chris/scarif
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create a nextcloud app with docker-compose

Browse Source
This commit is contained in:
Chris
2020-11-22 23:14:54 +00:00
parent 44263c250f
commit db7c5c3deb
13 changed files with 2482 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
.env

7
db/init/01-databases.sql Normal file
View File

@@ -0,0 +1,7 @@
CREATE DATABASE IF NOT EXISTS `monica`;
# Nextcloud will automatically create a database on setup
#CREATE DATABASE IF NOT EXISTS `nextcloud`;
GRANT ALL PRIVILEGES ON *.* TO 'chris'@'%';
GRANT ALL ON `nextcloud`.* TO 'chris'@'%' ;
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%';

79
docker-compose.yml
View File

@@ -5,6 +5,15 @@ services:
build: ./monica build: ./monica
image: monica image: monica
env_file: ./monica/.env env_file: ./monica/.env
environment:
- APP_URL=https://personel.${DOMAIN}
- DB_PASSWORD=${DB_PASSWORD}
- DB_USERNAME=${DB_USER}
- MAIL_FROM_ADDRESS=${MAIL_FROM}
- MAIL_HOST=${MAIL_HOST}
- MAIL_PORT=${MAIL_PORT}
- MAIL_USERNAME=${MAIL_USER}
- MAIL_PASSWORD=${MAIL_PASSWORD}
volumes: volumes:
- monica-data:/var/www/html/storage - monica-data:/var/www/html/storage
- monica-public:/var/www/html/public - monica-public:/var/www/html/public
@@ -12,15 +21,44 @@ services:
depends_on: depends_on:
- db - db
nextcloud:
build: ./nextcloud
image: nextcloud
restart: always
volumes:
- nextcloud:/var/www/html
environment:
- REDIS_HOST=redis
- MYSQL_HOST=db
- MYSQL_PASSWORD=${DB_PASSWORD}
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=${DB_USER}
- NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}
- NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
- MAIL_FROM=${MAIL_FROM}
- MAIL_HOST=${MAIL_HOST}
- MAIL_PORT=${MAIL_PORT}
- MAIL_USER=${MAIL_USER}
- MAIL_PASSWORD=${MAIL_PASSWORD}
- NEXTCLOUD_TRUSTED_DOMAINS=tower.${DOMAIN}
depends_on:
- db
- redis
db: db:
image: mariadb image: mariadb
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
environment: environment:
- MYSQL_ROOT_PASSWORD=secret - MYSQL_ROOT_PASSWORD=${DB_PASSWORD}
- MYSQL_DATABASE=monica - MYSQL_USER=${DB_USER}
- MYSQL_USER=homestead - MYSQL_PASSWORD=${DB_PASSWORD}
- MYSQL_PASSWORD=secret
volumes: volumes:
- db:/var/lib/mysql - db:/var/lib/mysql
- ./db/init:/docker-entrypoint-initdb.d
restart: always
redis:
image: redis:alpine
restart: always restart: always
nginx: nginx:
@@ -31,29 +69,44 @@ services:
- ./nginx.conf:/etc/nginx/nginx.conf - ./nginx.conf:/etc/nginx/nginx.conf
- monica-public:/var/www/html/monica/public:ro - monica-public:/var/www/html/monica/public:ro
- monica-data:/var/www/html/monica/storage:ro - monica-data:/var/www/html/monica/storage:ro
- nextcloud:/var/www/html/nextcloud:ro
depends_on: depends_on:
- monica - monica
- nextcloud
ports: ports:
- 80:80 - 80:80
- 443:443 - 443:443
depends_on: depends_on:
- omgwtfssl - omgwtfssl-monica
- omgwtfssl-nextcloud
omgwtfssl: omgwtfssl-monica:
image: paulczar/omgwtfssl image: paulczar/omgwtfssl
restart: "no" restart: "no"
volumes: volumes:
- certs:/certs - certs:/certs
environment: environment:
- SSL_SUBJECT=personel.scarif.local - SSL_SUBJECT=personel.${DOMAIN}
- CA_SUBJECT=chris@scarif.local - CA_SUBJECT=chris@${DOMAIN}
- SSL_KEY=/certs/personel.scarif.local.key - SSL_KEY=/certs/personel.${DOMAIN}.key
- SSL_CSR=/certs/personel.scarif.local.csr - SSL_CSR=/certs/personel.${DOMAIN}.csr
- SSL_CERT=/certs/personel.scarif.local.crt - SSL_CERT=/certs/personel.${DOMAIN}.crt
omgwtfssl-nextcloud:
image: paulczar/omgwtfssl
restart: "no"
volumes:
- certs:/certs
environment:
- SSL_SUBJECT=tower.${DOMAIN}
- CA_SUBJECT=chris@${DOMAIN}
- SSL_KEY=/certs/tower.${DOMAIN}.key
- SSL_CSR=/certs/tower.${DOMAIN}.csr
- SSL_CERT=/certs/tower.${DOMAIN}.crt
volumes: volumes:
db: db:
certs:
monica-public: monica-public:
monica-data: monica-data:
nextcloud:
certs:

