# Security Maps and Variables
# Include this file in nginx.conf http block

# Bad Bot Detection
map $http_user_agent $is_bad_bot {
    default 0;

    # --- Categorias Originais (Preservadas) ---
    # Scanners, Exploracao e Reconhecimento de Rede (RECON)
    "~*(nikto|sqlmap|wpscan|gobuster|dirbuster|feroxbuster|nessus|nmap|curl|wget|python|php|perl|ruby|java)" 1;
    "~*(Acunetix|Netsparker|AppScan|Zgrab|Masscan|OpenVAS|Scanbot|ZmEu|Morfeus|Jorgee|Havij|Nuclei|Tsunami)" 1;
    "~*(Shodan|Censys|ZoomEye|BinaryEdge|Smap|N-Stealth|N-Sentinel|ScanAlert)" 1;

    # Crawlers Agressivos e Scrapers de Conteudo
    "~*(HTTrack|ia_archiver|mj12bot|AhrefsBot|DotBot|SemrushBot|MJ12bot|DataForSeoBot|PetalBot|QuerySeekerSpider)" 1;
    "~*(SEO-Crawler|SEOstats|SpyFu|Lighthouse|PageSpeed|SiteAudit|Screaming|MegaIndex|ZoominfoBot)" 1;
    "~*(BLEXBot|WinHTTP|Xenu|Scrap|extract|grab|Crawlspace|WebCopier|TeleportPro|OfflineExplorer)" 1;

    # Bibliotecas de Scraping e Automacao (MCPs, Frameworks)
    "~*(Scrapy|BeautifulSoup|selenium|puppeteer|playwright|phantomjs|HeadlessChrome|headless)" 1;
    "~*(GuzzleHttp|axios|requests|urllib|libwww-perl|WinHTTP|Go-http-client|node-fetch|Faraday|Typhoeus)" 1;

    # Bloqueio Total de IA Crawlers (Treinamento e Coleta)
    "~*(GPTBot|ChatGPT-User|OAI-SearchBot|anthropic-ai|ClaudeBot|Claude-Web|Claude-User|Claude-SearchBot)" 1;
    "~*(Google-Extended|Google-CloudVertexBot|Bard-Ai|Gemini-Ai|GoogleAgent-Mariner)" 1;
    "~*(FacebookBot|Meta-ExternalAgent|meta-webindexer|Applebot-Extended|Amazonbot|Applebot)" 1;
    "~*(PerplexityBot|Perplexity-User|Bytespider|CCBot|Diffbot|Cohere-Ai|DeepseekBot|Youbot)" 1;
    "~*(Omgilibot|Omgili|webzio-extended|HuggingFace-Bot|Brightbot|FirecrawlAgent|Seekr|Sentibot)" 1;

