From b918e713e5b0433e9403c70fd54018e8a9a538b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Gra=CC=88fenstein?=
Date: Sun, 22 Mar 2026 17:58:26 +0100
Subject: [PATCH] align nginx and Caddy config with official Nextcloud docs

Move security headers to Caddy (edge proxy), remove nginx gzip (Caddy already compresses), add asset_immutable map for versioned cache control, add missing static file extensions, fix .well-known block, and hide X-Powered-By header.
---
 caddy/Caddyfile | 5 +++++
 nextcloud/nginx.conf | 20 +++++++++++---------
 2 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/caddy/Caddyfile b/caddy/Caddyfile
index 9ab6f40..f2e6753 100644
--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@@ -14,6 +14,11 @@ nextcloud.t-gstone.de {
 reverse_proxy nextcloud-nginx:80
 header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ header Referrer-Policy "no-referrer"
+ header X-Content-Type-Options "nosniff"
+ header X-Frame-Options "SAMEORIGIN"
+ header X-Permitted-Cross-Domain-Policies "none"
+ header X-Robots-Tag "noindex, nofollow"
 request_body {
 max_size 10G
diff --git a/nextcloud/nginx.conf b/nextcloud/nginx.conf
index f5aa800..b4e4b5a 100644
--- a/nextcloud/nginx.conf
+++ b/nextcloud/nginx.conf
@@ -6,6 +6,11 @@ map $uri $nonce_uri {
 default "";
 }
+map $arg_v $asset_immutable {
+ "" "";
+ default ", immutable";
+}
+
 server {
 listen 80;
 server_name _;
@@ -14,12 +19,6 @@ server {
 client_body_timeout 300s;
 fastcgi_buffers 64 4K;
- gzip on;
- gzip_vary on;
- gzip_comp_level 4;
- gzip_min_length 256;
- gzip_types application/javascript application/json text/css text/plain text/xml application/xml image/svg+xml;
-
 root /var/www/html;
 index index.php index.html /index.php$request_uri;
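Review bot: The five new `header` lines are plain (non-deferred) set operations, and as I understand Caddy's header handling those run before the upstream response headers are copied in, so if `nextcloud-nginx` still emits any of the same names the upstream value is appended rather than replaced and clients see two `X-Frame-Options`, two `Referrer-Policy`, and so on, which browsers do not resolve consistently. The nginx hunks in this patch do not show those `add_header` lines being removed, so either confirm they are gone or make the Caddy side authoritative by grouping the security headers in one block with `defer`. The site block `nextcloud.t-gstone.de {` opens before this hunk and the `request_body` block closes after it; a blank context line of the hunk also seems to have been lost in this rendering.
```caddyfile
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        Referrer-Policy "no-referrer"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        X-Permitted-Cross-Domain-Policies "none"
        X-Robots-Tag "noindex, nofollow"
        defer
    }
    # … unchanged: request_body block …
```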
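Review bot: The new `asset_immutable` map carries no comment, and the reason only requests with a non-empty `v` query argument get `, immutable` is not obvious from the two entries alone; note too that `$arg_v` is client-supplied, so any value at all (not only a real version tag) selects the immutable branch, which is fine for a cache hint but should be said explicitly. A comment above the `map` line such as `# ", immutable" only for versioned assets (any non-empty ?v=); unversioned ones must stay revalidatable` would make the intent clear to the next reader.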
@@ -27,7 +26,9 @@ server {
 location ^~ /.well-known {
 location = /.well-known/carddav { return 301 /remote.php/dav/; }
 location = /.well-known/caldav { return 301 /remote.php/dav/; }
- location ^~ /.well-known { return 301 /index.php$uri; }
+ location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
+ location /.well-known/pki-validation { try_files $uri $uri/ =404; }
+ return 301 /index.php$request_uri;
 }
 # Deny access to internal paths
@@ -35,9 +36,9 @@ server {
 location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
 # Serve static files directly, fall through to PHP for dynamic assets (e.g. theming)
- location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+ location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac|mp4|webm)$ {
 try_files $uri /index.php$request_uri;
- expires 6M;
+ add_header Cache-Control "public, max-age=15778463$asset_immutable";
 access_log off;
 }
@@ -60,6 +61,7 @@ server {
 fastcgi_param front_controller_active true;
 fastcgi_pass php-handler;
 fastcgi_intercept_errors on;
+ fastcgi_hide_header X-Powered-By;
 fastcgi_request_buffering off;
 fastcgi_max_temp_file_size 0;
 }
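Review bot: `try_files $uri $uri/ =404` in the two new `/.well-known/acme-challenge` and `/.well-known/pki-validation` locations only reaches `=404` when neither a file nor a directory exists; if a directory by that name does exist under `root`, the `$uri/` entry hands the request to the `index` directive, whose last element `/index.php$request_uri` (visible in the previous hunk) redirects it into the front controller instead of returning 404. These paths are meant to serve plain validation files or nothing, so `try_files $uri =404;` is the tighter form for both lines. With TLS terminated at Caddy these locations are presumably rarely reached, but the fallthrough is still worth closing.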
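Review bot: The new `add_header Cache-Control ...` inside the static-file location has a side effect that deserves a comment: nginx inherits `add_header` directives from the `server` level only when the current level defines none, so any headers still set at server level (not visible in this patch) would silently disappear from every static response served here. That is harmless if they really moved to Caddy as the commit message says, but a one-line note prevents someone re-adding them at server level later and wondering why assets lack them. The bare `15778463` also deserves its meaning, e.g. `# ~6 months (replaces expires 6M); "immutable" is appended only for ?v=-versioned assets`.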
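Review bot: `fastcgi_hide_header X-Powered-By;` only strips the header on responses that pass through this particular fastcgi block, so any other PHP-handling location in the file (none is visible in the patch) would still leak it; if PHP-FPM is under your control, turning it off at the source with `expose_php = Off` in php.ini covers every location at once, and this line then becomes a belt-and-braces guard. A short comment stating that, e.g. `# PHP should also run with expose_php=Off; this only covers responses through this block`, would record the intent. The enclosing location block starts outside the hunk.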