mailcow/src/mailcow-dockerized/data/assets/nextcloud/nextcloud.conf - kubeia - Gitiles

 map $http_x_forwarded_proto $client_req_scheme_nc {
      default $scheme;
      https https;
 }

 server {
   include /etc/nginx/conf.d/listen_ssl.active;
   include /etc/nginx/conf.d/listen_plain.active;
   include /etc/nginx/mime.types;
   charset utf-8;
   override_charset on;

   ssl_certificate /etc/ssl/mail/cert.pem;
   ssl_certificate_key /etc/ssl/mail/key.pem;
   ssl_protocols TLSv1.2 TLSv1.3;
   ssl_prefer_server_ciphers on;
   ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
   ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
   ssl_session_cache shared:SSL:50m;
   ssl_session_timeout 1d;
   ssl_session_tickets off;
   add_header Referrer-Policy "no-referrer" always;
   add_header X-Content-Type-Options "nosniff" always;
   add_header X-Download-Options "noopen" always;
   add_header X-Frame-Options "SAMEORIGIN" always;
   add_header X-Permitted-Cross-Domain-Policies "none" always;
   add_header X-Robots-Tag "none" always;
   add_header X-XSS-Protection "1; mode=block" always;

   fastcgi_hide_header X-Powered-By;

   server_name NC_SUBD;

   root /web/nextcloud/;

   location = /robots.txt {
     allow all;
     log_not_found off;
     access_log off;
   }

   location = /.well-known/carddav {
     return 301 $client_req_scheme_nc://$host/remote.php/dav;
   }

   location = /.well-known/caldav {
     return 301 $client_req_scheme_nc://$host/remote.php/dav;
   }

   location = /.well-known/webfinger {
     return 301 $client_req_scheme_nc://$host/index.php/.well-known/webfinger;
   }

   location = /.well-known/nodeinfo {
     return 301 $client_req_scheme_nc://$host/index.php/.well-known/nodeinfo;
   }

   location ^~ /.well-known/acme-challenge/ {
     default_type "text/plain";
     root /web;
   }

   fastcgi_buffers 64 4K;

   gzip on;
   gzip_vary on;
   gzip_comp_level 4;
   gzip_min_length 256;
   gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
   gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
   set_real_ip_from fc00::/7;
   set_real_ip_from 10.0.0.0/8;
   set_real_ip_from 172.16.0.0/12;
   set_real_ip_from 192.168.0.0/16;
   real_ip_header X-Forwarded-For;
   real_ip_recursive on;

   location / {
     rewrite ^ /index.php$uri;
   }

   location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
     deny all;
   }
   location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
     deny all;
   }

   location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
     fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
     set $path_info $fastcgi_path_info;
     try_files $fastcgi_script_name =404;
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     fastcgi_param PATH_INFO $path_info;
     fastcgi_param HTTPS on;
     # Avoid sending the security headers twice
     fastcgi_param modHeadersAvailable true;
     # Enable pretty urls
     fastcgi_param front_controller_active true;
     fastcgi_pass phpfpm:9002;
     fastcgi_intercept_errors on;
     fastcgi_request_buffering off;
     client_max_body_size 0;
     fastcgi_read_timeout 1200;
   }

   location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
     try_files $uri/ =404;
     index index.php;
   }

   location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
     try_files $uri /index.php$request_uri;
     add_header Cache-Control "public, max-age=15778463";
     add_header Referrer-Policy "no-referrer" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-Download-Options "noopen" always;
     add_header X-Frame-Options "SAMEORIGIN" always;
     add_header X-Permitted-Cross-Domain-Policies "none" always;
     add_header X-Robots-Tag "none" always;
     add_header X-XSS-Protection "1; mode=block" always;
     access_log off;
   }

   location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
     try_files $uri /index.php$request_uri;
     access_log off;
   }
 }
	map $http_x_forwarded_proto $client_req_scheme_nc {
	default $scheme;
	https https;
	}

