96 lines
2.7 KiB
Django/Jinja
96 lines
2.7 KiB
Django/Jinja
server {
|
|
{% for listen in nextcloud.listen %}
|
|
listen {{ listen }};
|
|
{% endfor %}
|
|
|
|
root /usr/share/nextcloud;
|
|
client_max_body_size {{ nextcloud.upload_size_max }};
|
|
client_body_buffer_size 512k;
|
|
fastcgi_buffers 64 4K;
|
|
|
|
index index.php index.html /index.php$request_uri;
|
|
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header X-Robots-Tag "noindex, nofollow" always;
|
|
add_header X-Download-Options noopen;
|
|
add_header X-Permitted-Cross-Domain-Policies none;
|
|
add_header Referrer-Policy no-referrer;
|
|
|
|
location = /robots.txt {
|
|
allow all;
|
|
}
|
|
location = /.well-known/carddav {
|
|
return 301 https://$host/remote.php/dav;
|
|
}
|
|
location = /.well-known/caldav {
|
|
return 301 https://$host/remote.php/dav;
|
|
}
|
|
location ^~ /.well-known {
|
|
return 301 https://$host/index.php$uri;
|
|
}
|
|
|
|
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) {
|
|
deny all;
|
|
}
|
|
|
|
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
|
|
deny all;
|
|
}
|
|
|
|
location ~ \.php(?:$|/) {
|
|
# Required for legacy support
|
|
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
|
|
|
|
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
|
try_files $fastcgi_script_name =404;
|
|
include fastcgi_params;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
fastcgi_param PATH_INFO $fastcgi_path_info;
|
|
fastcgi_param HTTPS on;
|
|
fastcgi_param modHeadersAvailable true;
|
|
fastcgi_param front_controller_active true;
|
|
# needed to (optionally) support saml via a REMOTE-USER header
|
|
fastcgi_param REMOTE-USER $http_REMOTE_USER;
|
|
|
|
fastcgi_pass php-handler;
|
|
fastcgi_intercept_errors on;
|
|
fastcgi_request_buffering off;
|
|
fastcgi_max_temp_file_size 0;
|
|
}
|
|
|
|
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
|
|
try_files $uri/ =404;
|
|
index index.php;
|
|
}
|
|
location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
|
|
try_files $uri /index.php$request_uri;
|
|
add_header Cache-Control "public, max-age=15778463";
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header X-Robots-Tag "noindex, nofollow" always;
|
|
add_header X-Download-Options noopen;
|
|
add_header X-Permitted-Cross-Domain-Policies none;
|
|
add_header Referrer-Policy no-referrer;
|
|
|
|
location ~ \.wasm$ {
|
|
default_type application/wasm;
|
|
}
|
|
}
|
|
|
|
location ~ \.woff2?$ {
|
|
try_files $uri /index.php$request_uri;
|
|
expires 7d; # Cache-Control policy borrowed from `.htaccess`
|
|
access_log off; # Optional: Don't log access to assets
|
|
}
|
|
|
|
location /remote {
|
|
return 301 /remote.php$request_uri;
|
|
}
|
|
|
|
location / {
|
|
try_files $uri $uri/ /index.php$request_uri;
|
|
}
|
|
|
|
}
|
|
|