps|ocs/v[12].php/cloud/user) {
+ proxy_pass http://nextcloud_aio_backend;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering on;
+
+ proxy_cache verbocloud_session_cache; # <-- Usa cache exclusivo
+ proxy_cache_key "$host$request_uri|$cookie_nc_session_id";
+ proxy_cache_valid 200 5s; # Cache curto (5 segundos)
+ proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
+
+ add_header 'X-Cache-API-Session' $upstream_cache_status always;
+ }
+
+ # Cache de Estáticos (Opcional, mas bom para performance)
+ location ~ \.(css|js|svg|gif|png|jpg|ico|woff|woff2|tff)$ {
+ proxy_pass http://nextcloud_aio_backend;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+
+ proxy_buffering on;
+ proxy_cache_valid 200 304 7d;
+ expires 7d;
+ add_header Cache-Control "public";
+ }
+
+ # Regra Principal (Nextcloud AIO)
+ location / {
+ proxy_pass http://nextcloud_aio_backend; # <-- Aponta para o AIO (HTTP)
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+
+ # Recomendado pelo AIO para uploads/DAV
+ proxy_buffering off;
+ proxy_request_buffering off;
+ proxy_http_version 1.1;
+
+ # Timeouts longos
+ proxy_connect_timeout 3600s;
+ proxy_send_timeout 3600s;
+ proxy_read_timeout 3600s;
+ }
+}
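Review bot: The server-level security headers are dropped on every response from the four `location` blocks that declare their own `add_header` (the OOS service route, `/apps/files/api/v1/folder-tree`, the `ocs/...` session-API route and the static-file route), because nginx inherits `add_header` only into levels that have none of their own; `Strict-Transport-Security`, `X-Frame-Options`, `X-Content-Type-Options` and `Referrer-Policy` are therefore missing exactly where Office documents and user data are served, so move the five header lines into a snippet and `include` it in each of those locations, or repeat them there. Both OOS locations set `proxy_ssl_verify off` toward an upstream reached by IP; since the backend certificate is known, pin it instead with `proxy_ssl_trusted_certificate /etc/nginx/<OOS_CERT_PLACEHOLDER>.pem; proxy_ssl_verify on; proxy_ssl_name "oos.interno.verbocg.local";` (plus `proxy_ssl_server_name on;` if the OOS host expects SNI) so that a host impersonating 172.16.253.13 cannot read documents in transit. The static-file route has `proxy_cache_valid` without any `proxy_cache` zone, so nginx never caches there, while `expires 7d` and `Cache-Control "public"` apply to every URI ending in those extensions — which on a Nextcloud host presumably includes authenticated user images — so either scope the regex to the asset paths or drop `public`. The two micro-cache keys include `$cookie_nc_session_id` but ignore the `Authorization` header; adding `proxy_cache_bypass $http_authorization; proxy_no_cache $http_authorization;` to both cached locations keeps token-authenticated clients that carry no session cookie from sharing a single cache entry.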