From aef892572ec7570de91493c742a9c7f4485e4a51 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Pedro=20Toledo?=
Date: Wed, 4 Feb 2026 19:18:40 -0300
Subject: [PATCH] feat: Estrutura de Snippets, Logs JSON e WAF
---
 modsec/main.conf | 11 +++++++++++
 nginx.conf | 29 +++++++++++++++++------------
 snippets/acme_challenge.conf | 10 ++++------
 snippets/blacklist.conf | 2 ++
 snippets/modsecurity.conf | 6 ++++++
 snippets/proxy_params.conf | 15 +++++++++++++++
 snippets/ssl_params.conf | 15 +++++++++++++++
 7 files changed, 70 insertions(+), 18 deletions(-)
 create mode 100644 modsec/main.conf
 create mode 100644 snippets/blacklist.conf
 create mode 100644 snippets/modsecurity.conf
 create mode 100644 snippets/proxy_params.conf
 create mode 100644 snippets/ssl_params.conf
diff --git a/modsec/main.conf b/modsec/main.conf
new file mode 100644
index 0000000..07138e6
--- /dev/null
+++ b/modsec/main.conf
@@ -0,0 +1,11 @@
+# ModSecurity Main Configuration File
+
+# Include base configuration
+include /etc/nginx/modsec/modsecurity.conf-recommended
+
+# Configure OWASP Core Rule Set
+include /etc/nginx/modsec/owasp-crs/crs-setup.conf
+include /etc/nginx/modsec/owasp-crs/rules/*.conf
+
+# Include Custom Rules
+# include /etc/nginx/modsec/custom_rules.conf
diff --git a/nginx.conf b/nginx.conf
index 4fa8235..35c1c13 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -1,6 +1,9 @@
-load_module modules/ngx_http_brotli_filter_module.so;
-load_module modules/ngx_http_brotli_static_module.so;
-load_module modules/ngx_http_headers_more_filter_module.so;
+# NGINX Master Configuration - Pathfinder Proxy
+
+# Load essential modules
+# load_module modules/ngx_http_modsecurity_module.so; # Se compilado dinamicamente
+# load_module modules/ngx_http_brotli_filter_module.so;
+# load_module modules/ngx_http_brotli_static_module.so;
 user nginx;
 worker_processes auto;
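Review bot: modsec/main.conf never sets `SecRuleEngine`, and the included `modsecurity.conf-recommended` ships with `SecRuleEngine DetectionOnly`, so unless that vendored file has been edited the engine switched on by `modsecurity on;` in snippets/modsecurity.conf only logs and never blocks. Add an explicit `SecRuleEngine On` directly after the base include so the blocking decision lives in this repo-controlled file rather than in a file that gets overwritten on upgrade. The CRS `crs-setup.conf` is also distributed as `crs-setup.conf.example` and has to be copied into place before the include resolves, which is worth a one-line comment next to it since a missing file fails the whole reload.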
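Review bot: The `load_module` line for `ngx_http_headers_more_filter_module.so` is dropped outright rather than commented out like the two brotli lines, so any site in `conf.d/` that still uses `more_set_headers`/`more_clear_headers` fails `nginx -t` with an unknown directive, and the same applies to `brotli` directives now that both brotli modules are disabled. The ModSecurity `load_module` is also commented out while the new snippets/modsecurity.conf issues `modsecurity on;`, which only works if the module is compiled in statically; the trailing `# Se compilado dinamicamente` hints that is understood, but the assumption is not recorded anywhere a deployer would see it. Either keep that line active or state the static-build requirement in a comment on the snippet.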
@@ -18,28 +21,30 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
+ # Performance
 sendfile on;
 tcp_nopush on;
+ tcp_nodelay on;
 server_tokens off;
 proxy_headers_hash_bucket_size 512;
 client_max_body_size 0;
- keepalive_timeout 65;
- # SSL Settings
+ # Logging JSON (Detailed)
+ include /etc/nginx/snippets/log_formats.conf;
+ access_log /var/log/nginx/access.log detailed_proxy;
+
+ # SSL Settings (Global)
 ssl_session_cache shared:SSL:50m;
 ssl_session_timeout 1d;
 ssl_session_tickets off;
- # Snippets
+ # Security Snippets
 include /etc/nginx/snippets/security_maps.conf;
- include /etc/nginx/snippets/log_formats.conf;
- include /etc/nginx/snippets/cache_zones.conf;
 include /etc/nginx/snippets/rate_limit.conf;
-
- # Logging
- # Assumes 'detailed_proxy' is defined in log_formats.conf
- access_log /var/log/nginx/access.log detailed_proxy;
+
+ # Ativação Global da Blacklist
+ include /etc/nginx/snippets/blacklist.conf;
 # Site Configurations
 include /etc/nginx/conf.d/*.conf;
diff --git a/snippets/acme_challenge.conf b/snippets/acme_challenge.conf
index 72ccc3f..0c99c7b 100644
--- a/snippets/acme_challenge.conf
+++ b/snippets/acme_challenge.conf
@@ -1,9 +1,7 @@
-# ACME Challenge Snippet
-# Include this in port 80 server blocks to allow Certbot validation
-
+# ACME Challenge for Certbot
 location ^~ /.well-known/acme-challenge/ {
- root /var/www/html;
- try_files $uri =404;
 allow all;
- auth_basic off;
+ root /var/lib/letsencrypt/;
+ default_type "text/plain";
+ try_files $uri =404;
 }
diff --git a/snippets/blacklist.conf b/snippets/blacklist.conf
new file mode 100644
index 0000000..af0e7ee
--- /dev/null
+++ b/snippets/blacklist.conf
@@ -0,0 +1,2 @@
+# Arquivo gerado automaticamente pelo Fail2Ban
+# IPs bloqueados aparecerão aqui como: deny 1.2.3.4;
diff --git a/snippets/modsecurity.conf b/snippets/modsecurity.conf
new file mode 100644
index 0000000..f506b05
--- /dev/null
+++ b/snippets/modsecurity.conf
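Review bot: `include /etc/nginx/snippets/blacklist.conf;` is added here at `http` level and the same file is included again inside snippets/modsecurity.conf, so every `deny` that Fail2Ban writes is evaluated twice; an `http`-level `deny` already covers every server, so the second include only adds confusion and should be dropped from the snippet. Because the included file is rewritten by Fail2Ban at runtime, a malformed or half-written line makes the next `nginx -t`/reload fail and the file must exist (comments only are fine) on a fresh deploy, so a comment such as `# written by Fail2Ban; its action must run nginx -t before reload` belongs next to the include. Removing `keepalive_timeout 65;` silently falls back to nginx's 75s default and dropping the `cache_zones.conf` include breaks any site that still references a `proxy_cache` zone; both are behaviour changes the commit title does not mention.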
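Review bot: `auth_basic off;` is removed from the ACME location, so in any server block that enables `auth_basic` the challenge path now demands credentials and Certbot's HTTP-01 validation fails at renewal time; the kept `allow all;` only overrides `deny` rules, not basic auth, so it does not cover this. Keep `auth_basic off;` next to the new `root`. The new `root /var/lib/letsencrypt/;` also presumes Certbot runs with `--webroot -w /var/lib/letsencrypt`; a one-line comment, `# must match certbot --webroot-path`, would save the next person a 404 hunt.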
@@ -0,0 +1,6 @@
+# ModSecurity Engine Configuration
+modsecurity on;
+modsecurity_rules_file /etc/nginx/modsec/main.conf;
+
+# Inclusão da Blacklist Dinâmica do Fail2Ban
+include /etc/nginx/snippets/blacklist.conf;
diff --git a/snippets/proxy_params.conf b/snippets/proxy_params.conf
new file mode 100644
index 0000000..44ac451
--- /dev/null
+++ b/snippets/proxy_params.conf
@@ -0,0 +1,15 @@
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Port $server_port;
+
+# Buffers
+proxy_buffers 32 4k;
+proxy_buffer_size 8k;
+
+# Timeouts
+proxy_connect_timeout 60s;
+proxy_send_timeout 60s;
+proxy_read_timeout 60s;
diff --git a/snippets/ssl_params.conf b/snippets/ssl_params.conf
new file mode 100644
index 0000000..c8e1ec1
--- /dev/null
+++ b/snippets/ssl_params.conf
@@ -0,0 +1,15 @@
+# SSL/TLS Params - Requisitos: Nginx com HTTP/3
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+# HSTS
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+# HTTP/3 (QUIC) Alt-Svc
+add_header Alt-Svc 'h3=":443"; ma=86400';
+
+# OCSP Stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 1.1.1.1 8.8.8.8 valid=300s;
+resolver_timeout 5s;
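Review bot: The final `include /etc/nginx/snippets/blacklist.conf;` is an nginx access-control include, not ModSecurity configuration, and since nginx.conf already includes that same file at `http` level it is redundant in every block this snippet is pulled into; drop it so the snippet does only what its name says. The header comment should also state where the snippet is meant to be included and what it depends on, e.g. `# Include in server {} or location {}; requires ngx_http_modsecurity_module loaded and /etc/nginx/modsec/main.conf present`, because `modsecurity_rules_file` makes any CRS parse error fail the whole reload. Whether the engine actually blocks is decided by `SecRuleEngine` in main.conf, not by `modsecurity on;` here, which is worth saying in the comment as well.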
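Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends `$remote_addr` to whatever the client sent, so the header reaching the upstream can start with an arbitrary client-chosen address; if an upstream, or the Fail2Ban filter reading the new JSON access log, takes the first entry as the client IP, bans and rate limits can be pointed at the wrong address. If this proxy is the internet-facing edge, set it from `$remote_addr` instead, or at least add `# first XFF entry is client-controlled; upstreams must trust only the last hop` above the line so the trust boundary is explicit. `X-Real-IP $remote_addr` is the value that can be trusted, and the file should say so next to it.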
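Review bot: `ssl_stapling_verify on;` is enabled without an `ssl_trusted_certificate`, and nginx documents that the issuer chain must be configured there for OCSP responses to verify; without it the response fails verification and no staple is sent, which quietly defeats the OCSP block. Both `add_header` lines (HSTS and Alt-Svc) are also lost in any `server` or `location` that declares its own `add_header`, since nginx only inherits `add_header` when the current level has none; a comment such as `# add_header is not inherited into blocks that set their own add_header; repeat HSTS there` would flag this, because a silently dropped HSTS header is invisible in normal testing. The unconditional `Alt-Svc 'h3=":443"'` additionally assumes every server using this snippet has a `listen 443 quic`, which the header comment mentions but the snippet cannot enforce.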