    # --- Mitchell Krog's Ultimate Bad Bot List (Update 2026) ---
    # Bloco 01 - 01h4x to BacklinkCrawler
    "~*(01h4x\.com|360Spider|404checker|404enemy|80legs|ADmantX|AIBOT|ALittle\ Client|ASPSeek|Abonti|Aboundex|Aboundexbot|AdsTxtCrawlerTP|AfD-Verbotsverfahren|Ai2Bot|AiHitBot|Aipbot|Alexibot|Aliyun|AliyunSecBot|AllSubmitter|Alligator|AlphaBot|Anarchie|Anarchy|Anarchy99|Ankit|Anthill|Apexoo|Aspiegel|Asterias|Atomseobot|Attach|AwarioBot|AwarioRssBot|AwarioSmartBot|BBBike|BDCbot|BDFetch|BackDoorBot|BackStreet|BackWeb|Backlink-Ceck|BacklinkCrawler)" 1;
    # Bloco 02 - BacklinksExtendedBot to Craftbot
    "~*(BacklinksExtendedBot|Badass|Bandit|Barkrowler|BatchFTP|Battleztar\ Bazinga|BetaBot|Bigfoot|Bitacle|BlackWidow|Black\ Hole|Blackboard|Blow|BlowFish|Boardreader|Bolt|BotALot|Brandprotect|Brandwatch|Buck|Buddy|BuiltBotTough|BuiltWith|Bullseye|BunnySlippers|BuzzSumo|CATExplorador|CODE87|CSHttp|Calculon|CazoodleBot|Cegbfeieh|CensysInspect|CheTeam|CheeseBot|CherryPicker|ChinaClaw|Chlooe|Citoid|Claritybot|Cliqzbot|Cloud\ mapping|Cocolyzebot|Cogentbot|Collector|Copier|CopyRightCheck|Copyscape|Cosmos|Craftbot)" 1;
    # Bloco 03 - Crawling at Home to DnyzBot
    "~*(Crawling\ at\ Home\ Project|CrazyWebCrawler|Crescent|CrunchBot|Curious|Custo|CyotekWebCopy|DBLBot|DIIbot|DSearch|DTS\ Agent|DataCha0s|DatabaseDriverMysqli|Demon|Deusu|Devil|Digincore|DigitalPebble|Disco|Discobot|Discoverybot|Dispatch|DittoSpyder|DnBCrawler-Analytics|DnyzBot)" 1;
    # Bloco 04 - DomCopBot to Getintent
    "~*(DomCopBot|DomainAppender|DomainCrawler|DomainSigmaCrawler|DomainStatsBot|Domains\ Project|Download\ Wonder|Dragonfly|Drip|ECCP/1\.0|EMail\ Siphon|EMail\ Wolf|EasyDL|Ebingbong|Ecxi|EirGrabber|EroCrawler|Evil|Exabot|Express\ WebPictures|ExtLinksBot|Extractor|ExtractorPro|Extreme\ Picture\ Finder|EyeNetIE|Ezooms|FDM|FHscan|FemtosearchBot|Firefox/7\.0|FlashGet|Flunky|Foobot|Freeuploader|FrontPage|Fuzz|FyberSpider|Fyrebot|G-i-g-a-b-o-t|GT::WWW|GalaxyBot|GeedoProductSearch|Genieo|GermCrawler|GetRight|GetWeb|Getintent)" 1;
    # Bloco 05 - Gigabot to Information Security Team
    "~*(Gigabot|Go!Zilla|Go-Ahead-Got-It|GoZilla|Gotit|GrabNet|Grabber|Grafula|GrapeFX|GrapeshotCrawler|GridBot|HEADMasterSEO|HMView|HTMLparser|HTTP::Lite|Haansoft|HaosouSpider|Harvest|Heritrix|Hloader|HonoluluBot|Humanlinks|HybridBot|IDBTE4M|IDBot|IRLbot|Iblog|Id-search|IlseBot|Image\ Fetch|Image\ Sucker|ImagesiftBot|IndeedBot|Indy\ Library|InfoNaviRobot|InfoTekies|Information\ Security\ Team\ InfraSec\ Scanner|InfraSec\ Scanner)" 1;
    # Bloco 06 - Intelliseek to MarkWatch
    "~*(Intelliseek|InterGET|InternetMeasurement|InternetSeer|Internet\ Ninja|Iria|Iskanie|IstellaBot|JOC\ Web\ Spider|JamesBOT|Jbrofuzz|JennyBot|JetCar|Jetty|JikeSpider|Joomla|JustView|Jyxobot|Kenjin\ Spider|Keybot\ Translation-Search-Machine|Keyword\ Density|Kinza|Kozmosbot|LNSpiderguy|LWP::Simple|Lanshanbot|Larbin|Leap|LeechFTP|LeechGet|LexiBot|Lftp|LibWeb|Libwhisker|LieBaoFast|Lightspeedsystems|Likse|LinkScan|LinkWalker|Linkbot|LinkextractorPro|LinkpadBot|LinksManager|LinqiaMetadataDownloaderBot|LinqiaRSSBot|LinqiaScrapeBot|Lipperhey|Lipperhey\ Spider|Litemage_walker|Lmspider|Ltx71|MFC_Tear_Sample|MIDown\ tool|MIIxpc|MQQBrowser|MSFrontPage|MSIECrawler|MTRobot|Mag-Net|Magnet|Mail\.RU_Bot|Majestic-SEO|Majestic12|Majestic\ SEO|MarkMonitor|MarkWatch)" 1;
    # Bloco 07 - Mass Downloader to OpenVAS
    "~*(Mass\ Downloader|Mata\ Hari|MauiBot|Mb2345Browser|MeanPath\ Bot|Mediatoolkitbot|MegaIndex\.ru|Metauri|MicroMessenger|Microsoft\ Data\ Access|Microsoft\ URL\ Control|Minefield|Mister\ PiX|Moblie\ Safari|Mojeek|Mojolicious|MolokaiBot|Mozlila|Mr\.4x3|Msrabot|Musobot|NICErsPRO|NPbot|Name\ Intelligence|Nameprotect|Navroad|NearSite|Needle|NetAnts|NetLyzer|NetMechanic|NetSpider|NetZIP|Net\ Vampire|Netcraft|Nettrack|Netvibes|NextGenSearchBot|Nibbler|Niki-bot|NimbleCrawler|Nimbostratus|Ninja|Nutch|Octopus|OnCrawl|OpenLinkProfiler)" 1;
