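# Nextcloud virtual host, plain HTTP, PHP served through PHP-FPM over FastCGI.
# File edited with: vim vhost/*.conf
#
# Review changes relative to the listing as published:
#   * tokens split by page extraction ("/robots .txt", "$scheme: // $host",
#     "application /atom +xml", ...) are rejoined so nginx can parse the file;
#   * the FastCGI directives get an enclosing location block again (see the
#     NOTE above it);
#   * X-Content-Type-Options and X-Download-Options are added to the
#     server-level headers so they match the set sent by the nested location;
#   * fastcgi_pass uses the php-handler upstream that the file already defines.

upstream php-handler {
    server 127.0.0.1:9000;
}

server {
    listen 80;
    server_name localhost;

    # Security-related response headers for every location that does not
    # declare add_header itself. nginx inherits add_header from the outer level
    # only when the current level defines none, so a location that adds its own
    # header has to repeat this whole set.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    root /data/www/nextcloud;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # CardDAV / CalDAV service discovery is redirected to the DAV endpoint.
    location = /.well-known/carddav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    # Everything not matched elsewhere is routed to the front controller.
    location / {
        rewrite ^ /index.php;
    }

    # Internal directories and tooling are never served. These regex locations
    # must stay ABOVE the PHP location: nginx uses the first matching regex, so
    # this order is what keeps e.g. /config/*.php away from PHP-FPM.
    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    # NOTE(review): the header of this location is missing from the published
    # listing (only its body and closing brace survive). The pattern below is
    # reconstructed to agree with fastcgi_split_path_info - confirm it against
    # the original file before deploying.
    location ~ \.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;

        # try_files resets $fastcgi_path_info, so keep a copy first.
        set $path_info $fastcgi_path_info;

        # Answer 404 for script names that do not exist under the document root
        # instead of handing the request to PHP-FPM.
        try_files $fastcgi_script_name =404;

        fastcgi_pass php-handler;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        include fastcgi_params;
    }

    # Earlier PHP handler, kept disabled by the author:
    # location ~ \.php$ {
    #     if (!-e $request_filename) {
    #         rewrite ^/(.*)$ /index.php/$1 last;
    #     }
    #     root /usr/local/nginx/html/nextcloud;
    #     fastcgi_pass 127.0.0.1:9000;
    #     fastcgi_index index.php;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include fastcgi_params;
    # }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;

        add_header Cache-Control "public, max-age=15778463";

        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above): the Cache-Control line
        # above stops this location from inheriting the server-level set.
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # This server block listens on plain HTTP only; browsers honour the
        # header only on responses delivered over HTTPS.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Optional: Don't log access to assets
        access_log off;
    }

    # Static assets: serve the file if present, otherwise fall back to the
    # front controller.
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
}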