Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- server {
- include mime.types;
- default_type application/octet-stream;
- listen 443 ssl default_server;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- # ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
- ssl_prefer_server_ciphers on;
- ssl_dhparam /etc/ssl/dhparams.pem;
- server_name XXX.XXX.XXX.XXX;
- ssl_trusted_certificate /etc/letsencrypt/live/XXX.XXX.XXX.XXX/chain.pem;
- # ssl_certificate /etc/ssl/sfcacert.pem;
- # path to your cacert.pem
- ssl_certificate /etc/letsencrypt/live/XXX.XXX.XXX.XXX/fullchain.pem;
- # path to your cacert.pem
- ssl_certificate_key /etc/letsencrypt/live/XXX.XXX.XXX.XXX/privkey.pem;
- # ssl_certificate_key /etc/ssl/sfprivkey.pem;
- # path to your privkey.pem
- # Add headers to serve security related headers
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- add_header X-Content-Type-Options nosniff;
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- # Path to the root of your installation
- # root /opt/owncloud;
- root /usr/share/webapps/owncloud/;
- # set max upload size
- client_max_body_size 4G;
- fastcgi_buffers 64 4K;
- # Disable gzip to avoid the removal of the ETag header
- gzip off;
- # Uncomment if your server is build with the ngx_pagespeed module
- # This module is currently not supported.
- #pagespeed off;
- rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
- rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
- rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
- index index.php;
- error_page 403 /core/templates/403.php;
- error_page 404 /core/templates/404.php;
- error_log /var/log/nginx/owncloud.error.log info;
- access_log /var/log/nginx/owncloud.access.log;
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
- location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README) {
- deny all;
- }
- location / {
- # The following 2 rules are only needed with webfinger
- # rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
- # rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
- # rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
- # rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
- # rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
- # try_files $uri $uri/ /index.php;
- rewrite ^/remote/(.*) /remote.php last;
- rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
- try_files $uri $uri/ =404;
- }
- location ~ \.php(?:$|/) {
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param HTTPS on;
- fastcgi_param modHeadersAvailable true;
- #Avoid sending the security headers twice
- # Unix domain sockets are faster than TCP sockets
- fastcgi_read_timeout 240s;
- fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
- fastcgi_intercept_errors on;
- }
- # Optional: set long EXPIRES header on static assets
- location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
- expires 30d;
- # Optional: Don't log access to assets
- access_log off;
- }
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
