Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #user http;
- worker_processes 1;
- #error_log logs/error.log;
- #error_log logs/error.log notice;
- #error_log logs/error.log info;
- #pid logs/nginx.pid;
- events {
- worker_connections 1024;
- }
- http {
- include mime.types;
- default_type application/octet-stream;
- #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- # '$status $body_bytes_sent "$http_referer" '
- # '"$http_user_agent" "$http_x_forwarded_for"';
- #access_log logs/access.log main;
- sendfile on;
- #tcp_nopush on;
- #keepalive_timeout 0;
- keepalive_timeout 65;
- #gzip on;
- server {
- server_name backend.atavismxi.com;
- #charset koi8-r;
- #access_log logs/host.access.log main;
- location / {
- proxy_pass http://localhost:7890/;
- }
- #error_page 404 /404.html;
- # redirect server error pages to the static page /50x.html
- #
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- # proxy the PHP scripts to Apache listening on 127.0.0.1:80
- #
- #location ~ \.php$ {
- # proxy_pass http://127.0.0.1;
- #}
- # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
- #
- #location ~ \.php$ {
- # root html;
- # fastcgi_pass 127.0.0.1:9000;
- # fastcgi_index index.php;
- # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
- # include fastcgi_params;
- #}
- # deny access to .htaccess files, if Apache's document root
- # concurs with nginx's one
- #
- #location ~ /\.ht {
- # deny all;
- #}
- listen 443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/backend.atavismxi.com/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/backend.atavismxi.com/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
- }
- # upstream php-handler {
- # server 127.0.0.1:9000;
- # server unix:/var/run/php/php7.4-fpm.sock;
- # }
- # Set the `immutable` cache control options only for assets with a cache busting `v` argument
- map $arg_v $asset_immutable {
- "" "";
- default "immutable";
- }
- server {
- listen 80;
- listen [::]:80;
- server_name cloud.atavismxi.com;
- # Enforce HTTPS
- return 301 https://$server_name$request_uri;
- }
- server {
- listen [::]:443 ssl; # managed by Certbot
- listen 443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/cloud.atavismxi.com/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/cloud.atavismxi.com/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
- # Path to the root of your installation
- root /usr/share/webapps/nextcloud/;
- server_name cloud.atavismxi.com;
- # HSTS settings
- # WARNING: Only add the preload option once you read about
- # the consequences in https://hstspreload.org/. This option
- # will add the domain to a hardcoded list that is shipped
- # in all major browsers and getting removed from this list
- # could take several months.
- #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
- # set max upload size and increase upload timeout:
- client_max_body_size 0;
- client_body_timeout 300s;
- fastcgi_buffers 64 4K;
- proxy_buffering off;
- proxy_request_buffering off;
- proxy_read_timeout 30m;
- fastcgi_read_timeout 30m;
- proxy_max_temp_file_size 0;
- # Enable gzip but do not remove ETag headers
- gzip on;
- gzip_vary on;
- gzip_comp_level 4;
- gzip_min_length 256;
- gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
- gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
- # Pagespeed is not supported by Nextcloud, so if your server is built
- # with the `ngx_pagespeed` module, uncomment this line to disable it.
- #pagespeed off;
- # HTTP response headers borrowed from Nextcloud `.htaccess`
- add_header Referrer-Policy "no-referrer" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Robots-Tag "none" always;
- add_header X-XSS-Protection "1; mode=block" always;
- # Remove X-Powered-By, which is an information leak
- fastcgi_hide_header X-Powered-By;
- # Specify how to handle directories -- specifying `/index.php$request_uri`
- # here as the fallback means that Nginx always exhibits the desired behaviour
- # when a client requests a path that corresponds to a directory that exists
- # on the server. In particular, if that directory contains an index.php file,
- # that file is correctly served; if it doesn't, then the request is passed to
- # the front-end controller. This consistent behaviour means that we don't need
- # to specify custom rules for certain paths (e.g. images and other assets,
- # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
- # `try_files $uri $uri/ /index.php$request_uri`
- # always provides the desired behaviour.
- index index.php index.html /index.php$request_uri;
- # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
- location = / {
- if ( $http_user_agent ~ ^DavClnt ) {
- return 302 /remote.php/webdav/$is_args$args;
- }
- }
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
- # Make a regex exception for `/.well-known` so that clients can still
- # access it despite the existence of the regex rule
- # `location ~ /(\.|autotest|...)` which would otherwise handle requests
- # for `/.well-known`.
- location ^~ /.well-known {
- # The rules in this block are an adaptation of the rules
- # in `.htaccess` that concern `/.well-known`.
- location = /.well-known/carddav { return 301 /remote.php/dav/; }
- location = /.well-known/caldav { return 301 /remote.php/dav/; }
- location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
- location /.well-known/pki-validation { try_files $uri $uri/ =404; }
- # Let Nextcloud's API for `/.well-known` URIs handle all other
- # requests by passing them to the front-end controller.
- return 301 /index.php$request_uri;
- }
- # Rules borrowed from `.htaccess` to hide certain paths from clients
- location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
- location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
- # Ensure this block, which passes PHP files to the PHP process, is above the blocks
- # which handle static assets (as seen below). If this block is not declared first,
- # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
- # to the URI, resulting in a HTTP 500 error response.
- location ~ \.php(?:$|/) {
- include uwsgi_params;
- uwsgi_modifier1 14;
- # Avoid duplicate headers confusing OC checks
- uwsgi_hide_header X-Frame-Options;
- uwsgi_hide_header X-XSS-Protection;
- uwsgi_hide_header X-Content-Type-Options;
- uwsgi_hide_header X-Robots-Tag;
- uwsgi_hide_header X-Download-Options;
- uwsgi_hide_header X-Permitted-Cross-Domain-Policies;
- uwsgi_pass unix:/run/uwsgi/nextcloud.sock;
- }
- location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
- try_files $uri /index.php$request_uri;
- add_header Cache-Control "public, max-age=15778463, $asset_immutable";
- access_log off; # Optional: Don't log access to assets
- location ~ \.wasm$ {
- default_type application/wasm;
- }
- }
- location ~ \.woff2?$ {
- try_files $uri /index.php$request_uri;
- expires 7d; # Cache-Control policy borrowed from `.htaccess`
- access_log off; # Optional: Don't log access to assets
- }
- # Rule borrowed from `.htaccess`
- location /remote {
- return 301 /remote.php$request_uri;
- }
- location / {
- try_files $uri $uri/ /index.php$request_uri;
- }
- }
- # another virtual host using mix of IP-, name-, and port-based configuration
- #
- #server {
- # listen 8000;
- # listen somename:8080;
- # server_name somename alias another.alias;
- # location / {
- # root html;
- # index index.html index.htm;
- # }
- #}
- # HTTPS server
- #
- #server {
- # listen 443 ssl;
- # server_name localhost;
- # ssl_certificate cert.pem;
- # ssl_certificate_key cert.key;
- # ssl_session_cache shared:SSL:1m;
- # ssl_session_timeout 5m;
- # ssl_ciphers HIGH:!aNULL:!MD5;
- # ssl_prefer_server_ciphers on;
- # location / {
- # root html;
- # index index.html index.htm;
- # }
- #}
- server {
- if ($host = backend.atavismxi.com) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
- listen 80;
- server_name backend.atavismxi.com;
- return 404; # managed by Certbot
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement