pid /var/run/nginx/nginx.pid; worker_processes auto; error_log /proc/self/fd/2 info; events { worker_connections 2048; use epoll; multi_accept on; } http { include mime.types; default_type application/octet-stream; aio threads; sendfile on; keepalive_timeout 15; keepalive_disable msie6; keepalive_requests 100; gzip off; ## Temp folders client_body_temp_path /tmp/nginx 1 2; proxy_temp_path /tmp/nginx-proxy; fastcgi_temp_path /tmp/nginx-fastcgi; uwsgi_temp_path /tmp/nginx-uwsgi; scgi_temp_path /tmp/nginx-scgi; ## Handling of IPs in proxied and load balancing situations set_real_ip_from @REAL_IP_FROM@; real_ip_header @REAL_IP_HEADER@; # Log log_format main '$@LOG_IP_VAR@ - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent"'; access_log /proc/self/fd/1 main; ## TCP options tcp_nopush on; tcp_nodelay on; ## Hide the Nginx version number server_tokens off; server { listen 127.0.0.1:12345; server_name _; access_log off; error_log /dev/null; location / { return 500; } location ~ ^/(status|ping)$ { allow 127.0.0.1; deny all; fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock; fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; include fastcgi_params; fastcgi_param SERVER_SOFTWARE ""; } } # https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html server { listen 8000; listen [::]:8000; root /var/www; index index.php index.html; client_max_body_size @UPLOAD_MAX_SIZE@; client_body_buffer_size 128k; fastcgi_buffers 64 4K; large_client_header_buffers 4 16k; # https://docs.nextcloud.com/server/stable/admin_manual/installation/harden_server.html add_header Strict-Transport-Security "@HSTS_HEADER@"; add_header Referrer-Policy "@RP_HEADER@" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; add_header X-Frame-Options "@XFRAME_OPTS_HEADER@" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "none" always; add_header X-XSS-Protection "1; mode=block" always; # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; # Enable gzip but do not remove ETag headers gzip on; gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # Handle Microsoft DAV clients location = / { if ( $http_user_agent ~ ^DavClnt ) { return 302 @SUBDIR@/remote.php/webdav/$is_args$args; } } location = /robots.txt { allow all; log_not_found off; access_log off; } location ^~ /.well-known { location = /.well-known/carddav { return 301 @SUBDIR@/remote.php/dav/; } location = /.well-known/caldav { return 301 @SUBDIR@/remote.php/dav/; } location /.well-known/acme-challenge { try_files $uri $uri/ =404; } location /.well-known/pki-validation { try_files $uri $uri/ =404; } return 301 @SUBDIR@/index.php$request_uri; } location / { rewrite ^ /index.php; } location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { deny all; } location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; } location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) { fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; set $path_info $fastcgi_path_info; try_files $fastcgi_script_name =404; include fastcgi_params; fastcgi_param SERVER_SOFTWARE ""; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $path_info; fastcgi_param modHeadersAvailable true; fastcgi_param front_controller_active true; fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock; fastcgi_intercept_errors on; fastcgi_request_buffering off; fastcgi_read_timeout 1200; } location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { try_files $uri/ =404; index index.php; } location ~ \.(?:css|js|woff2?|svg|gif|map)$ { try_files $uri /index.php$request_uri; add_header Cache-Control "public, max-age=15778463"; add_header Strict-Transport-Security "@HSTS_HEADER@"; add_header Referrer-Policy "@RP_HEADER@" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; add_header X-Frame-Options "@XFRAME_OPTS_HEADER@" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "none" always; add_header X-XSS-Protection "1; mode=block" always; access_log off; } location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ { try_files $uri /index.php$uri$is_args$args; access_log off; } } }