Nginx now uses template syntax for easier config

2021-01-09 15:15:22 +01:00 · 2021-01-09 15:15:22 +01:00 · 929d1e2cf4
commit 929d1e2cf4
parent 69fadcbbed
8 changed files with 114 additions and 47 deletions
--- a/nginx/sites-available/nextcloud.conf
+++ b/nginx/sites-available/nextcloud.conf
@ -0,0 +1,55 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl http2;
+    server_name DOMAIN;
+
+    # Enable gzip but do not remove ETag headers
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+    # Allow unlimited download size
+    client_max_body_size 0;
+
+    fastcgi_buffers 64 4K;
+
+    # Remove X-Powered-By, which is an information leak
+    fastcgi_hide_header X-Powered-By;
+
+    # Recommended in Nextcloud overview
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    location / {
+        proxy_pass http://nextcloud_app_1:80/;
+
+        proxy_pass_request_headers on;
+
+        proxy_set_header Host              $host;
+        proxy_set_header X-Forwarded-Host  $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # All recommended in security overview
+        proxy_set_header Referrer-Policy                   "no-referrer" ;
+        proxy_set_header X-Content-Type-Options            "nosniff" ;
+        proxy_set_header X-Download-Options                "noopen" ;
+        proxy_set_header X-Frame-Options                   "SAMEORIGIN" ;
+        proxy_set_header X-Permitted-Cross-Domain-Policies "none" ;
+        proxy_set_header X-Robots-Tag                      "none" ;
+        proxy_set_header X-XSS-Protection                  "1; mode=block" ;
+    }
+
+    
+    # Needed to make CalDAV and CardDAV work properly
+    location /.well-known/carddav {
+        return 301 $scheme://$host/remote.php/dav;
+    }
+
+    location /.well-known/caldav {
+        return 301 $scheme://$host/remote.php/dav;
+    }
+}