From 381c65d5c2464b4ae48c7188b8d6ead08bb494f5 Mon Sep 17 00:00:00 2001
From: nd <git@notandy.de>
Date: Sat, 2 Sep 2023 01:14:40 +0200
Subject: [PATCH] update nginx config

---
 templates/nginx.j2 | 41 ++++++++++++++++++++++++++++++-----------
 1 file changed, 30 insertions(+), 11 deletions(-)

diff --git a/templates/nginx.j2 b/templates/nginx.j2
index 9d439eb..5159275 100644
--- a/templates/nginx.j2
+++ b/templates/nginx.j2
@@ -5,12 +5,14 @@ server {
 
         root /usr/share/nextcloud;
         client_max_body_size {{ nextcloud.upload_size_max }};
-        client_body_buffer_size 128k;
+	client_body_buffer_size 512k;
 	fastcgi_buffers 64 4K;
 
+	index index.php index.html /index.php$request_uri;
+
 	add_header X-Content-Type-Options nosniff;
 	add_header X-XSS-Protection "1; mode=block";
-	add_header X-Robots-Tag none;
+	add_header X-Robots-Tag "noindex, nofollow" always;
 	add_header X-Download-Options noopen;
 	add_header X-Permitted-Cross-Domain-Policies none;
 	add_header Referrer-Policy no-referrer;
@@ -28,18 +30,18 @@ server {
 		return 301 https://$host/index.php$uri;
 	}
 
-	location / {
-		rewrite ^ /index.php;
-	}
-
-	location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+	location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) {
 		deny all;
 	}
+
 	location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
 		deny all;
 	}
 
-	location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
+	location ~ \.php(?:$|/) {
+		# Required for legacy support
+		rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
 		fastcgi_split_path_info ^(.+?\.php)(/.*)$;
 		try_files $fastcgi_script_name =404;
 		include fastcgi_params;
@@ -54,24 +56,41 @@ server {
 		fastcgi_pass php-handler;
 		fastcgi_intercept_errors on;
 		fastcgi_request_buffering off;
+		fastcgi_max_temp_file_size 0;
 	}
 
 	location ~ ^/(?:updater|ocs-provider)(?:$|/) {
 		try_files $uri/ =404;
 		index index.php;
 	}
-	location ~ \.(?:css|js|woff|svg|gif)$ {
+	location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
 		try_files $uri /index.php$request_uri;
 		add_header Cache-Control "public, max-age=15778463";
 		add_header X-Content-Type-Options nosniff;
 		add_header X-XSS-Protection "1; mode=block";
-		add_header X-Robots-Tag none;
+		add_header X-Robots-Tag "noindex, nofollow" always;
 		add_header X-Download-Options noopen;
 		add_header X-Permitted-Cross-Domain-Policies none;
 		add_header Referrer-Policy no-referrer;
+
+		location ~ \.wasm$ {
+			default_type application/wasm;
+		}
 	}
-	location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+
+	location ~ \.woff2?$ {
 		try_files $uri /index.php$request_uri;
+		expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+		access_log off;     # Optional: Don't log access to assets
 	}
+
+	location /remote {
+		return 301 /remote.php$request_uri;
+	}
+
+	location / {
+		try_files $uri $uri/ /index.php$request_uri;
+	}
+
 }