location = /.well-known/carddav {
  return 301 https://$server_name__PATH__/remote.php/dav;
}
location = /.well-known/caldav {
  return 301 https://$server_name__PATH__/remote.php/dav;
}

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#location = /.well-known/host-meta {
#  return 301 $scheme://$host:$server_port__PATH__/public.php?service=host-meta;
#}
#location = /.well-known/host-meta.json {
#  return 301 $scheme://$host:$server_port__PATH__/public.php?service=host-meta-json;
#}

# The following 2 rules are only needed for the Social app.
# Uncomment it if you're planning to use this app.
#location = /.well-known/webfinger {
#  return 301 $scheme://$host:$server_port__PATH__/public.php?service=webfinger;
#}
#location = /.well-known/nodeinfo {
#  return 301 $scheme://$host:$server_port__PATH__/public.php?service=nodeinfo;
#}

#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
location ^~ __PATH__/ {

  # Path to source
  alias __FINALPATH__/;

  # Force usage of https
  if ($scheme = http) {
    rewrite ^ https://$server_name$request_uri? permanent;
  }

  # Add headers to serve security related headers
  more_set_headers "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload;";
  more_set_headers "X-Content-Type-Options: nosniff";
  more_set_headers "X-XSS-Protection: 1; mode=block";
  more_set_headers "X-Robots-Tag: none";
  more_set_headers "X-Download-Options: noopen";
  more_set_headers "X-Permitted-Cross-Domain-Policies: none";
  more_set_headers "Referrer-Policy: no-referrer";

  # Set max upload size
  client_max_body_size 10G;
  fastcgi_buffers 64 4K;

  # Extend timeouts
  client_body_timeout 60m;
  proxy_read_timeout 60m;
  fastcgi_read_timeout 60m;

  # Disable gzip to avoid the removal of the ETag header
  gzip off;

  # Errors pages
  error_page 403 __PATH__/core/templates/403.php;
  # Don't set custom 404 error page, as nextcloud uses 404 codes with meaningful payload.
  # Setting custom 404 page clears the payload and creates UI bugs
  # error_page 404 __PATH__/core/templates/404.php;

  location __PATH__/ {
    rewrite ^ __PATH__/index.php;
  }

  location = __PATH__/robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  location ~ ^__PATH__/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
    deny all;
  }
  location ~ ^__PATH__/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
  }

  location ~ ^__PATH__/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;

    fastcgi_param SCRIPT_FILENAME $request_filename;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_param HTTPS on;
    # Avoid sending the security headers twice
    fastcgi_param modHeadersAvailable true;
    # Enable pretty urls
    fastcgi_param front_controller_active true;
    fastcgi_pass unix:/var/run/php/php__YNH_PHP_VERSION__-fpm-__NAME__.sock;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
  }

  location ~ ^__PATH__/(?:updater|oc[ms]-provider)(?:$|\/) {
    try_files $uri/ =404;
    index index.php;
  }

  location = __PATH__/core/js/oc.js {
    rewrite ^ __PATH__/index.php$request_uri;
  }

  location = __PATH__/core/preview.png {
    rewrite ^ __PATH__/index.php$request_uri;
  }

  location ~* ^__PATH__/(?:css|js)/ {
    rewrite ^ __PATH__/index.php$request_uri;
  }

  location ~* ^__PATH__/apps/theming/img/core/filetypes/ {
    rewrite ^ __PATH__/index.php$request_uri;
  }

  location ~* ^__PATH__/apps/documentserver_community/ {
    rewrite ^ __PATH__/index.php$request_uri;
  }

  # Adding the cache control header for js, css and map files
  location ~ ^__PATH__/.+[^\/]\.(?:css|js|woff2?|svg|gif|map)$ {
    try_files $uri __PATH__/index.php$request_uri;
    more_set_headers "Cache-Control: public, max-age=15778463";
    # Add headers to serve security related headers
    more_set_headers "Strict-Transport-Security: max-age=15768000";
    more_set_headers "X-Content-Type-Options: nosniff";
    more_set_headers "X-XSS-Protection: 1; mode=block";
    more_set_headers "X-Robots-Tag: none";
    more_set_headers "X-Download-Options: noopen";
    more_set_headers "X-Permitted-Cross-Domain-Policies: none";
    more_set_headers "X-Frame-Options: SAMEORIGIN";
    more_set_headers "Referrer-Policy: no-referrer";

    # Optional: Don't log access to assets
    access_log off;
  }

  location ~ ^__PATH__/.+[^\/]\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
    try_files $uri __PATH__/index.php$request_uri;
    # Optional: Don't log access to other assets
    access_log off;
  }

  # show YunoHost panel access
  include conf.d/yunohost_panel.conf.inc;
}