	server {
	include /etc/nginx/conf.d/listen_ssl.active;
	include /etc/nginx/conf.d/listen_plain.active;
	include /etc/nginx/mime.types;
	charset utf-8;
	override_charset on;

	ssl_certificate /etc/ssl/mail/cert.pem;
	ssl_certificate_key /etc/ssl/mail/key.pem;
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_prefer_server_ciphers on;
	ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
	ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 1d;
	ssl_session_tickets off;
	add_header Referrer-Policy "no-referrer" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-Download-Options "noopen" always;
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-Permitted-Cross-Domain-Policies "none" always;
	add_header X-Robots-Tag "none" always;
	add_header X-XSS-Protection "1; mode=block" always;

	fastcgi_hide_header X-Powered-By;

	server_name NC_SUBD;

	root /web/nextcloud/;

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}

	location = /.well-known/carddav {
	return 301 $client_req_scheme_nc://$host/remote.php/dav;
	}

	location = /.well-known/caldav {
	return 301 $client_req_scheme_nc://$host/remote.php/dav;
	}

	location = /.well-known/webfinger {
	return 301 $client_req_scheme_nc://$host/index.php/.well-known/webfinger;
	}

	location = /.well-known/nodeinfo {
	return 301 $client_req_scheme_nc://$host/index.php/.well-known/nodeinfo;
	}

	location ^~ /.well-known/acme-challenge/ {
	default_type "text/plain";
	root /web;
	}

	fastcgi_buffers 64 4K;

	gzip on;
	gzip_vary on;
	gzip_comp_level 4;
	gzip_min_length 256;
	gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
	gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
	set_real_ip_from fc00::/7;
	set_real_ip_from 10.0.0.0/8;
	set_real_ip_from 172.16.0.0/12;
	set_real_ip_from 192.168.0.0/16;
	real_ip_header X-Forwarded-For;
	real_ip_recursive on;

	location / {
	rewrite ^ /index.php$uri;
	}

	location ~ ^\/(?:build\|tests\|config\|lib\|3rdparty\|templates\|data)\/ {
	deny all;
	}
	location ~ ^\/(?:\.\|autotest\|occ\|issue\|indie\|db_\|console) {
	deny all;
	}

	location ~ ^\/(?:index\|remote\|public\|cron\|core\/ajax\/update\|status\|ocs\/v[12]\|updater\/.+\|oc[ms]-provider\/.+)\.php(?:$\|\/) {
	fastcgi_split_path_info ^(.+?\.php)(\/.*\|)$;
	set $path_info $fastcgi_path_info;
	try_files $fastcgi_script_name =404;
	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param PATH_INFO $path_info;
	fastcgi_param HTTPS on;
	# Avoid sending the security headers twice
	fastcgi_param modHeadersAvailable true;
	# Enable pretty urls
	fastcgi_param front_controller_active true;
	fastcgi_pass phpfpm:9002;
	fastcgi_intercept_errors on;
	fastcgi_request_buffering off;
	client_max_body_size 0;
	fastcgi_read_timeout 1200;
	}

	location ~ ^\/(?:updater\|oc[ms]-provider)(?:$\|\/) {
	try_files $uri/ =404;
	index index.php;
	}

	location ~ \.(?:css\|js\|woff2?\|svg\|gif\|map)$ {
	try_files $uri /index.php$request_uri;
	add_header Cache-Control "public, max-age=15778463";
	add_header Referrer-Policy "no-referrer" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-Download-Options "noopen" always;
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-Permitted-Cross-Domain-Policies "none" always;
	add_header X-Robots-Tag "none" always;
	add_header X-XSS-Protection "1; mode=block" always;
	access_log off;
	}

	location ~ \.(?:png\|html\|ttf\|ico\|jpg\|jpeg\|bcmap)$ {
	try_files $uri /index.php$request_uri;
	access_log off;
	}
	}