From e0c144d7cbdcef0d9b5efcf781bbef424de84090 Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Mon, 19 Sep 2016 12:11:11 +0200
Subject: [PATCH] nextcloud: refactor nginx.conf (fix #19)
---
 nextcloud/10.0/nginx.conf | 86 ++++++++++++++++++++------------------
 nextcloud/9.0/nginx.conf | 86 ++++++++++++++++++++------------------
 nextcloud/daily/nginx.conf | 86 ++++++++++++++++++++------------------
 3 files changed, 138 insertions(+), 120 deletions(-)
diff --git a/nextcloud/10.0/nginx.conf b/nextcloud/10.0/nginx.conf
index 623e8b1..b764cf5 100644
--- a/nextcloud/10.0/nginx.conf
+++ b/nextcloud/10.0/nginx.conf
@@ -28,43 +28,21 @@ http {
 uwsgi_temp_path /tmp/uwsgi 1 2;
 scgi_temp_path /tmp/scgi 1 2;
- gzip on;
- gzip_comp_level 5;
- gzip_min_length 512;
- gzip_buffers 4 8k;
- gzip_proxied any;
- gzip_vary on;
- gzip_disable "msie6";
- gzip_types
- text/css
- text/javascript
- text/xml
- text/plain
- text/x-component
- application/javascript
- application/x-javascript
- application/json
- application/xml
- application/rss+xml
- application/vnd.ms-fontobject
- font/truetype
- font/opentype
- image/svg+xml;
+ gzip off;
 server {
 listen 8888;
 index index.php;
 root /nextcloud;
+ client_max_body_size 10G;
 fastcgi_buffers 64 4K;
- rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
- rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
- rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
+ error_page 403 /core/templates/403.php;
 error_page 404 /core/templates/404.php;
 add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Frame-Options "SAMEORIGIN";
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Robots-Tag none;
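Review bot: In the first hunk of nextcloud/10.0/nginx.conf, `client_max_body_size 10G;` is added at server scope without a comment, so the 10 GB ceiling applies to every location in this server block and not only to upload endpoints. I would document it in place, e.g. `# upload ceiling; keep in step with PHP's upload_max_filesize and post_max_size`, and confirm that the PHP side enforces its own limits, since those settings are not visible here. The replacement of the tuned gzip block by `gzip off;` also deserves a one-line comment giving the reason, which the commit message does not state. The same lines appear in the first hunks of the 9.0 and daily files, and the `http` and `server` blocks continue outside the hunk.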
@@ -77,31 +55,59 @@ http {
 access_log off;
 }
- location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
- deny all;
+ location = /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ location = /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
 }
 location / {
- rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
- rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
- rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
- rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
- rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
- try_files $uri $uri/ index.php;
+ rewrite ^ /index.php$uri;
 }
- location ~ ^(.+?\.php)(/.*)?$ {
- try_files $1 = 404;
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+ deny all;
+ }
+
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+ deny all;
+ }
+
+ location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
 include fastcgi_params;
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
 fastcgi_param modHeadersAvailable true;
- fastcgi_param SCRIPT_FILENAME $document_root$1;
- fastcgi_param PATH_INFO $2;
+ fastcgi_param front_controller_active true;
 fastcgi_pass unix:/tmp/php-fpm.sock;
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
 fastcgi_read_timeout 1200;
 }
- location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
- expires 30d;
+ location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+ try_files $uri/ =404;
+ index index.php;
+ }
+
+ location ~* \.(?:css|js)$ {
+ try_files $uri /index.php$uri$is_args$args;
+ add_header Cache-Control "public, max-age=7200";
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ access_log off;
+ }
+
+ location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
+ try_files $uri /nextcloud/index.php$uri$is_args$args;
 access_log off;
 }
 }
diff --git a/nextcloud/9.0/nginx.conf b/nextcloud/9.0/nginx.conf
index 623e8b1..b764cf5 100644
--- a/nextcloud/9.0/nginx.conf
+++ b/nextcloud/9.0/nginx.conf
@@ -28,43 +28,21 @@ http {
 uwsgi_temp_path /tmp/uwsgi 1 2;
 scgi_temp_path /tmp/scgi 1 2;
- gzip on;
- gzip_comp_level 5;
- gzip_min_length 512;
- gzip_buffers 4 8k;
- gzip_proxied any;
- gzip_vary on;
- gzip_disable "msie6";
- gzip_types
- text/css
- text/javascript
- text/xml
- text/plain
- text/x-component
- application/javascript
- application/x-javascript
- application/json
- application/xml
- application/rss+xml
- application/vnd.ms-fontobject
- font/truetype
- font/opentype
- image/svg+xml;
+ gzip off;
 server {
 listen 8888;
 index index.php;
 root /nextcloud;
+ client_max_body_size 10G;
 fastcgi_buffers 64 4K;
- rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
- rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
- rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
+ error_page 403 /core/templates/403.php;
 error_page 404 /core/templates/404.php;
 add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Frame-Options "SAMEORIGIN";
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Robots-Tag none;
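Review bot: In the second hunk of nextcloud/10.0/nginx.conf, the fallback in the image/font location, `try_files $uri /nextcloud/index.php$uri$is_args$args;`, does not fit this server block, which sets `root /nextcloud;` and serves the app at `/`; the css/js location just above uses `/index.php$uri$is_args$args`. As written, a missing `.png`, `.svg` or `.html` is internally redirected to a URI that still ends in the same extension and does not start with `/index.php`, so it re-enters this location instead of the PHP one and will likely end at nginx's internal-redirect limit (a 500) rather than at the front controller. I would change the line to `try_files $uri /index.php$uri$is_args$args;`. Separately, the two `.well-known` locations build the redirect from `$scheme://$host`; if this plain listener on 8888 sits behind a TLS-terminating proxy, which the HSTS header suggests, `$scheme` is `http` and the 301 sends clients to plain HTTP, so that is worth confirming. The same lines appear in the second hunks of the 9.0 and daily files, and the `server` block starts outside the hunk.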
@@ -77,31 +55,59 @@ http {
 access_log off;
 }
- location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
- deny all;
+ location = /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ location = /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
 }
 location / {
- rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
- rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
- rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
- rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
- rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
- try_files $uri $uri/ index.php;
+ rewrite ^ /index.php$uri;
 }
- location ~ ^(.+?\.php)(/.*)?$ {
- try_files $1 = 404;
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+ deny all;
+ }
+
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+ deny all;
+ }
+
+ location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
 include fastcgi_params;
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
 fastcgi_param modHeadersAvailable true;
- fastcgi_param SCRIPT_FILENAME $document_root$1;
- fastcgi_param PATH_INFO $2;
+ fastcgi_param front_controller_active true;
 fastcgi_pass unix:/tmp/php-fpm.sock;
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
 fastcgi_read_timeout 1200;
 }
- location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
- expires 30d;
+ location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+ try_files $uri/ =404;
+ index index.php;
+ }
+
+ location ~* \.(?:css|js)$ {
+ try_files $uri /index.php$uri$is_args$args;
+ add_header Cache-Control "public, max-age=7200";
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ access_log off;
+ }
+
+ location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
+ try_files $uri /nextcloud/index.php$uri$is_args$args;
 access_log off;
 }
 }
diff --git a/nextcloud/daily/nginx.conf b/nextcloud/daily/nginx.conf
index 623e8b1..b764cf5 100644
--- a/nextcloud/daily/nginx.conf
+++ b/nextcloud/daily/nginx.conf
@@ -28,43 +28,21 @@ http {
 uwsgi_temp_path /tmp/uwsgi 1 2;
 scgi_temp_path /tmp/scgi 1 2;
- gzip on;
- gzip_comp_level 5;
- gzip_min_length 512;
- gzip_buffers 4 8k;
- gzip_proxied any;
- gzip_vary on;
- gzip_disable "msie6";
- gzip_types
- text/css
- text/javascript
- text/xml
- text/plain
- text/x-component
- application/javascript
- application/x-javascript
- application/json
- application/xml
- application/rss+xml
- application/vnd.ms-fontobject
- font/truetype
- font/opentype
- image/svg+xml;
+ gzip off;
 server {
 listen 8888;
 index index.php;
 root /nextcloud;
+ client_max_body_size 10G;
 fastcgi_buffers 64 4K;
- rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
- rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
- rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
+ error_page 403 /core/templates/403.php;
 error_page 404 /core/templates/404.php;
 add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Frame-Options "SAMEORIGIN";
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Robots-Tag none;
@@ -77,31 +55,59 @@ http {
 access_log off;
 }
- location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
- deny all;
+ location = /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ location = /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
 }
 location / {
- rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
- rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
- rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
- rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
- rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
- try_files $uri $uri/ index.php;
+ rewrite ^ /index.php$uri;
 }
- location ~ ^(.+?\.php)(/.*)?$ {
- try_files $1 = 404;
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+ deny all;
+ }
+
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+ deny all;
+ }
+
+ location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
 include fastcgi_params;
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
 fastcgi_param modHeadersAvailable true;
- fastcgi_param SCRIPT_FILENAME $document_root$1;
- fastcgi_param PATH_INFO $2;
+ fastcgi_param front_controller_active true;
 fastcgi_pass unix:/tmp/php-fpm.sock;
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
 fastcgi_read_timeout 1200;
 }
- location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
- expires 30d;
+ location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+ try_files $uri/ =404;
+ index index.php;
+ }
+
+ location ~* \.(?:css|js)$ {
+ try_files $uri /index.php$uri$is_args$args;
+ add_header Cache-Control "public, max-age=7200";
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ access_log off;
+ }
+
+ location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
+ try_files $uri /nextcloud/index.php$uri$is_args$args;
 access_log off;
 }
 }