joao.goncalves
/
NgixProxy_Pathfinder
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
NgixProxy_Pathfinder/nginx/sites-available/vcenter.itguys.com.br.conf

136 lines
5.5 KiB
Plaintext
Raw Permalink Blame History

# ==============================================================================
# Arquivo de configuração NGINX para: vcenter.itguys.com.br
# Data da Modificação: 2025-10-06 12:00
#
# Contexto:
# Versão final e corrigida.
# - Proxy reverso de HTTPS (cliente) para HTTPS (backend vCenter).
# - Resolve o loop de redirect e o erro 502 Bad Gateway.
# - Inclui diretivas para confiar no certificado auto-assinado do vCenter.
# - Preparado para certificados Let's Encrypt.
# ==============================================================================
# Define o servidor backend do vCenter para facilitar a manutenção
upstream vcenter_backend {
# Aponta para a porta HTTPS do vCenter
server 172.16.254.110:443;
}
# Servidor para redirecionamento de HTTP para HTTPS (Porta 80)
# O Certbot (Let's Encrypt) usará este bloco para validação.
server {
if ($host = vcenter.itguys.com.br) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name vcenter.itguys.com.br;
# Força o uso de HTTPS com um redirecionamento 301 (permanente)
return 301 https://$host$request_uri;
}
# Servidor principal que lida com o tráfego HTTPS (Porta 443)
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name vcenter.itguys.com.br;
# --- Logs ---
access_log /var/log/nginx/vcenter.itguys.com.br.access.log;
error_log /var/log/nginx/vcenter.itguys.com.br.error.log warn;
# --- Configurações de SSL/TLS (Let's Encrypt) ---
# O Certbot irá criar e preencher estes caminhos automaticamente.
#ssl_certificate /etc/letsencrypt/live/vcenter.itguys.com.br/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/vcenter.itguys.com.br/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# --- Cabeçalhos de Segurança ---
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer" always;
brotli on;
brotli_comp_level 6;
brotli_types application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/xml;
brotli_min_length 1024; # Compressão a partir de 1024 bytes
gzip on;
gzip_vary on;
gzip_proxied any; # Compacta respostas de proxy
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 1024; # Compressão a partir de 1024 bytes
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
# --- Cache de Proxy para Ativos Estáticos ---
# Cacheia arquivos estáticos comuns servidos pelo backend
location ~* \.(css|js|jpg|jpeg|gif|png|svg|ico|woff|woff2|ttf|eot)$ {
# --- Configurações do Proxy (Idênticas ao /) ---
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
proxy_buffers 32 4k;
#proxy_ssl_trusted_certificate /etc/nginx/ssl/vcenter_backend.pem;
#proxy_ssl_verify on;
proxy_ssl_server_name on;
proxy_ssl_name vcenter.itguys.com.br;
proxy_pass https://vcenter_backend;
# --- Diretivas de Cache ---
proxy_cache vcenter_cache;
proxy_cache_valid 200 302 60m;
proxy_cache_valid 404 1m;
proxy_cache_key "$scheme$request_method$host$request_uri";
proxy_cache_min_uses 1;
proxy_cache_lock on;
# Adiciona um header para debug (verificar se o cache está HIT/MISS/BYPASS)
add_header X-Proxy-Cache $upstream_cache_status;
}
# --- Configurações do Proxy Reverso ---
location / {
# --- Suporte a WebSocket ---
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# --- Cabeçalhos do Proxy ---
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# --- Timeouts e Buffers ---
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
proxy_buffers 32 4k;
# --- Confiança no Certificado Backend (Auto-assinado) ---
# Aponte para o certificado público do vCenter que extraímos.
#proxy_ssl_trusted_certificate /etc/nginx/ssl/vcenter_backend.pem;
#proxy_ssl_verify on;
# Resolve o erro 502 Bad Gateway (problema de SNI).
proxy_ssl_server_name on;
proxy_ssl_name vcenter.itguys.com.br;
# Aponta o tráfego para o vCenter Server via HTTPS.
proxy_pass https://vcenter_backend;
}
ssl_certificate /etc/letsencrypt/live/vcenter.itguys.com.br/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/vcenter.itguys.com.br/privkey.pem; # managed by Certbot
}
Reference in New Issue View Git Blame Copy Permalink