config-static/nginx/params/headers_params +3 −0 @@ -3,5 +3,8 @@ add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Strict-Transport-Security "max-age=15768000"; add_header Referrer-Policy "same-origin"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; fastcgi_hide_header X-Powered-By; server_tokens off; scripts/show-info.sh +1 −1 @@ -6,7 +6,7 @@ source /mnt/repo-base/scripts/base.sh SPAM_UI=$(grep server_name $(grep -l mailserver:11334 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g') RSPAMD_PASSWORD=$(grep ^RSPAMD_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') NEXTCLOUD_UI=$(grep server_name $(grep -l nextcloud:80 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g') NEXTCLOUD_UI=$(grep server_name $(grep -l nextcloud:9000 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g') NEXTCLOUD_ADMIN_USER=$(grep ^NEXTCLOUD_ADMIN_USER= "$ENVFILE" | awk -F= '{ print $NF }') NEXTCLOUD_ADMIN_PASSWORD=$(grep ^NEXTCLOUD_ADMIN_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') templates/docker-compose/docker-compose-base.yml +1 −1 @@ -102,7 +102,7 @@ services: - mariadb nextcloud: image: nextcloud:15.0.12 image: nextcloud:16.0.5-fpm container_name: nextcloud restart: always networks: templates/docker-compose/docker-compose-networks.yml +2 −0
@@ -14,6 +14,8 @@ - /mnt/repo-base/config-dynamic/letsencrypt/certstore:/certs - /mnt/repo-base/config-dynamic/nginx/passwds:/passwds - /mnt/repo-base/config-dynamic/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge - /mnt/repo-base/volumes/nextcloud/html:/var/www/html - /mnt/repo-base/volumes/nextcloud/custom_apps:/var/www/html/custom_apps/ depends_on: - nextcloud - create-account templates/nginx/sites-enabled/nextcloud.conf +90 −42 upstream php-handler { server nextcloud:9000; } server { listen 8000; server_name @@@DOMAIN@@@;
@@ -17,31 +21,75 @@ server { ssl_certificate_key /certs/live/@@@DOMAIN@@@/privkey.pem; include /etc/nginx/params/ssl_params; # Nextcloud already sets these headers, the include would just duplicate them # We include these headers directly because some are already set by Nextcloud. #include /etc/nginx/params/headers_params; add_header Strict-Transport-Security "max-age=15552000;includeSubDomains;preload"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Strict-Transport-Security "max-age=15768000"; add_header Referrer-Policy "same-origin"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; fastcgi_hide_header X-Powered-By; server_tokens off; client_max_body_size 4096M; fastcgi_buffers 64 4K; # Enable gzip but do not remove ETag headers gzip on; gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; # Enable compression for JS/CSS/HTML bundle, for improved client load times. # It might be nice to compress JSON, but leaving that out to protect against potential # compression+encryption information leak attacks like BREACH. 
gzip_types application/atom+xml application/javascript application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; root /var/www/html; location / { rewrite ^ /index.php; } location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; } location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; } location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { fastcgi_split_path_info ^(.+\.php)(/.*)$; try_files $fastcgi_script_name =404; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; # fastcgi_param HTTPS on; #Avoid sending the security headers twice fastcgi_param modHeadersAvailable true; fastcgi_param front_controller_active true; fastcgi_pass php-handler; fastcgi_intercept_errors on; fastcgi_request_buffering off; } #auth_basic "Who's this?"; #auth_basic_user_file /passwds/<NAME>.htpasswd; location = /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; } location = /.well-known/caldav { return 301 $scheme://$host/remote.php/dav; } location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://nextcloud:80; # https://docs.nextcloud.com/server/stable/admin_manual/configuration_files/big_file_upload_configuration.html#nginx proxy_buffering off; include /etc/nginx/params/proxy_params; } location ~ (\.(?:css|js|woff2?|svg|gif)$|^/core/img/background.png$) { proxy_pass http://nextcloud:80; include /etc/nginx/params/proxy_params; location ~ (\.(?:css|js|woff2?|svg|gif|png|jpg|ico)$|^/core/img/background.png$) { try_files $uri 
/index.php$request_uri; add_header Cache-Control "public, max-age=15778463"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; add_header Referrer-Policy no-referrer; access_log off; } }
config-static/nginx/params/headers_params +3 −0 @@ -3,5 +3,8 @@ add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Strict-Transport-Security "max-age=15768000"; add_header Referrer-Policy "same-origin"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; fastcgi_hide_header X-Powered-By; server_tokens off;
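Review bot: None of the `add_header` lines in this file, the newly added ones included, carry the `always` parameter, so nginx attaches them only to the 2xx and 3xx responses in its fixed list and leaves them off 4xx/5xx error pages. For headers meant to cover every response, write for example `add_header X-Content-Type-Options nosniff always;` and `add_header Strict-Transport-Security "max-age=15768000" always;`. The same applies to the `add_header` lines this commit places in templates/nginx/sites-enabled/nextcloud.conf. The page does not mark which three lines are the additions, so the point is raised against the file as shown.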
scripts/show-info.sh +1 −1 @@ -6,7 +6,7 @@ source /mnt/repo-base/scripts/base.sh SPAM_UI=$(grep server_name $(grep -l mailserver:11334 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g') RSPAMD_PASSWORD=$(grep ^RSPAMD_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') NEXTCLOUD_UI=$(grep server_name $(grep -l nextcloud:80 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g') NEXTCLOUD_UI=$(grep server_name $(grep -l nextcloud:9000 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g') NEXTCLOUD_ADMIN_USER=$(grep ^NEXTCLOUD_ADMIN_USER= "$ENVFILE" | awk -F= '{ print $NF }') NEXTCLOUD_ADMIN_PASSWORD=$(grep ^NEXTCLOUD_ADMIN_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }')
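Review bot: If no file under sites-enabled contains `nextcloud:9000`, the inner `grep -l` prints nothing and the outer `grep server_name` is left without a file argument, so it reads standard input and the script blocks. That case looks reachable on an installation whose rendered nextcloud.conf still proxies to `nextcloud:80`, since config-dynamic appears to hold already-generated files. Passing a fallback file avoids the hang: `grep -h server_name $(grep -l nextcloud:9000 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) /dev/null`. The `SPAM_UI` assignment in the context lines uses the same pattern.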
templates/docker-compose/docker-compose-base.yml +1 −1 @@ -102,7 +102,7 @@ services: - mariadb nextcloud: image: nextcloud:15.0.12 image: nextcloud:16.0.5-fpm container_name: nextcloud restart: always networks:
templates/docker-compose/docker-compose-networks.yml +2 −0 @@ -14,6 +14,8 @@ - /mnt/repo-base/config-dynamic/letsencrypt/certstore:/certs - /mnt/repo-base/config-dynamic/nginx/passwds:/passwds - /mnt/repo-base/config-dynamic/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge - /mnt/repo-base/volumes/nextcloud/html:/var/www/html - /mnt/repo-base/volumes/nextcloud/custom_apps:/var/www/html/custom_apps/ depends_on: - nextcloud - create-account
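Review bot: Both added bind mounts are read-write by default, although the web server only has to read Nextcloud's files to serve static assets. The tree under `/var/www/html` also holds the application's PHP code, and the nginx template in this commit denies `/config/` and `/data/` under the same root, so a compromise of the front-end container could alter code that the PHP container then executes. Mount them read-only: `- /mnt/repo-base/volumes/nextcloud/html:/var/www/html:ro` and `- /mnt/repo-base/volumes/nextcloud/custom_apps:/var/www/html/custom_apps/:ro`. The service this volume list belongs to starts outside the hunk; the neighbouring certificate and passwd mounts suggest it is the nginx container.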
templates/nginx/sites-enabled/nextcloud.conf +90 −42 upstream php-handler { server nextcloud:9000; } server { listen 8000; server_name @@@DOMAIN@@@;
@@ -17,31 +21,75 @@ server { ssl_certificate_key /certs/live/@@@DOMAIN@@@/privkey.pem; include /etc/nginx/params/ssl_params; # Nextcloud already sets these headers, the include would just duplicate them # We include these headers directly because some are already set by Nextcloud. #include /etc/nginx/params/headers_params; add_header Strict-Transport-Security "max-age=15552000;includeSubDomains;preload"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Strict-Transport-Security "max-age=15768000"; add_header Referrer-Policy "same-origin"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; fastcgi_hide_header X-Powered-By; server_tokens off; client_max_body_size 4096M; fastcgi_buffers 64 4K; # Enable gzip but do not remove ETag headers gzip on; gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; # Enable compression for JS/CSS/HTML bundle, for improved client load times. # It might be nice to compress JSON, but leaving that out to protect against potential # compression+encryption information leak attacks like BREACH. 
gzip_types application/atom+xml application/javascript application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; root /var/www/html; location / { rewrite ^ /index.php; } location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; } location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; } location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { fastcgi_split_path_info ^(.+\.php)(/.*)$; try_files $fastcgi_script_name =404; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; # fastcgi_param HTTPS on; #Avoid sending the security headers twice fastcgi_param modHeadersAvailable true; fastcgi_param front_controller_active true; fastcgi_pass php-handler; fastcgi_intercept_errors on; fastcgi_request_buffering off; } #auth_basic "Who's this?"; #auth_basic_user_file /passwds/<NAME>.htpasswd; location = /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; } location = /.well-known/caldav { return 301 $scheme://$host/remote.php/dav; } location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://nextcloud:80; # https://docs.nextcloud.com/server/stable/admin_manual/configuration_files/big_file_upload_configuration.html#nginx proxy_buffering off; include /etc/nginx/params/proxy_params; } location ~ (\.(?:css|js|woff2?|svg|gif)$|^/core/img/background.png$) { proxy_pass http://nextcloud:80; include /etc/nginx/params/proxy_params; location ~ (\.(?:css|js|woff2?|svg|gif|png|jpg|ico)$|^/core/img/background.png$) { try_files $uri 
/index.php$request_uri; add_header Cache-Control "public, max-age=15778463"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; add_header Referrer-Policy no-referrer; access_log off; } }
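Review bot: The static-asset location at the end of the server block defines its own `add_header` set, and nginx inherits `add_header` from the enclosing level only when the current level defines none, so responses served from that location lose the server-level `Strict-Transport-Security` header. It also sends `Referrer-Policy no-referrer` where the server block sends `same-origin`. Add `add_header Strict-Transport-Security "max-age=15768000";` to that location and use one Referrer-Policy value in both places. Separately, two `Strict-Transport-Security` lines appear near the top of the hunk and the page does not mark which side each belongs to; if the `max-age=15552000;includeSubDomains;preload` line is the removed one, the commit drops `includeSubDomains` and `preload`, which should be a deliberate decision.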