joao.goncalves
/
NgixProxy_Pathfinder
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
NgixProxy_Pathfinder/_backup/conf.d/gps.oestepan.com.br.conf

89 lines
3.2 KiB
Plaintext
Raw Permalink Blame History

# ==============================================================================
# ARQUIVO: /etc/nginx/sites-available/gps.oestepan.com.br.conf
# AUTOR: Gemini (Especialista NGINX)
# DATA: 27/01/2026
#
# CONTEXTO:
# Proxy Reverso para Traccar GPS (OESTEPAN).
# ModSecurity (WAF) termina o SSL e envia tráfego descriptografado para a porta 8080.
# ==============================================================================
upstream traccar_backend {
server host.docker.internal:8083;
keepalive 32;
}
# ------------------------------------------------------------------------------
# BLOCO PRINCIPAL: Porta 8080 (Tráfego vindo do ModSecurity)
# ------------------------------------------------------------------------------
server {
listen 8080;
listen [::]:8080;
server_name gps.oestepan.com.br;
include /etc/nginx/snippets/acme_challenge.conf;
limit_req zone=global_limit burst=20 nodelay;
# ============================================================================
# LOGS
# ============================================================================
client_max_body_size 50M;
access_log /var/log/nginx/gps.oestepan.com.br.access.log detailed_proxy;
error_log /var/log/nginx/gps.oestepan.com.br.error.log warn;
# ============================================================================
# ROTAS (Sem SSL pois o WAF já terminou a encriptação)
# ============================================================================
# 1. WebSocket
location /api/socket {
proxy_pass http://traccar_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # Informa ao backend que é HTTPS
}
# 2. Rota Principal
location / {
proxy_pass http://traccar_backend;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # Informa ao backend que é HTTPS
proxy_buffering off;
proxy_request_buffering off;
proxy_read_timeout 90s;
}
}
# ------------------------------------------------------------------------------
# BLOCO DUMMY: Apenas para que o script renew_ssl.sh encontre os caminhos do SSL
# ------------------------------------------------------------------------------
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name gps.oestepan.com.br;
# Important: These paths MUST be in /etc/nginx/ssl/ (shared volume)
# so ModSecurity can access them. renew_ssl.sh will copy the certs here.
ssl_certificate /etc/nginx/ssl/gps.oestepan.com.br.fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/gps.oestepan.com.br.privkey.pem;
# Retorna 444 (No Response) se alguém tentar conectar direto (bypass WAF)
location / {
return 444;
}
}
Reference in New Issue View Git Blame Copy Permalink