self-hosting/nginx/sites-available/nextcloud.conf.template

server {
    # SSL Key locations
    ssl_certificate     /etc/letsencrypt/live/${NEXTCLOUD_DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${NEXTCLOUD_DOMAIN}/privkey.pem;

    listen ${HTTPS_PORT} ssl;
    # Not sure why http2 is here, but let's keep it just in case
    listen [::]:${HTTPS_PORT} ssl http2;
    server_name ${NEXTCLOUD_DOMAIN};

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Allow unlimited download size
    client_max_body_size 0;

    fastcgi_buffers 64 4K;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Recommended in Nextcloud overview
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://${NEXTCLOUD_HOST}:80/;

        proxy_pass_request_headers on;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # All recommended in security overview
        proxy_set_header Referrer-Policy                   "no-referrer" ;
        proxy_set_header X-Content-Type-Options            "nosniff" ;
        proxy_set_header X-Download-Options                "noopen" ;
        proxy_set_header X-Frame-Options                   "SAMEORIGIN" ;
        proxy_set_header X-Permitted-Cross-Domain-Policies "none" ;
        proxy_set_header X-Robots-Tag                      "none" ;
        proxy_set_header X-XSS-Protection                  "1; mode=block" ;
    }

    
    # Needed to make CalDAV and CardDAV work properly
    location /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }

    location /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
}
Nginx now uses template syntax for easier config 2021-01-09 15:15:22 +01:00			`server {`
Completely revamped nginx config 2021-04-23 16:26:32 +02:00			`# SSL Key locations`
			`ssl_certificate /etc/letsencrypt/live/${NEXTCLOUD_DOMAIN}/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/${NEXTCLOUD_DOMAIN}/privkey.pem;`

			`listen ${HTTPS_PORT} ssl;`
			`# Not sure why http2 is here, but let's keep it just in case`
			`listen [::]:${HTTPS_PORT} ssl http2;`
			`server_name ${NEXTCLOUD_DOMAIN};`
Nginx now uses template syntax for easier config 2021-01-09 15:15:22 +01:00
			`# Enable gzip but do not remove ETag headers`
			`gzip on;`
			`gzip_vary on;`
			`gzip_comp_level 4;`
			`gzip_min_length 256;`
			`gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;`
			`gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;`

			`# Allow unlimited download size`
			`client_max_body_size 0;`

			`fastcgi_buffers 64 4K;`

			`# Remove X-Powered-By, which is an information leak`
			`fastcgi_hide_header X-Powered-By;`

			`# Recommended in Nextcloud overview`
			`add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`

			`location / {`
Completely revamped nginx config 2021-04-23 16:26:32 +02:00			`proxy_pass http://${NEXTCLOUD_HOST}:80/;`
Nginx now uses template syntax for easier config 2021-01-09 15:15:22 +01:00
			`proxy_pass_request_headers on;`

			`proxy_set_header Host $host;`
			`proxy_set_header X-Forwarded-Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`

			`# All recommended in security overview`
			`proxy_set_header Referrer-Policy "no-referrer" ;`
			`proxy_set_header X-Content-Type-Options "nosniff" ;`
			`proxy_set_header X-Download-Options "noopen" ;`
			`proxy_set_header X-Frame-Options "SAMEORIGIN" ;`
			`proxy_set_header X-Permitted-Cross-Domain-Policies "none" ;`
			`proxy_set_header X-Robots-Tag "none" ;`
			`proxy_set_header X-XSS-Protection "1; mode=block" ;`
			`}`


			`# Needed to make CalDAV and CardDAV work properly`
			`location /.well-known/carddav {`
			`return 301 $scheme://$host/remote.php/dav;`
			`}`

			`location /.well-known/caldav {`
			`return 301 $scheme://$host/remote.php/dav;`
			`}`
			`}`