Untitled

a guest
Apr 20th, 2021
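  # HTTPS virtual host that serves a Nextcloud installation through PHP-FPM.
  server {
      server_name cloud.MYSITE.dk;

      # Security-related response headers.
      # nginx inherits add_header from this level only into blocks that define
      # no add_header of their own, so a location that sets any header has to
      # repeat the whole set (see the css/js location below).
      # "always" attaches the headers to error responses as well.
      add_header X-Content-Type-Options nosniff always;
      # X-XSS-Protection is a legacy header that current browsers ignore.
      # NOTE(review): confirm it is still wanted.
      add_header X-XSS-Protection "1; mode=block" always;
      add_header X-Robots-Tag none always;
      add_header X-Download-Options noopen always;
      add_header X-Permitted-Cross-Domain-Policies none always;
      add_header Referrer-Policy no-referrer always;

      # I found this header is needed on Ubuntu, but not on Arch Linux.
      add_header X-Frame-Options "SAMEORIGIN" always;

      # Path to the root of your installation
      root /var/www/nextcloud/;

      access_log /var/log/nginx/nextcloud.access;
      error_log /var/log/nginx/nextcloud.error;

      location = /robots.txt {
          allow all;
          log_not_found off;
          access_log off;
      }

      # The following rules are only needed for the user_webfinger app.
      # They are active here; comment them out if the app is not in use.
      # Each pattern is anchored at both ends and the dot is escaped: an
      # unanchored "host-meta" rule also matches "host-meta.json", which made
      # the second rule unreachable.
      rewrite ^/\.well-known/host-meta$ /public.php?service=host-meta last;
      rewrite ^/\.well-known/host-meta\.json$ /public.php?service=host-meta-json last;
      rewrite ^/\.well-known/webfinger$ /public.php?service=webfinger last;

      location /.well-known {
          location = /.well-known/carddav { return 301 /remote.php/dav/; }
          location = /.well-known/caldav  { return 301 /remote.php/dav/; }

          # according to the documentation these two lines are not necessary,
          # but version 21.0.0 will produce warnings in the overview setup check
          # NOTE(review): server-level rewrites run before location matching, so
          # the webfinger redirect below is not reached while the webfinger
          # rewrite above is active. Keep only one of the two.
          location = /.well-known/webfinger { return 301 /index.php$uri; }
          location = /.well-known/nodeinfo  { return 301 /index.php$uri; }

          # anything else is dynamically handled by Nextcloud
          location ^~ /.well-known { return 301 /index.php$uri; }

          try_files $uri $uri/ =404;
      }

      # ACME HTTP-01 challenge files.
      # The pattern is anchored to the start of the URI. Regex locations are
      # tried in file order and this is the first one, so an unanchored pattern
      # would also match paths under the directories denied further down.
      location ~ ^/\.well-known/acme-challenge {
          allow all;
      }

      # set max upload size
      client_max_body_size 512M;
      fastcgi_buffers 64 4K;

      # Disable gzip to avoid the removal of the ETag header
      gzip off;

      # Uncomment if your server is built with the ngx_pagespeed module
      # This module is currently not supported.
      #pagespeed off;

      error_page 403 /core/templates/403.php;
      error_page 404 /core/templates/404.php;

      # Everything not matched by a more specific location goes to the
      # front controller.
      location / {
          rewrite ^ /index.php;
      }

      # Internal directories and tooling must never be served directly.
      location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
          deny all;
      }
      location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
          deny all;
      }

      # Only this fixed list of PHP entry points is handed to PHP-FPM.
      location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
          include fastcgi_params;
          fastcgi_split_path_info ^(.+\.php)(/.*)$;
          # Refuse requests whose script file does not exist on disk.
          try_files $fastcgi_script_name =404;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param PATH_INFO $fastcgi_path_info;
          # Avoid sending the security headers twice
          fastcgi_param modHeadersAvailable true;
          fastcgi_param front_controller_active true;
          # NOTE(review): PHP 7.4 is end-of-life upstream; confirm the socket
          # points at a supported PHP-FPM version.
          fastcgi_pass unix:/run/php/php7.4-fpm.sock;
          fastcgi_intercept_errors on;
          fastcgi_request_buffering off;
      }

      location ~ ^/(?:updater|ocs-provider)(?:$|/) {
          try_files $uri/ =404;
          index index.php;
      }

      # Adding the cache control header for js and css files
      # Make sure it is BELOW the PHP block
      location ~* \.(?:css|js)$ {
          try_files $uri /index.php$uri$is_args$args;
          add_header Cache-Control "public, max-age=7200";
          # This block defines its own add_header, so nothing is inherited from
          # the server level; every security header is repeated here,
          # including X-Frame-Options and Strict-Transport-Security.
          add_header X-Content-Type-Options nosniff always;
          add_header X-XSS-Protection "1; mode=block" always;
          add_header X-Robots-Tag none always;
          add_header X-Download-Options noopen always;
          add_header X-Permitted-Cross-Domain-Policies none always;
          add_header Referrer-Policy no-referrer always;
          add_header X-Frame-Options "SAMEORIGIN" always;
          add_header Strict-Transport-Security "max-age=31536000" always;
          # Optional: Don't log access to assets
          access_log off;
      }

      location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
          try_files $uri /index.php$uri$is_args$args;
          # Optional: Don't log access to other assets
          access_log off;
      }

      # NOTE(review): http2 is enabled only on the IPv6 listener; confirm that
      # is intended.
      listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
      listen 443 ssl; # managed by Certbot
      ssl_certificate /etc/letsencrypt/live/cloud.MYSITE.dk/fullchain.pem; # managed by Certbot
      ssl_certificate_key /etc/letsencrypt/live/cloud.MYSITE.dk/privkey.pem; # managed by Certbot
      include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
      ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

      # HSTS: browsers that have seen this header use HTTPS only for this host
      # for one year.
      add_header Strict-Transport-Security "max-age=31536000" always;

      ssl_trusted_certificate /etc/letsencrypt/live/cloud.MYSITE.dk/chain.pem; # managed by Certbot
      ssl_stapling on; # managed by Certbot
      ssl_stapling_verify on; # managed by Certbot

  }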
  # Plain-HTTP virtual host: redirects the configured name to HTTPS and
  # answers everything else with 404.
  server {
      listen 80;
      listen [::]:80;
      server_name cloud.MYSITE.dk;

      # $host comes from the request, but the redirect is issued only when it
      # equals the configured name, so the Location header always points at
      # this site.
      if ($host = cloud.MYSITE.dk) {
          return 301 https://$host$request_uri;
      } # managed by Certbot

      # Any other Host value that reaches this block gets no redirect.
      return 404; # managed by Certbot
  }