location ^~ /.well-known { # The following 6 rules are borrowed from `.htaccess` # The following 2 rules are only needed for the user_webfinger app. # Uncomment it if you're planning to use this app. #rewrite ^/\.well-known/host-meta\.json __PATH__/public.php?service=host-meta-json last; #rewrite ^/\.well-known/host-meta __PATH__/public.php?service=host-meta last; location = /.well-known/carddav { return 301 __PATH__/remote.php/dav/; } location = /.well-known/caldav { return 301 __PATH__/remote.php/dav/; } location = /.well-known/webfinger { return 301 __PATH__/index.php$uri; } location = /.well-known/nodeinfo { return 301 __PATH__/index.php$uri; } try_files $uri $uri/ =404; } #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; location ^~ __PATH__/ { # Path to source alias __FINALPATH__/; # Force usage of https if ($scheme = http) { rewrite ^ https://$server_name$request_uri? permanent; } # Add headers to serve security related headers more_set_headers "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload;"; more_set_headers "Referrer-Policy: no-referrer"; more_set_headers "X-Content-Type-Options: nosniff"; more_set_headers "X-Download-Options: noopen"; more_set_headers "X-Frame-Options: SAMEORIGIN"; more_set_headers "X-Permitted-Cross-Domain-Policies: none"; more_set_headers "X-Robots-Tag: none"; more_set_headers "X-XSS-Protection: 1; mode=block"; # Set max upload size client_max_body_size 10G; fastcgi_buffers 64 4K; # Enable gzip but do not remove ETag headers gzip on; gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # Pagespeed is not supported by Nextcloud, so if your server is built # with the `ngx_pagespeed` module, uncomment this line to disable it. #pagespeed off; # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; # Specify how to handle directories -- specifying `/nextcloud/index.php$request_uri` # here as the fallback means that Nginx always exhibits the desired behaviour # when a client requests a path that corresponds to a directory that exists # on the server. In particular, if that directory contains an index.php file, # that file is correctly served; if it doesn't, then the request is passed to # the front-end controller. This consistent behaviour means that we don't need # to specify custom rules for certain paths (e.g. images and other assets, # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus # `try_files $uri $uri/ /nextcloud/index.php$request_uri` # always provides the desired behaviour. index index.php index.html __PATH__/index.php$request_uri; # Default Cache-Control policy expires 1m; # Rule borrowed from `.htaccess` to handle Microsoft DAV clients location = __PATH__/ { if ( $http_user_agent ~ ^DavClnt ) { return 302 __PATH__/remote.php/webdav/$is_args$args; } } location = __PATH__/robots.txt { allow all; log_not_found off; access_log off; } # Rules borrowed from `.htaccess` to hide certain paths from clients location ~ ^__PATH__/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } location ~ ^__PATH__/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } # Ensure this block, which passes PHP files to the PHP process, is above the blocks # which handle static assets (as seen below). If this block is not declared first, # then Nginx will encounter an infinite rewriting loop when it prepends # `/nextcloud/index.php` to the URI, resulting in a HTTP 500 error response. location ~ \.php(?:$|/) { # Required for legacy support # https://github.com/nextcloud/documentation/pull/2197#issuecomment-721432337 # This line fix the ldap admin page rewrite ^__PATH__/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) __PATH__/index.php$request_uri; fastcgi_split_path_info ^(.+?\.php)(/.*)$; set $path_info $fastcgi_path_info; try_files $fastcgi_script_name =404; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $request_filename; fastcgi_param PATH_INFO $path_info; fastcgi_param HTTPS on; fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice fastcgi_param front_controller_active true; # Enable pretty urls fastcgi_param HTTP_ACCEPT_ENCODING ""; # Disable encoding of nextcloud response to inject ynh scripts fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock; fastcgi_intercept_errors on; fastcgi_request_buffering off; } location ~ \.(?:css|js|svg|gif)$ { try_files $uri / __PATH__/index.php$request_uri; expires 6M; # Cache-Control policy borrowed from `.htaccess` access_log off; # Optional: Don't log access to assets } location ~ \.woff2?$ { try_files $uri / __PATH__/index.php$request_uri; expires 7d; # Cache-Control policy borrowed from `.htaccess` access_log off; # Optional: Don't log access to assets } location ~ / { if ($request_method ~ ^PUT$) { rewrite ^ __PATH__/index.php$request_uri last; } if ($request_method ~ ^DELETE$) { rewrite ^ __PATH__/index.php$request_uri last; } try_files $uri / __PATH__/index.php$request_uri; } # show YunoHost panel access include conf.d/yunohost_panel.conf.inc; }