From b588a1813ec0988d91d599cf8cebcbbb0e2e1e0b Mon Sep 17 00:00:00 2001
From: Bjorn Neergaard
Date: Sat, 11 Mar 2017 04:45:06 -0600
Subject: [PATCH] Update nginx config

Update nginx config with upstream changes:

* Stricter PHP paths
* More asset filetypes
* Pretty URLs (no index.php)

https://docs.nextcloud.com/server/11/admin_manual/installation/nginx_nextcloud_9x.html
---
 root/defaults/default | 88 +++++++++++++++++++++++++------------------
 1 file changed, 52 insertions(+), 36 deletions(-)

diff --git a/root/defaults/default b/root/defaults/default
index f33ea25d..6eb5d65b 100644
--- a/root/defaults/default
+++ b/root/defaults/default
@@ -1,6 +1,6 @@
 upstream php-handler {
 server 127.0.0.1:9000;
-# server unix:/var/run/php/php7.0-fpm.sock;
+ #server unix:/var/run/php7-fpm.sock;
 }

 server {
@@ -18,7 +18,10 @@ server {
 ssl_certificate_key /config/keys/cert.key;

 # Add headers to serve security related headers
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ # Before enabling Strict-Transport-Security headers please read into this
+ # topic first.
+ # add_header Strict-Transport-Security "max-age=15768000;
+ # includeSubDomains; preload;";
 add_header X-Content-Type-Options nosniff;
 add_header X-Frame-Options "SAMEORIGIN";
 add_header X-XSS-Protection "1; mode=block";
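Review bot: Commenting out `add_header Strict-Transport-Security` here drops HSTS from every deployment built from this image, and the replacement comment only says to "read into this topic" without naming the trade-off a deployer has to weigh. Suggest making the comment concrete, e.g. `# HSTS with includeSubDomains and preload commits every subdomain to HTTPS for max-age seconds and preload-list removal is slow; enable only once all subdomains serve valid TLS.` Since this server block already terminates TLS itself (`ssl_certificate_key` above, `fastcgi_param HTTPS on` further down), a plain `add_header Strict-Transport-Security "max-age=15768000";` without includeSubDomains/preload would keep the protection with none of the subdomain risk. The same header is commented out a second time in the css/js location block of the -39,58 hunk.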
@@ -28,8 +31,28 @@ server { # Path to the root of your installation root /config/www/nextcloud/; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. + #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json + # last; + + location = /.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + # set max upload size - client_max_body_size 10G; + client_max_body_size 512M; fastcgi_buffers 64 4K; # Disable gzip to avoid the removal of the ETag header 
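Review bot: Both new `.well-known` redirects build the Location header from `$scheme://$host`, and `$host` is taken from the client's Host header (falling back to the first `server_name`, which is outside this hunk), so a request carrying a crafted Host header is answered with a 301 to an origin the requester chose. A relative target removes the dependency on request data: `return 301 /remote.php/dav;` in both `location = /.well-known/carddav` and `location = /.well-known/caldav`. Separately, `client_max_body_size` goes from 10G to 512M here, which caps uploads for existing deployments of this image and is not mentioned in the commit message; if intentional, a comment pointing at the matching PHP `upload_max_filesize`/`post_max_size` values would make the limit easier to keep in sync.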
@@ -39,58 +62,50 @@ server {
 # This module is currently not supported.
 #pagespeed off;

- index index.php;
 error_page 403 /core/templates/403.php;
 error_page 404 /core/templates/404.php;

- rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
- rewrite ^/.well-known/caldav /remote.php/dav/ permanent;
-
- # The following 2 rules are only needed for the user_webfinger app.
- # Uncomment it if you're planning to use this app.
- #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
- #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
+ location / {
+ rewrite ^ /index.php$uri;
 }

- location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
 deny all;
 }
-
 location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
 deny all;
 }

- location / {
-
- rewrite ^/remote/(.*) /remote.php last;
-
- rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
-
- try_files $uri $uri/ =404;
- }
-
- location ~ \.php(?:$|/) {
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
 include /etc/nginx/fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param PATH_INFO $fastcgi_path_info;
 fastcgi_param HTTPS on;
- fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
+ #Avoid sending the security headers twice
+ fastcgi_param modHeadersAvailable true;
+ fastcgi_param front_controller_active true;
 fastcgi_pass php-handler;
 fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+ }
+
+ location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+ try_files $uri/ =404;
+ index index.php;
 }

 # Adding the cache control header for js and css files
- # Make sure it is BELOW the location ~ \.php(?:$|/) { block
- location ~* \.(?:css|js)$ {
+ # Make sure it is BELOW the PHP block
+ location ~* \.(?:css|js|woff|svg|gif)$ {
+ try_files $uri /index.php$uri$is_args$args;
 add_header Cache-Control "public, max-age=7200";
- # Add headers to serve security related headers
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ # Add headers to serve security related headers (It is intended to
+ # have those duplicated to the ones above)
+ # Before enabling Strict-Transport-Security headers please read into
+ # this topic first.
+ # add_header Strict-Transport-Security "max-age=15768000;
+ # includeSubDomains; preload;";
 add_header X-Content-Type-Options nosniff;
 add_header X-Frame-Options "SAMEORIGIN";
 add_header X-XSS-Protection "1; mode=block";
@@ -101,8 +116,9 @@ server {
 access_log off;
 }

- # Optional: Don't log access to other assets
- location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
+ location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+ try_files $uri /index.php$uri$is_args$args;
+ # Optional: Don't log access to other assets
 access_log off;
 }
 }
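Review bot: The rewritten PHP location hands `$document_root$fastcgi_script_name` to php-fpm without first checking that the script exists on disk; the `updater/.+` and `ocs-provider/.+` alternatives are open-ended, so a request naming a non-existent `.php` path under those prefixes still reaches php-fpm, and with PHP's `cgi.fix_pathinfo=1` the script php-fpm resolves may differ from what nginx matched. Adding `try_files $fastcgi_script_name =404;` directly after `fastcgi_split_path_info` lets nginx reject unknown scripts itself, independent of the php-fpm `security.limit_extensions` setting. `fastcgi_request_buffering off;` also needs nginx 1.7.11 or newer; if the image pins an older build, a comment noting the requirement would save a confusing startup failure. The enclosing `server` block starts and ends outside this hunk.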