SharkyRawr/acme.conf

## acme.conf
# ACME challenge response for acmetool, others might look different
location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
  default_type text/plain;
  return 200 "$1.your-account-id-here";
}

## drop.conf
location = /robots.txt  {
	access_log off; log_not_found off;
	alias /home/public_html/robots.txt;
}
location = /favicon.ico { access_log off; log_not_found off; }
location ~ /\.ht          { access_log off; log_not_found off; deny all; }
location ~ ~$           { access_log off; log_not_found off; deny all; }

## php.conf
# PHP-FPM config
location ~ [^/]\.php(/|$) {
	fastcgi_split_path_info ^(.+?\.php)(/.*)$;
	if (!-f $document_root$fastcgi_script_name) {
		return 404;
	}

	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	#fastcgi_pass 127.0.0.1:18080;
	fastcgi_index index.php;
	include fastcgi.conf;
}

## sharky.pw.conf
server {
	listen					80;
	listen					[::]:80;
	listen					443 ssl http2;
	listen					[::]:443 ssl http2;
	server_name				sharky.pw www.sharky.pw;

	ssl_certificate		/var/lib/acme/live/sharky.pw/fullchain;
	ssl_certificate_key	/var/lib/acme/live/sharky.pw/privkey;
	include ssl_params;
	add_header Strict-Transport-Security "max-age=31536000;" always;

	access_log /var/log/nginx/sharky.pw-access.log;
	error_log /var/log/nginx/sharky.pw-error.log;

	root /home/public_html/sharky.pw/;

	location / {
		if ($ssl_protocol = "") {
			rewrite ^	https://$server_name$request_uri? permanent;
		}
	}

	include acme.conf;
	include php.conf;
	include drop.conf;
}

# Nextcloud config
server {
	listen					80;
	listen					[::]:80;
	listen					443 ssl http2;
	listen					[::]:443 ssl http2;
	server_name				cloud.sharky.pw www.cloud.sharky.pw;

	ssl_certificate		/var/lib/acme/live/cloud.sharky.pw/fullchain;
	ssl_certificate_key	/var/lib/acme/live/cloud.sharky.pw/privkey;
	include ssl_params;
	add_header Strict-Transport-Security "max-age=31536000;" always;

	access_log /var/log/nginx/cloud.sharky.pw-access.log;
	error_log /var/log/nginx/cloud.sharky.pw-error.log;

	root /home/public_html/cloud.sharky.pw/nextcloud;
	index index.html index.htm index.php;
	client_max_body_size 512M;
    fastcgi_buffers 64 4K;
	include acme.conf;


	if ($ssl_protocol = "") {
		rewrite ^	https://$server_name$request_uri? permanent;
	}

	location / {
        rewrite ^ /index.php$uri;
    }

	add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

	location = /.well-known/carddav {
		return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
		return 301 $scheme://$host/remote.php/dav;
    }

	gzip off;
	error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

	location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

	location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        #  includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }


	#include php.conf;
	include drop.conf;
}
	# ACME challenge response for acmetool, others might look different
	location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
	default_type text/plain;
	return 200 "$1.your-account-id-here";
	}
	location = /robots.txt {
	access_log off; log_not_found off;
	alias /home/public_html/robots.txt;
	}
	location = /favicon.ico { access_log off; log_not_found off; }
	location ~ /\.ht { access_log off; log_not_found off; deny all; }
	location ~ ~$ { access_log off; log_not_found off; deny all; }
	# PHP-FPM config
	location ~ [^/]\.php(/\|$) {
	fastcgi_split_path_info ^(.+?\.php)(/.*)$;
	if (!-f $document_root$fastcgi_script_name) {
	return 404;
	}

