# Scheme to use when building absolute redirect targets for this vhost.
# Behind a TLS-terminating proxy nginx itself sees plain HTTP, so the proxy's
# X-Forwarded-Proto header is consulted. The header is client-supplied and is
# not restricted to trusted proxies here, but the only value honoured is
# "https"; any other value (or no header) falls back to the scheme nginx saw,
# so a spoofed header can at most turn an http:// redirect into https://.
map $http_x_forwarded_proto $client_req_scheme_nc {
    https   https;
    default $scheme;
}
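server {
    # Listeners are maintained in separately generated include files (one for
    # TLS, one for plain HTTP). Note that PHP is told HTTPS=on further below
    # regardless of which listener the request arrived on, so the plain
    # listener is only appropriate when TLS is terminated by a proxy in front
    # of this server.
    include /etc/nginx/conf.d/listen_ssl.active;
    include /etc/nginx/conf.d/listen_plain.active;
    include /etc/nginx/mime.types;
    charset utf-8;
    override_charset on;

    # TLS: TLS 1.2/1.3 only, AEAD ECDHE suites only (server order wins on
    # TLS 1.2), session resumption via the shared cache with tickets disabled.
    ssl_certificate /etc/ssl/mail/cert.pem;
    ssl_certificate_key /etc/ssl/mail/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # NOTE(review): secp256k1 is an unusual choice for TLS key exchange and may
    # have been intended as secp256r1 (prime256v1). X25519 and secp384r1 still
    # cover current clients, so confirm intent before changing the list.
    ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Security headers, sent with "always" so error responses carry them too.
    # add_header is NOT inherited into a location that declares its own
    # add_header, which is why the static-asset location below repeats the
    # whole set. No Strict-Transport-Security is emitted here; add it (or set
    # it on the fronting proxy) once every name on this certificate is
    # served over HTTPS only.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Do not advertise the PHP version to clients.
    fastcgi_hide_header X-Powered-By;

    # NC_SUBD is a template placeholder replaced with the Nextcloud hostname.
    server_name NC_SUBD;

    root /web/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Service-discovery redirects. The target is built from $host, i.e. the
    # client's Host header; that is only safe as long as requests carrying a
    # foreign Host header do not land in this server block (server_name above
    # plus a separate default server). The scheme comes from the map at the
    # top of the file so the redirect stays https:// behind a TLS proxy.
    location = /.well-known/carddav {
        return 301 $client_req_scheme_nc://$host/remote.php/dav;
    }

    location = /.well-known/caldav {
        return 301 $client_req_scheme_nc://$host/remote.php/dav;
    }

    # Webfinger is queried as /.well-known/webfinger?resource=acct:...; unlike
    # rewrite, `return` does not carry the request arguments over on its own,
    # so they are re-attached explicitly or the lookup arrives at Nextcloud
    # without its resource parameter. Same treatment for nodeinfo.
    location = /.well-known/webfinger {
        return 301 $client_req_scheme_nc://$host/index.php/.well-known/webfinger$is_args$args;
    }

    location = /.well-known/nodeinfo {
        return 301 $client_req_scheme_nc://$host/index.php/.well-known/nodeinfo$is_args$args;
    }

    # ACME HTTP-01 challenges are served from a directory outside the
    # Nextcloud tree; ^~ keeps the regex locations below from hijacking them.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /web;
    }

    fastcgi_buffers 64 4K;

    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Take the client address from X-Forwarded-For, but only when the
    # connecting peer is in a private (RFC 1918 / ULA) range, i.e. the proxy
    # in front of this container. Anything that can reach this server from
    # one of these ranges can spoof the address seen by logs, Nextcloud's
    # brute-force protection and any IP-based rules, so narrow the list to
    # the actual proxy network where possible.
    set_real_ip_from fc00::/7;
    set_real_ip_from 10.0.0.0/8;
    set_real_ip_from 172.16.0.0/12;
    set_real_ip_from 192.168.0.0/16;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    # Everything not matched by a more specific location goes through the
    # front controller (rewrite appends the original query string itself).
    location / {
        rewrite ^ /index.php$uri;
    }

    # Never serve application internals or user data directly. Regex
    # locations are tried in file order, so these must stay ahead of the
    # PHP and static-asset locations below.
    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    # Only the listed entry points are ever handed to PHP-FPM; anything else
    # ending in .php is served as a static file at most (and is denied above
    # for the sensitive trees).
    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        # try_files clears $fastcgi_path_info, so capture it before the check.
        set $path_info $fastcgi_path_info;
        # The script itself must exist on disk; no fall-through to index.php.
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        # Hard-coded: PHP always sees the request as HTTPS, independent of the
        # listener it arrived on (see the note on the listen includes).
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass phpfpm:9002;
        fastcgi_intercept_errors on;
        # Request bodies are streamed straight to PHP-FPM and nginx imposes no
        # size limit, so any upload cap must be enforced by PHP/Nextcloud.
        fastcgi_request_buffering off;
        client_max_body_size 0;
        fastcgi_read_timeout 1200;
    }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Long-cacheable assets. Because this location adds Cache-Control, the
    # server-level security headers would otherwise be dropped here, hence
    # the repetition.
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;
        access_log off;
    }

    # Other static files; no add_header here, so the server-level headers
    # are inherited as-is.
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
        try_files $uri /index.php$request_uri;
        access_log off;
    }
}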