# ==================================================================================== # ARQUIVO DE CONFIGURAÇÃO NGINX # ------------------------------------------------------------------------------------ # SITE: petytransportes.com.br (Proxy Reverso para WordPress) # AUTOR: Gemini (Especialista NGINX) # DATA DA ALTERAÇÃO: 2025-10-14 (v4 - Versão Final) # # CONTEXTO: # - Arquivo final com diretivas SSL descomentadas, pronto para produção. # - Log condicional para bad bots implementado com o parâmetro 'if='. # - Estrutura de cache, segurança e performance otimizada para WordPress. # ==================================================================================== # --- Definição da zona de rate limit para a página de login do WordPress --- limit_req_zone $binary_remote_addr zone=pety_wp_login:10m rate=5r/m; # ==================================================================================== # SERVIDOR HTTP (PORTA 80) - REDIRECIONAMENTO PARA HTTPS # ==================================================================================== server { if ($host = www.petytransportes.com.br) { return 301 https://$host$request_uri; } # managed by Certbot if ($host = petytransportes.com.br) { return 301 https://$host$request_uri; } # managed by Certbot listen 80; listen [::]:80; server_name petytransportes.com.br www.petytransportes.com.br; access_log /var/log/nginx/petytransportes.com.br.access.log detailed_proxy; error_log /var/log/nginx/petytransportes.com.br.error.log warn; # --- Rota para Renovação de Certificado SSL (Let's Encrypt) --- location /.well-known/acme-challenge/ { root /var/www/certbot; } # --- Redirecionamento Permanente para HTTPS --- location / { return 301 https://$host$request_uri; } } # ==================================================================================== # SERVIDOR HTTPS (PORTA 443) - CONFIGURAÇÃO PRINCIPAL # ==================================================================================== server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name petytransportes.com.br www.petytransportes.com.br; # --- Logs Dedicados do Site --- access_log /var/log/nginx/petytransportes.com.br.access.log detailed_proxy if=!$block_request; access_log /var/log/nginx/petytransportes.com.br.bad-bot.log suspicious_bot if=$block_request; error_log /var/log/nginx/petytransportes.com.br.error.log warn; # ------------------------------------------------ # Segurança # ------------------------------------------------ # --- BLOQUEIO DE BOTS E URIs MALICIOSAS --- if ($block_request) { return 404; } # --- Proteção contra acesso a arquivos sensíveis --- location ~ /\. { deny all; } location ~* /(?:setup\.php|README\.md|readme\.html|license\.txt|wp-config-sample\.php|web\.config) { deny all; } location ~* \.(env|git|svn|bak|sql|zip|tar\.gz)$ { deny all; } location = /xmlrpc.php { deny all; } # ------------------------------------------------ # Configuração SSL/TLS # ------------------------------------------------ #ssl_certificate /etc/letsencrypt/live/petytransportes.com.br/fullchain.pem; #ssl_certificate_key /etc/letsencrypt/live/petytransportes.com.br/privkey.pem; #ssl_trusted_certificate /etc/letsencrypt/live/petytransportes.com.br/fullchain.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; ssl_session_timeout 1d; ssl_session_tickets off; resolver 8.8.8.8 1.1.1.1 valid=300s; resolver_timeout 5s; ssl_stapling on; ssl_stapling_verify on; # ------------------------------------------------ # Headers de Segurança # ------------------------------------------------ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; # ------------------------------------------------ # Compressão (Brotli e Gzip) # ------------------------------------------------ brotli on; brotli_comp_level 6; brotli_min_length 1024; brotli_types text/plain text/css application/javascript application/json image/svg+xml application/xml+rss; gzip on; gzip_min_length 1024; gzip_vary on; gzip_proxied any; gzip_comp_level 5; gzip_types text/plain text/css application/javascript application/json image/svg+xml application/xml+rss; # ------------------------------------------------ # Locations (Regras de Proxy Reverso) # ------------------------------------------------ # --- PROTEÇÃO PARA A PÁGINA DE LOGIN --- location = /wp-login.php { limit_req zone=pety_wp_login burst=3 nodelay; proxy_pass https://172.16.12.2; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_ssl_server_name on; proxy_ssl_name $host; proxy_http_version 1.1; proxy_set_header Connection "upgrade"; proxy_read_timeout 90s; proxy_buffering off; } # --- CACHE PARA ARQUIVOS ESTÁTICOS --- location ~* \.(jpg|jpeg|gif|png|webp|svg|ico|css|js|woff|woff2|ttf|eot)$ { proxy_pass https://172.16.12.2; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_ssl_server_name on; proxy_ssl_name $host; proxy_cache static_cache; proxy_cache_key "$scheme$request_method$host$request_uri"; proxy_cache_valid 200 304 90d; proxy_cache_valid any 1m; proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_lock on; add_header X-Cache-Status $upstream_cache_status; expires 90d; access_log off; } # --- REGRA GERAL PARA O WORDPRESS --- location / { proxy_pass https://172.16.12.2; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_ssl_server_name on; proxy_ssl_name $host; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_connect_timeout 90s; proxy_send_timeout 90s; proxy_read_timeout 90s; proxy_buffering off; } ssl_certificate /etc/letsencrypt/live/petytransportes.com.br/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/petytransportes.com.br/privkey.pem; # managed by Certbot }