    # Bloco 08 - Openfind to Rankivabot
    "~*(Openfind|Openvas|OrangeBot|OrangeSpider|OutclicksBot|OutfoxBot|PECL::HTTP|PHPCrawl|POE-Component-Client-HTTP|PageAnalyzer|PageGrabber|PageScorer|PageThing\.com|Page\ Analyzer|Pandalytics|Panscient|Papa\ Foto|Pavuk|PeoplePal|Petalbot|Pi-Monster|Picscout|Picsearch|PictureFinder|Piepmatz|Pimonster|Pixray|PleaseCrawl|Pockey|ProPowerBot|ProWebWalker|Probethenet|Proximic|Psbot|Pu_iN|Pump|PxBroker|PyCurl|QueryN\ Metasearch|Quick-Crawler|RSSingBot|Rainbot|RankActive|RankActiveLinkBot|RankFlex|RankingBot|RankingBot2|Rankivabot)" 1;
    # Bloco 09 - RankurBot to ScrepyBot
    "~*(RankurBot|Re-re|ReGet|RealDownload|Reaper|RebelMouse|Recorder|RedesScrapy|RepoMonkey|Ripper|RocketCrawler|Rogerbot|SBIder|SEOkicks|SEOkicks-Robot|SEOlyt|SEOlyticsCrawler|SEOprofiler|SISTRIX|SMTBot|SalesIntelligent|ScoutJet|ScreenerBot|ScrepyBot)" 1;
    # Bloco 10 - Searchestate to SputnikBot
    "~*(Searchestate|SearchmetricsBot|Seekport|SeekportBot|SemanticJuice|Semrush|SemrushBot-BA|SemrushBot-FT|SemrushBot-OCOB|SemrushBot-SI|SemrushBot-SWA|SenutoBot|SeoCherryBot|SeoSiteCheckup|SeobilityBot|Seomoz|Siphon|SiteAuditBot|SiteCheckerBotCrawler|SiteExplorer|SiteLockSpider|SiteSnagger|SiteSucker|Site\ Sucker|Sitebeam|Siteimprove|Sitevigil|SlySearch|SmartDownload|Snake|Snapbot|Snoopy|SocialRankIOBot|Sociscraper|Sogou\ web\ spider|Sosospider|Sottopop|SpaceBison|Spammen|SpankBot|Spanner|Spbot|Spider_Bot|Spider_Bot/3\.0|Spinn3r|SplitSignalBot|SputnikBot)" 1;
    # Bloco 11 - Sqlworm to TurnitinBot
    "~*(Sqlworm|Sqworm|Steeler|Stripper|Sucker|Sucuri|SuperBot|SuperHTTP|Surfbot|SurveyBot|Suzuran|Swiftbot|Szukacz|T0PHackTeam|T8Abot|Teleport|Telesoft|Telesphoreo|Telesphorep|TheNomad|The\ Intraformant|Thumbor|TightTwatBot|TinyTestBot|Titan|Toata|Toweyabot|Tracemyfile|Trendiction|Trendictionbot|True_Robot|Turingos|Turnitin|TurnitinBot)" 1;
    # Bloco 12 - TwengaBot to WiseGuys Robot
    "~*(TwengaBot|Twice|URLy\.Warning|URLy\ Warning|UnisterBot|Upflow|V-BOT|VB\ Project|VCI|Vacuum|Vagabondo|VelenPublicWebCrawler|VeriCiteCrawler|VidibleScraper|Virusdie|VoidEYE|Voil|Voltron|WASALive-Bot|WBSearchBot|WEBDAV|WISENutbot|WWW-Collector-E|WWW-Mechanize|WWW::Mechanize|WWWOFFLE|Wallpapers|Wallpapers/3\.0|WallpapersHD|WeSEE|WebAuto|WebBandit|WebCollage|WebCopier|WebEnhancer|WebFetch|WebFuck|WebGo\ IS|WebImageCollector|WebLeacher|WebPix|WebReaper|WebSauger|WebStripper|WebSucker|WebWhacker|WebZIP|Webalta|WebmasterWorldForumBot|Webshag|WebsiteExtractor|WebsiteQuester|Website\ Quester|Webster|Whack|Whacker|Whatweb|Who\.is\ Bot|Widow|WinHTTrack|WiseGuys\ Robot)" 1;
    # Bloco 13 - Wonderbot to zgrab
    "~*(Wonderbot|Woobot|Wotbox|Wprecon|Xaldon\ WebSpider|Xaldon_WebSpider|YaK|YoudaoBot|Zade|Zauba|Zermelo|Zeus|Zitebot|ZoomBot|ZumBot|ZyBorg|adscanner|allenai\.org|archive\.org_bot|arquivo-web-crawler|arquivo\.pt|autoemailspider|awario\.com|backlink-check|cah\.io\.community|check1\.exe|clark-crawler|coccocbot|cognitiveseo|com\.plumanalytics|crawl\.sogou\.com|crawler\.feedback|crawler4j|dataforseo\.com|dataprovider|demandbase-bot|domainsproject\.org|eCatch|evc-batch|everyfeed-spider|facebookscraper|gopher|imagesift\.com|instabid|internetVista\ monitor|ips-agent|isitwp\.com|iubenda-radar|l9scan|leakix|linkdexbot|linkfluence|lwp-request|lwp-trivial|magpie-crawler|mediawords|muhstik-scan|netEstate\ NE\ Crawler|oBot|omgili|openai|openai\.com|page\ scorer|pcBrowser|plumanalytics|polaris\ version|probe-image-size|ripz|s1z\.ru|satoristudio\.net|scalaj-http|scan\.lol|seobility|seocompany\.store|seoscanners|seostar|serpstatbot|sexsearcher|sitechecker\.pro|siteripz|sogouspider|sp_auditbot|spyfu|sysscan|tAkeOut|trendiction\.com|trendiction\.de|ubermetrics-technologies\.com|voyagerx\.com|webgains-bot|webmeup-crawler|webpros\.com|webprosbot|x09Mozilla|x22Mozilla|xpymep1\.exe|zauba\.io)" 1;
}

