update nginx site conf due to CVE

Author: aptalca

README.md

@@ -127,9 +127,11 @@ In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as bel
  
 ## Application Setup
 
-Access the webui at `<your-ip>:443`, for more information check out [Nextcloud](https://nextcloud.com/).
+Access the webui at `https://<your-ip>:443`, for more information check out [Nextcloud](https://nextcloud.com/).
 
-If you are updating our container along with the in app updater and you are not customizing our default nginx configuration you will need to remove the file:
+In order to update nextcloud version, first make sure you are using the latest docker image, and then perform the in app gui update. Docker image update and recreation of container alone won't update nextcloud version. 
+
+If you are not customizing our default nginx configuration you will need to remove the file:
 ```
 /config/nginx/site-confs/default
 ```
@@ -201,6 +203,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **24.10.19:** - Nginx default site config updated due to CVE-2019-11043 (existing users should delete `/config/nginx/site-confs/default` and restart the container).
 * **14.07.19:** - Download nextcloud during build time.
 * **28.06.19:** - Rebasing to alpine 3.10.
 * **23.03.19:** - Switching to new Base images, shift to arm32v7 tag.

readme-vars.yml

@@ -48,16 +48,19 @@ optional_block_1: false
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
-  Access the webui at `<your-ip>:443`, for more information check out [Nextcloud]({{ project_url }}).
+  Access the webui at `https://<your-ip>:443`, for more information check out [Nextcloud]({{ project_url }}).
 
-  If you are updating our container along with the in app updater and you are not customizing our default nginx configuration you will need to remove the file:
+  In order to update nextcloud version, first make sure you are using the latest docker image, and then perform the in app gui update. Docker image update and recreation of container alone won't update nextcloud version. 
+  
+  If you are not customizing our default nginx configuration you will need to remove the file:
   ```
   /config/nginx/site-confs/default
   ```
   Then restart the container to replace it with the latest one. 
 
 # changelog
 changelogs:
+  - { date: "24.10.19:", desc: "Nginx default site config updated due to CVE-2019-11043 (existing users should delete `/config/nginx/site-confs/default` and restart the container)." }
   - { date: "14.07.19:", desc: "Download nextcloud during build time." }
   - { date: "28.06.19:", desc: "Rebasing to alpine 3.10." }
   - { date: "23.03.19:", desc: "Switching to new Base images, shift to arm32v7 tag." }

root/defaults/default

@@ -5,7 +5,7 @@ server {
     listen 80;
     listen [::]:80;
     server_name _;
-    return 301 https://$server_name$request_uri;
+    return 301 https://$host$request_uri;
 }
 server {
     listen 443 ssl http2;
@@ -41,7 +41,7 @@ server {
     gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
     gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
     location / {
-        rewrite ^ /index.php$request_uri;
+        rewrite ^ /index.php;
     }
     location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
         deny all;
@@ -51,6 +51,7 @@ server {
     }
     location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|ocm-provider\/.+)\.php(?:$|\/) {
         fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+        try_files $fastcgi_script_name =404;
         include /etc/nginx/fastcgi_params;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         fastcgi_param PATH_INFO $fastcgi_path_info;