Nginx configuration for ownCloud with support for URL rewriting (https://github.com/owncloud/core/pull/14081)

owncloud-nginx-pretty-urls.conf

upstream php-fpm {
	# Path to PHP-FPM socket
	server unix:/var/run/php-fpm/php-fpm.sock;
}

server {
	# Listen on port 80 for non-SSL connections
	listen 80;
	server_name YOURDOMAIN.XYZ;

	# Redirect to the SSL version of the page requested (force SSL)
	return 301 https://$server_name$request_uri;
}

server {
	# Listen on port 443 for SSL connections
	listen 443 ssl;
	server_name YOURDOMAIN.XYZ;

	# Configure access and error log locations
	access_log /var/log/nginx/YOURDOMAIN.XYZ_access.log;
	error_log /var/log/nginx/YOURDOMAIN.XYZ_error.log error;
    
	# Log rewrite errors
	rewrite_log on;

	# Certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
	ssl_certificate YOUR_SSL_CERT.pem;
	ssl_certificate_key YOUR_PRIVATE_KEY.pem;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	ssl_dhparam YOUR_DH_PARAM.pem;

	# Intermediate configuration
	# https://mozilla.github.io/server-side-tls/ssl-config-generator/
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	add_header Strict-Transport-Security max-age=15768000;

	# OCSP Stapling
	# Fetch OCSP records from URL in ssl_certificate and cache them
	ssl_stapling on;
	ssl_stapling_verify on;

	## Verify chain of trust of OCSP response using Root CA and Intermediate certs
	ssl_trusted_certificate YOUR_CERT_CHAIN.pem;

	# Set the DNS resolver
	resolver 8.8.8.8 8.8.4.4;

	# Path to ownCloud
	root /usr/share/owncloud/;
    
	# Set max upload size
	client_max_body_size 10G;
	fastcgi_buffers 64 4K;

	# Disable gzip to avoid the removal of the ETag header
	gzip off;

	# Only use index.php for the index page
	index index.php;

	# Use pretty error pages
	error_page 403 /core/templates/403.php;
	error_page 404 /core/templates/404.php;

	# If robots.txt is present, always allow access and serve it directly
	# If it isn't, don't log the access attempt
	location = /robots.txt {
		allow all;
		log_not_found off;
		access_log off;
	}

	# Deny access to the data and config directories, .ht* files,
	# the README, and the database structure definition
	location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
		deny all;
	}

	# Pretty URLs for WebDAV
	location ~* \/remote\/(?:.*)$ {
		rewrite ^ /remote.php last;
	}

	# Rewrite file preview requests and requests for the JS configuration file
	# to the ownCloud front controller
	location ~* \/core\/(?:js\/oc\.js|preview\.png).*$ {
		rewrite ^ /index.php last;
	}

	# Main location block
	# Most requests will fall into this block
	location / {
		# Specific rewrites for WebDAV/CalDAV/CardDAV and documentation
		rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
		rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
		rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
		rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
		rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
		rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
		rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
		rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

		# Exclude static assets, specific PHP files, and Let's Encrypt verifications,
		# then rewrite everything else to the ownCloud front controller
		if ($uri !~* (?:\.(?:css|js|svg|gif|png|html|ttf|woff)$|^\/(?:remote|public|cron|status|ocs\/v1|ocs\/v2)\.php|^\/\.well-known\/acme-challenge\/.*$)){
			rewrite ^ /index.php last;
		}
	}

	# Set a long expires header on static assets, excluding files accessed through WebDAV
	# This block will break uploads to WebDAV for the listed file extensions without the negative lookahead
	location ~* ^(?!\/remote\.php)(?:.*)\.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf|html|svg|ttf|woff)$ {
		expires 30d;
		# Optional: Don't log access to assets
		access_log off;
	}

	# Pass PHP files to PHP-FPM for processing
	location ~ \.php(?:$|/) {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		include fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param HTTPS on;	
		fastcgi_param PATH_INFO $fastcgi_path_info;
		# Tell ownCloud we're rewriting URLs
		fastcgi_param front_controller_active true;
		fastcgi_pass php-fpm;
	}
}

the webdav rewrite is wrong, it should be much simpler with this:

rewrite ^/webdav/(.*)$ /remote.php/dav/files/$1 redirect;

so user can use https://xxx/webdav/username to access their files from webdav connection. and this part is also tricky, I don't know if this is the best rewrite for webdav.