# Suspicious URI Detection (Bloqueio de Borda / Fast-Fail)
# Atua antes do ModSecurity para economizar processamento do WAF em ataques óbvios.
map $request_uri $is_suspicious_uri {
    default 0;
    
    # Cloud & Infrastructure Metadata (SSRF/Recon)
    "~*(169\.254\.169\.254|/latest/meta-data/|/v1/metadata/|/metadata-flavor)" 1;
    "~*(docker-compose\.ya?ml|Dockerfile|kubernetes\.s?yaml)" 1;

    # Arquivos de Configuracao, Credenciais e Segredos (Deep leaking)
    "~*(\.env(\..+)?|\.git|\.aws|\.ssh|\.docker|\.config|config\.php|wp-config\.php|xmlrpc\.php)" 1;
    "~*(composer\.(json|lock)|package(-lock)?\.json|yarn\.lock|pnpm-lock\.yaml)" 1;
    "~*(web\.config|appsettings\.json|settings\.py|local_settings\.py)" 1;

    # Backups, Dumps e Arquivos Temporarios
    "~*(\.(bak|old|orig|save|sql|db|sqlite|tar\.gz|zip|swp|rar|7z)$|/autobackup/)" 1;
    
    # Wordpress Hardening & CMS Specifics
    "~*/wp-content/uploads/.*\.php" 1; # Bloqueio de execução de PHP em uploads
    "~*(/wp-includes/|/wp-content/plugins/.*\.txt|/wp-content/themes/.*\.txt)" 1;

    # CVE-Specific Exploits (2024-2026)
    "~*/reallysimplessl/v1/two_fa/skip_onboarding" 1; # CVE-2024-10924 (Auth Bypass)
    "~*(/gutenkit/v1/install-active-plugin|/cleantalk-antispam/v1/perform)" 1; # CVE-2024-9234 / CVE-2024-10781
    "~*(/open-url|/open-stack-frame)" 1; # CVE-2025-11953 (Metro4Shell)
    "~*/api/fabric/device/status" 1; # CVE-2025-25257 (FortiWeb RCE - Legacy)
    "~*/api/v2\.0/cmdb/system/admin" 1; # CVE-2025-64446 (FortiWeb Traversal)
    "~*\/ajax\/" 1; # CVE-2025-40551 (SolarWinds Evasion)
    "~*/SetupWizard\.aspx" 1; # CVE-2024-1709 (ScreenConnect Bypass)
    "~*cgi-bin/fwbcgi" 1; # Fortinet CGI signature
    "~*display=filestore.*&action=testconnection" 1; # CVE-2025-64328 (FreePBX)