18
monica/.env
View File

@@ -22,7 +22,7 @@ HASH_SALT=YIfc5Go7H1TNxwnS7Uza
HASH_LENGTH=18 HASH_LENGTH=18
# The URL of your application. # The URL of your application.
APP_URL=https://personel.scarif.local #APP_URL=
# Force using APP_URL as base url of your application. # Force using APP_URL as base url of your application.
# You should not need this, unless you are using subdirectory config. # You should not need this, unless you are using subdirectory config.
@@ -37,8 +37,8 @@ DB_PORT=3306
# You can use mysql unix socket if available, it overrides DB_HOST and DB_PORT values. # You can use mysql unix socket if available, it overrides DB_HOST and DB_PORT values.
#DB_UNIX_SOCKET=/var/run/mysqld/mysqld.sock #DB_UNIX_SOCKET=/var/run/mysqld/mysqld.sock
DB_DATABASE=monica DB_DATABASE=monica
DB_USERNAME=chris #DB_USERNAME=
DB_PASSWORD=secret #DB_PASSWORD=
DB_PREFIX= DB_PREFIX=
DB_TEST_HOST=127.0.0.1 DB_TEST_HOST=127.0.0.1
DB_TEST_DATABASE=monica_test DB_TEST_DATABASE=monica_test
@@ -51,13 +51,13 @@ DB_USE_UTF8MB4=true
# Mail credentials used to send emails from the application. # Mail credentials used to send emails from the application.
MAIL_MAILER=smtp MAIL_MAILER=smtp
MAIL_HOST=smtp.mailtrap.io #MAIL_HOST=
MAIL_PORT=2525 #MAIL_PORT=
MAIL_USERNAME=f41fa47f889c25 #MAIL_USERNAME=
MAIL_PASSWORD=9a13972ad70a6a #MAIL_PASSWORD=
MAIL_ENCRYPTION= MAIL_ENCRYPTION=ssl
# Outgoing emails will be sent with these identity # Outgoing emails will be sent with these identity
MAIL_FROM_ADDRESS=chris@scarif.local #MAIL_FROM_ADDRESS=
MAIL_FROM_NAME="Scarif" MAIL_FROM_NAME="Scarif"
# New registration notification sent to this email # New registration notification sent to this email
APP_EMAIL_NEW_USERS_NOTIFICATION= APP_EMAIL_NEW_USERS_NOTIFICATION=

2
monica/entrypoint.sh
View File

@@ -26,7 +26,7 @@ waitfordb() {
sleep 3 sleep 3
} }
if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ]; then if [ "$1" = "/init" ]; then
MONICADIR=/var/www/html MONICADIR=/var/www/html
ARTISAN="php ${MONICADIR}/artisan" ARTISAN="php ${MONICADIR}/artisan"

46
nextcloud/Dockerfile Normal file
View File

@@ -0,0 +1,46 @@
FROM nextcloud:fpm-alpine
RUN set -ex; \
\
apk add --no-cache \
ffmpeg \
imagemagick \
procps \
supervisor \
libreoffice \
;
RUN set -ex; \
\
apk add --no-cache --virtual .build-deps \
$PHPIZE_DEPS \
krb5-dev \
openssl-dev \
bzip2-dev \
; \
\
docker-php-ext-install \
bz2 \
; \
\
runDeps="$( \
scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
| tr ',' '\n' \
| sort -u \
| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
)"; \
apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
apk del .build-deps
RUN mkdir -p \
/var/log/supervisord \
/var/run/supervisord \
;
COPY --chown=www-data:root config /var/www/html/config
COPY supervisord.conf /
ENV NEXTCLOUD_UPDATE=1
CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