	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	#fastcgi_pass 127.0.0.1:18080;
	fastcgi_index index.php;
	include fastcgi.conf;
	}
	server {
	listen 80;
	listen [::]:80;
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name sharky.pw www.sharky.pw;

	ssl_certificate /var/lib/acme/live/sharky.pw/fullchain;
	ssl_certificate_key /var/lib/acme/live/sharky.pw/privkey;
	include ssl_params;
	add_header Strict-Transport-Security "max-age=31536000;" always;

	access_log /var/log/nginx/sharky.pw-access.log;
	error_log /var/log/nginx/sharky.pw-error.log;

	root /home/public_html/sharky.pw/;

	location / {
	if ($ssl_protocol = "") {
	rewrite ^ https://$server_name$request_uri? permanent;
	}
	}

	include acme.conf;
	include php.conf;
	include drop.conf;
	}

	# Nextcloud config
	server {
	listen 80;
	listen [::]:80;
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name cloud.sharky.pw www.cloud.sharky.pw;

	ssl_certificate /var/lib/acme/live/cloud.sharky.pw/fullchain;
	ssl_certificate_key /var/lib/acme/live/cloud.sharky.pw/privkey;
	include ssl_params;
	add_header Strict-Transport-Security "max-age=31536000;" always;

	access_log /var/log/nginx/cloud.sharky.pw-access.log;
	error_log /var/log/nginx/cloud.sharky.pw-error.log;

	root /home/public_html/cloud.sharky.pw/nextcloud;
	index index.html index.htm index.php;
	client_max_body_size 512M;
	fastcgi_buffers 64 4K;
	include acme.conf;


	if ($ssl_protocol = "") {
	rewrite ^ https://$server_name$request_uri? permanent;
	}

	location / {
	rewrite ^ /index.php$uri;
	}

	add_header X-Content-Type-Options nosniff;
	add_header X-Frame-Options "SAMEORIGIN";
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Robots-Tag none;
	add_header X-Download-Options noopen;
	add_header X-Permitted-Cross-Domain-Policies none;

	location = /.well-known/carddav {
	return 301 $scheme://$host/remote.php/dav;
	}
	location = /.well-known/caldav {
	return 301 $scheme://$host/remote.php/dav;
	}

	gzip off;
	error_page 403 /core/templates/403.php;
	error_page 404 /core/templates/404.php;

	location ~ ^/(?:build\|tests\|config\|lib\|3rdparty\|templates\|data)/ {
	deny all;
	}
	location ~ ^/(?:\.\|autotest\|occ\|issue\|indie\|db_\|console) {
	deny all;
	}

	location ~ ^/(?:index\|remote\|public\|cron\|core/ajax/update\|status\|ocs/v[12]\|updater/.+\|ocs-provider/.+\|core/templates/40[34])\.php(?:$\|/) {
	include fastcgi_params;
	fastcgi_split_path_info ^(.+\.php)(/.*)$;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param PATH_INFO $fastcgi_path_info;
	fastcgi_param HTTPS on;
	#Avoid sending the security headers twice
	fastcgi_param modHeadersAvailable true;
	fastcgi_param front_controller_active true;
	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	fastcgi_intercept_errors on;
	fastcgi_request_buffering off;
	}

	location ~ ^/(?:updater\|ocs-provider)(?:$\|/) {
	try_files $uri/ =404;
	index index.php;
	}

	# Adding the cache control header for js and css files
	# Make sure it is BELOW the PHP block
	location ~* \.(?:css\|js)$ {
	try_files $uri /index.php$uri$is_args$args;
	add_header Cache-Control "public, max-age=7200";
	# Add headers to serve security related headers (It is intended to
	# have those duplicated to the ones above)
	# Before enabling Strict-Transport-Security headers please read into
	# this topic first.
	# add_header Strict-Transport-Security "max-age=15768000;
	# includeSubDomains; preload;";
	add_header X-Content-Type-Options nosniff;
	add_header X-Frame-Options "SAMEORIGIN";
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Robots-Tag none;
	add_header X-Download-Options noopen;
	add_header X-Permitted-Cross-Domain-Policies none;
	# Optional: Don't log access to assets
	access_log off;
	}

	location ~* \.(?:svg\|gif\|png\|html\|ttf\|woff\|ico\|jpg\|jpeg)$ {
	try_files $uri /index.php$uri$is_args$args;
	# Optional: Don't log access to other assets
	access_log off;
	}



	#include php.conf;
	include drop.conf;
	}