    # Server-Specific CVEs (Nginx/Apache/IIS)
    "~*/AdmissionReview" 1; # CVE-2025-1974 (Ingress-Nginx)
    "~*(/_vti_bin/|/MSOffice/|/WebDAV/)" 1; # IIS/WebDAV Probes
    "~*/Cityworks/.*(Common|Config)/" 1; # CVE-2025-0994 (Cityworks on IIS)
    "~*(\.php/.*AddType|RewriteRule.*\[E=)" 1; # CVE-2024-40725 (Apache Source Disclosure)
    "~*\.php$" 1; # General PHP probing (e.g. CVE-2025-0108 PAN-OS)
}

# --- Pathfinder Deep Inspect Payload Map ---
# Detecta injeções e ataques vindos via Query String ($args)
map $args $is_malicious_payload {
    default 0;
    
    # 1. SQL Injection (Multi-DB: MySQL, Postgres, MSSQL)
    "~*(SELECT|UNION|DROP|WHERE|INSERT|UPDATE|DELETE|benchmark|waitfor|delay|pg_sleep)" 1;
    "~*(information_schema|pg_stat_activity|@@version|xp_cmdshell|load_file|MD5\()" 1;
    "~*(lo_export|pg_read_file|lo_put)" 1; # CVE-2025-1094 (Postgres Exfiltration)
    "~*(\-\-|%20\/\*|%23|\)%23)" 1; # Comentários e encerramentos de SQL

    # 2. XSS & JS Injection (React/Modern Web)
    "~*(script>|alert\(|onerror|window\.|javascript:|onmouseover|svg\s+onload|<body\s+onload)" 1;
    "~*(dangerouslySetInnerHTML|eval\(|String\.fromCharCode|constructor\.prototype)" 1;
    "~*(__proto__)" 1; # Prototype Pollution

    # 3. NoSQL Injection (MongoDB/NoSQL Security)
    "~*(\$gt|\$ne|\$where|\$regex|\$expr|\$exists|\$mod|\$all)" 1;

    # 4. Advanced Exploits (Log4j, Shellshock, SSTP, Server-CVEs)
    "~*\$\{jndi:(ldap|rmi|dns|nis|iiop|corba|nds|http)\}" 1; # Log4j / Log4Shell
    "~*\(\)\s*\{\s*:\s*;\s*\}\s*;" 1; # Shellshock (CVE-2014-6271)
    "~*(SSTP_DUPLEX_POST|sra_\{BA195980-CD49-458b-9E23-C84EE0ADCD75\})" 1; # SSTP Tunneling
    "~*(ssl_engine|load_module|AdmissionReview)" 1; # CVE-2025-1974 Patterns
    "~*(\.mp4\?.*(start|end|offset)=.*%.*%)" 1; # CVE-2024-7347 (Nginx MP4 DoS)

    # 5. Path Traversal & LFI
    "~*(\.\./|\.\.\\|/etc/passwd|/etc/shadow|boot\.ini|/windows/win\.ini)" 1;

    # 6. PHP & Remote Execution / Binary Probes / Command Injection (n8n/SolarWinds/FreePBX)
    "~*(<\?php|base64_decode|system\(|shell_exec|proc_open|exec\()" 1;
    "~*(child_process|spawn|eval\(|require\(|constructor|fs\.readFile|process\.env)" 1;
    "~*(\\x00|\\x03|\\xE0|\\x83|\\xF8)" 1; # Binary probes / Buffer overflow patterns
}

