# PHP-FPM backend that receives every `.php` request from the server block
# below. BACKEND_HOST is a placeholder filled in when this template is
# rendered (presumably by the image's envsubst step -- confirm in the
# entrypoint). FastCGI carries no authentication: anyone who can reach this
# port can set SCRIPT_FILENAME and execute arbitrary PHP, so it must only be
# reachable from this nginx instance, never exposed on a public interface.
upstream php-handler {
  server ${BACKEND_HOST}:9000;
}

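# On-disk FastCGI cache used for PHP-generated assets (see the nested
# `location` for css/js/svg/gif/png under `\.php` in the server block).
# `/cache` must exist and be writable by the nginx worker user; entries that
# are not requested for 1440 minutes are evicted regardless of validity.
fastcgi_cache_path /cache levels=1:2 keys_zone=assets:100m inactive=1440m use_temp_path=off;

# Cache key. The original keyed on `$request_uri` alone, which makes every
# hostname served by this nginx share one cache entry per path: themed or
# per-instance assets generated for one host would be served for another.
# Including `$host` scopes entries per virtual host; it only reduces
# sharing, never increases it, so it is a safe tightening.
fastcgi_cache_key "$host$request_uri";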

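server {
  # Trust X-Forwarded-For only from the reverse proxy in front of this
  # container. Every host in these RFC 1918 ranges may set the client
  # address, so these networks must contain nothing but the proxy: any other
  # peer on them could forge the IP that Nextcloud sees (and uses for logging
  # and brute-force throttling). Narrow to the proxy's own address where the
  # topology allows. `real_ip_recursive` is left at its default (off), so the
  # right-most X-Forwarded-For entry is taken -- correct for a single proxy
  # hop, wrong for a chain of proxies.
  set_real_ip_from  10.0.0.0/8;
  set_real_ip_from  172.16.0.0/12;
  set_real_ip_from  192.168.0.0/16;
  real_ip_header  X-Forwarded-For;

  # Plain HTTP only: TLS is terminated by the reverse proxy. `fastcgi_param
  # HTTPS on` below hard-codes that assumption, so this port must never be
  # reachable by clients directly (cookies would be marked Secure and
  # redirects would be built for https).
  listen 80;

  # Maximum request body. 100G effectively disables the limit so that large
  # uploads work; resource-exhaustion protection therefore has to come from
  # the reverse proxy or from Nextcloud's own upload limits.
  client_max_body_size 100G;
  fastcgi_buffers 64 4K;

  # Long-running requests (large uploads, sync operations). Tries this fix:
  # https://github.com/nextcloud/server/issues/17992#issuecomment-555822170
  fastcgi_read_timeout 600s;
  fastcgi_send_timeout 600s;
  # Note: proxy_request_buffering only affects proxy_pass, which this file
  # does not use; the FastCGI equivalent is fastcgi_request_buffering below.
  proxy_request_buffering off;

  gzip off; # handled at reverse-proxy level

  # HTTP response headers borrowed from Nextcloud `.htaccess`. Because of
  # `modHeadersAvailable` below, Nextcloud does NOT send these itself, so
  # nginx is the only place they are set. Beware the nginx inheritance rule:
  # a location that declares any `add_header` of its own drops ALL of these,
  # which is why the cached-asset location further down repeats them.
  add_header Referrer-Policy                      "no-referrer"       always;
  add_header X-Content-Type-Options               "nosniff"           always;
  add_header X-Download-Options                   "noopen"            always;
  add_header X-Frame-Options                      "SAMEORIGIN"        always;
  add_header X-Permitted-Cross-Domain-Policies    "none"              always;
  add_header X-Robots-Tag                         "noindex, nofollow" always;
  add_header X-XSS-Protection                     "1; mode=block"     always;

  # Remove X-Powered-By, which is an information leak (PHP version)
  fastcgi_hide_header X-Powered-By;

  # Path to the root of your installation
  root /usr/src/nextcloud;

  # Specify how to handle directories -- specifying `/index.php$request_uri`
  # here as the fallback means that Nginx always exhibits the desired behaviour
  # when a client requests a path that corresponds to a directory that exists
  # on the server. In particular, if that directory contains an index.php file,
  # that file is correctly served; if it doesn't, then the request is passed to
  # the front-end controller. This consistent behaviour means that we don't need
  # to specify custom rules for certain paths (e.g. images and other assets,
  # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
  # `try_files $uri $uri/ /index.php$request_uri`
  # always provides the desired behaviour.
  index index.php index.html /index.php$request_uri;

  # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
  location = / {
      if ( $http_user_agent ~ ^DavClnt ) {
          return 302 /remote.php/webdav/$is_args$args;
      }
  }

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  # Make a prefix exception for `/.well-known` so that clients can still
  # access it despite the regex rule `location ~ ^/(?:\.|autotest|...)`
  # below, which would otherwise answer 404 for anything under a dot-path.
  location ^~ /.well-known {
    # The rules in this block are an adaptation of the rules
    # in `.htaccess` that concern `/.well-known`.
    # `$host` comes from the client's Host header; the redirect therefore
    # stays on whatever hostname the client already used.
    location = /.well-known/carddav { return 301  https://$host/remote.php/dav; }
    location = /.well-known/caldav  { return 301  https://$host/remote.php/dav; }

    # Let Nextcloud's API for `/.well-known` URIs handle all other
    # requests by passing them to the front-end controller.
    return 301 /index.php$request_uri;
  }

  # Rules borrowed from `.htaccess` to hide certain paths from clients.
  # Regex locations are matched in order of appearance, so these MUST stay
  # above the asset and PHP locations below: otherwise e.g. `/data/x.css` or
  # `/config/config.php` would be served by those blocks instead of 404ing.
  location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)              { return 404; }

  # Ensure this block, which passes PHP files to the PHP process, is above the blocks
  # which handle static assets (as seen below). If this block is not declared first,
  # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
  # to the URI, resulting in a HTTP 500 error response.
  location ~ \.php(?:$|/) {
      # PHP-generated assets (e.g. /index.php/css/... , /index.php/apps/.../img/...)
      # are cached on disk. `fastcgi_ignore_headers Cache-Control` discards the
      # upstream's Cache-Control (including no-store/private), so only cache
      # here what is genuinely public per-URI; nginx still refuses to cache a
      # response that carries Set-Cookie.
      location ~ \.(?:css|js|svg|gif|png)$ {
          fastcgi_ignore_headers Cache-Control;
          fastcgi_cache assets;
          # Debug header exposing HIT/MISS to clients; drop it if that is unwanted.
          add_header X-Proxy-Cache $upstream_cache_status;

          # Defining `add_header` in this location suppresses inheritance of the
          # server-level headers, and Nextcloud does not emit them either
          # (`modHeadersAvailable`), so the security headers are repeated here.
          add_header Referrer-Policy                      "no-referrer"       always;
          add_header X-Content-Type-Options               "nosniff"           always;
          add_header X-Download-Options                   "noopen"            always;
          add_header X-Frame-Options                      "SAMEORIGIN"        always;
          add_header X-Permitted-Cross-Domain-Policies    "none"              always;
          add_header X-Robots-Tag                         "noindex, nofollow" always;
          add_header X-XSS-Protection                     "1; mode=block"     always;

          expires 6M;         # Cache-Control policy borrowed from `.htaccess`
          access_log off;     # Optional: Don't log access to assets

          # Same FastCGI setup as the enclosing block; see the comments there.
          fastcgi_split_path_info ^(.+?\.php)(/.*)$;
          set $path_info $fastcgi_path_info;
          try_files $fastcgi_script_name =404;
          include fastcgi_params;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param PATH_INFO $path_info;
          fastcgi_param HTTPS on;
          fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
          fastcgi_param front_controller_active true;     # Enable pretty urls
          fastcgi_pass php-handler;
          fastcgi_intercept_errors on;
          fastcgi_request_buffering off;
      }

      # Split `/script.php/extra/path` into the script and PATH_INFO, then
      # require the script file to actually exist on disk (`try_files ... =404`).
      # That check is what stops the classic PATH_INFO trick of executing a
      # non-PHP upload through `cgi.fix_pathinfo`: only real .php files reach FPM.
      fastcgi_split_path_info ^(.+?\.php)(/.*)$;
      set $path_info $fastcgi_path_info;
      try_files $fastcgi_script_name =404;
      include fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param PATH_INFO $path_info;
      fastcgi_param HTTPS on;                           # TLS is terminated upstream; see `listen`
      fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
      fastcgi_param front_controller_active true;     # Enable pretty urls
      fastcgi_pass php-handler;
      fastcgi_intercept_errors on;                    # Let nginx render FPM error statuses
      fastcgi_request_buffering off;                  # Stream uploads straight to FPM
  }

  # Static assets served directly from disk; anything missing falls through
  # to the front controller.
  location ~ \.(?:css|js|svg|gif)$ {
      try_files $uri /index.php$request_uri;
      expires 6M;         # Cache-Control policy borrowed from `.htaccess`
      access_log off;     # Optional: Don't log access to assets
  }

  location ~ \.woff2?$ {
      try_files $uri /index.php$request_uri;
      expires 7d;         # Cache-Control policy borrowed from `.htaccess`
      access_log off;     # Optional: Don't log access to assets
  }

  # Everything else: real file, then directory (see `index`), then the
  # front controller.
  location / {
      try_files $uri $uri/ /index.php$request_uri;
  }
}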