@danielpotthast
Last active November 15, 2023 14:37
NGINX Konfiguration für Nextcloud
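# $asset_immutable is empty when the request carries no ?v= argument and
# ", immutable" otherwise. The leading comma lives in the map value so the
# Cache-Control header below never ends in a dangling ", ".
map $arg_v $asset_immutable {
    "" "";
    default ", immutable";
}

server {
    # Plain-HTTP listener only; Certbot adds the TLS/HTTP2 listener automatically.
    listen 80;
    listen [::]:80;
    server_name cloud.domain.tld; # put your domain here
    root /var/www/cloud.domain.tld;

    # Security-related headers and settings.
    # NOTE: add_header is inherited by a location only if that location has no
    # add_header of its own, so the static-asset location below repeats this set.
    # HSTS is ignored by browsers over plain HTTP; it takes effect once the TLS
    # listener exists. "includeSubDomains; preload" commits every subdomain of
    # the domain to HTTPS - keep those two tokens only if that is really the case.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Permitted-Cross-Domain-Policies none always;
    add_header X-Download-Options noopen always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Robots-Tag none always;
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy no-referrer always;
    server_tokens off;

    # Logging disabled to save performance.
    # NOTE(review): with access_log off there is no request trail for incident
    # investigation or for log-based brute-force blocking on the login
    # endpoints; re-enable it if either is needed.
    access_log off;
    log_not_found off;

    location = /robots.txt {
        allow all;
    }

    location = /.well-known/carddav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    location = /.well-known/caldav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    location ^~ /.well-known {
        return 301 /index.php$uri;
    }

    # Upload limits and timeouts
    client_max_body_size 512M;
    client_body_timeout 300s;
    fastcgi_buffers 64 4K;

    # Enable gzip
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        rewrite ^ /index.php;
    }

    # Internal directories (including config and data) are never served.
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) {
        return 404;
    }

    # Dotfiles and maintenance entry points are never served.
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        return 404;
    }

    location ~ \.php(?:$|/) {
        # Anything that is not one of the listed entry points goes through index.php.
        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

        # One split rule only (the listing declared two different ones).
        # $path_info keeps a copy made in the rewrite phase, before try_files runs.
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;

        # Only hand the request to PHP if the script file exists.
        try_files $fastcgi_script_name =404;

        # Include the stock parameters first so the explicit fastcgi_param lines
        # below come last; fastcgi_params usually defines SERVER_PORT and HTTPS
        # as well, and which duplicate wins is decided by the FastCGI backend.
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;

        set $param_https off;
        set $param_port 80;
        if ($scheme = https) {
            set $param_https on;
            set $param_port 443;
        }
        if ($server_port = 443) {
            set $param_https on;
            set $param_port 443;
        }
        # NOTE(review): X-Forwarded-Proto is a request header. Unless a trusted
        # reverse proxy in front of this server overwrites it, any client can
        # send it and make PHP see HTTPS=on for a plain-HTTP request. Remove
        # this block when nginx accepts client connections directly.
        if ($http_x_forwarded_proto = "https") {
            set $param_https on;
            set $param_port 443;
        }
        fastcgi_param HTTPS $param_https;
        fastcgi_param SERVER_PORT $param_port;

        fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
        fastcgi_read_timeout 300;
        fastcgi_keep_conn on;
        fastcgi_index index.php;
        fastcgi_buffers 8 16k;
        fastcgi_buffer_size 32k;
    }

    # Static files
    location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463$asset_immutable";
        # This location declares its own add_header, which switches off
        # inheritance of the server-level headers - repeat them here so static
        # assets (SVG, JS, ...) are not served without nosniff, HSTS, etc.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Permitted-Cross-Domain-Policies none always;
        add_header X-Download-Options noopen always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Robots-Tag none always;
        add_header X-Content-Type-Options nosniff always;
        add_header Referrer-Policy no-referrer always;
        access_log off;

        location ~ \.wasm$ {
            default_type application/wasm;
        }
    }

    # Web fonts
    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;
        access_log off;
    }
}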