0
nextcloud/config/CAN_INSTALL Executable file
View File

168
nextcloud/config/config.backup.php Executable file
View File

@@ -0,0 +1,168 @@
<?php
$CONFIG = [
/**
* Your list of trusted domains that users can log into. Specifying trusted
* domains prevents host header poisoning. Do not remove this, as it performs
* necessary security checks.
* You can specify:
*
* - the exact hostname of your host or virtual host, e.g. demo.example.org.
* - the exact hostname with permitted port, e.g. demo.example.org:443.
* This disallows all other ports on this host
* - use * as a wildcard, e.g. ubos-raspberry-pi*.local will allow
* ubos-raspberry-pi.local and ubos-raspberry-pi-2.local
* - the IP address with or without permitted port, e.g. [2001:db8::1]:8080
* Using TLS certificates where commonName=<IP address> is deprecated
*/
'trusted_domains' =>
[
'tower.scarif.local',
],
/**
* Identifies the database used with this installation. See also config option
* ``supportedDatabases``
*
* Available:
* - sqlite3 (SQLite3)
* - mysql (MySQL/MariaDB)
* - pgsql (PostgreSQL)
*
* Defaults to ``sqlite3``
*/
'dbtype' => 'mysql',
/**
* Your host server name, for example ``localhost``, ``hostname``,
* ``hostname.example.com``, or the IP address. To specify a port use
* ``hostname:####``; to specify a Unix socket use
* ``localhost:/path/to/socket``.
*/
'dbhost' => getenv('MYSQL_HOST'),
/**
* The name of the Nextcloud database, which is set during installation. You
* should not need to change this.
*/
'dbname' => getenv('MYSQL_DATABASE'),
/**
* The user that Nextcloud uses to write to the database. This must be unique
* across Nextcloud instances using the same SQL database. This is set up during
* installation, so you shouldn't need to change it.
*/
'dbuser' => getenv('MYSQL_USER'),
/**
* The password for the database user. This is set up during installation, so
* you shouldn't need to change it.
*/
'dbpassword' => getenv('MYSQL_PASSWORD'),
/**
* Mail Parameters
*
* These configure the email settings for Nextcloud notifications and password
* resets.
*/
/**
* The return address that you want to appear on emails sent by the Nextcloud
* server, for example ``nc-admin@example.com``, substituting your own domain,
* of course.
*/
'mail_domain' => getenv('MAIL_FROM'),
/**
* This depends on ``mail_smtpmode``. Specify the IP address of your mail
* server host. This may contain multiple hosts separated by a semi-colon. If
* you need to specify the port number append it to the IP address separated by
* a colon, like this: ``127.0.0.1:24``.
*
* Defaults to ``127.0.0.1``
*/
'mail_smtphost' => getenv('MAIL_HOST'),
/**
* This depends on ``mail_smtpmode``. Specify the port for sending mail.
*
* Defaults to ``25``
*/
'mail_smtpport' => getenv('MAIL_PORT'),
/**
* This depends on ``mail_smtpmode``. Specify when you are using ``ssl`` for SSL/TLS or
* ``tls`` for STARTTLS, or leave empty for no encryption.
*
* Defaults to ``''`` (empty string)
*/
'mail_smtpsecure' => 'ssl',
/**
* This depends on ``mail_smtpmode``. Change this to ``true`` if your mail
* server requires authentication.
*
* Defaults to ``false``
*/
'mail_smtpauth' => true,
/**
* This depends on ``mail_smtpmode``. If SMTP authentication is required, choose
* the authentication type as ``LOGIN`` or ``PLAIN``.
*
* Defaults to ``LOGIN``
*/
'mail_smtpauthtype' => 'LOGIN',
/**
* This depends on ``mail_smtpauth``. Specify the username for authenticating to
* the SMTP server.
*
* Defaults to ``''`` (empty string)
*/
'mail_smtpname' => getenv('MAIL_USER'),
/**
* This depends on ``mail_smtpauth``. Specify the password for authenticating to
* the SMTP server.
*
* Default to ``''`` (empty string)
*/
'mail_smtppassword' => getenv('MAIL_PASSWORD'),
/**
* Memory caching backend configuration
*
* Available cache backends:
*
* * ``\OC\Memcache\APCu`` APC user backend
* * ``\OC\Memcache\ArrayCache`` In-memory array-based backend (not recommended)
* * ``\OC\Memcache\Memcached`` Memcached backend
* * ``\OC\Memcache\Redis`` Redis backend
*
* Advice on choosing between the various backends:
*
* * APCu should be easiest to install. Almost all distributions have packages.
* Use this for single user environment for all caches.
* * Use Redis or Memcached for distributed environments.
* For the local cache (you can configure two) take APCu.
*/
/**
* Connection details for redis to use for memory caching in a single server configuration.
*
* For enhanced security it is recommended to configure Redis
* to require a password. See http://redis.io/topics/security
* for more information.
*/
'redis' => [
'host' => 'localhost', // can also be a unix domain socket: '/tmp/redis.sock'
'port' => 6379,
'timeout' => 0.0,
'password' => '', // Optional, if not defined no password will be used.
'dbindex' => 0, // Optional, if undefined SELECT will not run and will use Redis Server's default DB Index.
],
];

