|
1 | 1 | upstream php-handler { |
2 | | - server 127.0.0.1:9000; |
3 | | -# server unix:/var/run/php/php7.0-fpm.sock; |
| 2 | + server 127.0.0.1:9000; |
4 | 3 | } |
5 | | - |
6 | 4 | server { |
7 | | - listen 80; |
8 | | - server_name _; |
9 | | - # enforce https |
10 | | - return 301 https://$server_name$request_uri; |
| 5 | + listen 80; |
| 6 | + listen [::]:80; |
| 7 | + server_name _; |
| 8 | + return 301 https://$server_name$request_uri; |
11 | 9 | } |
12 | | - |
13 | 10 | server { |
14 | | - listen 443 ssl; |
15 | | - server_name _; |
16 | | - |
17 | | - ssl_certificate /config/keys/cert.crt; |
18 | | - ssl_certificate_key /config/keys/cert.key; |
19 | | - |
20 | | - # Add headers to serve security related headers |
21 | | - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; |
22 | | - add_header X-Content-Type-Options nosniff; |
23 | | - # add_header X-Frame-Options "SAMEORIGIN"; |
24 | | - add_header X-XSS-Protection "1; mode=block"; |
25 | | - add_header X-Robots-Tag none; |
26 | | - add_header X-Download-Options noopen; |
27 | | - add_header X-Permitted-Cross-Domain-Policies none; |
28 | | - add_header Referrer-Policy no-referrer always; |
29 | | - |
30 | | - # Path to the root of your installation |
31 | | - root /config/www/nextcloud/; |
32 | | - # set max upload size |
33 | | - client_max_body_size 10G; |
34 | | - fastcgi_buffers 64 4K; |
35 | | - |
36 | | - # Disable gzip to avoid the removal of the ETag header |
37 | | - gzip off; |
38 | | - |
39 | | - # Uncomment if your server is build with the ngx_pagespeed module |
40 | | - # This module is currently not supported. |
41 | | - #pagespeed off; |
42 | | - |
43 | | - index index.php; |
44 | | - error_page 403 /core/templates/403.php; |
45 | | - error_page 404 /core/templates/404.php; |
46 | | - |
47 | | - rewrite ^/.well-known/carddav /remote.php/dav/ permanent; |
48 | | - rewrite ^/.well-known/caldav /remote.php/dav/ permanent; |
49 | | - |
50 | | - # The following 2 rules are only needed for the user_webfinger app. |
51 | | - # Uncomment it if you're planning to use this app. |
52 | | - #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; |
53 | | - #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; |
54 | | - |
55 | | - location = /robots.txt { |
56 | | - allow all; |
57 | | - log_not_found off; |
58 | | - access_log off; |
59 | | - } |
60 | | - |
61 | | - location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ { |
62 | | - deny all; |
63 | | - } |
64 | | - |
65 | | - location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { |
66 | | - deny all; |
67 | | - } |
68 | | - |
69 | | - location / { |
70 | | - |
71 | | - rewrite ^/remote/(.*) /remote.php last; |
72 | | - |
73 | | - rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; |
74 | | - |
75 | | - try_files $uri $uri/ =404; |
76 | | - } |
77 | | - |
78 | | - location ~ \.php(?:$|/) { |
79 | | - fastcgi_split_path_info ^(.+\.php)(/.+)$; |
80 | | - include /etc/nginx/fastcgi_params; |
81 | | - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; |
82 | | - fastcgi_param PATH_INFO $fastcgi_path_info; |
83 | | - fastcgi_param HTTPS on; |
84 | | - fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice |
85 | | - fastcgi_pass php-handler; |
86 | | - fastcgi_intercept_errors on; |
87 | | - } |
88 | | - |
89 | | - # Adding the cache control header for js and css files |
90 | | - # Make sure it is BELOW the location ~ \.php(?:$|/) { block |
91 | | - location ~* \.(?:css|js)$ { |
92 | | - add_header Cache-Control "public, max-age=7200"; |
93 | | - # Add headers to serve security related headers |
94 | | - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; |
| 11 | + listen 443 ssl http2; |
| 12 | + listen [::]:443 ssl http2; |
| 13 | + server_name _; |
| 14 | + ssl_certificate /config/keys/cert.crt; |
| 15 | + ssl_certificate_key /config/keys/cert.key; |
95 | 16 | add_header X-Content-Type-Options nosniff; |
96 | | - add_header X-Frame-Options "SAMEORIGIN"; |
97 | 17 | add_header X-XSS-Protection "1; mode=block"; |
98 | 18 | add_header X-Robots-Tag none; |
99 | 19 | add_header X-Download-Options noopen; |
100 | 20 | add_header X-Permitted-Cross-Domain-Policies none; |
101 | | - add_header Referrer-Policy no-referrer always; |
102 | | - # Optional: Don't log access to assets |
103 | | - access_log off; |
104 | | - } |
105 | | - |
106 | | - # Optional: Don't log access to other assets |
107 | | - location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ { |
108 | | - access_log off; |
109 | | - } |
| 21 | + add_header Referrer-Policy no-referrer; |
| 22 | + fastcgi_hide_header X-Powered-By; |
| 23 | + root /config/www/nextcloud/; |
| 24 | + location = /robots.txt { |
| 25 | + allow all; |
| 26 | + log_not_found off; |
| 27 | + access_log off; |
| 28 | + } |
| 29 | + location = /.well-known/carddav { |
| 30 | + return 301 $scheme://$host/remote.php/dav; |
| 31 | + } |
| 32 | + location = /.well-known/caldav { |
| 33 | + return 301 $scheme://$host/remote.php/dav; |
| 34 | + } |
| 35 | + client_max_body_size 10G; |
| 36 | + fastcgi_buffers 64 4K; |
| 37 | + gzip on; |
| 38 | + gzip_vary on; |
| 39 | + gzip_comp_level 4; |
| 40 | + gzip_min_length 256; |
| 41 | + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; |
| 42 | + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; |
| 43 | + location / { |
| 44 | + rewrite ^ /index.php$request_uri; |
| 45 | + } |
| 46 | + location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { |
| 47 | + deny all; |
| 48 | + } |
| 49 | + location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { |
| 50 | + deny all; |
| 51 | + } |
| 52 | + location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|ocm-provider\/.+)\.php(?:$|\/) { |
| 53 | + fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; |
| 54 | + include /etc/nginx/fastcgi_params; |
| 55 | + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; |
| 56 | + fastcgi_param PATH_INFO $fastcgi_path_info; |
| 57 | + fastcgi_param HTTPS on; |
| 58 | + fastcgi_param modHeadersAvailable true; |
| 59 | + fastcgi_param front_controller_active true; |
| 60 | + fastcgi_pass php-handler; |
| 61 | + fastcgi_intercept_errors on; |
| 62 | + fastcgi_request_buffering off; |
| 63 | + } |
| 64 | + |
| 65 | + location ~ ^\/(?:updater|ocs-provider|ocm-provider)(?:$|\/) { |
| 66 | + try_files $uri/ =404; |
| 67 | + index index.php; |
| 68 | + } |
| 69 | + location ~ \.(?:css|js|woff2?|svg|gif)$ { |
| 70 | + try_files $uri /index.php$request_uri; |
| 71 | + add_header Cache-Control "public, max-age=15778463"; |
| 72 | + add_header X-Content-Type-Options nosniff; |
| 73 | + add_header X-XSS-Protection "1; mode=block"; |
| 74 | + add_header X-Robots-Tag none; |
| 75 | + add_header X-Download-Options noopen; |
| 76 | + add_header X-Permitted-Cross-Domain-Policies none; |
| 77 | + add_header Referrer-Policy no-referrer; |
| 78 | + access_log off; |
| 79 | + } |
| 80 | + location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { |
| 81 | + try_files $uri /index.php$request_uri; |
| 82 | + access_log off; |
| 83 | + } |
110 | 84 | } |
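Review bot: The rewritten 443 server block (new lines 11–21) no longer sends `Strict-Transport-Security`, which the removed configuration set both at server level and in the css/js location, so browsers are no longer pinned to HTTPS after the first visit unless something outside this file adds the header. If dropping it is not intended, restore it with `add_header Strict-Transport-Security "max-age=15768000" always;` at server level and repeat it in the `location ~ \.(?:css|js|woff2?|svg|gif)$` block, because a location that declares its own `add_header` lines does not inherit the server-level ones. Separately, in the port-80 block `server_name _;` makes `$server_name` expand to `_`, so `return 301 https://$server_name$request_uri;` redirects to `https://_/…`; `return 301 https://$host$request_uri;` is the usual form.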