# --- Pathfinder Extra Risk Vectors ---

# 1. Referer Spam Detection (Mitchell Krog's Bad Referrers)
map $http_referer $is_spam_referer {
    default 0;
    # Bloco 01 - 000free to acortarurl
    "~*(000free\.us|007angels\.com|00author\.com|00go\.com|00it\.com|00webcams\.com|01apple\.com|03e\.info|03p\.info|08800\.top|0daymusic\.org|0lovespells0\.blogspot\.com|1-99seo\.com|1-free-share-buttons\.com|100dollars-seo\.com|101billion\.com|101lesbian\.xyz|123movies\.love|1kdailyprofit\.me|1millionusd\.xyz|1webmaster\.ml|acmebtn\.ml|acortarurl\.es)" 1;
    # Bloco 02 - actionnooz to amanda-porn
    "~*(actionnooz\.com|activepr\.ru|acunetix-referrer\.com|ad-words\.ru|adamoads\.com|adbetclickin\.pink|adcash\.com|adclickthru\.net|adconscious\.com|adf\.ly|adidas\.frwebs\.fr|admeasures\.com|admitad\.com|adnotbad\.com|adpremium\.org|adprotect\.net|adrunnr\.com|ads-cool\.pro|ads-seo\.men|ads\.gold|adsref\.men|adssafeprotected\.com|adtiger\.tk|adult-shop\.com\.ua|adultfriendfinder\.com|adultnet\.in|advokat-grodno\.by|advokateg\.xyz|adzpower\.com|aero2\.ru|affiliate-fr\.com|afslankpillen2017nl\.eu|agecheckadult\.com|aghanyna\.com|ahhjf\.com|aibolita\.com|aihelen\.net|akama\.com|alert-fdm\.xyz|alert\.scansafe\.net|alessandraleone\.com|alibestsale\.com|alienwheels\.de|alkoravto\.ru|all4invest\.ru|allfinweb\.com|allornamenti\.com|allwidewallpapers\.com|aloofly\.com|alot\.com|amanda-porn\.ga)" 1;
    # Bloco 03 - amateurgalls to asdfg
    "~*(amateurgalls\.com|amateurmatch\.com|amazingpic\.net|amazon-adsystem\.com|amazon-seo-service\.com|amehdaily\.com|amigobulls\.com|ample-awards-today\.us|amung\.us|anabolics\.shop|analnoeporno\.tv|analytics-ads\.xyz|ananas\-acresar\.tk|android-systems\.ru|angigreene\.com|angkortours\.vn|animalia-life\.club|animalrank\.com|animaltoplist\.com|animebox\.com\.ua|anjalika\.co\.in|anniemation\.com|anonymous-redirect\.com|anonymousfox\.co|anti-virus-removal\.info|anticrawler\.org|ap.senai\.br|apartmentratings\.com|apessay\.com|api\.stathat\.com|app-ready\.xyz|appearance-cool\.com|appfastplay\.com|appfixing\.space|appiq\.mobi|apple\.com-cleaner\.systems|applyneedy\.xyz|appmsr\.org|approved\.su|apps-analytics\.net|appsaurus\.com|appsecurityr\.com|aproposde\.com|apxeo\.info|arabsexxxtube\.com|arabseyes\.com|arcadeplayhouse\.com|architecturebest\.com|arclk\.net|arcteryxsale\.online|arewater\.com|arius\.tech|arkkivoltti\.net|arraty\.altervista\.org|articlesdirectoryme\.info|art picso\.com|aruplighting\.com|as5000\.com|ascat\.porn|asdfg\.pro)" 1;
    # Bloco 04 - Originais e Famosos
    "~*(semalt\.com|best-seo-offer\.com|buttons-for-website\.com|napaleon\.com|darodar\.com|hulfingtonpost\.com|ilovevitaly\.com|vpn-special\.com)" 1;
}

# 2. Protocol & Header Violations
map $http_user_agent $is_protocol_violation {
    default 0;
    "" 1; # User-Agent Vazio (Geralmente Malicioso)
    "~*^.{0,5}$" 1; # User-Agent suspeitosamente curto
}

# 3. Geographic Risk (Requires GeoIP2 .mmdb files)
map $geoip2_data_country_code $is_high_risk_country {
    default 0;
    "CN" 1; # China
    "RU" 1; # Russia
    "KP" 1; # North Korea
    "IR" 1; # Iran
    "CU" 1; # Cuba
    "SY" 1; # Syria
}

# --- NOVO: Detecção de Cabeçalhos Suspeitos (CVE-2025-55182 / React2Shell) ---
map $http_next_action $react_attack_1 {
    default 0;
    "~*(`|\$|\(|\)|<|>|\{|}|;|\|)" 1;
    "~*(child_process|exec|spawn|eval|require)" 1;
}

map $http_rsc_action_id $react_attack_2 {
    default 0;
    "~*(`|\$|\(|\)|<|>|\{|}|;|\|)" 1;
    "~*(child_process|exec|spawn|eval|require)" 1;
}

map $react_attack_1$react_attack_2 $is_suspicious_header {
    "00" 0;
    default 1;
}

# --- Pathfinder Security Decision Engine (PSDE) ---

# 1. Detecção de Métodos HTTP Incomuns/Perigosos
map $request_method $is_suspicious_method {
    default 0;
    ~*(TRACE|TRACK|CONNECT|DEBUG) 1;
}

# 2. Security Scoring System (8-Vector Combinatorial Matrix)
# Ordem: [Bot][URI][Method][Payload][Geo][Protocol][Referer][Header]
map $is_bad_bot$is_suspicious_uri$is_suspicious_method$is_malicious_payload$is_high_risk_country$is_protocol_violation$is_spam_referer$is_suspicious_header $security_score {
    "00000000" 0;   # Saudável

