From a86fb6bb6e93d11a41aea99c4662775d366f2f0d Mon Sep 17 00:00:00 2001
From: "srvproxy001.itguys.com.br"
Date: Tue, 14 Oct 2025 08:32:04 -0300
Subject: [PATCH] =?UTF-8?q?[Auto-Sync]=20Atualiza=C3=A7=C3=A3o=20das=20con?=
 =?UTF-8?q?figura=C3=A7=C3=B5es=20em=20srvproxy001.itguys.com.br=20-=20202?=
 =?UTF-8?q?5-10-14=2008:32:04?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../petytransportes.com.br.conf | 178 ++++++++++++++++++
 1 file changed, 178 insertions(+)
 create mode 100644 nginx/sites-available/petytransportes.com.br.conf
diff --git a/nginx/sites-available/petytransportes.com.br.conf b/nginx/sites-available/petytransportes.com.br.conf
new file mode 100644
index 0000000..7b86ff9
--- /dev/null
+++ b/nginx/sites-available/petytransportes.com.br.conf
@@ -0,0 +1,178 @@
+# ====================================================================================
+# ARQUIVO DE CONFIGURAÇÃO NGINX
+# ------------------------------------------------------------------------------------
+# SITE: petytransportes.com.br (Proxy Reverso para WordPress)
+# AUTOR: Gemini (Especialista NGINX)
+# DATA DA ALTERAÇÃO: 2025-10-14 (v2 - Unificação de Logs)
+#
+# CONTEXTO:
+# - Logs de redirecionamento (HTTP) foram unificados com os logs principais (HTTPS)
+# para centralizar o monitoramento em um único local.
+# - As demais configurações de segurança, cache e hardening permanecem.
+# ====================================================================================
+
+# --- Definição da zona de rate limit para a página de login do WordPress ---
+# Limita as tentativas de login para mitigar ataques de força bruta.
+limit_req_zone $binary_remote_addr zone=pety_wp_login:10m rate=5r/m;
+
+# ====================================================================================
+# SERVIDOR HTTP (PORTA 80) - REDIRECIONAMENTO PARA HTTPS
+# ====================================================================================
+server {
+ listen 80;
+ listen [::]:80;
+ server_name petytransportes.com.br www.petytransportes.com.br;
+
+ # --- Logs Unificados ---
+ # AJUSTE: Logs de redirecionamento agora são enviados para os mesmos arquivos
+ # do servidor principal, usando o formato detalhado para consistência.
+ access_log /var/log/nginx/petytransportes.com.br.access.log detailed_proxy;
+ error_log /var/log/nginx/petytransportes.com.br.error.log warn;
+
+ # --- Rota para Renovação de Certificado SSL (Let's Encrypt) ---
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot; # Adapte este caminho se for diferente
+ }
+
+ # --- Redirecionamento Permanente para HTTPS ---
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+# ====================================================================================
+# SERVIDOR HTTPS (PORTA 443) - CONFIGURAÇÃO PRINCIPAL
+# ====================================================================================
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name petytransportes.com.br www.petytransportes.com.br;
+
+ # --- Logs Dedicados do Site ---
+ # Utiliza o formato 'detailed_proxy' definido no nginx.conf para logs ricos em JSON.
+ access_log /var/log/nginx/petytransportes.com.br.access.log detailed_proxy;
+ error_log /var/log/nginx/petytransportes.com.br.error.log warn;
+
+ # ------------------------------------------------
+ # Segurança
+ # ------------------------------------------------
+
+ # --- BLOQUEIO DE BOTS E URIs MALICIOSAS ---
+ # Utiliza a variável '$block_request' definida globalmente em nginx.conf.
+ if ($block_request) {
+ # Loga a tentativa de acesso malicioso em um arquivo separado
+ access_log /var/log/nginx/petytransportes.com.br.bad-bot.log suspicious_bot;
+ return 404;
+ }
+
+ # --- Proteção contra acesso a arquivos sensíveis ---
+ location ~ /\. { deny all; }
+ location ~* /(?:setup\.php|README\.md|readme\.html|license\.txt|wp-config-sample\.php|web\.config) { deny all; }
+ location ~* \.(env|git|svn|bak|sql|zip|tar\.gz)$ { deny all; }
+ location = /xmlrpc.php { deny all; }
+
+ # ------------------------------------------------
+ # Configuração SSL/TLS
+ # ------------------------------------------------
+ ssl_certificate /etc/letsencrypt/live/petytransportes.com.br/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/petytransportes.com.br/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/petytransportes.com.br/fullchain.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+
+ resolver 8.8.8.8 1.1.1.1 valid=300s;
+ resolver_timeout 5s;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # ------------------------------------------------
+ # Headers de Segurança
+ # ------------------------------------------------
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "no-referrer-when-downgrade" always;
+
+ # ------------------------------------------------
+ # Compressão (Brotli e Gzip)
+ # ------------------------------------------------
+ brotli on;
+ brotli_comp_level 6;
+ brotli_min_length 1024;
+ brotli_types text/plain text/css application/javascript application/json image/svg+xml application/xml+rss;
+
+ gzip on;
+ gzip_min_length 1024;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 5;
+ gzip_types text/plain text/css application/javascript application/json image/svg+xml application/xml+rss;
+
+ # ------------------------------------------------
+ # Locations (Regras de Proxy Reverso)
+ # ------------------------------------------------
+
+ # --- PROTEÇÃO PARA A PÁGINA DE LOGIN ---
+ location = /wp-login.php {
+ limit_req zone=pety_wp_login burst=3 nodelay;
+
+ proxy_pass https://172.16.12.2;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_ssl_server_name on;
+ proxy_ssl_name $host;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 90s;
+ proxy_buffering off;
+ }
+
+ # --- CACHE PARA ARQUIVOS ESTÁTICOS ---
+ location ~* \.(jpg|jpeg|gif|png|webp|svg|ico|css|js|woff|woff2|ttf|eot)$ {
+ proxy_pass https://172.16.12.2;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_ssl_server_name on;
+ proxy_ssl_name $host;
+
+ proxy_cache static_cache;
+ proxy_cache_key "$scheme$request_method$host$request_uri";
+ proxy_cache_valid 200 304 90d;
+ proxy_cache_valid any 1m;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+
+ add_header X-Cache-Status $upstream_cache_status;
+ expires 90d;
+ access_log off;
+ }
+
+ # --- REGRA GERAL PARA O WORDPRESS ---
+ location / {
+ proxy_pass https://172.16.12.2;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_ssl_server_name on;
+ proxy_ssl_name $host;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_connect_timeout 90s;
+ proxy_send_timeout 90s;
+ proxy_read_timeout 90s;
+ proxy_buffering off;
+ }
+}
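Review bot: The `access_log` placed inside `if ($block_request) { … }` at server level is not a permitted context — nginx only accepts `access_log` inside an `if` that sits in a location block — so `nginx -t` should reject this file as written; move the logging out of the `if` as a conditional server-level directive, `access_log /var/log/nginx/petytransportes.com.br.bad-bot.log suspicious_bot if=$block_request;`, and leave only `return 404;` inside the `if`. The static-asset location (`location ~* \.(jpg|…|eot)$`) declares its own `add_header X-Cache-Status`, which stops the server-level `add_header` security headers (Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) from being inherited into it, so cached assets are served without them; either repeat those four `add_header` lines inside that location or drop `X-Cache-Status` there. All three `proxy_pass https://172.16.12.2` blocks enable SNI but never set `proxy_ssl_verify on` with a `proxy_ssl_trusted_certificate`, so the upstream certificate is not validated and the backend TLS does not authenticate the origin; if the backend uses an internal CA, point `proxy_ssl_trusted_certificate` at it. Also, the `http2` parameter on `listen` is deprecated in favour of a separate `http2 on;` on nginx 1.25.1 and later, and `proxy_set_header Connection "upgrade"` in the `/wp-login.php` location sends an upgrade hint on every login request without a matching `Upgrade` header — it looks copied from the websocket-capable `location /` block and can be dropped.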