Nginx configuration for ownCloud with support for URL rewriting (https://github.com/owncloud/core/pull/14081)

owncloud-nginx-pretty-urls.conf

upstream php-fpm {
	# Path to PHP-FPM socket
	server unix:/var/run/php-fpm/php-fpm.sock;
}

server {
	# Listen on port 80 for non-SSL connections
	listen 80;
	server_name YOURDOMAIN.XYZ;

	# Redirect to the SSL version of the page requested (force SSL)
	return 301 https://$server_name$request_uri;
}

server {
	# Listen on port 443 for SSL connections
	listen 443 ssl;
	server_name YOURDOMAIN.XYZ;

	# Configure access and error log locations
	access_log /var/log/nginx/YOURDOMAIN.XYZ_access.log;
	error_log /var/log/nginx/YOURDOMAIN.XYZ_error.log error;
    
	# Log rewrite errors
	rewrite_log on;

	# Certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
	ssl_certificate YOUR_SSL_CERT.pem;
	ssl_certificate_key YOUR_PRIVATE_KEY.pem;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	ssl_dhparam YOUR_DH_PARAM.pem;

	# Intermediate configuration
	# https://mozilla.github.io/server-side-tls/ssl-config-generator/
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	add_header Strict-Transport-Security max-age=15768000;

	# OCSP Stapling
	# Fetch OCSP records from URL in ssl_certificate and cache them
	ssl_stapling on;
	ssl_stapling_verify on;

	## Verify chain of trust of OCSP response using Root CA and Intermediate certs
	ssl_trusted_certificate YOUR_CERT_CHAIN.pem;

	# Set the DNS resolver
	resolver 8.8.8.8 8.8.4.4;

	# Path to ownCloud
	root /usr/share/owncloud/;
    
	# Set max upload size
	client_max_body_size 10G;
	fastcgi_buffers 64 4K;

	# Disable gzip to avoid the removal of the ETag header
	gzip off;

	# Only use index.php for the index page
	index index.php;

	# Use pretty error pages
	error_page 403 /core/templates/403.php;
	error_page 404 /core/templates/404.php;

	# If robots.txt is present, always allow access and serve it directly
	# If it isn't, don't log the access attempt
	location = /robots.txt {
		allow all;
		log_not_found off;
		access_log off;
	}

	# Deny access to the data and config directories, .ht* files,
	# the README, and the database structure definition
	location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
		deny all;
	}

	# Pretty URLs for WebDAV
	location ~* \/remote\/(?:.*)$ {
		rewrite ^ /remote.php last;
	}

	# Rewrite file preview requests and requests for the JS configuration file
	# to the ownCloud front controller
	location ~* \/core\/(?:js\/oc\.js|preview\.png).*$ {
		rewrite ^ /index.php last;
	}

	# Main location block
	# Most requests will fall into this block
	location / {
		# Specific rewrites for WebDAV/CalDAV/CardDAV and documentation
		rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
		rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
		rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
		rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
		rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
		rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
		rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
		rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

		# Exclude static assets, specific PHP files, and Let's Encrypt verifications,
		# then rewrite everything else to the ownCloud front controller
		if ($uri !~* (?:\.(?:css|js|svg|gif|png|html|ttf|woff)$|^\/(?:remote|public|cron|status|ocs\/v1|ocs\/v2)\.php|^\/\.well-known\/acme-challenge\/.*$)){
			rewrite ^ /index.php last;
		}
	}

	# Set a long expires header on static assets, excluding files accessed through WebDAV
	# This block will break uploads to WebDAV for the listed file extensions without the negative lookahead
	location ~* ^(?!\/remote\.php)(?:.*)\.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf|html|svg|ttf|woff)$ {
		expires 30d;
		# Optional: Don't log access to assets
		access_log off;
	}

	# Pass PHP files to PHP-FPM for processing
	location ~ \.php(?:$|/) {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		include fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param HTTPS on;	
		fastcgi_param PATH_INFO $fastcgi_path_info;
		# Tell ownCloud we're rewriting URLs
		fastcgi_param front_controller_active true;
		fastcgi_pass php-fpm;
	}
}

It's not compatible if you want to upgrade to nextcloud 10.0.2. It just jumps into your personal files, whereas with the "default" config it works fine

It works pretty sweet with nextcloud too. I had just to modify the last section (s. https://goo.gl/c9Ddc6).

the webdav rewrite is wrong, it should be much simpler with this:

rewrite ^/webdav/(.*)$ /remote.php/dav/files/$1 redirect;

so user can use https://xxx/webdav/username to access their files from webdav connection. and this part is also tricky, I don't know if this is the best rewrite for webdav.