168
nextcloud/config/config.php Executable file
View File

@@ -0,0 +1,168 @@
<?php
$CONFIG = [
/**
* Your list of trusted domains that users can log into. Specifying trusted
* domains prevents host header poisoning. Do not remove this, as it performs
* necessary security checks.
* You can specify:
*
* - the exact hostname of your host or virtual host, e.g. demo.example.org.
* - the exact hostname with permitted port, e.g. demo.example.org:443.
* This disallows all other ports on this host
* - use * as a wildcard, e.g. ubos-raspberry-pi*.local will allow
* ubos-raspberry-pi.local and ubos-raspberry-pi-2.local
* - the IP address with or without permitted port, e.g. [2001:db8::1]:8080
* Using TLS certificates where commonName=<IP address> is deprecated
*/
'trusted_domains' =>
[
'tower.scarif.local',
],
/**
* Identifies the database used with this installation. See also config option
* ``supportedDatabases``
*
* Available:
* - sqlite3 (SQLite3)
* - mysql (MySQL/MariaDB)
* - pgsql (PostgreSQL)
*
* Defaults to ``sqlite3``
*/
'dbtype' => 'mysql',
/**
* Your host server name, for example ``localhost``, ``hostname``,
* ``hostname.example.com``, or the IP address. To specify a port use
* ``hostname:####``; to specify a Unix socket use
* ``localhost:/path/to/socket``.
*/
'dbhost' => getenv('MYSQL_HOST'),
/**
* The name of the Nextcloud database, which is set during installation. You
* should not need to change this.
*/
'dbname' => getenv('MYSQL_DATABASE'),
/**
* The user that Nextcloud uses to write to the database. This must be unique
* across Nextcloud instances using the same SQL database. This is set up during
* installation, so you shouldn't need to change it.
*/
'dbuser' => getenv('MYSQL_USER'),
/**
* The password for the database user. This is set up during installation, so
* you shouldn't need to change it.
*/
'dbpassword' => getenv('MYSQL_PASSWORD'),
/**
* Mail Parameters
*
* These configure the email settings for Nextcloud notifications and password
* resets.
*/
/**
* The return address that you want to appear on emails sent by the Nextcloud
* server, for example ``nc-admin@example.com``, substituting your own domain,
* of course.
*/
'mail_domain' => getenv('MAIL_FROM'),
/**
* This depends on ``mail_smtpmode``. Specify the IP address of your mail
* server host. This may contain multiple hosts separated by a semi-colon. If
* you need to specify the port number append it to the IP address separated by
* a colon, like this: ``127.0.0.1:24``.
*
* Defaults to ``127.0.0.1``
*/
'mail_smtphost' => getenv('MAIL_HOST'),
/**
* This depends on ``mail_smtpmode``. Specify the port for sending mail.
*
* Defaults to ``25``
*/
'mail_smtpport' => getenv('MAIL_PORT'),
/**
* This depends on ``mail_smtpmode``. Specify when you are using ``ssl`` for SSL/TLS or
* ``tls`` for STARTTLS, or leave empty for no encryption.
*
* Defaults to ``''`` (empty string)
*/
'mail_smtpsecure' => 'ssl',
/**
* This depends on ``mail_smtpmode``. Change this to ``true`` if your mail
* server requires authentication.
*
* Defaults to ``false``
*/
'mail_smtpauth' => true,
/**
* This depends on ``mail_smtpmode``. If SMTP authentication is required, choose
* the authentication type as ``LOGIN`` or ``PLAIN``.
*
* Defaults to ``LOGIN``
*/
'mail_smtpauthtype' => 'LOGIN',
/**
* This depends on ``mail_smtpauth``. Specify the username for authenticating to
* the SMTP server.
*
* Defaults to ``''`` (empty string)
*/
'mail_smtpname' => getenv('MAIL_USER'),
/**
* This depends on ``mail_smtpauth``. Specify the password for authenticating to
* the SMTP server.
*
* Default to ``''`` (empty string)
*/
'mail_smtppassword' => getenv('MAIL_PASSWORD'),
/**
* Memory caching backend configuration
*
* Available cache backends:
*
* * ``\OC\Memcache\APCu`` APC user backend
* * ``\OC\Memcache\ArrayCache`` In-memory array-based backend (not recommended)
* * ``\OC\Memcache\Memcached`` Memcached backend
* * ``\OC\Memcache\Redis`` Redis backend
*
* Advice on choosing between the various backends:
*
* * APCu should be easiest to install. Almost all distributions have packages.
* Use this for single user environment for all caches.
* * Use Redis or Memcached for distributed environments.
* For the local cache (you can configure two) take APCu.
*/
/**
* Connection details for redis to use for memory caching in a single server configuration.
*
* For enhanced security it is recommended to configure Redis
* to require a password. See http://redis.io/topics/security
* for more information.
*/
'redis' => [
'host' => 'localhost', // can also be a unix domain socket: '/tmp/redis.sock'
'port' => 6379,
'timeout' => 0.0,
'password' => '', // Optional, if not defined no password will be used.
'dbindex' => 0, // Optional, if undefined SELECT will not run and will use Redis Server's default DB Index.
],
];

