Webserver DMZ - FSociety.pt
Perimeter Web Server and Reverse Proxy
Complete documentation of the DMZ webserver in the FSociety.pt infrastructure, covering Nginx, the main site, the reverse proxies, SSL and CrowdSec with multiple bouncers.
| Field | Value |
|---|---|
| Hostname | webserver.fsociety.pt |
| IP Address | 10.0.0.30 |
| Operating System | Ubuntu 24.04.3 LTS (Noble Numbat) |
| Kernel | 6.8.0-generic |
| Virtualization | KVM (Proxmox VE) |
| RAM | 794 MB |
| Disk | 24 GB |
| Network Zone | DMZ (10.0.0.0/24) |
DMZ Architecture
                        ┌─────────────────┐
                        │    INTERNET     │
                        │ Cloudflare WAF  │
                        └────────┬────────┘
                                 │
                        ┌────────▼────────┐
                        │     pfSense     │
                        │ 192.168.31.100  │
                        │   NAT:80/443    │
                        └────────┬────────┘
                                 │
┌────────────────────────────────▼────────────────────────────────┐
│                        DMZ (10.0.0.0/24)                        │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │ Webserver (10.0.0.30) - Nginx 1.24.0                      │  │
│  ├───────────────────────────────────────────────────────────┤  │
│  │                                                           │  │
│  │    ┌─────────────────────────────────────────────────┐    │  │
│  │    │ MAIN SITE: fsociety.pt / www.fsociety.pt        │    │  │
│  │    │ Mr. Robot Theme | Matrix Rain | Hacker Style    │    │  │
│  │    │ Location: /var/www/fsociety.pt/public_html/     │    │  │
│  │    └─────────────────────────────────────────────────┘    │  │
│  │                                                           │  │
│  │    ┌─────────────────────────────────────────────────┐    │  │
│  │    │ REVERSE PROXIES (6 vhosts)                      │    │  │
│  │    ├─────────────────────────────────────────────────┤    │  │
│  │    │ 1. autoconfig.fsociety.pt → 10.0.0.20           │    │  │
│  │    │ 2. autodiscover.fsociety.pt → 10.0.0.20         │    │  │
│  │    │ 3. fsociety.pt/www → Local site                 │    │  │
│  │    │ 4. mail.fsociety.pt → 10.0.0.20 (SOGo)          │    │  │
│  │    │ 5. nextcloud.fsociety.pt → 192.168.1.40:443     │    │  │
│  │    │    - Geo-based access control                   │    │  │
│  │    │    - External: Mail app only                    │    │  │
│  │    │    - Internal/VPN: Full access                  │    │  │
│  │    │ 6. tickets.fsociety.pt → 192.168.1.40:8081      │    │  │
│  │    │    - Internal access only (LAN + VPN)           │    │  │
│  │    │    - WebSocket support                          │    │  │
│  │    └─────────────────────────────────────────────────┘    │  │
│  │                                                           │  │
│  │    ┌─────────────────────────────────────────────────┐    │  │
│  │    │ SECURITY                                        │    │  │
│  │    │ • Security Headers (HSTS, CSP, XSS, etc)        │    │  │
│  │    │ • Rate Limiting (10r/s general, 5r/m login)     │    │  │
│  │    │ • SSL/TLS 1.2/1.3 + Strong Ciphers              │    │  │
│  │    │ • Compression: Gzip + Brotli                    │    │  │
│  │    └─────────────────────────────────────────────────┘    │  │
│  │                                                           │  │
│  │    ┌─────────────────────────────────────────────────┐    │  │
│  │    │ CROWDSEC (3 Bouncers)                           │    │  │
│  │    │ • cs-cloudflare-bouncer v0.3.0                  │    │  │
│  │    │ • cs-firewall-bouncer v0.0.34                   │    │  │
│  │    │ • crowdsec-nginx-bouncer v1.1.3 (Lua)           │    │  │
│  │    └─────────────────────────────────────────────────┘    │  │
│  └───────────────────────────────────────────────────────────┘  │
│                                                                 │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │ Mailcow (10.0.0.20)                                       │  │
│  │ SMTP | IMAP | POP3 | SOGo | ActiveSync                    │  │
│  └───────────────────────────────────────────────────────────┘  │
│                                                                 │
└────────────────────────────────┬────────────────────────────────┘
                                 │
                        ┌────────▼────────┐
                        │   LAN Servers   │
                        │ 192.168.1.0/24  │
                        │                 │
                        │ • Nextcloud     │
                        │ • Zammad        │
                        │ • Domain Ctrl   │
                        └─────────────────┘
Documentation Index
| # | Document | Description |
|---|---|---|
| 1 | Installation | Ubuntu, DMZ network, base packages |
| 2 | Nginx - Global Configuration | nginx.conf, security headers, rate limiting |
| 3 | FSociety.pt Site | Main site, Mr. Robot theme, assets |
| 4 | Proxy - Nextcloud | Reverse proxy with geo-access control |
| 5 | Proxy - Zammad | Reverse proxy with restricted access |
| 6 | Proxy - Mailcow | Mail, autoconfig and autodiscover proxies |
| 7 | SSL Let's Encrypt | Wildcard certificates |
| 8 | DNS Cloudflare | DNS records, proxy status |
| 9 | CrowdSec | 3 bouncers, Lua integration |
| 10 | Maintenance | Logs, troubleshooting, updates |
Services and Ports
| Port | Protocol | Service | Description |
|---|---|---|---|
| 80 | TCP | Nginx HTTP | Redirects to HTTPS |
| 443 | TCP | Nginx HTTPS | All SSL vhosts |

Port Forwarding (pfSense → Webserver)
| External Port | Internal Destination | Service |
|---|---|---|
| 80 | 10.0.0.30:80 | HTTP (redirect to HTTPS) |
| 443 | 10.0.0.30:443 | HTTPS (all vhosts) |
Virtual Hosts (6 Sites)
1. autoconfig.fsociety.pt
# Thunderbird/Outlook email auto-configuration
location /.well-known/autoconfig/mail/config-v1.1.xml
proxy_pass http://10.0.0.20 (Mailcow)
2. autodiscover.fsociety.pt
# Microsoft Autodiscover (Exchange)
location /autodiscover/autodiscover.xml
location /Autodiscover/Autodiscover.xml
proxy_pass http://10.0.0.20 (Mailcow)
3. fsociety.pt / www.fsociety.pt
# Main site - Mr. Robot theme
root /var/www/fsociety.pt/public_html
• Matrix rain canvas animation
• Glitch text effects
• Terminal-style interface
• fsociety.mp4 video background
• Quote: "Control is an illusion..."
4. mail.fsociety.pt
# Mailcow SOGo Webmail + ActiveSync
proxy_pass http://10.0.0.20
Locations: /SOGo, /Microsoft-Server-ActiveSync
5. nextcloud.fsociety.pt
# Nextcloud with geo-based access control
proxy_pass https://192.168.1.40:443
Access Rules:
• Internal (LAN + VPN): Full access to all apps
• External (Internet): Mail app ONLY
  - /apps/mail/*, /remote.php/dav/*, /ocs/*
  - All other paths blocked with 403
6. tickets.fsociety.pt
# Zammad Ticketing System (Internal Only)
proxy_pass http://192.168.1.40:8081
Access: LAN (192.168.1.0/24) + VPN (10.8.0.0/24, 10.9.0.0/24)
WebSocket: /ws, /cable
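One way to express the access rules of vhosts 5 and 6 in Nginx, added here as an example and not taken from the project's configuration. The variable names ($is_internal, $nc_external_ok, $nc_deny) are hypothetical, applying the VPN ranges listed for tickets.fsociety.pt to Nextcloud is an assumption, and the certificate directives are left out because their paths are not on this page.

```nginx
# Added example (http{} context). Networks, upstreams and paths come from the
# vhost list above; variable names are hypothetical.

# 1 = client address is on the LAN or a VPN network, 0 = anything else.
geo $is_internal {
    default         0;
    192.168.1.0/24  1;   # LAN
    10.8.0.0/24     1;   # VPN (assumed to apply to Nextcloud as well)
    10.9.0.0/24     1;   # VPN (assumed to apply to Nextcloud as well)
}

# Paths an external client may reach: the Mail app and the endpoints it uses.
map $uri $nc_external_ok {
    default              0;
    ~^/apps/mail/        1;
    ~^/remote\.php/dav/  1;
    ~^/ocs/              1;
}

# Deny only when the client is external AND the path is not allowlisted.
map "$is_internal:$nc_external_ok" $nc_deny {
    default  0;
    "0:0"    1;
}

server {
    listen 443 ssl;
    server_name nextcloud.fsociety.pt;
    # ssl_certificate / ssl_certificate_key go here (paths not shown on this page)
    if ($nc_deny) { return 403; }
    location / {
        proxy_set_header Host $host;
        proxy_pass https://192.168.1.40:443;
    }
}

server {
    listen 443 ssl;
    server_name tickets.fsociety.pt;
    # ssl_certificate / ssl_certificate_key go here (paths not shown on this page)
    if ($is_internal = 0) { return 403; }      # internal only
    location ~ ^/(ws|cable) {                  # WebSocket endpoints
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://192.168.1.40:8081;
    }
    location / { proxy_pass http://192.168.1.40:8081; }
}
```

`geo` evaluates `$remote_addr`, which for records proxied through Cloudflare is the connecting proxy's address. If the realip module is used to restore the visitor address, `set_real_ip_from` should list only trusted proxy ranges so that a client-supplied header cannot place a request in an internal range.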
Security Model
# Clickjacking protection
X-Frame-Options: SAMEORIGIN
# MIME-type sniffing prevention
X-Content-Type-Options: nosniff
# XSS Protection
X-XSS-Protection: 1; mode=block
# HSTS (HTTP Strict Transport Security)
Strict-Transport-Security: max-age=31536000; includeSubDomains
# Content Security Policy
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
# Referrer Policy
Referrer-Policy: strict-origin-when-cross-origin
Rate Limiting
| Zone | Limit | Burst | Applies to |
|---|---|---|---|
| general_limit | 10 req/s | 20 | Global (all requests) |
| login_limit | 5 req/m | 10 | Logins (Nextcloud, Zammad, Mail) |
SSL/TLS Configuration
| Parameter | Value |
|---|---|
| Protocols | TLSv1.2 TLSv1.3 |
| Ciphers | ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256 |
| ECDH Curve | secp384r1 |
| DH Params | 4096 bits |
| Session Cache | shared:SSL:10m |
| Session Timeout | 10m |
| OCSP Stapling | Enabled |
FSociety.pt Site - Assets
File Structure
/var/www/fsociety.pt/public_html/
├── index.html                  # Main page
├── css/
│   └── style.css               # Mr. Robot theme styles
├── js/
│   ├── matrix.js               # Matrix rain animation
│   └── glitch.js               # Text glitch effects
├── media/
│   ├── fsociety.mp4            # Background video
│   └── logo.png                # FSociety logo
└── fonts/
    └── anonymous-pro.woff2     # Monospaced font
Theme Features
- Theme: Mr. Robot / FSociety (hacker aesthetic)
- Effects: Matrix rain canvas, glitch text, terminal animation
- Video: fsociety.mp4 with audio overlay
- Quote: "Control is an illusion…"
- Colors: Green (#00ff00), Black (#0d0208), Red (#ff0000)
- Font: Anonymous Pro (monospaced)
SSL Certificates (Let's Encrypt)
| Type | Domain | Validity |
|---|---|---|
| Wildcard | *.fsociety.pt | Until 2026-03-01 |
| Base | fsociety.pt | Until 2026-03-01 |

Covered Domains
- fsociety.pt
- www.fsociety.pt
- mail.fsociety.pt
- nextcloud.fsociety.pt
- tickets.fsociety.pt
- autoconfig.fsociety.pt
- autodiscover.fsociety.pt
Security Metrics (CrowdSec)
| Metric | Value |
|---|---|
| CrowdSec Agent | v1.7.3 |
| Active Bouncers | 3 (Cloudflare + Firewall + Nginx) |
| Nginx Bouncer | v1.1.3 (Lua) |
| Cloudflare Bouncer | v0.3.0 |
| Firewall Bouncer | v0.0.34 |
| Scenarios | 50+ (web, nginx, http) |
| Collections | linux, nginx, base-http-scenarios |

Lua Integration (Nginx)
# CrowdSec Lua bouncer loaded in nginx.conf
lua_shared_dict crowdsec_cache 50m;
init_by_lua_block {
    cs = require("crowdsec")
    cs.init("/etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf")
}
access_by_lua_block {
    cs.Allow(ngx.var.remote_addr)
}
DNS (Cloudflare)
A/CNAME Records
| Name | Type | Target | Proxy |
|---|---|---|---|
| @ (fsociety.pt) | A | 188.81.65.191 | Proxied |
| www | CNAME | fsociety.pt | Proxied |
| mail | A | 188.81.65.191 | Proxied |
| nextcloud | A | 188.81.65.191 | Proxied |
| tickets | A | 188.81.65.191 | Proxied |
| autoconfig | A | 188.81.65.191 | Proxied |
| autodiscover | A | 188.81.65.191 | Proxied |

Cloudflare Protection
- WAF: OWASP Managed Rules
- DDoS: L3/L4/L7 Mitigation
- CDN: 330+ datacenters
- SSL: Full (Strict) Mode
| Field | Information |
|---|---|
| Institution | ESTG - Instituto Politécnico do Porto |
| Course Unit | Systems Administration II |
| Academic Year | 2025/2026 |
| Authors | Ryan Barbosa, Hugo Correia, Igor Araújo |

License
This project is licensed under the MIT License.
Last updated: December 2025