    # --- BLOQUEIO CRÍTICO (Score 3) ---
    "~*...1...." 3; # Qualquer Payload
    "~*......1." 3; # Qualquer Referer Spam
    "~*.......1" 3; # Qualquer Cabeçalho Malicioso (React2Shell/etc)
    "~*[1-9]{3,}" 3; # Qualquer 3 ou mais vetores em simultâneo
    "~*11[1-9]...." 3; # Bot + URI + Método
    "~*11...[1-9]." 3; # Bot + URI + Protocolo
    "~*1.1.1.." 3; # Bot + Método + Geo

    # --- RISCO ALTO (Score 2 - Combinações de 2 Vetores) ---
    "~*11....." 2; # Bot + URI
    "~*1.1...." 2; # Bot + Método
    "~*1...1.." 2; # Bot + Geo 
    "~*1....1." 2; # Bot + Protocolo
    "~*.11...." 2; # URI + Método
    "~*.1..1.." 2; # URI + Geo
    "~*.1...1." 2; # URI + Protocolo
    "~*..1.1.." 2; # Método + Geo
    "~*..1..1." 2; # Método + Protocolo
    "~*....11." 2; # Geo + Protocolo

    # --- SUSPEITO (Score 1 - Vetores Individuais) ---
    "~*1......" 1; # Apenas Bot
    "~*.1....." 1; # Apenas URI
    "~*..1...." 1; # Apenas Método
    "~*....1.." 1; # Apenas Geo
    "~*.....1." 1; # Apenas Protocolo

    default 1;
}

# 3. Nível de Risco para Auditoria (Diagnóstico Descritivo JSON)
map $is_bad_bot$is_suspicious_uri$is_suspicious_method$is_malicious_payload$is_high_risk_country$is_protocol_violation$is_spam_referer$is_suspicious_header $risk_category {
    "00000000" "LIMPO";
    "~*...1...." "ATAQUE_CRITICO";
    "~*......1." "ATAQUE_CRITICO";
    "~*.......1" "ATAQUE_CRITICO";
    "~*[1-9]{3,}" "ATAQUE_COORDENADO"; # Combos triplos são coordenados
    "~*[1-9]{2}"  "RISCO_ALTO";         # Combos duplos são risco alto
    default       "SUSPEITO";
}

map $is_bad_bot$is_suspicious_uri$is_suspicious_method$is_malicious_payload$is_high_risk_country$is_protocol_violation$is_spam_referer$is_suspicious_header $risk_reason {
    "00000000" "Trafego limpo";
    
    # Prioridades de Ataque (Combos Triplos+)
    "~*...1...." "ATAQUE_DIRETO: Payload Malicioso Detectado";
    "~*......1." "ATAQUE_DIRETO: Origem de Referer Fraudulento";
    "~*.......1" "ATAQUE_DIRETO: Cabecalho Suspeito (React2Shell/etc)";
    "~*[1-9]{3,}" "ATAQUE_COORDENADO: Multiplos vetores de risco detectados";
    
    # Combinações Duplas (Risco Alto)
    "~*11......" "COMBINACAO: Bot conhecido em local sensivel";
    "~*1...1..." "COMBINACAO: Bot em regiao de alto risco";
    "~*.1..1..." "COMBINACAO: Acesso sensivel vindo de regiao de risco";
    "~*....11.." "COMBINACAO: Geo-risco com quebra de protocolo";
    "~*[1-9]{2}"  "COMBINACAO: Dois sinais de alerta detectados";

    # Sinais Unitários (Suspeito)
    "~*1......." "SUSPEITO: Bot conhecido (Scraper/Crawler)";
    "~*.1......" "SUSPEITO: Acesso a URI restrita ou sensivel";
    "~*..1....." "SUSPEITO: Metodo HTTP incomum";
    "~*....1..." "SUSPEITO: Origem geografica de alto risco";
    "~*.....1.." "SUSPEITO: Violacao de protocolo (UA invalido)";

    default "Atividade anomala detectada";
}

# 4. Decisão de Bloqueio Final
# 0 = Passa | 1 = Bloqueia
map $security_score $block_request {
    0 0;
    default 1;
}

# Internal IP Detection
geo $is_internal {
    default 0;
    10.10.0.0/16 1; 10.11.0.0/16 1; 10.12.0.0/16 1; 172.16.0.0/16 1;
    
