nginx

nginx.conf

@@ -0,0 +1,114 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    # Security headers
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header Referrer-Policy no-referrer;
+    add_header Content-Security-Policy "default-src 'self';";
+
+    # Hide nginx version
+    server_tokens off;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    # Add custom MIME types
+    types {
+        font/woff2 woff2;
+        application/javascript mjs;
+    }
+
+    # Logging
+    access_log /var/log/nginx/access.log combined;
+    error_log /var/log/nginx/error.log error;
+
+    # Gzip compression
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+    upstream php-handler {
+        server nextcloud:9000;
+    }
+
+    server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+        server_name example.com;
+
+        root /var/www/html;
+        index index.php index.html index.htm;
+
+        client_max_body_size 10G;
+        fastcgi_buffers 64 4K;
+        fastcgi_read_timeout 3600;
+
+        # HTTP response headers
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
+        add_header Referrer-Policy "no-referrer" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Download-Options "noopen" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Permitted-Cross-Domain-Policies "none" always;
+        add_header X-Robots-Tag "none" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header Content-Security-Policy "frame-ancestors 'self'; connect-src 'self' blob: stun.nextcloud.com:443 gabenszip.com:443";
+
+
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
+
+        location = /.well-known/carddav {
+            return 301 $scheme://$host/remote.php/dav;
+        }
+
+        location = /.well-known/caldav {
+            return 301 $scheme://$host/remote.php/dav;
+        }
+
+        location /.well-known/acme-challenge { }
+
+        location ^~ / {
+            try_files $uri $uri/ /index.php$request_uri;
+        }
+
+        location ~ \.php(?:$|/) {
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATH_INFO $fastcgi_path_info;
+            fastcgi_param modHeadersAvailable true;
+            fastcgi_param front_controller_active true;
+            fastcgi_pass php-handler;
+            fastcgi_intercept_errors on;
+            fastcgi_request_buffering off;
+            fastcgi_read_timeout 3600;
+        }
+
+        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+            try_files $uri /index.php$request_uri;
+            expires 6M;
+            access_log off;
+        }
+
+        location ~ \.woff2?$ {
+            expires 6M;
+            access_log off;
+        }
+
+        location ~ /(?:\.|autotest|occ|issue|indie|db_|console) {
+            deny all;
+        }
+    }
+}