server { listen 80; server_name dom.herfort.eu; return 301 https:

1. server {
2. listen 80;
3. server_name dom.herfort.eu;
4. return 301 https://$server_name$request_uri;
5. }
6. server {
7. listen 443 ssl http2;
8. server_name dom.herfort.eu;
9. root /var/www/nextcloud;
10.  
11. ssl on;
12. ssl_certificate /etc/letsencrypt/live/dom.herfort.eu/fullchain.pem;
13. ssl_certificate_key /etc/letsencrypt/live/dom.herfort.eu/privkey.pem;
14. ssl_session_timeout 5m;
15. ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
16. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
17. ssl_prefer_server_ciphers on;
18.  
19. add_header X-Content-Type-Options nosniff;
20. add_header X-Frame-Options "SAMEORIGIN";
21. add_header X-XSS-Protection "1; mode=block";
22. add_header X-Robots-Tag none;
23. add_header X-Download-Options noopen;
24. add_header X-Permitted-Cross-Domain-Policies none;
25.  
26. access_log /var/log/nginx/nextcloud.access.log;
27. error_log /var/log/nginx/nextcloud.error.log;
28.  
29. location = /robots.txt {
30. allow all;
31. log_not_found off;
32. access_log off;
33. }
34.  
35. location = /.well-known/carddav {
36. return 301 $scheme://$host/remote.php/dav;
37. }
38. location = /.well-known/caldav {
39. return 301 $scheme://$host/remote.php/dav;
40. }
41.  
42. client_max_body_size 512M;
43. fastcgi_buffers 64 4K;
44. gzip off;
45.  
46. error_page 403 /core/templates/403.php;
47. error_page 404 /core/templates/404.php;
48.  
49. location / {
50. rewrite ^ /index.php$uri;
51. }
52.  
53. location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
54. deny all;
55. }
56.  
57. location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
58. deny all;
59. }
60.  
61. location ~^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
62. include fastcgi_params;
63. fastcgi_split_path_info ^(.+\.php)(/.+)$;
64. fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
65. fastcgi_param PATH_INFO $fastcgi_path_info;
66. fastcgi_param HTTPS on;
67. #Avoid sending the security headers twice
68. fastcgi_param modHeadersAvailable true;
69. fastcgi_param front_controller_active true;
70. fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
71. fastcgi_intercept_errors on;
72. fastcgi_request_buffering off;
73. }
74.  
75. location ~ ^/(?:updater|ocs-provider)(?:$|/) {
76. try_files $uri/ =404;
77. index index.php;
78. }
79.  
80. location ~* \.(?:css|js)$ {
81. try_files $uri /index.php$uri$is_args$args;
82. add_header Cache-Control "public, max-age=7200";
83. add_header X-Content-Type-Options nosniff;
84. add_header X-Frame-Options "SAMEORIGIN";
85. add_header X-XSS-Protection "1; mode=block";
86. add_header X-Robots-Tag none;
87. add_header X-Download-Options noopen;
88. add_header X-Permitted-Cross-Domain-Policies none;
89. # Optional: Don't log access to assets
90. access_log off;
91. }
92.  
93. location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
94. try_files $uri /index.php$uri$is_args$args;
95. access_log off;
96. }
97.  
98. location ~ /\.ht {
99. deny all;
100. }
101.  
102. location /tv {
103. proxy_pass http://127.0.0.1:9981;
104. proxy_redirect off;
105. proxy_set_header Host $host;
106. proxy_set_header X-Real-IP $remote_addr;
107. proxy_set_header X-Forwarded-For $remote_addr;
108. proxy_set_header X-Forwarded-Proto https;
109. }
110.  
111. include snippets/letsencrypt.include;
112. }