user nginx; worker_processes 2; daemon off; load_module "modules/ngx_http_dav_ext_module.so"; error_log /var/log/nginx/error-local.log warn; pid /var/run/nginx.pid; events { worker_connections 2000; } http { server_tokens off; include /etc/nginx/mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; client_max_body_size 200M; gzip on; gzip_min_length 1100; gzip_buffers 4 8k; gzip_types text/plain; # caching proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=zone1:10m max_size=1G; proxy_temp_path /tmp/nginx-proxy 1 2; proxy_cache_key "$scheme$request_method$host$request_uri"; proxy_ignore_headers Expires Cache-Control; proxy_cache_use_stale error timeout invalid_header http_502; proxy_cache_bypass $cookie_session; proxy_no_cache $cookie_session; proxy_headers_hash_max_size 1024; proxy_headers_hash_bucket_size 128; log_format cached '$remote_addr ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent" $upstream_cache_status'; # Useragent ACL: works but ubuntu online accounts does not provide any useragent #map $http_user_agent $useragent_acl { # default deny; # ~(Desktop|Chrome|Nextcloud-iOS|Nextcloud-android|mirall|Mozilla/5\.0|git|ansible-httpget|Go-http-client) allow; #} # _ _ _ _ # _ __ | |__ _ __ | |__ __ _ _ __ __| | | ___ _ __ # | '_ \| '_ \| '_ \ _____| '_ \ / _` | '_ \ / _` | |/ _ \ '__| # | |_) | | | | |_) |_____| | | | (_| | | | | (_| | | __/ | # | .__/|_| |_| .__/ |_| |_|\__,_|_| |_|\__,_|_|\___|_| # |_| |_| # upstream php-handler { server 192.168.86.210:9000; #server unix:/var/run/php/php7.2-fpm.sock; } server { listen 80 default_server; root /var/www/null; # Useragent ACL # if ($useragent_acl = deny) { # return 403; # } # letsencrypt validation location /.well-known/acme-challenge/ { alias /var/www/letsencrypt/; } if ($http_x_forwarded_proto != "https") { return 301 https://$host$request_uri; } } server { listen 443 ssl http2 default_server; root /var/www; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384'; ssl_ecdh_curve secp521r1:secp384r1:prime256v1; ssl_prefer_server_ciphers on; ssl_session_timeout 10m; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; add_header Referrer-Policy no-referrer; ssl_certificate /home/ssl/xpk.headdesk.me.crt; ssl_certificate_key /home/ssl/xpk.headdesk.me.key; # filter out PROPFIND in access log set $logme 1; if ($request_method = PROPFIND) { set $logme 0; } access_log /var/log/nginx/access.log cached if=$logme; # Useragent ACL # if ($useragent_acl = deny) { # return 403; #} #location / { # proxy_pass http://192.168.86.10:8080/; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Real-IP $remote_addr; # proxy_set_header HTTP_X_FORWARDED_PROTO https; # proxy_set_header Host $host; # proxy_cache_bypass $http_pragma $http_authorization; # } # letsencrypt validation location /.well-known/acme-challenge/ { alias /var/www/letsencrypt/; } fastcgi_hide_header X-Powered-By; location = /.well-known/carddav { return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav; } location = /.well-known/caldav { return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav; } location /nextcloud/ { rewrite ^ /nextcloud/index.php; } location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { deny all; } location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; } location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; set $path_info $fastcgi_path_info; try_files $fastcgi_script_name =404; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $path_info; fastcgi_param HTTPS on; # Avoid sending the security headers twice fastcgi_param modHeadersAvailable true; # Enable pretty urls fastcgi_param front_controller_active true; fastcgi_pass php-handler; fastcgi_intercept_errors on; fastcgi_request_buffering off; } location ~ ^\/nextcloud\/(?:updater|oc[ms]-provider)(?:$|\/) { try_files $uri/ =404; index index.php; } location ~ ^\/nextcloud.*\.(?:css|js|woff2?|svg|gif|map)$ { try_files $uri /nextcloud/index.php$request_uri; add_header Cache-Control "public, max-age=15778463"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; add_header Referrer-Policy no-referrer; } location ~ ^\/nextcloud.*\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ { try_files $uri /nextcloud/index.php$request_uri; } location /git/ { proxy_pass http://192.168.86.53:3000/; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; proxy_set_header HTTP_X_FORWARDED_PROTO https; proxy_set_header Host $host; proxy_http_version 1.1; # caching: do not enable, causes cross account caching! # proxy_cache zone1; # proxy_cache_valid 200 302 5m; # proxy_cache_valid any 10m; } location /pad/ { proxy_pass http://192.168.86.51:9001/; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; proxy_set_header HTTP_X_FORWARDED_PROTO https; proxy_set_header Host $host; proxy_http_version 1.1; proxy_cookie_path / "/pad; HTTPOnly; Secure"; proxy_cookie_flags express secure httponly; } location /jenkins/ { proxy_pass http://192.168.86.55:8080/jenkins/; proxy_redirect default; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; proxy_set_header HTTP_X_FORWARDED_PROTO https; proxy_set_header Host $host; proxy_http_version 1.1; } location /mon/ { proxy_pass http://192.168.86.57/; proxy_redirect default; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; proxy_set_header HTTP_X_FORWARDED_PROTO https; proxy_set_header Host $host; proxy_http_version 1.1; proxy_cookie_path / "/mon; HTTPOnly; Secure"; proxy_cookie_flags express secure httponly; } location /enpass/ { root /var/www; auth_basic enpass; auth_basic_user_file /var/www/enpass/.htpass; dav_methods PUT DELETE MKCOL COPY MOVE; dav_ext_methods PROPFIND OPTIONS; dav_access user:rw group:rw all:r; create_full_put_path on; autoindex on; } } }