server {
	{% for listen in nextcloud.listen %}
        listen {{ listen }};
	{% endfor %}

        root /var/www/nextcloud;
        client_max_body_size {{ nextcloud.upload_size_max }};
        client_body_buffer_size 128k;
	fastcgi_buffers 64 4K;

	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Robots-Tag none;
	add_header X-Download-Options noopen;
	add_header X-Permitted-Cross-Domain-Policies none;
	add_header Referrer-Policy no-referrer;

	location = /robots.txt {
		allow all;
	}
	location = /.well-known/carddav {
		return 301 https://$host/remote.php/dav;
	}
	location = /.well-known/caldav {
		return 301 https://$host/remote.php/dav;
	}
	location ^~ /.well-known {
		return 301 https://$host/index.php$uri;
	}

	location / {
		rewrite ^ /index.php;
	}

	location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
		deny all;
	}
	location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
		deny all;
	}

	location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
		fastcgi_split_path_info ^(.+?\.php)(/.*)$;
		try_files $fastcgi_script_name =404;
		include fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param PATH_INFO $fastcgi_path_info;
		fastcgi_param HTTPS on;
		fastcgi_param modHeadersAvailable true;
		fastcgi_param front_controller_active true;
		# needed to (optionally) support saml via a REMOTE-USER header
		fastcgi_param REMOTE-USER $http_REMOTE_USER;

		fastcgi_pass php-handler;
		fastcgi_intercept_errors on;
		fastcgi_request_buffering off;
	}

	location ~ ^/(?:updater|ocs-provider)(?:$|/) {
		try_files $uri/ =404;
		index index.php;
	}
	location ~ \.(?:css|js|woff|svg|gif)$ {
		try_files $uri /index.php$request_uri;
		add_header Cache-Control "public, max-age=15778463";
		add_header X-Content-Type-Options nosniff;
		add_header X-XSS-Protection "1; mode=block";
		add_header X-Robots-Tag none;
		add_header X-Download-Options noopen;
		add_header X-Permitted-Cross-Domain-Policies none;
		add_header Referrer-Policy no-referrer;
	}
	location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
		try_files $uri /index.php$request_uri;
	}
}