feat: Estrutura de Snippets, Logs JSON e WAF

modsec/main.conf

@@ -0,0 +1,11 @@
+# ModSecurity Main Configuration File
+
+# Include base configuration
+include /etc/nginx/modsec/modsecurity.conf-recommended
+
+# Configure OWASP Core Rule Set
+include /etc/nginx/modsec/owasp-crs/crs-setup.conf
+include /etc/nginx/modsec/owasp-crs/rules/*.conf
+
+# Include Custom Rules
+# include /etc/nginx/modsec/custom_rules.conf

nginx.conf

@@ -1,6 +1,9 @@
-load_module modules/ngx_http_brotli_filter_module.so;
-load_module modules/ngx_http_brotli_static_module.so;
-load_module modules/ngx_http_headers_more_filter_module.so;
+# NGINX Master Configuration - Pathfinder Proxy
+
+# Load essential modules
+# load_module modules/ngx_http_modsecurity_module.so; # Se compilado dinamicamente
+# load_module modules/ngx_http_brotli_filter_module.so;
+# load_module modules/ngx_http_brotli_static_module.so;
 
 user nginx;
 worker_processes auto;
@@ -18,28 +21,30 @@ http {
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
 
+    # Performance
     sendfile on;
     tcp_nopush on;
+    tcp_nodelay on;
     server_tokens off;
     proxy_headers_hash_bucket_size 512;
     client_max_body_size 0;
-
     keepalive_timeout 65;
 
-    # SSL Settings
+    # Logging JSON (Detailed)
+    include /etc/nginx/snippets/log_formats.conf;
+    access_log /var/log/nginx/access.log detailed_proxy;
+
+    # SSL Settings (Global)
     ssl_session_cache shared:SSL:50m;
     ssl_session_timeout 1d;
     ssl_session_tickets off;
 
-    # Snippets
+    # Security Snippets
     include /etc/nginx/snippets/security_maps.conf;
-    include /etc/nginx/snippets/log_formats.conf;
-    include /etc/nginx/snippets/cache_zones.conf;
     include /etc/nginx/snippets/rate_limit.conf;
     
-    # Logging
-    # Assumes 'detailed_proxy' is defined in log_formats.conf
-    access_log /var/log/nginx/access.log detailed_proxy;
+    # Ativação Global da Blacklist
+    include /etc/nginx/snippets/blacklist.conf;
 
     # Site Configurations
     include /etc/nginx/conf.d/*.conf;

snippets/acme_challenge.conf

@@ -1,9 +1,7 @@
-# ACME Challenge Snippet
-# Include this in port 80 server blocks to allow Certbot validation
-
+# ACME Challenge for Certbot
 location ^~ /.well-known/acme-challenge/ {
-    root /var/www/html;
-    try_files $uri =404;
     allow all;
-    auth_basic off;
+    root /var/lib/letsencrypt/;
+    default_type "text/plain";
+    try_files $uri =404;
 }

snippets/blacklist.conf

@@ -0,0 +1,2 @@
+# Arquivo gerado automaticamente pelo Fail2Ban
+# IPs bloqueados aparecerão aqui como: deny 1.2.3.4;

snippets/modsecurity.conf

@@ -0,0 +1,6 @@
+# ModSecurity Engine Configuration
+modsecurity on;
+modsecurity_rules_file /etc/nginx/modsec/main.conf;
+
+# Inclusão da Blacklist Dinâmica do Fail2Ban
+include /etc/nginx/snippets/blacklist.conf;

snippets/proxy_params.conf

@@ -0,0 +1,15 @@
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Port $server_port;
+
+# Buffers
+proxy_buffers 32 4k;
+proxy_buffer_size 8k;
+
+# Timeouts
+proxy_connect_timeout 60s;
+proxy_send_timeout 60s;
+proxy_read_timeout 60s;

snippets/ssl_params.conf

@@ -0,0 +1,15 @@
+# SSL/TLS Params - Requisitos: Nginx com HTTP/3
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+# HSTS
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+# HTTP/3 (QUIC) Alt-Svc
+add_header Alt-Svc 'h3=":443"; ma=86400';
+
+# OCSP Stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 1.1.1.1 8.8.8.8 valid=300s;
+resolver_timeout 5s;