poopsies

1. upstream php-handler {
2. server 127.0.0.1:9000;
3. # server unix:/var/run/php/php7.0-fpm.sock;
4. }
5.  
6. server {
7. listen 80;
8. server_name _;
9. # enforce https
10. return 301 https://$server_name$request_uri;
11. }
12.  
13. server {
14. listen 443 ssl;
15. server_name _;
16.  
17. ssl_certificate /config/keys/cert.crt;
18. ssl_certificate_key /config/keys/cert.key;
19.  
20. # Add headers to serve security related headers
21. add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
22. add_header X-Content-Type-Options nosniff;
23. add_header X-Frame-Options "SAMEORIGIN";
24. add_header X-XSS-Protection "1; mode=block";
25. add_header X-Robots-Tag none;
26. add_header X-Download-Options noopen;
27. add_header X-Permitted-Cross-Domain-Policies none;
28. add_header Referrer-Policy no-referrer always;
29.  
30. # Path to the root of your installation
31. root /config/www/nextcloud/;
32. # set max upload size
33. client_max_body_size 10G;
34. fastcgi_buffers 64 4K;
35.  
36. # Disable gzip to avoid the removal of the ETag header
37. gzip off;
38.  
39. # Uncomment if your server is build with the ngx_pagespeed module
40. # This module is currently not supported.
41. #pagespeed off;
42.  
43. index index.php;
44. error_page 403 /core/templates/403.php;
45. error_page 404 /core/templates/404.php;
46.  
47. rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
48. rewrite ^/.well-known/caldav /remote.php/dav/ permanent;
49.  
50. # The following 2 rules are only needed for the user_webfinger app.
51. # Uncomment it if you're planning to use this app.
52. #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
53. #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
54.  
55. location = /robots.txt {
56. allow all;
57. log_not_found off;
58. access_log off;
59. }
60.  
61. location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
62. deny all;
63. }
64.  
65. location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
66. deny all;
67. }
68.  
69. location / {
70.  
71. rewrite ^/remote/(.*) /remote.php last;
72.  
73. rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
74.  
75. try_files $uri $uri/ =404;
76. }
77.  
78. location ~ \.php(?:$|/) {
79. fastcgi_split_path_info ^(.+\.php)(/.+)$;
80. include /etc/nginx/fastcgi_params;
81. fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
82. fastcgi_param PATH_INFO $fastcgi_path_info;
83. fastcgi_param HTTPS on;
84. fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
85. fastcgi_pass php-handler;
86. fastcgi_intercept_errors on;
87. }
88.  
89. # Adding the cache control header for js and css files
90. # Make sure it is BELOW the location ~ \.php(?:$|/) { block
91. location ~* \.(?:css|js)$ {
92. add_header Cache-Control "public, max-age=7200";
93. # Add headers to serve security related headers
94. add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
95. add_header X-Content-Type-Options nosniff;
96. add_header X-Frame-Options "SAMEORIGIN";
97. add_header X-XSS-Protection "1; mode=block";
98. add_header X-Robots-Tag none;
99. add_header X-Download-Options noopen;
100. add_header X-Permitted-Cross-Domain-Policies none;
101. add_header Referrer-Policy no-referrer always;
102. # Optional: Don't log access to assets
103. access_log off;
104. }
105.  
106. # Optional: Don't log access to other assets
107. location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
108. access_log off;
109. }
110. }