server { listen 443 ssl; listen [::]:443 ssl http2; server_name DOMAIN; # Enable gzip but do not remove ETag headers gzip on; gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # Allow unlimited download size client_max_body_size 0; fastcgi_buffers 64 4K; # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; # Recommended in Nextcloud overview add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; location / { proxy_pass http://nextcloud_app_1:80/; proxy_pass_request_headers on; proxy_set_header Host $host; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # All recommended in security overview proxy_set_header Referrer-Policy "no-referrer" ; proxy_set_header X-Content-Type-Options "nosniff" ; proxy_set_header X-Download-Options "noopen" ; proxy_set_header X-Frame-Options "SAMEORIGIN" ; proxy_set_header X-Permitted-Cross-Domain-Policies "none" ; proxy_set_header X-Robots-Tag "none" ; proxy_set_header X-XSS-Protection "1; mode=block" ; } # Needed to make CalDAV and CardDAV work properly location /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; } location /.well-known/caldav { return 301 $scheme://$host/remote.php/dav; } }