    # Subnets Simplificadas (Agrupamento de IPs)
    45.169.73.154/31 1;   # .154 e .155
    201.73.213.128/30 1;  # .128 ate .131
    177.74.160.16/29 1;   # .16 ate .23
    45.169.87.168/29 1;   # .168 ate .175
}

# --- modern Rate Limiting & Performance Maps ---

# 1. Chave Unificada de Rate Limit com Penalidade
# IPs internos são liberados, IPs suspeitos (score > 0) caem em zonas de limitação mais agressivas.
map $is_internal$security_score $limit_key {
    ~^1. 0; # Whitelist para IPs Internos (independente de score)
    "00" $binary_remote_addr; # Tráfego Limpo
    default $binary_remote_addr; # Qualquer outra coisa (Suspeitos)
}

# 2. Chave de "Castigo" para Bots e Ataques (Tarpit / Delay)
map $security_score $heavy_limit_key {
    0 "";
    default $binary_remote_addr; # Apenas quem tem pontuação de risco entra aqui
}

# 3. Cache Asset TTL - Suporte Total 2026 (Modern Web)
# No proxy_cache usamos um tempo curto, o Cache-Control (Browser) é que decide o tempo longo.
map $request_uri $cache_asset_ttl {
    # 1. Assets Versionados (?v= ou .v1.) -> Cache Longo no Proxy (1 mes)
    "~*(\?v=|\?id=|\.v[0-9]|\.[0-9a-f]{8,})" 30d;
    
    # 2. Imagens e Mídia (Sem versão) -> 1 dia
    ~*\.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg)$ 1d;
    
    # 3. Scripts e Estilos (Sem versão) -> 6 horas
    ~*\.(mjs|js|ts|wasm|json|css|less|scss)$ 6h;
    
    # 4. Fontes -> 7 dias
    ~*\.(woff2?|ttf|otf|eot)$ 7d;
    
    # Padrão: Sem Cache (Documentos como PDF entram aqui por segurança)
    default off;
}

# --- Pathfinder Pseudo-CDN Engine ---

# 1. Identificação de Assets Globais (Idênticos em todos os sistemas)
map $request_uri $is_global_asset {
    default 0;
    # Bibliotecas Comuns (Fingerprinted ou Versão Fixa) - Front-end Power Pack 2026
    ~*(jquery|bootstrap|fontawesome|axios|vue|react|alpine|htmx|inter|roboto).*\.(js|css|woff2?|ttf|otf)$ 1;
    ~*(tailwind|shadcn|lucide|radix|framer|next|lodash|moment|dayjs).*\.(js|css|woff2?|ttf|otf)$ 1;
    ~*(chart|leaflet|mapbox|slick|swiper|videojs).*\.(js|css|woff2?|ttf|otf)$ 1;
    # Fontes Populares (Web Fonts Compartilhadas)
    ~*(montserrat|open-sans|lato|poppins|oswald|playfair|merriweather|nunito|ubuntu|raleway|outfit|plus-jakarta).*\.(woff2?|ttf|otf)$ 1;
    # Pastas de Ativos Compartilhados (Convenção interna)
    ~*(/cdn/|/shared/|/common/) 1;
}

# 2. Chave de Cache Inteligente (Isolation vs Sharing)
# Se for Asset Global -> Chave sem $host (Efeito CDN)
# Se for Normal -> Chave com $host (Isolamento total)
map $is_global_asset $pathfinder_cache_key {
    0 "$scheme$request_method$host$request_uri";
    1 "$scheme$request_method$request_uri";
}

# --- Pathfinder Smart Cache Optimization Maps ---
# Trata a politica de Cache do Navegador baseado na URI e Versao
map $request_uri $cache_control_header {
    # 1. Assets Versionados -> Imutaveis (1 ano)
    "~*(\?v=|\?id=|\.v[0-9]|\.[0-9a-f]{8,})" "public, max-age=31536000, immutable";
    
    # 2. Assets Comuns (Imagens, Fontes) -> Revalidacao obrigatoria (curto)
    "~*\.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg|woff2?|ttf|otf|eot)$" "public, max-age=86400, must-revalidate";
    
    # 3. Scripts e Estilos (Sem versao) -> Revalidacao agressiva (curto)
    "~*\.(mjs|js|ts|wasm|json|css|less|scss)$" "public, max-age=3600, must-revalidate";

    # 4. HTML e APIs -> Nunca cachear no navegador sem revalidar
    "~*(\.html|\/api\/)" "no-cache, must-revalidate";

    # Padrao: Seguranca Maxima (Documentos, PDFs, etc. nao sao cacheados)
    default "no-cache, no-store, must-revalidate";
}