
Untitled

a guest
Apr 9th, 2021
# Plain-HTTP catch-all: default_server on port 80 for IPv4 and IPv6, so this
# block answers any request that no other port-80 server block claims.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # Permanent redirect of every request to HTTPS; path and query string are kept.
    # NOTE(review): $host is taken from the request (request line or Host header)
    # when one is supplied, so the redirect target is client-controlled here.
    # Confirm that is acceptable, or pin the canonical name if the site has one.
    return 301 https://$host$request_uri;

}
  7.  
  8. server {
  9.     listen 443 ssl http2;
  10.     listen [::]:443 ssl http2;
  11.     server_name 10.0.0.78;
  12.  
  13.     ssl_certificate /etc/ssl/certs/nextcloud.crt;
  14.     ssl_certificate_key /etc/ssl/private/nextcloud.key;
  15.        
  16.     ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
  17.  
  18.     # Add headers to serve security related headers
  19.     add_header X-Content-Type-Options nosniff;
  20.     add_header X-XSS-Protection "1; mode=block";
  21.     add_header X-Robots-Tag none;
  22.     add_header X-Download-Options noopen;
  23.     add_header X-Permitted-Cross-Domain-Policies none;
  24.     add_header Referrer-Policy no-referrer;
  25.     add_header Strict-Transport-Security "max-age=31536000" always;
  26.  
  27.     #I found this header is needed on Ubuntu, but not on Arch Linux.
  28.     add_header X-Frame-Options "SAMEORIGIN";
  29.  
  30.     # Path to the root of your installation
  31.     root /usr/share/nginx/nextcloud/;
  32.  
  33.     access_log /var/log/nginx/nextcloud.access;
  34.     error_log /var/log/nginx/nextcloud.error;
  35.  
  36.     location = /robots.txt {
  37.         allow all;
  38.         log_not_found off;
  39.         access_log off;
  40.     }
  41.  
  42.     # The following 2 rules are only needed for the user_webfinger app.
  43.     # Uncomment it if you're planning to use this app.
  44.     #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
  45.     #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
  46.     # last;
  47.  
  48. #    location = /.well-known/carddav {
  49. #        return 301 $scheme://$host/remote.php/dav;
  50. #    }
  51. #    location = /.well-known/caldav {
  52. #       return 301 $scheme://$host/remote.php/dav;
  53. #    }
  54. #
  55. #    location ~ /.well-known/acme-challenge {
  56. #      allow all;
  57. #    }
  58. #
  59. #    location ^~ /.well-known {
  60. #        return 301 /index.php$uri;
  61. #    }
  62.  
  63.     # set max upload size
  64.     client_max_body_size 1024M;
  65.     fastcgi_buffers 64 4K;
  66.  
  67.     # Disable gzip to avoid the removal of the ETag header
  68.     gzip off;
  69.  
  70.     # Uncomment if your server is build with the ngx_pagespeed module
  71.     # This module is currently not supported.
  72.     #pagespeed off;
  73.  
  74.     error_page 403 /core/templates/403.php;
  75.     error_page 404 /core/templates/404.php;
  76.  
  77.     location / {
  78.        rewrite ^ /index.php;
  79.     }
  80.  
  81.     location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
  82.        deny all;
  83.     }
  84.     location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
  85.        deny all;
  86.      }
  87.  
  88.     location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
  89.        include fastcgi_params;
  90.        fastcgi_split_path_info ^(.+\.php)(/.*)$;
  91.        try_files $fastcgi_script_name =404;
  92.        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  93.        fastcgi_param PATH_INFO $fastcgi_path_info;
  94.        #Avoid sending the security headers twice
  95.        fastcgi_param modHeadersAvailable true;
  96.        fastcgi_param front_controller_active true;
  97.        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
  98.        fastcgi_intercept_errors on;
  99.        fastcgi_request_buffering off;
  100.     }
  101.  
  102.     location ~ ^/(?:updater|ocs-provider)(?:$|/) {
  103.        try_files $uri/ =404;
  104.        index index.php;
  105.     }
  106.  
  107.     # Adding the cache control header for js and css files
  108.     # Make sure it is BELOW the PHP block
  109.     location ~* \.(?:css|js)$ {
  110.         try_files $uri /index.php$uri$is_args$args;
  111.         add_header Cache-Control "public, max-age=7200";
  112.         # Add headers to serve security related headers (It is intended to
  113.         # have those duplicated to the ones above)
  114.         add_header X-Content-Type-Options nosniff;
  115.         add_header X-XSS-Protection "1; mode=block";
  116.         add_header X-Robots-Tag none;
  117.         add_header X-Download-Options noopen;
  118.         add_header X-Permitted-Cross-Domain-Policies none;
  119.         add_header Referrer-Policy no-referrer;
  120.         # Optional: Don't log access to assets
  121.         access_log off;
  122.    }
  123.  
  124.    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
  125.         try_files $uri /index.php$uri$is_args$args;
  126.         # Optional: Don't log access to other assets
  127.         access_log off;
  128.    }
  129.  
  130.    location ^~ /.well-known {
  131.         location = /.well-known/carddav     { return 301 /remote.php/dav/; }
  132.         location = /.well-known/caldav      { return 301 /remote.php/dav/; }
  133.         # Anything else is dynamically handled by Nextcloud
  134.         location ^~ /.well-known            { return 301 /index.php$uri; }
  135.         try_files $uri $uri/ =404;
  136.     }
  137. #   location ^~ /.well-known {
  138. #        return 301 /index.php$uri;
  139. #    }
  140.  
  141. location ^~ /.well-known/webfinger {
  142.         return 301 $scheme://$host/index.php/webfinger;
  143.     }
  144.    
  145. location ^~ /.well-known/nodeinfo {
  146.         return 301 $scheme://$host/index.php/nodeinfo;
  147.     }
  148.  
  149. }