From f764855d092466d9ec549a0c5cf6af4a83075d25 Mon Sep 17 00:00:00 2001 From: "srvproxy001.itguys.com.br" Date: Tue, 11 Nov 2025 01:13:31 -0300 Subject: [PATCH] =?UTF-8?q?[Auto-Sync]=20Atualiza=C3=A7=C3=A3o=20das=20con?= =?UTF-8?q?figura=C3=A7=C3=B5es=20em=20srvproxy001.itguys.com.br=20-=20202?= =?UTF-8?q?5-11-11=2001:13:31?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../cloud.grupopralog.com.br.conf | 190 ++++++++---------- 1 file changed, 80 insertions(+), 110 deletions(-) diff --git a/nginx/sites-available/cloud.grupopralog.com.br.conf b/nginx/sites-available/cloud.grupopralog.com.br.conf index f8c2f7a..815b90b 100644 --- a/nginx/sites-available/cloud.grupopralog.com.br.conf +++ b/nginx/sites-available/cloud.grupopralog.com.br.conf @@ -1,15 +1,22 @@ +# +# Configuração: cloud.grupopralog.com.br +# Atualizado em: 2025-11-11 @ 01:10 (Horário de Brasília) +# Contexto: Correção de sintaxe. Remoção de aspas ("") das diretivas +# proxy_hide_header e proxy_ignore_headers. +# + map $request_uri $cache_asset { ~*\.(css|js|mjs|svg|gif|png|jpg|jpeg|ico|wasm|woff|woff2|ttf|otf)$ 1y; default off; } map $request_uri $cacheable_session_request { - ~^/apps/files/$ 1; - ~^/apps/files/files$ 1; - ~^/apps/files/\?dir= 1; - ~^/apps/dashboard/$ 1; - ~^/remote\.php/dav/files/ 1; - default 0; + ~^/apps/files/$ 1; + ~^/apps/files/files$ 1; + ~^/apps/files/\?dir= 1; + ~^/apps/dashboard/$ 1; + ~^/remote\.php/dav/files/ 1; + default 0; } map $cacheable_session_request $session_cache_zone { @@ -58,25 +65,29 @@ server { #} #limit_req zone=global_limit burst=100 nodelay; + # Segurança Headers add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header Referrer-Policy "no-referrer" always; - client_body_buffer_size 128M; - proxy_buffer_size 512k; - proxy_buffers 32 256k; - proxy_busy_buffers_size 512k; - proxy_connect_timeout 1200s; - proxy_send_timeout 1200s; - proxy_read_timeout 1200s; - proxy_temp_file_write_size 256k; + # Buffers + client_body_buffer_size 128M; + proxy_buffer_size 512k; + proxy_buffers 32 256k; + proxy_busy_buffers_size 512k; + proxy_connect_timeout 1200s; + proxy_send_timeout 1200s; + proxy_read_timeout 1200s; + proxy_temp_file_write_size 256k; - proxy_hide_header "X-Content-Type-Options"; - proxy_hide_header "X-Frame-Options"; - proxy_hide_header "Feature-Policy"; - proxy_hide_header "Content-Security-Policy"; + # Ocultar headers do backend (CORRIGIDO: Sem aspas) + proxy_hide_header X-Content-Type-Options; + proxy_hide_header X-Frame-Options; + proxy_hide_header Feature-Policy; + proxy_hide_header Content-Security-Policy; + # SSL ssl_certificate /etc/letsencrypt/live/cloud.grupopralog.com.br/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/cloud.grupopralog.com.br/privkey.pem; ssl_protocols TLSv1.3 TLSv1.2; @@ -86,12 +97,15 @@ server { ssl_dhparam /etc/nginx/dhparam.pem; ssl_session_timeout 1d; ssl_session_tickets off; + + # SSL Stapling ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/letsencrypt/live/cloud.grupopralog.com.br/fullchain.pem; resolver 127.0.0.1 valid=300s; resolver_timeout 5s; + # Compressão brotli on; brotli_comp_level 6; brotli_min_length 1024; @@ -103,21 +117,24 @@ server { gzip_min_length 1024; gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/x-icon text/css text/javascript text/plain text/xml; + # CalDAV / CardDAV location = /.well-known/carddav { return 301 /remote.php/dav; } location = /.well-known/caldav { return 301 /remote.php/dav; } + # Office Online (Discovery) location = /hosting/discovery { - proxy_pass https://officeonline_backend; - proxy_set_header Host "srvoffice001.itguys.com.br"; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Accept-Encoding ""; + proxy_pass https://officeonline_backend; + proxy_set_header Host "srvoffice001.itguys.com.br"; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Accept-Encoding ""; - # IMPORTANTE: Permite que o Nginx se conecte ao OOS com certificado autoassinado. - proxy_ssl_verify off; + # IMPORTANTE: Permite que o Nginx se conecte ao OOS com certificado autoassinado. + proxy_ssl_verify off; } + # Office Online (WOPI) location ~ ^/(m|x|we|o|p|wv|op|wd|rtc|rtc2|layouts|view|_layouts)/ { proxy_pass https://officeonline_backend; proxy_set_header Host "srvoffice001.itguys.com.br"; @@ -129,11 +146,11 @@ server { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Accept-Encoding ""; - proxy_buffering off; - proxy_request_buffering off; - proxy_connect_timeout 1200s; - proxy_send_timeout 1200s; - proxy_read_timeout 1200s; + proxy_buffering off; + proxy_request_buffering off; + proxy_connect_timeout 1200s; + proxy_send_timeout 1200s; + proxy_read_timeout 1200s; sub_filter 'srvoffice001.itguys.com.br' 'cloud.grupopralog.com.br'; sub_filter_once off; sub_filter_types text/css text/javascript application/javascript application/json; @@ -151,6 +168,7 @@ server { more_set_headers 'Access-Control-Allow-Credentials: true'; } + # Cache: Assets Estáticos location ~* \.(?:css|js|mjs|svg|gif|png|jpg|jpeg|ico|wasm|woff|woff2|ttf|otf|map)$ { proxy_pass http://nextcloud_backend; proxy_set_header Host $host; @@ -166,34 +184,15 @@ server { more_set_headers 'Cache-Control: public, max-age=43200'; more_set_headers 'X-Proxy-Cache: $upstream_cache_status'; - proxy_hide_header "Cache-Control"; - proxy_hide_header "Expires"; - proxy_hide_header "Pragma"; + # CORRIGIDO: Sem aspas + proxy_hide_header Cache-Control; + proxy_hide_header Expires; + proxy_hide_header Pragma; brotli_static on; gzip_static on; } - #location ~ ^/(remote\.php/(webdav|dav)|ocs/v[12]\.php/apps/forms/api/.*/submissions/files/.*) { - # proxy_pass http://nextcloud_backend; - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # proxy_set_header X-Forwarded-Proto $scheme; - # proxy_set_header X-Forwarded-Host $host; - # - # proxy_http_version 1.1; - # proxy_set_header Connection ""; - - # # Desabilita o buffering para streaming de arquivos - # proxy_buffering off; - # proxy_request_buffering off; - # - # # Timeouts longos para uploads/downloads - # proxy_connect_timeout 60s; - # proxy_read_timeout 1200s; - # proxy_send_timeout 1200s; - #} - + # Cache: API Recommendations location = /ocs/v2.php/apps/recommendations/api/v1/recommendations { proxy_pass http://nextcloud_backend; proxy_set_header Host $host; @@ -211,6 +210,7 @@ server { more_set_headers 'X-API-Rec-Cache: $upstream_cache_status'; } + # Cache: API Folder-Tree location ~ ^/(apps/files/api/v1/folder-tree|ocs/v2\.php/apps/files/api/v1/folder-tree) { proxy_pass http://nextcloud_backend; proxy_set_header Host $host; @@ -222,7 +222,6 @@ server { proxy_buffering on; - # Usar a zona de cache 'foldertree_cache' que você já tinha, ou a 'nextcloud_cache' proxy_cache foldertree_cache; proxy_cache_key "$scheme$request_method$host$request_uri$is_args$args$cookie_nc_session_id"; @@ -231,17 +230,17 @@ server { proxy_cache_lock on; proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504; - # Ignora "no-cache" do backend - proxy_ignore_headers "Cache-Control" "Expires" "Pragma"; - proxy_hide_header "Cache-Control"; - proxy_hide_header "Pragma"; - proxy_hide_header "Expires"; + # CORRIGIDO: Sem aspas + proxy_ignore_headers Cache-Control Expires Pragma; + proxy_hide_header Cache-Control; + proxy_hide_header Pragma; + proxy_hide_header Expires; add_header Cache-Control "public, max-age=3"; - # Header de depuração more_set_headers 'X-FolderTree-Cache: $upstream_cache_status'; } + # Cache: API User Info/Notifications location ~ ^/(ocs/v[12].php/cloud/users|ocs/v[12].php/privatedata/get|ocs/v2.php/apps/notifications/api/v2/notifications|ocs/v[12].php/cloud/apps|ocs/v[12].php/cloud/user|ocs/v[12].php/privatedata/get/userinfo) { proxy_pass http://nextcloud_backend; proxy_set_header Host $host; @@ -258,6 +257,7 @@ server { more_set_headers 'X-APIMicroCache-Status: $upstream_cache_status'; } + # DAV (WebDAV / PROPFIND Cache) location ~ ^/(remote\.php/(webdav|dav)|ocs/v[12]\.php/apps/forms/api/.*/submissions/files/.*) { proxy_pass http://nextcloud_backend; proxy_set_header Host $host; @@ -268,8 +268,6 @@ server { proxy_http_version 1.1; proxy_set_header Connection ""; - # --- Lógica de Cache vs. Streaming --- - # 1. Por padrão, desabilitamos o buffering para streaming (uploads/downloads) proxy_buffering off; proxy_request_buffering off; @@ -280,24 +278,20 @@ server { proxy_request_buffering on; # Necessário para o cache proxy_cache nextcloud_cache; # Usar a zona de cache - # IMPORTANTE: Autorizar cache do método PROPFIND proxy_cache_methods PROPFIND; - # Chave de cache por usuário/sessão proxy_cache_key "$host$request_uri|$cookie_nc_session_id"; - # Cache de 10 segundos para listagens de pasta (status 200 e 207) proxy_cache_valid 200 207 10s; proxy_cache_lock on; proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504; - # Header para depuração more_set_headers 'X-DAV-Cache: $upstream_cache_status'; - # Ignorar "no-cache" do backend para PROPFIND - proxy_ignore_headers "Cache-Control" "Expires" "Pragma"; - proxy_hide_header "Cache-Control"; - proxy_hide_header "Pragma"; - proxy_hide_header "Expires"; + # CORRIGIDO: Sem aspas + proxy_ignore_headers Cache-Control Expires Pragma; + proxy_hide_header Cache-Control; + proxy_hide_header Pragma; + proxy_hide_header Expires; add_header Cache-Control "public, max-age=10"; } @@ -307,6 +301,7 @@ server { proxy_send_timeout 1200s; } + # Cache: API Tables location ~ ^/(apps/tables/(api|row|share)|index\.php/apps/tables/api/1|ocs/v2\.php/apps/tables/api/2) { proxy_pass http://nextcloud_backend; proxy_set_header Host $host; @@ -317,38 +312,26 @@ server { proxy_http_version 1.1; proxy_set_header Connection ""; - # Habilita buffering para cache proxy_buffering on; - # Define a chave de cache por usuário (baseado no cookie de sessão) proxy_cache nextcloud_cache; proxy_cache_key "$host$request_uri|$cookie_nc_session_id"; - # Cache de 3 segundos para dados dinâmicos. - # Isso agrupa requisições idênticas feitas durante o carregamento da página. proxy_cache_valid 200 3s; - - # Trava o cache para evitar que múltiplas requisições batam no backend (Thundering Herd) proxy_cache_lock on; - - # Entrega conteúdo antigo se o backend falhar proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; - # Força o Nginx a IGNORAR os headers "não-cacheie" (no-cache, no-store) vindos do Nextcloud - proxy_ignore_headers "Cache-Control" "Expires" "Pragma"; - - # Esconde os headers originais do backend para o cliente - proxy_hide_header "Cache-Control"; - proxy_hide_header "Pragma"; - proxy_hide_header "Expires"; + # CORRIGIDO: Sem aspas + proxy_ignore_headers Cache-Control Expires Pragma; + proxy_hide_header Cache-Control; + proxy_hide_header Pragma; + proxy_hide_header Expires; - # Adiciona nosso próprio header de cache para o navegador (3 segundos) add_header Cache-Control "public, max-age=3"; - - # Header para depuração (para vermos se o cache funcionou) more_set_headers 'X-Tables-Cache: $upstream_cache_status'; } + # Cache: API Thumbnails / Direct Editing location ~ ^/(index\.php/apps/files/api/v1/thumbnail/|ocs/v2\.php/apps/files/api/v1/(directEditing|templates|folder-tree)) { proxy_pass http://nextcloud_backend; proxy_set_header Host $host; @@ -359,39 +342,26 @@ server { proxy_http_version 1.1; proxy_set_header Connection ""; - # Habilita buffering para cache proxy_buffering on; - # Reutiliza a zona de cache principal proxy_cache nextcloud_cache; proxy_cache_key "$host$request_uri|$cookie_nc_session_id"; - # Cache de 3 segundos (bom para APIs) - # Nota: Você poderia criar um cache mais longo (ex: 1h) - # se o /thumbnail/ for muito usado, mas 3s é seguro. proxy_cache_valid 200 3s; - - # Trava o cache (Thundering Herd) proxy_cache_lock on; - - # Entrega conteúdo antigo se o backend falhar proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; - # Ignora headers "não-cacheie" - proxy_ignore_headers "Cache-Control" "Expires" "Pragma"; - - # Esconde os headers originais - proxy_hide_header "Cache-Control"; - proxy_hide_header "Pragma"; - proxy_hide_header "Expires"; + # CORRIGIDO: Sem aspas + proxy_ignore_headers Cache-Control Expires Pragma; + proxy_hide_header Cache-Control; + proxy_hide_header Pragma; + proxy_hide_header Expires; - # Adiciona nosso header de cache (3 segundos) add_header Cache-Control "public, max-age=3"; - - # Header para depuração more_set_headers 'X-Files-API-Cache: $upstream_cache_status'; } + # Location Padrão (Catch-all) location / { proxy_pass http://nextcloud_backend; proxy_set_header Host $host;