diff --git a/nginx/sites-available/verbocloud.itguys.com.br.conf b/nginx/sites-available/verbocloud.itguys.com.br.conf
deleted file mode 100644
index 418501c..0000000
--- a/nginx/sites-available/verbocloud.itguys.com.br.conf
+++ /dev/null
@@ -1,203 +0,0 @@
-# ----------------------------------------------------------------------
-# Configuração: Nextcloud AIO + Office Online Server (Nativo)
-# Data: 2025-10-25
-# Domínio: verbocloud.itguys.com.br
-#
-# Arquitetura:
-# - Nginx (Este servidor)
-# - Backend AIO: 172.16.253.13:11500 (HTTP)
-# - Backend OOS: 172.16.253.13:443 (HTTPS - Nativo no Windows)
-# ----------------------------------------------------------------------
-
-# ----------------------------------------------------------------------
-# Declaração dos Backends
-# ----------------------------------------------------------------------
-
-# Backend 1: O contêiner do Nextcloud AIO no Windows Server
-upstream nextcloud_aio_backend {
- server 172.16.253.13:11500;
-}
-
-# Backend 2: O Office Online Server (nativo no Windows Server)
-upstream office_online_backend {
- # Assumindo que o OOS está na porta 443 (HTTPS)
- server 172.16.253.13:443;
-}
-
-# ----------------------------------------------------------------------
-# Servidor HTTP (Porta 80)
-# - Redireciona para HTTPS
-# - Responde aos desafios do Let's Encrypt (Certbot)
-# ----------------------------------------------------------------------
-server {
- if ($host = verbocloud.itguys.com.br) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- listen [::]:80;
-
- server_name verbocloud.itguys.com.br;
-
- location /.well-known/acme-challenge/ {
- root /var/www/html; # Ajuste o caminho se necessário
- allow all;
- }
-
- location / {
- return 301 https://$host$request_uri;
- }
-
-
-}
-
-# ----------------------------------------------------------------------
-# Servidor HTTPS (Porta 443)
-# - Ponto de terminação SSL
-# - Proxy reverso para AIO e OOS
-# - Headers de segurança
-# ----------------------------------------------------------------------
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name verbocloud.itguys.com.br;
-
- # --- Logs Exclusivos (Conforme solicitado) ---
- access_log /var/log/nginx/verbocloud.itguys.com.br.access.log detailed_proxy;
- error_log /var/log/nginx/verbocloud.itguys.com.br.error.log warn;
-
- # --- Otimizações de TLS (Baseado no SSLLabs e no seu arquivo antigo) ---
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
- ssl_prefer_server_ciphers on;
- ssl_session_timeout 1d;
- ssl_session_tickets off;
-
- # --- OCSP Stapling ---
- ssl_stapling on;
- ssl_stapling_verify on;
- resolver 1.1.1.1 8.8.8.8 valid=300s; # Usando resolvers públicos
- resolver_timeout 5s;
-
- # --- Headers de Segurança ---
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header Referrer-Policy "no-referrer" always;
- add_header X-XSS-Protection "1; mode=block" always;
-
- # --- Configurações do Proxy ---
- client_max_body_size 10G;
-
- # ---------------------------------------------------
- # REGRAS DO OFFICE ONLINE SERVER (OOS)
- # (Estas devem vir ANTES do location / principal)
- # ---------------------------------------------------
-
- # Rota de Descoberta (Discovery)
- location = /hosting/discovery {
- # O OOS nativo quase sempre usa HTTPS
- proxy_pass https://office_online_backend;
-
- # ===> ATENÇÃO: Substitua pelo Hostname INTERNO que o OOS espera <===
- proxy_set_header Host "oos.interno.verbocg.local";
-
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Accept-Encoding "";
-
- # Essencial se o OOS usa certificado autoassinado
- proxy_ssl_verify off;
- }
-
- # Rotas de Serviço (Word, Excel, etc.)
- location ~ ^/(m|x|we|o|p|wv|op|wd|rtc|rtc2|layouts|view|_layouts)/ {
- proxy_pass https://office_online_backend;
-
- # ===> ATENÇÃO: Substitua pelo Hostname INTERNO que o OOS espera <===
- proxy_set_header Host "oos.interno.verbocg.local";
-
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $host;
-
- # WebSockets - Essencial para OOS
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header Accept-Encoding "";
-
- # Essencial se o OOS usa certificado autoassinado
- proxy_ssl_verify off;
-
- # (Filtro para reescrever o host interno - se necessário)
- # sub_filter 'oos.interno.verbocg.local' 'verbocloud.itguys.com.br';
- # sub_filter_once off;
-
- # CORS - Essencial para OOS (Usando add_header, se o módulo 'more_headers' não estiver)
- # (Seu config antigo usava 'more_set_headers', o que é melhor se você tiver o módulo)
- if ($request_method = 'OPTIONS') {
- add_header 'Access-Control-Allow-Origin' "$scheme://$http_host";
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, HEAD';
- add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Accept, Origin, User-Agent, DNT, Cache-Control, X-Mx-ReqToken, Keep-Alive, X-Requested-With, If-Modified-Since, X-UserType';
- add_header 'Access-Control-Allow-Credentials' 'true';
- add_header 'Access-Control-Max-Age' 1728000;
- return 204;
- }
-
- add_header 'Access-Control-Allow-Origin' "$scheme://$http_host";
- add_header 'Access-Control-Allow-Credentials' 'true';
- }
-
- # ---------------------------------------------------
- # REGRAS DO NEXTCLOUD AIO
- # ---------------------------------------------------
-
- # Redirecionamentos CalDAV/CardDAV
- location = /.well-known/carddav { return 301 /remote.php/dav; }
- location = /.well-known/caldav { return 301 /remote.php/dav; }
- location = /.well-known/webfinger { return 301 /index.php/.well-known/webfinger; }
- location = /.well-known/nodeinfo { return 301 /index.php/.well-known/nodeinfo; }
-
- # Cache de Estáticos (Opcional, mas bom para performance)
- location ~ \.(css|js|svg|gif|png|jpg|ico|woff|woff2|tff)$ {
- proxy_pass http://nextcloud_aio_backend;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $host;
-
- proxy_buffering on;
- proxy_cache_valid 200 304 7d;
- expires 7d;
- add_header Cache-Control "public";
- }
-
- # Regra Principal (Nextcloud AIO)
- location / {
- proxy_pass http://nextcloud_aio_backend; # <-- Aponta para o AIO (HTTP)
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $host;
-
- # Recomendado pelo AIO para uploads/DAV
- proxy_buffering off;
- proxy_request_buffering off;
- proxy_http_version 1.1;
-
- # Timeouts longos
- proxy_connect_timeout 3600s;
- proxy_send_timeout 3600s;
- proxy_read_timeout 3600s;
- }
-
- ssl_certificate /etc/letsencrypt/live/verbocloud.itguys.com.br/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/verbocloud.itguys.com.br/privkey.pem; # managed by Certbot
-}