# The following 2 rules are only needed for the user_webfinger app. # U

1. # The following 2 rules are only needed for the user_webfinger app.
2. # Uncomment it if you're planning to use this app.
3. # rewrite ^/.well-known/host-meta /nextcloud/public.php?service=host-meta
4. # last;
5. #rewrite ^/.well-known/host-meta.json
6. # /nextcloud/public.php?service=host-meta-json last;
7.  
8. location = /.well-known/carddav {
9. return 301 $scheme://$host/nextcloud/remote.php/dav;
10. }
11. location = /.well-known/caldav {
12. return 301 $scheme://$host/nextcloud/remote.php/dav;
13. }
14.  
15. location /.well-known/acme-challenge { }
16.  
17. location ^~ /nextcloud {
18.  
19. # set max upload size
20. client_max_body_size 512M;
21. fastcgi_buffers 64 4K;
22.  
23. # Enable gzip but do not remove ETag headers
24. gzip on;
25. gzip_vary on;
26. gzip_comp_level 4;
27. gzip_min_length 256;
28. gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
29. gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
30.  
31. # Uncomment if your server is build with the ngx_pagespeed module
32. # This module is currently not supported.
33. #pagespeed off;
34.  
35. location /nextcloud {
36. rewrite ^ /nextcloud/index.php$request_uri;
37. }
38.  
39. location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
40. deny all;
41. }
42. location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
43. deny all;
44. }
45.  
46. location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
47. fastcgi_split_path_info ^(.+?\.php)(/.*)$;
48. include fastcgi_params;
49. fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
50. fastcgi_param PATH_INFO $fastcgi_path_info;
51. fastcgi_param HTTPS on;
52. #Avoid sending the security headers twice
53. fastcgi_param modHeadersAvailable true;
54. fastcgi_param front_controller_active true;
55. fastcgi_pass php-handler;
56. fastcgi_intercept_errors on;
57. fastcgi_request_buffering off;
58. }
59.  
60. location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) {
61. try_files $uri/ =404;
62. index index.php;
63. }
64.  
65. # Adding the cache control header for js and css files
66. # Make sure it is BELOW the PHP block
67. location ~ \.(?:css|js|woff|svg|gif)$ {
68. try_files $uri /nextcloud/index.php$request_uri;
69. add_header Cache-Control "public, max-age=15778463";
70. # Add headers to serve security related headers (It is intended
71. # to have those duplicated to the ones above)
72. # Before enabling Strict-Transport-Security headers please read
73. # into this topic first.
74. # add_header Strict-Transport-Security "max-age=15768000;
75. # includeSubDomains; preload;";
76. add_header X-Content-Type-Options nosniff;
77. add_header X-XSS-Protection "1; mode=block";
78. add_header X-Robots-Tag none;
79. add_header X-Download-Options noopen;
80. add_header X-Permitted-Cross-Domain-Policies none;
81. # Optional: Don't log access to assets
82. access_log off;
83. }
84.  
85. location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
86. try_files $uri /nextcloud/index.php$request_uri;
87. # Optional: Don't log access to other assets
88. access_log off;
89. }
90. }