1851
nextcloud/config/config.sample.php Executable file
View File

File diff suppressed because it is too large Load Diff

3
nextcloud/db.env Normal file
View File

@@ -0,0 +1,3 @@
MYSQL_PASSWORD=secret
MYSQL_DATABASE=nextcloud
MYSQL_USER=chris

22
nextcloud/supervisord.conf Normal file
View File

@@ -0,0 +1,22 @@
[supervisord]
nodaemon=true
logfile=/var/log/supervisord/supervisord.log
pidfile=/var/run/supervisord/supervisord.pid
childlogdir=/var/log/supervisord/
logfile_maxbytes=50MB ; maximum size of logfile before rotation
logfile_backups=10 ; number of backed up logfiles
loglevel=error
[program:php-fpm]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=php-fpm
[program:cron]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=/cron.shv

144
nginx.conf
View File

@@ -1,4 +1,4 @@
worker_processes 1; worker_processes auto;
error_log /var/log/nginx/error.log warn; error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid; pid /var/run/nginx.pid;
@@ -27,10 +27,13 @@ http {
set_real_ip_from 192.168.0.0/16; set_real_ip_from 192.168.0.0/16;
real_ip_header X-Real-IP; real_ip_header X-Real-IP;
# Connect to app service # Connect to service services
upstream php-handler { upstream monica-handler {
server monica:9000; server monica:9000;
} }
upstream nextcloud-handler {
server nextcloud:9000;
}
server { server {
listen 443 ssl http2; listen 443 ssl http2;
@@ -110,7 +113,7 @@ http {
# Check that the PHP script exists before passing it # Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404; try_files $fastcgi_script_name =404;
fastcgi_pass php-handler; fastcgi_pass monica-handler;
fastcgi_index index.php; fastcgi_index index.php;
include fastcgi_params; include fastcgi_params;
@@ -163,4 +166,137 @@ http {
deny all; deny all;
} }
} }
server {
listen 443 ssl http2;
ssl_certificate /etc/nginx/certs/tower.scarif.local.crt;
ssl_certificate_key /etc/nginx/certs/tower.scarif.local.key;
server_name tower.scarif.local;
## HSTS ##
# Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# removed from this list could take several months.
#
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
root /var/www/html/nextcloud;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /.well-known/carddav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location / {
rewrite ^ /index.php;
}
location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
# Cannot use $document_root as the path to monica on the docker container
# is different to the path to the public files in this nginx container.
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
# fastcgi_param HTTPS on;
# Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
# Enable pretty urls
fastcgi_param front_controller_active true;
fastcgi_pass nextcloud-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js, css and map files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
try_files $uri /index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}
} }