gstone/nextcloud-selfhosted
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

align nginx and Caddy config with official Nextcloud docs

Browse Source 
Move security headers to Caddy (edge proxy), remove nginx gzip
(Caddy already compresses), add asset_immutable map for versioned
cache control, add missing static file extensions, fix .well-known
block, and hide X-Powered-By header.
This commit is contained in:
Thomas Gräfenstein
2026-03-22 17:58:26 +01:00
parent ac3bff9351
commit b918e713e5
2 changed files with 16 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
caddy/Caddyfile
View File

@@ -14,6 +14,11 @@ nextcloud.t-gstone.de {
reverse_proxy nextcloud-nginx:80 reverse_proxy nextcloud-nginx:80
header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
header Referrer-Policy "no-referrer"
header X-Content-Type-Options "nosniff"
header X-Frame-Options "SAMEORIGIN"
header X-Permitted-Cross-Domain-Policies "none"
header X-Robots-Tag "noindex, nofollow"
request_body { request_body {
max_size 10G max_size 10G

20
nextcloud/nginx.conf
View File

@@ -6,6 +6,11 @@ map $uri $nonce_uri {
default ""; default "";
} }
map $arg_v $asset_immutable {
"" "";
default ", immutable";
}
server { server {
listen 80; listen 80;
server_name _; server_name _;
@@ -14,12 +19,6 @@ server {
client_body_timeout 300s; client_body_timeout 300s;
fastcgi_buffers 64 4K; fastcgi_buffers 64 4K;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_types application/javascript application/json text/css text/plain text/xml application/xml image/svg+xml;
root /var/www/html; root /var/www/html;
index index.php index.html /index.php$request_uri; index index.php index.html /index.php$request_uri;
@@ -27,7 +26,9 @@ server {
location ^~ /.well-known { location ^~ /.well-known {
location = /.well-known/carddav { return 301 /remote.php/dav/; } location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; } location = /.well-known/caldav { return 301 /remote.php/dav/; }
location ^~ /.well-known { return 301 /index.php$uri; } location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
return 301 /index.php$request_uri;
} }
# Deny access to internal paths # Deny access to internal paths
@@ -35,9 +36,9 @@ server {
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Serve static files directly, fall through to PHP for dynamic assets (e.g. theming) # Serve static files directly, fall through to PHP for dynamic assets (e.g. theming)
location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ { location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac|mp4|webm)$ {
try_files $uri /index.php$request_uri; try_files $uri /index.php$request_uri;
expires 6M; add_header Cache-Control "public, max-age=15778463$asset_immutable";
access_log off; access_log off;
} }
@@ -60,6 +61,7 @@ server {
fastcgi_param front_controller_active true; fastcgi_param front_controller_active true;
fastcgi_pass php-handler; fastcgi_pass php-handler;
fastcgi_intercept_errors on; fastcgi_intercept_errors on;
fastcgi_hide_header X-Powered-By;
fastcgi_request_buffering off; fastcgi_request_buffering off;
fastcgi_max_temp_file_size 0; fastcgi_max_temp_file_size 0;
} }