From 4162d8130fcdbd6e7f557e050f4c8b0b5702867c Mon Sep 17 00:00:00 2001
From: WilliamMiceli
Date: Mon, 10 Dec 2018 15:55:30 -0500
Subject: [PATCH] Fixed a few things; site accessible now; no images yet
---
templates/Nextcloud/Resources/nginx.conf | 55 ++++++++++--------------
1 file changed, 23 insertions(+), 32 deletions(-)
diff --git a/templates/Nextcloud/Resources/nginx.conf b/templates/Nextcloud/Resources/nginx.conf
index 82ddf1c..379e00e 100644
--- a/templates/Nextcloud/Resources/nginx.conf
+++ b/templates/Nextcloud/Resources/nginx.conf
@@ -29,17 +29,6 @@ http {
 # Path to the root of your installation
 root /var/www/html/;
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
- location = /.well-known/carddav {
- return 301 $scheme://$host/remote.php/dav;
- }
- location = /.well-known/caldav {
- return 301 $scheme://$host/remote.php/dav;
- }
 # set max upload size
 client_max_body_size 1G; # Previous: "512M"
@@ -53,6 +42,14 @@ http {
 gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
 gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+ # Add headers to serve security related headers
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy no-referrer;
 # Uncomment if your server is build with the ngx_pagespeed module
 # This module is currently not supported.
 #pagespeed off;
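Review bot: Hoisting the six security add_header lines to the enclosing block here, while the static-asset location in the last hunk (`location ~ \.(?:css|js|woff2?|svg|gif)$`) keeps its own `add_header Cache-Control "public, max-age=15778463";`, means CSS, JS, fonts and SVG responses lose those headers entirely: nginx inherits add_header from the enclosing level only when the current level defines no add_header directive of its own, which is exactly what the deleted comment "It is intended to have those duplicated to the ones above" was warning about. The result is that X-Content-Type-Options, X-XSS-Protection, Referrer-Policy and the rest are sent for PHP responses but not for the assets, including SVG, where the nosniff protection matters. The six add_header lines should be repeated inside that location, with a comment explaining the inheritance rule so the next cleanup does not remove them again. The deleted Strict-Transport-Security guidance could likewise be kept as a comment beside the new block here rather than dropped.
```nginx
location ~ \.(?:css|js|woff2?|svg|gif)$ {
    try_files $uri /index.php$request_uri;
    add_header Cache-Control "public, max-age=15778463";
    # add_header is not inherited from the enclosing level once this block
    # defines its own add_header (Cache-Control above), so the security
    # headers must be repeated here on purpose.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;
    # … unchanged: access_log off; …
```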
@@ -61,10 +58,24 @@ http {
 # error_page 403 /core/templates/403.php;
 # error_page 404 /core/templates/404.php;
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+ location = /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+ location = /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+ location = /.well-known/webfinger {
+ return 301 $scheme://$host/public.php?service=webfinger;
+ }
 location / {
 rewrite ^ /index.php$request_uri;
 }
-
 location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
 deny all;
 }
@@ -85,8 +96,6 @@ http {
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param PATH_INFO $fastcgi_path_info;
- # fastcgi_param HTTPS on; # Handled through Traefik - #Avoid sending the security headers twice
 fastcgi_param modHeadersAvailable true;
 fastcgi_param front_controller_active true;
 fastcgi_intercept_errors on;
@@ -101,24 +110,6 @@ http {
 location ~ \.(?:css|js|woff2?|svg|gif)$ {
 try_files $uri /index.php$request_uri;
 add_header Cache-Control "public, max-age=15778463";
- # Add headers to serve security related headers (It is intended to
- # have those duplicated to the ones above)
- # Before enabling Strict-Transport-Security headers please read into
- # this topic first.
- # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- #
- # WARNING: Only add the preload option once you read about
- # the consequences in https://hstspreload.org/. This option
- # will add the domain to a hardcoded list that is shipped
- # in all major browsers and getting removed from this list
- # could take several months.
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header Referrer-Policy no-referrer;
-
 # Optional: Don't log access to assets
 access_log off;
 }
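Review bot: The new webfinger redirect, like the moved carddav and caldav ones, builds its Location from `$scheme`, which reflects whether nginx itself accepted the connection over TLS; the `# fastcgi_param HTTPS on; # Handled through Traefik` line removed in the next hunk suggests TLS is terminated at Traefik, in which case nginx sees plain http and these 301s would send clients to `http://$host/...`, downgrading DAV and webfinger clients on their first request. If the site is only ever reached over TLS, `return 301 https://$host/public.php?service=webfinger;` (and the same for the two dav redirects) avoids that; otherwise the scheme should come from the forwarded-proto header the proxy sets rather than from `$scheme`. It is also worth a one-line comment next to `fastcgi_param modHeadersAvailable true;` replacing the deleted "Avoid sending the security headers twice", since the parameter is now unexplained. The enclosing server block starts and ends outside this hunk.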